identification and authentication
play

Identification and Authentication CSM27 Computer Security Dr Hans - PowerPoint PPT Presentation

Oct 14, 2023 •158 likes •809 views

Identification and Authentication CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2009 Week 4 Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 Week 4 1 / 32 Introduction Background

  1. Identification and Authentication CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2009 – Week 4 Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 1 / 32

  2. Introduction Background Outline Introduction 1 Background Definitions Password management Attacks 2 Guessing Passwords Spoofing Passwords The password file Closing Words 3 Alternative Approaches User convenience Exercises Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 2 / 32

  3. Introduction Background Session objectives Recognise the purposes of (password) identification. Be aware of the potential vulnerabilities in password authentication caused by organisational, human, and technical issues. Be able to identify and apply some security mechanisms for password distribution and management. Draw general security lessons from the familiar scenario of password authentication. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 3 / 32

  4. Introduction Background A familiar scenario How many usernames and passwords do you have? How many different passwords do you use? Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 4 / 32

  5. Introduction Definitions Outline Introduction 1 Background Definitions Password management Attacks 2 Guessing Passwords Spoofing Passwords The password file Closing Words 3 Alternative Approaches User convenience Exercises Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 5 / 32

  6. Introduction Definitions Identification and Authentication Identification e.g. giving your username. You reveal your identity to the system. Entity Authentication e.g. giving a password. The process of verifying a claimed identity. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 6 / 32

  7. Introduction Definitions The purpose of passwords The computer system can know who the user is. Enables the two features: Audit trail The system logs activity, and in the case of unauthorised and illegal activities, the logs can be used to trace the guilty user. Authorisation Use is restricted to recognised users, based on payment or membership. Remark Authorisation does not necessarily require identification, there are alternative approaches. However, using the audit trail to prosecute misbehaving users can hardly be done without identification. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 7 / 32

  8. Introduction Definitions The purpose of passwords The computer system can know who the user is. Enables the two features: Audit trail The system logs activity, and in the case of unauthorised and illegal activities, the logs can be used to trace the guilty user. Authorisation Use is restricted to recognised users, based on payment or membership. Remark Authorisation does not necessarily require identification, there are alternative approaches. However, using the audit trail to prosecute misbehaving users can hardly be done without identification. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 7 / 32

  9. Introduction Definitions The purpose of passwords The computer system can know who the user is. Enables the two features: Audit trail The system logs activity, and in the case of unauthorised and illegal activities, the logs can be used to trace the guilty user. Authorisation Use is restricted to recognised users, based on payment or membership. Remark Authorisation does not necessarily require identification, there are alternative approaches. However, using the audit trail to prosecute misbehaving users can hardly be done without identification. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 7 / 32

  10. Introduction Definitions The purpose of passwords The computer system can know who the user is. Enables the two features: Audit trail The system logs activity, and in the case of unauthorised and illegal activities, the logs can be used to trace the guilty user. Authorisation Use is restricted to recognised users, based on payment or membership. Remark Authorisation does not necessarily require identification, there are alternative approaches. However, using the audit trail to prosecute misbehaving users can hardly be done without identification. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 7 / 32

  11. Introduction Password management Outline Introduction 1 Background Definitions Password management Attacks 2 Guessing Passwords Spoofing Passwords The password file Closing Words 3 Alternative Approaches User convenience Exercises Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 8 / 32

  12. Introduction Password management The bootstrap problem How do you identify the user when you give him the first password? How did you get your first password at Surrey? Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 9 / 32

  13. Introduction Password management Forgotten passwords What do you do if the user forgets his password? Has anyone ever forgotten the password? What did you do to have it reset? Forgotten passwords is an accessibility threat We have to reissue passwords to maintain accessibility Creates a vulnerability an intruder pretend to be an authorised user having forgotten his password. Misissuing a password is a confidentiality threat Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 10 / 32

  14. Introduction Password management Forgotten passwords What do you do if the user forgets his password? Has anyone ever forgotten the password? What did you do to have it reset? Forgotten passwords is an accessibility threat We have to reissue passwords to maintain accessibility Creates a vulnerability an intruder pretend to be an authorised user having forgotten his password. Misissuing a password is a confidentiality threat Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 10 / 32

  15. Introduction Password management Forgotten passwords What do you do if the user forgets his password? Has anyone ever forgotten the password? What did you do to have it reset? Forgotten passwords is an accessibility threat We have to reissue passwords to maintain accessibility Creates a vulnerability an intruder pretend to be an authorised user having forgotten his password. Misissuing a password is a confidentiality threat Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 10 / 32

  16. Introduction Password management Forgotten passwords What do you do if the user forgets his password? Has anyone ever forgotten the password? What did you do to have it reset? Forgotten passwords is an accessibility threat We have to reissue passwords to maintain accessibility Creates a vulnerability an intruder pretend to be an authorised user having forgotten his password. Misissuing a password is a confidentiality threat Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 10 / 32

  17. Introduction Password management Forgotten passwords What do you do if the user forgets his password? Has anyone ever forgotten the password? What did you do to have it reset? Forgotten passwords is an accessibility threat We have to reissue passwords to maintain accessibility Creates a vulnerability an intruder pretend to be an authorised user having forgotten his password. Misissuing a password is a confidentiality threat Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 10 / 32

  18. Introduction Password management Verification techniques Authorised channel Do not give a password to a caller on the phone, but call back on an authorised phone number. Courier for personal delivery. Independent witness Call back someone else, like the requestor’s manager. Damage limitation One-time password, forcing the user to change it immediately. Independent verification channel Confirmation by a different channel before the password is activated. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 11 / 32

