Identification and Authentication CSM27 Computer Security Dr Hans - PowerPoint PPT Presentation

  1. Identification and Authentication
     CSM27 Computer Security
     Dr Hans Georg Schaathun, University of Surrey
     Autumn 2009 – Week 4
     Dr Hans Georg Schaathun · Identification and Authentication · Autumn 2009 – Week 4 · 1 / 32

  2. Introduction / Background
     Outline
     1 Introduction: Background; Definitions; Password management
     2 Attacks: Guessing Passwords; Spoofing Passwords; The password file
     3 Closing Words: Alternative Approaches; User convenience; Exercises

  3. Introduction / Background
     Session objectives
     - Recognise the purposes of (password) identification.
     - Be aware of the potential vulnerabilities in password authentication caused by organisational, human, and technical issues.
     - Be able to identify and apply some security mechanisms for password distribution and management.
     - Draw general security lessons from the familiar scenario of password authentication.

  4. Introduction / Background
     A familiar scenario
     How many usernames and passwords do you have?
     How many different passwords do you use?

  6. Introduction / Definitions
     Identification and Authentication
     Identification (e.g. giving your username): you reveal your identity to the system.
     Entity Authentication (e.g. giving a password): the process of verifying a claimed identity.

  7. Introduction / Definitions
     The purpose of passwords
     The computer system can know who the user is. This enables two features:
     - Audit trail: the system logs activity, and in the case of unauthorised and illegal activities, the logs can be used to trace the guilty user.
     - Authorisation: use is restricted to recognised users, based on payment or membership.
     Remark: Authorisation does not necessarily require identification; there are alternative approaches. However, using the audit trail to prosecute misbehaving users can hardly be done without identification.

  12. Introduction / Password management
     The bootstrap problem
     How do you identify the user when you give him the first password?
     How did you get your first password at Surrey?

  13. Introduction / Password management
     Forgotten passwords
     What do you do if the user forgets his password?
     Has anyone ever forgotten their password? What did you do to have it reset?
     - Forgotten passwords are an accessibility threat: we have to reissue passwords to maintain accessibility.
     - Reissuing creates a vulnerability: an intruder can pretend to be an authorised user who has forgotten his password.
     - Misissuing a password is a confidentiality threat.

  18. Introduction / Password management
     Verification techniques
     - Authorised channel: do not give a password to a caller on the phone, but call back on an authorised phone number. Use a courier for personal delivery.
     - Independent witness: call back someone else, like the requestor’s manager.
     - Damage limitation: issue a one-time password, forcing the user to change it immediately.
     - Independent verification channel: require confirmation by a different channel before the password is activated.

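The following is an added illustration, not code from the lecture or from the University of Surrey: a small password service that ties together the definitions of slide 6 (identification by username lookup, authentication by password check), the audit trail of slide 7, the reissue problem of slide 13 and the damage-limitation and independent-verification-channel techniques of slide 18. A reset request issues a random temporary password that is not usable until it is confirmed over a second channel, expires after a fixed lifetime, and must be changed at first login. All class, function and constant names (PasswordService, request_reset, confirm_reset, TEMP_LIFETIME, ITERATIONS) are hypothetical; the timestamps are passed in explicitly so the flow is deterministic.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 200_000   # PBKDF2 work factor (constructed value for the example)
TEMP_LIFETIME = 3600   # seconds a temporary password stays valid (constructed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256, so a stolen password file does not reveal passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = False              # damage limitation: credential is one-time
    temp_expires: int = 0                  # when the temporary credential stops working
    pending_salt: Optional[bytes] = None   # temporary credential awaiting confirmation
    pending_digest: Optional[bytes] = None


@dataclass
class PasswordService:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # audit trail: (time, username, event, outcome)

    def _log(self, now: int, username: str, event: str, outcome: str) -> None:
        self.audit.append((now, username, event, outcome))   # never log the password itself

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str, now: int) -> str:
        """Identification (username lookup) followed by authentication (password check)."""
        acct = self.accounts.get(username)
        if acct is None or not verify_password(password, acct.salt, acct.digest):
            self._log(now, username, "login", "denied")
            return "denied"
        if acct.must_change:
            if now > acct.temp_expires:
                self._log(now, username, "login", "temporary password expired")
                return "denied"
            self._log(now, username, "login", "temporary password, change required")
            return "change-required"
        self._log(now, username, "login", "ok")
        return "ok"

    def request_reset(self, username: str, now: int) -> str:
        """Issue a random one-time password; it is NOT usable until confirm_reset() succeeds,
        so a bogus 'I forgot my password' call cannot lock out or impersonate the real user."""
        acct = self.accounts[username]
        temp = secrets.token_urlsafe(12)
        acct.pending_salt, acct.pending_digest = hash_password(temp)
        acct.temp_expires = now + TEMP_LIFETIME
        self._log(now, username, "reset-request", "temporary password issued, awaiting confirmation")
        return temp   # to be delivered over the authorised channel (call-back, courier)

    def confirm_reset(self, username: str, now: int) -> bool:
        """Activation over an independent channel (e.g. the requestor's manager confirms)."""
        acct = self.accounts[username]
        if acct.pending_digest is None or now > acct.temp_expires:
            self._log(now, username, "reset-confirm", "denied")
            return False
        acct.salt, acct.digest = acct.pending_salt, acct.pending_digest
        acct.pending_salt = acct.pending_digest = None
        acct.must_change = True   # old password retired; the temporary one must be changed
        self._log(now, username, "reset-confirm", "activated")
        return True

    def change_password(self, username: str, current: str, new: str, now: int) -> bool:
        if self.login(username, current, now) == "denied":
            return False
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False
        self._log(now, username, "change", "ok")
        return True
```

Two design points are worth noting. The old password keeps working until the reset is confirmed, so an unverified request cannot deny the genuine user access (the accessibility threat), and the temporary password is rejected before confirmation, so a misissued one is worthless on its own (the confidentiality threat). The example does leak whether a username exists through timing, because verify_password is skipped for unknown usernames; a production service would hash a dummy value in that branch.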