cmpsc 497 password authentication
play

CMPSC 497 Password Authentication Trent Jaeger Systems and - PowerPoint PPT Presentation

Nov 14, 2023 •263 likes •582 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Password Authentication Trent Jaeger Systems and

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � Password Authentication Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Security Model - E-voting • Who are the principals? Voters, Admins, Counters, Others ‣ • Who are adversaries? • Which commands may be threatened (attack surface)? Start the application ‣ Process the vote ‣ Count the votes ‣ • Who must the application trust? To do what? Of principals above ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Principals Principals • Principals are expected system subjects ‣ Computers, agents, people, enterprises, … ‣ Depending on context referred to as: servers, clients, users, entities, hosts, routers, … - and some may be adversarial ‣ Security is defined with respect to these subjects • Implication: every principal may have unique view • A trusted third party ‣ Trusted by all principals for some set of actions ‣ Often used as introducer or arbiter CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Challenges • Distinguish adversaries from trusted principals Suppose the e-voting application receives a command ‣ How do we know whether the command may be from an ‣ adversary or a trusted principal? • The security mechanism for identifying principals is Authentication ‣ The act of confirming the truth of an attribute of a single ‣ piece of data claimed true by an entity For an identity, authentication is the process of actually ‣ confirming a claimed identity Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. What is Authentication? Authentication • Short answer: establishes identity • Several mechanisms for performing authentication ‣ Answers the question: To whom am I speaking? • Long answer: evaluates the authenticity of identity by proving credentials ‣ Credential – is proof of identity ‣ Evaluation – process that assesses the correctness of the association between credential and claimed identity • for some purpose • under some policy (what constitutes a good cred.?) CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Why authentication? E-Voting Application • Well, we live in a world of rights, permissions, and • Suppose you are building an e-voting application duties How do you ensure your application satisfies security ‣ ‣ Authentication establishes our identity so that we can requirements? obtain the set of rights • What does the e-voting application do? ‣ E.g., we establish our identity with Tiffany’s by providing a valid credit card which gives us rights to purchase Process vote commands ‣ goods ~ physical authentication system Store votes ‣ Retrieve/count votes ‣ • What are its security requirements? Let’s see how we reason about security ‣ • Q: How does this relate to security? CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Why authentication (cont.)? Risk • Same in online world, just different constraints ‣ Vendor/customer are not physically co-located, so we • What’s at risk in the e-voting application? must find other ways of providing identity • e.g., by providing credit card number ~ electronic authentication system ‣ Risks (for customer and vendor) are different • Q: How so? • Computer security is crucially dependent on the proper design, management, and application of authentication systems. 7 CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  8. What is Identity? Security Requirements • That which gives you access … which is largely • Usually security requirements are described in three determined by context categories ‣ We all have lots of identities • Secrecy ‣ Pseudo-identities • Really, determined by who is evaluating credential Prevent risk that sensitive data may be leaked to an adversary (e.g., ‣ votes) ‣ Driver’s License, Passport, SSN prove … ‣ Credit cards prove … • Integrity ‣ Signature proves … Prevent risk that adversaries may modified data that others depend ‣ ‣ Password proves … on (e.g., vote instances, tallies, database) ‣ Voice proves … • Availability Prevent risk that adversaries block use of critical services (e.g., ‣ • Exercise: Give an example of bad mapping between disable the processing of votes) identity and the purpose for which it was used. 8 CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  9. Credentials Exercise • … are evidence used to prove identity • Classify each of the following as a violation of • Credentials can be confidentiality, of integrity, of availability, or of some ‣ Something I am combination. ‣ Something I have ‣ Something I know Carol changes the amount of Angelo's check from $100 to ‣ $1000 John copies Mary's homework ‣ Eve registers the domain name “psu.edu" and refuses to ‣ let Penn State buy or use that domain name. 9 CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  10. Passwords • An example of “something you know” Client users must remember passwords to ‣ access their data on servers • Passwords have a checkered history People have often chosen poor passwords ‣ Why is that an issue? ‣ • We (security community) assumed (in the 1990s) that passwords would be replaced with another technology to enable users to authenticate Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Password Use Lateness Policy • Naively: Retrieve password for ID from database and check against that supplied password • Assignments and project milestones are assessed a 20% per-day late penalty, up to a • Baravelli: ...you can't come in unless you give the password. Professor Wagstaff: Well, what is the password? • maximum of 4 days. Unless the problem is Baravelli: Aw, no. You gotta tell me. Hey, I tell what I do. I give you three guesses. It's the name of a fish. • apocalyptic, don’t give me excuses. • ……. [Slams door. Professor Wagstaff knocks again. Baravelli opens peephole again.] Hey, what's-a matter, you no • Students with legitimate reasons who understand English? You can't come in here unless you say, "Swordfish." Now I'll give you one more guess. • Professor Wagstaff: ...swordfish, swordfish... I think I got it. Is it "swordfish"? contact the professor before the deadline Baravelli: Hah. That's-a it. You guess it. • Professor Wagstaff: Pretty good, eh? • may apply for an extension. [Marx Brothers, Horse Feathers ] • How should you store passwords to protect them? • You decide what you turn in • Just storing them in a file gives anyone with access to the file your password CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Password Storage • Instead of storing passwords, we store A value that can be computed from the password ‣ F(password) = value • That is highly unlikely to be the same as the value ‣ computed from another password (collision-free) From which it is difficult to extract (reverse) the ‣ password (one-way) • What kind of function provides such properties? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Hash Algorithms Cryptographic Hash Functions • Hash algorithm • A challenge is to determine how a program may ‣ Compression of data into a hash value be threatened by adversaries ‣ E.g., h(d) = parity(d) • In what ways may an adversary impact CIA? ‣ Such algorithms are generally useful in algorithms (speed/ space optimization) • … as used in cryptosystems • Adversaries may be able to control the resources ‣ One-way - (computationally) hard to invert h() , i.e., used by the program and inputs to the program compute h -1 (y), where y=h(d) ‣ Collision resistant hard to find two data x 1 and x 2 such that Obtained via system calls – later researchers ‣ h(x 1 ) == h(x 2 ) described the system calls that may receive adversary- controlled input as a program’s attack surface • Q: What can you do with these constructs? CSE543 - Introduction to Computer and Network Security Page � X Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Password Storage • Hosts store password hashes in a file Originally, /etc/passwd for UNIX systems ‣ Now /etc/shadow ‣ • Server programs can also store their own users’ password hashes in a file For Apache can store in /usr/local/apache/passwd ‣ • What if an adversary can gain access to a password storage file? 14 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides
Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer Mohammad

Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer Mohammad

Mobile Password Authentication (MP-Auth) Financial Cryptography - Feb 13, 2007 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer Mohammad Mannan and Paul C. van Oorschot Digital Security Group Carleton

557 views • 18 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
SCRAM in LDAP Better Password-based Authentication Kurt Zeilenga Isode Limited What is SCRAM?

SCRAM in LDAP Better Password-based Authentication Kurt Zeilenga Isode Limited What is SCRAM?

SCRAM in LDAP Better Password-based Authentication Kurt Zeilenga Isode Limited What is SCRAM? S alted C hallenge R esponse A uthentication M echanism SCRAM-SHA-1-PLUS An improved SASL mechanism for password authentication of the

469 views • 31 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
NERSC Multi-Factor Authentication It's easy! Abe Singer 2018-11-01 MFA in Brief MFA will

NERSC Multi-Factor Authentication It's easy! Abe Singer 2018-11-01 MFA in Brief MFA will

NERSC Multi-Factor Authentication It's easy! Abe Singer 2018-11-01 MFA in Brief MFA will be required starting with new allocation year MFA == Password + One Time Password (OTP) Protects your account against password

1.07k views • 22 slides
Multi-factor Authentication Coming to a NERSC near you You Have Probably Heard of MFA

Multi-factor Authentication Coming to a NERSC near you You Have Probably Heard of MFA

Multi-factor Authentication Coming to a NERSC near you You Have Probably Heard of MFA Password One-time Password (OTP) Factor == Authentication Method Certificate Hardware Token Biometric password + OTP token + PIN Multi-factor ::= 2+

