CSC 482582 Computer Security Authentication CSC 482582 Computer
- Slides: 31
CSC 482/582: Computer Security Authentication CSC 482/582: Computer Security
Authentication 1. 2. 3. 4. 5. 6. Identity Groups and Roles Network Identities Authentication Biometrics UNIX Authentication CSC 482/582: Computer Security
What is Identity? Computer’s representation of an entity �Entities can be subjects or objects. Authentication binds a principal to an identity. Example: �username expresses your identity. �password binds the person typing to that particular identity (username). CSC 482/582: Computer Security
Purpose of Identity Access Control �Most systems base access rights on identity of principal executing the process. Accountability �Logging and auditing functions. �Need to track identity across account/role changes (e. g. , su, sudo). CSC 482/582: Computer Security
Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. �static: alias for a group of principles. �dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function CSC 482/582: Computer Security
Network Identity Ethernet (MAC) Address � 48 -bit data link level identifier �example: 00: 0 B: DB: 78: 39: 8 A IP Address � 32 -bit network level identifier �ex: 10. 17. 0. 101 IPv 6 Address � 128 -bit network level identifier �ex: fe 80: : 2 a 0: c 9 ff: fe 97: 153 d/64 Hostname (DNS name) �string application level identifier �ex: www. nku. edu CSC 482/582: Computer Security
What is Authentication? Binding of an identity to a subject Based on: 1. 2. 3. 4. What the entity knows (e. g. , passwords) What the entity has (e. g. , access card) What the entity is (e. g. , fingerprints) Where the entity is (e. g. , local terminal) Two-factor authentication CSC 482/582: Computer Security
What You Know �Passwords �Pass Phrases �PINs CSC 482/582: Computer Security
What You Have �Smart Cards �USB Token �RFID used for toll collection CSC 482/582: Computer Security
USB Tokens and Smart Cards Small device with storage and processor. �USB tokens tend to focus on storage. �Smart cards on processor + small storage. �Differences are growing smaller. Methods of use �By Hand (read card and type one-time password) �USB �Wireless CSC 482/582: Computer Security
RFID Radio Frequency Identification Types of Tags �Passive: use power from reader signal �Active: internal power source Applications EPC RFID Tag �Product tracking (EPC barcode replacement) �Transportation payment �Automotive (embedded in car keys) �Passports �Human implants CSC 482/582: Computer Security
What You Are: Biometrics Identification by human characteristics: 1. 2. Physiological Behavioral A biometric characteristic should be: 1. 2. 3. 4. universal: everyone should have it unique: no two people should share it permanent: it should not change with time quantifiable: it must be practically measurable CSC 482/582: Computer Security
How Biometrics Work 1. User submits sample. 2. Software turns sample into digital template. 3. Software compares template against stored reference template. 4. Authentication based on how closely templates match. CSC 482/582: Computer Security
Biometric Measurement Possible Outcomes: Correct person accepted 2. Imposter rejected 3. Correct person rejected (False Rejection) 4. Imposter accepted (False Acceptance) 1. CSC 482/582: Computer Security
False Positives and Negatives Tradeoff between False Accept Rate False Reject Rate CSC 482/582: Computer Security
Fingerprints Capacitive measurement, using differences in electrical charges of whorls on finger to detect those parts touching chip and those raised. CSC 482/582: Computer Security
Brandon Mayfield �Fingerprints found in 2004 Madrid bombing. �Brandon arrested May 6, 2004. �FBI claimed “ 100 percent positive” match. �Held under a false name. �Then transferred to unidentified location. �Spanish police identify fingerprint as belonging to an Algerian man May 21, 2004. �Brandon released May 25, 2004. CSC 482/582: Computer Security
Eye Biometrics �Iris Scan �Lowest false accept/reject rates of any biometric. �Person must hold head still and look into camera. �Retinal Scan �Cataracts and pregnancy change retina pattern. �Lower false accept/reject rates than fingerprints. �Intrusive and slow. CSC 482/582: Computer Security
Other Types of Biometrics Physiological Behavioral • DNA • Gait recognition • Face recognition • Keyboard dynamics • Hand geometric • Mouse dynamics • Scent detection • Signatures • Voice recognition CSC 482/582: Computer Security
Biometrics are not infallible What are False Accept and Reject Rates? Do the characteristics change over time? �Retina changes during pregnancy. �Fingerprint damage due to work/pipe smoking. �Young and old people have fainter fingerprints. Is it accurate in the installed environment? �Is someone observing fingerprint or voiceprint checks? �i. e. , did you collect biometric from the person? CSC 482/582: Computer Security
Biometrics can be compromised. Unique identifiers, not secrets. �You can change a password. �You can’t change your iris scan. Examples: �You leave your fingerprints every place. �It’s easy to take a picture of your face. Other compromises. �Use faux ATM-style devices to collect biometrics. �Obtain all biometric templates from server. CSC 482/582: Computer Security
Use and Misuse of Biometrics Employee identification. �Employee enters login name. �System uses fingerprint to verify employee is who he claims to be. �Problem: Does biometric match the employee? Criminal search (Superbowl 2001) �System uses face recognition to search for criminals in public places. �Problem: Does any biometric in database match anyone in a crowd of people? �Assume system is 99. 99% accurate and 1 in 10 million people is a terrorist. Result: 1000 false positives for each terrorist. CSC 482/582: Computer Security
