Authentication ppt

Transcript

  • 1. Authentication – Lecture 4, Prof. S.M.Chaware
  • 2. Authentication
    • Authentication is the binding of an identity to a principal.
    • Network-based authentication mechanisms require a principal to authenticate to a single system, either local or remote.
    • The external entity must provide information to enable the system to confirm its identity.
  • 3. Basics continued…
    • The authentication process consists of obtaining the information from an entity, analyzing the data and determining if it is associated with that entity.
    • Authentication system components:
      – Set A – authentication information
      – Set C – complementary information
      – Set F – complementation functions
      – Set L – authentication functions
      – Set S – selection functions
  • 4. Passwords
    • An example of an authentication mechanism based on what people know.
    • The user supplies the password, and the computer validates it.
    • Password space
    • Verification => one-way hash function.
  • 5. Authentication system for passwords
    • Set A – characters (alphabets + digits + special characters), 8 characters.
    • Set C – one-way hash function to store the password in a file (UNIX – 13 characters), /etc/passwd.
    • Set F – based on a permutation of the DES; contains 4096 variants. – login, su.
    • Set L – system supplies the proper element of C.
    • Set S – passwd, nispasswd.
  • 6. Protecting passwords
    • Hide enough information so that one of a, c or f cannot be found.
    • Prevent access to the authentication functions L.
  • 7. Attacking password systems
    • Dictionary attack, type 1: compute f(g) for each f ∈ F; if f(g) is the complementary information for entity E, then g authenticates E under f.
    • Dictionary attack, type 2: for each l ∈ L, if l(g) returns true, then g is the correct password.
  • 8. Countering password guessing
    • P >= TG/N, where P – probability of guessing the password, T – number of time units, G – number of guesses per unit time, N – number of possible passwords.
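The bound P >= TG/N on slide 8 is easier to use once it is rearranged into the administrator's questions (how big must N be, and how long must passwords be, for a given attacker rate and acceptable risk). The following is an added example, not part of the lecture slides; it uses the 128-symbol, 8-character space that slide 21 quotes, and the one-year, one-million-guesses-per-second scenario in `main` is a constructed illustration.

```python
"""Worked example for the guessing bound P >= TG/N (slide 8).

Added example, not part of the lecture. The 128^8 space is the one slide 21
quotes; the attacker rate and time window below are constructed numbers.
"""
from math import ceil


def password_space(alphabet_size: int, length: int) -> int:
    """N: number of possible passwords of exactly `length` symbols drawn
    from an alphabet of `alphabet_size` symbols (slide 21: 128^8 = 2^56)."""
    return alphabet_size ** length


def guess_probability(T: float, G: float, N: int) -> float:
    """Lower bound on the probability that an attacker making G guesses per
    time unit for T time units finds the password: P >= TG/N, capped at 1."""
    return min(1.0, (T * G) / N)


def required_space(T: float, G: float, P: float) -> int:
    """Smallest N for which the bound keeps the success probability at or
    below P, i.e. N >= TG/P (rearranging P >= TG/N)."""
    if not 0 < P <= 1:
        raise ValueError("P must be a probability in (0, 1]")
    return ceil((T * G) / P)


def min_password_length(alphabet_size: int, T: float, G: float, P: float) -> int:
    """Shortest password length whose space reaches required_space(T, G, P):
    given the attacker's rate and the acceptable risk, how long must
    passwords over this alphabet be?"""
    needed = required_space(T, G, P)
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed scenario: one year of guessing (T in seconds) at one
    # million guesses per second against the 128^8 space of slide 21.
    T = 365 * 24 * 3600
    G = 1_000_000
    N = password_space(128, 8)
    print(f"N = {N} ({N.bit_length() - 1} bits)")
    print(f"P >= {guess_probability(T, G, N):.6f}")
    # Accept at most a 1-in-1000 chance of success against the same attacker,
    # with passwords drawn from a 95-symbol printable keyboard alphabet.
    print("minimum length:", min_password_length(95, T, G, 0.001))
```

Note that the bound is for an attacker who does not stop early; it is a floor on risk, so the administrator's thresholds should be chosen against it with margin.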
  • 9. User Authentication
    • In-person identification
    • Must be based on some knowledge shared only by the computing system and the user
    • Three qualities to confirm a user's identity:
      1. something the user knows
      2. something the user has
      3. something the user is (biometrics)
      4. where the entity is (in front of)
    • Two or more forms can be combined
  • 10. Use of Passwords
    • Password – a 'word' known to computer and user; an agreed-upon codeword; length and format vary.
    • Humans: short, memorable key (8 characters, 48 bits), used directly or as a key for a longer key
    • Computers: (long) high-quality secret; hidden key (encrypted by password), used directly (e.g., hash of the password)
    • Key versus passwords.
    • Additional authentication information
  • 11. Attacks on Passwords…
    1. Try all possible passwords
    2. Try many probable passwords
    3. Try passwords likely for the user
    4. Search for the system list of passwords
    5. Ask the user
    • 1. Exhaustive attack (brute force attack): 5 * 10^12 passwords for 26 alphabets
    • 2. Probable passwords: think of a word. Length 3 – 18.278 sec., length 4 – 8 min., length 5 – 3.5 hours; dictionary
    • 3. Attacking systems via passwords: outsider, normal user, administrator.
  • 12. Passwords Likely for a user
    • Password – something meaningful
    • Count (share) – category:
      – 15 (0.5%) – a single ASCII character
      – 72 (2%) – two ASCII characters
      – 464 (14%) – three ASCII characters
      – 477 (14%) – four alphabetic letters
      – 706 (21%) – five same-case alphabetic letters
      – 605 (18%) – six lowercase alphabetic letters
      – 492 (15%) – words in dictionaries or lists of names
      – 2831 (86%) – total of all above categories
  • 13. Passwords Likely for a user
  • 14. Password guessing steps
    • On-line: limit tries, alarm
    • Off-line: dictionary attack
    • No password
    • The same as the user ID
    • Is, or is derived from, the user's name
    • Common word list plus common names and patterns
    • Short college dictionary
    • Common non-English language dictionaries
    • Short dictionary with capitalizations and substitutions (PaSsWorD)
    • Complete English with capitalizations and substitutions
    • Common non-English with capitalizations and substitutions
    • Brute force, lowercase alphabets
    • Brute force, full character set
  • 15. Protecting the password list file
    • Problems:
      – The OS is not divided, so all its modules have access to all privileged information
      – An intruder can dump memory at a convenient time to access it
      – The file system can be relocated from a backup
      – The password file is a copy of a file stored on a disk
  • 16. Encrypted Password File
    • The password list is hidden by conventional encryption or one-way ciphers
    • One-way encryption
    • Salt – E(pw + saltB), and saltB is stored
    • Indiscreet users: writing down or telling the password
  • 17. Password Selection Criteria
    • Use characters other than just A-Z – 6-letter word, one case: 100 hours; upper and lower case: 2 years
    • Choose long passwords
    • Avoid actual names or words
    • Choose an unlikely password – 2Brn2B or I10veu
    • Change the password regularly
    • Don't write it down
    • Don't tell anyone else
  • 18. Password Selection Criteria…
    • Some systems provide meaningful but pronounceable passwords ("bliptab" as "blaptib" or "blabtip")
    • Some systems ask the user to change the password
    • Why is the reminder process not good?
    • Group A: 6 characters with at least one non-letter. 30% are easy to crack.
    • Group B: based on passphrases. 10%.
    • Group C: 8 randomly selected characters. 10%.
  • 19. One-Time Password
    • Is one that changes every time it is used
    • The system assigns a static mathematical function
    • Also called challenge-response systems
    • f(x) = x + 1
    • f(x) = r(x)
    • f(a1a2a3a4a5a6) = a3a1a1a4
    • f(E(x)) = E(D(E(x)) + 1)
  • 20. Password verification
    • Store the password in a file.
    • Store hashed passwords in a file.
    • Storing passwords:
      – Per-node: /etc/passwd
      – Server: authentication storage server, retrieved by node (yp/NIS)
      – Facilitator: server says yes/no
    • Salt – E(pw + saltB), and saltB is stored.
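Slides 16 and 20 both describe the same storage scheme: keep E(pw + saltB) and saltB rather than the password. The following is an added example, not from the lecture, showing the scheme end to end (creating the stored record, verifying a candidate, and why a per-user salt matters). The slides' E is the DES-based UNIX function; this example substitutes PBKDF2-HMAC-SHA256 from the Python standard library, which is likewise one-way and salted, and the iteration count is an assumption chosen for the example.

```python
"""Salted one-way password storage and verification (the E(pw + saltB) /
saltB scheme of slides 16 and 20).

Added example, not from the lecture. PBKDF2-HMAC-SHA256 stands in for the
slides' DES-based E; ITERATIONS is an assumption for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000  # work factor; assumption for this example


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Build the stored complementary information for one account: a random
    per-user salt plus E(pw + salt). Only this record goes in the file; the
    password itself is never stored (slide 20: 'store hashed passwords')."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Authentication function: recompute E(candidate + stored salt) and
    compare against the stored hash in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_distinct_records(password: str) -> bool:
    """Why the salt is stored per user: two accounts that chose the same
    password still get different hashes, so someone holding the file cannot
    spot shared passwords or reuse one precomputed dictionary for everyone."""
    first = make_record(password)
    second = make_record(password)
    return first["hash"] != second["hash"] and verify(password, first) and verify(password, second)


if __name__ == "__main__":
    # Constructed sample 'password file' with two users sharing a password.
    users = {"alice": make_record("correct horse"), "bob": make_record("correct horse")}
    for name, rec in users.items():
        print(name, rec["salt"], rec["hash"][:16] + "...")
    print("alice login ok:", verify("correct horse", users["alice"]))
    print("alice wrong pw:", verify("Correct horse", users["alice"]))
    print("same password, distinct hashes:", users["alice"]["hash"] != users["bob"]["hash"])
```

The record holds only what slide 20 calls for: the salt in the clear and the one-way value. `hmac.compare_digest` is used so that the verification time does not depend on how many leading bytes of a wrong hash happen to match.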
  • 21. Password cracking
    • 128 choices.
    • 8 characters => 128^8 = 2^56 possible passwords.
    • 4 cases of success of password crackers:
      – Without using a dictionary of likely passwords.
      – Using a dictionary.
      – Without using a dictionary, from the hashed file.
      – Using a dictionary.
  • 22. Other password issues
    • Reuse of passwords.
    • Social engineering
    • Keystroke logging software, spyware.
    • Password cracking tools.
    • Solution: use of biometrics.
  • 23. Fixing flaws in the Authentication Process
    • Challenge-response systems
    • Impersonation of login
    • Authentication other than passwords – handprint detectors, voice recognizers, identifiers of patterns in the retina
  • 24. Biometrics
    • Efforts to find physical characteristics that uniquely identify people include the Bertillon cranial maps, fingerprints and DNA sampling.
    • Biometrics is the automated measurement of biological or behavioral features that identify a person.
    • Common features are fingerprints, voices, face and keystroke dynamics.
  • 25. User selection of passwords
    • Proactive password selection
    • Passwords based on account names:
      – Account name followed by a number
      – Account name surrounded by delimiters
    • Passwords based on user names:
      – Initials repeated 0 or more times
      – All letters lower- or uppercase
      – Name reversed
      – First initial followed by last name reversed
  • 26. Continued…
    • Passwords based on computer names
    • Dictionary words
    • Reversed dictionary words
    • Dictionary words with some or all letters capitalized
    • Patterns from the keyboard
    • Only digits
    • Acronyms
    • Dictionary words with all vowels deleted
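Slides 25 and 26 are a rule list for a proactive password checker: the system rejects a candidate password at selection time if it falls into any of the listed classes. The following is an added example, not from the lecture, that implements those rules (plus slide 17's "choose long passwords") as a function returning every rule a candidate violates. The word list and keyboard rows are a constructed toy dictionary; a real checker loads full dictionaries. The 8-character minimum is an assumption, since the slides say only "long", and the acronym rule is not implemented because it needs a phrase list the slides do not give.

```python
"""Proactive password checker for the rejection rules of slides 25 and 26.

Added example, not from the lecture. DICTIONARY and KEYBOARD_ROWS are a
constructed toy word list; MIN_LENGTH is an assumption.
"""
import re
from typing import List

# Constructed toy dictionary; a real checker uses full word lists.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 8  # assumption; slide 17 says only "choose long passwords"
_STRIP_VOWELS = str.maketrans("", "", "aeiou")


def is_keyboard_pattern(pw: str) -> bool:
    """Three or more characters read straight along (or back along) a keyboard row."""
    return len(pw) >= 3 and any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS)


def reasons_to_reject(password: str, account: str, first: str, last: str, host: str) -> List[str]:
    """Return every slide-25/26 rule the candidate password violates.
    An empty list means the password passed the proactive check.
    Comparisons are done in lowercase, which covers the 'some or all letters
    capitalized' and 'all letters lower- or uppercase' variants."""
    pw = password.lower()
    acct, fn, ln, hostname = account.lower(), first.lower(), last.lower(), host.lower()
    reasons: List[str] = []

    # Slide 25: passwords based on the account name
    if re.fullmatch(re.escape(acct) + r"\d*", pw):
        reasons.append("account name followed by a number")
    if re.fullmatch(r"\W+" + re.escape(acct) + r"\W+", pw):
        reasons.append("account name surrounded by delimiters")

    # Slide 25: passwords based on the user's name
    initials = fn[:1] + ln[:1]
    if initials and re.fullmatch(f"(?:{re.escape(initials)})+", pw):
        reasons.append("initials repeated")
    if pw in {fn, ln, fn + ln, fn + " " + ln}:
        reasons.append("user's name in any case")
    if pw == (fn + ln)[::-1]:
        reasons.append("name reversed")
    if pw == fn[:1] + ln[::-1]:
        reasons.append("first initial followed by last name reversed")

    # Slide 26: computer names, dictionary words and their transformations
    if pw == hostname:
        reasons.append("computer name")
    if pw in DICTIONARY:
        reasons.append("dictionary word (any capitalization)")
    if pw[::-1] in DICTIONARY:
        reasons.append("reversed dictionary word")
    if any(word.translate(_STRIP_VOWELS) == pw for word in DICTIONARY):
        reasons.append("dictionary word with all vowels deleted")
    if is_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    if pw.isdigit():
        reasons.append("only digits")

    # Slide 17: choose long passwords
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample account: login jdoe, John Doe, on host1.
    for candidate in ["jdoe42", "Password", "drowssap", "psswrd", "qwerty", "jeoD", "Tr0ub4dor&3x"]:
        verdict = reasons_to_reject(candidate, "jdoe", "John", "Doe", "host1") or "accepted"
        print(f"{candidate:14} -> {verdict}")
```

Returning the full list of violated rules, rather than a bare yes/no, is what lets the system tell the user why a choice was refused, which is the point of checking proactively instead of cracking the file afterwards.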
  • 27. Guessing through authentication functions
    • Solution: backoff techniques
      – Exponential backoff
      – Disconnection
      – Disabling
      – Jailing
  • 28. Backoff techniques
    • x – parameter selected by the system administrator.
    • Waits for x^0 = 1 sec before reprompting for name and authentication data.
    • If the attempt fails again, waits for x^1 = x sec.
    • After n failures, waits for x^(n-1) sec.
  • 29. Other techniques
    • Disconnection – after some number of failed authentication attempts, the connection is broken.
    • Disabling – the account is disabled until a security manager can re-enable it.
    • Jailing – the unauthenticated user is given access to a limited part of the system and is gulled into believing that he/she has full access. The jail records the attacker's actions.
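Slides 27 to 29 describe three responses to repeated failures against the authentication functions L: exponential backoff (x^(n-1) seconds after the n-th failure), disconnection, and disabling. The following is an added example, not from the lecture, that puts them together as one small login-attempt policy. The base x = 2 and the thresholds (disconnect every 5 failures, disable after 10) are constructed defaults, since the slides leave x to the administrator and give no thresholds; jailing is not modelled.

```python
"""Exponential backoff, disconnection and disabling (slides 27-29) as a
login-attempt policy.

Added example, not from the lecture. x, disconnect_every and disable_after
are constructed defaults; the slides give no values for them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BackoffPolicy:
    x: float = 2.0             # administrator-chosen base (slide 28); assumption
    disconnect_every: int = 5  # break the connection after this many failures; assumption
    disable_after: int = 10    # disable the account after this many failures; assumption


@dataclass
class AccountState:
    failures: int = 0
    disabled: bool = False


def backoff_delay(x: float, n: int) -> float:
    """Seconds to wait after the n-th consecutive failure: x^(n-1).
    The first failure waits x^0 = 1 s, the second x^1 = x s (slide 28)."""
    if n < 1:
        raise ValueError("n counts failures and starts at 1")
    return x ** (n - 1)


def total_wait(x: float, n: int) -> float:
    """Total seconds a guesser spends waiting across n consecutive failures."""
    return sum(backoff_delay(x, k) for k in range(1, n + 1))


def record_failure(state: AccountState, policy: BackoffPolicy) -> Dict[str, Optional[float]]:
    """Apply one failed attempt and return the action the server takes:
    'reprompt' with a delay (slide 28), 'disconnect' or 'disable' (slide 29)."""
    if state.disabled:
        return {"action": "disabled", "delay": None}
    state.failures += 1
    if state.failures >= policy.disable_after:
        state.disabled = True
        return {"action": "disable", "delay": None}
    if state.failures % policy.disconnect_every == 0:
        return {"action": "disconnect", "delay": None}
    return {"action": "reprompt", "delay": backoff_delay(policy.x, state.failures)}


def record_success(state: AccountState) -> bool:
    """A correct password resets the counter, unless the account is disabled:
    then only a security manager's re-enable lets the user back in."""
    if state.disabled:
        return False
    state.failures = 0
    return True


def reenable(state: AccountState) -> None:
    """Security manager action from slide 29."""
    state.disabled = False
    state.failures = 0


def simulate(policy: BackoffPolicy, attempts: int) -> List[str]:
    """Run a constructed burst of wrong guesses and return the actions taken.
    The failure count persists across disconnections, since it belongs to
    the account, not to the connection."""
    state = AccountState()
    return [record_failure(state, policy)["action"] for _ in range(attempts)]


def lockout_cycle(policy: BackoffPolicy) -> Tuple[bool, bool]:
    """Drive an account to 'disabled', try a correct password, re-enable it,
    and try again: returns (accepted while disabled, accepted after re-enable)."""
    state = AccountState()
    for _ in range(policy.disable_after):
        record_failure(state, policy)
    while_disabled = record_success(state)
    reenable(state)
    return while_disabled, record_success(state)


if __name__ == "__main__":
    policy = BackoffPolicy()
    print("delays after failures 1..5:", [backoff_delay(policy.x, n) for n in range(1, 6)])
    print("total wait over 10 failures:", total_wait(policy.x, 10), "s")
    print("actions over 11 wrong guesses:", simulate(policy, 11))
    print("disabled / re-enabled login:", lockout_cycle(policy))
```

With x = 2 the wait after ten failures alone is 512 s and the cumulative wait is 1023 s, which is what makes on-line guessing through L slow even before disconnection or disabling kicks in.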
  • 30. Summary
    • Memory protection: fence, base-bound register, tagged architecture, paging, segmentation
    • File protection: three- or four-level format, user-group-all
    • Access control in general: access control matrix, per-object or per-user basis
    • User authentication: password protection
  • 31. Qu. on OS Security
    1. Explain different methods for memory and address protection (183)
    2. Compare segmentation with paging (193)
    3. Explain different methods to be used to protect objects (196)
    4. Explain various schemes for file protection (205)
    5. Explain ways to determine a user's password (212)
  • 32. Qu. on OS Security
    6. Explain how a fence register is used for relocating a user's program. [MAY-05/IT/5M]
    7. Explain why asynchronous I/O activity is a problem with many memory protection schemes, including base/bounds and paging. Suggest a solution to the problem. [MAY-05/IT/7M]
    8. Discuss several guidelines for password selection (218)
  • 33. Qu. on OS Security
    9. Authentication means proving identities between entities, which happens in different layers of the network protocol stack for different reasons. Identify these entities and state them.
    10. How does the OS protect files in main memory and on a secondary device?
    11. Discuss any two techniques of memory and address protection.
    12. Explain the use of temporal separation and physical separation for security in a computing environment.
  • 34. Qu. on OS Security
    13. (a) Why is user authentication required? (b) What techniques are used for authentication? (c) What are the flaws in the user authentication process? (d) Suggest controls over them.
    14. Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm?