computer and information security
play

Computer and Information Security Fall 2020 User Authentication and - PowerPoint PPT Presentation

Feb 15, 2024 •426 likes •1.15k views

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

  1. ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University

  2. User Authentication Determining if a user is who they say they are before giving them access. 2

  3. The four means of authenticating user identity are based on: Something Something Something Something the the the the individual individual individual is individual knows possesses (static does (token) biometrics) (dynamic • Password, PIN, biometrics) answers to • Smartcard, • Fingerprint, prearranged electronic retina, face • Voice pattern, questions keycard, handwriting, physical key typing rhythm

  4. Authentication Authentication logic using logic using f rst factor second factor n n o o i i t t a a c c i l i l o o t t n n c c e e o o h h t t o o t t u u r r A p A p P ass P ass F ail F ail Client Client Figure 3.2 Multifactor Authentication

  5. The four means of authenticating user identity are based on: Something Something Something Something the the the the individual individual individual is individual knows possesses (static does (token) biometrics) (dynamic • Password, PIN, biometrics) answers to • Smartcard, • Fingerprint, prearranged electronic retina, face • Voice pattern, questions keycard, handwriting, physical key typing rhythm

  6. Password-Based Authentication • Widely used line of defense against intruders o User provides name/login and password o System compares password with the one stored for that specified login • The user ID: o Determines that the user is authorized to access the system o Determines the user’s privileges o Is used in discretionary access control

  7. Hash • Threat model: ▪ Database of password hashes is compromised (happens a LOT) ▪ Attacker wants to figure out password • Hashing: ▪ Don’t store the plaintext password, store a hash ▪ Compare hashes • Why? ▪ So the attacker can’t just look at the database and see passwords 7

  8. Salt • Threat model: ▪ Database of password hashes is compromised (happens a LOT) ▪ Attacker wants to figure out password for a given hash • Salting: ▪ Add a bit of random stuff (“salt”) to password before hashing ▪ Random stuff differs per record ▪ Store the salt with the hash so we can use it when verifying given passwords • Why? ▪ If I hash many possible passwords and find that “c00ldude” hashes to a53d677656e7bcb216b9ef6e38bb7ab1, then anyone with that hash must have that password ▪ With a salt, I need to brute-force search per user instead of once-for-everyone 8

  9. Iteration count • Threat model: ▪ Database of password hashes is compromised (happens a LOT) ▪ Attacker wants to figure out password for a given hash ▪ Attacker has lots of fast computers • Iteration count: ▪ Instead of just using H(data), do H(H(H( … H( data ) … ))) ▪ Increase iteration count to make it very hard for attacker while still being feasible for login checks ▪ Makes our hash function “slow” ( configurably so!) • Why? ▪ If default hashing has speed of X, then an iteration count of 1000 gives a speed of X/1000. Login is a tiny amount of time in normal use, but it makes the attacker’s job 1000x harder for very little cost. 9

  10. Password Vulnerabilities • Offline dictionary attack (e.g., cracking a hashed password) ▪ Defense: Make harder by salting, iteration count • Specific account attack (e.g., dictionary attack on account) ▪ Defense: Max attempt counter, password complexity requirements • Popular password attack (try few passwords on many accounts) ▪ Defense: Password complexity requirements • Password guessing against single user (do research then guess) ▪ Defense: User training, password complexity requirements • Workstation hijacking (physically use logged-in workstation) ▪ Defense: Physical security, auto-lock timers • Exploiting user mistakes (Post-Its, sharing, unchanged defaults, ...) ▪ Defense: Training, single-use expiring passwords for new accounts • Exploiting multiple password use ▪ Defense for individual: Password managers with strong crypto ▪ Defense for organization: ????? • Electronic monitoring (sniffing network, keylogger, etc.) ▪ Defense: Encryption, challenge-response schemes, training 10

  11. Password Password File User ID Salt Hash code Salt • slow hash Load • function • (a) Loading a new password Password File User id User ID Salt Hash code Salt Select Password slow hash function Hashed password Compare (b) Verifying a password Figure 3.3 UNIX Password Scheme

