
Authentication And Threats and Attacks to information security, polices and laws

Authentication and Threats and Attacks to information security, policies and laws. Lê Quốc Thắng, Nguyễn Minh Tân. Authentication. Outline: Definition; Some basic authentication methods; Authentication Protocols; Kerberos, a security protocol in the real world. Definition.


Presentation Transcript


  1. Authentication and Threats and Attacks to information security, policies and laws • Lê Quốc Thắng • Nguyễn Minh Tân

  2. Authentication

  3. Outline • Definition • Some basic authentication methods • Authentication Protocols • Kerberos: a security protocol in the real world

  4. Definition • Access control is concerned with access to system resources and includes: • Authentication: deals with the problem of determining whether a user should be allowed access to a particular system or resource • Authorization: restricts the actions of an authenticated user

  5. Authentication Methods • Based on any combination of the following: • Something you know • Something you have • Something you are

  6. Something you know • Password • Ex: • Your ATM PIN number • Your date of birth • Con: • Users often choose bad passwords -> easy to crack… • But (pros): • Cost • Convenience

  7. Password Cracking • Consider the key search problem • Here we use a 64-bit cryptographic key • Trudy must try half of the possible keys on average to find the correct one. • If we construct a password with 8 characters, with 256 possible choices for each character, the complexity of both problems is the same. • But: a password like kf&Yw!a[ is not what users actually choose, so with a good dictionary of passwords Trudy can crack your password • Consider the chance of success

  8. Choosing Passwords • Bad choices: Frank, Pikachu, 10251960, AustinStamp • Replace by: jfIej(43j-EmmL+y, 09864376537263, P0kem0N, FSa7Yago • Passphrase: “four score and seven years ago”
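The keyspace comparison on the two slides above (a 64-bit key versus 8 characters with 256 choices each, and why a dictionary beats that) can be made concrete with a small estimator. This is an added example, not code from the presentation; the word list and the character classes are constructed here, and the "effective bits" figure is a lower bound on an attacker's work, not a measurement of any real cracker.

```python
import math

# Constructed mini cracking dictionary. Real wordlists hold millions of entries;
# these few cover the slide's bad choices so the comparison is visible.
COMMON_WORDS = {"frank", "pikachu", "austinstamp", "password", "letmein"}

# Character classes; the size of the class mix a password uses gives the space
# an attacker must search if the password were drawn uniformly from that mix.
CLASSES = (
    set("abcdefghijklmnopqrstuvwxyz"),
    set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    set("0123456789"),
    set("!@#$%^&*()-_=+[]{};:'\",.<>/?|\\~`"),  # 32 printable symbols
)

def uniform_bits(length, choices):
    """Bits of work for `length` symbols with `choices` options each.
    The slide's case: 8 characters x 256 choices = 64 bits, like a 64-bit key."""
    return length * math.log2(choices)

def charset_size(password):
    """Size of the smallest class mix that contains every character used."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def search_bits(password):
    """Brute-force work if the password were random over its observed charset."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def effective_bits(password, dictionary=COMMON_WORDS):
    """What an attacker with a dictionary actually faces: a dictionary word
    costs at most log2(len(dictionary)) guesses, whatever its charset."""
    if password.lower() in dictionary:
        return math.log2(len(dictionary))
    return search_bits(password)

def weaker_than_key(password, key_bits=64):
    """True when guessing the password is cheaper than searching the key space."""
    return effective_bits(password) < key_bits

if __name__ == "__main__":
    for pw in ("Pikachu", "10251960", "kf&Yw!a[", "jfIej(43j-EmmL+y"):
        print(f"{pw:18} charset={charset_size(pw):3} "
              f"random={search_bits(pw):6.1f} bits  "
              f"effective={effective_bits(pw):6.1f} bits")
```

Two things fall out of running it: the 8-character password kf&Yw!a[ only reaches about 51 bits because real keyboards offer roughly 84 to 94 symbols, not 256, and a dictionary word such as Pikachu is worth a couple of bits regardless of its mixed case. The 16-character replacement from the slide is the first one that exceeds the 64-bit key.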

  9. Attacking Systems via Passwords • Outsider → normal user → administrator: one weak password and our system… • Password attacks and system response: systems often lock after three bad password attempts, but for how long? • Some other password issues: • Password reuse • Social engineering • Keystroke logging software

  10. Something you are • Biometrics • Universal • Distinguishing • Permanent • Collectable • Reliable, robust, and user-friendly • There are two phases in a biometric system: • enrollment phase • recognition phase

  11. Biometrics • Fingerprints:

  12. Fingerprints

  13. Biometrics • Hand Geometry.

  14. Biometrics • Iris Scan

  15. Biometrics • In particular, biometrics are difficult, although not impossible, to forge. • There are also many potential software-based attacks on biometrics • While a broken cryptographic key or password can be revoked and replaced, it’s not clear how to revoke a “broken” biometric

  16. Something you have

  17. Authentication Protocols • Basic requirements • Simple Security Protocols • Authentication protocols • Simple Authentication Protocols • Authentication using Symmetric Keys • Authentication using Public Keys • Session Keys and Timestamps

  18. Security Protocol Requirements • Protocols? Ex: HTTP, FTP… • Security protocols? Ex: SSL, IPSec… • Authentication protocols? • Basic requirements: • Besides security requirements • Efficient in: • Cost • Bandwidth • Should not be too fragile • Anticipate likely changes in the environment • Ease of use, implementation, flexibility

  19. Simple Security Protocols • Ex : Withdraw money from an ATM • Insert ATM card into reader • Enter PIN • Is the PIN correct? • Yes: Conduct your transactions • No: Machine eats your ATM card

  20. Simple Security Protocols

  21. Simple Security Protocols

  22. Authentication Protocols • Simple Authentication Protocols • Authentication using Symmetric Keys • Authentication using Public Keys • Session Keys

  23. Simple Authentication Protocols

  24. Simple Authentication Protocols

  25. Simple Authentication Protocols

  26. Authentication using Symmetric Keys • Notation: C = E(P, K) (encrypt plaintext P under key K) • P = D(C, K) (decrypt) • KAB: the key shared between Alice and Bob

  27. Authentication using Symmetric Keys

  28. Authentication using Symmetric Keys

  29. Authentication using Symmetric Keys

  30. Authentication using Symmetric Keys

  31. Authentication using Symmetric Keys

  32. Authentication using Public Keys • Notation: C = {M}Alice (encrypt M with Alice’s public key) • M = [C]Alice (decrypt with Alice’s private key) • S = [M]Alice (sign M with Alice’s private key) • [{M}Alice]Alice = M • {[M]Alice}Alice = M

  33. Authentication using Public Keys

  34. Authentication using Public Keys
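The two identities on slide 32, [{M}Alice]Alice = M and {[M]Alice}Alice = M, say that Alice's public and private operations undo each other in either order. The following added example (not from the presentation) makes that visible with textbook RSA on constructed tiny primes; it illustrates the notation only, since a real deployment needs large moduli and padding (OAEP for encryption, PSS for signatures), which this toy deliberately omits.

```python
# Toy textbook RSA with tiny constructed primes so the numbers stay readable.
# Real systems use ~2048-bit moduli and padding; this block only illustrates
# the {M}Alice / [M]Alice notation and is not a usable cipher.
def make_toy_keypair(p=61, q=53, e=17):
    n = p * q                   # 3233, the public modulus
    phi = (p - 1) * (q - 1)     # 3120
    d = pow(e, -1, phi)         # 2753, the private exponent (Python 3.8+)
    return (e, n), (d, n)       # (public key, private key)

ALICE_PUB, ALICE_PRIV = make_toy_keypair()

def encrypt_for(m, pub):
    """C = {M}Alice: anyone holding Alice's public key can compute this."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt_with(c, priv):
    """M = [C]Alice: only Alice's private key recovers M from C."""
    d, n = priv
    return pow(c, d, n)

def sign_with(m, priv):
    """S = [M]Alice: the private-key operation applied to M."""
    d, n = priv
    return pow(m, d, n)

def verify_with(s, pub):
    """{S}Alice: the public-key operation; yields M exactly when S = [M]Alice."""
    e, n = pub
    return pow(s, e, n)

def identities_hold(m, pub=ALICE_PUB, priv=ALICE_PRIV):
    """Checks both identities from the slide:
    [{M}Alice]Alice = M   and   {[M]Alice}Alice = M."""
    return (decrypt_with(encrypt_for(m, pub), priv) == m
            and verify_with(sign_with(m, priv), pub) == m)

if __name__ == "__main__":
    m = 65
    c = encrypt_for(m, ALICE_PUB)        # {M}Alice
    s = sign_with(m, ALICE_PRIV)         # [M]Alice
    print("C =", c, "-> [C]Alice =", decrypt_with(c, ALICE_PRIV))
    print("S =", s, "-> {S}Alice =", verify_with(s, ALICE_PUB))
    print("identities hold:", identities_hold(m))
```

The security-relevant reading of the identities is the asymmetry of who can perform each step: {M}Alice needs no secret, so confidentiality comes from the fact that only Alice can apply [.]Alice; conversely a signature [M]Alice needs Alice's secret, and anyone can check it with {.}Alice.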

  35. Session Key

  36. Session Key

  37. Session Key

  38. Timestamp • Contains the current time • Pro: • No extra messages are needed to exchange a nonce • Con: • We must accept any timestamp that is close to the current time -> this creates conditions for replay attacks

  39. Timestamp

  40. Timestamp
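Slide 38 notes that a timestamp saves the nonce round trip but forces the verifier to accept any time "close to" its own clock, which is exactly the window a replayed message fits into. The added example below (not part of the presentation) shows the defender's usual answer: accept the message only inside a skew window and remember every message already accepted for the lifetime of that window. The shared key, the window size and the message layout are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared key between Alice and Bob (assumed to have been
# established earlier, e.g. by the symmetric-key protocols on the slides).
K_AB = b"constructed-demo-key-K_AB"
WINDOW = 60  # seconds of clock skew the verifier tolerates, in either direction

def _mac(key, fields):
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_message(sender, ts, body, key=K_AB, nonce=None):
    """Authenticated message carrying the sender's current time `ts`.
    The nonce is just a field, not an extra protocol message: it lets two
    legitimate messages sent in the same second stay distinguishable."""
    fields = {"from": sender, "ts": ts,
              "nonce": nonce if nonce is not None else secrets.token_hex(8),
              "body": body}
    fields["mac"] = _mac(key, fields)
    return fields

class TimestampVerifier:
    def __init__(self, key=K_AB, window=WINDOW):
        self.key = key
        self.window = window
        # (from, ts, nonce) -> last instant at which a replay could still pass
        self.seen = {}

    def verify(self, msg, now):
        """Returns "ok", "bad_mac", "stale" or "replay" for message `msg`
        received when the verifier's clock reads `now` (seconds)."""
        fields = {k: v for k, v in msg.items() if k != "mac"}
        mac = msg.get("mac", "")
        if not hmac.compare_digest(mac, _mac(self.key, fields)):
            return "bad_mac"                      # forged or tampered
        if abs(now - msg["ts"]) > self.window:
            return "stale"                        # outside the skew window
        # Entries can be dropped once the window has closed on them, because
        # any copy arriving later is rejected as stale anyway.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        key = (msg["from"], msg["ts"], msg["nonce"])
        if key in self.seen:
            return "replay"                       # seen inside the window
        self.seen[key] = msg["ts"] + self.window
        return "ok"

if __name__ == "__main__":
    bob = TimestampVerifier()
    m = make_message("Alice", ts=1000, body="transfer 100 to Bob")
    print("first delivery at t=1000:", bob.verify(m, 1000))
    print("replayed at t=1010:      ", bob.verify(m, 1010))
    print("replayed at t=1061:      ", bob.verify(m, 1061))
```

Without the `seen` cache every delivery inside the 60-second window would return "ok", which is the failure mode the slide describes; with it, the cost of the defence is bounded memory proportional to the traffic of one window, and clock synchronisation between the parties becomes a security requirement rather than a convenience.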

  41. Kerberos • A trusted third party model • Employs a key distribution center, or KDC • Diagram: the KDC holds KKDC; Alice, Bob and Trudy hold the keys KA, KB and KT respectively

  42. Kerberized Login • The key KA is derived from Alice’s password as KA = h(Alice’s password). • The KDC creates the session key SA. • Alice’s computer decrypts using KA to obtain SA and the TGT, and then the computer forgets KA. • TGT = E(“Alice”,SA;KKDC).

  43. Kerberos Ticket

  44. Kerberos Security • Recall that, when Alice logs in, the KDC sends E(SA,TGT;KA) to Alice, where TGT = E(“Alice”,SA;KKDC). Since the TGT is encrypted with KKDC, why is the TGT encrypted again with the key KA? • The KDC does not need to know who is making the REQUEST in order to decrypt it, since all TGTs are encrypted with KKDC. • Why is the “ticket to Bob” sent to Alice, when Alice simply forwards it on to Bob? • How does Kerberos prevent replay attacks? • Could Kerberos have chosen to have Alice’s computer remember her password and use that for authentication? • Can we have the KDC remember session keys instead of putting these in the TGT?
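The Kerberized login on slide 42 and the first two questions on slide 44 (why the TGT is wrapped again under KA, and how the KDC serves a REQUEST without knowing in advance who sent it) are easiest to see by running the exchange. The following is an added simulation, not the presentation's code and not a real Kerberos implementation: E and D are a toy encrypt-then-MAC construction over HMAC-SHA256 (standing in for the C = E(P, K), P = D(C, K) notation of slide 26), h is SHA-256, and the content of the REQUEST's authenticator is an assumption made for the example.

```python
import hashlib
import hmac
import json
import os

# ---- Toy E(data; K) / D(blob; K): HMAC-SHA256 keystream XOR plus an HMAC tag.
# Stands in for the E/D notation on the slides; real Kerberos uses AES-based
# encryption types. Wrong key or tampering makes D raise ValueError.
def _keystream(key, iv, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def E(obj, key):
    pt = json.dumps(obj, sort_keys=True).encode()
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def D(blob, key):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    return json.loads(pt)

def h(password):
    """KA = h(Alice's password), as on slide 42."""
    return hashlib.sha256(password.encode()).digest()

# ---- The KDC side.
class KDC:
    def __init__(self):
        self.K_KDC = os.urandom(32)     # known only to the KDC
        self.users = {}                 # name -> KA

    def register(self, name, password):
        self.users[name] = h(password)

    def login(self, name):
        """Reply E(SA, TGT; KA): only the holder of KA (the password) can open
        it, so the outer layer proves the password to Alice's computer."""
        KA = self.users[name]
        SA = os.urandom(32)             # the KDC creates the session key SA
        TGT = E({"user": name, "SA": SA.hex()}, self.K_KDC)
        return E({"SA": SA.hex(), "TGT": TGT.hex()}, KA)

    def handle_request(self, request):
        """The KDC learns who is asking, and SA, from the TGT alone: every TGT
        is under K_KDC, so no per-user lookup is needed before decrypting."""
        tgt = D(bytes.fromhex(request["TGT"]), self.K_KDC)
        SA = bytes.fromhex(tgt["SA"])
        authenticator = D(bytes.fromhex(request["authenticator"]), SA)
        return tgt["user"], authenticator

# ---- Alice's computer.
def client_login(kdc, name, password):
    KA = h(password)
    reply = D(kdc.login(name), KA)      # fails unless the password was right
    del KA                              # the computer forgets KA; keeps SA, TGT
    return bytes.fromhex(reply["SA"]), bytes.fromhex(reply["TGT"])

def client_request(SA, TGT, service):
    # Assumed REQUEST layout for this example: the TGT plus an authenticator
    # encrypted under SA, proving the requester holds the session key.
    return {"TGT": TGT.hex(),
            "authenticator": E({"service": service}, SA).hex()}

def login_succeeds(kdc, name, password):
    try:
        client_login(kdc, name, password)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    kdc = KDC()
    kdc.register("Alice", "correct horse battery staple")   # constructed
    SA, TGT = client_login(kdc, "Alice", "correct horse battery staple")
    user, auth = kdc.handle_request(client_request(SA, TGT, "Bob"))
    print("KDC resolved request from", user, "for service", auth["service"])
    print("login with wrong password succeeds?",
          login_succeeds(kdc, "Alice", "wrong"))
```

The toy makes one of the slide's design choices observable: `client_login` throws away KA as soon as the reply is decrypted, so a later compromise of the workstation exposes only the short-lived SA and an opaque TGT, not the password-derived key. It also shows why the TGT can be opaque to Alice: she stores and forwards it, but only K_KDC opens it.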

  45. Q&A: Authentication

  46. Threats and Attacks to information security, policies and laws

  47. Agenda • Risk analysis and risk management • Information security policies • Threat to information security • Q&A

  48. Risk analysis & risk management • Definition • Information security life cycle • Risk analysis process • Risk mitigation • Choose & evaluate

  49. 1. Definition • The process that allows business managers to balance the operational and economic costs of protective measures. • Some questions: • Why and when? • How is the success of risk analysis measured?

  50. 2. Information Security Life Cycle
