SCU COEN 250 - Authentication Lecture Notes (34 pages)

Pages:
34
School:
Santa Clara University
Course:
Coen 250 - Computer Forensics

COEN 250: Authentication

Authentication
- Between human and machine
- Between machine and machine

Human-machine authentication
Authentication protocols are based on:
- What you know: e.g. password, pass phrase, secret key, private key
- What you have: physical key, smart card
- What you are: biometrics
- Where you are: e.g. a trusted machine, access to a room

Passwords
- Predate computers, as do some attacks (stealing, guessing)
- Older cell phone technology transmits the originating number together with a password: if the password is good, the call goes through. An eavesdropper who receives the phone number / password combination can now clone the phone.

Password attacks
- Guessing
  - On-line: time consuming. Authentication attempts are usually logged, so the attack can be detected long before it is likely to succeed, and it can be disrupted.
  - Off-line: the attacker needs to steal the relevant data from which the password(s) can be determined, and can then use an arbitrary amount of computing power.
- Capturing passwords: eavesdropping, login Trojan horse

Where passwords are stored
- On each server Alice uses
- Centrally, in an authentication storage node: each server retrieves the information when it wants to authenticate Alice
- Centrally, in an authentication facilitator node (AFN): each server takes Alice's data and password and goes to the AFN

How a password can be stored
- Unencrypted: simple, dangerous
- Implicitly, as a hash of the password (as in UNIX, VMS)
- Encrypted
- Hashed and encrypted

Example: Network Information Service (Yellow Pages)
- The directory service is the authentication storage node; it stores the hashed passwords of users
- Typically the list of hashed passwords is world readable: access is obtained by claiming to be a server
- The NIS authentication storage node does not authenticate itself to users, which allows impersonation of the authentication service

Passwords for machine-machine communication can be made difficult to guess: arbitrary length, truly random choice of characters. Human-machine passwords are guessable and subject to dictionary attack.
Dictionary attack
- Most passwords are natural language words, or derived from natural language words
- Guess the language; use a dictionary to try out all words in the language, starting with common passwords first
- Then replace a single character in a word, attach a random character, etc.

Brute force attack
- Generate all possible passwords
- Sometimes make assumptions on the alphabet (only printable characters, only characters on a keyboard)

Salting
- Protects hashed passwords against an offline brute force attack, which otherwise attacks all passwords in the password file simultaneously
- Store a salt with each password; the hash depends on both salt and password
- Use different salts for different passwords
- A brute force or dictionary attack can then only attack a single password at a time

Passwords are compromised
- By obtaining the password file: safeguard by hashing and salting, or by encryption
- By eavesdropping on an exchange: use one-time passwords (Lamport hash)

Address-based authentication
- Common in the r-tools of early UNIX
- .rhosts, in the user's home directory: (computer, account) pairs that are allowed access to the user's account
- /etc/hosts.equiv: list of network addresses of equivalent machines. An account name on A is equivalent to the same account name on B, so users have to have identical account names
- Threatened by access escalation: the attacker gains access to one host, and access cascades to the equivalent hosts (.rhosts)
- Threatened by address spoofing: it is very easy to spoof a source address, harder to intercept the traffic coming back

Ethernet network address impersonation
- Easy on the same link; hubs do not protect
- Switches can be spoofed through the ARP protocol
- Routers are harder to fool, but can be attacked and provided with misleading routing data

Cryptographic authentication
- Alice proves her identity to Bob by proving to Bob that she knows a secret
- Based on hashes, secret key cryptography, or public key cryptography
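The salting slides above describe an offline attack on a hashed password file that tries each candidate against all stored hashes at once, and how per-password salts force the attacker to redo the work for every entry. The following is an added example, not part of the lecture notes: a small Python model with a constructed user list and word list, SHA-256 standing in for the system's password hash, and the mutation rules (capitalise, append a digit, replace one character) as assumptions about what a dictionary attacker tries.

```python
import hashlib
import os

# Constructed sample data for the demonstration (not from the notes).
USERS = {
    "alice": "dragon",     # shared with bob: visible as equal hashes in an unsalted file
    "bob": "dragon",
    "carol": "sunsh1ne",   # dictionary word with one character replaced
    "dave": "Zq7!vB2m",    # random: not reachable from the word list
}
WORDLIST = ["password", "letmein", "dragon", "monkey", "sunshine", "welcome"]


def mutations(word):
    """The word itself, then the simple variants a dictionary attack tries:
    capitalised, a digit appended, one character replaced (assumed rule set)."""
    yield word
    yield word.capitalize()
    for d in "0123456789":
        yield word + d
    for i in range(len(word)):
        for r in "01@$":
            yield word[:i] + r + word[i + 1:]


def candidates():
    """All guesses in the order the attacker tries them."""
    for word in WORDLIST:
        yield from mutations(word)


def pw_hash(password, salt=b""):
    """SHA-256 stands in for the system's password hash (assumption)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_password_file(users, salted):
    """Return {user: (salt, hash)}; the salt is empty when the file is unsalted."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(8) if salted else b""
        table[user] = (salt, pw_hash(pw, salt))
    return table


def crack_unsalted(table):
    """Each candidate is hashed once and looked up against every stored hash:
    the whole file is attacked simultaneously, whatever its size."""
    by_hash = {}
    for user, (_, digest) in table.items():
        by_hash.setdefault(digest, []).append(user)
    found, hash_ops = {}, 0
    for cand in candidates():
        hash_ops += 1
        for user in by_hash.get(pw_hash(cand), []):
            found[user] = cand
    return found, hash_ops


def crack_salted(table):
    """With per-user salts a candidate must be re-hashed under each user's
    salt, so only one password can be attacked at a time."""
    found, hash_ops = {}, 0
    for user, (salt, digest) in table.items():
        for cand in candidates():
            hash_ops += 1
            if pw_hash(cand, salt) == digest:
                found[user] = cand
                break
    return found, hash_ops


if __name__ == "__main__":
    for salted in (False, True):
        table = make_password_file(USERS, salted)
        found, ops = (crack_salted if salted else crack_unsalted)(table)
        print(f"salted={salted}: cracked {sorted(found)} with {ops} hash operations")
```

With the unsalted file the attacker computes 240 hashes in total, recovers alice, bob and carol, and sees from the identical digests that alice and bob share a password before guessing anything; with salts the same word list costs 600 hashes because every candidate is re-hashed under each user's salt, and the cost keeps growing with the number of users. Salting does not make any single password harder to guess, which is why real systems pair it with a deliberately slow hash.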
Human-machine authentication: initial password distribution to humans
- Pre-expired
- Through mail
- Strong passwords derivable from common knowledge (e.g. student ID)

Authentication token: possession
- Magnetic stripe, as on credit cards; possession of the token proves the right to access
- Harder to reproduce, impossible to guess, demands special hardware
- Can be lost or stolen: add PIN or password protection
- Not safe against communication eavesdropping and forging

Authentication token: smart card
- Needs to be inserted in a smart card reader; the card authenticates to the reader
- PIN-protected smart cards stop working after a number of false PINs
- Cryptographic challenge-response cards: the card contains a cryptographic key; the authenticating computer issues a challenge, and the card solves it after the PIN is entered. Harder to crack than PIN-protected smart cards because the key is never revealed
- Readerless smart card (cryptographic calculator): communicates with its owner through a mini keyboard and display. The authenticating computer issues a challenge to Alice; Alice types the challenge into the readerless smart card, which solves it after Alice enters her password; Alice transfers the answer to the computer

Human-machine authentication: biometrics
- Retinal scanner, fingerprint reader, face recognition, iris scanner, handprint readers, voiceprints, keystroke timing, signatures

Security policy: defining protection levels
- Partitioning computing resources: it is usually necessary (by law) to have special security for sensitive areas such as Human Resources and Accounting. The network can be repartitioned using subnets with special protection and special procedures
- Protection by naming: increase protection by not making certain systems visible from the outside
- (Diagram: Internet, external DNS server, external firewall, internal DNS server, internal firewall, local LAN)
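Two of the slides above answer the eavesdropping problem: the password slide says to use one-time passwords (the Lamport hash), and the smart-card slide describes a challenge-response card whose key is never revealed and which stops working after a number of false PINs. The following is an added example, not code from the lecture notes, that models both against an eavesdropper who records one login and replays it. SHA-256 as the one-way function, HMAC-SHA256 as the card's response function, a chain of length 5 and a lock-out after three bad PINs are assumptions made for the demonstration; the messages are plain Python values standing in for the wire.

```python
import hashlib
import hmac
import os


def H(data):
    """One-way function for the Lamport chain (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


class LamportClient:
    """Alice holds the secret and counts down the chain: login k sends
    H^(n-k)(secret), which the server can check but nobody can invert."""

    def __init__(self, secret, n):
        self.secret, self.n = secret, n
        self.top = self.hash_times(n)   # H^n(secret), registered once with the server

    def hash_times(self, k):
        x = self.secret
        for _ in range(k):
            x = H(x)
        return x

    def next_otp(self):
        self.n -= 1
        return self.hash_times(self.n)


class LamportServer:
    """Stores only the current top of the chain. A valid login presents its
    preimage, which then becomes the new top, so a captured value is no longer
    the preimage of anything the server holds."""

    def __init__(self, top, n):
        self.current, self.n = top, n

    def login(self, otp):
        if self.n == 0 or H(otp) != self.current:
            return False
        self.current, self.n = otp, self.n - 1
        return True


class Card:
    """Challenge-response token: the key never leaves the card, answers are
    only given after the PIN, and the card locks after MAX_BAD_PINS failures."""

    MAX_BAD_PINS = 3   # assumed lock-out threshold

    def __init__(self, key, pin):
        self._key, self._pin = key, pin
        self.bad_pins, self.locked = 0, False

    def respond(self, challenge, pin):
        if self.locked:
            return None
        if pin != self._pin:
            self.bad_pins += 1
            self.locked = self.bad_pins >= self.MAX_BAD_PINS
            return None
        self.bad_pins = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """The authenticating computer: issues a fresh random challenge each time
    and checks the response against its own copy of the card's key."""

    def __init__(self, key):
        self._key = key

    def challenge(self):
        return os.urandom(16)

    def verify(self, challenge, response):
        if response is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run both schemes against an eavesdropper who replays what she saw."""
    out = {}
    client = LamportClient(os.urandom(16), n=5)
    server = LamportServer(client.top, n=5)
    otp1 = client.next_otp()                       # seen on the wire by the eavesdropper
    out["lamport_login"] = server.login(otp1)
    out["lamport_replay"] = server.login(otp1)     # replayed value is rejected
    out["lamport_next"] = server.login(client.next_otp())

    key = os.urandom(32)
    card, verifier = Card(key, pin="4711"), Verifier(key)
    c1 = verifier.challenge()
    r1 = card.respond(c1, "4711")                  # (c1, r1) seen on the wire
    out["card_login"] = verifier.verify(c1, r1)
    out["card_replay"] = verifier.verify(verifier.challenge(), r1)  # new challenge, old answer
    for _ in range(Card.MAX_BAD_PINS):
        card.respond(c1, "0000")                   # stolen card, PIN guessed wrongly
    out["card_locked"] = card.respond(c1, "4711") is None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The readerless calculator in the notes is Card.respond with Alice typing the challenge in and reading the response back. Two caveats a practitioner should keep in mind: a Lamport chain is finite and has to be re-initialised with a new secret after n logins, and neither scheme protects a session that is hijacked after authentication has succeeded.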
Security policy: defining protection levels (sample policy statements)
- Human resources, accounting and other administrative support systems shall be physically partitioned from the general network in such a manner as to control the flow of information to and from those systems.
- Network name services shall be configured to provide Internet users with generic names for accessible internal systems, while serving meaningful names to internal organizational users.
- Network addresses shall be predefined for every system.

