authentication continued
play

Authentication (Continued) Autumn 2018 Tadayoshi (Yoshi) Kohno - PowerPoint PPT Presentation

Oct 19, 2022 •390 likes •739 views

CSE 484 / CSE M 584: Computer Security and Privacy Authentication (Continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Authentication (Continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • HW2: Due Nov 7, 4:30pm • Looking ahead, rough plan: • Lab 2 out Nov 5, due Nov 20, 4:30pm – Quiz section this week extended office hours • HW 3 out ~Nov 19, due ~Nov 30 • Lab 3 out ~Nov 26, due Dec 7 (Quiz Section on Nov 29) • No class Nov 21; video review assignment instead 11/8/2018 CSE 484 / CSE M 584 2

  3. Admin • Final Project Proposals: Nov 16 – group member names and brief description • Final Project Checkpoint: Nov 30 – preliminary outline and references • Final Project Presentation: Dec 10 – 12-15-minute video – must be on time • Explore something of interest to you, that could hopefully benefit you or your career in some way – technical topics, current events, etc 11/8/2018 CSE 484 / CSE M 584 3

  4. Review: Many Ways to Prove Who You Are • What you know – Passwords – Answers to questions that only you know • Where you are – IP address, geolocation • What you are – Biometrics • What you have – Secure tokens, mobile devices 11/8/2018 4

  5. Review: Other Password Security Issues • Keystroke loggers – Hardware – Software (spyware) • Shoulder surfing • Same password at multiple sites • Broken implementations – TENEX timing attack 11/8/2018 5

  6. Review: Examples from One Company 11/8/2018 CSE 484 / CSE M 584 - Fall 2017 6

  7. Review: Even More Issues • Usability – Hard-to-remember passwords? – Carry a physical object all the time? • Denial of service – Attacker tries to authenticate as you, account locked after three failures • Social engineering 11/8/2018 7

  8. Default Passwords • Examples from Mitnick’s “Art of Intrusion” – U.S. District Courthouse server: “public” / “public” – NY Times employee database: pwd = last 4 SSN digits • Mirai IoT botnet – Weak and default passwords on routers and other devices 11/8/2018 8

  9. Weak Passwords • RockYou hack – “ Social gaming ” company – Database with 32 million user passwords from partner social networks – Passwords stored in the clear – December 2009: entire database hacked using an SQL injection attack and posted on the Internet – One of many such examples! 11/8/2018 9

  10. Weak Passwords • RockYou hack – “ Social gaming ” company – Database with 32 million user passwords from partner social networks – Passwords stored in the clear – December 2009: entire database hacked using an SQL injection attack and posted on the Internet 11/8/2018 10

  11. [Inglesant and Sasse, “ The True Cost of Unusable Password Policies ” ] Password Policies • Old recommendation: – 7 or 8 characters, at least 3 out of {digits, upper-case, lower-case, non-alphanumeric}, no dictionary words, change every 4 months, password may not be similar to previous 12 passwords… • But … results in frustrated users and less security – Burdens of devising, learning, forgetting passwords – Users construct passwords insecurely, write them down • Can’t use their favorite password construction techniques (small changes to old passwords, etc.) – Heavy password re-use across systems 11/8/2018 11

  12. Password Usability 11/8/2018 12

  13. Image from http://www.interactivetools.com/staff/dave/damons_office/ 11/8/2018 13

  14. [Inglesant and Sasse, “ The True Cost of Unusable Password Policies ” ] Password Policies • Old recommendation: – 7 or 8 characters, at least 3 out of {digits, upper-case, lower-case, non-alphanumeric}, no dictionary words, change every 4 months, password may not be similar to previous 12 passwords… • But … results in frustrated users and less security – Burdens of devising, learning, forgetting passwords – Users construct passwords insecurely, write them down • Can’t use their favorite password construction techniques (small changes to old passwords, etc.) – Heavy password re-use across systems – (Password managers can help) 11/8/2018 14

  15. More Password / Authentication Issues • Credential Stuffing (using stolen credentials on other sites) • Website permits brute force / automated guesses • Not supporting multi-factor authentication (future slides) • Weak password recovery mechanisms (next slides) • Application timeouts too long 11/8/2018 15

  16. Recovering Passwords 11/8/2018 16

  17. Wired Cover Story (Dec 2012) “This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust — seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well — but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat .” 11/8/2018 17

  18. Improving(?) Passwords • Add biometrics – For example, keystroke dynamics or voiceprint • Graphical passwords – Goal: easier to remember? no need to write down? • Password managers – Examples: LastPass, built into browsers – Can have security vulnerabilities … • Two-factor authentication – Leverage phone (or other device) for authentication 11/8/2018 19

