Introduction to Computer Security Lecture 3 PDF
Luxor University
Dr. Mohamed Abdel Hameed
Summary
This document is a lecture on Introduction to Computer Security, specifically covering user authentication. It discusses various methods and strategies for securing user access in computer systems. The lecture also covers password security and authentication methods.
Full Transcript
Introduction to Computer Security
by Dr. Mohamed Abdel Hameed, Computer Science Dept.
Lecture 3

Lecture Outline
Chapter 3: User Authentication
- Electronic user authentication principles
- Password-based authentication
- Token-based authentication
- Biometric authentication
- Remote user authentication
- Security issues for user authentication
- Practical application: an iris biometric system
- Case study: security problems for ATM systems

Objectives
- Discuss the four general means of authenticating a user's identity.
- Explain the mechanism by which hashed passwords are used for user authentication.
- Understand the use of Bloom filters in password management.

User Authentication
- Fundamental security building block: the basis of access control and user accountability.
- The process of verifying an identity claimed by or for a system entity.
- Two steps:
  - Identification: present an identifier to the security system, such as the access control service.
  - Verification: bind (connect) the entity (person) and the identifier.
- Distinct from message authentication, where communicating parties are concerned with the integrity of the exchanged messages.
- In essence, identification is the means by which a user provides a claimed identity to the system.

Means of User Authentication
There are four general means of authenticating a user's identity, which can be used alone or in combination:
- Something the individual knows: examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
- Something the individual possesses: examples include electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token.
- Something the individual is (static biometrics): examples include recognition by fingerprint, retina, and face.
- Something the individual does (dynamic biometrics): examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.
A Model for Electronic User Authentication
NIST SP 800-63-2 defines electronic user authentication (EUA) as the process of establishing confidence in user identities that are electronically presented.

Risk Assessment for User Authentication
Assurance level: the degree of certainty that a user has presented a credential that refers to his/her identity.
- Level 1: Little confidence (an online forum)
- Level 2: Some confidence (professional organizations)
- Level 3: High confidence (patent office applicants)
- Level 4: Very high confidence (employees accessing restricted/sensitive services)
Potential impact: low, moderate, high.

Assurance Level Impact Profiles

| Potential impact categories for authentication errors          | Assurance Level 1 | 2    | 3   | 4        |
|-----------------------------------------------------------------|-------------------|------|-----|----------|
| Inconvenience, distress, or damage to standing or reputation    | Low               | Mod  | Mod | High     |
| Financial loss or organization liability                        | Low               | Mod  | Mod | High     |
| Harm to organization programs or interests                      | None              | Low  | Mod | High     |
| Unauthorized release of sensitive information                   | None              | Low  | Mod | High     |
| Personal safety                                                 | None              | None | Low | Mod/High |
| Civil or criminal violations                                    | None              | Low  | Mod | High     |

Password Authentication
- The front line of defense against intruders is the password system.
- The system compares the password to a previously stored password for that user ID, maintained in a system password file.
- Widely used user authentication method:
  - The user provides a name/login and password.
  - The system compares the password with the one saved for the specified login.
- Authenticates the ID of the user logging in:
  - Confirms that the user is authorized to access the system.
  - Determines the user's privileges.

Password Attacking Strategies
- Offline dictionary attack.
- Specific account attack (e.g., user john).
- Popular password attack (against a wide range of IDs).
- Password guessing against a single user (with previous knowledge about the user).
- Workstation hijacking.
- Exploiting user mistakes.
- Exploiting multiple password use.
- Electronic monitoring.
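The offline dictionary attack listed above is the one the lecture's next slides counter with hashed passwords and a salt value. As an added example (not part of the lecture), the Python below builds a shadow-style record per user with a random salt and PBKDF2-HMAC-SHA256, verifies a login against it, and shows that without a salt two users sharing a password have identical hashes while with salts they do not; the user names, passwords and the `$`-separated record layout are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the lecture): alice and bob happen
# to have chosen the same password.
USERS = {"alice": "winter2024", "bob": "winter2024", "carol": "Tr0ub4dor&3"}
ITERATIONS = 50_000  # work factor: slows every guess in an offline attack


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) of one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> str:
    """One shadow-file entry: a fresh 16-byte random salt plus the hash,
    both hex-encoded and separated by '$'. The plaintext is never kept."""
    salt = os.urandom(16)
    return f"{salt.hex()}${hash_password(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the offered password under the stored salt and compare in
    constant time, so timing does not leak how many bytes matched."""
    salt_hex, digest_hex = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_shadow(users: dict) -> dict:
    """Hashed-password file keyed by user ID, kept apart from the user list."""
    return {user: make_record(pw) for user, pw in users.items()}


def duplicates_visible(digests) -> bool:
    """True when two stored hashes are identical, i.e. anyone reading the
    file can tell those users share a password."""
    digests = list(digests)
    return len(digests) != len(set(digests))


def unsalted_digests(users: dict):
    # Plain SHA-256 with no salt: equal passwords give equal hashes.
    return (hashlib.sha256(pw.encode()).hexdigest() for pw in users.values())


def salted_digests(shadow: dict):
    # Hash part of each salted record: equal passwords now differ.
    return (record.split("$")[1] for record in shadow.values())
```

With per-user salts an offline attacker must also hash every dictionary word once per user rather than once per file, which is the second point the salt slide makes.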
Countermeasures for Password Attacks
- Stop unauthorized access to the password file.
- Intrusion detection measures.
- Account lockout mechanisms.
- Policies against using common passwords; require hard-to-guess passwords instead.
- Automatic workstation logout.
- Encrypted network links.
- Use of hashed passwords and a salt value.

Why a salt value?
- Prevents duplicate passwords from being visible in the password file.
- Increases the difficulty of offline dictionary attacks.
- Makes it nearly impossible to tell if a person used the same password on multiple systems.

Password Guessing / Cracking
Dictionary attacks
- The traditional approach to password guessing, or password cracking.
- Try each word, then obvious variants, from a large dictionary against the hashes in the password file.

Rainbow table attacks
- A precomputed table of hashes covering a large dictionary of possible passwords:
  - Uses all character sets (uppercase, lowercase, numbers and special characters).
  - If you create a password with 6 digits, there are one million options.
- The example uses MD5 (message-digest algorithm), a one-way cryptographic hash function that accepts a message of any length as input and returns a fixed-length digest value as output.

Password Choices/Concerns
- Users may pick short passwords
  - e.g. 3% were 3 characters or less, easily guessed.
  - The system can reject choices that are too short.
- Users may pick guessable passwords
  - So crackers use lists of likely passwords.
  - e.g. one study of 14,000 encrypted passwords guessed nearly 1/4 of them.

Case study
An analysis of passwords used by 25,000 students: over 10% were recovered after 10^10 guesses.

Password File Access Control
- Can block offline guessing attacks by denying access to the encrypted passwords:
  - Make them available only to privileged users.
  - Often, the hashed passwords are kept in a separate file from the user IDs, referred to as a shadow password file.
- Shadow password files still have vulnerabilities:
  - Exploiting a software bug in the O/S.
  - Accident with permissions making the file readable.
  - Users with the same password on other systems.
  - Access from unprotected backup media.
  - Guessing passwords in unprotected network traffic.

Using Better Passwords
- Clearly there are problems with passwords.
- Goal: eliminate guessable passwords while keeping passwords easy for the user to remember.
- To eliminate guessable passwords while allowing the user to select a password that is memorable, four techniques are in use:
  1. User education
  2. Computer-generated passwords
  3. Reactive password checking (periodic checking)
  4. Proactive password checking (at the time of selection)

Proactive Password Checking
- Rule enforcement plus user advice, e.g.
  - 8+ characters long, upper/lower/numeric/punctuation
  - may not suffice
- Compile a large dictionary of possible bad passwords (a password cracker's list)
  - time and space issues
- Markov model
  - generates guessable passwords
  - hence reject any password it might generate
- Bloom filter
  - used to build a table based on the dictionary using hashes
  - check the desired password against this table

Token-based Authentication
Objects that a user possesses for the purpose of user authentication are called tokens. We now examine two widely used types of token (memory cards and smart cards), both of which have the appearance and size of bank cards. Card types include:
- Embossed: raised characters only, on the front; e.g. an old credit card
- Magnetic stripe: magnetic bar on the back, characters on the front; e.g. a bank card
- Memory: electronic memory inside; e.g. a prepaid phone card
- Smartcard: electronic memory and processor inside; e.g. a biometric ID card

Embossed Card Example
Magnetic Stripe Example

Memory Card
- Stores but does not process data.
- Magnetic stripe card, e.g. a bank card.
- Electronic memory card.
- Used alone for physical access (e.g., hotel rooms).
- Some with a password/PIN (e.g., ATMs).
- Drawbacks of memory cards include:
  - Need a special reader.
  - Loss of the token prevents its owner from gaining system access.
  - User dissatisfaction (OK for an ATM, not OK for computer access).

Smartcard
- Like a credit card.
- Has its own processor, memory and I/O ports
  - ROM, EEPROM, RAM memory
- Executes a protocol to authenticate with the reader/computer:
  - static: similar to memory cards
  - dynamic: passwords created every minute; entered manually by the user or electronically
  - challenge-response: the computer creates a random number; the smart card provides its hash (similar to PK)
- Also available as USB dongles.

Smartcard Example

Electronic Identity Cards (eID)
- An important application of smart cards.
- A national e-identity (eID) serves the same purpose as other national ID cards (e.g., a driver's license).
  - Can provide stronger proof of identity.
- A German card carries: personal data, document number, card access number (a six-digit random number), machine readable zone (MRZ): the password.
- Uses: ePass (government use), eID (general use), eSign (can hold a private key and certificate).

German Card Example
User Authentication with eID
Brute Force Attack
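The Proactive Password Checking slide describes building a Bloom filter table from a dictionary of bad passwords using hashes and checking each chosen password against it. Added example, not from the lecture: a small Bloom filter in Python sized for a target false-positive rate, with a selection-time checker that applies the 8+ character rule, the filter lookup in place of the full dictionary, and the upper/lower/numeric/punctuation rule; the bad-password list, the index-prefixed SHA-256 hash family and the 1% rate are constructed for the example.

```python
import hashlib
from math import ceil, log

# Constructed bad-password dictionary (not the lecture's); a real checker
# would load the word list a password cracker tries.
BAD_PASSWORDS = ["password", "12345678", "qwertyui", "letmein1",
                 "iloveyou", "football", "welcome1", "sunshine"]


class BloomFilter:
    """m-bit table probed by k hash functions. Adding a word sets its k bits;
    a lookup succeeds only if all k are set, so every dictionary word is
    caught and a non-dictionary word is refused only by chance (a false
    positive, at roughly the requested rate), for a few bits per word."""

    def __init__(self, n_items: int, false_positive_rate: float = 0.01):
        # Standard sizing: m bits and k hashes for n items at rate p.
        self.m = ceil(-n_items * log(false_positive_rate) / log(2) ** 2)
        self.k = max(1, round(self.m / n_items * log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, word: str):
        # k distinct hash functions derived by prefixing an index.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, word: str) -> bool:
        return all((self.bits[pos // 8] >> (pos % 8)) & 1
                   for pos in self._positions(word))


def build_checker(words) -> BloomFilter:
    bf = BloomFilter(len(words))
    for w in words:
        bf.add(w)
    return bf


def proactive_check(bf: BloomFilter, password: str) -> tuple:
    """At selection time: length rule, then the filter, then composition."""
    if len(password) < 8:
        return False, "too short"
    if bf.might_contain(password):
        return False, "matches bad-password dictionary"
    rules = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if not all(any(rule(c) for c in password) for rule in rules):
        return False, "needs upper, lower, digit and punctuation"
    return True, "accepted"
```

The filter never misses a dictionary word; the cost of its compactness is that about 1 in 100 acceptable passwords is refused as if it were in the dictionary.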