Computer Security Authentication
Transcript of a PowerPoint presentation (lecture slides).
Slide 1: Computer Security Authentication (04/22/23)
Slide 2: Entity Authentication
Entity Authentication is the process of verifying a claimed identity. It is based on:
• something the entity knows
• something the entity holds
• something the entity is
• something the entity does
• where the entity is
Slide 3: Something the entity knows
The user has to know some secret, such as a password or a personal identification number (PIN).
Threats: Anybody who knows your secret “is you”!
Slide 4: Something the entity holds
The user has to present a physical token (such as a key, an identity tag or a card) to be authenticated.
Threats: The token can be lost or stolen!
Slide 5: Something the entity is
Use biometrics, such as fingerprints, palm prints, iris patterns or retina patterns. With biometrics a stored pattern is compared to a measurement actually taken at authentication time.
Problems: False positives (accepting the wrong entity) and false negatives! Many users find biometrics unacceptable. Gruesome threats of the kind used in some Hollywood thrillers!
Slide 6: Something the entity does
People perform some mechanical tasks in a way that is both repeatable and specific to the individual.
Examples:
• hand written signatures
• on a writing pad: the writing speed/pressure of a hand written signature
• on the keyboard: the typing speed and the intervals between strokes
Problems: False positives (accepting the wrong entity) and false negatives!
Slide 7: Where the entity is
The system may take into account the location of the login. For example, access may only be granted from certain terminals.
With mobile and distributed computing the precise geographical location can be established during authentication by using the services of a global positioning system (GPS).
Slide 8: Usernames & Passwords
The most common authentication mechanism. Although password protection seems to offer relatively good security, human practice degrades its quality.
A password is information associated with an entity that confirms the entity’s identity; typically it is a sequence of characters.
Slide 9: Usernames & Passwords
Let
• A be a set of authentication information, used by entities to prove their identity
• C be a set of complementary information, stored by the system and used to validate the authentication information
• F : A → C be a set of complementary functions
• L : A × C → {true, false} be the set of authentication functions
• S be a set of selection functions that enable entities to create or alter authentication and complementary information
Slide 10: Example, Unix passwords: crypt(3) for Unix systems
The original UNIX password mechanism does not store passwords online in clear. Instead one of 4,096 functions hashes the password into an 11-character string, and two characters are used to identify the function.
• A is the set of strings of up to eight characters (the null character and some others are disallowed).
• Passwords are chosen from a set of at most 127 possible characters, so A contains approximately 6.9 × 10^16 passwords.
• C contains strings of exactly 13 characters, so roughly 3 × 10^23 strings.
Slide 11: Example, Unix passwords
• The UNIX hashing functions f ∈ F are based on a permutation of DES; F consists of 4,096 such functions.
• The UNIX authentication functions l ∈ L are login, su and other such programs that confirm a user’s password during execution.
• The selection functions s ∈ S are programs such as passwd and nispasswd, which change the password associated with an entity.
Slide 12: Cryptographic protection: the one-way hash functions f ∈ F
crypt(3) for Unix systems uses a slightly modified version of the encryption scheme DES with 25 “rounds” (instead of the 16 rounds). It encrypts the all-zero block using the password x as the key. The encryption f(x) of the zero block is the hash value.
Slide 13: Attacks on passwords
Although password protection seems to offer relatively good security, human practice degrades its quality.
Attacks on passwords:
1. Exhaustive search
2. Try many probable passwords
3. Try likely passwords for the user
4. Search for the system list of passwords
5. Ask the user!
Slide 14: Exhaustive search attacks
If passwords are words consisting of the 26 characters A-Z and have length 8, then there are altogether 26^8 passwords. This is roughly 2 × 10^11, which seems intractable enough.
It would take of the order of 6 years to test all passwords at the rate of 1 millisecond per password. If we were to speed up the search to one microsecond per password, this would come down to approximately 2 days.
Slide 15: Probable passwords
People prefer simple passwords. Our earlier analysis assumes that people choose passwords such as “vxlagrst”, whereas in reality they tend to use names and words they can remember. Spelling checkers carry dictionaries of the most common English words; the typical size of such a dictionary is 80,000 words. This reduces the search to seconds.
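Carrying the estimates of slides 14 and 15 through (an added worked calculation, not part of the original slides; a year is taken as $3.156 \times 10^{7}$ s):

$$26^{8} = 208\,827\,064\,576 \approx 2.09 \times 10^{11}$$

$$T_{1\,\mathrm{ms}} = 2.09 \times 10^{11} \times 10^{-3}\ \mathrm{s} = 2.09 \times 10^{8}\ \mathrm{s} \approx \frac{2.09 \times 10^{8}}{3.156 \times 10^{7}}\ \mathrm{years} \approx 6.6\ \mathrm{years}$$

$$T_{1\,\mu\mathrm{s}} = 2.09 \times 10^{11} \times 10^{-6}\ \mathrm{s} = 2.09 \times 10^{5}\ \mathrm{s} \approx \frac{2.09 \times 10^{5}}{86\,400}\ \mathrm{days} \approx 2.4\ \mathrm{days}$$

$$T_{\mathrm{dict}} = 8 \times 10^{4} \times 10^{-3}\ \mathrm{s} = 80\ \mathrm{s}, \qquad 8 \times 10^{4} \times 10^{-6}\ \mathrm{s} = 0.08\ \mathrm{s}$$

So an 80,000-word dictionary is searched in well under two minutes even at the slow rate, which is why the dictionary attack rather than the exhaustive search is the practical threat.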
Slide 16: Passwords likely for a user
People prefer words which are related to them, such as the name of a spouse, a child, a relative, a pet, a street name, or something memorable or familiar. Some people pick a simple password and replace certain characters, such as 0 (zero) for the letter O, 1 for the letter L, 3 for the letter E, etc.
Slide 17: Password defenses
• Password checkers: check the password against a dictionary of weak passwords.
• Password generators: users are not allowed to pick their own passwords.
• Password ageing: an expiry date is set for passwords.
• Limit login attacks.
• Inform the user after a successful login of the last login and the number of failed logins since then.
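The last two defenses on this slide, as an added Python example (not from the slides): a per-account monitor that locks an account after repeated failed logins and, on the next successful login, reports the last login time and the number of failures since then. The limit of 5 attempts and the 300-second lockout are assumed policy values.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAILED = 5          # lock the account after this many consecutive failures (assumed)
LOCKOUT_SECONDS = 300   # how long a lock lasts (assumed policy value)


@dataclass
class AccountState:
    """Per-user bookkeeping needed for both defenses."""
    last_login: Optional[float] = None      # timestamp of the last successful login
    failed_since_last: int = 0              # failures since that login (reported to the user)
    consecutive_failures: int = 0           # failures since the last success or lock
    locked_until: Optional[float] = None    # lockout expiry timestamp, if any


class LoginMonitor:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """The login program should call this before it even checks the password."""
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; returns True if the account is (now) locked."""
        st = self._state(user)
        if self.is_locked(user, now):
            return True                     # attempts during a lock are not counted
        st.failed_since_last += 1
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_FAILED:
            st.locked_until = now + LOCKOUT_SECONDS
            st.consecutive_failures = 0
            return True
        return False

    def record_success(self, user: str, now: float) -> dict:
        """Record a successful login and return the notice shown to the user."""
        st = self._state(user)
        notice = {"last_login": st.last_login,
                  "failed_since_last_login": st.failed_since_last}
        st.last_login = now
        st.failed_since_last = 0
        st.consecutive_failures = 0
        st.locked_until = None
        return notice
```

A user who sees "5 failed logins since your last login" in the notice learns that someone has been guessing their password, which is the detection value of the second defense.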
Slide 18: Spoofing attacks
An entity enters a password and the system verifies the entity’s identity. Does the user know who has received the password?
Defenses:
• Display the number of failed attempts
• Use trusted paths (with Windows NT, CTRL+ALT+DEL invokes the OS login screen)
• Mutual authentication: the system could be required to identify itself
Slide 19: Protecting the password file
To validate passwords the system compares the password entered against a value stored in the password file.
Defenses:
• cryptographic protection (e.g. use a one-way hash function f: instead of listing passwords x, list their values f(x); beware of dictionary attacks!)
• access control enforced by the OS (e.g. restrict access to files and other resources to users holding the appropriate privileges)
• combine both
Slide 20: Cryptographic protection
Use a one-way hash function f. Instead of storing the password x in the password list, the hash is stored. The password list is organized as a two-column table of user IDs (usernames) and the corresponding hashed values. When the user logs in and enters the password x, it is hashed (locally) into f(x). This value is then compared with the stored value.
Slide 21: Cryptographic protection: access control mechanisms in the OS
These restrict access to files and other resources to users holding the appropriate privileges. Only privileged users can have write access to the password file: otherwise an attacker could access the data of other users by changing their entries in the password file. If read access is restricted to privileged users then passwords should be secure, in theory. In practice an attacker can still use a dictionary attack.
Slide 22: Cryptographic protection: access control mechanisms in the OS
Dictionary attacks can be prevented by using password salting.
With salting, additional information (the salt) is appended to the password x before it is hashed to get f(x). This implies that even if two users have the same password their salted hashes will be different.
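The model of slide 9 (A, C, F, L, S), the two-column password file of slide 20 and the salting of this slide, as added Python example code (not the slides' crypt(3)): the choice of SHA-256 over the password followed by a 16-byte random salt, and the names f, s and l, are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Complementary function f in F: A -> C. Takes the authentication information x
# (the password, an element of A) plus a salt and yields the complementary
# information stored by the system (an element of C). SHA-256 stands in here for
# the DES-based function of crypt(3) (assumption for illustration only).
def f(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(password.encode("utf-8") + salt).digest()

# The weak variant of f without a salt: identical passwords give identical table
# entries, so one precomputed dictionary of f(word) values can be checked against
# every user's entry at once. This is the "beware of dictionary attacks" of slide 19.
def unsalted_f(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

# The password file: the two-column table of slide 20, username -> stored entry.
# Each entry is (salt, f(x, salt)); the salt is stored in clear, just as crypt(3)
# stores the two characters that identify which of its 4,096 functions was used.
password_file: dict[str, tuple[bytes, bytes]] = {}

# Selection function s in S (the role passwd plays): create or alter an entry.
def s(user: str, new_password: str) -> None:
    salt = os.urandom(16)                  # fresh random salt on every password change
    password_file[user] = (salt, f(new_password, salt))

# Authentication function l in L (the role login and su play): A x C -> {true, false}.
def l(user: str, password: str) -> bool:
    entry = password_file.get(user)
    if entry is None:
        return False                       # unknown user: same answer as a wrong password
    salt, stored = entry
    # constant-time comparison so that timing does not reveal how many bytes matched
    return hmac.compare_digest(f(password, salt), stored)

def entries_collide(user_a: str, user_b: str) -> bool:
    """True when two users' stored complementary information is identical."""
    return password_file[user_a][1] == password_file[user_b][1]
```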
Slide 23: Multiple passwords
For additional password protection several passwords may be used. For example, use
• the first password for the workstation
• the second password to get onto the network
• the third password to access the server
• the fourth to access the database management system
• etc.
Slide 24: Passwords: single sign-on
Remembering many passwords is rather inconvenient. A single sign-on service solves this problem: you enter your password once, the system stores it, and then uses it whenever you have to authenticate yourself again.
However this raises new security concerns. How do you protect the stored password? (The password needs to be in cleartext.)
Slide 25: Biometrics
1. Fingerprints: scan optically, or use a capacitive technique (measure differences in electrical charges to detect those parts of the finger touching a chip and those that are raised). The data is converted into a graph whose vertices are the ridges; adjacent ridges are connected.
Slide 26: Biometrics
2. Voices
3. Eyes
4. Faces
5. Keystrokes
6. Combinations
Problem: false positives/negatives