SlideShare a Scribd company logo

User authentication

Download as PPTX, PDF
CAS
CAS

USER AUTHENTICATION MEANS OF USER AUTHENTICATION PASSWORD AUTHENTICATION PASSWORD VULNERABILITIES USE OF HASHED PASSWORDS – IN UNIX PASSWORD CRACKING TECHNIQUES USING BETTER PASSWORDS TOKEN AUTHENTICATION BIO-METRIC AUTHENTICATION

Technology
1 of 20
COMPUTER SECURITY USERAUTHENTICATION Mr. RAJASEKAR RAMALINGAM Faculty - Department of IT College of Applied Sciences – Sur, Sultanate of Oman. vrrsekar@yahoo.com
CONTENT • USER AUTHENTICATION • MEANS OF USER AUTHENTICATION • PASSWORD AUTHENTICATION • PASSWORD VULNERABILITIES • USE OF HASHED PASSWORDS – IN UNIX • PASSWORD CRACKING TECHNIQUES • USING BETTER PASSWORDS • TOKEN AUTHENTICATION • BIOMETRIC AUTHENTICATION USER AUTHENTICATION 2
3 1. USER AUTHENTICATION • RFC 2828 defines user authentication as: • “The process of verifying an identity claimed by or for a system entity. • Fundamental security building block • Basis of most types of access control & for user accountability. • User authentication is distinct from message authentication. • User authentication process consists of two steps: 1. Identification: Presenting an identifier to the security system. 2. Verification: Binding entity (person) and identifier USER AUTHENTICATION
4 2. MEANS OF USER AUTHENTICATION • Four general means of authenticating a user's identity are • Individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. • Individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token. • Individual is (static biometrics): Includes recognition by fingerprint, retina, and face. • Individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm. • can use alone or combined • all can provide user authentication & have issues. USER AUTHENTICATION
5 3. PASSWORD AUTHENTICATION • Widely used user authentication method – User provides name/login and password – System compares password with that saved for specified login • Authenticates ID of user logging and – That the user is authorized to access system – Determines the user’s privileges – Is used in Discretionary Access Control USER AUTHENTICATION
4. PASSWORD VULNERABILITIES Offline dictionary attack Specific account attack Popular password attack Password guessing against single user Workstation hijacking Exploiting user mistakes Exploiting multiple password use Eectronic monitoring USER AUTHENTICATION 6
7 Following are the attack strategies: 1. Offline dictionary attack: • A hacker gain access to the system password file. • Compares the password hashes against hashes of commonly used passwords. 2. Specific account attack: • Attacker targets a specific account &submits password guesses until the correct password is discovered. 3. Popular password attack / Against single user: • The attacker chooses a popular password and tries it. • Attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. USER AUTHENTICATION
8 4. Workstation hijacking: • The attacker waits until a logged-in workstation is unattended. 5. Exploiting user mistakes: • User is more likely to write it down passwords, because it is difficult to remember. 6. Exploiting multiple password use. • Similar password for a many applications 7. Electronic monitoring: • If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. USER AUTHENTICATION
9 5. USE OF HASHED PASSWORDS – IN UNIX USER AUTHENTICATION
• A widely used password security technique. • Use of hashed passwords and a salt value. • Found on all UNIX and other operating systems. 1. Loading a new password: • The user selects or is assigned a password. • Password combined with a fixed-length salt value. • Salt is a pseudorandom or random number. • PW & salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. • Hashed password then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. 2. Verifying a password: • When a user attempts to log on to a system, the user provides an ID and a password. • OS uses the ID to retrieve the plaintext salt and the encrypted password. • The salt and user-supplied password are used as input to the encryption routine. • If the result matches the stored value, the password is accepted. 10USER AUTHENTICATION