90 views • 7 slides
Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M. Martin Aaron G. Cass March 3, 2018 Introduction 01 Human Computer Interface Security (HCIsec) 02 Password Problem 03 Graphical User

633 views • 31 slides
Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Version 1.0 Cornelius Klbel (corny@cornelinux.de) May 2014 (CC BY-NC-SA 4.0) Everybody knows that a password - be it simple or even complex - is a potential vulnerability. Two factor authentication is the way to authenticate a user not only

400 views • 5 slides
Towards Scalable Backscatter Sensor Networks Aggelos Bletsas & John N. Sahalos

Towards Scalable Backscatter Sensor Networks Aggelos Bletsas & John N. Sahalos

Towards Scalable Backscatter Sensor Networks Aggelos Bletsas & John N. Sahalos RadioCommunications Laboratory (RCL) Aristotle University of Thessaloniki, Greece Cost Assist Workshop April 2008, Cyprus Outline 1. Introduction to RFIDs:

509 views • 29 slides
Clo cks [Contd.] 1 Goals of the lecture Direct dep endency clo cks Pred and

Clo cks [Contd.] 1 Goals of the lecture Direct dep endency clo cks Pred and

Clo cks [Contd.] 1 Goals of the lecture Direct dep endency clo cks Pred and Succ functions Matrix clo cks Prop erties of matrix clo cks Vija c y K. Ga rg Distributed Systems Sp ring 96 Clo

186 views • 15 slides
Continuous Improvement Toolkit 5S www. citoolkit .com The Continuous Improvement Map Managing

Continuous Improvement Toolkit 5S www. citoolkit .com The Continuous Improvement Map Managing

Continuous Improvement Toolkit 5S www. citoolkit .com The Continuous Improvement Map Managing Selecting & Decision Making Planning & Project Management* Risk PDPC Daily Planning PERT/CPM Break-even Analysis Importance Urgency

1.88k views • 162 slides
The Utility of OpenMath James H. Davenport Department of Computer Science University of Bath

The Utility of OpenMath James H. Davenport Department of Computer Science University of Bath

The Utility of OpenMath James H. Davenport Department of Computer Science University of Bath Bath BA2 7AY England J.H.Davenport@bath.ac.uk June 28, 2007 The status of an OpenMath content dictionary is one of the following: official :

383 views • 20 slides
Use puppet and network inventory to populate nagios/icinga configuration TF-NOC Dublin

Use puppet and network inventory to populate nagios/icinga configuration TF-NOC Dublin

http://www.grnet.g r GRNET NOC Use puppet and network inventory to populate nagios/icinga configuration TF-NOC Dublin Alexandros Kosiaris (alex@noc.grnet.gr) Network & Equipment Optical Network: Storage Equipment:

281 views • 24 slides
A n Experiments Krishna Kumar Stony Brook University The Electroweak Box Workshop at ACFI,

A n Experiments Krishna Kumar Stony Brook University The Electroweak Box Workshop at ACFI,

Acknowledgements: D. Armstrong, M. Dalton, K. Paschke, J. Mammei, M. Pitt, B. Waidyawansa and all my theory colleagues A n Experiments Krishna Kumar Stony Brook University The Electroweak Box Workshop at ACFI, UMass, Amherst, September 28, 2017

589 views • 26 slides
Problem report #1 From: me@dot.com To: zeller@gnu.org Subject: Crash Your program crashed.

Problem report #1 From: me@dot.com To: zeller@gnu.org Subject: Crash Your program crashed.

Tracking Problems Andreas Zeller 1 Whats a problem? A problem is a questionable property of a program run It becomes a failure if its incorrect a request for enhancement if missing and a feature if normal

411 views • 18 slides
OpenPhoenux Smartphone: Learnings from the past and ideas for next year Christoph Mair, Lukas

OpenPhoenux Smartphone: Learnings from the past and ideas for next year Christoph Mair, Lukas

OpenPhoenux Smartphone: Learnings from the past and ideas for next year Christoph Mair, Lukas Mrdian, Nikolaus Schaller LinuxTag, Berlin, May 23 th , 2013 supported by What the inventors ofPC and WWW did want... computation,

691 views • 46 slides

More recommend