user authentication
play

User Authentication Storing Passwords Selecting Passwords ITS335: - PowerPoint PPT Presentation

Apr 10, 2024 •261 likes •663 views

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

  1. ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l03, Steve/Courses/2013/s2/its335/lectures/auth.tex, r2958 1/40

  2. ITS335 Contents User Authentication User Authentication Authentication Passwords Storing Passwords Password-Based Authentication Selecting Passwords Storing Passwords Tokens Biometrics Summary Selecting Passwords Token-Based Authentication Biometric Authentication Summary 2/40

  3. ITS335 User Authentication User Authentication Authentication Passwords Storing Passwords Selecting Passwords The process of verifying a claim that a system entity or Tokens system resource has a certain attribute value. Biometrics Summary — R. Shirey, “Internet Security Glossary, Version 2”, IETF RFC4949 3/40

  4. ITS335 Two Steps of Authentication User Authentication 1. Identification step: presenting an identifier to the security system Authentication ◮ E.g. user ID Passwords ◮ Generally unique but not secret Storing Passwords 2. Verification step: presenting or generating Selecting Passwords authentication information that acts as evidence to Tokens prove the binding between the attribute and that for Biometrics which it is claimed. Summary ◮ E.g. password, PIN, biometric information ◮ Often secret or cannot be generated by others User authentication is primary line of defence in computer security; other security controls rely on user authentication 4/40

  5. ITS335 Means of Authentication User Authentication Something the individual . . . Authentication Knows Passwords ◮ E.g. password, PIN, question answers Storing Passwords Selecting Passwords Possesses Tokens Biometrics ◮ Token, e.g. keycards, smart card, physical key Summary Is ◮ Static biometrics, e.g. fingerprint, retina, face Does ◮ Dynamic biometrics, e.g. voice pattern, handwriting, typing rhythm 5/40

  6. ITS335 Humans and Computers User Authentication Authentication Passwords Storing Passwords Humans are also large, expensive to maintain, difficult to Selecting manage and they pollute the environment. It is astonishing Passwords that these devices continue to be manufactured and Tokens deployed. But they are sufficiently pervasive that we must Biometrics Summary design our protocols around their limitations. — Kaufman, Perlman, Speciner “Network Security: Private Communication in a Public World”, Prentice Hall 2002 6/40

  7. ITS335 Contents User Authentication User Authentication Authentication Passwords Storing Passwords Password-Based Authentication Selecting Passwords Storing Passwords Tokens Biometrics Summary Selecting Passwords Token-Based Authentication Biometric Authentication Summary 7/40

  8. ITS335 Password-Based Authentication User Authentication ◮ Many multiuser computer systems used combination of ID and password for user authentication Authentication Passwords ◮ System initially stores username and password Storing Passwords ◮ User submits username/password to system; compared Selecting Passwords against stored values; if match, user is authenticated Tokens ◮ Identity (ID): Biometrics ◮ Determines whether user us authorised to gain access to Summary system ◮ Determines privileges of user, e.g. normal or superuser ◮ Used in access control to grant permissions to resources for user ◮ Password: ◮ What is a good password? ◮ How to store the passwords? ◮ How to submit the passwords? ◮ How to respond (if no match)? 8/40

  9. ITS335 Vulnerability of Passwords User Authentication Offline Dictionary Attack Attacker obtains access to ID/password (hash) database; use dictionary to find Authentication passwords Passwords Storing Passwords ◮ Countermeasures: control access to database; Selecting reissue passwords if compromised; strong hashes and Passwords salts Tokens Biometrics Specific Account Attack Attacker submits password guesses Summary on specific account ◮ Countermeasure: lock account after too many failed attempts Popular Password Attack Try popular password with many IDs ◮ Countermeasures: control password selection; block computers that make multiple attempts 9/40

  10. ITS335 Vulnerability of Passwords User Authentication Password Guessing Against Single User Gain knowledge about user and use that to guess password Authentication Passwords ◮ Countermeasures: control password selection; train Storing Passwords users in password selection Selecting Passwords Computer Hijacking Attackers gains access to computer Tokens that user currently logged in to Biometrics ◮ Countermeasure: auto-logout Summary Exploiting User Mistakes Users write down password, share with friends, tricked into revealing passwords, use pre-configured passwords ◮ Countermeasures: user training, passwords plus other authentication 10/40

  11. ITS335 Vulnerability of Passwords User Authentication Exploiting Multiple Password Use Passwords re-used across different systems/accounts, make easier for attacker to Authentication access resources once one password discovered Passwords Storing Passwords ◮ Countermeasure: control selection of passwords on Selecting multiple account/devices Passwords Tokens Electronic Monitoring Attacker intercepts passwords sent Biometrics across network Summary ◮ Countermeasure: encrypt communications that send passwords 11/40

