Đại học Quốc Gia TPHCM – Đại học Bách Khoa, Khoa Khoa học và Kỹ thuật Máy Tính (Vietnam National University Ho Chi Minh City – University of Technology, Faculty of Computer Science and Engineering)
Identification & Authentication techniques
Information System Security
• Members:
  • Huỳnh Lưu Triết 50702593
  • Nguyễn Hoàng Tùng 50702853
Outline
• AUTHENTICATION METHODS
  • Something you know
  • Something you have
  • Something you are
• AUTHENTICATION PROTOCOLS
  • Simple authentication protocols
  • Real-world security protocols
Authentication Methods
• Something you know: password
• Something you have: smartcard
• Something you are: fingerprint, iris scan
Definition
• Identification ~ Who is someone?
• Authentication ~ Is something genuine?
Authentication Methods
• Something you know
• Something you have
• Something you are
Passwords (1)
• Password
  • Group A: at least 6 characters
  • Group B: passphrases
  • Group C: 8 random characters
Passwords (2)
• Password verification
• Other password issues
Passwords (3)
• Password verification
  • Compare with the correct password
  • Password x: compute y = h(x) and store y; to verify z, compute h(z) and compare h(z) with y
  • Crack: Trudy has a "dictionary" h(x0), h(x1), …, h(xN-1) and compares each entry with y
  • Salt value s: compute y = h(x, s) and store (s, y); to verify z, take s from the stored (s, y), compute h(z, s) and compare it with y
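The scheme on this slide, as an added worked example that is not part of the original deck: register stores (s, y), verify recomputes h(z, s) from the stored salt, and a precomputed dictionary of unsalted hashes finds an unsalted y but not a salted one. The slide leaves h abstract; this example assumes PBKDF2-HMAC-SHA256 as the concrete h, and the word list is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed word list standing in for Trudy's "dictionary" x0, x1, ..., xN-1.
DICTIONARY = ["password", "letmein", "qwerty", "hunter2", "iloveyou"]


def h(x: str, s: bytes = b"") -> bytes:
    """The slide's h(x, s). The slides leave h abstract; this example uses
    PBKDF2-HMAC-SHA256 (an iterated, deliberately slow hash) as the concrete h.
    With the default s = b"" it plays the role of the unsalted h(x)."""
    return hashlib.pbkdf2_hmac("sha256", x.encode(), s, 50_000)


def register(x: str) -> Tuple[bytes, bytes]:
    """Store (s, y): a fresh random salt s and y = h(x, s)."""
    s = os.urandom(16)
    return s, h(x, s)


def verify(z: str, stored: Tuple[bytes, bytes]) -> bool:
    """Take s from the stored (s, y), compute h(z, s) and compare it with y.
    compare_digest avoids leaking the position of the first differing byte."""
    s, y = stored
    return hmac.compare_digest(h(z, s), y)


def precomputed_table() -> Dict[bytes, str]:
    """Trudy's dictionary of unsalted hashes h(x_i), computed once up front."""
    return {h(x): x for x in DICTIONARY}


def table_lookup(y: bytes, table: Optional[Dict[bytes, str]] = None) -> Optional[str]:
    """Look a stored y up in the precomputed table; None means no entry matched."""
    table = precomputed_table() if table is None else table
    return table.get(y)


if __name__ == "__main__":
    stored = register("hunter2")
    print("verify correct password:", verify("hunter2", stored))
    print("unsalted y found in table:", table_lookup(h("hunter2")))
    print("salted y found in table:", table_lookup(stored[1]))
```

Two registrations of the same password produce different y because each gets its own salt, which is exactly why the table built from h(x_i) alone stops matching: Trudy would have to rebuild it per salt.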
Passwords (4)
• Other password issues
  • Social engineering
  • Keystroke logging software and spyware
  • Number password
  • Cracking tools
Authentication Methods
• Something you know
• Something you have
• Something you are
Something you have
• Like a credit card; includes a small amount of memory and computing resources
Authentication Methods
• Something you know
• Something you have
• Something you are
BIOMETRICS (1)
• Types of errors
• Biometric examples
• Biometric error rates
• Biometric conclusions
BIOMETRICS (2)
• Types of errors
  • Fraud rate
  • Insult rate
BIOMETRICS (3)
• Types of errors
  • Fraud rate (figure: Alice)
BIOMETRICS (4)
• Types of errors
  • Insult rate (figure: Not Alice)
BIOMETRICS (5)
• Biometric examples
  • Fingerprints
    • Used in ancient China
    • 1798, J. C. Mayer: fingerprints may be unique
    • 1823, Purkinje: nine "fingerprint patterns"
    • 1883, Mark Twain, "Life on the Mississippi"
    • 1892, Sir Francis Galton: "minutia" systems
BIOMETRICS (6)
• Biometric examples
  • Fingerprints
BIOMETRICS (7)
• Biometric examples
  • Hand geometry
    • The width and length of the hand and fingers
    • Hand geometry is easy and quick to measure
BIOMETRICS (8)
• Biometric examples
  • Hand geometry
BIOMETRICS (9)
• Biometric examples
  • Iris scan
    • The best for authentication
    • 1936, Frank Burch suggested using it
    • 1980s, resurfaced in James Bond films
    • 1994, John Daugman, a researcher at Cambridge University, patented iris scan
    • A black-and-white photo of the eye is transformed into a 256-byte (2048-bit) "iris code"
BIOMETRICS (10)
• Biometric examples
  • Iris scan
    • Alice: x; stored iris scan: y
    • d(x, y) = non-matching bits / bits compared
    • d(x, y) is about 0.08 for the same eye and about 0.50 for different eyes
    • A match: d(x, y) <= 0.32
    • How to attack? Picture of Alice. How to prevent???
BIOMETRICS (11)
• Biometric examples
  • Iris scan
BIOMETRICS (12)
• Biometric error rates
  • Fraud rate = Insult rate
    • Fingerprints (5%)
    • Hand geometry (0.1%)
    • Iris scan (0.001%)
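The iris-code matching rule from BIOMETRICS (10) and the two error types behind the rates above, as an added example that is not from the deck: d(x, y) is computed as the fraction of differing bits of two 2048-bit codes, a match is declared at d <= 0.32, and fraud and insult counts are measured on constructed samples (a random unrelated code sits near d = 0.50; a "rescan" of the enrolled eye is simulated by flipping a chosen fraction of bits). The noise model and sample codes are assumptions for illustration.

```python
import random
from typing import Tuple

CODE_BITS = 2048        # the 256-byte (2048-bit) iris code from the slides
MATCH_THRESHOLD = 0.32  # slide rule: match if d(x, y) <= 0.32


def d(x: int, y: int, bits: int = CODE_BITS) -> float:
    """d(x, y) = non-matching bits / bits compared, with codes held as bits-wide ints."""
    mask = (1 << bits) - 1
    return bin((x ^ y) & mask).count("1") / bits


def is_match(x: int, y: int) -> bool:
    return d(x, y) <= MATCH_THRESHOLD


def random_code(seed: int) -> int:
    """Constructed stand-in for an unrelated person's iris code."""
    return random.Random(seed).getrandbits(CODE_BITS)


def rescan(code: int, noise: float, rng: random.Random, bits: int = CODE_BITS) -> int:
    """Constructed 'new scan of the same eye': flip a fraction `noise` of the bits."""
    for p in rng.sample(range(bits), int(noise * bits)):
        code ^= 1 << p
    return code


def error_rates(enrolled: int, same_eye_noise: float, trials: int, seed: int = 1) -> Tuple[float, float]:
    """(fraud_rate, insult_rate) measured on constructed samples:
    fraud  = an unrelated code (distance about 0.50) is accepted as `enrolled`,
    insult = a rescan of the enrolled eye (distance about same_eye_noise) is rejected."""
    rng = random.Random(seed)
    frauds = sum(is_match(rng.getrandbits(CODE_BITS), enrolled) for _ in range(trials))
    insults = sum(not is_match(rescan(enrolled, same_eye_noise, rng), enrolled) for _ in range(trials))
    return frauds / trials, insults / trials


if __name__ == "__main__":
    alice = random_code(0)
    print("d(same code):", d(alice, alice))
    print("d(unrelated):", round(d(alice, random_code(1)), 3))
    print("fraud, insult at 0.08 noise:", error_rates(alice, 0.08, 100))
    print("fraud, insult at 0.35 noise:", error_rates(alice, 0.35, 20))
```

With scan noise at the slide's 0.08 both rates are zero because the threshold 0.32 sits well between 0.08 and 0.50; pushing the noise past the threshold turns every genuine rescan into an insult, which is the trade-off the "Fraud rate = Insult rate" figures summarize.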
BIOMETRICS (13)
• Biometric conclusions
  • Difficult to attack
  • Expensive
SUMMARY
• Difficult to attack ~ Expensive
• Attack:
  • Biometrics < Smartcard < Password
• Cost:
  • Password < Smartcard < Biometrics
AUTHENTICATION PROTOCOLS
• SIMPLE AUTHENTICATION PROTOCOLS
• REAL-WORLD SECURITY PROTOCOLS
SIMPLE AUTHENTICATION PROTOCOLS
• Introduction
• Simple Security Protocols
• Authentication Protocols
• Authentication Using Symmetric Keys
• Session Keys
• Timestamps
SIMPLE AUTHENTICATION PROTOCOLS
1. Introduction
• What is a protocol?
• What is a security protocol?
• Differences between an authentication method and an authentication protocol
• A seemingly innocuous change can make a significant difference in a protocol
• A security protocol must meet the specified security requirements
SIMPLE AUTHENTICATION PROTOCOLS
2. Simple Security Protocols
• Entering a secure facility, such as the National Security Agency
• Withdrawing money from an ATM machine
• Identify Friend or Foe, or IFF
SIMPLE AUTHENTICATION PROTOCOLS
• Identify Friend or Foe, or IFF
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocols
• Efficient?
• Trudy can later replay the messages
• Alice's password is sent in the clear
• Bob must know Alice's password
SIMPLE AUTHENTICATION PROTOCOLS
How to solve?
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocols
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Authentication Using Symmetric Keys
  • Encrypting plaintext P with key K to obtain ciphertext C: C = E(P, K)
  • Decrypting ciphertext C with key K to recover the plaintext P: P = D(C, K)
  • Alice and Bob share a symmetric key K_AB
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Authentication Using Symmetric Keys
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Authentication Using Symmetric Keys
  • Is subject to a man-in-the-middle attack
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Authentication Using Symmetric Keys
  • Man in the Middle
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Authentication Using Symmetric Keys
  • Conclusion:
    • A one-way authentication protocol may not be secure for mutual authentication
    • Protocols and attacks on protocols can be subtle
    • "Obvious" changes to protocols can raise serious security issues
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Authentication Using Symmetric Keys
  • Lesson:
    • Don't have the two sides do exactly the same thing
    • Small changes to a protocol can result in big changes in security
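The lesson above, as an added example that is not part of the deck: two nonce-based mutual protocols over a shared key K_AB, one where both sides answer a challenge R with the same E(R, K_AB), and one where the answer also names the responder, E(R, "Bob", K_AB) versus E(R, "Alice", K_AB). A verifier for the first accepts Bob's own answer to his own challenge when it is handed back to him through a second session (the man-in-the-middle case on the earlier slide); a verifier for the second does not. The slides use symmetric encryption E; this example swaps in HMAC-SHA256 as the keyed function, which is an assumption of the example, not the deck's construction.

```python
import hashlib
import hmac
import os
from typing import Callable

Respond = Callable[[bytes, bytes, bytes], bytes]
Verify = Callable[[bytes, bytes, bytes, bytes], bool]


def mac(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for E(..., K_AB): HMAC-SHA256 over length-prefixed parts, so that
    (R, "Bob") and a single field R || "Bob" cannot be confused. Assumed here in
    place of the slides' encryption function."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


# Variant 1: the "obvious" mutual protocol. Both sides answer a nonce R with
# E(R, K_AB); the responder's name is ignored, so both sides do exactly the same thing.
def naive_response(key: bytes, nonce: bytes, responder: bytes) -> bytes:
    return mac(key, nonce)


def naive_verify(key: bytes, nonce: bytes, expected_responder: bytes, resp: bytes) -> bool:
    return hmac.compare_digest(mac(key, nonce), resp)


# Variant 2: the answer names the responder, E(R, "Bob", K_AB) versus
# E(R, "Alice", K_AB), so an answer produced in one role is useless in the other.
def bound_response(key: bytes, nonce: bytes, responder: bytes) -> bytes:
    return mac(key, nonce, responder)


def bound_verify(key: bytes, nonce: bytes, expected_responder: bytes, resp: bytes) -> bool:
    return hmac.compare_digest(mac(key, nonce, expected_responder), resp)


def honest_run(respond: Respond, verify: Verify, key: bytes) -> bool:
    """Alice challenges Bob with R_A, Bob challenges Alice with R_B; both sides check."""
    r_a, r_b = os.urandom(16), os.urandom(16)
    bob_accepts_alice = verify(key, r_b, b"Alice", respond(key, r_b, b"Alice"))
    alice_accepts_bob = verify(key, r_a, b"Bob", respond(key, r_a, b"Bob"))
    return bob_accepts_alice and alice_accepts_bob


def reflection_accepted(respond: Respond, verify: Verify, key: bytes) -> bool:
    """The man-in-the-middle case from the slides: Bob's challenge R_B is presented
    back to Bob in a second session, and Bob's own answer to it is then shown to Bob
    as 'Alice's' answer in the first session. True means Bob's verifier accepts it."""
    r_b = os.urandom(16)
    bobs_own_answer = respond(key, r_b, b"Bob")
    return verify(key, r_b, b"Alice", bobs_own_answer)


if __name__ == "__main__":
    k = os.urandom(32)  # constructed shared key K_AB
    print("naive honest run:", honest_run(naive_response, naive_verify, k))
    print("naive accepts reflected answer:", reflection_accepted(naive_response, naive_verify, k))
    print("bound honest run:", honest_run(bound_response, bound_verify, k))
    print("bound accepts reflected answer:", reflection_accepted(bound_response, bound_verify, k))
```

The only difference between the two variants is one extra field inside the keyed function, which is the "small change, big difference in security" point of the slide: the verifier in variant 2 is checking not just that someone holding K_AB answered R_B, but that it was answered in Alice's role.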
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Session Keys
  • Encrypt data within each connection
  • Limits the data encrypted with one particular key
  • Limits the damage if one session key is compromised
  • Used for confidentiality or integrity protection
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Session Keys
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Session Keys
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Session Keys
  • Sign and Encrypt Mutual Authentication
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Session Keys
  • Is Sign and Encrypt Mutual Authentication better?
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Timestamp
  • Contains the current time
  • A timestamp can be used in place of a nonce
  • Benefit: no messages are wasted exchanging nonces
  • Used in many real-world security protocols, such as Kerberos
  • Timestamps create some security concerns
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Timestamp
  • Reduces the number of messages by a third
  • Using a timestamp with sign and encrypt is secure
  • What about encrypt and sign?
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Timestamp
  • Unfortunately, the protocol is subject to attack
SIMPLE AUTHENTICATION PROTOCOLS
3. Authentication Protocol
• Timestamp
  • Timestamp with sign and encrypt is secure
  • Timestamp with encrypt and sign is not
  • So we can never take anything for granted
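The "security concerns" that come with using a timestamp T instead of a nonce, as an added example that is not part of the deck: the receiver's clock is never exactly the sender's, so T can only be checked against a skew window, and within that window T alone does not stop a replay, so the receiver also has to remember which (sender, T) pairs it has already accepted until they expire. The 300-second window and the cache are assumptions of this example, not values from the slides.

```python
import time
from typing import Dict, Optional, Tuple


class TimestampChecker:
    """Freshness check for a message that carries a timestamp T in place of a nonce.

    Accept only if |now - T| <= skew (clocks are never perfectly synchronized) and
    (sender, T) has not already been accepted while T is still fresh: inside the
    skew window a timestamp by itself does not stop a replay, so a cache of accepted
    (sender, T) pairs is kept. The 300 s default and the cache are assumptions
    of this example, not values from the slides."""

    def __init__(self, skew_seconds: float = 300.0) -> None:
        self.skew = skew_seconds
        self.seen: Dict[Tuple[str, float], float] = {}  # (sender, T) -> T

    def _prune(self, now: float) -> None:
        # A cached T that has fallen out of the skew window could not be accepted
        # again anyway, so it may be dropped to keep the cache bounded.
        for k in [k for k, ts in self.seen.items() if ts < now - self.skew]:
            del self.seen[k]

    def accept(self, sender: str, ts: float, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._prune(now)
        if abs(now - ts) > self.skew:
            return False          # too old, or too far in the future
        key = (sender, ts)
        if key in self.seen:
            return False          # replay of a timestamp already accepted
        self.seen[key] = ts
        return True


if __name__ == "__main__":
    c = TimestampChecker(300)
    print("first message:", c.accept("alice", 1000, now=1000))
    print("same message again:", c.accept("alice", 1000, now=1001))
    print("400 s old:", c.accept("alice", 600, now=1000))
```

The check is only as good as the sender's timestamp is bound to the rest of the message, which is the sign-and-encrypt versus encrypt-and-sign distinction on the slide: if T can be separated from the signed content, a fresh T does nothing for the rest of the message.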