outline computer security security at work
play

Outline Computer Security: Security at Work Authentication and - PDF document

May 13, 2023 •350 likes •405 views

Radboud University Nijmegen Radboud University Nijmegen Authentication and Identity Management Authentication and Identity Management Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs

  1. Radboud University Nijmegen Radboud University Nijmegen Authentication and Identity Management Authentication and Identity Management Outline Computer Security: Security at Work Authentication and Identity Management Bart Jacobs Authentication Identity management Institute for Computing and Information Sciences – Digital Security Kerberos, and derivatives Radboud University Nijmegen Version: fall 2010 Bart Jacobs Version: fall 2010 Computer Security 1 / 26 Bart Jacobs Version: fall 2010 Computer Security 2 / 26 Authentication and Identity Management Radboud University Nijmegen Authentication and Identity Management Radboud University Nijmegen Real-world and virtual-world authentication Human to computer authentication Recall : identification = saying who you are; authentication = proving who you are. • In daily life we rely on context for many forms of The three basic human-to-computer authentication mechanisms (implicit) authentication are based on: • uniforms / places / 1 something you have, like a (physical) key, or card behaviour / etc Risk? theft, copying 2 something you know, like a password or PIN • In the online world such Risk? eavesdropping (shoulder-surfing), brute-force trials, forgetting contexts are either lacking, (how secure is the recovery procedure?), social engineering, multiple or easy to manipulate (fake use, fake login screens (use wrong password first!) “On the internet nobody e-banking site) knows you’re a dog” 3 something you are, ie. biometrics, like fingerprints or iris (Peter Steiner, New Yorker, 1993) Risk? imitation (non-replaceability), multiple use Bart Jacobs Version: fall 2010 Computer Security 4 / 26 Bart Jacobs Version: fall 2010 Computer Security 5 / 26 Authentication and Identity Management Radboud University Nijmegen Authentication and Identity Management Radboud University Nijmegen More about passwords Password change policies It is common wisdom that at least a 64 bit string is needed to be secure against password guessing. These 64 bit amount to: Does it make sense to force users to change their passwords • 11 characters, randomly chosen periodically (say every 3 months)? • 16 characters, computer generated but pronounceable • Pro: compromised passwords are usable for only a relatively • 32 characters, user-chosen short amount of time • Against: lot’s of things: With modern brute force and rule-based techniques, passwords can • the cause of a password compromise (if any) is ignored, and be broken easily. A well-known system to do so is Crack may be re-exploited Heuristics • users get annoyed, and use escape techniques: • insecure variations: passwd1 , passwd-2010 etc. Reasonably good passwords come from longer phrases, eg. as first • writing passwords down letters of the words in a sentence: they are relatively easy to (so that they become ‘something you have’) remember, and reasonably arbitrary (with much entropy). • more helpdesk calls, because people immediately forget their It is then still wise to filter on bad passwords. latest version An alternative is to use one-time passwords, distributed via an independent channel (eg. via a generator, via GSM or TAN-lists). Bart Jacobs Version: fall 2010 Computer Security 6 / 26 Bart Jacobs Version: fall 2010 Computer Security 7 / 26

  2. Radboud University Nijmegen Radboud University Nijmegen Authentication and Identity Management Authentication and Identity Management Password recovery Biometrics: intro Biometrics refers to the use of physical characteristics or deeply What to do when a user forgets his/her password? This happens ingrained behaviour or skills to identify a person. frequently. Hence recovery procedures should not be too complicated (or expensive). What to do? • Physical characteristics: facial features, fingerprints, iris, voice, DNA, and the shape of hands or even ears. Some options: • Behaviour or skill: handwritten signature, but also someone’s • self service password reset, by supplying answers to previously set security questions, like “where was your mother born?” gait, or the rhythm in which someone types on a keyboard. “what’s your first pet’s name?” etc. Different types of biometrics have important differences in: Often, answers can be obtained by social engineering, phishing or • accuracy (percentage of false matches/non-matches) simple research (recall the Sarah Palin mailbox incident in 2008) • how easy they are to fake • Provide a new password via a different channel • which population groups they discriminate against • face-to-face transfer is best, but not always practical • ING bank provides new password via SMS • how much information they reveal about us, and how sensitive (recall: GSM (esp. SMS) is now broken) this information is (eg. your DNA may reveal health risks of • force re-registration (like DigiD does in NL) interest to insurance companies) Bart Jacobs Version: fall 2010 Computer Security 8 / 26 Bart Jacobs Version: fall 2010 Computer Security 9 / 26 Authentication and Identity Management Radboud University Nijmegen Authentication and Identity Management Radboud University Nijmegen Biometrics: intentional or unintentional Biometric systems in operation A biometric system works in several steps 1 its sensors capture a presented biometric Important difference between types of biometrics: 2 this input signal is then processes to extract features from it • necessarily intentional and conscious production, like with 3 these features are compared to previously recorded and stored signature (except under extreme coercion) biometric information • possibly unintentional production: people leave copies of their 4 it is decided if there is a match or not fingerprints and samples of their DNA wherever they go. Ideally, not the raw biometric information is stored, but a template • With the increased use of surveillance cameras we also leave with crucial info about features extracted from the raw data our facial image and gait in many places. This is what enables such biometrics to be used in law enforcement Fingerprint example • It also makes fingerprint information more valuable to the • raw information: image of the fingerprint (stored eg. in e-passport) owner, and to potential attackers, as fake fingerprints could be planted at a crime scene. • template: so-called minutiae, bifurcations and endpoints of ridges, which most fingerprint recognition systems use Storing such templates goes some way towards preventing abuse, assuming that fingerprints cannot be reconstructed from the templates. Bart Jacobs Version: fall 2010 Computer Security 10 / 26 Bart Jacobs Version: fall 2010 Computer Security 11 / 26 Authentication and Identity Management Radboud University Nijmegen Authentication and Identity Management Radboud University Nijmegen Biometrics for verification or identification Biometric systems are not perfect Biometrics can be used in two completely separate ways: • False match: the system reports a match when in fact the • Verification: a person is matched with one particular stored stored biometric comes from someone else biometric (template), eg. the fingerprint on his e-passport, to check that someone has a certain claimed identity Example : innocent person barred from boarding a plane • Identication: a person is matched with a large collection of • False non-match: the system reports that the two don’t stored biometrics, for example to see if he occurs in a match, even though both are from the same person database of known criminals, or has not already applied for a Example : Bin Laden gets on board passport under a different name (Clearly, this is more error-prone than one-to-one matches, since in Note on terminology one-to-many matches errors accumulate) False matches are often called false accepts, and false non-matches false rejects. e-Passport example in NL This can be confusing: if a database of biometrics is used to check that • originally proposed for verification only (against look-alike fraud) known terrorists do not enter the country, then a false non-match leads to a false accept (into the country), not a false reject • function creep happened in the form of central storage of all biometrics: now usable for identification and law enforcement Bart Jacobs Version: fall 2010 Computer Security 12 / 26 Bart Jacobs Version: fall 2010 Computer Security 13 / 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL

