lecture 4 authentication and access
play

Lecture 4 - Authentication and Access CSE497b - Spring 2007 - PowerPoint PPT Presentation

Nov 03, 2022 •169 likes •403 views

Lecture 4 - Authentication and Access CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors

  1. Lecture 4 - Authentication and Access CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professors Jaeger

  2. Why authenticate? • Why do we want to verify the identity of a user? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  3. Control Access • An identity permits access to resources • In computer security this is called – Access control – Authorization • In authorization, we talk about: – Subjects (for whom an action is performed) – Objects (upon what an action is performed) – Operations (the type of action performed) • Authorization limits a subject ’ s access perform an operation on an object – The combination of object and operations allowed are called a permission 3 CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  4. “Project” 1 • Login to Playpen VM – We will send you your username, password, IP • Change your password – Do *not* change the root password • Need to do some minor Linux administration • Customize your VM – You have sudo privilege – You are the administrator • Posted on the calendar (due next Th, Feb 1) – If it ’ s good enough for the President... 4 CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  5. A Brief History • Early computing systems had no isolation – Shared memory space – Shared file space • Some physical limitations made this OK – Batch processing – Load the tape/disk for the application – Network? What network? • In the mid-60s people started to work on ‘ multiuser ’ or ‘ time-sharing ’ systems – What about a bug? – What about my data? • Mostly about protection CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  6. Multiprogrammed Systems • Multics project – AT&T, MIT, Honeywell, etc. – General purpose, multi-user system – Comprehensive security • Hardware protection • Subject labeling • Permission management • UNIX project – Arose from the ashes of Multics – A stripped-down multiuser system CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  7. Authentication and Access • Authenticate user – E.g., login and ssh – Verify password or ... • Create processes with appropriate identity (subject) – E.g., UNIX user id • Limit access of these processes using subject – E.g., Access control of files based on subject • Protect one user from another • Q: Is that enough for enforcing security? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  8. Security vs. Protection • Protection – Focus on process isolation and user separation • Security Requires – Confidentiality: Don ’ t leak your secret files – Integrity: Don ’ t overwrite your important data – Availability: Don ’ t prevent an operation • System Protection Mechanisms are Not Enough! – Do NOT ensure security of user ’ s data against an attacker – Functional demands result in system compromise – Does not scale beyond a single system • Current access control mechanisms fail to enforce security goals CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  9. Your Programs • What permissions are available to programs that you run? – Email – Web browser – Game – A little program that you downloaded from the web • What can these programs do with your permissions? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  10. Your Programs • They can do anything that you can – Use any permission that you have – Including the owner permission • They can give anyone access to your files • Worse yet, traditional access control is not comprehensive – A program can send a file anywhere • What does this mean to the secrecy of your data? • And it gets even worse... CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  11. Security Model • Adversaries – Who? • Threats – What can they do? • Vulnerabilities – What vulnerabilities can the adversaries leverage? • Trust model – What are you trusting (implicit in the discussion so far)? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  12. Security Model • Adversaries – Other system users – Program developers – Web responses, emails – Remote parties • Threats – Code running on same system – Input malicious code • Vulnerabilities – User can be tricked • Lots of applications enable the user to run downloaded code – Application vulnerabilities – Misconfigured policy CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  13. Email Clients • In addition to reading emails, – Execute attachments (run with your privileges) – May even run a malicious script w/o opening an attachment (run with your privileges) • What kind of attachments can you open? – From Granny: May be a forged address – Word or Excel: May contain viruses • But, I ’ ve really gotta see it – Plain text – Signed emails – Anti-virus may catch some, but no guarantee CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  14. Access Matrix • Describe all possible accesses – Operations of (S 2 ,O 2 ) O 1 O 2 O 3 – E.g., read, write, execute • Specify which users ’ processes S 1 Y Y N can access which files • Necessary to specify policy to protect users S 2 N Y N S 3 N Y Y CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  15. Manage the Access Matrix • How do you give someone access to your file? O 1 O 2 O 3 • Access matrix also has management permissions S 1 Y Y N – owner permission • A subject with owner permission can S 2 N Y N – Give another user permissions to an object S 3 N Y Y – Even the owner permission itself • This seems necessary, right? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  16. The Door Is Open • Suppose that you want to download new software – Or a software update • Typically, users lack the permissions to overwrite system files – Why update a system file? – “Penetrate and patch” • For convenience, users run with administrative privileges (e.g., Windows) – Now, the downloaded code (and the email attachment) runs with full privilege CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  17. Tip of the Iceberg • Viruses • Worms • Spyware • Keyloggers • What ’ s next? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  18. Remote Access • Suppose you are building a service for remote clients – E.g., a web application • How are you going to authenticate identity? • What rights are you going to assign to which identity? • Q: What are your vulnerabilities now? – Consider the network and the remote computer Name/Password Client Your Server Services CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  19. Remote Access • Client selects a name and password – How does the client protect the password? • Server stores state on client for ease of use (cookies) – How do we ensure that attacker can ’ t use this state? • What other forms of authentication are used in e- commerce? Name/Password Client Your Server Services CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  20. Single Signon • Nice feature for users: – Login once, then use any number of remote services • A centralized service provides authenticated users with tokens SSO Name/ Server Password SSO Token Client Your Server Services CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  21. Single Signon • As a remote service provider – What is the basis for trust for the single signon? – Can you trust the token? • Can we run a business-to-business on such trust? – Is there a second-factor for authentication? CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

