USER AUTHENTICATION
MEANS OF USER AUTHENTICATION
PASSWORD AUTHENTICATION
PASSWORD VULNERABILITIES
USE OF HASHED PASSWORDS – IN UNIX
PASSWORD CRACKING TECHNIQUES
USING BETTER PASSWORDS
TOKEN AUTHENTICATION
BIOMETRIC AUTHENTICATION
CONTENT
• USER AUTHENTICATION
• MEANS OF USER AUTHENTICATION
• PASSWORD AUTHENTICATION
• PASSWORD VULNERABILITIES
• USE OF HASHED PASSWORDS – IN UNIX
• PASSWORD CRACKING TECHNIQUES
• USING BETTER PASSWORDS
• TOKEN AUTHENTICATION
• BIOMETRIC AUTHENTICATION
USER AUTHENTICATION 2
1. USER AUTHENTICATION
• RFC 2828 defines user authentication as:
• “The process of verifying an identity claimed by or for a system entity.”
• Fundamental security building block.
• Basis of most types of access control and for user accountability.
• User authentication is distinct from message authentication.
• The user authentication process consists of two steps:
1. Identification: Presenting an identifier to the security system.
2. Verification: Confirming the binding between the entity (person) and the identifier.
2. MEANS OF USER AUTHENTICATION
• There are four general means of authenticating a user's identity:
• Something the individual knows: Includes a password, a personal identification number (PIN), or answers to a prearranged set of questions.
• Something the individual possesses: Includes electronic keycards, smart cards, and physical keys. Also known as a token.
• Something the individual is (static biometrics): Includes recognition by fingerprint, retina, and face.
• Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
• These means can be used alone or in combination.
• All of them can provide user authentication, and all of them have issues.
3. PASSWORD AUTHENTICATION
• Widely used user authentication method.
– The user provides a name/login and a password.
– The system compares the password with the one saved for the specified login.
• Authenticates the ID of the user logging in, and:
– Confirms that the user is authorized to access the system.
– Determines the user’s privileges.
– Is used in discretionary access control.
4. PASSWORD VULNERABILITIES
The following are the attack strategies against password-based authentication:
1. Offline dictionary attack:
• The attacker gains access to the system password file.
• Compares the password hashes against hashes of commonly used passwords.
2. Specific account attack:
• The attacker targets a specific account and submits password guesses until the correct password is discovered.
3. Popular password attack / password guessing against a single user:
• The attacker chooses a popular password and tries it.
• The attacker attempts to gain knowledge about the account holder and the system password policies and uses that knowledge to guess the password.
4. Workstation hijacking:
• The attacker waits until a logged-in workstation is unattended.
5. Exploiting user mistakes:
• Users are more likely to write passwords down because they are difficult to remember.
6. Exploiting multiple password use:
• The same or a similar password is used for many applications.
7. Electronic monitoring:
• If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.
5. USE OF HASHED PASSWORDS – IN UNIX
• A widely used password security technique.
• Uses hashed passwords and a salt value.
• Found on all UNIX and on other operating systems.
1. Loading a new password:
• The user selects or is assigned a password.
• The password is combined with a fixed-length salt value.
• The salt is a pseudorandom or random number.
• The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code.
• The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID.
2. Verifying a password:
• When a user attempts to log on to a system, the user provides an ID and a password.
• The OS uses the ID to retrieve the plaintext salt and the stored encrypted (hashed) password.
• The salt and the user-supplied password are used as input to the same encryption (hash) routine.
• If the result matches the stored value, the password is accepted.
6. PASSWORD CRACKING TECHNIQUES
Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file.
• Each password must be hashed using each salt value and then compared to the stored hash values.
Rainbow table attacks
• Pre-compute tables of hash values for all salts.
• A mammoth table of hash values.
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length.
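The loading and verification steps of the salted-hash scheme in section 5, together with a count of hash evaluations showing why the per-user salt defeats the precomputed (rainbow) table of section 6, as an added example that is not the slides' own code. The choice of PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and the small word list are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumptions of this added example: the slides' unnamed "hashing algorithm" is
# instantiated with PBKDF2-HMAC-SHA256 (a deliberately slow password hash) and the
# salt is 16 random bytes.
SALT_LEN = 16
ITERATIONS = 20_000
hash_calls = 0  # hash evaluations performed so far; used to compare attack cost


def hash_password(password: str, salt: bytes) -> bytes:
    """Password and salt are the two inputs to the hash, as on the slide."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def load_password(password_file: dict, user_id: str, password: str) -> None:
    """Loading: choose a random salt, hash (password, salt) and store the hash
    together with the plaintext salt under the user's ID."""
    salt = os.urandom(SALT_LEN)
    password_file[user_id] = (salt, hash_password(password, salt))


def verify_password(password_file: dict, user_id: str, password: str) -> bool:
    """Verifying: use the ID to retrieve salt and stored hash, recompute the hash
    from the supplied password and compare the two in constant time."""
    entry = password_file.get(user_id)
    if entry is None:
        hash_password(password, bytes(SALT_LEN))  # unknown ID costs the same time
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_password(password, salt), stored)


def same_password_distinct_hashes(password: str) -> bool:
    """Two users who chose the same password still get different stored hashes,
    so the password file does not reveal that they share one."""
    password_file = {}
    load_password(password_file, "alice", password)
    load_password(password_file, "bob", password)
    return password_file["alice"][1] != password_file["bob"][1]


def dictionary_hash_cost(num_users: int, dictionary: list, salted: bool) -> int:
    """Hash evaluations needed to test every dictionary word against every user's
    stored hash. Unsalted: one table of len(dictionary) hashes serves all users
    and could have been precomputed (that is what a rainbow table is). Salted:
    the table is useless and every (word, salt) pair must be hashed afresh."""
    global hash_calls
    password_file = {}  # constructed file; the users' own passwords are irrelevant
    for i in range(num_users):
        # "Unsalted" is modelled as one fixed, public salt shared by everyone.
        salt = os.urandom(SALT_LEN) if salted else bytes(SALT_LEN)
        password_file[f"user{i}"] = (salt, hash_password(f"secret{i}", salt))
    hash_calls = 0  # count only the checking work, not the loading above
    if not salted:
        table = {hash_password(word, bytes(SALT_LEN)): word for word in dictionary}
        for _, stored in password_file.values():
            table.get(stored)  # a table lookup, not a hash evaluation
    else:
        for salt, _ in password_file.values():
            for word in dictionary:
                hash_password(word, salt)  # must be recomputed for each user's salt
    return hash_calls
```

With a salt the checking work grows with the number of users, and a table built before the password file was obtained is worthless; that is the "sufficiently large salt value" countermeasure on the slide.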
7. USING BETTER PASSWORDS
• There are clearly problems with passwords.
• The goal is to eliminate guessable passwords.
• At the same time, passwords should be easy for the user to remember.
• Four basic techniques:
1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking
1. User education:
• Users can be told the importance of using hard-to-guess passwords.
• Provide users with guidelines for selecting strong passwords.
• Can be problematic with a large user population, because many users will simply ignore the guidelines.
2. Computer-generated passwords:
• Poor acceptance by users.
• Random in nature, so users will not remember them.
3. Reactive password checking:
• The system periodically runs its own password cracker to find guessable passwords.
• The system cancels any passwords that are guessed and notifies the user.
• Can be costly in resources to implement.
4. Proactive password checking:
• The user selects their own password, which the system then checks to see if it is allowable and, if not, rejects it.
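A proactive password checker of the kind described under 4, as an added example and not the slides' code. The slides only say the system decides whether the chosen password is "allowable"; the concrete rules (minimum length, character classes, no user ID inside, not on a denylist) and the constructed denylist are assumptions of this example.

```python
import re

# Assumed policy for this added example; the slides do not fix the rules.
MIN_LENGTH = 8

# Constructed denylist standing in for a real list of guessable passwords.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_problems(user_id: str, password: str, denylist=DENYLIST) -> list:
    """Return every reason the proposed password is not allowable (an empty list
    means it is). Collecting all reasons lets the rejection tell the user what
    to change instead of forcing repeated attempts."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("fewer than three of: lowercase, uppercase, digit, symbol")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    # Strip digits and symbols appended to a word before the denylist lookup,
    # so "password1!" is rejected as well as "password".
    core = re.sub(r"[^a-zA-Z]+$", "", password).lower()
    if password.lower() in denylist or core in denylist:
        problems.append("is a commonly used password")
    return problems


def proactive_check(user_id: str, password: str) -> bool:
    """The slide's decision: accept the user's choice only if it is allowable."""
    return not password_problems(user_id, password)
```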
8. TOKEN AUTHENTICATION
• Objects that a user possesses for the purpose of user authentication are called tokens.
• Tokens come in different forms:
1. Embossed: Raised characters only, on the front, e.g. an old credit card.
2. Magnetic stripe: Magnetic bar on the back, characters on the front, e.g. a bank card.
3. Memory: Has electronic memory inside, e.g. a prepaid phone card.
4. Smartcard: Has electronic memory and a processor inside, e.g. a biometric ID card.
8.1 MEMORY CARD / MAGNETIC STRIPE
• Store but do not process data.
• Magnetic stripe card, e.g. bank card.
• Electronic memory card.
• Used alone for physical access.
• Used with a password/PIN for computer access.
• Drawbacks of memory cards include:
– Need a special reader.
– Problems when the token is lost.
– User dissatisfaction.
8.2 SMARTCARD / EMBOSSED
• Credit-card like.
• Has its own processor, memory, and I/O ports.
– Wired or wireless access by a reader.
– May have a crypto co-processor.
– ROM, EEPROM, and RAM memory.
• Executes a protocol to authenticate with the reader/computer.
• USB dongles are another form.
9. BIOMETRIC AUTHENTICATION
• Authenticates a user based on one of their physical characteristics.
• A biometric authentication system authenticates an individual based on unique:
• Physical characteristics, such as fingerprints, hand geometry, facial characteristics, and retinal and iris patterns.
• Dynamic characteristics, such as voiceprint and signature.
1. Facial characteristics:
Characteristics based on the location and shape of key facial features, such as eyes, eyebrows, nose, lips, and chin shape.
2. Fingerprints:
The pattern of ridges and furrows on the surface of the fingertip.
3. Hand geometry:
Identifies features of the hand, e.g. shape, and lengths and widths of the fingers.
4. Retinal pattern:
The pattern formed by veins beneath the retinal surface is unique.
Uses a digital image of the retinal pattern, obtained by projecting a low-intensity beam of visual or infrared light into the eye.
5. Signature:
Each individual has a unique style of handwriting, especially in their signature.
Operation of a biometric system:
• Each user must first be enrolled in the system.
• For the biometric system, the user presents a name and a password or PIN.
• The system senses some biometric characteristic of this user (e.g. the fingerprint of the right index finger).
• The system digitizes the input and then extracts a set of features that can be stored as a number or set of numbers.
• This set of numbers is referred to as the user’s template.
• User authentication on a biometric system involves either verification or identification.
• Verification is similar to a user logging on to a system by using a memory card or smart card coupled with a password or PIN.
• In the identification process, the individual uses the biometric sensor but presents no additional information.
• The system then compares the presented template with the set of stored templates. If there is a match, the user is identified. Otherwise, the user is rejected.
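The enrollment, verification and identification steps above, as an added example that is not part of the slides. Biometric features are modelled here as short numeric vectors, and the matching rule (Euclidean distance under a threshold), the threshold value and the sample readings are all constructed assumptions of this example.

```python
import math

# Assumed matching rule for this added example: a live sample matches a stored
# template when the distance between their feature vectors is at most this value.
MATCH_THRESHOLD = 1.0

templates = {}  # user ID -> enrolled template (the stored "set of numbers")


def extract_features(raw_sample: list) -> list:
    """Stand-in for digitising and feature extraction: normalise the raw reading
    to a fixed scale so templates from different captures are comparable."""
    scale = math.sqrt(sum(x * x for x in raw_sample)) or 1.0
    return [round(x / scale * 10, 3) for x in raw_sample]


def enroll(user_id: str, raw_sample: list) -> None:
    """Enrollment: the user presents a name (the ID here), the sensor reading is
    turned into features, and the result is stored as this user's template."""
    templates[user_id] = extract_features(raw_sample)


def distance(a: list, b: list) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(user_id: str, raw_sample: list) -> bool:
    """Verification: the user claims an ID (like presenting a card plus PIN), so
    the live sample is compared against that one stored template only."""
    template = templates.get(user_id)
    if template is None:
        return False
    return distance(extract_features(raw_sample), template) <= MATCH_THRESHOLD


def identify(raw_sample: list):
    """Identification: no ID is claimed; the sample is compared against every
    stored template. Returns the closest matching ID under the threshold, or
    None when the user is rejected."""
    features = extract_features(raw_sample)
    best_id, best_dist = None, MATCH_THRESHOLD
    for user_id, template in templates.items():
        d = distance(features, template)
        if d <= best_dist:
            best_id, best_dist = user_id, d
    return best_id
```

Identification has to search the whole template set and so has more chances of a false match than verification, which is why the threshold matters more there.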