
CMSC 414 Computer and Network Security Lecture 20

This lecture provides an overview of network security authentication, including authentication methods, protocols, and the importance of password selection and storage. It also discusses various attacks and considerations for secure authentication.





Presentation Transcript


  1. CMSC 414 Computer and Network Security, Lecture 20
     Jonathan Katz

  2. HW3
     • Some students have reported problems when using different grace machines
     • Logging in to scary.umd.edu should work

  3. Network Security

  4. Authentication: an Overview

  5. Authentication
     • Verifying the identity of another entity
       • Computer authenticating to another computer
       • Person authenticating to a local/remote computer
     • Important to be clear about what is being authenticated
       • The user?
       • The machine? A specific application on the machine?
       • The data?
     • What assumptions are being made?
       • E.g., login from untrusted terminal

  6. Authentication
     • Mutual authentication vs. unidirectional authentication
     • Authentication -- two main issues:
       • How authentication information is stored (at both ends)
       • Authentication protocol itself

  7. Authentication
     • Authentication may be based on
       • What you know
       • What you have
       • What you are
       • Examples? Tradeoffs?
       • Others?
     • Can also consider two-factor authentication

  8. Address-based authentication
     • Is sometimes used
     • Generally not very secure
       • Relatively easy to forge source addresses of network packets
     • But can be useful if the adversary does not know what IP address to forge
       • E.g., IP address of a user’s home computer

  9. Location-based authentication
     • More interest lately, as computation becomes more ubiquitous
     • Re-authentication if laptop moves

  10. Attack taxonomy
     • Passive attacks
     • Active attacks
       • Impersonation
         • Client impersonation
         • Server impersonation
       • Man-in-the-middle
       • Server compromise
     • Different attacks may be easier/more difficult in different settings

  11. Password-based protocols
     • Password-based authentication
       • Any system based on low-entropy shared secret
     • Distinguish on-line attacks vs. off-line attacks

  12. Password selection
     • User selection of passwords is typically very poor
       • Lower entropy password makes dictionary attacks easier
     • Typical passwords:
       • Derived from account names or usernames
       • Dictionary words, reversed dictionary words, or small modifications of dictionary words
     • Users typically use the same password for multiple accounts
       • Weakest account determines the security!
       • Can use program like pwdHash to correct this

  13. Better password selection
     • Non-alphanumeric characters
     • Longer phrases
     • Can try to enforce good password selection…
     • …but these types of passwords are difficult for people to memorize and type!
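The two slides above list the patterns that make a password cheap to guess (derived from the account name, a dictionary word possibly reversed or lightly modified, low entropy) and mention pwdHash as a fix for password reuse. The following Python is an added example, not code from the lecture: a server-side checker that tests a candidate password for exactly those patterns, a naive entropy bound, and a simplified per-site derivation in the spirit of pwdHash. The word list and the `per_site_password` construction are constructed for illustration and are not pwdHash's real algorithm.

```python
import base64
import hashlib
import hmac
import math
import re

# Constructed mini word list for the example; a real check uses a full dictionary.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "football", "sunshine"}

# Single-character substitutions a guessing program undoes ("dr4gon" -> "dragon").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(password):
    """Variants a dictionary attacker tries essentially for free: case-folded,
    leet-decoded, leading/trailing digits or punctuation stripped, and reversed."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    forms |= {re.sub(r"[\d\W_]+$", "", f) for f in forms}
    forms |= {re.sub(r"^[\d\W_]+", "", f) for f in forms}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def naive_entropy_bits(password):
    """Upper bound on entropy if every character were chosen uniformly from the
    classes present. A dictionary-derived password has far less than this."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, password):
            size += n
    return len(password) * math.log2(size) if size else 0.0


def weaknesses(password, username):
    """Reasons the password would fall quickly to a dictionary attack.
    An empty list means none of the slide's bad patterns were found."""
    problems = []
    lowered, u = password.lower(), username.lower()
    if len(u) >= 3 and (u in lowered or u[::-1] in lowered):
        problems.append("derived from the account name")
    if candidate_forms(password) & DICTIONARY:
        problems.append("dictionary word, reversed word, or small modification of one")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def per_site_password(master_password, site):
    """Hypothetical per-site derivation in the spirit of pwdHash (not its actual
    algorithm): one master secret yields an unrelated password for every site, so the
    weakest site's leaked password no longer unlocks the others."""
    tag = hmac.new(master_password.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(tag[:12]).decode()  # 16 printable characters


if __name__ == "__main__":
    for pw, user in (("Dr4gon!", "alice"), ("alice2024", "alice"), ("nogard123", "bob"),
                     ("correct-horse-battery-staple-42", "carol")):
        print(f"{pw!r}: {naive_entropy_bits(pw):.1f} bits naive, {weaknesses(pw, user)}")
    print(per_site_password("master-secret", "bank.example"), per_site_password("master-secret", "shop.example"))
```

Note that the naive bound is only an upper limit: `Dr4gon!` looks like a 7-character, 4-class password, but the checker still flags it because the leet-decoded form is a plain dictionary word.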

  14. From passwords to keys?
     • Can potentially use passwords to derive symmetric or public keys
     • What is the entropy of the resulting key?
     • Often allows off-line dictionary attacks on the password

  15. Password-based protocols
     • Any password-based protocol is potentially vulnerable to an “on-line” dictionary attack
     • On-line attacks can be detected and limited
       • How?
       • “Three strikes”
       • Ratio of successful to failed logins
       • Gradually slow login response time
       • Potential DoS
       • Cache IP address of last successful login
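The slide lists the server-side countermeasures to on-line guessing and notes the DoS risk a lockout creates. The following Python is an added example, not code from the lecture: a login throttle that combines "three strikes", a response delay that doubles with each consecutive failure, a failed-to-successful ratio alarm, and the cached IP of the last successful login, which is exempt from the lockout so an attacker cannot lock the real user out. The class name, parameters and the simulated attempt sequence (using documentation IP ranges) are assumptions made for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Server-side limiter for on-line password guessing against one account."""

    def __init__(self, max_strikes=3, lockout_seconds=300, base_delay=0.5,
                 ratio_alarm=10, clock=time.monotonic):
        self.max_strikes = max_strikes
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.ratio_alarm = ratio_alarm
        self.clock = clock                      # injectable so a simulation can fake time
        self.strikes = defaultdict(int)         # consecutive failures per user
        self.locked_until = {}                  # user -> lockout expiry
        self.failures = defaultdict(int)        # lifetime failed attempts per user
        self.successes = defaultdict(int)
        self.last_good_ip = {}                  # user -> IP of last successful login

    def check(self, user, ip):
        """Decide before the password is examined: (allowed, delay_seconds).
        The caller sleeps for `delay` and only then verifies the password."""
        trusted = self.last_good_ip.get(user) == ip   # cached IP bypasses the lockout (anti-DoS)
        if not trusted and self.locked_until.get(user, 0.0) > self.clock():
            return False, 0.0
        n = self.strikes[user]
        delay = 0.0 if trusted or n == 0 else self.base_delay * 2 ** (n - 1)
        return True, delay

    def record(self, user, ip, success):
        """Update state after the password check; returns the ratio alarm."""
        if success:
            self.successes[user] += 1
            self.strikes[user] = 0
            self.last_good_ip[user] = ip
        else:
            self.failures[user] += 1
            self.strikes[user] += 1
            if self.strikes[user] >= self.max_strikes:      # "three strikes"
                self.locked_until[user] = self.clock() + self.lockout_seconds
                self.strikes[user] = 0
        return self.suspicious(user)

    def suspicious(self, user):
        """Ratio alarm: many more failures than successes looks like guessing."""
        f, s = self.failures[user], self.successes[user]
        return f >= self.ratio_alarm and f > self.ratio_alarm * max(s, 1)


def run_scenario():
    """Constructed attempt sequence; returns the (allowed, delay) decision for each."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    decisions = []

    def attempt(user, ip, password_ok):
        now[0] += 1.0                               # one second between attempts
        allowed, delay = throttle.check(user, ip)
        if allowed:
            throttle.record(user, ip, password_ok)
        decisions.append((allowed, delay))

    attempt("alice", "203.0.113.5", True)           # owner logs in from home; IP cached
    for _ in range(3):
        attempt("alice", "198.51.100.7", False)     # three wrong guesses from elsewhere
    attempt("alice", "198.51.100.7", False)         # fourth guess: account locked
    attempt("alice", "203.0.113.5", True)           # owner from cached IP still gets in
    return decisions


def ratio_alarm_demo(failed_attempts=12):
    """Feed only failures for one user and report whether the ratio alarm fires."""
    throttle = LoginThrottle()
    for _ in range(failed_attempts):
        throttle.record("bob", "192.0.2.9", False)
    return throttle.suspicious("bob")


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
    print("ratio alarm:", ratio_alarm_demo())
```

The scenario output shows the delay growing 0, 0.5, 1.0 seconds across the guesses, the fourth guess refused, and the owner still admitted from the cached address while the lockout is in force.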

  16. Password-based protocols
     • Off-line attacks can never be ‘prevented’, but protocols can be made secure against such attacks
     • Any password-based protocol is vulnerable to off-line attack if the server is compromised
       • Once the server is compromised, why do we care?

  17. Password-based protocols
     • Best: Use a password-based protocol which is secure against off-line attacks when server is not compromised
     • Unfortunately, this has not been the case in practice (e.g., telnet, cell phones, etc.)
     • This is a difficult problem!

  18. Password storage
     • In the clear…
     • Hash of password (done correctly)
       • Doesn’t always achieve anything!
       • Makes adversary’s job harder
       • Potentially protects users who choose good passwords
     • “Salt”-ed hash of password
       • Makes bulk dictionary attacks harder, but no harder to attack a particular password
       • Prevents using ‘rainbow tables’
     • Encrypted passwords? (What attack is this defending against?)
     • Centralized server stores password…
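This slide's contrast between a plain hash and a salted hash, and slide 14's point that a key derived from a password has only the password's entropy, are both illustrated by the following Python. It is an added example, not code from the lecture: it builds a constructed three-user table, runs the same word-list attack against unsalted and salted storage while counting hash evaluations, and derives a key with PBKDF2 to show that iteration only raises the cost per guess. The user names, passwords and word list are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed attacker word list; real ones have millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "welcome", "sunshine"]

# Constructed user table: two users share a weak password, one chose a strong one.
USERS = {"alice": "dragon", "bob": "dragon", "carol": "Tr0ub4dor&3-9xQ!"}


def unsalted_record(password):
    """Plain hash of the password: the same function for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Salted hash: a random per-user salt is stored beside the digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def derive_key(password, salt, iterations=50_000):
    """Slide 14: turn a password into a 256-bit key. The key has no more entropy than
    the password; the iteration count only makes each off-line guess cost more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_derived(password, salt, expected, iterations=50_000):
    """Constant-time comparison so the check itself leaks nothing about the key."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)


def crack_unsalted(records):
    """Off-line attack on unsalted hashes: hash the word list once (a precomputed,
    rainbow-table-style lookup) and look every user up in it. Cost is independent of
    the number of users, and identical digests reveal shared passwords before cracking."""
    table = {unsalted_record(w): w for w in WORDLIST}
    found = {user: table[h] for user, h in records.items() if h in table}
    return found, len(WORDLIST)


def crack_salted(records):
    """Same word list against salted hashes: no table can be shared between users, so
    each user costs a fresh pass. A single targeted user is no harder than before."""
    found, cost = {}, 0
    for user, (salt, digest) in records.items():
        for w in WORDLIST:
            cost += 1
            if hashlib.sha256(salt + w.encode()).digest() == digest:
                found[user] = w
                break
    return found, cost


def compare_schemes():
    """Run both attacks over the constructed table and return the results per scheme."""
    unsalted = {u: unsalted_record(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    shared_visible = len(set(unsalted.values())) < len(unsalted)   # alice == bob, visible at a glance
    return {
        "unsalted": crack_unsalted(unsalted),                       # (cracked users, hash evaluations)
        "salted": crack_salted(salted),
        "shared_password_visible_unsalted": shared_visible,
    }


if __name__ == "__main__":
    results = compare_schemes()
    for scheme in ("unsalted", "salted"):
        found, cost = results[scheme]
        print(f"{scheme:9s}: cracked {sorted(found)} with {cost} hash evaluations")
    print("shared password visible without cracking:", results["shared_password_visible_unsalted"])
    salt = secrets.token_bytes(16)
    key = derive_key("dragon", salt)
    print("derived key verifies:", verify_derived("dragon", salt, key))
```

Both attacks recover alice and bob and fail on carol, which is the slide's point that hashing only protects users who chose good passwords; the salted run costs a full word-list pass per user (18 evaluations here versus 8), while the per-user cost of a targeted attack is unchanged.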
