CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity



Similar documents
Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Authentication Types. Password-based Authentication. Off-Line Password Guessing

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Research Article. Research of network payment system based on multi-factor authentication

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Authenticating Humans

Introduction to Computer Security

Introducing etoken. What is etoken?

Secure Remote Password (SRP) Authentication

Advanced Authentication

ADVANCE AUTHENTICATION TECHNIQUES

User Identification and Authentication Concepts

A Security Survey of Strong Authentication Technologies

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Dashlane Security Whitepaper

Authentication Protocols

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Moving to Multi-factor Authentication. Kevin Unthank

IDRBT Working Paper No. 11 Authentication factors for Internet banking

Cryptography and Network Security Digital Signature

Two-Factor Authentication and Swivel

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

ARCHIVED PUBLICATION

Applying Cryptography as a Service to Mobile Applications

Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts o. Presented by: Smitha Sundareswaran Chi Tsong Su

CSE/EE 461 Lecture 23

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

French Justice Portal. Authentication methods and technologies. Page n 1

Guidance on Multi-factor Authentication

A Method of Risk Assessment for Multi-Factor Authentication

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

CSCI 454/554 Computer and Network Security. Final Exam Review

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

White Paper: Multi-Factor Authentication Platform

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Two-Factor Authentication Making Sense of all the Options

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Biometric For Authentication, Do we need it? Christophe Rosenberger GREYC Research Lab - France

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

INF3510 Information Security. Lecture 8: User Authentication. University of Oslo Spring 2015

Client Server Registration Protocol

Enhancing Web Application Security

White Paper. Options for Two Factor Authentication. Authors: Andrew Kemshall Phil Underwood. Date: July 2007

SSL Protect your users, start with yourself

Hash Functions. Integrity checks

Securing Cloud Applications with Two-Factor Authentication

1. a. Define the properties of a one-way hash function. (6 marks)

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

WHITE PAPER Usher Mobile Identity Platform

Multi Factor Authentication API

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Managed Portable Security Devices

Midterm 2 exam solutions. Please do not read or discuss these solutions in the exam room while others are still taking the exam.

CS 361S - Network Security and Privacy Spring Homework #1

Criteria for web application security check. Version

SAP Single Sign-On 2.0 Overview Presentation

Securing the Connection with Remote Users Leveraging Strong Authentication and VPNs to Secure Access to the Enterprise

White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication

The Security Behind Sticky Password

Authentication requirement Authentication function MAC Hash function Security of

User Authentication Guidance for IT Systems

Creating Trust Online TM. Comodo Mutual Authentication Solution Overview: Comodo Two Factor Authentication Comodo Content Verification Certificates

Digital Signatures on iqmis User Access Request Form

One Time Password Generation for Multifactor Authentication using Graphical Password

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

Multi-Factor Authentication

Internet Banking Two-Factor Authentication using Smartphones

Authentication in WLAN

Chapter 15 User Authentication

Security: Focus of Control. Authentication

Security Levels for Web Authentication using Mobile Phones

TELE 301 Network Management. Lecture 16: Remote Terminal Services

CRYPTOGRAPHY AS A SERVICE

Section 12 MUST BE COMPLETED BY: 4/22

International Journal of Software and Web Sciences (IJSWS)

Two Factor Authentication for VPN Access

Strong Authentication for Secure VPN Access

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

How To Protect Your Data From Attack

Topics in Network Security

Entrust IdentityGuard

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Our Key Security Features Are:

The Password Problem Will Only Get Worse

E-Book Security Assessment: NuvoMedia Rocket ebook TM

Improving Online Security with Strong, Personalized User Authentication

Transcription:

CSC 474 -- Network Security Topic 6.2 User Authentication CSC 474 Dr. Peng Ning 1 User Authentication Basics CSC 474 Dr. Peng Ning 2 Authentication and Identity What is identity? which characteristics uniquely identifies a person? do we care if identity is unique? Authentication: verify a user s identity a supplicant wishes to authenticate a verifier performs the authentication What s relationship of identity to role, or job function? CSC 474 Dr. Peng Ning 3 1

