1 / 58

Information System Security

Đại học Quốc Gia TPHCM – Đại học Bách Khoa Khoa Khoa học và Kỹ thuật Máy Tính. Identification & Authentication techniques. Information System Security. Đại học Quốc Gia TPHCM – Đại học Bách Khoa Khoa Khoa học và Kỹ thuật Máy Tính. Thành viên : Huỳnh Lưu Triết 50702593

stacey-curtis
Télécharger la présentation

Information System Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Đại học Quốc Gia TPHCM – Đại học Bách Khoa Khoa Khoa học và Kỹ thuật Máy Tính Identification & Authentication techniques Information System Security

  2. Đại học Quốc Gia TPHCM – Đại học Bách Khoa Khoa Khoa học và Kỹ thuật Máy Tính • Thành viên : • Huỳnh Lưu Triết 50702593 • Nguyễn Hoàng Tùng 50702853 Information System Security

  3. Outline • AUTHENTICATION METHODS • Something you know • Something you have • Something you are • AUTHENTICATION PROTOCOLS • Simple authentication protocols • Real-world security protocols Information System Security

  4. Authentication Methods • Something you know • Something you have • Something you are : Password : Smartcard : Fingerprint, Iris Scan Information System Security

  5. Definition • Identification • Authentication ~ Who is someone ? ~ Is something genuine ? Information System Security

  6. Authentication Methods • Something you know • Something you have • Something you are Information System Security

  7. Passwords (1) Password Group A Group B Group C >= 6 characters Passphrases 8 randomly characters Information System Security

  8. Passwords (2) • Password verification • Other password issues Information System Security

  9. Passwords (3) • Password verification • Compare with the correct password • Password x  y = h(x)  store y  verify z  h(z)  compare h(z) with y • Crack : Trudy has “dictionary”  h(x0,x1,…xN-1)  compare each with y • Salt value (s)  y = h(x, s)  store (s, y)  verify z  h(z, s)  compare h(z, s) with y from (s, y) Information System Security

  10. Passwords (4) • Other password issues • Social engineering • Keystroke logging software and spyware • Number password • Cracking tools Information System Security

  11. Authentication Methods • Something you know • Something you have • Something you are Information System Security

  12. Something you have Like credit card, includes a small amount of memory and computing resources Information System Security

  13. Authentication Methods • Something you know • Something you have • Something you are Information System Security

  14. BIOMETRICS (1) • Types of errors • Biometric examples • Biometric error rates • Biometric conclusions Information System Security

  15. BIOMETRICS (2) • Types of errors • Fraud rate • Insult rate Information System Security

  16. BIOMETRICS (3) • Types of errors Alice Fraud rate Information System Security

  17. BIOMETRICS (4) • Types of errors Not Alice Insult rate Information System Security

  18. BIOMETRICS (5) • Biometrics Examples • Fingerprints • Used in ancient China • 1798, J. C. Mayer  fingerprints may unique • 1823, Purkinje  nine “fingerprint patterns” • 1883, Mark Twain  “Life on the Mississippi” • 1892, Sir Francis Galton  “minutia” systems Information System Security

  19. BIOMETRICS (6) • Biometric examples • Fingerprints Information System Security

  20. BIOMETRICS (7) • Biometric examples • Hand geometry • The width and length of the hand and fingers • Hand geometry is easy and quick to measure Information System Security

  21. BIOMETRICS (8) • Biometric examples • Hand geometry Information System Security

  22. BIOMETRICS (9) • Biometric examples • Iris scan • The best for authentication • 1936, Frank Burch suggest using it • The 1980s, resurfaced in James Bond films • 1994, John Daugman - a researcher at Cambridge University, patented  iris scan • A black and white photo of the eye  transform  a 256-byte (2048 bit) “iris code” Information System Security

  23. BIOMETRICS (10) • Biometric examples • Iris scan • Alice : x ; iris scan stored : y • d(x, y) = non-match bits/bits compared. • d(x, y), same is 0.08 and difference is 0.50 • A match : d (x, y) <= 0.32 • How to attack ? • Picture of Alice  How to prevent ??? Information System Security

