
Authentication

Learn about authentication mechanisms, dictionary attacks, and how to defend against attacks by creating strong and secure passwords.


Presentation Transcript


  1. Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004

  2. Outline • Authentication mechanisms • Dictionary attacks • Passwords • Defense against attacks

  3. Authentication • Authentication is the binding of an identity to a subject • How? • what the subject knows • what the subject has • what the subject is • where the subject is

  4. Authentication Mechanisms (1/2) • Set A of authentication information: specific information used to prove identity (belongs to subject) • Set C of complementation information: system stores this to use for validation • Set F of complementation functions: generate complementation information from authentication information f ∈ F, f: A → C

  5. Authentication Mechanisms (2/2) • Set L of authentication functions: verify identity l ∈ L, l: A × C → { true, false } • Set S of selection functions: enable a subject to create or alter the authentication and complementation information

  6. Passwords • A password is information associated with a user that confirms the user's identity • Passwords may be generated by a system and given to users or selected by the users

  7. Dictionary Attack • Guess a password by repeated trial and error using a list of words (the dictionary) • Type 1: complementation information C and complementation function f are known • compute f(g) for each guess g • look for match in C • Type 2: • use l(a, g) for each guess g

  8. Bad Passwords (1/6) • Many user-selected passwords are easy to guess via dictionary attack • Passwords based on account names • Passwords based on user names • Passwords based on computer names • Dictionary words • Reversed dictionary words • Dictionary words with some or all letters capitalized

  9. Bad Passwords (2/6) • Reversed dictionary words with some or all letters capitalized • Dictionary words with arbitrary letters turned into control characters

  10. Bad Passwords (3/6) • Dictionary words with any of the following changes: • a -> 2 or 4 • e -> 3 • h -> 4 • i -> 1 • l -> 1 • o -> 0 • s -> 5 or $ • z -> 5

  11. Bad Passwords (4/6) • Conjugations or declensions of dictionary words • Patterns from the keyboard • Passwords shorter than 6 characters • Passwords containing only digits • Passwords containing only uppercase or lowercase letters, or letters and numbers, or letters and punctuation • Passwords that look like license plate numbers

  12. Bad Passwords (5/6) • Acronyms or abbreviations • Passwords used in the past • Concatenations of dictionary words • Dictionary words preceded or followed by digits, punctuation marks, or spaces • Dictionary words with all vowels deleted • Dictionary words with white spaces deleted

  13. Bad Passwords (6/6) • Passwords with too many characters in common with the previous (current) password

  14. Good Passwords (1/2) • at least one digit • at least one letter • at least one punctuation symbol

  15. Good Passwords (2/2) • Take a verse and select from it "Where were you when we were getting high?" -> wwywwwgh? • Change repetition to count wwywwwgh? -> w2yw3gh?

  16. Defensive Strategies • Salting: change the complementation function based on the user • Backoff: wait longer after each failed attempt • Disconnection • Disabling
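A Python model of slides 4 and 5 (complementation function f and authentication function l), the selection rules of slides 8 to 14, and the salting defense of slide 16, added here as an illustration and not taken from the lecture. The small word list, the PBKDF2-based choice of f, and the rule strings it returns are assumptions of this example.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional, Set, Tuple

# Constructed word list standing in for a dictionary; a real check loads a large one.
DICTIONARY = {"password", "secret", "compute", "security", "march"}
VOWELS = str.maketrans("", "", "aeiou")
# Inverse of the slide-10 substitution table; 4, 1 and 5 each decode to two letters.
UNLEET = {"2": "a", "4": "ah", "3": "e", "1": "il", "0": "o", "5": "sz", "$": "s"}


def decodings(s: str) -> Set[str]:
    """Every way of undoing the slide-10 digit/symbol substitutions in s."""
    return {"".join(p) for p in itertools.product(*(UNLEET.get(c, c) for c in s))}


def weak_reason(password: str, dictionary=DICTIONARY) -> Optional[str]:
    """Selection function S: name the slide 8-14 rule a candidate violates, or None."""
    if len(password) < 6:
        return "shorter than 6 characters"
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)
            and any(c in string.punctuation for c in password)):
        return "needs a digit, a letter and a punctuation symbol"
    # Drop digits, punctuation and spaces from the ends, ignore case, also try reversed.
    core = password.strip(string.digits + string.punctuation + " ").lower()
    forms = decodings(core) | decodings(core[::-1])
    for w in dictionary:
        # Plain, reversed, leet-substituted and vowel-deleted forms of a word.
        if w in forms or w.translate(VOWELS) in forms:
            return f"derived from dictionary word '{w}'"
    if any(core[:i] in dictionary and core[i:] in dictionary for i in range(1, len(core))):
        return "concatenation of dictionary words"
    return None


def complement(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Complementation function f: A -> C, made per-user by a random salt (slide 16)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(password: str, stored: Tuple[bytes, bytes]) -> bool:
    """Authentication function l: A x C -> {true, false}, constant-time comparison."""
    salt, digest = stored
    return hmac.compare_digest(complement(password, salt)[1], digest)
```

Because the salt is chosen per user, two users with the same password get different complementation information, so one precomputed f(g) table no longer matches every account.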

  17. Password Aging • Require new password every N days • Need to prevent "changing" to same password • Could prevent reuse of a password for a fixed time period • Need to give users notice before requiring a new password

  18. Challenge Response • System and user share a secret function f • System sends random message m [challenge] • User replies with f(m) [response]