6. PASSWORD CRACKING TECHNIQUES Dictionary attacks • Develop a large dictionary of possible passwords and try each against the password file • Each password must be hashed using each salt value and then compared to stored hash values Rainbow table attacks • Pre-compute tables of hash values for all salts • A mammoth table of hash values • Can be countered by using a sufficiently large salt value and a sufficiently large hash length USER AUTHENTICATION 11
12 7. USING BETTER PASSWORDS • Clearly have problems with passwords • Goal to eliminate guessable passwords • At the same time, easy for user to remember • Four basic techniques: 1. User education 2. Computer-generated passwords 3. Reactive password checking 4. Proactive password checking 1. User education: • Users can be told the importance of using hard-to-guess passwords. • Provide users with guidelines for selecting strong passwords. • Can be problematic when have a large user population. • Because many users will simply ignore the guidelines. USER AUTHENTICATION
2. Computer-generated passwords: • Poor acceptance by users. • Random in nature, users will not remember. 3. Reactive password checking: • System periodically runs its own password cracker to find guessable passwords. • The system cancels any passwords that are guessed and notifies the user. • Can be costly in resources to implement. 4. Proactive password checking: • User selects own password which the system then checks to see if it is allowable and, if not, rejects it. 13USER AUTHENTICATION
14 8. TOKEN AUTHENTICATION • Objects that a user possesses for the purpose of user authentication are called tokens. • Token are of different forms, they are: 1. Embossed: Raised characters only, on front, e.g. Old credit card. 2. Magnetic stripe: Magnetic bar on back, characters on front, e.g. Bank card. 3. Memory: Has Electronic memory inside, e.g. Prepaid phone card. 4. Smartcard: Has Electronic memory and processor inside, e.g. Biometric ID card USER AUTHENTICATION
15 8.1 MEMORY CARD / MAGNETIC STRIPS • Store but do not process data • Magnetic stripe card, e.g. bank card • Electronic memory card • Used alone for physical access • With password/PIN for computer use • Drawbacks of memory cards include: – Need special reader – Loss of token issues – User dissatisfaction USER AUTHENTICATION
16 8.2 SMARTCARD / EMBOSED • Credit-Card like • Has own processor, memory, I/O ports – Wired or wireless access by reader – May have crypto co-processor – ROM, EEPROM, RAM memory • Executes protocol to authenticate with reader/computer • Also have USB dongles USER AUTHENTICATION
17 9. BIOMETRIC AUTHENTICATION • Authenticate user based on one of their physical characteristics • Biometric authentication system authenticates an individual based on unique • Physical characteristics like Fingerprints, hand geometry, facial characteristics, and retinal and iris patterns. • Dynamic characteristics like voiceprint and signature. USER AUTHENTICATION
1. Facial characteristics: Characteristics based on location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. 2. Fingerprints: The pattern of ridges and furrows on the surface of the fingertip. 3. Hand geometry: Identify features of hand,: e.g. shape, lengths & widths of fingers. 4. Retinal pattern: Formed by veins beneath the retinal surface is unique. Uses digital image of the retinal pattern by projecting a low- intensity beam of visual or infrared light into the eye. 5. Signature: Each individual has a unique style of handwriting, especially in signature. 18USER AUTHENTICATION
19 9.1 OPERATION OF A BIOMETRIC SYSTEM USER AUTHENTICATION
Operation of a biometric system. • Each users must first be enrolled in the system. • For biometric system, the user presents a name and a password or PIN. • System senses some biometric characteristic of this user (e.g. fingerprint of right index finger). • The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers. • This set of numbers is referred to as the user’s template. • User authentication on a biometric system involves either verification or identification. • Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN. • In Identification process, the individual uses the biometric sensor but presents no additional information. • The system then compares the presented template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected. 20USER AUTHENTICATION

