AUTHENTICATION
AND
THREATS AND ATTACKS TO
INFORMATION SECURITY, POLICIES
AND LAWS
• Lê Quốc Thắng
• Nguyễn Minh Tân
AUTHENTICATION
OUTLINE
Definition
Some basic authentication methods
Authentication protocols
Kerberos and security protocols in the real world
DEFINITION
Access control is concerned with access to system
resources and includes:
Authentication: deals with the problem of
determining whether a user should be allowed
access to a particular system or resource
Authorization: restricts the actions of an authenticated
user
AUTHENTICATION METHODS
Based on any combination of the following:
Something you know
Something you have
Something you are
SOMETHING YOU KNOW
Password
Ex:
Your ATM PIN number
Your date of birth
Problem:
Users often choose bad passwords, which are easy to crack…
But:
Cost
Convenience
PASSWORD CRACKING
Consider the key search problem.
Here we use a 64-bit cryptographic key.
Trudy must try the possible keys (about half of them on
average) to find the correct one.
If we construct a password of 8 characters, with 256
possible choices for each character,
the complexity of both problems is the same.
But:
Password
kf&Yw!a[
So with a good dictionary of passwords Trudy
can crack your password.
Consider the chance of success.
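Added worked example (not from the slides): the key-search versus dictionary comparison above, in Python. The 64-bit key and the 8-character password over 256 symbols are the slide's figures; the dictionary of 2^20 entries and the assumption that it covers one quarter of users are constructed for illustration.

```python
from fractions import Fraction
import math

KEY_BITS = 64           # 64-bit cryptographic key (figure from the slide)
PW_LENGTH = 8           # 8-character password (figure from the slide)
PW_ALPHABET = 256       # 256 choices per character (figure from the slide)
# Constructed assumptions for the dictionary attack, not from the slides:
DICT_SIZE = 2 ** 20             # entries in Trudy's password dictionary
DICT_COVERAGE = Fraction(1, 4)  # fraction of users whose password is in it

def key_space(bits=KEY_BITS):
    return 2 ** bits  # number of possible keys

def password_space(length=PW_LENGTH, alphabet=PW_ALPHABET):
    return alphabet ** length  # number of possible passwords

def expected_exhaustive_trials(space):
    # Trying candidates in a fixed order, the right one turns up after space/2 tries on average.
    return Fraction(space, 2)

def expected_dictionary_trials(space, dict_size=DICT_SIZE, coverage=DICT_COVERAGE):
    # Dictionary first; on a miss, exhaustive search over the remaining candidates.
    hit = coverage * Fraction(dict_size, 2)
    miss = (1 - coverage) * (dict_size + Fraction(space - dict_size, 2))
    return hit + miss

def success_probability(budget, space, dict_size=DICT_SIZE,
                        coverage=DICT_COVERAGE, use_dictionary=False):
    # Chance Trudy finds the secret within `budget` guesses. Secrets are assumed
    # uniform within the dictionary and uniform among the non-dictionary candidates.
    if not use_dictionary:
        return Fraction(min(budget, space), space)
    if budget <= dict_size:
        return coverage * Fraction(budget, dict_size)
    rest = min(budget - dict_size, space - dict_size)
    return coverage + (1 - coverage) * Fraction(rest, space - dict_size)

if __name__ == "__main__":
    space = password_space()
    print("key space equals password space:", key_space() == space)
    for name, trials in (("exhaustive", expected_exhaustive_trials(space)),
                         ("dictionary", expected_dictionary_trials(space))):
        print(f"expected trials, {name}: 2^{math.log2(trials):.2f}")
    for label, use in (("brute force", False), ("dictionary", True)):
        p = success_probability(DICT_SIZE, space, use_dictionary=use)
        print(f"P(success within {DICT_SIZE} guesses), {label}: {float(p):.3g}")
```

The expected work barely changes, but the probability of success within a dictionary-sized budget of guesses jumps from about 2^-44 to 1/4, which is why password choice, not password length alone, decides the outcome.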
CHOOSING PASSWORDS
Weak choices:
Frank
Pikachu
10251960
AustinStamp
Replace by:
jfIej(43jEmmL+y
09864376537263
P0kem0N
FSa7Yago
Passphrase:
“four score and seven years ago”
ATTACKING SYSTEMS VIA
PASSWORDS
Outsider → normal user → administrator
> one weak password and our system…
Password attacks and system response
Systems often lock after three bad password attempts?
> For how long?
Some other password issues:
Password reuse
Social engineering
Keystroke logging software
SOMETHING YOU ARE
Biometrics
Universal
Distinguishing
Permanent
Collectable
Reliable, robust, and user-friendly
There are two phases in a biometric system:
enrollment phase
recognition phase
BIOMETRICS
Fingerprints:
FINGERPRINTS
BIOMETRICS
Hand Geometry.
BIOMETRICS
Iris Scan
BIOMETRICS
In particular, biometrics are difficult, although
not impossible, to forge.
There are also many potential software-based
attacks on biometrics.
While a broken cryptographic key or password
can be revoked and replaced, it’s not clear how to
revoke a “broken” biometric.
SOMETHING YOU HAVE
AUTHENTICATION PROTOCOLS
Basic requirements
Simple security protocols
Authentication protocols
Simple authentication protocols
Authentication using symmetric keys
Authentication using public keys
Session keys and timestamps
SECURITY PROTOCOLS
REQUIREMENTS
Protocols?
Ex: HTTP, FTP…
Security protocols?
Ex: SSL, IPSec…
Authentication protocols?
Basic requirements:
Besides the security requirements, a protocol should be
Efficient in:
Cost
Bandwidth
Not too fragile
Able to anticipate likely changes in the environment
Easy to use and implement, and flexible
SIMPLE SECURITY PROTOCOLS
Ex: withdrawing money from an ATM
Insert ATM card into reader
Enter PIN
Is the PIN correct?
• Yes: conduct your transactions
• No: machine eats your ATM card
SIMPLE SECURITY PROTOCOLS
SIMPLE SECURITY PROTOCOLS
AUTHENTICATION PROTOCOLS
Simple authentication protocols
Authentication using symmetric keys
Authentication using public keys
Session keys
SIMPLE AUTHENTICATION
PROTOCOLS
SIMPLE AUTHENTICATION
PROTOCOLS
SIMPLE AUTHENTICATION
PROTOCOLS