user authentication and passwords
play

User Authentication and Passwords Storing Passwords Selecting - PowerPoint PPT Presentation

Feb 25, 2024 •383 likes •670 views

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

  1. CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l11, Steve/Courses/2013/s2/css322/lectures/passwords.tex, r2963 1/28

  2. CSS322 Contents Passwords Authentication User Authentication Passwords Entropy Storing Passwords Selecting Password-Based Authentication Passwords Password Entropy Storing Passwords Selecting Passwords 2/28

  3. CSS322 User Authentication Passwords Authentication Passwords Entropy Storing Passwords Selecting The process of verifying a claim that a system entity or Passwords system resource has a certain attribute value. — R. Shirey, “Internet Security Glossary, Version 2”, IETF RFC4949 3/28

  4. CSS322 Two Steps of Authentication Passwords 1. Identification step: presenting an identifier to the Authentication security system Passwords ◮ E.g. user ID Entropy ◮ Generally unique but not secret Storing Passwords 2. Verification step: presenting or generating Selecting authentication information that acts as evidence to Passwords prove the binding between the attribute and that for which it is claimed. ◮ E.g. password, PIN, biometric information ◮ Often secret or cannot be generated by others User authentication is primary line of defence in computer security; other security controls rely on user authentication 4/28

  5. CSS322 Means of Authentication Passwords Something the individual . . . Authentication Knows Passwords Entropy ◮ E.g. password, PIN, question answers Storing Passwords Selecting Passwords Possesses ◮ Token, e.g. keycards, smart card, physical key Is ◮ Static biometrics, e.g. fingerprint, retina, face Does ◮ Dynamic biometrics, e.g. voice pattern, handwriting, typing rhythm 5/28

  6. CSS322 Humans and Computers Passwords Authentication Passwords Entropy Humans are also large, expensive to maintain, difficult to Storing Passwords manage and they pollute the environment. It is astonishing Selecting Passwords that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations. — Kaufman, Perlman, Speciner “Network Security: Private Communication in a Public World”, Prentice Hall 2002 6/28

  7. CSS322 Contents Passwords Authentication User Authentication Passwords Entropy Storing Passwords Selecting Password-Based Authentication Passwords Password Entropy Storing Passwords Selecting Passwords 7/28

  8. CSS322 Password-Based Authentication Passwords ◮ Many multiuser computer systems used combination of Authentication ID and password for user authentication Passwords ◮ System initially stores username and password Entropy Storing Passwords ◮ User submits username/password to system; compared Selecting against stored values; if match, user is authenticated Passwords ◮ Identity (ID): ◮ Determines whether user us authorised to gain access to system ◮ Determines privileges of user, e.g. normal or superuser ◮ Used in access control to grant permissions to resources for user ◮ Password: ◮ What is a good password? ◮ How to store the passwords? ◮ How to submit the passwords? ◮ How to respond (if no match)? 8/28

  9. CSS322 Vulnerability of Passwords Passwords Offline Dictionary Attack Attacker obtains access to Authentication ID/password (hash) database; use dictionary to find Passwords passwords Entropy ◮ Countermeasures: control access to database; Storing Passwords reissue passwords if compromised; strong hashes and Selecting Passwords salts Specific Account Attack Attacker submits password guesses on specific account ◮ Countermeasure: lock account after too many failed attempts Popular Password Attack Try popular password with many IDs ◮ Countermeasures: control password selection; block computers that make multiple attempts 9/28

  10. CSS322 Vulnerability of Passwords Passwords Password Guessing Against Single User Gain knowledge Authentication about user and use that to guess password Passwords ◮ Countermeasures: control password selection; train Entropy users in password selection Storing Passwords Selecting Computer Hijacking Attackers gains access to computer Passwords that user currently logged in to ◮ Countermeasure: auto-logout Exploiting User Mistakes Users write down password, share with friends, tricked into revealing passwords, use pre-configured passwords ◮ Countermeasures: user training, passwords plus other authentication 10/28

  11. CSS322 Vulnerability of Passwords Passwords Exploiting Multiple Password Use Passwords re-used across Authentication different systems/accounts, make easier for attacker to Passwords access resources once one password discovered Entropy ◮ Countermeasure: control selection of passwords on Storing Passwords multiple account/devices Selecting Passwords Electronic Monitoring Attacker intercepts passwords sent across network ◮ Countermeasure: encrypt communications that send passwords 11/28

  12. CSS322 Contents Passwords Authentication User Authentication Passwords Entropy Storing Passwords Selecting Password-Based Authentication Passwords Password Entropy Storing Passwords Selecting Passwords 12/28

  13. CSS322 Strength of Passwords Passwords ◮ Entropy used as indicator of password strength Authentication ◮ Password with entropy of n bits is equivalent to n -bit Passwords key at withstanding brute force Entropy ◮ How many bits needed to represent symbols from Storing Passwords symbol set: Selecting ◮ Digits, 0 . . . 9: 3.32 Passwords ◮ English letters, a . . . z: 4.70 ◮ Printable ASCII characters (94): 6.55 ◮ For 64-bit equivalent strength: ◮ Digits: 20 ◮ English letters: 14 ◮ Printable ASCII characters: 10 ◮ Human generated passwords are not random ◮ Difficult to estimate entropy, NIST have approximations 13/28