  24. BIOMETRICS (11) • Biometric examples • Iris scan Information System Security

  25. BIOMETRICS (12) • Biometric error rates • Fraud rate = Insult rate • Fingerprints (5%) • Hand geometry (0.1%) • Iris scan (0.001%) Information System Security

  26. BIOMETRICS (6) • Biometric conclusions • Difficult to attack • Expensive Information System Security

  27. SUMMARY • Difficult to attack ~ Expensive • Attack : • Biometrics < Smartcard < Password • Cost : • Password < Smartcard < Biometrics Information System Security

  28. AUTHENTICATION PROTOCOLS SIMPLE AUTHENTICATION PROTOCOLS REAL-WORLD SECURITY PROTOCOLS

  29. SIMPLE AUTHENTICATIONPROTOCOLS • Introduction • Simple Security Protocols • Authentication Protocols • Authentication Using Symmetric Keys • Session Keys • Timestamps Information System Security

  30. SIMPLE AUTHENTICATION PROTOCOLS • Introduction • What is Protocol? • Security Protocol? • Differences between Authentication Method and Authentication Protocol • A seemingly innocuous change can make a significant difference in a protocol • Security protocol must meet the specified security requirements Information System Security

  31. SIMPLE AUTHENTICATION PROTOCOLS 2.Simple Security Protocols • Entering into a secure facility, such as the National SecurityAgency • Withdraw money from an ATM machine • Identify Friend or Foe, or IFF Information System Security

  32. SIMPLE AUTHENTICATION PROTOCOLS • Identify Friend or Foe, or IFF Information System Security

  33. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocols • Efficient? • Trudy can later replay the messages • Alice’s password is sent in the clear • Bob must know Alice’s password Information System Security

  34. SIMPLE AUTHENTICATION PROTOCOLS How to solve? Information System Security

  35. SIMPLE AUTHENTICATION PROTOCOLS • 3.Authentication Protocols Information System Security

  36. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Authentication Using Symmetric Keys • Encrypting plaintext P with key K to obtain ciphertext C is C = E(P,K) • Decrypting ciphertext C with key K to recover the plaintext P is P = D(C,K). • Alice and Bob share symmetric key KAB Information System Security

  37. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Authentication Using Symmetric Keys Information System Security

  38. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Authentication Using Symmetric Keys Is subject to a man-in-the-middle attacks. Information System Security

  39. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Authentication Using Symmetric Keys Man in the Middle Information System Security

  40. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Authentication Using Symmetric Keys • Conclusion: • One-way authentication protocol may not be secure for mutual Authentication. • Protocols and attacks on protocols can be subtle. • “Obvious” changes to protocols can raise serious security issues Information System Security

  41. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Authentication Using Symmetric Keys • Lesson: • Don’t have the two sides do exactly the same thing • Small changes to a protocol can result in big changes in security Information System Security

  42. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Session Keys • Encrypt data within each connection • Limits the data encrypted with one particular key • Limits the damage if one session key is compromised • Used for confidentiality or integrity protection. Information System Security

  43. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Session Keys Information System Security

  44. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Session Keys Information System Security

  45. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Session Keys • Sign and Encrypt Mutual Authentication Information System Security

  46. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • Session Keys • Is Sign and Encrypt Mutual Authentication better? Information System Security

  47. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • TimeStamp • Contains the current time • Timestamp can be used in place of a nonce • Benefit: don’t need to waste any messages exchanging nonces • Used in many real-world security protocols, such as Kerberos • Timestamps create some security concerns Information System Security

  48. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • TimeStamp • Reduced the number of messages by a third • Using timestamp with the sign and encrypt is secure • What about encrypt and sign? Information System Security

  49. SIMPLE AUTHENTICATION PROTOCOLS 3.Authentication Protocol • TimeStamp Unfortunately, the protocol is subject to attack Information System Security

  50. SIMPLE AUTHENTICATION PROTOCOLS 3. Authentication Protocol • TimeStamp • Timestamp with the sign and encrypt is secure • Timestamp with encrypt and sign is not • So we can never take anything for granted Information System Security

More Related