240 likes | 258 Vues
COEN 350: Network Security. Authentication. Authentication. Between human and machine Between machine and machine. Human Machine Authentication. Authentication protocols are based on What you know. E.g. password, pass-phrase, (secret key, private key). What you have.
E N D
COEN 350: Network Security Authentication
Authentication • Between human and machine • Between machine and machine
Human Machine Authentication • Authentication protocols are based on • What you know. • E.g. password, pass-phrase, (secret key, private key). • What you have. • Physical key, smart card. • What you are. • Biometrics. • Where you are. • E.g. trusted machine, access to room, …
Authentication • Passwords • Predate computers. • As do some attacks (stealing, guessing) • Older cell phone technology transmits originating number with a password. • Password good, call goes through. • Eavesdropper receives phone number – password combination. • Eavesdropper can now clone the phone.
Authentication • Password Attacks • Guessing • On-line • Time consuming. • Authentication attempts are usually logged. • Can detect attack long before it is likely to succeed. • Can disrupt the attack. • Off-line • Attacker needs to steal relevant data from which password(s) can be determined. • Attacker can use arbitrary amount of computing power. • Capturing Passwords • Eavesdropping • Login Trojan Horse
Authentication • Passwords are stored • On each server Alice uses. • Centrally: Authentication Storage Node: • Each server retrieves the information when it wants to authenticate Alice. • Centrally: Authentication Facilitator Node: • Each server takes Alice’s data and password and goes to the AFN.
Authentication • Password can be stored • Unencrypted • Simple • Dangerous • Implicitly as hashes of passwords • As in UNIX, VMS • Encrypted • Hashed and Encrypted
Authentication • Example: Network Information Service • (Yellow Pages) • Directory service is the authentication storage node. • Stores hashed passwords of users. • Typically, hashed passwords list is world readable • Access by claiming to be a server. • NIS authentication storage node does not authenticate itself to users. • Allows impersonation of authentication service.
Authentication • Passwords for machine – machine communication can be made difficult to guess. • Arbitrary length • Truly random choice of characters. • Human-machine passwords • Guessable • Subject to dictionary attack.
Authentication • Dictionary attack • Most passwords are natural language words. • Or derived from natural language words. • Guess the language. • Use a dictionary to try out all words in the language. • Start with common passwords first. • Replace a single character in a word, attach a random character, etc.
Authentication • Brute-Force Attack • Generate all possible password. • Sometimes make assumptions on the alphabet • only printable character • characters on a key-board
Authentication • Salting • Protects hashed passwords against an offline attack. • Brute Force attack attacks all passwords in password file simultaneously.
Authentication • Salting • Store a salt with each password • Hash depends on salt and password. • Use different salts for different passwords. • Store salt with password.
Authentication • Salting • Brute force attack, dictionary attack can only attack a single password.
Authentication • Passwords are compromised: • By obtaining password file. • Safeguard by • Hashing and Salting • Encryption • By eavesdropping on an exchange • Use one-way passwords: • Lamport Hash
Authentication • Address Based • Common in early UNIX • Rtools: • .rhosts • In user home directory • (Computer, Account) pairs • These pairs are allowed access to the user’s account • /etc/hosts.equiv • List of network addresses of “equivalent” machines • Account name on A is equivalent to account name on B. • Users have to have identical account names.
Authentication • Addressed based authentication threatened by • Access escalation • Attacker gains access to one hosts. • Access cascades to equivalent hosts / rhosts. • Spoofing addresses • Very easy to spoof source address. • Harder to intercept traffic back.
Authentication • Ethernet network address impersonation • Easy on the same link. • Hubs do not protect. • Switches can be spoofed through the ARP protocol. • Routers are harder to fool, but can be attacked and provided with misleading routing data.
Authentication • Cryptographic authentication • Alice proves her identity to Bob by proving to Bob that she knows a secret. • Hashes • Secret key cryptography • Public key cryptography.
Human Machine Authentication • Initial password distribution to humans • Pre-expired, strong passwords • Through mail • Derivable from common knowledge • Student ID
Human Machine Authentication • Authentication Token • Possession of the token proves right to access. • Magnetic stripe as on credit cards. • Harder to reproduce • “Impossible” to guess • Demand special hardware • Can be lost or stolen • Add pin or password protection • Are not safe against communication eavesdropping and forging
Human Machine Authentication • Authentication Token • Smart Card. • Needs to be inserted in a smart card reader. • Card authenticates to the smart card reader. • PIN protected smart cards. • Stops working after a number of false PINs. • Cryptographic challenge / response cards • Card contains a cryptographic key. • Authenticating computer issues a challenge. • Card solves the challenge after PIN is entered. • Harder to crack than PIN protected smart cards because key is never revealed.
Human Machine Authentication • Authentication Token • Smart Card. • Readerless smart card (Cryptographic calculator) • Communicates with owner through mini-keyboard and display. • Authenticating computer issues a challenge to Alice. • Alice types in challenge into readerless smart card. • Readerless smart card solves the challenge. • After Alice puts in her password. • Alice transfers the answer to the computer.
Human Machine Authentication • Biometrics • Retinal scanner • Fingerprint reader • Face recognition • Iris scanner • Handprint readers • Voiceprints • Keystroke timing • Signatures