
Computer Security: Security at Work (lecture slides, PDF document)

Bart Jacobs
Institute for Computing and Information Sciences – Digital Security
Radboud University Nijmegen
Version: fall 2010
Computer Security 1 / 58

Outline (2/58)

1. Authentication and Identity Management
   • Authentication
   • Identity management
   • Kerberos, and derivatives
2. Operating System and Network Security
   • Security models
   • A very brief look at operating systems
   • Network security basics
3. Cyber war and terrorism
   • Cyber war
   • Terrorism
4. Conclusions

Human to computer authentication (4/58)

Recall: identification = saying who you are; authentication = proving who you are.

The three basic human-to-computer authentication mechanisms are based on:

1. something you have, like a (physical) key, or card
   Risk? theft, copying
2. something you know, like a password or PIN
   Risk? eavesdropping (shoulder-surfing), brute-force trials, forgetting (how secure is the recovery procedure?), social engineering, fake login screens (use a wrong password first!)
3. something you are, i.e. biometrics, like fingerprints or iris
   Risk? imitation (non-replaceability), multiple use

More about passwords (5/58)

It is common wisdom that at least a 64 bit string is needed to be secure against password guessing. These 64 bits amount to:

• 11 characters, randomly chosen
• 16 characters, computer generated but pronounceable
• 32 characters, user-chosen

With modern brute force and rule-based techniques, passwords can be broken easily. A well-known system to do so is Crack.

Heuristics: reasonably good passwords come from longer phrases, e.g. multiple letters of the words in a sentence: they are relatively easy to remember, and reasonably arbitrary (with much entropy). It is then still wise to filter on bad passwords.

An alternative is to use one-time passwords, distributed via an independent channel (e.g. via a generator, via GSM or TAN-lists).

Password change policies (6/58)

Does it make sense to force users to change their passwords periodically (say every 3 months)?

• Pro: compromised passwords are usable for only a relatively short amount of time
• Against: lots of things:
  • the cause of a password compromise (if any) is ignored, and may be re-exploited
  • users get annoyed, and use escape techniques:
    • insecure variations: passwd1, passwd-2010 etc.
    • writing passwords down (so that they become ‘something you have’)

Password recovery (7/58)

What to do when a user forgets his/her password? This happens frequently. Hence recovery procedures should not be too complicated (or expensive). What to do? Some options:

• self service password reset, by supplying answers to previously set security questions, like “where was your mother born?”, “what’s your first pet’s name?” etc. Often, answers can be obtained by social engineering, phishing or simple research (recall the Sarah Palin mailbox incident in 2008)
• provide a new password via a different channel
  • face-to-face transfer is best, but not always practical
  • ING bank provides a new password via SMS (recall: GSM (esp. SMS) is now broken)
• force re-registration (like DigiD does in NL)
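An added example (not from the slides) that makes two points above concrete in Python: the entropy arithmetic behind "64 bits amounts to 11 randomly chosen characters", and a bad-password filter of the kind the slide recommends, extended to catch the "escape technique" variants named under change policies (passwd1, passwd-2010, case changes). The bad-password list and the leet-speak mapping are small constructed stand-ins, not a real dictionary; the function names are mine.

```python
import math
import re
import string

# Constructed stand-in for a real bad-password dictionary (the kind a
# Crack-style tool would try first).
BAD_PASSWORDS = {"password", "passwd", "123456", "qwerty", "letmein", "welcome"}

# Constructed, deliberately small leet-speak mapping used when normalising.
_LEET = str.maketrans("013457@$!", "oleastasi")


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def chars_needed(bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches `bits` of entropy for a uniformly random
    password over the given alphabet. 64 bits over the 62 alphanumerics
    gives 11, the figure quoted on the slide."""
    return math.ceil(bits / math.log2(alphabet_size))


def _core(pw: str) -> str:
    """Normalise a password to its 'core': lower-case, leading/trailing digits
    and punctuation stripped, then leet digits undone. Two passwords with the
    same core are treated as trivial variants of each other."""
    s = pw.lower().strip(string.digits + string.punctuation)
    return s.translate(_LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with a counter, year or symbols added, or only
    its case changed (passwd -> passwd1, passwd-2010, PASSWD!)."""
    oc, nc = _core(old), _core(new)
    return bool(oc) and (oc == nc or (len(oc) >= 4 and oc in nc))


def check_new_password(new: str, old: str = "", min_len: int = 8) -> list:
    """Filter on bad passwords. Returns the reasons for rejection; an empty
    list means the candidate passes. `old` is the previous password (if any)
    so that periodic-change escape variants are refused too."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if new.lower() in BAD_PASSWORDS or _core(new) in BAD_PASSWORDS:
        reasons.append("in the bad-password list")
    if re.fullmatch(r"\d+", new):
        reasons.append("digits only")
    if old and is_trivial_variant(old, new):
        reasons.append("trivial variant of the previous password")
    return reasons


if __name__ == "__main__":
    for alphabet, size in (("alphanumeric", 62), ("printable ASCII", 95), ("lower-case", 26)):
        print(f"{alphabet}: {chars_needed(64, size)} random chars for 64 bits")
    for candidate in ("passwd1", "passwd-2010", "PASSWD!", "mltwias8Q"):
        print(candidate, "->", check_new_password(candidate, old="passwd") or "ok")
```

The filter deliberately compares normalised cores rather than raw strings: a policy that only forbids reuse of the exact previous password is precisely what the passwd1/passwd-2010 escape defeats. The entropy helper assumes uniformly random choice; the slide's 16- and 32-character figures for pronounceable and user-chosen passwords reflect the much lower per-character entropy of those schemes and are not reproduced by this formula.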