  19. Introduction Password management Verification techniques Authorised channel Do not give a password to a caller on the phone, but call back on an authorised phone number. Courier for personal delivery. Independent witness Call back someone else, like the requestor’s manager. Damage limitation One-time password, forcing the user to change it immediately. Independent verification channel Confirmation by a different channel before the password is activated. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 11 / 32

  20. Introduction Password management Verification techniques Authorised channel Do not give a password to a caller on the phone, but call back on an authorised phone number. Courier for personal delivery. Independent witness Call back someone else, like the requestor’s manager. Damage limitation One-time password, forcing the user to change it immediately. Independent verification channel Confirmation by a different channel before the password is activated. Dr Hans Georg Schaathun Identification and Authentication Autumn 2009 – Week 4 11 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
Know Your Traveller Enhanced Early Identification and Authentication Done Remotely

Know Your Traveller Enhanced Early Identification and Authentication Done Remotely

Know Your Traveller Enhanced Early Identification and Authentication Done Remotely Gordon Wilson, President, WorldReach Software New Pressure Points UN SECURITY COUNCIL UNANIMOUSLY ADOPTS RESOLUTION 2178 UN Condemns Violent

355 views • 18 slides
Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non-

Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non-

Public Key Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non- :: Authenticity, e-business transaction Repudiation requirements for electronic :: Confidentiality and Integrity requirements ::

252 views • 11 slides
Identification and Authentication Daniel Bosk Department of Information and Communication

Identification and Authentication Daniel Bosk Department of Information and Communication

Introduction Bootstrapping Authenticating Securing References Identification and Authentication Daniel Bosk Department of Information and Communication Systems, Mid Sweden University, Sundsvall 14th March 2019 Daniel Bosk MIUN

1.26k views • 105 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Computer Security 3e Dieter Gollmann Chapter 4: 1 Security.di.unimi.it/1314/ Chapter 4:

Computer Security 3e Dieter Gollmann Chapter 4: 1 Security.di.unimi.it/1314/ Chapter 4:

Computer Security 3e Dieter Gollmann Chapter 4: 1 Security.di.unimi.it/1314/ Chapter 4: Identification & Authentication Chapter 4: 2 Agenda User authentication Identification & authentication Passwords how to get the

1.37k views • 43 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
1 Cryptography basics Secret-key encryption Algorithms (E, D) are widely known Also

1 Cryptography basics Secret-key encryption Algorithms (E, D) are widely known Also

Security The security environment Basics of cryptography User authentication Chapter 9: Security Attacks from inside the system Attacks from outside the system Protection mechanisms Trusted systems CS 1550, cs.pitt.edu

538 views • 11 slides
PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES OUR

PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES OUR

PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES OUR MISSION Least Authoritys mission is to build and support ethical and usable technology solutions that advance digital security and privacy as

552 views • 13 slides
Theoretical Foundations of SBSE Xin Yao CERCIA, School of Computer Science University of

Theoretical Foundations of SBSE Xin Yao CERCIA, School of Computer Science University of

Theoretical Foundations of SBSE Xin Yao CERCIA, School of Computer Science University of Birmingham Some Theoretical Foundations of SB SE Xin Yao and Many Others CERCIA, School of Computer Science University of Birmingham

667 views • 21 slides
Results from the LUX Experiment Sally Shaw DMUK Meeting UCL, 18th January 2016 1 Large

Results from the LUX Experiment Sally Shaw DMUK Meeting UCL, 18th January 2016 1 Large

Results from the LUX Experiment Sally Shaw DMUK Meeting UCL, 18th January 2016 1 Large Underground Xenon Detector 2 The LUX Collaboration 3 The Black Hills 4 Sanford Lab, South Dakota 5 Direct Detection of WIMPs WIMP-nucleon

793 views • 41 slides
Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Securing The

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Securing The

Bolt on some Crypto Michael Samuel @mik235 https://miknet.net/ Ruxcon 2014 Securing The Network - TLS & SSH IETF Standards: SSH - RFC 4250-4255 Remote shell File transfer TCP port forwarding, socks proxy Pipe commands over

679 views • 35 slides
GSP Stakeholder Committee Stakeholder Committee Meeting July 22, 2019 Agenda Welcome,

GSP Stakeholder Committee Stakeholder Committee Meeting July 22, 2019 Agenda Welcome,

GSP Stakeholder Committee Stakeholder Committee Meeting July 22, 2019 Agenda Welcome, Introductions, and Agenda Review Presentation by Woodard & Curran on GSP development Coordinating Committee Update 1. Public Draft GSP

785 views • 54 slides
Andrew Stacy Andrew.Stacy@mail.wvu.edu www.3riversquest.org WEST VIRGINIA UNIVERSITY BACKGROUND

Andrew Stacy Andrew.Stacy@mail.wvu.edu www.3riversquest.org WEST VIRGINIA UNIVERSITY BACKGROUND

Andrew Stacy Andrew.Stacy@mail.wvu.edu www.3riversquest.org WEST VIRGINIA UNIVERSITY BACKGROUND High TDS events in late summer/early fall 2008 Lead to a shut down of some municipal water intakes when the river exceeded the EPAs

573 views • 13 slides
Earnings Conference Call April 21th, 2016 Forward-Looking Statement The information herein

Earnings Conference Call April 21th, 2016 Forward-Looking Statement The information herein

F i r s t Q u a r t e r Earnings Conference Call April 21th, 2016 Forward-Looking Statement The information herein contained (Information) has been prepared by Grupo Herdez, S.A.B. de C.V., its associates, subsidiaries and/or affiliated

252 views • 9 slides

More recommend