  12. Evolution of UNIX scheme • Originally: hash stored in public-readable /etc/passwd file • Now: hash stored in separate root-readable /etc/shadow file • Originally: small hash, few iterations • Later: MD5 hash, more iterations • Now: SHA 512 hash, configurable iterations 12

  13. Password Cracking • Dictionary attacks ▪ Develop a large dictionary of possible passwords and try each against the password file ▪ Each password must be hashed using each salt value and then compared to stored hash values • Rainbow table attacks ▪ Pre-compute tables of hash values for all salts ▪ A mammoth table of hash values ▪ Can be countered by using a sufficiently large salt value and a sufficiently large hash length • Password crackers exploit the fact that people choose easily guessable passwords ▪ Shorter password lengths are also easier to crack 13

  14. Storing passwords correctly Link • Storing password plaintext (or encrypted) Link Link Link • Storing hashed password Link • Storing salted hash of password Link I couldn’t find anyone who • Hash function has iteration count bothered to do this yet didn’t just use one of the functions below Link • Just use PBKDF2, scrypt, bcrypt, etc. Link • Have a user management library handle it 14

  15. Where do stolen hashes go? • Attacker uses directly, sells on black market, or they leak • Often, eventually, they hit the public internet: 15

  16. Importance of password storage illustrated (1) • Plaintext passwords: 100% are “recovered” by attacker (obviously) • Sorted hashes.org by “percent recovered” – all are unsalted! • Scroll to lower percent – almost all are salted. 16

  17. Importance of password storage illustrated (2) • Scroll to very low percentages...most use bcrypt or similar, which has an iteration count • Conclusion: How you store password has HUGE effect on what happens if (when) they are breached! 17

  18. Password Selection Strategies • User education ▪ Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords • Computer generated passwords ▪ Users have trouble remembering them (good for single-use, bad for long-term) • Reactive password checking ▪ System periodically runs its own password cracker to find guessable passwords • Complex password policy ▪ User is allowed to select their own password, however the system checks to see if the password is allowable, and if not, rejects it ▪ Goal is to eliminate guessable passwords while allowing the user to select a password that is memorable 18

  19. The four means of authenticating user identity are based on: Something Something Something Something the the the the individual individual individual is individual knows possesses (static does (token) biometrics) (dynamic • Password, PIN, biometrics) answers to • Smartcard, • Fingerprint, prearranged electronic retina, face • Voice pattern, questions keycard, handwriting, physical key typing rhythm

  20. Table 3.3 Card Type Defining Feature Example Embossed Raised characters only, on Old credit card front Magnetic stripe Magnetic bar on back, characters on front Bank card Memory Electronic memory inside Prepaid phone card Smart Electronic memory and processor inside Biometric ID card Contact Electrical contacts exposed on surface Contactless Radio antenna embedded inside Types of Cards Used as Tokens

  21. Memory Cards • Can store but do not process data • The most common is the magnetic stripe card • Can include an internal electronic memory • Can be used alone for physical access o Hotel room o ATM • Provides significantly greater security when combined with a password or PIN • Drawbacks of memory cards include: o Requires a special reader o Loss of token o User dissatisfaction

  22. Smart Tokens • Physical characteristics: o Include an embedded microprocessor o A smart token that looks like a bank card o Can look like calculators, keys, small portable objects • User interface: o Manual interfaces include a keypad and display for human/token interaction • Electronic interface o A smart card or other token requires an electronic interface to communicate with a compatible reader/writer o Contact and contactless interfaces • Authentication protocol: o Classified into three categories: • Static • Dynamic password generator • Challenge-response

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University System Security 2 Security in computer systems Hardware (System)

838 views • 56 slides
Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

8.10.2019 Information Security Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak Can Network Security: Hacettepe University Ensure security of communication over insecure medium

267 views • 10 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Information Security in a Wireless World Dennis D. Steinauer Computer Security Division

Information Security in a Wireless World Dennis D. Steinauer Computer Security Division

Information Security in a Wireless World Dennis D. Steinauer Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD Information Security in a Wireless World Basic

554 views • 30 slides
Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University

Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2019 Endpoint security Tyler Bletsch Duke University Overview How do you configure endpoints for better security? 1. Updates 2. Correct settings 3. Reduce attack surface 4. Limit privilege 5.

