Authenticating Humans
- Herbert Hall
- 8 years ago
29 Oct 2015

Authenticating Humans
CSCD27 Computer and Network Security 1

Authenticating Computers and Programs
- Computers and programs need to authenticate one another, e.g.:
  - mutual-authentication mechanisms using nonces and symmetric keys
  - SSL/HTTPS server authentication based on a CA-signed certificate
- What about human beings?

CSCD27F Computer and Network Security 1
Authenticating Humans
- What evidence can you provide to prove that you are who you say you are, or at least that you are someone authorized to do something?
  - to another human? EXAMPLES?
  - to a machine (computer, program)? EXAMPLES?
- Is this a hypothetical (e.g. sci-fi) scenario, or something we do routinely in our daily lives?
- Can we solve the problem of authentication-based attacks by eliminating authentication?

Passwords as Authenticators
- An example of security based on what you know, vs. what you have (e.g. RFID transponder) or what you are (e.g. biometrics)
- Humans prefer short, memorable key values (commonly 8 characters, 56/64 bits if using ASCII)
- Can use directly, or as the basis for constructing a longer key
  - directly, e.g. as a DES 56-bit key
  - can't use directly for RSA p, q; but could use as a random-number-generator seed to generate p, q
- Commonly used by operating systems and Web applications as a way of checking that the user is who they say they are
- Challenges: easy to remember, hard to guess, keeping it secret
Passwords in Practice (the grim reality)
- Security policies can have unintended consequences, e.g.:
  - Should use a different password for each account -> users actually use a single password
  - Passwords must be at least N characters -> users pad shorter passwords
  - Passwords must not be dictionary words (must be truly random, i.e. high entropy), checked or generated by a program -> users write down passwords or store them in an unencrypted file
  - Passwords must contain a mix of upper/lower-case letters and digits -> users add the digit 1 to a shorter password, or reuse the same password with an upper-case initial character
  - Passwords must be changed regularly -> users append the date to a password whose core remains static

Passwords in Practice
- A large proportion of passwords in the wild are exceptionally weak, e.g. the top-10 from the RockYou.com password database breach in 2009 (accounting for 2% of 32 million passwords), including: password, 5. iloveyou, 6. princess, rockyou, abc123
Passwords in Practice (significance)
- OK, the average person is not very savvy when it comes to password selection; so what?
- Sometimes you can't protect people from themselves, no matter how hard you try
- Imagine that you are a sys/network admin for a company. You take care to select appropriately secure passwords for system/admin accounts, and for yourself
- If some staff member doesn't follow your advice and chooses one of those top-10 passwords (password, 5. iloveyou, 6. princess, rockyou, abc123) as their own, does that affect you (or your employer)? Why/why not?

Passwords as Authenticators
- Advantages: portable, standalone
  - a user-remembered password can be used anywhere
  - no additional client-side certificates or technology required (but many advocate multi-factor authentication)
- Defending against attacks
  - The network should not send cleartext passwords
    - can you think of a situation that violates this rule?
  - Malicious users should not have the opportunity to conduct offline dictionary attacks
    - what's the harm, if a password is well chosen?
  - A malicious server (as in phishing) should not learn the password by communicating with an honest user
    - want to protect users from accidentally divulging passwords to 3rd parties
Password System: First Attempt
- Basic password system: a file with username, password records (colon delimited):
  john:car
  mary:chariot
  joe:czablozk
- Simple to implement, but risky
  - If an attacker gets a copy of the password file, all user accounts are compromised
  - maybe even worse if these account names and passwords are used on other systems too, a common behavior