User Authentication Can Be Based On 1. What the user knows passwords, personal information, a key, a credit card number, etc. 2. Where the user is or can be reached email address, IP address, 3. Physical characteristics of the user fingerprints, voiceprint, signature dynamics, iris pattern, DNA, etc. 4. What the user has in their possession smart card, (physical) key, USB token, CSC 474 Dr. Peng Ning 4 Based on (cont d) Which of the above is best? best in what way? CSC 474 Dr. Peng Ning 5 Crypto-Based Authentication Basic idea: user performs a requested cryptographic operation on a value (a challenge) that the verifier supplies Usually based on knowledge of a key (secret key or private key) Examples: RSA, zero knowledge proofs, we ll look at such protocols in more detail next time CSC 474 Dr. Peng Ning 6 2

Address-Based User Authentication Associates identity with network address or email address used by many web services Several early OS functions and tools worked this way Benefits? Problems? CSC 474 Dr. Peng Ning 7 Password Authentication CSC 474 Dr. Peng Ning 8 Password-Based User Authentication User demonstrates knowledge of a secret value to authenticate most common method of user authentication response challenge Threats to password-based authentication? CSC 474 Dr. Peng Ning 9 3

Some Issues for Password Systems A password should be easy to remember but hard to guess that s difficult to achieve! Some questions what makes a good password? where is the password stored, and in what form? how is knowledge of the password verified? CSC 474 Dr. Peng Ning 10 Password Storage Storing unencrypted passwords in a file is high risk compromising the file system compromises all the stored passwords Better idea: use the password to compute a one-way function (e.g., a hash, an encryption), and store the output of the one-way function When user inputs the requested password 1. compute its one-way function 2. compare with the stored value CSC 474 Dr. Peng Ning 11 Attacks on Passwords Suppose passwords could be up to 9 characters long This would produce 10 18 possible passwords; 320,000 years to try them all at 10 million a second! Unfortunately, not all passwords are equally likely to be used CSC 474 Dr. Peng Ning 12 4

Example of a Study In a sample of over 3000 passwords: 500 were easily guessed versions of dictionary words or first name / last name 86% of passwords were easily guessed Length in characters 1 2 3 4 5 6 Number of passwords 15 72 464 477 706 605 (lower case only) CSC 474 Dr. Peng Ning 13 Common Password Choices Pet names Common names Common words Dates Variations of above (backwards, append a few digits, etc.) CSC 474 Dr. Peng Ning 14 Online Dictionary Attacks Can statically create a dictionary of all such choices Guess passwords using a dictionary Send guesses to verifier for confirmation or refutation response challenge Dictionary Effective? Possible defensive techniques? CSC 474 Dr. Peng Ning 15 5

Offline Dictionary Attacks Obtain password file with hashed password values Guess passwords, compute hash, and compare with values stored in file much faster than offline attacks! Dictionary response challenge Effective? Possible defenses? CSC 474 Dr. Peng Ning 16 Salting the Password Many systems append to each password a random value (salt) before computing the one-way function value is fixed and unique per user stored with user s hash value in the password file Increases the effort required for offline dictionary attacks each bit of salt doubles the effort required dictionaries with precomputed hashes of common passwords will not be useful Doesn t increase resistance to online attacks? CSC 474 Dr. Peng Ning 17 Example: Unix Passwords Keyed password hashes are stored, with twocharacter (16 bit) salt prepended password file is publicly readable Users with identical passwords but different salt values will have different hash values CSC 474 Dr. Peng Ning 18 6

Password Guidelines For Users 1.Initial passwords are system-generated, have to be changed by user on first login 2.User must change passwords periodically 3.Passwords vulnerable to a dictionary attack are rejected 4.User should not use same password on multiple sites 5.etc. etc. CSC 474 Dr. Peng Ning 19 Other Password Attacks Technical eavesdropping on traffic that may contain unencrypted passwords (especially keystroke logging) trojan horse password entry programs man-in-the-middle network attack Social careless password handling or sharing phishing CSC 474 Dr. Peng Ning 20 The S/Key Protocol CSC 474 Dr. Peng Ning 21 7

