challenge response authentication
play

Challenge/Response Authentication Authentication by what questions - PowerPoint PPT Presentation

Feb 15, 2024 •33 likes •233 views

Challenge/Response Authentication Authentication by what questions you can answer correctly Again, by what you know The system asks the user to provide some information If its provided correctly, the user is authenticated

  1. Challenge/Response Authentication • Authentication by what questions you can answer correctly – Again, by what you know • The system asks the user to provide some information • If it’s provided correctly, the user is authenticated Lecture 7 Page 1 CS 236 Online

  2. Differences From Passwords • Challenge/response systems ask for different information every time • Or at least the questions come from a large set • Best security achieved by requiring what amounts to encryption of the challenge – But that requires special hardware – Essentially, a smart card Lecture 7 Page 2 CS 236 Online

  3. Challenge/Response Problems • Either the question is too hard to answer without special hardware • Or the question is too easy for intruders to spoof the answer • Still, commonly used in real-world situations – E.g., authenticating you by asking your childhood pet’s name – “Security questions” used as an alternative to passwords Lecture 7 Page 3 CS 236 Online

  4. Identification Devices • Authentication by what you have • A smart card or other hardware device that is readable by the computer • Authenticate by providing the device to the computer Lecture 7 Page 4 CS 236 Online

  5. Simple Use of Authentication Tokens • If you have the token, you are identified • Generally requires connecting the authentication device to computer – Unless done via wireless • Weak, because it’s subject to theft and spoofing • How can we do better? Lecture 7 Page 5 CS 236 Online

  6. Authentication With Smart Cards Authentication verified! challenge E(challenge) challenge E(challenge) How can the server be sure of the remote user’s identity? Lecture 7 Page 6 CS 236 Online

  7. Some Details on Smart Cards • Cryptography performed only on smart card – So compromised client machine can’t steal keys • Often user must enter password to activate card – Should it be entered to the card or the computer? Lecture 7 Page 7 CS 236 Online

  8. Problems With Identification Devices • If lost or stolen, you can’t authenticate yourself – And maybe someone else can – Often combined with passwords to avoid this problem • Unless cleverly done, susceptible to sniffing attacks • Requires special hardware Lecture 7 Page 8 CS 236 Online

  9. Attacks on Smart Cards • Often based on fake terminals – E.g., fake or altered ATM machine • Ideally, card shouldn’t respond to fake or tampered terminal • Alas, they often do – European Chip & Pin standard broken in 2011, for example Lecture 7 Page 9 CS 236 Online

  10. Another Form of Attack • Smart cards sometimes used to protect or hide stuff from the card’s owner • E.g., smart cards that allow access to rapid transit systems • Owner has total access • Some attacks based on hacking card hardware – Recent research makes this more feasible • Or observing card behavior Lecture 7 Page 10 CS 236 Online

  11. Authentication Through Biometrics • Authentication based on who you are • Things like fingerprints, voice patterns, retinal patterns, etc. • To authenticate to the system, allow system to measure the appropriate physical characteristics • Biometric converted to binary and compared to stored values – With some level of match required Lecture 7 Page 11 CS 236 Online

  12. Problems With Biometric Authentication • Requires very special hardware – Except systems that use typing patterns • May not be as foolproof as you think • Many physical characteristics vary too much for practical use • Generally not helpful for authenticating programs or roles • What happens when it’s cracked? – You only have two retinas, after all Lecture 7 Page 12 CS 236 Online

  13. When Do Biometrics (Maybe) Work Well? • When you use them for authentication – Carefully obtain clean readings from legitimate users – Compare those to attempts to authenticate • When biometric readers are themselves secure • In conjunction with other authentication Lecture 7 Page 13 CS 236 Online

  14. When Do Biometrics (Definitely) Work Poorly? • Finding “needles in haystacks” – Face recognition of terrorists in airports • When working off low-quality readings • When the biometric reader is easy to bypass or spoof – Anything across a network is suspect • When the biometric is “noisy” – Too many false negatives Lecture 7 Page 14 CS 236 Online

  15. Characterizing Biometric Accuracy How many false positives? Match made when it shouldn’t have been Versus how many false negatives? Match not made when it should have been The Crossover Error False False Rate (CER) Positive Negative Rate Rate Generally, the lower the Errors CER is, the better the system But sometimes one rate more important than the other Sensitivity Lecture 7 Page 15 CS 236 Online

  16. Some Typical Crossover Error Rates Technology Rate Retinal Scan 1:10,000,000+ Iris Scan 1:131,000 Fingerprints 1:500 Facial Recognition 1:500 Hand Geometry 1:500 Signature Dynamics 1:50 Voice Dynamics 1:50 Data as of 2002 Things can improve a lot in this area over time Also depends on how you use them And on what’s important to your use Lecture 7 Page 16 CS 236 Online

  17. Biometrics and Usability • Always a tradeoff in false positives vs. false negatives • For consumer devices, false negatives are very, very bad – People discard devices that won’t let the legitimate user in • Can you make the false positive rate non-trivial with almost no false negs? Lecture 7 Page 17 CS 236 Online