Recommended

Intruders
IntrudersIntruders
Intruderstechn
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Program security
Program securityProgram security
Program security
G Prachi
 
Web Security
Web SecurityWeb Security
Web Security
Dipika Bambhaniya
 
System security
System securitySystem security
System security
sommerville-videos
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
gaurav koriya
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
IGZ Software house
 

Recommended

Intruders
IntrudersIntruders
Intruderstechn
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Program security
Program securityProgram security
Program security
G Prachi
 
Web Security
Web SecurityWeb Security
Web Security
Dipika Bambhaniya
 
System security
System securitySystem security
System security
sommerville-videos
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
gaurav koriya
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
IGZ Software house
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
rajakhurram
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
BharathiKrishna6
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
Abou Bakr Ashraf
 
Web security
Web securityWeb security
Web security
Subhash Basistha
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
CAS
 
Access Controls
Access ControlsAccess Controls
Access Controls
primeteacher32
 
Software security
Software securitySoftware security
Software security
Roman Oliynykov
 
Operating system security
Operating system securityOperating system security
Operating system security
Ramesh Ogania
 
Network security model.pptx
Network security model.pptxNetwork security model.pptx
Network security model.pptx
ssuserd24233
 
Authentication
AuthenticationAuthentication
Authentication
primeteacher32
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
Devakumar Kp
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
G Prachi
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
G Prachi
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
Mahmoud Ibra
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric keyTriad Square InfoSec
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
Puskar Bhandari
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
begmohsin
 

More Related Content

What's hot

Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
rajakhurram
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
BharathiKrishna6
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
Abou Bakr Ashraf
 
Web security
Web securityWeb security
Web security
Subhash Basistha
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
CAS
 
Access Controls
Access ControlsAccess Controls
Access Controls
primeteacher32
 
Software security
Software securitySoftware security
Software security
Roman Oliynykov
 
Operating system security
Operating system securityOperating system security
Operating system security
Ramesh Ogania
 
Network security model.pptx
Network security model.pptxNetwork security model.pptx
Network security model.pptx
ssuserd24233
 
Authentication
AuthenticationAuthentication
Authentication
primeteacher32
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
Devakumar Kp
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
G Prachi
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
Kalpesh Kalekar
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
G Prachi
 
Key management
Key managementKey management
Key management
Sujata Regoti
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
Mahmoud Ibra
 

What's hot (20)

Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
 
Web security
Web securityWeb security
Web security
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Access Controls
Access ControlsAccess Controls
Access Controls
 
Software security
Software securitySoftware security
Software security
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Network security model.pptx
Network security model.pptxNetwork security model.pptx
Network security model.pptx
 
Authentication
AuthenticationAuthentication
Authentication
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Transport layer security (tls)
Transport layer security (tls)Transport layer security (tls)
Transport layer security (tls)
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
 
Key management
Key managementKey management
Key management
 
Information Security
Information SecurityInformation Security
Information Security
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
 

Similar to User authentication

Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
Puskar Bhandari
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
begmohsin
 
Access Control
Access ControlAccess Control
Access Control
Waseem Hamid Hussain
 
Network Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. ShivashankarNetwork Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. Shivashankar
Dr. Shivashankar
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
Setia Juli Irzal Ismail
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
Vaibhav Khanna
 
cryptographydiksha.pptx
cryptographydiksha.pptxcryptographydiksha.pptx
cryptographydiksha.pptx
DIKSHABORKAR8
 
Cyber Security # Lec 2
Cyber Security # Lec 2Cyber Security # Lec 2
Cyber Security # Lec 2
Kabul Education University
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
Nishant Pawar
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
Olajide Kuku
 
Whatscrypt Messenger for android project
Whatscrypt Messenger for android projectWhatscrypt Messenger for android project
Whatscrypt Messenger for android project
MuthukumaranM13
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos De Pedro
 
Keystroke dynamics
Keystroke dynamicsKeystroke dynamics
Keystroke dynamics
Tushar Kayande
 
Web authentication
Web authenticationWeb authentication
Web authenticationPradeep J V
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
newbie2019
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 
Bank locker system
Bank locker systemBank locker system
Bank locker system
Rahul Wagh
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
ArthyR3
 
Arbina project
Arbina projectArbina project
Arbina project
ArbinaSulthana15
 

Similar to User authentication (20)

Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
 
Access Control
Access ControlAccess Control
Access Control
 
Network Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. ShivashankarNetwork Security_4th Module_Dr. Shivashankar
Network Security_4th Module_Dr. Shivashankar
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 
cryptographydiksha.pptx
cryptographydiksha.pptxcryptographydiksha.pptx
cryptographydiksha.pptx
 
Cyber Security # Lec 2
Cyber Security # Lec 2Cyber Security # Lec 2
Cyber Security # Lec 2
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
 
Whatscrypt Messenger for android project
Whatscrypt Messenger for android projectWhatscrypt Messenger for android project
Whatscrypt Messenger for android project
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
 
Keystroke dynamics
Keystroke dynamicsKeystroke dynamics
Keystroke dynamics
 
Web authentication
Web authenticationWeb authentication
Web authentication
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handling
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
Bank locker system
Bank locker systemBank locker system
Bank locker system
 
Address book
Address bookAddress book
Address book
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
 
Arbina project
Arbina projectArbina project
Arbina project
 

More from CAS

CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4
CAS
 
RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3
CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2
CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1
CAS
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
CAS
 
