Lecture 4
1. Computer Network Security 1
Protection in OS
A brief history
There were no operating systems
Programs were entered by users by means of switches
Programs were entered by means of input devices like keyboards
Each user had exclusive access to the computing system
Time sharing
Required loading libraries, compilers, linkers and assemblers, and then cleaning up for the next user by removing sensitive code or data
2. Computer Network Security 2
A brief history
The first OSs were simple utilities called executives
Designed to assist programmers and to smooth the user-to-user transition
Provided linkers and loaders, compilers and assemblers, and automatic loading of subprograms from libraries
Multiprogramming allowed two users to interleave access to the resources of a single computing system
Researchers developed scheduling, sharing and parallel use
3. Computer Network Security 3
A brief history
Multiprogramming OSs, called monitors, oversaw each program's execution
While an executive stayed in the background, waiting to be called into action by the user, a monitor maintained control of the computing system and gave access to a resource only if that was consistent with good use of the system
Multiprogramming brought complications: a user making a mistake on an executive would only feel foolish, but under a monitor one user could adversely affect the computation of another user
4. Computer Network Security 4
User authentication
An OS bases much of its protection on knowing who a user of the system is
In real life, you may ask for ID before cashing a cheque or issuing a book
Over time, organizations and systems have developed means of authentication: documents, voice recognition, fingerprints, retina matching, etc.
In computing, the choices are more limited and the possibilities are less secure. Anyone can attempt to log in to a computing system.
A computer cannot tell from electrical signals alone that one person is any different from another
5. Computer Network Security 5
User authentication
Most computer authentication systems must be based on something shared only between the user and the computer
Authentication mechanisms are based on:
Something the user knows: passwords, PINs, mother's maiden name
Something the user has: identity badges, physical keys, driver's license
Something the user is: biometrics, based on a physical characteristic of the user such as a fingerprint or the pattern of a person's voice
Two or more forms can be combined for stronger security, for example a bank card and a PIN
6. Computer Network Security 6
Use of passwords
The most common authentication mechanism from user to operating system is a password
Mutually agreed-upon code words, assumed to be known only to the system and the user
Seems to offer a relatively secure system
BUT: human practice sometimes degrades its quality
7. Computer Network Security 7
Passwords: loose-lipped systems
Consider a would-be intruder who knows nothing of the system:
Enters a common name as the user name; the system answers with either
• Invalid user name
• Password dialog
Enters a guessed password
The intruder finds out the OS and a valid user name
8. Computer Network Security 8
Passwords: additional
authentication information
Day and time of access
Location of access
9. Computer Network Security 9
Attacks on passwords
Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.
Here are some ways one might be able to determine a user's password:
Try all possible passwords
Try many probable passwords
Try passwords likely for the user
Search for the system list of passwords
Ask the user
10. Computer Network Security 10
Exhaustive attack: brute force
All possible passwords: usually automated
If a system has a maximum password length of 8 letters (26 possibilities per position):
26^1 one-character passwords
26^2 two-character passwords
...
26^8 eight-character passwords
26 + 26^2 + ... + 26^8 = 5 million
At one password per millisecond, it will take only 150 years to try all possibilities
At one password per microsecond, only two months
11. Computer Network Security 11
Probable passwords
We prefer shorter passwords that are easy to remember, spell and pronounce
At one password per millisecond, it takes only 18.278 seconds to try all three-character passwords, about 8 minutes for four-character ones, or about 3.5 hours for five-character ones
This analysis assumes that people choose passwords like vxlag and msms as often as they pick enter and boring
However, people tend to choose names or words they can remember
Programs contain dictionaries of English words
It takes only 80 seconds to test all 80,000 words in a dictionary as passwords
12. Computer Network Security 12
Passwords likely for a user
People choose passwords that are meaningful to them:
Spouse's name
Child's name
Brother's or sister's name
Pet's name
Street name
Trying this list takes under a second
One can try ten of these by hand in under two minutes
13. Computer Network Security 13
Weak passwords
Several web sites post dictionaries of phrases, science fiction characters, places, mythological names, Chinese words, Yiddish words, and other specialized lists
These help admins identify weak passwords, but the same dictionaries can also be used by attackers against sites that do not have such attentive administrators
Tools such as COPS, Crack, and SATAN allow an admin to scan a system for weak passwords
People think they can be clever by picking a simple password and replacing certain characters, such as 0 for o, 1 for I or l, 3 for E, or @ for a
14. Computer Network Security 14
Steps an attacker would take
Here are some password-guessing steps an attacker would take:
No password
Same as user id
User name or derived from it
Common: password, secret, private, asdfg, aaaaa
Short college dictionary
Complete English word list
Common non-English dictionary
15. Computer Network Security 15
Steps an attacker would take
Short college dictionary with capitalizations (PaSsWoRd) and substitutions such as 0 for o
Complete English word list with capitalization and substitutions
Common non-English dictionary with capitalization and substitutions
Brute force, lowercase alphabetic
Brute force, full character set
16. Computer Network Security 16
Plaintext system password list
To validate passwords, a system must have a way of comparing entries with the actual passwords
Rather than trying to guess the password, why not target the password file?
Two columns: user ID, password
Too obvious: don't leave it out in the open
It has to be protected
17. Computer Network Security 17
Protecting plaintext password file
Various security approaches are used to conceal the password table from those who should not see it:
Strong access controls
Only the OS can access it
Not every OS module needs access, e.g. the operating system scheduler, accounting routines, or storage manager have no need to know the table's contents
Avoid dumps of memory
An attacker may carefully time a memory dump so that it captures the table
Protect system backups
19. Computer Network Security 19
Conventional encryption
Receive the user's password, decrypt the stored password and compare
But the plaintext password is then available in memory for a while; that is, the password is available to anyone who could obtain access to all of memory
Safer to use a one-way hash
20. Computer Network Security 20
One-way hash
The password table's entries are encrypted by a one-way encryption and then stored. When the user enters a password, it is also encrypted and then compared with the table. If the two values are equal, the authentication succeeds.
The Unix password file can be read by anyone, unless special access controls have been installed.
What if two people choose the same password?
I notice that another user's hashed password is the same as mine in the file
21. Computer Network Security 21
One-way hash - salt
Unix circumvents this vulnerability by using a password extension called the salt
The salt is a 12-bit number derived from the current system time and the process id
Likely to be unique for every user
Concatenate the salt and the plaintext password, then hash the result
Store the hash together with the salt
When the user enters a password, fetch the salt from the file, hash the salt and password, and compare
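The salted scheme from slides 20 and 21, as an added example that is not part of the lecture: it uses SHA-256 in place of the Unix one-way function and a random 16-byte salt in place of the 12-bit time/pid-derived one, and the table layout (user -> salt, hash) is assumed. With `salted=False` it reproduces the unsalted scheme, so two users with the same password get identical rows.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Stored password table: user -> (salt, hash). Layout assumed for this example;
# SHA-256 stands in for the Unix one-way function, a random 16-byte salt for the
# 12-bit salt the slides describe.
PasswordTable = Dict[str, Tuple[bytes, bytes]]


def one_way(salt: bytes, password: str) -> bytes:
    """Concatenate salt and plaintext password, then hash (slide 21)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def enroll(table: PasswordTable, user: str, password: str,
           salted: bool = True) -> None:
    """Store hash with salt; salted=False reproduces the unsalted slide 20 scheme."""
    salt = os.urandom(16) if salted else b""
    table[user] = (salt, one_way(salt, password))


def verify(table: PasswordTable, user: str, password: str) -> bool:
    """Fetch the user's salt from the table, hash the offered password, compare."""
    entry: Optional[Tuple[bytes, bytes]] = table.get(user)
    if entry is None:
        return False
    salt, stored = entry
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(one_way(salt, password), stored)


def stored_values_match(table: PasswordTable, user_a: str, user_b: str) -> bool:
    """True when two rows carry identical hashes, i.e. one user can read off
    that the other chose the same password (the slide 20 observation)."""
    return table[user_a][1] == table[user_b][1]


if __name__ == "__main__":
    unsalted: PasswordTable = {}
    salted: PasswordTable = {}
    for table, use_salt in ((unsalted, False), (salted, True)):
        enroll(table, "alice", "bliptab", salted=use_salt)
        enroll(table, "bob", "bliptab", salted=use_salt)
        print("salted" if use_salt else "unsalted",
              "rows match:", stored_values_match(table, "alice", "bob"),
              "alice ok:", verify(table, "alice", "bliptab"),
              "bob wrong:", verify(table, "bob", "wrong"))
```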
22. Computer Network Security 22
Indiscreet users
Taped to the monitor
On a card in the top desk drawer
Given away in order to share files
23. Computer Network Security 23
Password selection criteria
Use characters other than letters
Choose long passwords
Avoid actual names or words
Choose an unlikely password: 2BrnB
Change the password regularly
Don't write it down
Don't tell anyone else
24. Computer Network Security 24
Good password choices
Some systems help users by offering a choice of meaningless but pronounceable passwords, e.g. VAX VMS
Easy to forget and misspell: bliptab
Some systems encourage users to change passwords frequently
Warn a few days ahead of expiry
Leave no choice on the day of expiry
25. Computer Network Security 25
One-time passwords
Changes every time it is used
Assign a static mathematical function; the system provides an argument to the function, and the user computes and returns the function value. Such systems are also called challenge-response systems.
f(x) = x + 1
f(x) = 3x^2 - 9x + 2
f(x) = p_x, where p_x is the xth prime number
f(x) = r(x): use x as the seed of a random number generator, or take the xth random number
f(a1a2a3a4a5a6) = a3a1a1a4
f(E(x)) = E(D(E(x)) + 1): the system provides an encrypted value; the user decrypts it, performs the arithmetic, and re-encrypts
One-time passwords are very effective because intercepted passwords are useless
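The challenge-response exchange from slide 25, as an added example that is not part of the lecture: the system sends a fresh six-digit x, the user returns f(x) for the function agreed at enrolment, and `replay_is_useless` shows why an intercepted answer does not work against the next challenge. The server class, function names and the six-digit challenge range are assumptions of this example; the p_x and E/D variants are omitted.

```python
import random
from typing import Callable, Dict, Tuple
# The secret shared at enrolment is which function the user memorised (assumed
# design for this example); the system sends x, the user answers f(x).

def poly(x: int) -> int:
    """f(x) = 3x^2 - 9x + 2."""
    return 3 * x * x - 9 * x + 2

def seeded_random(x: int) -> int:
    """f(x) = r(x): use x as the seed of a random number generator."""
    return random.Random(x).randrange(1_000_000)

def digit_select(x: int) -> int:
    """f(a1a2a3a4a5a6) = a3a1a1a4 applied to a six-digit challenge."""
    a = f"{x:06d}"
    return int(a[2] + a[0] + a[0] + a[3])

FUNCTIONS: Dict[str, Callable[[int], int]] = {
    "succ": lambda x: x + 1, "poly": poly, "random": seeded_random, "digits": digit_select,
}

class ChallengeResponseServer:
    def __init__(self, enrolled: Dict[str, str], seed=None) -> None:
        self.enrolled = enrolled        # user -> name of the agreed function
        self.rng = random.Random(seed)  # seed is injectable for reproducible runs
        self.pending: Dict[str, int] = {}

    def challenge(self, user: str) -> int:
        """Pick a fresh six-digit argument and remember it for this user."""
        x = self.rng.randrange(100_000, 1_000_000)
        self.pending[user] = x
        return x

    def respond(self, user: str, value: int) -> bool:
        """Accept only f(x) for the outstanding challenge; each x is usable once."""
        x = self.pending.pop(user, None)
        if x is None or user not in self.enrolled:
            return False
        return FUNCTIONS[self.enrolled[user]](x) == value

def user_answer(function_name: str, x: int) -> int:
    """What the legitimate user computes from the challenge."""
    return FUNCTIONS[function_name](x)

def replay_is_useless(server: ChallengeResponseServer, user: str, fname: str) -> Tuple[bool, bool]:
    """Log in once, then replay the same (intercepted) answer against a new challenge."""
    first = user_answer(fname, server.challenge(user))
    accepted = server.respond(user, first)
    server.challenge(user)                 # new x, so the old value no longer matches
    return accepted, server.respond(user, first)
```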
26. Computer Network Security 26
Authentication process
Even a terrible typist should be able to type the password correctly in a few tries
A legitimate user will not complain about a delay of 5 to 10 seconds
A penetrator's job would be made infeasible
Repeated failure = not an authorized user
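The slide 26 policy turned into code, as an added example that is not part of the lecture: every failed attempt imposes a delay before the next guess is even evaluated, and a run of failures locks the account. The wrapper class, its return values and the injectable clock are assumptions of this example.

```python
import time
from typing import Callable, Dict

class ThrottledLogin:
    """Wrap a password check so failures cost time and repeated failure locks the account."""

    def __init__(self, check: Callable[[str, str], bool], max_failures: int = 5,
                 delay: float = 5.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.check = check              # underlying password verifier (assumed interface)
        self.max_failures = max_failures
        self.delay = delay              # seconds the user must wait after a failure
        self.clock = clock              # injectable so tests need not sleep
        self.failures: Dict[str, int] = {}
        self.not_before: Dict[str, float] = {}

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'wait', 'locked' or 'denied'; never says why a guess failed."""
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"             # repeated failure: treat as not the authorized user
        if self.clock() < self.not_before.get(user, 0.0):
            return "wait"               # still inside the post-failure delay, guess not evaluated
        if self.check(user, password):
            self.failures.pop(user, None)   # a typo or two is forgiven once the login succeeds
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.not_before[user] = self.clock() + self.delay
        return "denied"
```

Because guesses made during the delay are not evaluated at all, an automated guesser is held to one evaluated guess per delay period per account, which is what makes the exhaustive and dictionary timings on the earlier slides infeasible.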
27. Computer Network Security 27
Fixing flaws
Trojan horse: a program that displays the standard login prompt, e.g. after a fake SYSTEM ERROR, DISCONNECTED message, to capture the password
Make sure the system is reinitialized:
Turn the terminal off and then on
Press the break key
Ctrl+Alt+Del
The system could display something only the user and the system know, such as the last login time