  18. Didn’t Carnegie Mellon Just Perfect Facial Recognition? • Not really • Quick and dirty version got 1 in 3 right • With more photos and time, did better • But think about how accurate your use of biometrics needs to be • In many cases, you need 5 nines or so Lecture 7 Page 18 CS 236 Online

  19. Another Cautionary Tale • British cameras captured faces of many rioters in London in 2011 • Tried to use facial recognition software to automatically identify them • Very poor results, in terms of accuracy – Because camera images were of poor quality • Current technology requires good image quality Lecture 7 Page 19 CS 236 Online

  20. Authentication by Where You Are • Sometimes useful in ubiquitous computing • The issue is whether the message in question is coming from the machine that’s nearby • Less important who owns that machine • Requires sufficient proof of physical location • And ability to tie a device at that location to its messages • Sometimes used in conjunction with other authentication methods – E.g., the door opens only if an authorized user is right outside it Lecture 7 Page 20 CS 236 Online

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-10.txt

Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-10.txt

Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-10.txt Abhijit Menon-Sen <ams@oryx.com> Chris Newman <chris.newman@sun.com> Alexey Melnikov <alexey.melnikov@isode.com> Simon Josefsson

189 views • 7 slides
Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

University of Cambridge Security Seminar Series Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh Outline What are Challenge Questions? Challenge Question Research Our Research Collecting

765 views • 28 slides
Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike

Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike

SOUPS 2009 Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike Just University of Edinburgh (joint work with David Aspinall) Challenge Question Authentication Authentication credential is answer

394 views • 20 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf

Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf

Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf {firstname.lastname}@fu-berlin.de 1. Physically Unclonable Functions 2. Ring Oscillator PUF with Enhanced Outline Challenge-Response Pairs 3.

197 views • 19 slides
Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such as MD5 Challenge/Response such as APOP * APOP * Yu Sasaki ( The University of Electro-Communications ) Go Yamamoto (NTT) Kazumaro Aoki (NTT)

436 views • 8 slides
Authentication Using Pulse-Response Biometrics Kasper B. Rasmussen 1 Marc Roeschlin 2 Ivan

Authentication Using Pulse-Response Biometrics Kasper B. Rasmussen 1 Marc Roeschlin 2 Ivan

Authentication Using Pulse-Response Biometrics Kasper B. Rasmussen 1 Marc Roeschlin 2 Ivan Martinovic 1 Gene Tsudik 3 1 University of Oxford 2 ETH Zurich 3 UC Irvine Clermont Ferrand, 2014 Slide 1. A Bit About Myself Lecturer at University of

598 views • 37 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
IUC Response to The Senate Challenge Reducing the Cost of College for Students The Senate

IUC Response to The Senate Challenge Reducing the Cost of College for Students The Senate

IUC Response to The Senate Challenge Reducing the Cost of College for Students The Senate Challenge Reduce College Costs For Ohio Students by 5% While Continuing to Improve Quality 2 Talent Gap Imperative Source: The Lumina

464 views • 19 slides
Consumer Challenge Panel response to ActewAGLs (ACT) Regulatory Proposal 30 July 2014 Role

Consumer Challenge Panel response to ActewAGLs (ACT) Regulatory Proposal 30 July 2014 Role

Consumer Challenge Panel response to ActewAGLs (ACT) Regulatory Proposal 30 July 2014 Role of Consumer Challenge Panel Arose in response to various 2012 reporting processes recognising lack of NEO focus, lack of consumer engagement. CCP

668 views • 22 slides
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C.

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C.

CS259: Security Analysis of Network Protocols, Winter 2008 Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic Todays Plan First half The meaning, importance and technique of

729 views • 24 slides
I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche, Kashyap Thimmaraju , Liron Schiff and Stefan Schmid IFIP Networking 2018 14-16 May, 2018, Zurich, Switzerland 1 Outline 1. Motivation 2. Covert

999 views • 95 slides
The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs Bluetooth Security and Cooperation in Wireless Networks Georg-August University Gttingen Security in Wireless Networks Wireless networks are

519 views • 48 slides
Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7

Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview Key reinstalls in 4-way

991 views • 56 slides
CS 356 Lecture 5 User Authentication Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 5 User Authentication Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 5 User Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive,

449 views • 24 slides
The Pandemic Challenge Responding to COVID-19 Who We Are, What We Do Together Our Impact Is

The Pandemic Challenge Responding to COVID-19 Who We Are, What We Do Together Our Impact Is

The Pandemic Challenge Responding to COVID-19 Who We Are, What We Do Together Our Impact Is Greater We unleash the power of collaboration between CDC and philanthropies, organizations, corporations, governments and individuals in order to

342 views • 8 slides
Block-Supply Chain: A New Anti- Counterfeiting Supply Chain Using NFC and Blockchain By: Naif

Block-Supply Chain: A New Anti- Counterfeiting Supply Chain Using NFC and Blockchain By: Naif

Block-Supply Chain: A New Anti- Counterfeiting Supply Chain Using NFC and Blockchain By: Naif Alzahrani Nirupama Bulusu Portland State University Motivation Products Counterfeiting World Health Organization (WHO) 2008 [1]: 30% of

919 views • 53 slides
CSCE 790 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2020 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public Key to the world

273 views • 26 slides

More recommend