Introduction to research methodology
Introduction to research methodologyIntroduction to research methodology
Introduction to research methodology
CAS
 
Can you solve this
Can you solve thisCan you solve this
Can you solve this
CAS
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
CAS
 
Public key cryptography and message authentication
Public key cryptography and message authenticationPublic key cryptography and message authentication
Public key cryptography and message authentication
CAS
 
Malicious software
Malicious softwareMalicious software
Malicious software
CAS
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
CAS
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and procedures
CAS
 
Human resources security
Human resources securityHuman resources security
Human resources security
CAS
 
Database security
Database securityDatabase security
Database security
CAS
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic tools
CAS
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
CAS
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2
CAS
 

More from CAS (20)

CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4
 
RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3
 
RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2
 
RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
Introduction to research methodology
Introduction to research methodologyIntroduction to research methodology
Introduction to research methodology
 
Can you solve this
Can you solve thisCan you solve this
Can you solve this
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
Public key cryptography and message authentication
Public key cryptography and message authenticationPublic key cryptography and message authentication
Public key cryptography and message authentication
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and procedures
 
Human resources security
Human resources securityHuman resources security
Human resources security
 
Database security
Database securityDatabase security
Database security
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic tools
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

User authentication

  • 1. COMPUTER SECURITY USERAUTHENTICATION Mr. RAJASEKAR RAMALINGAM Faculty - Department of IT College of Applied Sciences – Sur, Sultanate of Oman. vrrsekar@yahoo.com
  • 2. CONTENT • USER AUTHENTICATION • MEANS OF USER AUTHENTICATION • PASSWORD AUTHENTICATION • PASSWORD VULNERABILITIES • USE OF HASHED PASSWORDS – IN UNIX • PASSWORD CRACKING TECHNIQUES • USING BETTER PASSWORDS • TOKEN AUTHENTICATION • BIOMETRIC AUTHENTICATION USER AUTHENTICATION 2
  • 3. 3 1. USER AUTHENTICATION • RFC 2828 defines user authentication as: • “The process of verifying an identity claimed by or for a system entity. • Fundamental security building block • Basis of most types of access control & for user accountability. • User authentication is distinct from message authentication. • User authentication process consists of two steps: 1. Identification: Presenting an identifier to the security system. 2. Verification: Binding entity (person) and identifier USER AUTHENTICATION
  • 4. 4 2. MEANS OF USER AUTHENTICATION • Four general means of authenticating a user's identity are • Individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. • Individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token. • Individual is (static biometrics): Includes recognition by fingerprint, retina, and face. • Individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm. • can use alone or combined • all can provide user authentication & have issues. USER AUTHENTICATION
  • 5. 5 3. PASSWORD AUTHENTICATION • Widely used user authentication method – User provides name/login and password – System compares password with that saved for specified login • Authenticates ID of user logging and – That the user is authorized to access system – Determines the user’s privileges – Is used in Discretionary Access Control USER AUTHENTICATION
  • 6. 4. PASSWORD VULNERABILITIES Offline dictionary attack Specific account attack Popular password attack Password guessing against single user Workstation hijacking Exploiting user mistakes Exploiting multiple password use Eectronic monitoring USER AUTHENTICATION 6
  • 7. 7 Following are the attack strategies: 1. Offline dictionary attack: • A hacker gain access to the system password file. • Compares the password hashes against hashes of commonly used passwords. 2. Specific account attack: • Attacker targets a specific account &submits password guesses until the correct password is discovered. 3. Popular password attack / Against single user: • The attacker chooses a popular password and tries it. • Attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. USER AUTHENTICATION
  • 8. 8 4. Workstation hijacking: • The attacker waits until a logged-in workstation is unattended. 5. Exploiting user mistakes: • User is more likely to write it down passwords, because it is difficult to remember. 6. Exploiting multiple password use. • Similar password for a many applications 7. Electronic monitoring: • If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. USER AUTHENTICATION
  • 9. 9 5. USE OF HASHED PASSWORDS – IN UNIX USER AUTHENTICATION