  19. Multi-Factor Authentication 11/8/2018 20

  20. FIDO + Hardware Two Factors 11/8/2018 CSE 484 / CSE M 584 21

  21. Graphical Passwords • Many variants… one example: Passfaces – Assumption: easy to recall faces – Problem: to make passwords easy to remember, users choose predictable faces 11/8/2018 22

  22. Graphical Passwords • Another variant: draw on the image (Windows 8) • Problem: users choose predictable points/lines 11/8/2018 23

  23. Unlock Patterns • Problems: – Predictable patterns (sound familiar by now??) – Smear patterns – Side channels: apps can use accelerometer and gyroscope to extract pattern! 11/8/2018 24

  24. What About Biometrics? • Authentication: What you are • Unique identifying characteristics to authenticate user or create credentials – Biological and physiological: Fingerprints, iris scan – Behaviors characteristics - how perform actions: Handwriting, typing, gait • Advantages: – Nothing to remember – Passive – Can’t share (generally) – With perfect accuracy, could be fairly unique 11/8/2018 25

  25. Issues with Biometrics • Private, but not secret – Maybe encoded on the back of an ID card? – Maybe encoded on your glass, door handle, ... – Sharing between multiple systems? • Revocation is difficult (impossible?) – Sorry, your iris has been compromised, please create a new one... • Physically identifying – Soda machine to cross-reference fingerprint with DMV? • Birthday paradox – With false accept rate of 1 in a million, probability of false match is above 50% with only 1609 samples 11/8/2018 26

  26. Web Tracking 11/8/2018 33

  27. Ads That Follow You Advertisers (and others) track your browsing behaviors for the purposes of targeted ads, website analytics, and personalized content. 11/8/2018 34

  28. Third-Party Web Tracking Browsing profile ile for or use ser 12 123: 3: cnn.com theonion.com political-site.com other-sensitive-site.com These ads allow crit riteo.c .com to link your visits between sites, even if you never click on the ads. 11/8/2018 35

  29. Concerns About Privacy (2010 – 2011) 11/8/2018 36

  30. First and Third Parties • First-party cookie: belongs to top-level domain. • Third-party cookie: belongs to domain of embedded content (such as image, iframe). www.bar.com’s Bar’s Server st par (1 st coo ookie (1 party) www.bar.com www.foo.com’s www.foo.com Foo’s Server rd part coo ookie (3 (3 rd party) 11/8/2018 37

  31. Anonymous Tracking Trackers included in other sites use third-party cookies containing unique identifiers to create browsing profiles. cookie: id=789 cri riteo.com use user 789 789: theonion.com, cnn.com, sensitive- site.com, … cookie: id=789 11/8/2018 38

  32. Basic Tracking Mechanisms • Tracking requires: (1) re-identifying a user. (2) communicating id + visited site back to tracker. 11/8/2018 39

  33. Tracking Technologies • HTTP Cookies • Flash cookies • HTTP Auth • Silverlight storage • HTTP Etags • TLS session ID & resume • Content cache • Browsing history • IE userData • window.name • HTML5 protocol and • HTTP STS content handlers • DNS cache • HTML5 storage • “Zombie” cookies that respawn (http://samy.pl/evercookie) 11/8/2018 40

  34. Fingerprinting Web Browsers • User agent • Installed fonts • HTTP ACCEPT headers • Cookies enabled? • Browser plug-ins • Browser add-ons • MIME support • Screen resolution • Clock skew • HTML5 canvas (differences in graphics SW/HW!) 11/8/2018 41

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Cryptography: Symmetric Encryption (continued), Hash Functions,

Cryptography: Symmetric Encryption (continued), Hash Functions,

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Symmetric Encryption (continued), Hash Functions, Message Authentication Codes Spring

676 views • 23 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
e-authentication Practices: A road to global implementation of e-authentication for

e-authentication Practices: A road to global implementation of e-authentication for

Market-driven e-authentication Practices: A road to global implementation of e-authentication for cross-bordered trade document Mr. Wanawit Ahkuputra Deputy Executive Director of ETDA Thailand HOD and AFACT chair. Building Soft

533 views • 13 slides
IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication

IT350 Web and Internet Programming SlideSet #18: HTTP Authentication http://www.httpwatch.com/httpgallery/authentication/ http://httpd.apache.org/docs/2.2/howto/auth.html Outline HTTP Basic Authentication HTTP Digest Authentication 1

349 views • 8 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
Authentication Frequency (and Continuous Authentication) Mike Just Interactive and Trustworthy

Authentication Frequency (and Continuous Authentication) Mike Just Interactive and Trustworthy

Authentication Frequency (and Continuous Authentication) Mike Just Interactive and Trustworthy Technologies Group Glasgow Caledonian University SOUPS 2014 WAY Workshop 9 July 2014 Outline Authentication frequency Continuous

502 views • 12 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides

More recommend