CSCI 530 Lab
Authentication

Outline
 - Authentication
 - How much authentication is needed?
 - How can authentication be broken?
 - Password Breaking
 - Rainbow Tables
 - Detecting someone trying to break into a system
 - This week's lab

Authentication
 - Authentication is verifying the identity of a particular person
   - Example: logging into a system
   - Example: PGP, where the digital signature is the authentication mechanism
 - Different from authorization
   - Authorization states what he/she can do on a system

Authentication
 - How do we authenticate:
   - Something they know
     - Password
   - Something they are
     - Retina
     - Fingerprint
     - DNA
   - Something they own
     - Smart card
   - Somewhere they are
     - Login only works at certain terminals

How much authentication is needed?
 - We can use either one or a combination of all the above
 - Client systems
   - Normally just a login
 - Military top secret security base
   - Name
   - Badge
   - Passcode
 - Credit card purchases
   - Driver's license
     - Name
     - Picture

How can authentication be broken?
 - For security purposes, we need to know how authentication can be broken so we know how to prevent against it
 - Passwords
   - Can be guessed
   - Can be cracked
 - Smartcards
   - Can be copied or stolen
 - Fingerprints
   - Can be copied by using scotch tape

Password Breaking
 - Dictionary attack
   - List of dictionary words that are tried one after another
   - Very quick
   - If the password is not an exact match to a word on the list, then it will fail
 - Hybrid attack
   - Uses a dictionary list but can detect slight variations to words, or combinations of words
   - Example: if the word hello is in the database, but the password is Hello, a dictionary attack will not break the password, but a hybrid attack will
   - Generally finds many more words than a dictionary attack
   - Not as quick as a dictionary attack

Password Breaking
 - Bruteforce attack
   - Will try every character combination until it finds the password
   - EXTREMELY SLOW
   - Will always find the password
 - These techniques can either be used against a system or a file containing the passwords

Rainbow Tables
 - Philippe Oechslin
 - Uses a reduce function to attempt to map a hash to a password
 - Uses chains to determine the exact password
 - For a good primer on Rainbow Tables, see: http://kestas.kuliukas.com/RainbowTables/
 - Pros
   - Can break any password in a matter of minutes
 - Cons
   - Must have a specific Rainbow Table for a particular hashing function
   - Can be defeated using salts

Detecting someone trying to break into a system
 - Auto-logout
   - If the user enters the wrong password n times, disable their account for a certain period of time
 - Protect your password list on your system
   - Make sure the administrator has access and no one else, so a normal user cannot copy it onto another system

This week's lab
 - Using a virtual Linux system
 - Login as root, create user names, then copy the password file to the Windows host system
 - Use John the Ripper to break the passwords in the password file
 - Must be done in lab since we are using a Linux virtual
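The following is an added illustration, not part of the original slides, of why a precomputed hash table (the idea a rainbow table compresses) reverses unsalted hashes but is defeated by a per-user salt. It assumes SHA-256 as the hashing function and uses a tiny constructed word list in place of a real dictionary.

```python
import hashlib
import os

# Constructed toy "dictionary" standing in for a real word list (assumption).
WORDLIST = ["hello", "Hello", "password", "letmein", "dragon"]


def unsalted_hash(password: str) -> str:
    """No salt: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password once, ahead of time, for every word.
    A rainbow table is a space-optimised version of exactly this table."""
    return {unsalted_hash(w): w for w in words}


def reverse_with_table(table, digest):
    """Look a stolen digest up; None means the table does not cover it."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: the same password yields different digests,
    so one precomputed table cannot serve every user or every system."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password: str):
    """What a password file should store for a user: (salt, salted digest)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(record, attempt: str) -> bool:
    """Recompute with the stored salt and compare; the salt is not secret."""
    salt, digest = record
    return salted_hash(attempt, salt) == digest


def demo():
    table = build_lookup_table(WORDLIST)
    recovered = reverse_with_table(table, unsalted_hash("hello"))  # "hello"
    rec_a, rec_b = make_record("hello"), make_record("hello")
    differ = rec_a[1] != rec_b[1]              # two users, same password, two digests
    table_hit = reverse_with_table(table, rec_a[1])  # None: table is useless here
    return recovered, differ, table_hit, verify(rec_a, "hello"), verify(rec_a, "Hello")
```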