Authentication

Presentation Transcript


  1. Authentication CS 772 Fall 2011

  2. Overview of Authentication Methods
  • Process of reliably verifying the identity of someone (or something)
  • Password-based authentication: eavesdropping is a problem
  • Not scalable

  3. Password-based authentication
  • Off-line vs. on-line password guessing
  • Dictionary attacks
  • On-line attacks
  • Storing user passwords:
    • Alice and the server store the passwords independently
    • Authentication storage node: stores Alice’s info, and a server can retrieve it when needed
    • Authentication facilitator: stores Alice’s info; a server passes the info Alice supplied to the facilitator, which authenticates her and returns a yes/no result
    • Store unencrypted hashes of the passwords (Unix): password guessing attacks possible
    • Store encrypted passwords: where to store the system key used to encrypt them?

  4. Address-based authentication
  • Based on the network address from which packets arrive
  • UNIX: /etc/hosts.equiv file, e.g.
    cash:/etc>more hosts.equiv
    +@odu-net
  • .rhosts file: <computer, account> pairs which are allowed access to the user’s account

  5. Network Address Impersonation
  • Easy to transmit a packet with any address as the source address, either at the network layer or at the datalink layer
  • IP Spoofing: An Introduction
  • What is IP spoofing: In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by “spoofing” the IP address of that machine.

  6. Authentication of People
  • Important capabilities for good authentication: (i) ability to store a high-quality cryptographic key, (ii) ability to perform cryptographic operations
  • A computer has both of these; a human being has neither
  • Techniques: what you know, what you have, what you are (biometrics, voice recognition)

  7. On-line password guessing: poor password choice, limit the number of guesses, lock an account after a few incorrect guesses, slow down the user with each incorrect guess, report the last login time
  • Off-line password guessing: through eavesdropping or reading a database, the hash of a password may be obtained; the attacker can then attempt to guess the password. Using a salt (store user ID, salt value, hash(salt | password of user)) means an intruder needs to do more work
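The storage format and the on-line guessing controls from slide 7, as an added example that is not part of the slides. It uses only the Python standard library; `PasswordStore`, its return strings and the constants are assumptions for illustration, and the caller supplies the clock (`now`) so the throttle can be tested without sleeping.

```python
# Added example (not from the slides): salted password storage plus the
# on-line guessing controls the slide lists, standard library only.
import hashlib
import hmac
import secrets

MAX_FAILURES = 5         # lock the account after this many incorrect guesses
BASE_DELAY = 1.0         # seconds of delay after the 1st bad guess, doubling each time
PBKDF2_ROUNDS = 100_000  # iterated hash: each off-line guess costs as much as a login

def _hash(salt: bytes, password: str) -> bytes:
    # hash(salt | password); PBKDF2 iterates it so dictionary attacks are slow
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

_DUMMY_SALT = secrets.token_bytes(16)  # hashed for unknown users so timing matches

class PasswordStore:
    """Holds (user id, salt, hash(salt | password)) and per-user failure state."""
    def __init__(self):
        self._users = {}

    def enroll(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # per-user salt defeats precomputed tables
        self._users[user_id] = {"salt": salt, "hash": _hash(salt, password),
                                "failures": 0, "not_before": 0.0, "last_login": None}

    def verify(self, user_id: str, password: str, now: float) -> str:
        """Returns 'ok', 'locked', 'throttled' or 'bad'; `now` is a Unix timestamp."""
        rec = self._users.get(user_id)
        if rec is None:
            _hash(_DUMMY_SALT, password)   # same work as for a real user: no enumeration by timing
            return "bad"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"                # lock the account after a few incorrect guesses
        if now < rec["not_before"]:
            return "throttled"             # slow down the user after each incorrect guess
        if hmac.compare_digest(rec["hash"], _hash(rec["salt"], password)):
            rec["failures"] = 0
            rec["last_login"] = now        # reported at login so the user can spot misuse
            return "ok"
        rec["failures"] += 1
        rec["not_before"] = now + BASE_DELAY * 2 ** (rec["failures"] - 1)
        return "bad"

    def last_login(self, user_id: str):
        return self._users[user_id]["last_login"]
```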

  8. How big should a secret be? General rule of thumb: a secret needs to be about 64 bits (or 20 decimal digits) of randomness
  • Login Trojan horse to capture passwords: logs name and password to a file
  • Authentication token: smart card and Java card

  9. Smart card technology and security
  • Biometrics

  10. IP Spoofing
  • IP header: has source IP address and destination IP address
  • TCP header: has source port number and destination port number; sequence and acknowledgment numbers
  • By manipulating the source address in the IP header, the destination can be fooled (impersonation)
  • Sequence number prediction can lead to session hijacking

  11. Spoofing attacks
  • Non-blind spoofing: the attacker is on the same subnet as the victim, so the sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately.
  • Session hijacking: accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken to build the connection.

  12. Man-in-the-middle attack: spoofing is an example of this
  • Denial of Service attack (DoS): flood the victim with as many packets as possible in a short amount of time. To prolong the effectiveness of the attack, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts participate in the attack, all sending spoofed traffic, it is very challenging to block the traffic quickly.

  13. Defense against spoofing:
  • Filtering at the router: implement an ACL (access control list) that blocks private IP addresses on your downstream interface. Additionally, this interface should not accept addresses with your internal range as the source, as this is a common spoofing technique used to circumvent firewalls. On the upstream interface, you should restrict source addresses outside of your valid range.
  • Encryption and authentication: both of these features are included in IPv6, which will eliminate current spoofing threats. Additionally, you should eliminate all host-based authentication measures, which are sometimes common for machines on the same subnet. Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel.
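The router ACL from slide 13 modelled as a packet filter, as an added example that is not part of the slides. It assumes the downstream interface receives traffic from the Internet and the upstream interface sends traffic out; `INTERNAL_RANGE`, the function names and the sample traffic are constructed for illustration.

```python
# Added example (not from the slides): ingress/egress anti-spoofing ACL
# modelled with the standard library's ipaddress module.
from ipaddress import ip_address, ip_network

# Constructed sample: the site's own valid public range (assumption)
INTERNAL_RANGE = ip_network("203.0.113.0/24")

# RFC 1918 private ranges plus loopback: never valid as a source from the Internet
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def ingress_permits(src: str) -> bool:
    """Downstream (Internet-facing) interface: is this source address acceptable?"""
    addr = ip_address(src)
    if any(addr in net for net in PRIVATE_RANGES):
        return False          # private address cannot legitimately arrive from outside
    if addr in INTERNAL_RANGE:
        return False          # outside packet claiming our own range: classic spoof
    return True

def egress_permits(src: str) -> bool:
    """Upstream interface: only our own range may leave the network."""
    return ip_address(src) in INTERNAL_RANGE

def filter_log(lines):
    """Apply the ACL to constructed records 'iface src dst' and return verdicts."""
    verdicts = []
    for line in lines:
        iface, src, dst = line.split()
        ok = ingress_permits(src) if iface == "downstream" else egress_permits(src)
        verdicts.append((iface, src, "permit" if ok else "deny"))
    return verdicts

# Constructed sample traffic (documentation ranges, not real hosts)
SAMPLE = [
    "downstream 198.51.100.7 203.0.113.10",   # ordinary inbound packet
    "downstream 10.1.2.3 203.0.113.10",       # private source arriving from the Internet
    "downstream 203.0.113.5 203.0.113.10",    # outsider claiming to be inside
    "upstream 203.0.113.22 198.51.100.7",     # legitimate outbound packet
    "upstream 192.0.2.9 198.51.100.7",        # inside host with a foreign source address
]

if __name__ == "__main__":
    for iface, src, verdict in filter_log(SAMPLE):
        print(f"{iface:10} {src:16} {verdict}")
```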

  14. Cryptographic authentication: Alice proves her identity to Bob by performing a cryptographic operation on a quantity Bob supplies.
  • Who is being authenticated? A user or a machine? A user can remember a short meaningful password; a machine can remember long passwords.
  • Passwords can be used to acquire a cryptographic key: (i) by hashing the password, (ii) by using the password to decrypt a higher-quality key, such as an RSA private key, stored in a database

  15. Eavesdropping and server database reading
  • Alice knows her own private key; Bob knows Alice’s public key. Even if an intruder gets into Bob’s database, no damage is possible
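The challenge-response exchange of slide 14, with the key obtained by hashing the password (option (i)), as an added example that is not part of the slides. It uses a shared key with HMAC from the standard library; the public-key variant of slide 15 would need an RSA or ECDSA library and is not shown. `Bob`, `alice_login` and `replay_attempt` are names chosen for illustration.

```python
# Added example (not from the slides): challenge-response authentication with
# a password-derived key, standard library only.
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000

def derive_key(password: str, salt: bytes) -> bytes:
    # Slide 14 (i): a cryptographic key obtained by hashing the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def respond(key: bytes, challenge: bytes) -> bytes:
    # Alice's cryptographic operation on the quantity Bob supplied
    return hmac.new(key, challenge, "sha256").digest()

class Bob:
    """Verifier. Stores Alice's salt and derived key, never her password."""
    def __init__(self):
        self._keys = {}
        self._pending = {}              # user -> outstanding challenge

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._keys[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        salt, _ = self._keys[user]
        c = secrets.token_bytes(32)     # fresh 256-bit nonce: an old response never matches
        self._pending[user] = c
        return salt, c                  # salt is public; only the key is secret

    def check(self, user: str, response: bytes) -> bool:
        c = self._pending.pop(user, None)   # single use
        if c is None:
            return False
        return hmac.compare_digest(respond(self._keys[user][1], c), response)

def alice_login(bob: Bob, user: str, password: str) -> bool:
    """Alice's side: she re-derives the key from her password and answers."""
    salt, c = bob.challenge(user)
    return bob.check(user, respond(derive_key(password, salt), c))

def replay_attempt(bob: Bob, user: str, captured: bytes) -> bool:
    """What an eavesdropper gains from a captured (challenge, response) pair: nothing."""
    bob.challenge(user)                 # Bob issues a new challenge...
    return bob.check(user, captured)    # ...so the old response is rejected
```

The eavesdropper sees the salt, the challenge and the response on the wire, but none of these reveals the key, and every login uses a new challenge.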