G53SEC - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
G53SEC
Authentication and Identification: Who? What? Where?

2
Coursework
  • NOT team work
  • You will need to solve TWO problems: a firewall AND a spam filter
  • Labs will start from next week onwards
  • Submission deadline will be BEFORE EASTER BREAK
  • Some useful hints about the coursework will be given to you within the next couple of weeks (after you start working on the problems)

3
Overview of Today's Lecture
  • Username and Password
  • Managing Passwords
  • Choosing Passwords
  • Spoofing Attacks
  • Protecting the Password File
  • Single Sign-On
  • Alternative Approaches
  • Summary

4
Username and Password
  • Identification: who you are
  • Authentication: the process of verifying a claimed identity
  • TOCTTOU: time of check to time of use
  • Repeated authentication
    - at the start as well as during a session

5
Username and Password (continued)
  • First line of defence
  • Widely accepted
  • Not too difficult to implement
  • Managing passwords is expensive
  • A common way for attackers to get in

6
Examples of potential hazards
  • forgotten passwords
  • password guessing
  • password spoofing
  • compromise of the password file
  • Remember
    - The user has a vital role in password protection

7
Managing Passwords
  • Password: a secret between user and system
  • Issues
    - Does the password end up in the right hands?
    - Interception?
    - No password yet?
  • New passwords: a delay is OK
  • Forgotten passwords: an instant remedy is necessary

8
Choosing Passwords
  • Critical security issue
  • Keeping the probability of guessing to a minimum
  • Guessing strategies
    - Exhaustive search (brute force)
    - Intelligent search, e.g. dictionary attack

9
Choosing Passwords (continued)
  • Defences
    - Change default passwords
    - Password length
    - Password format
    - Avoid obvious passwords

10
Choosing Passwords (continued)
  • Further security improvements
    - Password checkers
    - Password generation
    - Password aging
    - Limit login attempts
  • A combination of all of those: the highest security?

11
Choosing Passwords (continued)

12
Choosing Passwords (continued)
  • People forget
  • Contact an operator
    - Opens a way for a new attack: social engineering
  • Regularly used passwords are best remembered
  • Tip: don't change passwords before the weekend or holidays

13
Spoofing attacks
  • Unilateral authentication: one way
  • No guarantee about the end system
  • Spoofing attack, e.g. a fake login screen
  • Prevention
    - display failed login attempts
    - trusted path (e.g. Ctrl+Alt+Del)
    - mutual authentication

14
Spoofing attacks (continued)
  • Password caching
    - password temporarily stored (buffer, cache, web page)
    - beyond the control of the user
    - sometimes for too long

15
Protecting the Password File
  • Password compared to an entry in a password file
  • An attractive target for an attacker
  • Protection
    - Cryptography
    - Access control enforced by the OS
    - Combination of the above

16
Cryptography
  • One-way function: a function that is relatively easy to compute but significantly harder to undo or reverse.
    - x -> f(x): easy
    - f(x) -> x: hard
  • f(x) is stored in the password file
  • Stored f(x) is compared to the f(x) computed from the x supplied by the user

17
Access Control
  • Restricts access to files and resources to users with appropriate privileges
  • Password file can't be world readable
    - otherwise off-line dictionary attacks become possible
  • or writeable
    - otherwise anyone could change passwords

18
Access Control (continued)
  • Password salting
    - Password + additional info (salt) -> encrypt
  • Remember
    - A combination of mechanisms can enhance protection
    - Separate security-relevant and openly available data (e.g. /etc/passwd and shadow password files)

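The one-way function of slide 16 and the salting of slide 18 together, as an added worked example that is not part of the lecture slides: the password file stores only the salt and f(salt, x), verification recomputes f from the x the user supplies, and the same password yields different entries under different salts. PBKDF2-HMAC-SHA256 as f, the record format and the function names are this example's own assumptions.

```python
"""Added example, not from the lecture slides: a minimal salted, one-way
password store following the f(x) and salting discussion. The record
format and function names are this example's own assumptions."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor: makes off-line dictionary attacks slower


def one_way(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """f(x): cheap to compute from x, infeasible to reverse back to x.
    PBKDF2-HMAC-SHA256 plays the role of f here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Entry stored in the password file: the salt and f(salt, x), never x.
    A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = one_way(password, salt)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute f(salt, x) from the user-supplied x and compare it with the
    stored digest in constant time, so timing leaks nothing about the match."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    recomputed = one_way(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def salt_defeats_precomputation(password: str) -> bool:
    """Same password, two random salts, two different stored digests: one
    precomputed dictionary of f(x) values cannot be reused across users."""
    a, b = make_record(password), make_record(password)
    return a != b and verify(password, a) and verify(password, b)


if __name__ == "__main__":
    rec = make_record("correct-horse-battery")  # constructed sample password
    print(rec)
    print(verify("correct-horse-battery", rec))   # True
    print(verify("Correct-horse-battery", rec))   # False
    print(salt_defeats_precomputation("hunter2"))  # True
```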
19
Single Sign-On
  • Not convenient to repeatedly authenticate
    - whether with one or multiple passwords
  • Single Sign-On: the password is entered once, stored by the system and subsequently used to authenticate on your behalf.
  • Convenient
  • But new problems arise: storage of the password

20
Alternative Approaches used for Authentication
  • Something you know
  • Something you hold
  • Who you are
  • What you do
  • Where you are

21
Something You Know
  • Knowledge of a secret
    - Password
    - PIN
    - Personal details
  • Anybody who obtains your secret is YOU
  • No trace of passing the secret to someone else
  • Can you prove your innocence?

22
Something You Hold
  • Physical token
    - A key to a lock
    - Card (smart cards, RFID cards)
    - Identity tag
  • Can be lost or stolen
  • Again, the one in possession becomes you
  • Used in combination with something you know

23
Something You Are
  • Biometric schemes: unique physical characteristics
    - Face
    - Fingerprints
    - Iris patterns, etc.
  • Accuracy of training and authentication
    - forged fingers
    - mutilations
  • Acceptable to users?

24
Biometrics
  • Enrolment: collection and storage of reference templates
  • Identification: finding a user in a database of templates
  • Verification: comparison against the reference template of the identified user
  • Matching algorithm calculates the similarity between the reference template and the current reading. If the similarity is above a certain threshold, accept the user.

25
Biometrics
  • False positives: accepting the wrong user
  • False negatives: rejecting a legitimate user
  • A balance needs to be found!
  • State-of-the-art fingerprint recognition schemes have error rates of around 1-2%

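The threshold decision of slide 24 and the false positive / false negative balance of slide 25, as an added worked example that is not part of the lecture slides: constructed similarity scores for a genuine user and for impostors, the false accept and false reject rates at a given threshold, and the candidate threshold at which the two are closest to balanced. The scores and function names are this example's own assumptions.

```python
"""Added example, not from the lecture slides: the accept/reject decision of
a biometric verifier and the false-accept / false-reject trade-off that the
threshold controls. The scores are constructed sample values, not real
measurements."""
from typing import Sequence

# Constructed similarity scores in [0, 1] between a stored template and a
# fresh reading: one list for the genuine user, one for impostors.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.90, 0.64, 0.87, 0.93, 0.79]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.67, 0.30, 0.51, 0.18, 0.41, 0.74]


def accept(similarity: float, threshold: float) -> bool:
    """Verification rule from the slides: accept when the similarity between
    reference template and current reading reaches the threshold."""
    return similarity >= threshold


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """Fraction of impostor readings wrongly accepted (false positives)."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """Fraction of genuine readings wrongly rejected (false negatives)."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def balanced_threshold(genuine: Sequence[float], impostor: Sequence[float],
                       candidates: Sequence[float]) -> float:
    """Candidate threshold where FAR and FRR are closest (the equal-error
    operating point): raising the threshold trades false accepts for false
    rejects, lowering it does the opposite."""
    return min(candidates, key=lambda t: abs(false_accept_rate(impostor, t)
                                             - false_reject_rate(genuine, t)))


if __name__ == "__main__":
    for t in (0.60, 0.70, 0.80):
        print(f"threshold {t:.2f}: FAR={false_accept_rate(IMPOSTOR, t):.2f} "
              f"FRR={false_reject_rate(GENUINE, t):.2f}")
    grid = [i / 100 for i in range(50, 100, 5)]  # 0.50, 0.55, ..., 0.95
    print("balanced threshold:", balanced_threshold(GENUINE, IMPOSTOR, grid))
```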
26
What You Do
  • Mechanical tasks: repeatable and specific to the individual
    - Handwritten signatures: writing speed and pressure
    - Keyboard typing: speed and intervals between keys
  • Again needs to take into account false positives and negatives

27
Where You Are
  • Location of access
    - Operator console vs. arbitrary terminal
    - Office workstation vs. home PC
  • Geographical location
    - IP address or GPS for locating users
  • Not reliable on its own
  • Should be used in combination with other mechanisms

28
To remember
  • A password does not authenticate a person!
  • Successful authentication: the user knows a particular secret
  • No way of distinguishing a legitimate user from an attacker who obtained the user's credentials

29
Summary
  • Passwords (creation, management)
  • Attacks on passwords
  • Alternative approaches
  • Next week: Access Control

30
End