cs687 information systems security n.
Skip this Video
Loading SlideShow in 5 Seconds..
CS687 Information Systems Security PowerPoint Presentation
Download Presentation
CS687 Information Systems Security

play fullscreen
1 / 95

CS687 Information Systems Security

107 Views Download Presentation
Download Presentation

CS687 Information Systems Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CS687Information Systems Security Authentication By Solomon

  2. Text Book William Stallings & Lawrie Brown, “Computer Security: Principles and Practice”, Pearson, 2008 By Solomon

  3. References • Bruice Schneier, “Applied Cryptography – Protocols, Algorithms, […]”, Second Edition, Wiley Student Edition, 2006 • Stuart McClure et al, “Hacking Exposed”, McGraw Hill, 2009 By Solomon

  4. Topics in this chapter • Password based • Token based • Dongle • Biometric • Authentication protocol design • Real examples • Password cracking • Cryptographic authentication • Certificate Authority: X.509, VeriSign, Microsoft, peer to peer (see Phil Zimmeman – Cacert.org) • Single sign on • Kerberos, Sesame • Smart card • Certification • Mutual Authentication • Authentication in Windows and in UNIX By Solomon

  5. Entity An entity can be a human user, a machine, a server or a process in “whose” name an activity is performed and logged. By Solomon

  6. Identity A piece of information that describes an entity. That piece of information can be a name, a fingerprint, a voice signature, an iris image, etc or a combination. By Solomon

  7. AuthenticationIdentification The binding of an identity to an entity. By Solomon

  8. Authentication • What the entity knows (passwords or passphrases) • What the entity has (a badge or smartcard) • What the entity is (such as fingerprints or retinal characteristics) • How the entity behaves (key strokes) • [Where the entity is (such as in front of a particular terminal) – no matter who sits there!] By Solomon

  9. Authentication Process Enrolment Verification By Solomon

  10. Enrolment • The identity of the entity is established and stored in some kind of repository. • Password, fingerprint, retinal image, etc/some time damaged or change after long time • This stored information is critical from the security point of view and hence must be managed properly. • This information may need to be changed from time to time (password renewal). • It is usually the subject of strict control and policy (password policy: length, strength, etc) By Solomon

  11. Verification This is a process of establishing the identity of a person’s claimed identity from its previously enrolled information. By Solomon

  12. Authentication Types Simple password Challenge-response Token-based Biometric By Solomon

  13. Simple Password A shared secret string used to authenticate a user to a system or a service. What the entity knows. By Solomon

  14. Password Authentication Protocol (PAP – MS Windows) Password Authentication Protocol (PAP) is a simple authentication protocol in which the user name and password is sent to the (remote access) server in a plaintext form. By Solomon

  15. Attack against passwords • Dictionary • Brute-force • Compromise the authentication process (eg. The login program, su, and the like). • This attack is even more dangerous because it can not even be logged By Solomon

  16. Countering the Attacks • Back-off • Disconnection • Disabling • Jailing • Password policy By Solomon

  17. Back-off Technique • Increasingly delay the re-prompt (request) in direct proportion with the number of failed attempts. • Arithmetic progression • Geometric progression By Solomon

  18. Disconnection After some number of failed authentication attempts, the connection is broken and the user must re-establish it. By Solomon

  19. Disconnection … Any disconnection attempt in the Windows and UNIX environment ? By Solomon

  20. Disabling If n consecutive attempts to log in to an account fail, the account is disabled until a security manager can re-enable it. This alerts security personnel to an attempted attack. They can take appropriate action to counter the threat. By Solomon

  21. Jailing The unauthenticated user is given access to a limited part of the system and is made to believe that he or she has full access. The jail then records the attacker's actions. This technique is used to determine what the attacker wants or simply to waste the attacker's time. By Solomon

  22. Password Policy Provide and enforce enterprise wide password policy that regiments the selection, renewal and disposal of passwords. The policy may also dictate actions to be taken in case of attempts to crack passwords. By Solomon

  23. Simple Password Auth: Problems • Passwords are reusable and hence are exposed to different attacks as seen above (such as replay, dictionary, etc). • Not appropriate for network environments. The clear passwords could easily be sniffed while in transit. By Solomon

  24. Challenge Response Authentication Simple password authentication is a “simple” form of challenge-response whereby an entity is challenged to provide a previously shared password and the entity responds with same. But this challenge-response mechanism can be made more and more complex. A family of such authentication mechanisms are called Challenge Response Authentication. By Solomon

  25. CR: Improvements • Using one-time password • Using the shared secret differently rather than transmitting it over the network • etc By Solomon

  26. CR: Multiple passwords • The user registers a list of passwords in the system. • Whenever the user connects to the system, the user is prompted for the password number where upon the user chooses from his list and supplies it.//server send me ex. password number 5 By Solomon

  27. CR: Multiple passwords Do you see any drawbacks? By Solomon

  28. CAPTCHA Captcha is a means to determine whether a viewer of a Web application is a real person. The challenge sent to the viewer is a distorted image of some text, and the viewer responds by typing in that text. The distortion is designed to make automated optical character recognition (OCR) difficult and preventing a computer program from passing as human. By Solomon

