lecture 10 authentication
play

Lecture 10 - Authentication CMPSC 443 - Spring 2012 Introduction - PowerPoint PPT Presentation

Jan 09, 2023 •135 likes •379 views

Lecture 10 - Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  1. Lecture 10 - Authentication CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

  2. Kerberos: What to know 1) Alice → Trent : { Alice + Bob + rand 1 } 2) Trent → Alice : { Alice + Bob + rand 1 + K AB + { Alice + K AB } K BT } K AT 3) Alice → Bob : { Alice + K AB } K BT 4) Bob → Alice : { rand 2 } K AB Bob’s Ticket Alice’s Ticket 5) Alice → Bob : { rand 2 − 1 } K AB Replaced by single “authenticator” message {time}K AB • Kerberos Properties – Initial Goals: secure communication, mutual authentication – Extra Goal: single signon – Compare result to SSH (and PKI today) • Deployment of Needham-Schroeder – Two-phase protocol – Limited to single administrative domain 2 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  3. Public Key Authentication • Public Key Cryptography is the answer – easy to distribute the public key – never give the private key to anyone else – key agreement is easy (sans Needham-Schoeder) – keys can be global • While PK is used, not as broadly as expected • Requires a significant infrastructure – Global systems are difficult (impossible) to build 3 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  4. Public Key Infrastructure • System to “securely distribute public keys” – Q: Why is that hard? • Terminology: – Alice signs a certificate for Bob ʼ s name and key • Alice is issuer, and Bob is subject – Alice wants to find a path to Bob ʼ s key • Alice is verifier, and Bob is target – Anything that has a public key is a principal – Anything trusted to sign certificates is a trust anchor • Its certificate is a root certificate 4 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  5. What is a certificate? • A certificate … – … makes an association between a user identity/job/attribute and a private key – … contains public key information {e,n} – … has a validity period – … is signed by some certificate authority (CA) • Issued by CA for some purpose – Verisign is in the business of issuing certificates – People trust Verisign to vet identity 5 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  6. Why do I trust the certificate? • A collections of “root” CA certificates – … baked into your browser – … vetted by the browser manufacturer – … supposedly closely guarded (yeah, right) • Root certificates used to validate certificate – Vouches for certificate ʼ s authenticity • Who is “Bob Jones?” ... (signs) CA Certificate Signature Signature 6 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  7. What is a PKI? Root • Rooted tree of CAs • Cascading issuance – Any CA can issue cert CA1 CA2 CA3 – CAs issue certs for children … … … CA11 CA12 CA1n CA21 CA22 Cert11a Cert11b Cert11c … … … … 7 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  8. Certificate Validation Root CA1 CA2 CA3 … … … CA11 CA12 CA1n CA21 CA22 Certificate Signature Cert11a Cert11b Cert11c … … … … 8 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  9. PKI and Revocation • Certificate may be revoked before expiration – Lost private key – Compromised – Owner no longer authorized • Revocation is hard … – The “anti-matter” problem – Verifiers need to check revocation state • Loses the advantage of off-line verification – Revocation state must be authenticated 9 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  10. PKI Challenges • Must trust a CA – Which one? – What is it trusted to do? • Key storage – Who can access my key? – Similar problem for Kerberos, SSH, etc. • Certificate bindings must be correct – Which John Smith is this? – Who authorizes attributes in a certificate? – How long are these value valid? – What process is used to verify the key holder? 10 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  11. Pretty Good Privacy • Alternative infrastructure for public key – Peer-to-Peer approach – E.g., for email • Key management is manual – Public key exchange between peers – Add public key to personal ʻ keyring ʼ – Can authenticate messages from these parties • Used mainly by computer security types – Johnny can ʼ t encrypt – GNU Privacy Guard 11 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  12. Authentication Architecture Clients of These Programs Remote Local Application Service Service Service (sshd, (su, login) (ftp,httpd) telnet) 12 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  13. Authentication Architecture Clients of These Programs Remote Local Application Service Service Service (sshd, (su, login) (ftp,httpd) telnet) Common Authentication Architecture 13 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  14. Pluggable Authentication Modules • Centralized authentication service for Linux/Solaris • Advantages – Provides a common authentication scheme that can be used with a wide variety of applications. – Allows a large amount of flexibility and control over authentication for both the system administrator and application developer. – Allows application developers to develop programs without creating their own authentication scheme. • PAM-ified application – Uses PAM authentication technique and config – Receives identity – May be entrusted to forward identity to system 14 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  15. Authentication Architecture Clients of These Programs PAM PAM PAM Remote Local Application Service Service Service Authentication Mechanism (may be different for each service) 15 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  16. PAM Concepts • Module Interface – Auth: authentication – Account: management + authorization • Use service; password expire – Password: set and verify passwords – Session: configure session • E.g., mount home directory • One module may provide all – pam_stack.so for each interface • Modules may be ‘stacked’ – Multiple support same interface – Required and optional session interfaces modules 16 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  17. PAM Usage • PAMify an application – Must be able to modify the application code – Build with PAM libraries (libpam, libpam-misc, ...) • Authenticate first – Build pam_handle_t data structure – Call pam_authenticate (calls PAM module for authenticate) • Use pam_get_item to get authenticated identity • Example – Call pam_authenicate (uses module specified in config) – PAM gets username, password (or whatever) – Returns PAM_SUCCESS – Use pam_get_item to get the actual identity 17 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  18. PAM Usage (con’t) • Session management – pam_setcred() before open session • application-specific credentials to PAM – pam_open_session() – pam_close_session() – based on module specified in config • Account management – pam_acct_mgmt() – based on module specified in config • Password management – pam_chauthtok() – based on module specified in config • Where is responsibility for correct authentication? 18 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  19. pam_unix.so • Auth: – Authentication – pam_authenticate() and pam_setcred() (RPC credentials) • Session – Session logging • Account – Check that password has not expired • Password – Password update, includes cracklib to check strength 19 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