Location Classic: only allow access from a particular terminal or a particular set of remote hosts. Modern: GPS-based �Location Signature Sensor (LSS) for host and user. �Access rules permit user only to access host with specific LSS values. �Cell-phones track location, and some states use them to track drivers’ speed and locations. CSC 482/582: Computer Security
UNIX Authentication UNIX identifies user with a UID �Username is for humans, UID for computers. � 15 -bit to 32 -bit unsigned integer. �UID=0 is the superuser, root. Identity and authentication data stored in �/etc/passwd �/etc/shadow �/etc/group CSC 482/582: Computer Security
/etc/{passwd, shadow} Central file(s) describing UNIX user accounts. /etc/passwd �Username �UID �Default GID �GCOS �Home directory �Login shell /etc/shadow �Username �Encrypted password �Date of last pw change. �Days ‘til change allowed. �Days `til change required. �Expiration warning time. �Expiration date. student: x: 1000: Example User, , 555 -1212, : /home/student: /bin/bash student: $1$w/Uu. Kt. LF$ot. SSv. Xt. SN/x. Jz. UOGFEl. Nz 0: 13226: 0: 99999: 7: : : CSC 482/582: Computer Security
Groups and GIDs are 32 -bit non-negative integers. Each user has a default GID. �File group ownership set to default GID. �Temporarily change default GID: newgrp. Groups are described in /etc/group �Users may belong to multiple groups. �Format: group name, pw, GID, user list. �wheel: x: 10: root, waldenj, bergs CSC 482/582: Computer Security
Superuser Powers Superuser can • Read any file. • Modify any file. • Add / remove users. • Become any user. • Kill any process. • Reprioritize processes. • Configure network. • Set date/time. • Shutdown / reboot. CSC 482/582: Computer Security Superuser can’t • Change read-only filesystem. • Decrypt hashed passwords. • Modify NFS-mounted filesystems. • Read or modify SELinux protected files.
Switching Users The su command allows you to switch users. > id uid=102(wj) groups=102(wj) > su Password: # id uid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel) # su john$ id uid=1995(john) groups=1995(john) john$ exit # exit > id uid=102(wj) groups=102(wj) CSC 482/582: Computer Security
Real and Effective UIDs Real UID �The UID matching the username you logged in as. Effective UID �The UID that is checked for access control. �The su command changes your EUID. SUID programs �A SUID program executes with an EUID of the owner of the program instead of yours. �/usr/bin/passwd is SUID root. Why? CSC 482/582: Computer Security
Key Points 1. 2. Access control is based on identity. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user’s identity 1. 2. 3. something you know something you have something you are Authentication Types 1. 2. 3. Passwords Security Tokens Biometrics CSC 482/582: Computer Security
References 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. Phil Agre. “Your Face is not a Bar Code, ” http: //polaris. gseis. ucla. edu/pagre/bar-code. html, 2003. Ross Anderson, Security Engineering, Wiley, 2001. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. Digital. Persona, http: //www. digitalpersona. com/company/news/press. Kit. php, 2006. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O’Reilly, 2003. Ben Mook, “Md. pilot program tracks drivers’ speed, location via cell phones, ” The Daily Record, October 21, 2005, http: //www. mddailyrecord. com/pub/5_398_friday/businessnews/172883 -1. html Bruce Schneier, “Biometrics: Truths and Fictions, ” Cryptogram, http: //www. schneier. com/crypto-gram-9808. html#biometrics, 1998. Bruce Schneier, “The Curse of the Secret Question, ” http: //www. schneier. com/essay-081. html, 2005. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006. Wikipedia, http: //en. wikipedia. org/wiki/Biometrics, 2006. Wikipedia, http: //en. wikipedia. org/wiki/Fingerprint, 2006. Wikipedia, http: //en. wikipedia. org/wiki/Iris_%28 anatomy%29, 2006. Wikipedia, http: //en. wikipedia. org/wiki/RFID, 2006. Wikipedia, http: //en. wikipedia. org/wiki/Security_token, 2006. Orville Wilson, “Privacy & Identity - Security and Usability: The viability of Passwords & Biometrics, ” http: //facweb. cs. depaul. edu/research/vc/CIPLIT 2004/ppt/Orville_Wilson. ppt, 2004. “Simple Anatomy of the Retina, ” http: //webvision. med. utah. edu/sretina. html, 2006. CSC 482/582: Computer Security
Peer entity authentication
Iff
Private secruity
Cipher based message authentication code
Authentication in cryptography and network security
System.security.authentication
What is osi security architecture
Security guide to network security fundamentals
Wireless security in cryptography
Visa international security model
Electronic mail security in network security
Cnss model 27 cells example
E commerce security meaning
Software security touchpoints
Security guide to network security fundamentals
Security guide to network security fundamentals
Transportation worker identification credential
Contextual authentication
Authentication in distributed systems
Approaches to message authentication
Ca advanced authentication
Cristian solano
Aem authentication handler
Aaf authentication
Kerberos x.509 authentication service
Rfc4949
12 ways to defeat multi-factor authentication
Broken authentication acunetix
Remote authentication dial-in user service
Gfipm
Slidetodoc
Authentification diagbox