477 views • 19 slides
Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals

Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals

Definitions and Terminology Fall 2014 CS 334 Computer Security 1 Security Goals Confidentiality : concealment of information or resources. Availability : preserve ability to use information or resource desired. An unavailable

318 views • 19 slides
Physical Information Security Fall 2010 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2010 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2010 CS461/ECE422 Computer Security I Reading Material Secrets of Computer Espionage Chapter 5 Soft TEMPEST paper http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf Outline Forensics/Spying

595 views • 46 slides
Physical Information Security Fall 2009 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2009 CS461/ECE422 Computer Security I Reading Material

Physical Information Security Fall 2009 CS461/ECE422 Computer Security I Reading Material Secrets of Computer Espionage Chapter 5 Soft TEMPEST paper http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf Outline Forensics/Spying

771 views • 47 slides
Computer and Information Security Fall 2019 Computer Security Overview Tyler Bletsch Duke

Computer and Information Security Fall 2019 Computer Security Overview Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2019 Computer Security Overview Tyler Bletsch Duke University Is this circle secure? PROBLEM: The question is under-defined. What does it mean to for a circle to be secure? LESSON:

400 views • 29 slides
ECE560 Computer and Information Security Fall 2020 Computer Security Overview Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Computer Security Overview Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Computer Security Overview Tyler Bletsch Duke University Is this circle secure? PROBLEM: The question is under-defined. What does it mean to for a circle to be secure? LESSON:

573 views • 29 slides
ECE590 Computer and Information Security Fall 2018 Computer Security Overview Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Computer Security Overview Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Computer Security Overview Tyler Bletsch Duke University Is this circle secure? PROBLEM: The question is under-defined. What does it mean to for a circle to be secure? LESSON:

763 views • 29 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1 General Information A research project with 2-5 individuals Building a new system Improving an existing technique Performing a large

647 views • 9 slides
Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some

Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some

ECE560 Computer and Information Security Fall 2020 Cryptography Tyler Bletsch Duke University Some slides adapted from slideware accompanying Computer Security: Principles and Practice by William Stallings and Lawrie Brown REAL advice

1.12k views • 79 slides
A brief introduction to information security Part II Tyler Moore Computer Science &

A brief introduction to information security Part II Tyler Moore Computer Science &

Notes A brief introduction to information security Part II Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 28 & 30, 2012 Engineered defenses to achieve protection goals Security threats Countering

369 views • 14 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with

Time-Memory Tradeoffs for Short Hash Collisions Akshima University of Chicago Joint work with David Cash, Andrew Drucker, Hoeteck Wee 1 This Talk Inspects time-space tradeo ff s for finding short collisions in Merkle-Damgrd hash

890 views • 55 slides
CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Entity Authentication Professor Qiang Zeng Spring 2020 Previous Class PKI Digital Certificate Certificate Authority Verifying Certificates and Chain of Trust Revoking Certificates

310 views • 30 slides
Salting things up in the sysadmin's world Juan Manuel Santos Who? (boring part) Juan Manuel

Salting things up in the sysadmin's world Juan Manuel Santos Who? (boring part) Juan Manuel

Salting things up in the sysadmin's world Juan Manuel Santos Who? (boring part) Juan Manuel Santos godlike64 on github / gmail / twitter godlike on freenode Information Systems Engineer / RHCA TL - STSE @ Red Hat Need beer

964 views • 58 slides
Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not

CSCE Intro to Computer Systems Security - Passwords Security: Some Fun with Passwords How to handle Passwords: the Basics Rainbow Attacks Not too long ago Hi, I forgot my password! Let me help you. What is your name? My Name is John

369 views • 5 slides
You are the salt of the earth; but if the salt loses its flavor, how shall it be seasoned? It

You are the salt of the earth; but if the salt loses its flavor, how shall it be seasoned? It

You are the salt of the earth; but if the salt loses its flavor, how shall it be seasoned? It is then good for nothing but to be thrown out and trampled underfoot by men. You are the light of the world. A city that is set on a hill cannot be

1.76k views • 161 slides
WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the "Internet of Things" we must take a look at the

468 views • 29 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides

More recommend