PSU CSE 543 - Authentication

CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger

CSE 543 - Computer Security
Lecture 6 - Authentication
September 21, 2006
URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/

Project Background and Related Work
• Due 10/10
• Questions to answer:
  – What is the technical problem?
  – What has been done to solve it in the past?
  – Why has no one solved it yet?
• On project assignments page (~tjaeger/project_assigns.html)
  – More resources to investigate answers
  – Often tip of the iceberg
    • References in papers
    • Systems mentioned
• Divide up the search for information and answer the questions above

What is Authentication?
• Short answer: establishes identity
  – Answers the question: To whom am I speaking?
• Long answer: evaluates the authenticity of identity-proving credentials
  – Credential – is proof of identity
  – Evaluation – process that assesses the correctness of the association between credential and claimed identity
    • for some purpose
    • under some policy

Why authentication?
• Well, we live in a world of rights, permissions, and duties
  – Authentication establishes our identity so that we can obtain the set of rights
  – E.g., we establish our identity with Tiffany's by providing a valid credit card, which gives us rights to purchase goods ~ physical authentication system
• Q: How does this relate to security?

Why authentication (cont.)?
• Same in the online world, just different constraints
  – Vendor/customer are not physically co-located, so we must find other ways of providing identity
    • e.g., by providing a credit card number ~ electronic authentication system
  – Risks (for customer and vendor) are different
    • Q: How so?
• Computer security is crucially dependent on the proper design, management, and application of authentication systems.

What is Identity?
• That which gives you access … which is largely determined by context
  – We all have lots of identities
  – Pseudo-identities
• Really, determined by who is evaluating the credential
  – Driver's License, Passport, SSN prove …
  – Credit cards prove …
  – Signature proves …
  – Password proves …
  – Voice proves …
• Exercise: Give an example of a bad mapping between identity and the purpose for which it was used.

Credentials
• … are evidence used to prove identity
• Credentials can be
  – Something I am
  – Something I have
  – Something I know

Something you know …
• Passport number, mother's maiden name, last 4 digits of your social security number, credit card number
• Passwords and pass-phrases
  – Note: passwords are generally pretty weak
    • University of Michigan: 5% of passwords were goblue
    • Passwords used in more than one place
  – Not just because bad ones are selected: if you can remember it, then a computer can guess it
    • Computers can often guess very quickly
    • Easy to mount offline attacks
    • Easy countermeasures for online attacks

Something you have …
• Tokens (transponders, …)
  – Speedpass, EZ-Pass
• Smartcards
• Digital certificates (used by websites to authenticate themselves to customers)
  – More on this later …

Something you are …
• Biometrics measure some physical characteristic
  – Fingerprint, face recognition, retina scanners, voice, signature, DNA
  – Can be extremely accurate and fast
  – Active biometrics authenticate
  – Passive biometrics recognize
• What is the fundamental problem?
  – Revocation – lost fingerprint?
  – Great for physical security, generally not feasible for on-line systems

Web Authentication
• Authentication is a bi-directional process
  – Client
  – Server
  – Mutual authentication
• Several standard authentication tools
  – Basic (client)
  – Digest (client)
  – Secure Socket Layer (server, mutual)
  – Cookies (indirect, persistent)
• Q: Are cookies good credentials?

How Basic Authentication Works
(Slide figure: message exchange between CLIENT and SERVER)
  CLIENT → SERVER:  GET /protected/index.html HTTP/1.0
  SERVER → CLIENT:  HTTP/1.0 401 Unauthorized
                    WWW-Authenticate: Basic realm="Private"
  CLIENT → SERVER:  GET /protected/index.html HTTP/1.0
                    Authorization: Basic JA87JKAs3NbBDs

Setting up Basic auth in Apache
• File in the directory to protect (.htaccess):
    AuthType Basic
    AuthName "Patrick's directions (User ID=pdmcdan)"
    AuthUserFile /usr/pdmcdan/www-etc/.htpw1
    AuthGroupFile /dev/null
    require valid-user
• In /usr/pdmcdan/www-etc/.htpw1:
    pdmcdan:l7FwWEqjyzmNo
  generated using the htpasswd program
• Can use different .htaccess files for different directories
(Slide credit: B20.3157 Computer (and Network) Security - Fall 2005 - Professor McDaniel)

Basic Authentication Problems
• Passwords easy to intercept
• Passwords easy to guess
• Just base-64 encoded
• Passwords easy to share
• No server authentication
• Easy to fool client into sending password to malicious server
• One intercepted password gives eavesdropper access to many documents

Digest Authentication
(Slide figure: message exchange between CLIENT and SERVER)
  CLIENT → SERVER:  GET /protected/index.html HTTP/1.1
  SERVER → CLIENT:  HTTP/1.1 401 Unauthorized
                    WWW-Authenticate: Digest realm="Private" nonce="98bdc1f9f017.."
  CLIENT → SERVER:  GET /protected/index.html HTTP/1.1
                    Authorization: Digest username="lstein" realm="Private" nonce="98bdc1f9f017.." response="5ccc069c4.."

• Challenge ("nonce"): any changing string
  • e.g. MD5(IP address:timestamp:server secret)
• Response: challenge hashed with user's name &
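The Basic authentication slides above show the header exchange and the Apache credential file, and then list why Basic is weak, starting with "just base-64 encoded". The following Python is an added example (not code from the lecture or from Apache) that implements the server side of that exchange: it builds and parses the `Authorization: Basic` value and checks it against an htpasswd-like store. The store layout (`user:salthex$digesthex` with PBKDF2-HMAC-SHA256), the user names reused from the slides, and the passwords are all constructed for this example; real htpasswd files of that era held crypt(3) hashes such as the `l7FwWEqjyzmNo` shown on the slide. Note that `parse_basic` is exactly the step an eavesdropper performs on an intercepted header, which is the slide's point: base64 encodes, it does not protect, so Basic needs a confidential transport underneath it.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the .htpw1 file from the slides. The line layout
# "user:salthex$digesthex" and PBKDF2-HMAC-SHA256 are this example's assumptions.
PBKDF2_ROUNDS = 100_000


def make_entry(user, password, salt=None):
    """Produce one credential-store line; the salt is random unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{user}:{salt.hex()}${digest.hex()}"


# Fixed salts keep the constructed store reproducible; use os.urandom in practice.
CONSTRUCTED_HTPW = "\n".join([
    make_entry("pdmcdan", "correct horse", salt=b"\x01" * 16),
    make_entry("lstein", "battery staple", salt=b"\x02" * 16),
])


def load_store(text):
    """Parse the constructed store into {user: (salt, expected_digest)}."""
    store = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, entry = line.split(":", 1)
        salt_hex, _, digest_hex = entry.partition("$")
        store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return store


def basic_header(user, password):
    """What the client sends: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Recover (user, password) from the Authorization value, or None if malformed.

    This is all the 'protection' Basic provides: base64 is an encoding, so anyone
    who sees the header in transit recovers the password with exactly this call.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # user may not contain ':'
    return user, password


def verify_basic(header, store):
    """Server side: decode the header and check it against the stored hash."""
    parsed = parse_basic(header)
    if parsed is None:
        return False
    user, password = parsed
    # Hash even for unknown users so a missing account is not revealed by timing.
    salt, expected = store.get(user, (b"\x00" * 16, b"\x00" * 32))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return user in store and hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    store = load_store(CONSTRUCTED_HTPW)
    hdr = basic_header("pdmcdan", "correct horse")
    print("on the wire:      ", hdr)
    print("anyone can decode:", parse_basic(hdr))
    print("server accepts:   ", verify_basic(hdr, store))
```

The verifier always runs the PBKDF2 computation and only then checks membership, so a request for a non-existent user costs the same as one for a real user; the per-user salt means two accounts with the same password do not share a digest, which limits what an attacker learns if the store itself leaks.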
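The Digest slides above give the exchange and the nonce recipe MD5(IP address:timestamp:server secret) but, in this preview, stop before spelling out how the response is computed. The Python below is an added example (not the lecture's or any server's code) that carries the scheme through both sides following the RFC 2617 computation without qop: HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2). The server secret, the user name and realm reused from the slide, the password, the `timestamp:hash` nonce layout (the timestamp is prepended in the clear so the server can recheck freshness without keeping state), and the 300-second nonce lifetime are all assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed server secret; a real server would draw this from os.urandom at startup.
SERVER_SECRET = "constructed-server-secret"
NONCE_MAX_AGE = 300  # seconds a challenge stays valid (assumed policy)


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_nonce(client_ip, timestamp, secret=SERVER_SECRET):
    """Slide recipe MD5(IP address:timestamp:server secret), with the timestamp
    prepended in the clear (this example's layout) so the server can recheck it."""
    digest = md5hex(f"{client_ip}:{timestamp}:{secret}")
    return f"{timestamp}:{digest}"


def check_nonce(nonce, client_ip, now, secret=SERVER_SECRET, max_age=NONCE_MAX_AGE):
    """Accept only nonces this server minted for this client that are not stale."""
    ts_text, _, digest = nonce.partition(":")
    if not ts_text.isdigit():
        return False
    ts = int(ts_text)
    if ts > now or now - ts > max_age:
        return False
    return hmac.compare_digest(digest, md5hex(f"{client_ip}:{ts}:{secret}"))


def ha1(username, realm, password):
    """The server stores this instead of the password; note it is password-
    equivalent for this realm, so the store still needs protecting."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce):
    """Client side, RFC 2617 without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


def digest_header(username, realm, nonce, uri, response):
    """The Authorization value the client sends back; the password never appears."""
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^",\s]+))')


def parse_digest(header):
    """Turn the Authorization value into a dict of its parameters, or None."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _PARAM.findall(rest)}


def server_verify(header, method, client_ip, now, ha1_store):
    """Server side: validate the nonce, then recompute the response from stored HA1."""
    params = parse_digest(header)
    if params is None:
        return False
    try:
        username, realm, nonce = params["username"], params["realm"], params["nonce"]
        uri, response = params["uri"], params["response"]
    except KeyError:
        return False
    if not check_nonce(nonce, client_ip, now):
        return False  # replayed, stale, forged, or issued to another client
    stored = ha1_store.get((username, realm))
    if stored is None:
        return False
    expected = md5hex(f"{stored}:{nonce}:{md5hex(f'{method}:{uri}')}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    now = 1_000_000
    nonce = make_nonce("192.0.2.10", now)
    store = {("lstein", "Private"): ha1("lstein", "Private", "constructed-pw")}
    resp = digest_response("lstein", "Private", "constructed-pw", "GET", "/protected/index.html", nonce)
    hdr = digest_header("lstein", "Private", nonce, "/protected/index.html", resp)
    print(hdr)
    print("accepted:", server_verify(hdr, "GET", "192.0.2.10", now + 5, store))
```

Binding the response to the nonce, the method and the URI is what stops a captured header from being reused: the same header fails once the nonce ages out, when presented from a different client address, or against a different method. What Digest does not give is server authentication or confidentiality of the page itself, which is why the slides list SSL separately under "server, mutual".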

