Computer Security Principles and Practice Chapter 3 User
- Slides: 27
Computer Security: Principles and Practice Chapter 3 – User Authentication First Edition by William Stallings and Lawrie Brown Lecturer: Ming Hour Yang
User Authentication Ø fundamental security building block l basis of access control & user accountability Ø is the process of verifying an identity claimed by or for a system entity Ø has two steps: l l identification - specify identifier verification - bind entity (person) and identifier Ø distinct from message authentication
Means of User Authentication Ø four means of authenticating user's identity Ø based one something the individual l l knows - e. g. password, PIN possesses - e. g. key, token, smartcard is (static biometrics) - e. g. fingerprint, retina does (dynamic biometrics) - e. g. voice, sign Ø can use alone or combined Ø all can provide user authentication Ø all have issues
Password Authentication Ø widely used user authentication method l l user provides name/login and password system compares password with that saved for specified login Ø authenticates ID of user logging and l l l that the user is authorized to access system determines the user’s privileges is used in discretionary access control
Password Vulnerabilities Ø offline dictionary attack Ø specific account attack Ø popular password attack Ø password guessing against single user Ø workstation hijacking Ø exploiting user mistakes Ø exploiting multiple password use Ø electronic monitoring
Countermeasures Ø stop unauthorized access to password file Ø intrusion detection measures Ø account lockout mechanisms Ø policies against using common passwords but rather hard to guess passwords Ø training & enforcement of policies Ø automatic workstation logout Ø encrypted network links
Use of Hashed Passwords
UNIX Implementation Ø original scheme l l 8 character password form 56 -bit key 12 -bit salt used to modify DES encryption into a one-way hash function 0 value repeatedly encrypted 25 times output translated to 11 character sequence Ø now regarded as woefully insecure l e. g. supercomputer, 50 million tests, 80 min Ø sometimes still used for compatibility
Improved Implementations Ø have other, stronger, hash/salt variants Ø many systems now use MD 5 l l with 48 -bit salt password length is unlimited is hashed with 1000 times inner loop produces 128 -bit hash Ø Open. BSD uses Blowfish block cipher based hash algorithm called Bcrypt l uses 128 -bit salt to create 192 -bit hash value
Password Cracking Ø dictionary attacks l try each word then obvious variants in large dictionary against hash in password file Ø rainbow table attacks l l precompute tables of hash values for all salts a mammoth table of hash values e. g. 1. 4 GB table cracks 99. 9% of alphanumeric Windows passwords in 13. 8 secs not feasible if larger salt values used
Password Choices Ø users may pick short passwords l l e. g. 3% were 3 chars or less, easily guessed system can reject choices that are too short Ø users may pick guessable passwords l l l so crackers use lists of likely passwords e. g. one study of 14000 encrypted passwords guessed nearly 1/4 of them would take about 1 hour on fastest systems to compute all variants, and only need 1 break!
Password File Access Control Ø can block offline guessing attacks by denying access to encrypted passwords l l make available only to privileged users often using a separate shadow password file Ø still have vulnerabilities l l l exploit OS/software bugs accident with permissions making it readable users with same password on other systems access from unprotected backup media sniff passwords in unprotected network traffic
Using Better Passwords Ø clearly have problems with passwords Ø goal to eliminate guessable passwords Ø whilst still easy for user to remember Ø techniques: l l user education computer-generated passwords reactive password checking proactive password checking
Proactive Password Checking Ø rule enforcement plus user advice, e. g. l l Ø password cracker l Ø time and space issues Markov Model l l Ø 8+ chars, upper/lower/numeric/punctuation may not suffice generates guessable passwords hence reject any password it might generate Bloom Filter l l use to build table based on dictionary using hashes check desired password against this table
Token Authentication Ø object user possesses to authenticate, e. g. l l embossed card magnetic stripe card memory card smartcard
Memory Card Ø store but do not process data Ø magnetic stripe card, e. g. bank card Ø electronic memory card Ø used alone for physical access Ø with password/PIN for computer use Ø drawbacks of memory cards include: l l l need special reader loss of token issues user dissatisfaction
Smartcard credit-card like Ø has own processor, memory, I/O ports Ø l l l wired or wireless access by reader may have crypto co-processor ROM, EEPROM, RAM memory executes protocol to authenticate with reader/computer Ø also have USB dongles Ø
Biometric Authentication Ø authenticate user based on one of their physical characteristics
Operation of a Biometric System
Biometric Accuracy Ø never get identical templates Ø problems of false match / false non-match
Biometric Accuracy Ø can plot characteristic curve Ø pick threshold balancing error rates
Remote User Authentication Ø authentication over network more complex l problems of eavesdropping, replay Ø generally use challenge-response l l user sends identity host responds with random number user computes f(r, h(P)) and sends back host compares value from user with own computed value, if match user authenticated Ø protects against a number of attacks
Authentication Security Issues Ø client attacks Ø host attacks Ø eavesdropping Ø replay Ø trojan horse Ø denial-of-service
Practical Application
Case Study: ATM Security
Summary Ø introduced user authentication l l l using passwords using tokens using biometrics Ø remote user authentication issues Ø example application and case study
- Computer security principles and practice 4th edition
- Computer security principles and practice solutions
- Computer security principles and practice 4th edition
- Computer security principles and practice
- Private secuirty
- Single user and multiple user operating system
- Types of operating systems
- Principles of computer security
- Psychology principles in practice chapter 1
- Security program and policies principles and practices
- Security program and policies principles and practices
- Security program and policies principles and practices
- Security program and policies principles and practices
- Security program and policies principles and practices
- Interface between user and computer
- Security mechanism x.800
- Wireless security in cryptography
- E commerce security meaning
- Principles of input design
- Graphical user interface design principles
- What are the three principles of user-centered design?
- Rfc 4949
- End user computing audit
- User interface design principles in software engineering
- Myeplg
- Computer user logo
- Flatbed sheet fed pen and handheld are types of
- Computer parts labeling