- Slides: 31
Authentication
Authentication
- Most technical security safeguards have authentication as a precondition
- How to authenticate (factor: examples):
  - Something you know: password, secrets
  - Something you have: smart card, token
  - Something you are: biometrics
  - Somewhere you are: location
The authentication process
- Identify: either by claim or by recognition
- Authenticate (prove): ask the user for credentials
- Verification: verify these credentials
- Authorization: mark the user as authenticated; commonly the access control rights are also assigned here
Password
- A secret (word) known by the user and the system
- Username: some name under which the user is known to the system (hardly secret)
- Secret password: the secret connected to the user name
Entropy for passwords
- Entropy represents the uncertainty of the password, i.e. how likely it is to guess the password
- The entropy is calculated from the probability p_i of each observed character in the password (the logarithm of its reciprocal is the character's information content): H = -Σ p_i · ld p_i, where ld is the logarithm to base 2, so H is measured in bits
Good and bad passwords
- Bad:
  - Linkable names (own, child's, ...)
  - Linkable numbers (telephone, birthdays, ...)
  - Related words (like the car -> Ferrari)
  - Common words from dictionaries
  - Common patterns (qwerty, 123456, ...)
  - Fashion words
- Good:
  - Containing big and small letters
  - Containing numbers and special characters
  - > 8 characters
  - Can be written fast
- The first 3 good properties prevent the search (guessing); the 4th prevents observation
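The entropy formula from the previous slide and the good/bad password list, as an added Python example that is not part of the slides: `password_entropy` applies H = -Σ p_i · ld p_i to the character frequencies observed inside the password, and `password_problems` reports which of the listed rules a password violates. The dictionary, pattern and linkable lists are constructed stand-ins; a real check would load full word lists.

```python
import math
import re
from collections import Counter

# Constructed sample lists for the example; a real deployment loads complete dictionaries
COMMON_PATTERNS = {"qwerty", "123456", "password", "letmein"}
DICTIONARY_WORDS = {"ferrari", "summer", "dragon", "monkey"}


def password_entropy(password: str) -> float:
    """Shannon entropy H = -sum(p_i * ld p_i) over the characters observed in the password.

    p_i is the relative frequency of character i within the password itself and
    ld is the logarithm to base 2, so the result is in bits per character.
    """
    if not password:
        return 0.0
    counts = Counter(password)
    n = len(password)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def password_problems(password: str, linkable=frozenset()) -> list:
    """Return the rules from the 'good and bad passwords' list that the password violates.

    `linkable` is a caller-supplied set of names and numbers tied to the user
    (own name, child's name, telephone, birthday, ...).
    """
    problems = []
    low = password.lower()
    if any(item.lower() in low for item in linkable if item):
        problems.append("contains a linkable name or number")
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a common dictionary word")
    if low in COMMON_PATTERNS:
        problems.append("is a common pattern")
    if len(password) <= 8:
        problems.append("not longer than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of big and small letters")
    if not (re.search(r"\d", password) and re.search(r"[^\w\s]", password)):
        problems.append("no numbers and special characters")
    return problems
```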
Password verification
- Compare the input with a stored value
- Passwords need to be stored: plain, or encrypted (one-way or bi-directional)
- Passwords need to be transferred: plain or encrypted
Security of passwords
- Security is based mainly on the user, but also on how it is implemented in the system
- Systems can implement additional functions to harden passwords
Attacks against password systems
- Test all possible passwords
- Guess likely words (lexical attacks)
- Rainbow tables
- Social engineering
- Looking for the system's password list
- Attacking the authentication mechanism
- Ask the user
Ways to harden
- Limited number of tries
- Wrong inputs slow down the process
- Challenge-response
- Authorize (authenticate) also the system
- Combining different systems
- Harden the process
- Require passwords with high entropy
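One-way storage and verification (the "password verification" slide) combined with two of the hardening measures above, a limited number of tries and a slowdown after wrong inputs, as an added Python example that is not part of the slides. It uses PBKDF2-HMAC-SHA256 with a random salt as the one-way function; the iteration count, try limit and delay schedule are constructed choices, and `sleep` is injectable so the behaviour can be checked without waiting.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000      # PBKDF2 work factor: slows down guessing against a stolen list
MAX_TRIES = 5             # limited number of tries before the account is locked


def store_password(password: str) -> dict:
    """One-way storage: keep only salt + PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def verify_password(record: dict, attempt: str, sleep=time.sleep) -> bool:
    """Compare the input with the stored value.

    Hardening: after MAX_TRIES wrong inputs the record is locked, and every wrong
    input before that makes the next attempt wait longer (2, 4, 8, ... seconds).
    """
    if record["locked"]:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    # constant-time comparison so timing does not reveal how many bytes matched
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_TRIES:
        record["locked"] = True
    else:
        sleep(2 ** record["failures"])
    return False
```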
One-time passwords
- A password is only valid once
- Techniques: transaction numbers (TAN); hashed with time stamp
Cryptographic techniques
- Cryptography for authentication purposes
- Popular techniques: Kerberos; certificates (X.509); challenge-response systems
- Problems: complex; infrastructure dependent
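A shared-key challenge-response exchange that also lets the system prove itself (the "authorize also the system" item from the hardening slide), as an added Python example that is not from the slides. Both sides contribute a fresh random nonce, the client answers with an HMAC over the server's nonce and the server answers with an HMAC over the client's nonce; the direction label inside the MAC keeps one side's answer from being reflected back as the other's. The `Server` bookkeeping and key table are constructed for the example.

```python
import hashlib
import hmac
import os


def tag(key: bytes, role: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a direction label and the nonces of this run."""
    return hmac.new(key, b"|".join((role,) + parts), hashlib.sha256).digest()


class Server:
    def __init__(self, keys: dict):
        self.keys = keys          # client id -> shared key (constructed key table)
        self.pending = {}         # client id -> nonce of the challenge still unanswered

    def start(self, client_id: bytes) -> bytes:
        nonce = os.urandom(16)    # fresh per run, so a recorded answer never verifies again
        self.pending[client_id] = nonce
        return nonce

    def finish(self, client_id: bytes, client_nonce: bytes, response: bytes):
        """Check the client's proof; return the server's own proof or None on failure."""
        server_nonce = self.pending.pop(client_id, None)   # one answer per challenge
        key = self.keys.get(client_id)
        if server_nonce is None or key is None:
            return None
        expected = tag(key, b"client", client_id, server_nonce, client_nonce)
        if not hmac.compare_digest(expected, response):
            return None
        return tag(key, b"server", client_id, client_nonce, server_nonce)


def client_login(server: Server, client_id: bytes, key: bytes) -> bool:
    """Run the exchange from the client side; True only if both sides prove the key."""
    server_nonce = server.start(client_id)
    client_nonce = os.urandom(16)
    response = tag(key, b"client", client_id, server_nonce, client_nonce)
    proof = server.finish(client_id, client_nonce, response)
    if proof is None:
        return False
    expected = tag(key, b"server", client_id, client_nonce, server_nonce)
    return hmac.compare_digest(expected, proof)   # the system authenticated itself too
```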
Security token
- Something you have
- Popular representatives: cryptographic tokens; smart cards
- Problems: costly; technical infrastructure
Smart cards
- A card with a chip
- Not necessarily for authentication
- Different types: ROM cards; EEPROM cards; microprocessor cards
- Prominent examples: bank cards; credit cards; mobile phone cards
Attacks against smart cards
- Protocol attacks: attack the communication between the smart card and the card reader
- Blocking signals: block signals (for example erase signals)
- Freeze or reset the card: make the content of the RAM readable
Attacks against smart cards (physical)
- Probing: reading data directly from the hardware
- Damaging part of the chip, for example the address counter
- Reverse engineering: reveal the chip design and gain knowledge
- Power analysis: measure the differences in power consumption
Biometrics
- The security relies on the properties of a human being
- Measure some aspects of the human anatomy or physiology and compare them with previously recorded values
- Problems: humans change over time
Concepts
- Physical: DNA; face; fingerprint; iris; hand geometry
- Behavioral: voice; signature verification
Conventional biometrics
- Face recognition (ID cards): the oldest and probably most accepted method; average security (result of studies)
- Handwritten signatures: highly accepted in Europe; good enough security
Fingerprints
- Look at the friction ridges that cover the fingertips
- Geometry of branches and end points (commonly 16)
- Pores of the skin
- Easy to deploy, but relatively limited resistance
- Problems:
  - There is a statistical probability of mismatch (the number of variations is limited)
  - Fingerprints are mostly "noisy"
  - Alteration is easy
Iris scan
- Patterns in the iris are recognized
- Iris codes provide the lowest false accept rates of any known system (US study)
- Problems: getting people to put their eye into a scanner; systems might be vulnerable to simple photographs
Problems with biometrics
- Not exact enough: false positives and false negatives are common
- Technically difficult: the technology is new
- Privacy problems: sicknesses can be recognized
- Social problems: usage of the system; revelation generates problems
- Data leak out incidentally: when the use becomes widespread, your data will be known by a lot of people
Single sign-on
- Only one sign-on for all applications
- Techniques: save the password (but how?); issue a ticket
- Trends: identity management systems
Identity management
- Types of IdM (systems):
  - Type 1: Account management: assigned identity (= Tier 2)
  - Type 2: Profiling: derived identity, abstracted identity (= Tier 3)
  - Type 3: Management of own identities: chosen identity (= Tier 1)
- Managed by the organisation (account management, profiling) or by the user herself/himself, supported by service providers (management of own identities)
- There are hybrid systems that combine characteristics
"Identity" is changing
- IT puts more high tech on ID cards: biometrics to bind them closer to a human being; chips to add services (such as a PKI)
- Profiles may make the "traditional" ID concept obsolete: people are represented not by numbers or ID keys any more but by data sets; identities become "a fuzzy thing"
- New IDs and ID management systems are coming up: mobile communication (GSM) has introduced a globally interoperable "ID token", the Subscriber Identity Module; eBay lets people trade using pseudonyms
- Europe (the EU) considers joint ID and ID management systems: European countries have different traditions on identity card use; compatibility of ID systems is not trivial
- Work on new standards for identity management systems and entity authentication has been initiated by ISO and ITU
Identity concepts: partial identities illustrated
- Figure (not reproduced): identity management as a set of partial identities, one per context: Anonymity, Work, Shopping, Public Authority, Leisure, Health Care
- Attributes distributed over these contexts: foreign languages, education, address, capabilities, salary, name, credit cards, account number, tax status, birthdate, income, denomination, marital status, hobbies, insurance, nickname, (dis)likes, phone number, health status, blood group
Changing borders of (partial) identities
- Figure (not reproduced): the same partial identities, with the borders between them blurring
Changing borders of (partial) identities (cont.)
- Figure (not reproduced): the same partial identities with an additional context, Communication and contacts
Questions ?