authentication
play

Authentication Fall 2017 Franziska (Franzi) Roesner - PowerPoint PPT Presentation

Aug 08, 2023 •165 likes •536 views

CSE 484 / CSE M 584: Computer Security and Privacy Authentication Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Authentication Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • Lab #2 due Wednesday 8pm • No class on Wednesday (or Friday) – Happy Thanksgiving! • Homework #3 out soon – Signup coming ASAP for the fuzzing part; the rest you can get started on orthogonally – Due 8pm Dec 8 (last day of class) • Final project reminder 11/25/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. Basic Problem ? How do you prove to someone that you are who you claim to be? Any system with access control must solve this problem. 11/25/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Many Ways to Prove Who You Are • What you know – Passwords – Answers to questions that only you know • Where you are – IP address, geolocation • What you are – Biometrics • What you have – Secure tokens, mobile devices 11/25/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. Passwords and Computer Security • In 2012, 76% of network intrusions exploited weak or stolen credentials (username/password) – Source: Verizon Data Breach Investigations Report • First step after any successful intrusion: install sniffer or keylogger to steal more passwords • Second step: run cracking tools on password files – Cracking needed because modern systems usually do not store passwords in the clear (how are they stored?) • In Mitnick’s “Art of Intrusion” 8 out of 9 exploits involve password stealing and/or cracking 11/25/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. UNIX-Style Passwords • How should we store passwords on a server? – In cleartext? “ cypherpunk ” – Encrypted? system password file – Hashed? t4h97t4m43 hash fa6326b1c2 function N53uhjr438 Hgg658n53 … user 11/25/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. Password Hashing • Instead of user password, store H(password) • When user enters password, compute its hash and compare with entry in password file – System does not store actual passwords! – System itself can’t easily go from hash to password • Which would be possible if the passwords were encrypted • Hash function H must have some properties – One-way: given H(password), hard to find password • No known algorithm better than trial and error – “Slow” to compute 11/25/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. UNIX Password System • Approach: Hash passwords • Problem: passwords are not truly random – With 52 upper- and lower-case letters, 10 digits and 32 punctuation symbols, there are 94 8 ≈ 6 quadrillion possible 8-character passwords (~2 52 ) – BUT: Humans like to use dictionary words, human and pet names ≈ 1 million common passwords 11/25/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Dictionary Attack • Dictionary attack is possible because many passwords come from a small dictionary – Attacker can pre-compute H(word) for every word in the dictionary – this only needs to be done once! • This is an offline attack • Once password file is obtained, cracking is instantaneous – Sophisticated password guessing tools are available • Take into account freq. of letters, password patterns, etc. 11/25/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. Salt franzi:fURxfg,4hLBX:14510:30:Franzi:/u/franzi:/bin/csh /etc/passwd entry salt (chosen randomly when password is first set) Password hash(salt,pwd) • Users with the same password have different entries in the password file • Offline dictionary attack becomes much harder 11/25/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. Advantages of Salting • Without salt, attacker can pre-compute hashes of all dictionary words once for all password entries – Same hash function on all UNIX machines – Identical passwords hash to identical values; one table of hash values can be used for all password files • With salt, attacker must compute hashes of all dictionary words once for each password entry – With 12-bit random salt, same password can hash to 2 12 different hash values – Attacker must try all dictionary words for each salt value in the password file • Pepper: Secret salt (not stored in password file) 11/25/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. Shadow Password franzi:x:14510:30:Franzi:/u/franzi:/bin/csh /etc/passwd entry Hashed password is no longer stored in a world-readable file Hashed passwords are stored in /etc/shadow file which is only readable by system administrator (root) 11/25/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. Other Password Security Risks • Keystroke loggers – Hardware – Software (spyware) • Shoulder surfing • Same password at multiple sites • Broken implementations – TENEX timing attack • Social engineering 11/25/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. Other Issues • Usability – Hard-to-remember passwords? – Carry a physical object all the time? • Denial of service – Attacker tries to authenticate as you, account locked after three failures • Social engineering 11/25/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. Default Passwords • Pennsylvania ice cream shop phone scam – Voicemail PIN defaults to last 4 digits of phone number; criminals change message to “I accept collect call ” , make $8600 on a 35-hour call to Saudi Arabia • Examples from Mitnick’s “Art of Intrusion” – U.S. District Courthouse server: “public” / “public” – NY Times employee database: pwd = last 4 SSN digits – “Dixie ban” ” : break into router (pwd=“administrator”), then into server (pwd=“administrator”), install keylogger to snarf other passwords (99% were “password123”) • Mirai IoT botnet – Weak and default passwords on routers and other devices 11/25/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. Weak Passwords • RockYou hack – “ Social gaming ” company – Database with 32 million user passwords from partner social networks – Passwords stored in the clear – December 2009: entire database hacked using an SQL injection attack and posted on the Internet – One of many such examples! 11/25/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. Weak Passwords • RockYou hack – “ Social gaming ” company – Database with 32 million user passwords from partner social networks – Passwords stored in the clear – December 2009: entire database hacked using an SQL injection attack and posted on the Internet 11/25/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. Password Usability 11/25/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. [Inglesant and Sasse, “ The True Cost of Unusable Password Policies ” ] Password Policies • Overly restrictive password policies… – 7 or 8 characters, at least 3 out of {digits, upper- case, lower-case, non-alphanumeric}, no dictionary words, change every 4 months, password may not be similar to previous 12 passwords… • … result in frustrated users and less security – Burdens of devising, learning, forgetting passwords – Users construct passwords insecurely, write them down • Can’t use their favorite password construction techniques (small changes to old passwords, etc.) – Heavy password re-use across systems 11/25/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. Image from http://www.interactivetools.com/staff/dave/damons_office/ 11/25/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. Recovering Passwords 11/25/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Wired Cover Story (Dec 2012) “This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat.” 11/25/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. “Mugged in London” Scam James Fallows in Nov 2011 issue of The Atlantic: “When she looked at her Inbox, and her Archives, and even the Trash and Spam folders in her account, she found—absolutely nothing.” 11/25/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. Improving(?) Passwords • Add biometrics – For example, keystroke dynamics or voiceprint • Graphical passwords – Goal: easier to remember? no need to write down? • Password managers – Examples: LastPass, KeePass, built into browsers – Can have security vulnerabilities… • Two-factor authentication – Leverage phone (or other device) for authentication 11/25/17 CSE 484 / CSE M 584 - Fall 2017 24

