salted challenge response authentication mechanism scram
play

Salted Challenge Response Authentication Mechanism (SCRAM) - PowerPoint PPT Presentation

Jan 24, 2023 •109 likes •189 views

Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-10.txt Abhijit Menon-Sen <ams@oryx.com> Chris Newman <chris.newman@sun.com> Alexey Melnikov <alexey.melnikov@isode.com> Simon Josefsson

  1. Salted Challenge Response Authentication Mechanism (SCRAM) draft-newman-auth-scram-10.txt Abhijit Menon-Sen <ams@oryx.com> Chris Newman <chris.newman@sun.com> Alexey Melnikov <alexey.melnikov@isode.com> Simon Josefsson <simon@josefsson.org> IETF 74, San Francisco

  2. Status • Nearly ready for WGLC, but need to choose between purt-SCRAM and SCRAM-as-GS2 variants • A couple of implementations of SCRAM exist (Dave Cridland, Alexey)

  3. Major Changes since -07 • Moved authorization identity to the second message from the client • Clarified the meaning of the “m” option (mandatory future extensions) • Clarified handling of the “c” (channel binding data) option – Unrecognized channel bindings are ignored by the server • Allow CTL, but disallow NUL in authentication and authorization identities • Added some text on comparison with CRAM-MD5 • Added description of design goals

  4. Open Issues (1 of 4) • Min/Recommended iteration counter value – Simon has recommended to use 4096 – Dave Cridland has suggested that clients can cache SaltedPassword after the first authentication to a server • Some text on this needs to be added to the document • Key derivation – Currently: • ClientKey = H(SaltedPassword) • ServerKey = HMAC(SaltedPassword, salt) – Should this be something like: • ClientKey = HMAC(SaltedPassword, "Client Key") • ServerKey = HMAC(SaltedPassword, "Server Key")

  5. Open Issues (2 of 4) • Use of service name/URI in SCRAM – Can prevent an attack when user credentials are used by a bad server to connect to another server using the same password/salt – This is a weaker protection compared to channel bindings – A similar construct caused problems in DIGEST-MD5 implementations

  6. Open Issues (3 of 4) • GS2 framing ? – Jeff and Nico have a new design with just one all text header to client's first authentication message and to the channel binding (CB) data. – See slides from Nico

  7. Open Issues (4 of 4) • Issues related to GS2 variant: – One or two SASL mechanism names (+ a bit saying which ones were advertised) • One mechanism name indicates that server can do channel bindings (CB), one indicates it can't • The GS2 1st client message/CB data header includes a flag indicating whether the client couldn't, could have, or did do CB

Recommend

SCRAM in LDAP Better Password-based Authentication Kurt Zeilenga Isode Limited What is SCRAM?

SCRAM in LDAP Better Password-based Authentication Kurt Zeilenga Isode Limited What is SCRAM?

SCRAM in LDAP Better Password-based Authentication Kurt Zeilenga Isode Limited What is SCRAM? S alted C hallenge R esponse A uthentication M echanism SCRAM-SHA-1-PLUS An improved SASL mechanism for password authentication of the

469 views • 31 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly Again, by what you know The system asks the user to provide some information If its provided correctly, the user is authenticated

233 views • 20 slides
Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By

Practical key recovery attack against APOP , an MD5 based challenge response authentication. By Gaetan Leurent Presented by:- Guided By:- Raagi Sukhlecha Prof. Anish Mathuria Lalit Agarwal Outline Introduction APOP What is

953 views • 79 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
SCRAM authentication Heikki Linnakangas / Pivotal pg_hba.conf # TYPE DATABASE USER

SCRAM authentication Heikki Linnakangas / Pivotal pg_hba.conf # TYPE DATABASE USER

SCRAM authentication Heikki Linnakangas / Pivotal pg_hba.conf # TYPE DATABASE USER ADDRESS METHOD # &quot;local&quot; is for Unix domain socket connections only local all all trust # Use

393 views • 25 slides
WHAT IS SCRAM? A SHORT INTRODUCTION . Ms Angela Tuffley, RedBay Consulting Dr Betsy Clark,

WHAT IS SCRAM? A SHORT INTRODUCTION . Ms Angela Tuffley, RedBay Consulting Dr Betsy Clark,