  22. Take Away • We have just looked at the most common mechanisms – Passwords – User-based Access Control • There are a slew of problems with each • But, this is what the world uses – What can we do? That Is the Topic of This Course CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Lecture 15 Access Control Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 15 Access Control Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 15 Access Control Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Authentication vs Authorization Authentication Who goes there? Restrictions on who (or what)

348 views • 21 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication

Outline OS protection and isolation (contd) CSci 5271 OS security: authentication Introduction to Computer Security Basics of access control OS authentication and access control (combined lecture) Announcements, Ex. 1 debrief Stephen

440 views • 11 slides
Lecture 22 Access Control Stephen Checkoway Oberlin College Slides based on Baileys ECE

Lecture 22 Access Control Stephen Checkoway Oberlin College Slides based on Baileys ECE

Lecture 22 Access Control Stephen Checkoway Oberlin College Slides based on Baileys ECE 422 Authentication vs Authorization Authentication Who goes there? Restrictions on who (or what) can access system Authorization Are

422 views • 20 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts

CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts

CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

493 views • 20 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is

Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is

I5020 Computer Security Session 7 Authentication and Access Control Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License. User Authentication

862 views • 43 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We want to control how users can interact with information E.g., Users should only be able to view their own messages Users can only

465 views • 12 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication

Message Authentication Codes Digital Signatures Lecture 11 Shafi Goldwasser Authentication Problem Bob Alice k k message M Eve is Active: Can alter messages Can insert new messages Authentication Problem Secrecy is not the only

553 views • 37 slides
Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.15k views • 70 slides
A Pluggable Framework for Composable HPC Scheduling Libraries Max Grossman 1 , Vivek Kumar 2 ,

A Pluggable Framework for Composable HPC Scheduling Libraries Max Grossman 1 , Vivek Kumar 2 ,

A Pluggable Framework for Composable HPC Scheduling Libraries Max Grossman 1 , Vivek Kumar 2 , Nick Vrvilo 1 , Zoran Budimlic 1 , Vivek Sarkar 1 1 Habanero Extreme Scale So=ware Research Group, Rice University 2 IIIT-Delhi AsHES 2017 - May 29 2017

596 views • 36 slides
The Shmitah Cycle Common Holy Year 1 Year 2 Year 1 Year 2 Year 3 Year 4 Year 5 Year 6

The Shmitah Cycle Common Holy Year 1 Year 2 Year 1 Year 2 Year 3 Year 4 Year 5 Year 6

The Shmitah Cycle Common Holy Year 1 Year 2 Year 1 Year 2 Year 3 Year 4 Year 5 Year 6 Year 7 7 Years The Yovel Cycle Common Holy Year 50 Year Year Year Year Year Year Year Year 1 Year 2 46 48 45 47 49 43 44 49 Years

684 views • 22 slides
James 5:17, Elijah was a man with a nature like ours, and he prayed earnestly that it would

James 5:17, Elijah was a man with a nature like ours, and he prayed earnestly that it would

James 5:17, Elijah was a man with a nature like ours, and he prayed earnestly that it would not rain; and it did not rain on the land for three years and six months. 1 Kings 17:1, And Elijah the Tishbite, of the inhabitants of Gilead,

546 views • 22 slides
Jonah 1 God calls Jonah to Nineveh Jonah goes the other way. Pagan Sailors being awake

Jonah 1 God calls Jonah to Nineveh Jonah goes the other way. Pagan Sailors being awake

Jonah 1 God calls Jonah to Nineveh Jonah goes the other way. Pagan Sailors being awake spiritually Gods Prophet being asleep spiritually Last Week: Jonah prays for and receives physical salvation at the last possible moment The

368 views • 32 slides
Review of burial and cremation law Image thanks to Christchurch City Council Scope of review

Review of burial and cremation law Image thanks to Christchurch City Council Scope of review

Review of burial and cremation law Image thanks to Christchurch City Council Scope of review Places and manner of burial Crematoria Funeral sector Decision making after death Disputes Death certification Where were at

489 views • 17 slides
Spooky Claims 2017 Victor A. Davis October 19, 2017 The webinar will begin shortly. Phone |

Spooky Claims 2017 Victor A. Davis October 19, 2017 The webinar will begin shortly. Phone |

Welcome to todays webinar! Spooky Claims 2017 Victor A. Davis October 19, 2017 The webinar will begin shortly. Phone | 1-800-619-3315 Passcode | 4597908 In order to obtain a CE Certificate or CLE Credit, you must listen to the

774 views • 55 slides
King Ahasuerus [Xerxes] imposed tax on the land and on the coastlands of the sea. 2 And all the

King Ahasuerus [Xerxes] imposed tax on the land and on the coastlands of the sea. 2 And all the

Esther 10:1-3 (ESV) King Ahasuerus [Xerxes] imposed tax on the land and on the coastlands of the sea. 2 And all the acts of his power and might, and the full account of the high honor of Mordecai, to which the king advanced him, are they not

296 views • 14 slides
Information Session January 25 th , 2017 Welcome You made it 750 applicants did not! Mission

Information Session January 25 th , 2017 Welcome You made it 750 applicants did not! Mission

Information Session January 25 th , 2017 Welcome You made it 750 applicants did not! Mission Williams Parkway Sr PS IBT will build the leaders and innovators of the 21 st Century by inspiring a passion for learning, exploring and leading.

1.1k views • 58 slides

More recommend