  25. Multi-Factor Authentication 11/25/17 CSE 484 / CSE M 584 - Fall 2017 25

  26. Graphical Passwords • Many variants… one example: Passfaces – Assumption: easy to recall faces – Problem: to make passwords easy to remember, users choose predictable faces 11/25/17 CSE 484 / CSE M 584 - Fall 2017 26

  27. Graphical Passwords • Another variant: draw on the image (Windows 8) • Problem: users choose predictable points/lines 11/25/17 CSE 484 / CSE M 584 - Fall 2017 27

  28. Unlock Patterns • Problems: – Predictable patterns (sound familiar by now??) – Smear patterns – Side channels: apps can use accelerometer and gyroscope to extract pattern! 11/25/17 CSE 484 / CSE M 584 - Fall 2017 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N.

Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N.

Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N. Asokan Aalto University, Finland This work was supported by the Cloud Security Services (CloSer) project funded by Tekes - the Finnish Funding

351 views • 20 slides
SALTMONEY.ORG 2 SALT CREATED BY AMERICAN STUDENT ASSISTANCE Student Loan Repayment Information

SALTMONEY.ORG 2 SALT CREATED BY AMERICAN STUDENT ASSISTANCE Student Loan Repayment Information

SALTMONEY.ORG 2 SALT CREATED BY AMERICAN STUDENT ASSISTANCE Student Loan Repayment Information Repayment Tools Repayment Tools My Money 101 SALT Is An Ecosystem Multiple Channels to Reach Users Multiple Channels of Engagement for the User

299 views • 11 slides
Lecture 2.7: Advanced mixing problems Matthew Macauley Department of Mathematical Sciences

Lecture 2.7: Advanced mixing problems Matthew Macauley Department of Mathematical Sciences

Lecture 2.7: Advanced mixing problems Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 2080, Differential Equations M. Macauley (Clemson) Lecture 2.7: Advanced mixing problems

70 views • 6 slides
Unleashing the Power of AI and ML in the Cloud through a Pay-per-Use Business Model Jin Zhang

Unleashing the Power of AI and ML in the Cloud through a Pay-per-Use Business Model Jin Zhang

Unleashing the Power of AI and ML in the Cloud through a Pay-per-Use Business Model Jin Zhang VP of Marketing, Algodone ENABLING SILICON-AS-A-SERVICE Algodone at a Glance When/Where Founders Vision Technology Jrme Rampon Founded in

389 views • 20 slides
DATA ANALYTICS USING DEEP LEARNING GT 8803 // FALL 2019 // JOY ARULRAJ W R I T I N G T I P S

DATA ANALYTICS USING DEEP LEARNING GT 8803 // FALL 2019 // JOY ARULRAJ W R I T I N G T I P S

DATA ANALYTICS USING DEEP LEARNING GT 8803 // FALL 2019 // JOY ARULRAJ W R I T I N G T I P S ANALYSIS 2 GT 8803 // Fall 2018 ANALYSIS Problem Description Significance Novelty Relevance Validity Contribution GT 8803

663 views • 33 slides
Modelling with Differential Equations Modelling with Differential Equations Modelling with

Modelling with Differential Equations Modelling with Differential Equations Modelling with

Modelling with Differential Equations Modelling with Differential Equations Modelling with Differential Equations Problems with inflow/outflow Modelling with Differential Equations Problems with inflow/outflow Equation for

647 views • 33 slides
Introduction Ch 1 Object Oriented Main focus is on objects/variables and how they interact

Introduction Ch 1 Object Oriented Main focus is on objects/variables and how they interact

Introduction Ch 1 Object Oriented Main focus is on objects/variables and how they interact (represented by me as boxes) Reusable groups of actions (verbs) between objects are called functions (squiggly boxes) These actions can take additional

611 views • 34 slides
Heaven Applauds You 5 Now when Jesus saw the crowds, he went up on a mountainside and sat down.

Heaven Applauds You 5 Now when Jesus saw the crowds, he went up on a mountainside and sat down.

Heaven Applauds You 5 Now when Jesus saw the crowds, he went up on a mountainside and sat down. His disciples came to him, 2 and he began to teach them. He said: 3 Blessed are the poor in spirit, for theirs is the kingdom of heaven. 4

842 views • 12 slides

More recommend