WHAT IS SCRAM? A SHORT INTRODUCTION . Ms Angela Tuffley, RedBay Consulting Dr Betsy Clark, Software Metrics Inc Mr Adrian Pitman, DAEI, CASG CASG SCRAM Principals 2 Schedule Compliance Risk Assessment Methodology: SCRAM SCRAM is a

250 views • 23 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh

University of Cambridge Security Seminar Series Whither Challenge Question Authentication? 12 May 2009 Mike Just University of Edinburgh Outline What are Challenge Questions? Challenge Question Research Our Research Collecting

765 views • 28 slides
A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in Authentication Workshop (WAY) 2019 Nikita Samarin, Donald Sannella Traditional Passwords Most common mechanism of authenticating users online

251 views • 14 slides
SCRAM Instructions II Philipp Koehn 23 February 2018 Philipp Koehn Computer Systems

SCRAM Instructions II Philipp Koehn 23 February 2018 Philipp Koehn Computer Systems

SCRAM Instructions II Philipp Koehn 23 February 2018 Philipp Koehn Computer Systems Fundamentals: SCRAM Instructions II 23 February 2018 Reminder 1 Fully work through a computer circuit assembly code Simple but Complete Random

822 views • 33 slides
Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike

Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike

SOUPS 2009 Personal Choice and Challenge Questions: A Security and Usability Assessment 16 July 2009 Mike Just University of Edinburgh (joint work with David Aspinall) Challenge Question Authentication Authentication credential is answer

394 views • 20 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
SCRAM Instructions Philipp Koehn 16 September 2019 Philipp Koehn Computer Systems Fundamentals:

SCRAM Instructions Philipp Koehn 16 September 2019 Philipp Koehn Computer Systems Fundamentals:

SCRAM Instructions Philipp Koehn 16 September 2019 Philipp Koehn Computer Systems Fundamentals: SCRAM Instructions 16 September 2019 Reminder 1 Fully work through a computer circuit assembly code Simple but Complete Random

1k views • 73 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf

Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf

Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf {firstname.lastname}@fu-berlin.de 1. Physically Unclonable Functions 2. Ring Oscillator PUF with Enhanced Outline Challenge-Response Pairs 3.

197 views • 19 slides
Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such as MD5 Challenge/Response such as APOP * APOP * Yu Sasaki ( The University of Electro-Communications ) Go Yamamoto (NTT) Kazumaro Aoki (NTT)

436 views • 8 slides
Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides
Authentication Using Pulse-Response Biometrics Kasper B. Rasmussen 1 Marc Roeschlin 2 Ivan

Authentication Using Pulse-Response Biometrics Kasper B. Rasmussen 1 Marc Roeschlin 2 Ivan

Authentication Using Pulse-Response Biometrics Kasper B. Rasmussen 1 Marc Roeschlin 2 Ivan Martinovic 1 Gene Tsudik 3 1 University of Oxford 2 ETH Zurich 3 UC Irvine Clermont Ferrand, 2014 Slide 1. A Bit About Myself Lecturer at University of

598 views • 37 slides
2018 2019 Demand Response Auction Mechanism ( DRAM DRAM 3) 3) Pre Bi Pre Bid

2018 2019 Demand Response Auction Mechanism ( DRAM DRAM 3) 3) Pre Bi Pre Bid

2018 2019 Demand Response Auction Mechanism ( DRAM DRAM 3) 3) Pre Bi Pre Bid (Bidder dders) Web Conf We Confer erence ence Ma March 21, 21, 2017 2017 Presenta Pre entation will ill begi begin at at 10:00 10:00 a.m a.m.

693 views • 51 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
SCRAM Introduction Philipp Koehn 13 September 2019 Philipp Koehn Computer Systems Fundamentals:

SCRAM Introduction Philipp Koehn 13 September 2019 Philipp Koehn Computer Systems Fundamentals:

SCRAM Introduction Philipp Koehn 13 September 2019 Philipp Koehn Computer Systems Fundamentals: SCRAM Introduction 13 September 2019 A Simple Computer 1 Fully work through a computer circuit assembly code Simple but Complete

350 views • 31 slides

More recommend