  • 10. • A widely used password security technique. • Use of hashed passwords and a salt value. • Found on all UNIX and other operating systems. 1. Loading a new password: • The user selects or is assigned a password. • Password combined with a fixed-length salt value. • Salt is a pseudorandom or random number. • PW & salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. • Hashed password then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. 2. Verifying a password: • When a user attempts to log on to a system, the user provides an ID and a password. • OS uses the ID to retrieve the plaintext salt and the encrypted password. • The salt and user-supplied password are used as input to the encryption routine. • If the result matches the stored value, the password is accepted. 10USER AUTHENTICATION
  • 11. 6. PASSWORD CRACKING TECHNIQUES Dictionary attacks • Develop a large dictionary of possible passwords and try each against the password file • Each password must be hashed using each salt value and then compared to stored hash values Rainbow table attacks • Pre-compute tables of hash values for all salts • A mammoth table of hash values • Can be countered by using a sufficiently large salt value and a sufficiently large hash length USER AUTHENTICATION 11
  • 12. 12 7. USING BETTER PASSWORDS • Clearly have problems with passwords • Goal to eliminate guessable passwords • At the same time, easy for user to remember • Four basic techniques: 1. User education 2. Computer-generated passwords 3. Reactive password checking 4. Proactive password checking 1. User education: • Users can be told the importance of using hard-to-guess passwords. • Provide users with guidelines for selecting strong passwords. • Can be problematic when have a large user population. • Because many users will simply ignore the guidelines. USER AUTHENTICATION
  • 13. 2. Computer-generated passwords: • Poor acceptance by users. • Random in nature, users will not remember. 3. Reactive password checking: • System periodically runs its own password cracker to find guessable passwords. • The system cancels any passwords that are guessed and notifies the user. • Can be costly in resources to implement. 4. Proactive password checking: • User selects own password which the system then checks to see if it is allowable and, if not, rejects it. 13USER AUTHENTICATION
  • 14. 14 8. TOKEN AUTHENTICATION • Objects that a user possesses for the purpose of user authentication are called tokens. • Token are of different forms, they are: 1. Embossed: Raised characters only, on front, e.g. Old credit card. 2. Magnetic stripe: Magnetic bar on back, characters on front, e.g. Bank card. 3. Memory: Has Electronic memory inside, e.g. Prepaid phone card. 4. Smartcard: Has Electronic memory and processor inside, e.g. Biometric ID card USER AUTHENTICATION
  • 15. 15 8.1 MEMORY CARD / MAGNETIC STRIPS • Store but do not process data • Magnetic stripe card, e.g. bank card • Electronic memory card • Used alone for physical access • With password/PIN for computer use • Drawbacks of memory cards include: – Need special reader – Loss of token issues – User dissatisfaction USER AUTHENTICATION
  • 16. 16 8.2 SMARTCARD / EMBOSED • Credit-Card like • Has own processor, memory, I/O ports – Wired or wireless access by reader – May have crypto co-processor – ROM, EEPROM, RAM memory • Executes protocol to authenticate with reader/computer • Also have USB dongles USER AUTHENTICATION
  • 17. 17 9. BIOMETRIC AUTHENTICATION • Authenticate user based on one of their physical characteristics • Biometric authentication system authenticates an individual based on unique • Physical characteristics like Fingerprints, hand geometry, facial characteristics, and retinal and iris patterns. • Dynamic characteristics like voiceprint and signature. USER AUTHENTICATION
  • 18. 1. Facial characteristics: Characteristics based on location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape. 2. Fingerprints: The pattern of ridges and furrows on the surface of the fingertip. 3. Hand geometry: Identify features of hand,: e.g. shape, lengths & widths of fingers. 4. Retinal pattern: Formed by veins beneath the retinal surface is unique. Uses digital image of the retinal pattern by projecting a low- intensity beam of visual or infrared light into the eye. 5. Signature: Each individual has a unique style of handwriting, especially in signature. 18USER AUTHENTICATION
  • 19. 19 9.1 OPERATION OF A BIOMETRIC SYSTEM USER AUTHENTICATION
  • 20. Operation of a biometric system. • Each users must first be enrolled in the system. • For biometric system, the user presents a name and a password or PIN. • System senses some biometric characteristic of this user (e.g. fingerprint of right index finger). • The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers. • This set of numbers is referred to as the user’s template. • User authentication on a biometric system involves either verification or identification. • Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN. • In Identification process, the individual uses the biometric sensor but presents no additional information. • The system then compares the presented template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user is rejected. 20USER AUTHENTICATION