Computer Security Authentication - PowerPoint PPT Presentation

Loading...

PPT – Computer Security Authentication PowerPoint presentation | free to download - id: 128b14-YmEzN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Computer Security Authentication

Description:

Entity Authentication is the process of verifying a claimed identity ... password, this would come down to approximately 2 days. 9/27/09. 10. Probable passwords ... – PowerPoint PPT presentation

Number of Views:85
Avg rating:3.0/5.0
Slides: 23
Provided by: MikeBur3
Learn more at: http://www.ccs.neu.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Computer Security Authentication


1
Computer SecurityAuthentication
2
Entity Authentication
  • Entity Authentication is the process of verifying
    a claimed identity
  • It is based on
  • something the entity knows
  • something the entity holds
  • something the entity is
  • something the entity does
  • where the entity is

3
Something the entity knows
  • The user has to know some secret, such as a
  • password or a personal identification number
    (PIN).
  • Threats
  • Anybody who knows your secret is you!

4
Something the entity holds
  • The user has to present a physical token (such
    as key,
  • an identity tag, a card) to be authenticated.
  • Threats
  • The token can be lost or stolen!

5
Something the entity is
  • Use biometrics, such as fingerprints, palm
    prints, iris
  • patterns, or retina patterns.
  • With biometrics a stored pattern is compared to
    an actual
  • taken measurement.
  • Problems
  • False positives (accepting the wrong entity) and
    false
  • negatives!
  • Many users find biometrics unacceptable.
  • Gruesome threats of the kind used in some
    Hollywood thrillers!

6
Something the entity does
  • People perform some mechanical tasks in a way
    that is both
  • repeatable and specific to the individual.
  • Examples
  • hand written signatures
  • on a writing pad
  • the writing speed/pressure of a hand written
    signature
  • on the keyboard
  • the typing speed and intervals between strokes
  • Problems
  • False positives (accepting the wrong entity) and
    false negatives!

7
Where the entity is
  • The system may take into account the location of
    the
  • login.
  • For example, access may only be granted from
    certain
  • terminals.
  • With mobile and distributed computing the precise
  • geographical location can be established during
  • authentication by using the services of a global
  • positioning system (GPS).

8
Usernames Passwords
  • The most common authentication mechanism.
  • Although password protection seems to offer
    relatively good
  • security, human practice degrades its quality.
  • Attacks on passwords
  • Exhaustive search
  • Try many probable passwords
  • Try likely passwords for the user
  • Search for the system list of passwords.
  • Ask the user!

9
Exhaustive search attacks
  • If passwords are words consisting of the 26
    characters A-Z
  • and have length 8, then we are altogether 268
    passwords.
  • This is roughly 21011, which seems enough
    intractable.
  • It would take of the order of about 6 years to
    test all passwords
  • at the rate of 1 millisecond per password.
  • If we were to speed up the search to one
    microsecond per
  • password, this would come down to approximately 2
    days.

10
Probable passwords
  • People prefer simple passwords.
  • Our earlier analysis assumes that people choose
  • passwords such as vxlagrst.
  • Whereas in reality they tend to use names and
    words
  • they can remember.
  • Spelling checkers carry dictionaries of the most
    common English
  • words. The typical size of such a dictionary is
    80,000 words.
  • This reduces the search to seconds

11
Passwords likely for a user
  • People prefer words which are related to them,
    such
  • as the name of a spouse, a child, a relative, a
    pet,
  • a street name or something memorable or familiar.
  • Some people pick a simple password and replace
  • certain characters such as 0 (zero) by O, 1 for
    letter L,
  • 3 for letter E, etc

12
Passwords defenses
  • Password checkers check password against a
  • dictionary of weak passwords.
  • Password generators users are not allowed to
  • pick their own passwords.
  • Password ageing an expiry date is set for
    passwords.
  • Limit login attacks.
  • Inform user after a successful login of the last
  • login and the number of failed logins
    since then.

13
Spoofing attacks
  • An entity enters a password and the system
    verifies the
  • entities identity.
  • Does the user know who has received the password?
  • Defenses
  • Display number of failed attempts
  • Use trusted paths (with Windows NT, CTRLALTDEL
    invokes the OS login screen)
  • Mutual authentication the system could be
    required to identify itself

14
Protecting the password file
  • To validate passwords the system compares the
    password
  • entered against a value stored in the password
    file.
  • Defenses
  • cryptographic protection (e.g. use a one-way
    hash function f instead of listing passwords x,
    list their values f(x)
  • beware of dictionary attacks!)
  • access control enforced by the OS (e.g. restrict
    access to files and other resources to users
    holding the appropriate privileges)
  • combine both

15
Cryptographic protection
  • Use one-way hash function f
  • Instead of storing the password x in the password
    list,
  • the hash is stored.
  • The password list is organized as a two column
    table
  • of user IDs (usernames) and the corresponding
    hashed
  • values
  • When the user logs in and enters the password x
    is it is
  • hashed (locally) into f (x). This value is then
    compared
  • with the stored value.

16
Cryptographic protection
  • The one-way hash function f
  • crypt(3) for Unix systems
  • This uses a slightly modified version of the
    encryption
  • scheme DES with 25 rounds (instead of the 16
    rounds)
  • This encrypts the all zero block using the
    password x as
  • a key.
  • The encryption f (x) of the zero block is the
    hash value.

17
Cryptographic protection
  • Access control mechanisms in the OS
  • These restrict access to files and other
    resources to users
  • holding the appropriate privileges.
  • Only privileged users can have write access to
    the password file
  • otherwise an attacker could access data of other
    users by
  • changing their password file.
  • If read access is restricted to privileged users
    then passwords
  • should be secure, in theory.
  • In practice an attacker can still use a
    dictionary attack.

18
Cryptographic protection
  • Access control mechanisms in the OS
  • Dictionary attacks can be prevented by using
    password
  • salting.
  • With salting, additional information (the salt)
    is appended
  • to the password x before it is hashed to get
    f(x).
  • This implies that even if two users have the same
  • password their salted hashes will be different.

19
Multiple passwords
  • For additional password protection several
    passwords
  • may used.
  • For example, use
  • the first password for workstation
  • the second password to get onto the network
  • the third password to access the server
  • the fourth to access the database management
  • system
  • etc

20
Passwords Single sign-on
  • Remembering many passwords is rather
    inconvenient.
  • A single sign-on service solves this problem. You
    enter
  • your password once, the system stores it, and
    then uses
  • it whenever you have to authenticate yourself
    again.
  • However this raises new security concerns.
  • How do you protect the stored password?
  • (the password needs to be in cleartext)

21
Biometrics
  • Fingerprints
  • -- scan optically
  • -- use capacitive technique (measure
  • differences in electrical charges to
    detect
  • those parts touching a chip and
    those raised).
  • Data is converted into a graph with
    vertices the ridges adjacent ridges are
    connected.

22
Biometrics
  • Voices
  • Eyes
  • Faces
  • Keystrokes
  • Combinations
  • Problem false positives/negatives
About PowerShow.com