
Host and Application Security






Presentation Transcript


  1. Host and Application Security Lesson 8: You are you… mostly

  2. OS: If we want access control • We must have… user authentication • The OS cannot enforce who may do what until it knows who is asking

  3. User Authentication • Something the user knows (password, PIN) • Something the user has (token, phone, smart card) • Something the user is (biometric) • “Two factor” means just what it says: two of these categories, not two of the same kind (a password plus a PIN is still one factor)

  4. Passwords • The most common access control paradigm • Challenges: • Loss • Convenience • Disclosure • Revocation

  5. Additional Restrictions • Time limited access • Geospatial limitations – very clever!

  6. Attacks on Passwords • Brute force • Common passwords • Likely passwords • Find the stored (hashed) password database and crack it offline, where no lockout policy applies • Ask!

  7. Exhaustive Attack • Not as hard as one might think… • The search space people actually use is much smaller than the theoretical one (short, lower-case, dictionary-based) • How tractable is this? Very! • GPU computing makes this very fast: fast hashes like MD5 or SHA-1 can be tried at billions of guesses per second per card

  8. Probable Passwords • Lots of similarities in the way people pick passwords • Which is more likely: • Flatech or 8*fgHi@d? • Time for an xkcd…

  9. Thanks, Randall!

  10. How the Computer Stores Passwords • Cannot (should not) be stored in the clear • Hash them, not encrypt them: a one-way function means the system can verify a password without being able to recover it • Originally, in the world-readable /etc/passwd file • Then, moved to /etc/shadow, readable only by root • Typically, we store a hash of the password • This introduces a vuln, which is… identical passwords produce identical hashes, so one precomputed table of hashes cracks every user at once, and duplicates are visible without cracking anything

  11. NaCl • We add a salt to each password and store it in the clear beside the hash • Historically (Unix crypt) it was derived from the process ID and the time; today it should come from a cryptographic random generator • When the password is hashed, the salt is added before the hashing, so two users with the same password get different hashes and the attacker must start over for each account • A salt fixes the precomputation problem but not the speed problem: use a deliberately slow function (bcrypt, scrypt, Argon2, PBKDF2) rather than a bare SHA-256
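As an added example (not from the lecture slides), the following Python script makes the point of slides 6 through 11 concrete: a bare hash leaks which users share a password and falls to one precomputed table, while a random per-user salt plus a slow KDF (scrypt from the standard library here) forces the attacker to pay the full cost for every account and every guess. The accounts, passwords and the "probable password" wordlist are constructed for the demonstration.

```python
"""Unsalted hash versus salt + slow KDF, with a dictionary attack on each.
Users, passwords and the wordlist below are constructed sample data."""
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob happened to pick the same password.
USERS = {"alice": "Flatech", "bob": "Flatech", "carol": "8*fgHi@d"}

# Constructed attacker wordlist of probable passwords (cf. slide 8).
WORDLIST = ["password", "123456", "Flatech", "letmein"]

# scrypt cost; small enough to run quickly here, raise it in production.
SCRYPT_N = 2 ** 13


def unsalted_store(password):
    """Weak scheme: a single fast hash of the password and nothing else."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_store(password, salt=None):
    """Return (salt, digest). Salt comes from the OS CSPRNG, not PID + time;
    scrypt makes every guess cost real CPU and memory."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=8, p=1)
    return salt, digest


def salted_verify(password, salt, digest):
    """Recompute with the stored salt; compare in constant time."""
    _, candidate = salted_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def duplicate_unsalted(db):
    """Users whose stored hash equals another user's. With no salt this is
    visible by inspection, before a single guess is made."""
    seen, dupes = {}, set()
    for user, h in db.items():
        if h in seen:
            dupes.update({user, seen[h]})
        seen[h] = user
    return dupes


def crack_unsalted(db, wordlist):
    """Dictionary attack with a table computed once for all users."""
    table = {unsalted_store(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db, wordlist):
    """Same attack on salted entries: no shared table is possible, so the
    KDF runs once per (user, word). Returns (hits, number of KDF calls)."""
    hits, work = {}, 0
    for user, (salt, digest) in db.items():
        for w in wordlist:
            work += 1
            if salted_verify(w, salt, digest):
                hits[user] = w
                break
    return hits, work


if __name__ == "__main__":
    weak_db = {u: unsalted_store(p) for u, p in USERS.items()}
    print("duplicates visible:", duplicate_unsalted(weak_db))
    print("unsalted cracked:", crack_unsalted(weak_db, WORDLIST))
    strong_db = {u: salted_store(p) for u, p in USERS.items()}
    print("salted cracked (hits, KDF calls):", crack_salted(strong_db, WORDLIST))
```

Note that the salt does not stop the attack on weak passwords: both schemes give up "Flatech". What changes is the cost model. Unsalted, the attacker hashes the wordlist once and matches it against every leaked database; salted with a slow KDF, the attacker pays per user and per guess, and a password that is not in the wordlist (carol's) costs the full wordlist with no hit.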

  12. Spearphishing • Of course, it’s much easier to just ask the user

  13. One Time Passwords • Each code is valid once, so a captured or shoulder-surfed code is useless afterwards • Pretty much a challenge response • The system “asks the user a question”, usually of the form “compute this function” over a shared secret and a challenge (a counter, the current time, or a nonce from the server)
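As an added example (not part of the lecture), this Python script implements the challenge-response view of one-time passwords using HOTP (RFC 4226): the server's "question" is a counter value, the token's answer is a truncated HMAC over it, and the server burns each counter once accepted so the same code cannot be replayed. The shared secret is the RFC 4226 test-vector key; the `Server`/`Token` classes and the look-ahead window size are this example's own choices.

```python
"""HOTP (RFC 4226) as a challenge-response one-time password exchange.
SECRET is the RFC 4226 test-vector key; Server and Token are example classes."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # ASCII key from the RFC 4226 test vectors


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then reduce to `digits` decimal digits (RFC 4226, sec. 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class Server:
    """Verifier: remembers the next counter it expects. Accepts a code for any
    of the next `window` counters (the token may have been pressed without a
    login) and then moves past it, so every counter is usable only once."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.next_counter = 0
        self.window = window

    def challenge(self):
        """The 'question': which counter value to compute the function over."""
        return self.next_counter

    def verify(self, response):
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), response):
                self.next_counter = c + 1   # burn this counter and any skipped ones
                return True
        return False


class Token:
    """Claimant: shares the secret and keeps its own counter."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def respond(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def run_exchange():
    """One login, one replay attempt, one login after the token drifted ahead.
    Returns the three verdicts (expected: True, False, True)."""
    server, token = Server(SECRET), Token(SECRET)
    first = token.respond()
    ok_first = server.verify(first)          # fresh code: accepted
    ok_replay = server.verify(first)         # same code again: rejected
    token.respond(); token.respond()         # two presses with no login
    ok_drift = server.verify(token.respond())  # counter 3, inside the window
    return ok_first, ok_replay, ok_drift


if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])   # RFC 4226 vectors start 755224, 287082, 359152
    print(run_exchange())
```

The look-ahead window is the practical compromise for counter-based tokens: too small and a few stray button presses lock the user out, too large and an attacker who captures one code gains more counters to try. TOTP differs only in replacing the counter with the current time divided into 30-second steps.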

  14. Biometrics • Some type of biological property • Here, though, we have to think about false positives (an impostor is accepted) and false negatives (the real user is rejected); tightening the match threshold trades one for the other • Identification versus authentication • “This is Pinkie Pie” (identification: who is this, out of everyone enrolled?) • I am Pinkie Pie, and I present this hoof to prove it (authentication: does this sample match the one claimed identity?)

  15. Challenges • Cost • Privacy issues • Inexact matching • Single point of failure • Revocation (ouch!!!): a password can be changed, but a leaked fingerprint template cannot be reissued

  16. The Web • How does authentication work on the web?

  17. Assignment • This is deliberately vague… • “Compare Windows and Linux security more broadly. Which is ‘more secure’ and why? Justify your position.”

  18. Questions?
