Authentication systems. Authentication methodologies
Slide 1: Authentication systems
Diana Berbecaru <diana.berbecaru@polito.it>, Politecnico di Torino, Dip. Automatica e Informatica

Authentication methodologies can be based on different factors (1/2/3-factor authentication):
- something I know (e.g. a password such as "pippo!")
- something I have (e.g. a magnetic card)
- something I am (e.g. my fingerprint)
Multiple different mechanisms can be combined to achieve identification.
Slide 2: User authentication
Generic exchange between the user (who knows UID and the secret S_UID) and the server (which stores UID : f(S_UID)):
1. user -> server: authentication request, UID
2. server -> user: proof request
3. user -> server: proof = F(S_UID)

Password-based authentication:
- secret = the user password, F = I (the identity function)
- case #1: f = I; access control: proof = password?
- case #2: f = a one-way hash function H; access control: F(proof) = F(S_UID)?
Slide 3: Password-based authentication: case #1 and case #2
Case #1 (server stores UID : S_UID):
1. user -> server: authentication request, UID
2. server -> user: proof request
3. user -> server: proof = S_UID
4. server checks whether indeed proof = password (= S_UID)

Case #2 (server stores UID : H(S_UID)):
1. user -> server: authentication request, UID
2. server -> user: proof request
3. user computes proof = H(S_UID) and sends it
4. server checks whether indeed proof = H(S_UID)
Slide 4: Password-based authentication
- pro: simple for the user
- cons:
  - password storage (post-it!)
  - password readable during transmission
  - password guessable (my son's name!)
  - the server must know the password in cleartext, or its digest unprotected (dictionary attack)
- possible attacks: sniffing and replay

Password suggestions to reduce the associated risks:
- letters + digits + special characters
- long (at least 8 characters)
- never use dictionary words
- frequently changed (but not too frequently!)
- don't use them :-)
The use of at least one password (or PIN or access code or ...) is unavoidable unless we use biometric techniques.
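The two cases of slides 2-4, as an added Python example (not code from the slides): a case #1 server that stores the password in clear and a case #2 server that stores its digest, plus checks that make the listed cons concrete. The user database, the password "pippo!" and the wordlist are constructed values, and SHA-256 stands in for the unspecified hash H.

```python
import hashlib
import hmac

# Constructed demo credential database: UID -> password (not from the slides).
PASSWORDS = {"pippo": "pippo!"}

def H(data: bytes) -> bytes:
    """One-way hash function H of the slides (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()

class Case1Server:
    """Case #1: the server stores UID : S_UID, i.e. the password in clear."""
    def __init__(self, passwords):
        self.db = {uid: pw.encode() for uid, pw in passwords.items()}

    def check(self, uid: str, proof: bytes) -> bool:
        stored = self.db.get(uid)
        return stored is not None and hmac.compare_digest(proof, stored)

class Case2Server:
    """Case #2: the server stores UID : H(S_UID); the user sends proof = H(S_UID)."""
    def __init__(self, passwords):
        self.db = {uid: H(pw.encode()) for uid, pw in passwords.items()}

    def check(self, uid: str, proof: bytes) -> bool:
        stored = self.db.get(uid)
        return stored is not None and hmac.compare_digest(proof, stored)

def case1_proof(password: str) -> bytes:
    return password.encode()            # the password itself crosses the wire

def case2_proof(password: str) -> bytes:
    return H(password.encode())         # the digest crosses the wire instead

def sniff_and_replay(server, uid: str, captured_proof: bytes) -> bool:
    """In both cases the proof is a fixed value: whatever an eavesdropper
    captured once is accepted again verbatim (the 'sniffing and replay' con)."""
    return server.check(uid, captured_proof)

def digest_is_enough(server: Case2Server, uid: str) -> bool:
    """Case #2 caveat: whoever reads the stored digest does not need the
    password, because the digest *is* the proof the server expects."""
    return server.check(uid, server.db[uid])

def dictionary_check(server: Case2Server, uid: str, wordlist):
    """Why an unprotected digest is a problem: each guess costs one hash, so a
    dictionary word (or a son's name) is recovered immediately. Returns the
    matching word, or None if the password is not in the list."""
    for word in wordlist:
        if server.check(uid, H(word.encode())):
            return word
    return None
```

The replay and dictionary checks are the reason the slides recommend long, non-dictionary passwords and why the following slides move on to challenge-response, where the value sent on the wire changes every time.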
Slide 5: (Symmetric) challenge-response systems
- the user proves its identity to the verifier by demonstrating knowledge of a secret, without revealing the (shared) secret itself to the verifier during the protocol
  - sniffing of the secret is not possible
- a challenge (typically a random number) is sent to the user, who replies with the solution after a computation involving the shared secret and the challenge
- the challenge is usually time-variant and a random number
- the challenge must be different every time: even if the adversary is monitoring the network, he won't be able to reuse the response
  - replay attack not possible
- the server must know the secret in clear
- often R is a hash function
Exchange: the user (knowing UID and S_UID) sends UID; the server (storing {UID, S_UID}) sends a challenge; the user answers with response = R(challenge, S_UID).
Slide 6: Symmetric challenge-response systems
The server stores UID : S_UID; the user knows UID and the secret S_UID:
1. user -> server: authentication request, UID
2. server -> user: proof request + challenge
3. user computes proof = H(challenge, S_UID) and sends it
4. server checks whether indeed proof = H(challenge, S_UID)

Mutual authentication with symmetric challenge (v1):
1. Alice -> Bob: A
2. Bob -> Alice: C_B
3. Alice -> Bob: enc(K_AB, C_B)
4. Alice -> Bob: C_A
5. Bob -> Alice: enc(K_AB, C_A)
This is the base exchange; only the initiator explicitly provides its (claimed) identity.
Slide 7: Mutual authentication with symmetric challenge (v2)
Reduction in the number of messages (better performance but no impact on security); used by the IBM SNA:
1. Alice -> Bob: A, C_A
2. Bob -> Alice: C_B, enc(K_AB, C_A)
3. Alice -> Bob: enc(K_AB, C_B)

Attack on the symmetric challenge protocol (Mike acting as Alice):
- connection #1: Mike -> Bob: A, S_A; Bob -> Mike: S_B, enc(K_AB, S_A)
- connection #2: Mike -> Bob: A, S_B; Bob -> Mike: S_C, enc(K_AB, S_B)
- connection #1: Mike -> Bob: enc(K_AB, S_B)
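Slides 5-7 in runnable form, as an added example (not code from the slides): a one-way challenge-response server whose challenges are single-use, so a captured response is worthless against the next challenge, and a simulation of Bob's side of the v2 mutual protocol that shows the two-connection reflection above succeeding, and failing once the response binds the responder's identity into the computation. R is taken to be HMAC-SHA256 (the slides only say "often a hash function"), and all keys and names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed secrets (not from the slides).
S_UID = {"pippo": b"constructed-secret-for-pippo"}
K_AB = b"constructed-key-shared-by-alice-and-bob"

def R(key: bytes, *parts: bytes) -> bytes:
    """R(challenge, S): HMAC-SHA256 over length-prefixed parts (assumption)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

class CRServer:
    """One-way symmetric challenge-response; the server holds S_UID in clear."""
    def __init__(self, db):
        self.db = db
        self.pending = {}                     # UID -> outstanding challenge

    def challenge(self, uid: str) -> bytes:
        c = secrets.token_bytes(16)           # random, different every time
        self.pending[uid] = c
        return c

    def verify(self, uid: str, proof: bytes) -> bool:
        c = self.pending.pop(uid, None)       # a challenge is consumed once
        if c is None or uid not in self.db:
            return False
        return hmac.compare_digest(proof, R(self.db[uid], c))

def client_response(secret: bytes, challenge: bytes) -> bytes:
    return R(secret, challenge)

def replay_fails(server: CRServer, uid: str) -> bool:
    """A sniffed response to challenge #1 is useless against challenge #2."""
    c1 = server.challenge(uid)
    captured = client_response(S_UID[uid], c1)
    if not server.verify(uid, captured):      # the legitimate login succeeds
        return False
    server.challenge(uid)                     # new session, fresh challenge
    return not server.verify(uid, captured)   # the replayed response is rejected

class Bob:
    """Responder of mutual authentication v2 (3 messages)."""
    def __init__(self, key: bytes, bind_identity: bool):
        self.key, self.bind = key, bind_identity
        self.conns, self.next_conn = {}, 1

    def msg2(self, claimed_id: str, c_a: bytes):
        """Receive (A, C_A); answer with (connection id, C_B, enc(K_AB, C_A)).
        The claimed identity is taken at face value, as in the slides."""
        conn, self.next_conn = self.next_conn, self.next_conn + 1
        c_b = secrets.token_bytes(16)
        self.conns[conn] = c_b
        resp = R(self.key, b"B", c_a) if self.bind else R(self.key, c_a)
        return conn, c_b, resp

    def msg3(self, conn: int, proof: bytes) -> bool:
        c_b = self.conns.pop(conn)
        expected = R(self.key, b"A", c_b) if self.bind else R(self.key, c_b)
        return hmac.compare_digest(proof, expected)

def reflection_attack(bob: Bob) -> bool:
    """Mike, without K_AB, opens two connections as 'Alice' and reflects Bob's
    own challenge back at him. Returns True if Bob accepts connection #1."""
    s_a = secrets.token_bytes(16)
    conn1, s_b, _ = bob.msg2("A", s_a)        # conn #1: Bob answers with S_B
    conn2, _, answer = bob.msg2("A", s_b)     # conn #2: S_B presented as Mike's challenge
    bob.conns.pop(conn2)                      # conn #2 is simply abandoned
    return bob.msg3(conn1, answer)            # conn #1 closed with Bob's own answer
```

With `bind_identity=True` the value Bob computes in message 2 is R(K_AB, "B", C) while the value he expects in message 3 is R(K_AB, "A", C), so nothing Bob says can ever be played back to him; this is one of the standard fixes for reflection, along with using a different key per direction.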
Slide 8: (Asymmetric) challenge-response systems
- a random number R is encrypted with the user's public key, and the user replies by sending R in clear, thanks to its knowledge of the private key
Exchange: the user holds cert(Mario, KpubMario) and the private key; the server sends challenge = E(R, KpubMario) (to acceptable users); the user responds with R.

Risks with asymmetric challenges:
- trust in the issuer CA of the user certificate
- check of the name constraint on trusted CAs
- unwilling RSA signature possible: if R = digest(document) ... and the server sends R in clear and asks it back encrypted with the user's private key ... then the user has unwillingly signed the document!!!
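The "unwilling signature" risk of slide 8 is easiest to see with textbook RSA, where decrypting and signing are the same private-key operation. The following is an added example, not code from the slides: a toy RSA key (constructed, and far too small for real use), the asymmetric challenge as described, the variant in which the server sends R in clear and asks for the private-key operation on it, and a client-side mitigation that applies the private key only to a value derived from a fixed context string rather than to the server's raw R.

```python
import hashlib

# Constructed textbook RSA parameters (not from the slides; only for illustration).
P, Q = 61, 53
N = P * Q                               # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))       # 2753

def rsa_encrypt(m: int) -> int:
    """Public-key operation: also what a verifier applies to a raw signature."""
    return pow(m, E, N)

def rsa_private_op(c: int) -> int:
    """Private-key operation: decrypts a ciphertext and signs a value alike."""
    return pow(c, D, N)

def challenge_response(r: int) -> int:
    """Slide 8 protocol: the server sends E(R, Kpub); the user returns R in clear."""
    return rsa_private_op(rsa_encrypt(r))

def unwilling_signature(r: int) -> int:
    """The risk: a server that sends R in clear and asks for it back 'encrypted
    with the private key' receives priv_op(R), i.e. a raw RSA signature on R."""
    return rsa_private_op(r)

def digest_as_int(data: bytes) -> int:
    # Assumption: the digest is reduced mod N so the toy modulus can carry it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def verify_document_signature(document: bytes, sig: int) -> bool:
    return rsa_encrypt(sig) == digest_as_int(document)

def _context_value(r: int, server_name: bytes) -> int:
    """What a careful client actually signs: a hash that fixes the purpose
    ('authentication'), the peer and the challenge (assumption: illustrative
    format; real systems use proper signature padding and separate keys for
    authentication and for document signing)."""
    return digest_as_int(b"auth-challenge|" + server_name + b"|" + r.to_bytes(2, "big"))

def safe_response(r: int, server_name: bytes) -> int:
    """Mitigation: never apply the private key to a server-chosen value as-is."""
    return rsa_private_op(_context_value(r, server_name))

def verify_safe_response(r: int, server_name: bytes, resp: int) -> bool:
    """Server-side check of the mitigated response."""
    return rsa_encrypt(resp) == _context_value(r, server_name)
```

With the raw protocol, `unwilling_signature(digest_as_int(doc))` verifies as a valid signature on `doc`; with the context-bound response it does not, while the server can still verify the challenge.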
Slide 9: One-Time Passwords (OTP)
- original idea: Bell Labs
- the S/KEY system (RFC 1760)
  - public-domain implementation
- commercial implementations with automatic hardware generators (authenticator)
- OTP provisioning to the users:
  - on a stupid or insecure workstation: paper sheet of pre-computed passwords, or hardware authenticator (crypto token)
  - on an intelligent and secure workstation: automatically computed by an ad-hoc application, eventually integrated into the communication sw (e.g. telnet client) or hw (e.g. modem)
Slide 10: The S/KEY system (I), RFC-1760
- the user generates a secret S (the seed)
- the user computes N one-time passwords:
  - P_1 = h(S)
  - P_2 = h(P_1) = h(h(S))
  - ...
- the user initializes the authentication server with the last generated password (e.g. P_100)

Password generation (diagram): initial secret s -> h -> Password 1 = h(s) -> h -> Password 2 = h(h(s)) = h^2(s) -> ... -> Password n = h^n(s)

The S/KEY system (III): S/KEY authentication (diagram)
- the user has Password n = h^n(s), Password n-1 = h^(n-1)(s), ..., Password 2 = h^2(s), Password 1 = h(s)
- the server stores Password n = h^n(s)
- the user sends Password n-1; the server checks h(Password n-1) ?= h^n(s) and, if so, stores Password n-1 = h^(n-1)(s)
Slide 11: The S/KEY system (II)
- the server prompts for the passwords in reverse sequence:
  - S: P99?
  - C: X
  - S: if h(X) = P100 then access allowed + X is stored
- in this way the server doesn't need to know the client's secret
- RFC-1760 uses MD4 (other choices possible)
- public-domain implementation for Unix, MS-DOS, Windows, MacOS

S/KEY generation of the password list:
- the user inserts a pass phrase (PP): minimum 8 characters long, secret! (if disclosed then the security of S/KEY is compromised)
- PP is concatenated with a server-provided seed
  - the seed is not secret (sent in cleartext from S to C)
  - allows to use the same PP for multiple servers (using different seeds) and to safely reuse the same PP by changing the seed
- a 64-bit quantity is extracted from the MD4 hash (by XORing the first / third 32-bit groups and the second / fourth groups)
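The S/KEY hash chain of slides 10-11, as an added example rather than the RFC's or the slides' code: password-list generation from pass phrase plus seed with the 64-bit folding described above, and a server that holds only the last registered password, walks the list backwards, and refuses a password that has already been used. SHA-256 truncated to 128 bits stands in for MD4, which many modern hashlib builds no longer provide; the pass phrase and seeds are constructed.

```python
import hashlib
import hmac

def fold64(digest16: bytes) -> bytes:
    """Reduce a 128-bit digest to 64 bits as the slides describe: XOR the first
    and third 32-bit words, and the second and fourth."""
    w = [int.from_bytes(digest16[i:i + 4], "big") for i in range(0, 16, 4)]
    return (w[0] ^ w[2]).to_bytes(4, "big") + (w[1] ^ w[3]).to_bytes(4, "big")

def h(x: bytes) -> bytes:
    """One S/KEY step. Assumption: SHA-256 truncated to 128 bits replaces MD4."""
    return fold64(hashlib.sha256(x).digest()[:16])

def skey_passwords(pass_phrase: str, seed: str, n: int) -> list:
    """P_1 = h(S), P_2 = h(P_1), ..., P_n = h^n(S), with S = PP || seed.
    Returns [P_1, ..., P_n]; the seed is public, the pass phrase is not."""
    cur = (pass_phrase + seed).encode()
    out = []
    for _ in range(n):
        cur = h(cur)
        out.append(cur)
    return out

class SKeyServer:
    """Holds only the most recently registered password, never the secret."""
    def __init__(self, seed: str, last_password: bytes, n: int):
        self.seed = seed
        self.stored = last_password    # P_n, supplied by the user at set-up
        self.n = n                     # index of the stored password

    def prompt(self) -> int:
        """'P_{n-1}?': the index of the password the server asks for next."""
        return self.n - 1

    def login(self, x: bytes) -> bool:
        """If h(X) = stored password then accept and store X; a password that
        was already used (or one further down the list) is rejected."""
        if self.n <= 1:
            return False               # list exhausted: re-initialisation needed
        if hmac.compare_digest(h(x), self.stored):
            self.stored, self.n = x, self.n - 1
            return True
        return False
```

Because h is one-way, an eavesdropper who captures P_{n-1} learns nothing about P_{n-2}, which is the next password the server will ask for, and the server's stored value is useless to an intruder for the same reason.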
Slide 12: OTP problems
- generally uncomfortable
- uncomfortable when used to access multiple password-based services (e.g. POP with periodic check of the mailbox)
- expensive when based on hw authenticators
- paper-based passwords cannot be used by a process but only by a human operator

Problems of hw authenticators:
- denial-of-service: deliberately wrong attempts to trigger account blocking
- social engineering: phone call to simulate loss of the authenticator and remotely initialize a new one
Slide 13: Security Dynamics: SecurID
- time-based synchronous OTP technique: P_UID(t) = h(S_UID, t)
- access code (token-code):
  - 8 digits
  - random, never repeats itself
  - changes every 60 s
  - maximum drift 15 s / year
  - expires in 4 years
- based on a proprietary and secret (!) hash algorithm

SecurID: architecture
- the client sends in clear: user, PIN, token-code (seed, time)
- based on user and PIN, the server verifies against three possible token-codes: TC_-1, TC_0, TC_+1
- duress code: PIN to generate an alarm (useful for authentication under threat)
- wrong authentication attempts limited (default: 10)
- may have three different keys per device
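A time-synchronous token and its server-side check in the style of slide 13, as an added example (not SecurID's code; its real hash is proprietary, so HMAC-SHA256 reduced to 8 digits is assumed here): token-codes per 60 s slot, acceptance of TC_-1, TC_0 and TC_+1 to absorb drift, a duress PIN that raises an alarm, and the default limit of 10 wrong attempts, which is also the lockout that the denial-of-service item of slide 12 exploits. The user record and seed are constructed.

```python
import hashlib
import hmac

PERIOD = 60            # the token-code changes every 60 s
DIGITS = 8             # 8-digit token-code
MAX_WRONG = 10         # default limit on wrong authentication attempts
WINDOW = (-1, 0, 1)    # the server accepts TC_-1, TC_0, TC_+1

def token_code(seed: bytes, t: int) -> str:
    """P_UID(t) = h(S_UID, t). Assumption: HMAC-SHA256 of the 60 s time slot,
    reduced to DIGITS decimal digits."""
    slot = t // PERIOD
    mac = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** DIGITS).zfill(DIGITS)

class AceServer:
    """Server-side verification of (user, PIN, token-code) sent by the client."""
    def __init__(self, users):
        self.users = users       # uid -> {"pin", "duress_pin", "seed"}
        self.wrong = {}          # uid -> consecutive wrong attempts
        self.locked = set()
        self.alarms = []         # (uid, t) of logins made with the duress PIN

    def verify(self, uid: str, pin: str, code: str, now: int) -> bool:
        u = self.users.get(uid)
        if u is None or uid in self.locked:
            return False
        if pin == u["duress_pin"]:
            # Assumption: the duress PIN is accepted like the real PIN but logs
            # an alarm, so whoever is forcing the login sees nothing unusual.
            self.alarms.append((uid, now))
        elif pin != u["pin"]:
            return self._fail(uid)
        for delta in WINDOW:
            if hmac.compare_digest(code, token_code(u["seed"], now + delta * PERIOD)):
                self.wrong[uid] = 0
                return True
        return self._fail(uid)

    def _fail(self, uid: str) -> bool:
        self.wrong[uid] = self.wrong.get(uid, 0) + 1
        if self.wrong[uid] >= MAX_WRONG:
            self.locked.add(uid)     # the account blocking a DoS attacker aims for
        return False

# Constructed user record (not from the slides).
USERS = {"pippo": {"pin": "4711", "duress_pin": "4712",
                   "seed": b"constructed-seed-for-pippo"}}
```

The window of three codes is what lets the server tolerate the stated 15 s/year drift without resynchronising the token; the attempt counter is why a remote attacker cannot simply try all 10^8 codes, and also why it must be paired with alerting rather than silent lockout.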
Slide 14: SecurID: hardware
- SecurID Card: classic device (credit-card size)
- SecurID PinPad: local PIN keying, and then only user and token-code* are sent to the server
- SecurID Key Fob: usable as a key fob
- SecurID modem: PCMCIA-II V.34 modem with an internal token activated via sw by introducing the PIN

RSA SecurID token: available in various models, but all with the same functionality (generate the tokencode): with integrated smartcard (SID800), pinpad (SD520), software version (SoftID)
Slide 15: SecurID: architecture (diagram)
- the TELNET client sends user, PIN, TC to the TELNET server (SecurID, normal); the DBMS client sends user, TC* to the DBMS server (SecurID, pinpad)
- each server's ACE client asks the ACE server "token OK?" and receives OK! or KO!
Example: RSA SecurID
Slide 16: ACE/client and ACE/server
SecurID: client (ACE/client)
- manages the dialogue with the ACE/server
- encrypted channel
- sd_ftp for secure FTP
- available for: Unix, Win32, Netware, Macintosh, TACACS

SecurID: server (ACE/server)
- authentication with SecurID tokens
- monitor, audit and report
- GUI management interface
- authentication API
- SQL interface to access a DBMS (already) storing the user data
- large commercial support in security (e.g. firewall) and communication (e.g. comm. server) products
- available for Solaris, AIX, HP-UX, NT, 2000, XP
Slide 17: Biometric systems
- measure of one biological characteristic of the user
- main characteristics being used: fingerprint, voice, retinal scan, iris scan
- useful to *locally* replace a PIN or a password

Problems of biometric systems:
- FAR = False Acceptance Rate
- FRR = False Rejection Rate
- FAR and FRR may be partly tuned, but they heavily depend on the cost of the device
- variable biological characteristics: finger wound, voice altered due to emotion, retinal blood pattern altered due to alcohol or drug
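How FAR and FRR are tuned against each other, as an added worked example (not from the slides): constructed matcher scores for genuine and impostor attempts, the two rates at a series of acceptance thresholds, the equal-error operating point, and the effect of a degraded characteristic (a finger wound, an altered voice) on the rejection rate at a fixed threshold. The scores are invented for illustration.

```python
# Constructed matcher scores in [0, 1]; higher means "closer to the enrolled template".
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.60, 0.95, 0.70, 0.85]    # the legitimate user
IMPOSTOR = [0.20, 0.35, 0.55, 0.62, 0.15, 0.40, 0.30, 0.66]   # other people
THRESHOLDS = [0.5, 0.6, 0.7, 0.8, 0.9]

def rates(genuine, impostor, threshold):
    """A score >= threshold is accepted.
    FAR = fraction of impostor attempts accepted;
    FRR = fraction of genuine attempts rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def tradeoff(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR): raising the threshold lowers FAR and
    raises FRR, which is the 'partly tuned' of the slide."""
    return [(t, *rates(genuine, impostor, t)) for t in thresholds]

def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest: the usual single-number
    summary of a device's accuracy."""
    def gap(t):
        far, frr = rates(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)

def degraded(scores, penalty):
    """Variable biological characteristics lower the genuine scores; at a fixed
    threshold that appears as a higher FRR, not as a security gain."""
    return [max(0.0, s - penalty) for s in scores]
```

A cheaper sensor typically produces more overlap between the two score populations, so no threshold gives both a low FAR and a low FRR; that is the cost dependence the slide mentions.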
Slide 18: FAR / FRR
[Figure: FAR / FRR curves]

Kerberos
- Kerberos is a network authentication protocol system, initially developed as part of MIT project Athena
- provides authentication for client-server applications, and data integrity and confidentiality
- relies entirely on symmetric cryptography
- two versions in use: 4 & 5
Slide 19: Kerberos
- authentication service only; accounting and audit service were never implemented
- applies to an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network
- servers need to be able to restrict the access to authorized users and to authenticate requests for service
- workstations cannot be trusted to identify their users correctly to network services

Kerberos overview
- clients want service from a particular server
- an Authentication Server (AS) allows access to the service for a particular period of time
- How? Based on tickets
  - Ticket: specifies that a particular client (authenticated by the AS) has the right to obtain service from a specified server S
  - servers are able to verify the validity of tickets
- Realm: network under the control of an AS
- Principal: the name used to refer to the entries in the AS database; format: Name[/Instance]@REALM; example: pippo@example.com
Slide 20: Kerberos (cont.)
- servers must confirm the identities of clients; undertaking this task in an open environment places a significant burden on the server
- solution: use an authentication server (AS)
  - knows the password of all users (stored in a DB)
  - shares a unique secret key (e.g. s) with each server in the Kerberos domain, that is the set of systems that use Kerberos as authentication system (distributed physically or in some other secure manner)

Kerberos (simple authentication dialog), diagram: the AS (Authentication Server, holding K_S) receives the request from the client and returns {TGT}_s; the client then sends user ID, {TGT}_s to the (application) server.
Slide 21: Kerberos (simple authentication dialog)
- request: (user's ID, server's ID, user's password)
- AS checks its user DB:
  - whether the user supplied the correct password for this user ID
  - whether this user is permitted access to the server
- => the AS accepts the user as authentic and must convince the (application) server
  - creates {TGT}_s: (user's ID, network address, server's ID) encrypted with the shared secret s
  - the client cannot forge {TGT}_s
- server: verifies that the user ID in {TGT}_s = (sent) user ID?

Problems:
- user password sent in clear
- supposing each ticket can be used only once, the user needs to insert the password for each access request (e.g. to mail server, file server, etc.)
Solution: use two types of tickets with two different lifetimes:
- one ticket grants the right to ask for service; performed once per login session: ticket-granting ticket (TGT)
- for each type of service, use a ticket that grants the right to use that particular service: service-granting ticket (T_S)
  - every time that service is needed, use the T_S
- mark the time when tickets are issued and also the lifetime of tickets
Slide 22: Ticket Granting Server (TGS)
- new service: Ticket Granting Server (TGS)
  - TGS issues TGT tickets to users who have been authenticated to the AS
- the AS sends to the client a TGT demonstrating the user is authorized to receive a ticket for a service
  - only the legitimate user can recover the TGT, but cannot alter it because it is encrypted (by the AS) with the TGS's secret key
- the client module in the user workstation saves this ticket; each time the user requires access to a new service, the client applies to the TGS, using the TGT to authenticate itself
- based on the TGT, the user gets a T_S for a particular service

Kerberos high-level view (diagram): the AS (Authentication Server, holding K_UID and K_TGS) returns {TGT} to the client; the client presents the TGT to the TGS (Ticket Granting Server, holding K_S) and receives T_S; the client presents T_S with its request to the (application) server.
Slide 23: Kerberos ticket (TGT, T_S)
- data structure to authenticate a client to a server
- variable lifetime (V4: max 21 hours = 5 x 255) (V5: unlimited)
- encrypted with the DES key of the target server
- bound to the IP address of the client
- bound to just one principal
- simple or mutual authentication

Kerberos versions
- MIT V4 (the original public one)
- MIT V5 (RFC-1510): not only DES, extended ticket lifetime (begin-end), inter-realm authentication, forwardable ticket, message byte ordering
- OSF-DCE (Distributed Computing Environment from the Open Software Foundation): based on MIT V5, implemented as RPC rather than a message exchange protocol
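The AS / TGS / application-server flow of slides 21-23 as an added simulation (not MIT's Kerberos nor code from the slides): the AS checks the password and issues a TGT sealed with the TGS key, the TGS turns a valid TGT into a service ticket sealed with the service key, and every server checks the principal, the client address, the target and the lifetime before accepting. An HMAC-based encrypt-then-MAC construction stands in for the DES the slides mention, so a ticket sealed under the wrong key is detected as forged rather than decrypted to garbage; all keys, names and the user database are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed keys and user DB (none of these values come from the slides).
K_TGS = b"constructed-key-of-the-ticket-granting-server"
SERVICE_KEYS = {"mail": b"constructed-key-of-the-mail-server"}
USERS = {"pippo": "correct horse"}       # the AS knows every user's password
LIFETIME = 5 * 255 * 60                  # seconds: the V4 maximum of about 21 hours

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, ticket: dict) -> bytes:
    """Encrypt-then-MAC a ticket under the target server's key (assumption:
    HMAC-derived keystream plus HMAC tag in place of DES)."""
    pt = json.dumps(ticket, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket forged, altered, or sealed for another server")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def ticket_ok(t: dict, uid: str, addr: str, server: str, now: int) -> bool:
    """Checks every server performs: principal, client address, target, lifetime."""
    return (t["uid"] == uid and t["addr"] == addr and t["srv"] == server
            and t["issued"] <= now < t["issued"] + t["life"])

def as_login(uid: str, password: str, addr: str, now: int):
    """AS: check the password against its DB; issue {TGT}_K_TGS once per login session."""
    if USERS.get(uid) != password:
        return None
    return seal(K_TGS, {"uid": uid, "addr": addr, "srv": "tgs",
                        "issued": now, "life": LIFETIME})

def tgs_get_ticket(tgt: bytes, uid: str, addr: str, service: str, now: int):
    """TGS: a valid TGT earns a service-granting ticket T_S sealed with K_S."""
    try:
        t = unseal(K_TGS, tgt)
    except ValueError:
        return None
    if not ticket_ok(t, uid, addr, "tgs", now) or service not in SERVICE_KEYS:
        return None
    return seal(SERVICE_KEYS[service], {"uid": uid, "addr": addr, "srv": service,
                                        "issued": now, "life": LIFETIME})

def server_accept(service: str, ticket: bytes, uid: str, addr: str, now: int) -> bool:
    """Application server: only its own key opens a T_S, so clients cannot forge one."""
    try:
        t = unseal(SERVICE_KEYS[service], ticket)
    except ValueError:
        return False
    return ticket_ok(t, uid, addr, service, now)
```

The password crosses the wire only in the `as_login` step, once per session, which is the improvement slide 21 is after; the address and lifetime fields are what slide 23 means by a ticket being bound to the client's IP and having a variable lifetime.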
Slide 24: SSO (Single Sign-On)
- the user has a single credential to authenticate himself and access any service in the system
- fictitious SSO: client for automatic password synchronization / management (alias "password wallet")
  - specific for some applications only
- integral SSO: multi-application authentication techniques (e.g. asymmetric challenge, Kerberos)
  - likely requires a change in the applications
Source deck: Authentication systems (auth - april 2012), Diana Berbecaru <diana.berbecaru@polito.it>, Politecnico di Torino, Dip. Automatica e Informatica.
More informationAuthentication. Agenda. IT Security course Lecture April 14 th 2003. Niels Christian Juul 2. April 14th, 2003
Authentication IT Security course Lecture April 14 th 2003 Niels Christian Juul Computer Science, building 42.1 Roskilde University Universitetsvej 1 P.O. Box 260 DK-4000 Roskilde Denmark Phone: +45 4674
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationNetwork Security 1 Module 4 Trust and Identity Technology
Network Security 1 Module 4 Trust and Identity Technology 1 Learning Objectives 4.1 AAA 4.2 Authentication Technologies 4.3 Identity Based Networking Services (IBNS) 4.4 Network Admission Control (NAC)
More informationEnhancing Web Application Security
Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor
More informationMobile OTPK Technology for Online Digital Signatures. Dec 15, 2015
Mobile OTPK Technology for Online Digital Signatures Dec 15, 2015 Presentation Agenda The presentation will cover Background Traditional PKI What are the issued faced? Alternative technology Introduction
More informationApplying Cryptography as a Service to Mobile Applications
Applying Cryptography as a Service to Mobile Applications SESSION ID: CSV-F02 Peter Robinson Senior Engineering Manager RSA, The Security Division of EMC Introduction This presentation proposes a Cryptography
More informationEntrust IdentityGuard
+1-888-437-9783 sales@identisys.com IdentiSys.com Distributed by: Entrust IdentityGuard is an award-winning software-based authentication enterprises and governments. The solution serves as an organization's
More informationTELE 301 Network Management. Lecture 16: Remote Terminal Services
TELE 301 Network Management Lecture 16: Remote Terminal Services Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1 Today s Focus Remote Terminal Services
More information2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec
2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec TECHNOLOGY WHITEPAPER DSWISS LTD INIT INSTITUTE OF APPLIED INFORMATION TECHNOLOGY JUNE 2010 V1.0 1 Motivation With the increasing
More informationEndpoint Security VPN for Windows 32-bit/64-bit
Endpoint Security VPN for Windows 32-bit/64-bit E75.20 User Guide 13 September 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected
More informationKerberos. Login via Password. Keys in Kerberos
Kerberos Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Secure Applications Network Authentication Service: Kerberos
More informationInternational Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) ISSN 0976 6367(Print) ISSN 0976 6375(Online) Volume 4, Issue 6, November - December (2013), pp. 62-69 IAEME: www.iaeme.com/ijcet.asp Journal
More informationCERTIFICATE-BASED SINGLE SIGN-ON MECHANISM FOR MULTI-PLATFORM DISTRIBUTED SYSTEMS Magyari Attila*, Genge Bela**, Haller Piroska**
CERTIFICATE-BASED SINGLE SIGN-ON MECHANISM FOR MULTI-PLATFORM DISTRIBUTED SYSTEMS Magyari Attila*, Genge Bela**, Haller Piroska** Petru Maior University of Tirgu Mures Nicolae Iorga Str., No. 1, Mures
More informationStrong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012
Strong authentication of GUI sessions over Dedicated Links ipmg Workshop on Connectivity 25 May 2012 Agenda Security requirements The T2S U2A 2 Factor Authentication solution Additional investigation Terminal
More informationModule 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationCommon Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July 2006. The OWASP Foundation http://www.owasp.org/
Common Pitfalls in Cryptography for Software Developers OWASP AppSec Israel July 2006 Shay Zalalichin, CISSP AppSec Division Manager, Comsec Consulting shayz@comsecglobal.com Copyright 2006 - The OWASP
More informationAuthentication in WLAN
Authentication in WLAN Flaws in WEP (Wired Equivalent Privacy) Wi-Fi Protected Access (WPA) Based on draft 3 of the IEEE 802.11i. Provides stronger data encryption and user authentication (largely missing
More informationCiphire Mail. Abstract
Ciphire Mail Technical Introduction Abstract Ciphire Mail is cryptographic software providing email encryption and digital signatures. The Ciphire Mail client resides on the user's computer between the
More informationTwo SSO Architectures with a Single Set of Credentials
Two SSO Architectures with a Single Set of Credentials Abstract Single sign-on (SSO) is a widely used mechanism that uses a single action of authentication and authority to permit an authorized user to
More informationInformation Security
Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked
More informationBiometric SSO Authentication Using Java Enterprise System
Biometric SSO Authentication Using Java Enterprise System Edward Clay Security Architect edward.clay@sun.com & Ramesh Nagappan CISSP Java Technology Architect ramesh.nagappan@sun.com Agenda Part 1 : Identity
More informationSAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011
NetWeaver Single Sign-On Product Management NetWeaver Identity Management & Security June 2011 Agenda NetWeaver Single Sign-On: Solution overview Key benefits of single sign-on Solution positioning Identity
More informationMultifactor authentication systems Jiří Sobotka, Radek Doležel
Multifactor authentication systems Jiří Sobotka, Radek Doležel Fakulta elektrotechniky a komunikačních technologií VUT v Brně Email: sobotkaj@feec.vutbr.cz Fakulta elektrotechniky a komunikačních technologií
More informationScenario. Roadmap. ! The simplified architecture! The complete architecture Pre-authentication Delegation. Realms
erberos' erberos! erberos is based on the Needham-Schroeder protocol (1978)! erberos was developed at MIT in1980! erberos V4 and erberos V5 (RFC 1510)! erberos if part of OSF DCE and Windows 2 (e later)!
More informationCent ralized Out -Of-Band Aut hent ic at ion Syst em. Authentication Security for the 21 st Century
Cent ralized Out -Of-Band Aut hent ic at ion Syst em Security for the 21 st Century Presented by: Southeast Europe Cybersecurity Conference Sophia, Bulgaria September 8-9, 2003 Introduction Organizations
More informationSingle Sign-On Secure Authentication Password Mechanism
Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,
More informationAbout the white paper: The pressure to demonstrate compliance with standards and regulations such as Sarbanes Oxley, HIPAA, PCI DSS and Basel II,
TWO FACTOR AUTHENTICATION FOR THE IBM SYSTEM i WHITE PAPER MAY 2010 About the white paper: The pressure to demonstrate compliance with standards and regulations such as Sarbanes Oxley, HIPAA, PCI DSS and
More informationSSL A discussion of the Secure Socket Layer
www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record
More informationWhite Paper. Options for Two Factor Authentication. Authors: Andrew Kemshall Phil Underwood. Date: July 2007
White Paper Options for Two Factor Authentication Authors: Andrew Kemshall Phil Underwood Date: July 2007 Page 1 Table of Contents 1. Problems with passwords 2 2. Issues with Certificates (without Smartcards)
More information