Password Encryption
- Idea: rather than storing passwords in plaintext, why not encrypt them!
- Advantage: if the password file is stolen, passwords are not (immediately) compromised
- Encrypt at the client side for secure transmission
- Server could decrypt (e.g. DES, AES) to check
- Issues:
  - key exchange with the client side?
  - key storage: what if the server key is compromised??
  - ugh, cure worse than the disease?
- If only we had a way to encrypt without a key; have we seen an example of that?
Password Encryption
- Insight: the server doesn't actually require users' plaintext passwords; it only needs to match what users supplied at the time the account was created
- Could thus use one-way encryption, using what?
- Even better than encryption: now there is no way to decrypt!
  - if the password file is stolen, passwords are not compromised
  - a nosy sysadmin can't read your password
- Have we seen a suitable way to encrypt one-way?
- Use a secure hash function: one-way (pre-image resistance) and 2nd-preimage resistance
  - e.g. store the SHA-1 hash rather than the plaintext password

Hashed Passwords
[Diagram: user supplies the password "pomegranate" to the hash function; the password file stores only hash values such as :exrygbzyf:, :kgnosfixa:, :ggjoklbsz:]
Basic Hashed-Password Setup
- User chooses a password
- The hash of the password is stored in the password file
- User logs into the system by supplying the password
- System computes the hash of the supplied password and compares it to the hash value stored in the password file
- Attacks
  - Online dictionary attack
    - try to log in by repeatedly guessing the password (defense?)
  - Offline dictionary attack
    - steal the password file, search for a string with hash(string) in the password file (tells you what?)

Dictionary Attacks
- Attacker obtains the password file:
  joe   9Mfsk4EQ...
  mary  AEd62KRD...
  john  J3mhF7Mv...
- Online: test guesses against the live system
- Offline: attacker steals the password file, then tests guesses
  - Summer 2012: LinkedIn, 6M hashed passwords posted online (on a .ru site)
- Attacker computes possible password hashes (using words from a dictionary):
  h(car) = 9Mfsk4EQ...
  h(cello) = z5wcujwe...
  h(chariot) = AEd62KRD...
  h(daft) = tvj/d6r4...
- mary has password chariot!
Middle Earth Dictionary Attacks
[image slide; no text]

Dictionary Attack: some numbers
- If passwords were actually random strings
  - Assuming a seven-character password
  - upper- and lowercase letters, digits, 32 punctuation characters (94 symbols)
  - 64,847,759,419,264 possible values (94^7); maybe a reasonable deterrent
  - But could users remember them? And if not?
- Typical password dictionary: 1,000,000 entries of common passwords
  - ordinary words, people's names, place names, etc.
- Suppose you generate and analyze 10 guesses per second
  - this may be reasonable for a Web site; offline is much faster
- Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
- Reality check: a GPU can do up to 3B hash calculations per second
Dictionary Attack Mitigation
- How could dictionary attacks be thwarted?
- Problem: a dictionary attacker can immediately see which users have the same password; crack one instance and you get the whole set
- Problem: once an attacker hashes a dictionary into a table of hash values, that precomputed table can be used against all systems (with the same OS/version); why?
- Goal: mitigate both problems
  - block the use of precomputed lookup tables
  - randomize same-password hashes

Idea: Salt
- Unix password file entry: alice:furfuu4.4hy0u:129:129:admin:/home/alice:/bin/csh
[Diagram: the password input is used as the key, constant 0 as the plaintext, with the salt, through 25x DES; the resulting ciphertext is compared with the stored entry]
- Where does the salt come from? chosen randomly when the password is set, e.g. clock time
- Why constant 0? Just encrypting a null plaintext
- Now users with the same password have different entries in the password table, across all systems; an attack table must account for all possible hash values (attack cost now much higher)
Idea: Salt
- Unix password file entry: alice:furfuu4.4hy0u:129:129:admin:/home/alice:/bin/csh
[Diagram: the password input and the salt are concatenated and hashed; the hash value is compared with the stored entry]
- Where does the salt come from? chosen randomly when the password is set, e.g. clock time
- Same idea as the prior slide, but with a secure hash rather than DES
- Now users with the same password have different entries in the password table, across all systems; an attack table must account for all possible hash values (attack cost now much higher)