Outline The web from a security perspective CSci 5271 Introduction to Computer Security SQL injection Web security, part 1 Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering Web

522 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

395 views • 7 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

608 views • 8 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Affairs Division Department of Political Affairs United Nations August 2013 Outline What is the Security Council?

189 views • 16 slides
Outline Elections and their security CSci 5271 Introduction to Computer Security System

Outline Elections and their security CSci 5271 Introduction to Computer Security System

Outline Elections and their security CSci 5271 Introduction to Computer Security System security of electronic voting Electronic voting Announcements intermission Stephen McCamant University of Minnesota, Computer Science & Engineering

420 views • 5 slides
Outline OS security: protection and isolation CSci 5271 OS security: authentication

Outline OS security: protection and isolation CSci 5271 OS security: authentication

Outline OS security: protection and isolation CSci 5271 OS security: authentication Introduction to Computer Security Announcements intermission Day 9: OS security basics Stephen McCamant Basics of access control University of Minnesota,

269 views • 8 slides
System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 29-1 Outline Introduction Policy Networks Users Authentication Processes Files Retrospective Computer Security: Art

951 views • 59 slides
Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission

Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission

Outline SSL/TLS DNSSEC CSci 5271 Introduction to Computer Security Announcements intermission Day 19: Web security, part 1 The web from a security perspective Stephen McCamant University of Minnesota, Computer Science & Engineering SQL

492 views • 9 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Quick Intro to Computer Security What is computer security? Securing communication

Quick Intro to Computer Security What is computer security? Securing communication

Carnegie Mellon Quick Intro to Computer Security What is computer security? Securing communication Cryptographic tools Access control User authentication Computer security and usability Thanks to Mike Reiter for the

412 views • 38 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Identity in the Information Society: Exploring Legal Approaches to the Use of Biometric Data

Identity in the Information Society: Exploring Legal Approaches to the Use of Biometric Data

Identity in the Information Society: Exploring Legal Approaches to the Use of Biometric Data Annemarie Sprokkereef ICS - University of Leeds TILT- University of Tilburg What is Biometrics? Biometric technology identifies individuals by

614 views • 12 slides
Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks

Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

791 views • 35 slides
Multiple inheritance Aside: how to safely read data Execute /hw4/array enter junk

Multiple inheritance Aside: how to safely read data Execute /hw4/array enter junk

Multiple inheritance Aside: how to safely read data Execute /hw4/array enter junk (after 1 st iteration) Can derive a class from more than one base class Use ctrl-C to stop the infinite loop, because that e.g., class

261 views • 3 slides
Introduction to Computing Principles

Introduction to Computing Principles

Introduction to Computing Principles Computer = hardware + software The computer is an amazingly useful general-purpose technology, to the point that now cameras,

429 views • 23 slides
Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work

Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work

Orr Dunkelman, Finding Yourself Is The Key University of Haifa Biometric Key Derivation that Joint work with Mahmood Sharif and Margarita Keeps Your Privacy Osadchy Overview Motivation Background : The Fuzziness Problem

810 views • 53 slides
Secure Sketch for Set Distance on Noisy Data KMS Annual Meeting 2014 Jung Hee Cheon and Yongsoo

Secure Sketch for Set Distance on Noisy Data KMS Annual Meeting 2014 Jung Hee Cheon and Yongsoo

Secure Sketch for Set Distance on Noisy Data KMS Annual Meeting 2014 Jung Hee Cheon and Yongsoo Song Seoul National University Oct 25, 2014 1 / 14 Noisy information in cryptography Classical cryptographic applications Lack of error-tolerance

166 views • 14 slides
Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords

520 views • 38 slides
Introduction to Pattern Recognition Selim Aksoy Department of Computer Engineering Bilkent

Introduction to Pattern Recognition Selim Aksoy Department of Computer Engineering Bilkent

Introduction to Pattern Recognition Selim Aksoy Department of Computer Engineering Bilkent University saksoy@cs.bilkent.edu.tr CS 551, Spring 2019 CS 551, Spring 2019 2019, Selim Aksoy (Bilkent University) c 1 / 39 Human Perception

3.87k views • 39 slides

More recommend