This document outlines essential readings and resources on identification and authentication for cybersecurity professionals. Key topics include the NIST Handbook on Computer Security, methods of authentication (passwords, biometrics, and smart cards), and the vulnerabilities associated with these methods. It emphasizes strong authentication requirements, password management policies, and the protection against common attacks such as social engineering. The guide highlights both theoretical and practical aspects of maintaining secure identification protocols and offers insights into modern tools for enhancing authentication processes.
Required reading list: • An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 16, IDENTIFICATION AND AUTHENTICATION, pages 180-192 • Recommended: • Biometrics, from Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Biometrics • John the Ripper password cracker http://www.openwall.com/john/ • Brutus the remote password cracker http://www.hoobie.net/brutus/
Identification • Something you know • Something you own • Who you are • What you are • Where you are
Identification • Allows an entity (a user or a system) to prove its identity to another entity (the verifier) • Typically, the entity being identified demonstrates knowledge of some secret S to the verifier • Strong authentication: the entity proves knowledge of S to the verifier without revealing S itself, so neither an eavesdropper nor the verifier learns anything that lets them impersonate the entity later
Identification Information Must be securely maintained by the system.
Authentication • Authentication mechanism: verifies the identification information • Access control mechanism: grant privileges upon successful authentication • Logging: record security relevant events in an audit trail
Authentication Requirements • Network must ensure • Data exchange is established with the addressed peer entity, not with an entity that masquerades as it or replays previous messages (peer-entity authentication) • Network must ensure that the source of each data item is the one claimed (data-origin authentication)
Passwords • Commonly used method • For each user, the system stores (user name, F(password)) in a password file, where F is some transformation (e.g., a one-way hash) • F(password) is easy to compute • From F(password), the password is difficult to compute • The password itself is not stored in the system • When the user enters the password, the system computes F(password); a match with the stored value provides proof of identity • In practice F must also be salted (a per-user random value mixed in) and deliberately slow; otherwise an attacker who obtains the password file can recover weak passwords simply by hashing guesses
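As an added example (not code from the slides or the NIST Handbook), the password file described above in working form: one (user name, F(password)) record per user, with F realised as PBKDF2-HMAC-SHA256 over a per-user random salt. The function and variable names, the iteration count and the sample users are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Added example: a password file in the form the slides describe, one
# (user name, F(password)) record per user. F is PBKDF2-HMAC-SHA256 with a
# per-user random salt (stored beside the hash; the salt is not secret) and a
# deliberately high iteration count, so F(password) is cheap to compute once
# at login but expensive to compute for millions of guesses. Names and the
# iteration count are illustrative choices, not taken from the slides.
ITERATIONS = 100_000


def F(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way transformation of the password: easy forward, hard to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password_file: dict, user: str, password: str) -> None:
    """Store (salt, iterations, F(password)); the password itself is discarded."""
    salt = os.urandom(16)
    password_file[user] = (salt, ITERATIONS, F(password, salt, ITERATIONS))


def login(password_file: dict, user: str, password: str) -> bool:
    """Recompute F over the submitted password and compare with the stored value."""
    record = password_file.get(user)
    if record is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which user names exist.
        F(password, b"\x00" * 16, ITERATIONS)
        return False
    salt, iterations, stored = record
    # Constant-time comparison: a byte-by-byte early exit would leak how many
    # leading bytes of the guess were right.
    return hmac.compare_digest(F(password, salt, iterations), stored)


def stored_values_differ(password_file: dict, user_a: str, user_b: str) -> bool:
    """Because of the salt, two users with the same password have different records."""
    return password_file[user_a][2] != password_file[user_b][2]


if __name__ == "__main__":
    pw_file = {}
    enroll(pw_file, "alice", "correct horse battery staple")
    enroll(pw_file, "bob", "correct horse battery staple")   # same password as alice
    print(login(pw_file, "alice", "correct horse battery staple"))  # True
    print(login(pw_file, "alice", "Correct horse battery staple"))  # False
    print(login(pw_file, "carol", "anything"))                      # False: no such user
    print(stored_values_differ(pw_file, "alice", "bob"))            # True
```

Two points the slide's bullets do not make explicit are visible here: the salt means identical passwords do not produce identical file entries (so one cracked entry does not give away every user who chose the same word), and the comparison is done in constant time.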
Vulnerabilities of Passwords • Inherent vulnerabilities • Easy to guess or snoop • No control over sharing • Practical vulnerabilities • Visible on the wire if sent unencrypted in distributed and network environments • Susceptible to replay attacks if encrypted naively (the captured ciphertext can simply be resent) • Password advantage • A compromised password is easy to change
Attacks on Passwords • Guessing attack / dictionary attack • Social engineering • Sniffing • Trojan login (a fake login program that records the password) • Van Eck sniffing (recovering the password from electromagnetic emanations of the display or keyboard)
Social Engineering • The attacker asks for the password while masquerading as somebody else (for example an administrator or help-desk operator; not necessarily an authenticated user) • May be difficult to detect • Protection against social engineering: a strict security policy and user education
Password Management Policy • Educate users to make better choices • Define rules for good password selection and ask users to follow them • Ask or force users to change their passwords periodically • Actively attempt to break users' passwords and force users to change the ones that break • Screen password choices at the time they are set
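The two active items of the policy, screening a new choice and auditing the stored file with the same guessing attack a cracker such as John the Ripper would run, as an added example that is not code from the slides. The word list, mangling rules, salt, sample users and the low iteration count are constructed for the demo; a real cracker uses word lists of millions of entries and the real F would be far slower.

```python
import hashlib

# Added example, not from the slides. Screens a proposed password against a
# dictionary plus common mangling rules, and runs the same guesses offline
# against a stored password file so the administrator finds weak choices
# before an attacker does. Word list and rules are a constructed toy set.
WORDLIST = ["password", "letmein", "dragon", "summer", "welcome"]
ITERATIONS = 1_000  # deliberately low so the audit below finishes in seconds


def F(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted one-way transformation stored instead of the password (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def candidates(wordlist):
    """Dictionary words plus the mangling rules users typically apply."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            yield base + "!"
            yield base.replace("a", "@").replace("o", "0").replace("e", "3")
            for n in range(100):                 # "summer7", "Summer07", ...
                yield f"{base}{n}"
                yield f"{base}{n:02d}"
            for year in range(2000, 2030):       # "password2024"
                yield f"{base}{year}"
        yield word[::-1]


def screen(password: str, wordlist, min_length: int = 12):
    """Screen a proposed password at enrollment; returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    lowered = password.lower()
    for guess in candidates(wordlist):
        if lowered == guess.lower():
            return False, "derived from a dictionary word"
    return True, "accepted"


def audit(password_file: dict, wordlist) -> dict:
    """Offline guessing attack on the stored F(password) values.

    Every user this cracks has a password an attacker holding the file would
    crack just as easily and must be forced to change it.
    """
    cracked = {}
    for user, (salt, iterations, stored) in password_file.items():
        for guess in candidates(wordlist):
            if F(guess, salt, iterations) == stored:
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    salt = b"\x01" * 16   # fixed salt only so the demo is reproducible
    pw_file = {
        "alice": (salt, ITERATIONS, F("Summer07", salt)),
        "bob":   (salt, ITERATIONS, F("dr@g0n", salt)),
        "carol": (salt, ITERATIONS, F("correct horse battery staple", salt)),
    }
    print(screen("Summer07", WORDLIST))                      # (False, 'shorter than 12 characters')
    print(screen("Password2024", WORDLIST))                  # (False, 'derived from a dictionary word')
    print(screen("correct horse battery staple", WORDLIST))  # (True, 'accepted')
    print(audit(pw_file, WORDLIST))                          # {'alice': 'Summer07', 'bob': 'dr@g0n'}
```

Note that the audit cracks alice and bob although their passwords are salted and hashed: a slow F only raises the attacker's cost per guess, it does not rescue a choice that sits a few thousand guesses into the dictionary. That is why the policy screens choices as well as hashing them.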
One-time Password Use the password exactly once!
Time Synchronized • There is a hand-held authenticator • It contains an internal clock, a secret key, and a display • Display outputs a function of the current time and the key • It changes about once per minute • User supplies the user id and the display value • Host uses the secret key, the function and its clock to calculate the expected output • Login is valid if the values match
Time Synchronized (diagram): Secret key + Time → Encryption → One-Time Password
Challenge Response • Non-repeating challenges from the host are used • The device requires a keypad (the user keys the challenge into it) • Diagram: Workstation ↔ Network ↔ Host; the user ID goes to the host, the host returns a challenge, and the user sends back the response computed by the device
Challenge Response (diagram): Secret key + Challenge → Encryption → One-Time Password
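Both one-time-password schemes above (the time-synchronized token and the challenge-response device) built on one keyed function, as an added example that is not code from the slides. The "Encryption" box of the two diagrams is realised as HMAC-SHA1 truncated to six digits, the construction standardised in RFC 4226 (HOTP); the time-synchronized variant feeds it the current 60-second time step, the challenge-response variant feeds it a random challenge issued by the host. The class and function names, the period, the clock values and the use of the RFC 4226 test key are assumptions for the demo.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the slides: time-synchronized and challenge-response
# one-time passwords sharing one keyed function (HMAC-SHA1 with the dynamic
# truncation of RFC 4226). Period, digit count and sample values are demo
# assumptions. Both hosts hold the user's secret key, which is exactly the
# sensitive key database the next slide warns about.
PERIOD = 60        # the token display changes about once per minute
DIGITS = 6


def one_time_password(key: bytes, message: bytes, digits: int = DIGITS) -> str:
    """f(key, message): HMAC-SHA1, dynamic truncation, reduced to `digits` digits."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _counter_bytes(counter: int) -> bytes:
    """8-byte big-endian encoding of a counter or time step."""
    return struct.pack(">Q", counter)


# --- time-synchronized token --------------------------------------------

def token_display(key: bytes, now: int) -> str:
    """What the hand-held authenticator shows at Unix time `now`."""
    return one_time_password(key, _counter_bytes(now // PERIOD))


class TimeSyncHost:
    """Host side: recomputes the expected display value from its own clock."""

    def __init__(self, key: bytes, skew_steps: int = 1):
        self.key = key
        self.skew_steps = skew_steps   # tolerate this much clock drift
        self.last_step = -1            # newest time step already accepted

    def login(self, submitted: str, now: int) -> bool:
        step = now // PERIOD
        for candidate in range(step - self.skew_steps, step + self.skew_steps + 1):
            if candidate <= self.last_step:
                continue               # that minute's value was used: refuse replay
            expected = one_time_password(self.key, _counter_bytes(candidate))
            if hmac.compare_digest(expected, submitted):
                self.last_step = candidate
                return True
        return False


# --- challenge-response device ------------------------------------------

class ChallengeResponseHost:
    """Host side: issues a fresh, non-repeating challenge for each attempt."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(8)
        return self.outstanding

    def login(self, response: str) -> bool:
        if self.outstanding is None:
            return False
        expected = one_time_password(self.key, self.outstanding)
        self.outstanding = None        # a challenge is answered at most once
        return hmac.compare_digest(expected, response)


def device_response(key: bytes, challenge: bytes) -> str:
    """Device side: the user keys the challenge in and reads off the response."""
    return one_time_password(key, challenge)


if __name__ == "__main__":
    key = b"12345678901234567890"      # RFC 4226 test key, for illustration only
    host = TimeSyncHost(key)
    now = 1_700_000_000
    code = token_display(key, now)
    print(host.login(code, now))                               # True
    print(host.login(code, now + 5))                           # False: same minute, replayed
    print(host.login(token_display(key, now + 60), now + 70))  # True: next minute's value
    cr = ChallengeResponseHost(key)
    c = cr.challenge()
    r = device_response(key, c)
    print(cr.login(r))                                         # True
    print(cr.login(r))                                         # False: challenge already consumed
```

The two replay checks are what make these one-time passwords: the time-synchronized host remembers the newest time step it has accepted, and the challenge-response host discards a challenge as soon as it has been answered. Without them, a sniffed display value would still be good for the rest of the minute, which is the naive-encryption replay problem listed under the vulnerabilities of passwords.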
Devices with Personal Identification Number (PIN) • Devices are subject to theft, so some devices require a PIN (something the user knows) • The PIN is used by the device to authenticate the user; the device then authenticates to the host • Problems with challenge/response schemes • The host's key database is extremely sensitive: it holds every user's secret key, so whoever steals it can answer any challenge for any user • This can be avoided if public key algorithms are used, because the host then needs to store only public keys
Smart Cards • Portable devices with a CPU, I/O ports, and some nonvolatile memory • Can carry out computation required by public key algorithms and transmit directly to the host • Some use biometrics data about the user instead of the PIN
Biometrics • Fingerprint • Retina scan • Voice pattern • Signature • Typing style
Problems with Biometrics • Expensive • Retina scan (min. cost) about $2,200 • Voice (min. cost) about $1,500 • Signature (min. cost) about $1,000 • False readings (approximate error rates) • Retina scan 1 in 10,000,000+ • Signature 1 in 50 • Fingerprint 1 in 500 • Cannot be changed once compromised (unlike a password, a stolen fingerprint or retina template stays valid for the user's lifetime)
Next Class • Microsoft Windows support • for identification and authentication • Forgotten your Windows XP Home password? - Part 1: Introduction, http://support.microsoft.com/kb/894900 • Forgotten your Windows XP Home password? - Part 2: Using a password reset disk, http://support.microsoft.com/kb/894901/en-us • Forgotten your Windows XP Home password? - Part 3: Setting a new password as an administrator, http://support.microsoft.com/kb/894902/en-us