  20. PAM Policies • Config files: /etc/pam.d/ – For each PAMified application • su -- /etc/pam.d/su or /etc/pam.conf <module interface> <control flag> <module path> <module arguments> #%PAM-1.0 auth required /lib/security/$ISA/pam_stack.so service=system-auth account required /lib/security/$ISA/pam_stack.so service=system-auth password required /lib/security/$ISA/pam_stack.so service=system-auth session required /lib/security/$ISA/pam_stack.so service=system-auth session optional /lib/security/$ISA/pam_xauth.so 20 CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Lecture 9 Authentication &amp; Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication &amp; Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication &amp; Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

490 views • 33 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Security building blocks: authentication Markus Peuhkuri 2005-03-01 Lecture topics

Security building blocks: authentication Markus Peuhkuri 2005-03-01 Lecture topics

Security building blocks: authentication Markus Peuhkuri 2005-03-01 Lecture topics Authentication Different methods to authenticate Caveats in authentication How one

242 views • 7 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
CS 356 Lecture 5 User Authentication Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 5 User Authentication Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 5 User Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive,

449 views • 24 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
Measuring YouTube from Dual-Stacked Hosts Appendix from Dual-Stacked Conclusion Tiroughput and

Measuring YouTube from Dual-Stacked Hosts Appendix from Dual-Stacked Conclusion Tiroughput and

Measuring YouTube Google Global Caches March 2015 Jacobs University Bremen, Bremen, Germany Computer Networks and Distributed Systems Group, Aalto University, Espoo, Finland School of Electrical Engineering, Jrgen Schnwlder Jrg Ott

287 views • 25 slides
Discussion of: Assortative Learning&quot; by Eeckhout and Weng Giuseppe Moscarini Yale and

Discussion of: Assortative Learning&quot; by Eeckhout and Weng Giuseppe Moscarini Yale and

Discussion of: Assortative Learning&quot; by Eeckhout and Weng Giuseppe Moscarini Yale and NBER Recap competitive labor market model with incomplete information about workers general human capital Recap competitive labor market model

517 views • 36 slides
B. Pam Ismail Founder and Director bismailm@umn.edu https://ppic.cfans.umn.edu Plant Protein

B. Pam Ismail Founder and Director bismailm@umn.edu https://ppic.cfans.umn.edu Plant Protein

C OLLABORATIVELY GROWING THE LANDSCAPE OF PLANT - BASED PROTEINS B. Pam Ismail Founder and Director bismailm@umn.edu https://ppic.cfans.umn.edu Plant Protein Innovation Center Mission The Plant Protein Innovation Center (PPIC) mission is to

336 views • 16 slides
Some estimates for the parabolic Anderson model Samy Tindel Purdue University Probability

Some estimates for the parabolic Anderson model Samy Tindel Purdue University Probability

Some estimates for the parabolic Anderson model Samy Tindel Purdue University Probability Seminar - Urbana Champaign 2015 Collaborators: Xia Chen, Yaozhong Hu, Jingyu Huang, Khoa L, David Nualart Samy T. (Purdue) Parabolic Anderson model

626 views • 35 slides
The K - Medoids Clustering Method Find representative objects, called medoids, in clusters PAM

The K - Medoids Clustering Method Find representative objects, called medoids, in clusters PAM

The K - Medoids Clustering Method Find representative objects, called medoids, in clusters PAM (Partitioning Around Medoids, 1987) starts from an initial set of medoids and iteratively replaces one of the medoids by one of the

289 views • 28 slides
Washington Health Benefit Exchange NAHDO November 2019 Leah Hole-Marshall, General Counsel and

Washington Health Benefit Exchange NAHDO November 2019 Leah Hole-Marshall, General Counsel and

CBO Presentation Washington Health Benefit Exchange NAHDO November 2019 Leah Hole-Marshall, General Counsel and Chief Strategist Exchange Operations The Exchange operates Washington Healthplanfinder, a s ingle integrated online portal to

437 views • 27 slides
Blue elephant on-demand: PostgreSQL + Kubernetes FOSDEM 2018, Brussels Oleksii Kliukin, Jan

Blue elephant on-demand: PostgreSQL + Kubernetes FOSDEM 2018, Brussels Oleksii Kliukin, Jan

Please write title, subtitle Please write title, subtitle and speaker name in all and speaker name in all capital letters capital letters Blue elephant on-demand: PostgreSQL + Kubernetes FOSDEM 2018, Brussels Oleksii Kliukin, Jan

871 views • 58 slides
ECEN 5032 Data Networks Communication Theory: PAM Examples Peter Mathys mathys@colorado.edu

ECEN 5032 Data Networks Communication Theory: PAM Examples Peter Mathys mathys@colorado.edu

ECEN 5032 Data Networks Communication Theory: PAM Examples Peter Mathys mathys@colorado.edu University of Colorado, Boulder Data Networks, PAM Examples, c 19962005, P . Mathys p.1/8 Polar PAM,

232 views • 8 slides

More recommend