Using Disposable Passwords Simple idea: generate a long list of passwords, use each only one time attacker gains little/no advantage by eavesdropping on password protocol, or cracking one password Disadvantages storage overhead users would have to memorize lots of passwords! Alternative: the S/Key protocol based on use of one-way (e.g. hash) function CSC 474 Dr. Peng Ning 22 S/Key Password Generation 1. Alice selects a password x 2. Alice specifies n, the number of passwords to generate 3. Alice s computer then generates a sequence of passwords x 1 = H(x) x (Password) x 2 = H(x 1 ) H H H H x n = H(x n-1 ) x1 x2 x3 x4 CSC 474 Dr. Peng Ning 23 Generation (cont d) 4. Alice communicates (securely) to a server the last value in the sequence: x n Key feature: no one knowing x i can easily find an x i-1 such that H(x i-1 ) = x i only Alice possesses that information CSC 474 Dr. Peng Ning 24 8

Authentication Using S/Key Assuming server is in possession of x i Server i Alice x i-1 verifies H(x i-1 ) = x i Is dictionary attack still possible? CSC 474 Dr. Peng Ning 25 Limitations Value of n limits number of passwords need to periodically regenerate a new chain of passwords Does not authenticate server! Example attack: 1. real server sends i to fake server, which is masquerading as Alice 2. fake server sends i to Alice, who responds with x i- 1 3. fake server then presents x i-1 to real server CSC 474 Dr. Peng Ning 26 Biometrics CSC 474 Dr. Peng Ning 27 9

Biometrics Relies upon physical characteristics of people to authenticate them Desired qualities 1. uniquely identifying 2. very difficult to forge / mimic 3. highly accurate, does not vary 4. easy to scan or collect 5. fast to measure / compare 6. inexpensive to implement Which of these are concerns for passwords? CSC 474 Dr. Peng Ning 28 Assessment Convenient for users (e.g., you always have your fingerprints, never have to remember them), but potentially troubling sacrifice of private information no technique yet has all the desired properties CSC 474 Dr. Peng Ning 29 Example Biometric Technologies Signature / penmanship / typing style Fingerprints Palm geometry Retina scan Iris scan Face recognition Voice recognition CSC 474 Dr. Peng Ning 30 10

The Scorecard From One Study CSC 474 Dr. Peng Ning 31 Multifactor Authentication If one characteristic is pretty good, two or more characteristics should be better? Suppose true positive rate was AND of the two, and false positive rate was OR of the two TP = TP1 * TP2 FP = 1 - (1-FP1)*(1-FP2) Alternative: combine a biometric technique with passwords CSC 474 Dr. Peng Ning 32 Authentication Hardware (Tokens) CSC 474 Dr. Peng Ning 33 11

Tokens A token is a physical device that can be interfaced to the computer, and carries identifying information Types passive tokens just store information active tokens have processors and can perform cryptographic operations Examples cards with magnetic strips smart cards USB storage devices RFID tags CSC 474 Dr. Peng Ning 34 Design Issues for Tokens Cost Size Capabilities Robustness Resistance to tampering Usefulness if stolen / lost CSC 474 Dr. Peng Ning 35 An Example:Time Synchronized Tokens The token contains: internal clock display a secret key Token computes a one-way function of current time+key, and displays that this value changes about once per minute User reads this value and types it in to authenticate to the server requires that server and token time stays synchronized CSC 474 Dr. Peng Ning 36 12

Another Example: Alladin etoken API / standards Security Algorithms Power source LCD Data retention PKCS#11 v2.01, CAPI (Microsoft Crypto API), Siemens/Infineon APDU commands, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE RSA 1024-bit / 2048-bit*, DES, 3DES, SHA1 Battery, 5 year lifetime 6 characters 10 years CSC 474 Dr. Peng Ning 37 Summary 1. Passwords are by far the most widely used form of authentication, despite numerous problems 2. Biometrics hold promise but are expensive, inconvenient, and compromise privacy 3. Two factor authentication is commonly used for higher security 4. One-time passwords (S/Key) are attractive, especially if combined with hardware CSC 474 Dr. Peng Ning 38 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information