  14. CSS322 NIST Estimated Password Strength Passwords Authentication Passwords Entropy Storing Passwords Selecting Passwords NIST Special Publication 800-63, Electronic Authentication Guideline, April 2006. http://csrc.nist.gov/publications/nistpubs/ 800-63/SP800-63V1_0_2.pdf 14/28

  15. CSS322 Contents Passwords Authentication User Authentication Passwords Entropy Storing Passwords Selecting Password-Based Authentication Passwords Password Entropy Storing Passwords Selecting Passwords 15/28

  16. CSS322 Storing Passwords Passwords ◮ Upon initial usage, user ID and password are registered Authentication with system Passwords ◮ ID, password (or information based on it), and Entropy optionally other user information stored on system, e.g. Storing Passwords in file or database Selecting Passwords ◮ To access system, user submits ID and password, compared against stored values ◮ How should passwords be stored? 16/28

  17. CSS322 Storing Passwords in the Clear Passwords Authentication ID , P Passwords Entropy Insider attack: normal user reads the database and learns Storing Passwords other users passwords Selecting ◮ Countermeasure: access control on password database Passwords Insider attack: admin user reads the database and learns other users passwords ◮ Countermeasure: none—admin users must be trusted! Outsider attack: attacker gains unauthorised access to database and learns all passwords ◮ Countermeasure: do not store passwords in the clear 17/28

  18. CSS322 Encrypting the Passwords Passwords Authentication ID , E ( K , P ) Passwords Entropy ◮ Encrypted passwords are stored Storing Passwords ◮ When user submits password, it is encrypted and Selecting Passwords compared to the stored value ◮ Drawback: Secret key, K , must be stored (on file or memory); if attacker can read database, then likely they can also read K 18/28

  19. CSS322 Hashing the Passwords Passwords Authentication ID , H ( P ) Passwords Entropy ◮ Hashes of passwords are stored Storing Passwords ◮ When user submits password, it is hashed and compared Selecting Passwords to the stored value ◮ Practical properties of hash functions: ◮ Variable sized input; produce a fixed length, small output ◮ No collisions ◮ One-way function ◮ If attacker gains database, practically impossible to take a hash value and directly determine the original password 19/28

  20. CSS322 Brute Force Attack on Hashed Passwords Passwords ◮ Aim: given one (or more) target hash value, find the Authentication original password Passwords ◮ Start with large set of possible passwords (e.g. from Entropy dictionary, all possible n -character combinations) Storing Passwords ◮ Calculate hash of possible password, compare with Selecting Passwords target hash ◮ if match, original password is found ◮ else, try next possible password ◮ Attack duration depends on size of possible password set 20/28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords

PASSWORDS CS682: Advanced Security Topics Vasiliki Panteli 3/9/2020 Passwords 1 Passwords Passwords is a user authentication mechanism that is widely adopted for many years Methods for user authentication: Something you know

901 views • 52 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) October 26, 2000 people 2 Passwords initial password distribution (students)

559 views • 13 slides
Authentication of People what you know (passwords) what you have (keys) what you are

Authentication of People what you know (passwords) what you have (keys) what you are

people 1 Authentication of People what you know (passwords) what you have (keys) what you are (biometric devices) where you are (physical) Slide 1 Passwords initial password distribution (students) limit password guessing

305 views • 7 slides
Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

Hour #1: Passwords Identification, Authentication, and Authorization Identification: You

CSCI E-170 Computer Security, Usability & Privacy Hour #1: Passwords Identification, Authentication, and Authorization Identification: You give your name Authentication: Youve proven that its really you.

486 views • 31 slides
Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret

Crypto with Passwords Lecture 22 Passwords Password or passphrase: Low-entropy shared secret Typical goal: client authenticating to server, without being tied to a device holding a cryptographic key. On authentication, a session key should be

344 views • 11 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Authentication: Beyond Passwords Prof. Tom Austin San Jos State University Biometrics

Authentication: Beyond Passwords Prof. Tom Austin San Jos State University Biometrics

CS 166: Information Security Authentication: Beyond Passwords Prof. Tom Austin San Jos State University Biometrics Something You Are Biometric You are your key Schneier Examples Fingerprint Are Handwritten

800 views • 32 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key Crucial as people will

690 views • 41 slides
Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON.

Dragonblood : Weaknesses in WPA3s Dragonfly Handshake Mathy Vanhoef and Eyal Ronen BruCON. Belgium, 11 October 2019. 2 Background: Dragonfly in WPA3 and EAP-pwd = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual

1.97k views • 56 slides
Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key,

Applied Cryptography December 2017 ECDLP is the problem of finding an ECC user's secret key, given the user's public key. Unfortunately, there is a gap between ECDLP difficulty and ECC security.There are many attacks that break

527 views • 18 slides
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Bobs secret key is sk [ B ] and its associated public key is pk [ B ]. The public key setting assumes Alice is in possession of pk [ B ]. Alice pk [ B

619 views • 48 slides
BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER

BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER

BITLOCKER MEETS GPUS BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER Windows Vista, 7, 8.1 and 10 encryption feature (Ultimate, Pro, Enterprise, etc..) It encrypts several types of memory units

904 views • 30 slides
Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a

420 views • 18 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Free-Net Ian Clarke, Oskar Sandberg, Brandon Wiley, Theodore Hong, 2000 Goal - peer-to-peer network -

746 views • 36 slides

More recommend