  12. ITS335 Contents User Authentication User Authentication Authentication Passwords Storing Passwords Password-Based Authentication Selecting Passwords Storing Passwords Tokens Biometrics Summary Selecting Passwords Token-Based Authentication Biometric Authentication Summary 12/40

  13. ITS335 Storing Passwords User Authentication ◮ Upon initial usage, user ID and password are registered with system Authentication Passwords ◮ ID, password (or information based on it), and Storing Passwords optionally other user information stored on system, e.g. Selecting in file or database Passwords Tokens ◮ To access system, user submits ID and password, Biometrics compared against stored values Summary ◮ How should passwords be stored? 13/40

  14. ITS335 Storing Passwords in the Clear User Authentication ID , P Authentication Passwords Insider attack: normal user reads the database and learns Storing Passwords other users passwords Selecting Passwords ◮ Countermeasure: access control on password database Tokens Insider attack: admin user reads the database and learns Biometrics other users passwords Summary ◮ Countermeasure: none—admin users must be trusted! Outsider attack: attacker gains unauthorised access to database and learns all passwords ◮ Countermeasure: do not store passwords in the clear 14/40

  15. ITS335 Encrypting the Passwords User Authentication ID , E ( K , P ) Authentication Passwords ◮ Encrypted passwords are stored Storing Passwords Selecting ◮ When user submits password, it is encrypted and Passwords compared to the stored value Tokens Biometrics ◮ Drawback: Secret key, K , must be stored (on file or Summary memory); if attacker can read database, then likely they can also read K 15/40

  16. ITS335 Hashing the Passwords User Authentication ID , H ( P ) Authentication Passwords ◮ Hashes of passwords are stored Storing Passwords Selecting ◮ When user submits password, it is hashed and compared Passwords to the stored value Tokens ◮ Practical properties of hash functions: Biometrics Summary ◮ Variable sized input; produce a fixed length, small output ◮ No collisions ◮ One-way function ◮ If attacker gains database, practically impossible to take a hash value and directly determine the original password 16/40

  17. ITS335 Brute Force Attack on Hashed Passwords User Authentication ◮ Aim: given one (or more) target hash value, find the original password Authentication Passwords ◮ Start with large set of possible passwords (e.g. from Storing Passwords dictionary, all possible n -character combinations) Selecting ◮ Calculate hash of possible password, compare with Passwords target hash Tokens ◮ if match, original password is found Biometrics ◮ else, try next possible password Summary ◮ Attack duration depends on size of possible password set 17/40

  18. ITS335 Pre-calculated Hashes and Rainbow Tables User Authentication ◮ How to speed up brute force attack? Use hash values calculated by someone else Authentication Passwords ◮ Possible passwords and corresponding hashes stored in Storing Passwords database Selecting ◮ Attacker performs lookup on database for target hash Passwords Tokens ◮ How big is such a database of pre-calculated hashes? Biometrics ◮ In raw form, generally too big to be practical (100’s, Summary 1000’s of TB) ◮ Using specialised data structures (e.g. Rainbow tables), can obtain manageable size, e.g. 1 TB ◮ Trade-off: reduce search time, but increase storage space ◮ Countermeasures: ◮ Longer passwords ◮ Slower hash algorithms ◮ Salting the password before hashing 18/40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.72k views • 132 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7

Authentication CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 7 Page 1 CS 236 Online Outline Introduction Basic authentication mechanisms Lecture 7 Page 2 CS 236 Online Introduction Much of

799 views • 30 slides
Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23

Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23

Salting Loft 1 WEEK STARTS COST 1 02-Jan 420.00 2 9 420.00 3 16 420.00 4 23 420.00 5 30 420.00 6 06-Feb 420.00 7 13 470.00 8 20 420.00 9 27 420.00 10 06-Mar 420.00 11 13 420.00 12 20

624 views • 3 slides
MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner

MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner

MIT KDB Design Ongoing development Remaining bits Heimdal sacrifices MIT KDC integration Andreas Schneider <asn@samba.org> G unther Deschner <gd@samba.org> Red Hat May 21th, 2015 Andreas Schneider <asn@samba.org> G

1.17k views • 29 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly,

Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly,

Better PHP Security Learning from Adobe Bill Condo @mavrck PHP Security: Adobe Hack Drupal Camp Ohio 2013 Quickly, about me Consultant Senior Engineer Developer Senior Developer Director of Tech Hosting Manager Support

478 views • 32 slides
Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you

Encryption The Problem Using HTTP , anyone with access to your packets can see everything you are doing online This includes your passwords! Who has access to my packets? Your ISP at home UBIT on campus Tier 1 Networks

232 views • 22 slides
AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide

August 13, 2013 DIAC 2013 AEAD Ciphers for Highly Constrained Networks Ren Struik e-mail: rstruik.ext@gmail.com Slide 1 Ren Struik (Struik Security Consultancy) August 13, 2013 DIAC 2013 Outline 1. Highly Constrained Networks

559 views • 30 slides

More recommend