Host and Application Security
Lesson 8: You are you… mostly

OS: If we want access control
• We must have…

User Authentication
• Something the user knows
• Something the user has
• Something the user is
• “Two factor” means just what it says

Passwords
• The most common access control paradigm
• Challenges:
  • Loss
  • Convenience
  • Disclosure
  • Revocation

Additional Restrictions
• Time limited access
• Geospatial limitations – very clever!

Attacks on Passwords
• Brute force
• Common passwords
• Likely passwords
• Find the encrypted password database
• Ask!

Exhaustive Attack
• Not as hard as one might think…
• The search space is actually pretty small
• How tractable is this? Very!
• GPU computing makes this very fast

Probable Passwords
• Lots of similarities in the way people pick passwords
• Which is more likely:
  • Flatech or 8*fgHi@d?
• Time for an xkcd…

How the Computer Stores Passwords
• Cannot (should not) be stored in the clear
• Encrypt them!
• Originally, in the /etc/passwd file
• Then, moved to /etc/shadow
• Typically, we store a hash of the password
• This introduces a vuln, which is…

NaCl
• We add a salt to each password, and store it in the clear
• This is made from the process ID and the time, stored in the clear
• When the password is hashed the salt is added before the hashing
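The salted storage scheme from the last two slides, as an added example that is not part of the lecture: it builds a shadow-style record with the salt stored in the clear next to the hash, verifies a login by re-hashing with the stored salt, and shows why one precomputed table of hashed guesses stops working once every record carries its own salt. It assumes PBKDF2-SHA256 with a random salt (modern practice, not the PID-plus-time salt or the crypt(3) function the slides describe) and a "salt$hash" record layout of its own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; higher values slow every guess an attacker makes.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Mix the salt into the hash input, as the slide says, then derive the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a shadow-style record: the salt is stored in the clear beside the hash."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt (assumption, replaces PID+time)
    digest = hash_password(password, salt)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def table_attack_hits(records: list, guesses: list) -> int:
    """Count records matched by ONE precomputed table of hashed guesses.

    The table is built once, with no salt. It matches unsalted records directly,
    but a salted record's digest depends on its own salt, so the table never
    matches it: the attacker must redo the work per record instead of per guess.
    """
    table = {hash_password(g, b"").hex() for g in guesses}
    return sum(1 for r in records if r.split("$", 1)[1] in table)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    alice = make_record("password123")
    bob = make_record("password123")
    print("records differ despite same password:", alice != bob)
    print("correct password verifies:", verify("password123", alice))
    print("wrong password rejected:", verify("Password123", alice))
    unsalted = [make_record("password123", salt=b"")]
    print("table hits, unsalted:", table_attack_hits(unsalted, ["password123", "letmein"]))
    print("table hits, salted:", table_attack_hits([alice, bob], ["password123", "letmein"]))
```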
Spearphishing
• Of course, it’s much easier to just ask the user

One Time Passwords
• Pretty much a challenge response
• The system “asks the user a question”, usually of the form “compute this function”

Biometrics
• Some type of biological property
• Here, though, we have to think about false positives and false negatives…
• Identification versus authentication
  • “This is Pinkie Pie”
  • I am Pinkie Pie, and I present this hoof to prove it

Challenges
• Cost
• Privacy issues
• Inexact matching
• Single point of failure
• Token revocation (ouch!!!)

The Web
• How does authentication work on the web?

Assignment
• This is deliberately vague…
• “Compare Windows and Linux security more broadly. Which is ‘more secure’ and why? Justify your position.”