  29. CR: The password as Encryption Key • System challenges the client by sending a randomly generated text (could be a number) • Client responds by returning the “text” encrypted with the shared secret key. • Take care of replay attacks. By Solomon

  30. CR: Digested Password • System challenges by sending a random text. • Client responds by returning a hashed value of the shared password and the random text. By Solomon

  31. CHAP in MS Windows In Challenge Handshake Authentication Protocol (CHAP), the remote access server sends a challenge to the remote client. The remote client computes a digest (using MD5) based on the challenge and the user's password. The server also computes its side of the text and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. By Solomon

  32. One-time Password (OTP) A One-time password is a password that expires as soon as it is used. By Solomon

  33. One-time Password (OTP) • OTP is a kind of challenge-response where a given password is used only once. • OTP is randomly generated and synchronized between the user and the system. By Solomon

  34. Generation and Synchronization • Using a mathematical algorithm to generate a new password based on the previous password. //change the first password based o the prevoius password • Counter-synchronized where the new password is based on a counting of the number of passwords already generated. • Time-synchronization between the clients and the system (per client).//each system same as client machin time sync By Solomon

  35. How the user generates the OTPs • Key generation tools that is synchronized with the server. • Special electronic tokens that the user carries and that generate OTPs. A good example is RSA SecureID token (dongle).//the dongle and server both of them generate the same password • Software that runs on the user's mobile phone. • Server generates them and then send it to the user using a pre-agreed out-of-band channel such as SMS messaging!! By Solomon

  36. Time and Counter Synchronization Counter and time-synchronized OTP are usually supported with special devices called tokens (see token-based authentication). By Solomon

  37. Time-synchronizedChallenge Problems caused by clock skew. That is, if the authentication server and the user’s “environment” don't keep the same time, then the expected OTP value won't be match. By Solomon

  38. Generation of OTPS/Key as Example • Let h be a one-way hash function (S/Key uses MD4 or MD5, depending on the version). • Then the user chooses an initial seed k, and the key generator calculates: • h(k) = k1, h(k1) = k2, ..., h(kn-1) = kn • The passwords are p1 = kn, p2 = kn-1, ..., pn-1 = k2, pn = k1//the user and system have the same sequency of password then //the can generate the same hash function • Both the user and the system could generate same sequence of passwords if they start from the same seed value k. By Solomon

  39. Synchronization of OTPSecure/Key as Example Both need to keep the initial seed value k and the last index they have used. The users and the server have the same password By Solomon

  40. Token Based Authentication This is a form of Challenge Response supported by tokens. By Solomon

  41. Token Tokens are portable computing device such as smartcards, USB tokens, USB thumb drives, SecureID, RFID tokens etc. By Solomon

  42. “Token” Technologies • Memory Cards: keeps information but cannot process information. • Smartcards: Keeps and process information. By Solomon

  43. Hardware Supported CRToken-based authentication • Provides mechanisms for hashing or enciphering information. With this type of device, the system sends a challenge. The user enters it into the device. The device returns the appropriate response. Some devices require the user to enter a personal identification number or password. • The RSA SecureID card uses a system based on time. In addition to the features described above, the password is invalidated once a login succeeds. By Solomon

  44. Smartcards • Smart cards are small, tamper-resistant devices providing users with convenient storage and processing capability. • Suitable for cryptographic implementations because they contain many security features that enable the protection of sensitive cryptographic data and provide for a secure processing environment. //use encrypt and hash also • Private keys can be made to be generated in a smartcard and can be processed without the need to ever leave the card. • A PIN is usually needed to access the smartcard. Or else a fingerprint of the owner maybe used to access the data. By Solomon

  45. Biometrics Biometrics are automated methods of identifying a person or verifying the identity of a person based on a physiological or behavioural characteristic.//oldest form authontication By Solomon

  46. Biometrics … • Fingerprint • Palm Scan • Hand Geometry • Iris • Retina • Facial Scan • Hand Topography • Voice Print // has tow part • Signature Dynamics • Keyboard Dynamics//system analysis tic tic By Solomon

  47. The Process Acquisition (at enrolment) Verification (at authentication) By Solomon

  48. Acquisition • This is the first contact of the user with the biometric system. • The user’s biometric sample is obtained using an input device. • Quality of the first biometric sample is crucial for further authentications. • Take care of the ‘fail to enrol’ (FTE) group first By Solomon

  49. Verification • The user’s biometric sample is taken. • It is compared with the previously stored biometric template of the user. By Solomon

  50. Requirements to biometrics • Universality: everyone should have it (what about the visually impaired, the “handicapped”, etc • Uniqueness: small probability that two persons are the same in terms of their biometrics • Permanence: invariance with the time • Collectability: can be measured quantitatively • Performance: Processing speed //example in Germany airways use irsh check it is vry fast to verify without showing pasport just use that • Acceptability: acceptance by people • Security: how easy to fool the system by fraudulent technique By Solomon