Advantages of Salting
- Without salt, an attacker can pre-compute hashes of all dictionary words once, for all password entries
  - same hash function on all same-version Linux/UNIX machines
  - one table of hash values can be used for all password files
  - therefore an attacker is willing to expend considerable effort to build this table
- With salt, the attacker must recompute the hashes of all dictionary words for each possible salt value
- With the original Unix 12-bit random salt, the same password can hash to 2^12 different values (now 48- to 128-bit values are used)
  - users with the same password have different hashed password values
  - minimal incremental effort to implement salting
- The attacker must try all dictionary words for each salt value in the password file: a huge change in cost/effort for the attack
Shadow Passwords
- Dictionary attacks still possible with salt?
  - if you have an account on the target system, the /etc/passwd file is readable: perform a dictionary attack for each salt found
  - why is the /etc/passwd file readable?!
- Idea: store hashed passwords in the /etc/shadow file, readable only by the system administrator (and root programs)
- Password file entry: alice:x:129:129:admin:/home/alice:/bin/csh
  - the hashed password is no longer stored in a world-readable file
- But always keep in mind the weakest link: system backups? Stored where?
More informationPLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.
PLATFORM ENCRYPTlON ARCHlTECTURE How to protect sensitive data without locking up business functionality. 1 Contents 03 The need for encryption Balancing data security with business needs Principles and
More informationChapter 7: Network security
Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport
More informationSecure Storage. Lost Laptops
Secure Storage 1 Lost Laptops Lost and stolen laptops are a common occurrence Estimated occurrences in US airports every week: 12,000 Average cost of a lost laptop for a corporation is $50K Costs include
More informationHOW ENCRYPTION WORKS. Introduction to BackupEDGE Data Encryption. Technology Overview. Strong Encryption BackupEDGE
HOW ENCRYPTION WORKS Technology Overview Strong Encryption BackupEDGE Introduction to BackupEDGE Data Encryption A major feature of BackupEDGE is the ability to protect archives containing critical client
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationPenetration Testing Report. Client: xxxxxx Date: 19 th April 2014
1. Executive Summary Penetration Testing Report Client: xxxxxx Date: 19 th April 2014 On the 19th of April, a security assessment was carried out on the internal networks of xxxxxx, with the permission
More informationNetwork Security. HIT Shimrit Tzur-David
Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationInternet Banking Two-Factor Authentication using Smartphones
Internet Banking Two-Factor Authentication using Smartphones Costin Andrei SOARE IT&C Security Master Department of Economic Informatics and Cybernetics Bucharest University of Economic Studies, Romania
More informationStrong and Convenient Multi-Factor Authentication on Mobile Devices
Strong and Convenient Multi-Factor Authentication on Mobile Devices Francisco Corella, PhD fcorella@pomcor.com Karen Lewison, MD kplewison@pomcor.com Revised September 6, 2012 Executive Summary Authentication
More informationKerberos. Guilin Wang. School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk
Kerberos Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Entity Authentication and Key Exchange In the last talk, we discussed key exchange and reviewed some concrete
More informationProtecting GoldMine CRM database with DbDefence
Protecting GoldMine CRM database with DbDefence Version 1.1, 26 July 2013 Introduction As the backbone of any digital venture, databases are essential to the running of organizations, whether they be enormous
More informationπωχ Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers
Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Lotus Domino is inherently secure...a Misconception!!! Security is Not Automatic!!!! Slide #2 Security Requires Planning Design
More informationModern two-factor authentication: Easy. Affordable. Secure.
Modern two-factor authentication: Easy. Affordable. Secure. www.duosecurity.com Your systems and users are under attack like never before The last few years have seen an unprecedented number of attacks
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationDiscovering passwords in the memory
Discovering passwords in the memory Abhishek Kumar (abhishek.kumar@paladion.net) November 2003 Escalation of privileges is a common method of attack where a low privileged user exploits a vulnerability
More information