Authentication

erosjelly (category: Security)

23 Feb 2014 (3 years and 3 months ago)


Authentication

CS 472

Fall 2010

Overview of Authentication Methods


Authentication: the process of reliably verifying the identity of someone (or something)


Password-based authentication --- eavesdropping is a problem: whoever can read the channel learns the password


Not scalable: every server Alice talks to must hold (and protect) a copy of her password


[Figure: Alice sends her password to Bob in plain text]

Password-based authentication


Off-line vs. on-line password guessing


Dictionary attacks


On-line attacks


Storing user passwords:


Alice and server store the passwords independently


Authentication storage node --- stores Alice's info; a server retrieves it when needed


Authentication facilitator --- stores Alice's info; the server forwards what Alice supplied and the facilitator answers yes/no


Store unencrypted hashes of the passwords (Unix) --- anyone who reads the file can run password-guessing attacks off-line


Store encrypted passwords --- but where do you store the system key used to encrypt them?


Address-based authentication


Based on the network address from which packets arrive


UNIX: /etc/hosts.equiv file

cash:/etc>more hosts.equiv
+@odu-net


.rhosts file --- <computer, account> pairs which are allowed access to the user's account

Network Address Impersonation


Easy to transmit a packet with any address as the source address, either at the network layer or at the datalink layer


IP Spoofing: An Introduction


What is IP spoofing: an attacker gains unauthorized access to a computer or a network by making a malicious message appear to come from a trusted machine, by "spoofing" (forging) that machine's IP address as the source.


Authentication of People


Important capabilities for good authentication: (i) ability to store a high-quality cryptographic key (ii) ability to perform cryptographic operations


A computer has both of these; a human being has neither


Techniques: what you know, what you have, what you are (biometrics, e.g. voice recognition)


On-line password guessing: the root problem is poor password choice; defenses are to limit the number of guesses, lock an account after a few incorrect guesses, slow down the user after each incorrect guess, and report the last login time so the user can notice misuse


Off-line password guessing: through eavesdropping or reading a database, the attacker obtains the hash of a password and then guesses candidates at leisure, hashing each one. Defense: use a salt, i.e. store <user ID, salt, hash(salt | password)>; the guesser then has to redo the hashing work per user instead of once for everyone


How big should a secret be? General rule of thumb: a secret needs about 64 bits (or 20 decimal digits) of randomness


Login Trojan horse to capture passwords: a fake login program logs the name and password to a file


Authentication tokens: smart cards and Java cards


Smart card technology and security



Biometrics


IP Spoofing



IP header: carries the source IP address and the destination IP address


TCP header: carries the source and destination port numbers and the sequence and acknowledgment numbers


By manipulating the source address in the IP header, the destination can be fooled (impersonation)


Sequence number prediction can lead to session hijacking

Spoofing attacks


Non-blind spoofing: the attacker is on the same subnet as the victim, so the sequence and acknowledgement numbers can be sniffed, eliminating the difficulty of predicting them accurately.


Session hijacking: the attacker corrupts the data stream of an established connection, then re-establishes it from the attack machine using the correct sequence and acknowledgement numbers. Because the victim already authenticated when the connection was set up, the attacker inherits that authenticated session without ever presenting credentials.


Man-in-the-middle attack: the spoofing attacks above are instances of this, since the attacker inserts itself between the two legitimate endpoints


Denial of service attack (DoS): flood the victim with as many packets as possible in a short amount of time. To prolong the attack's effectiveness, attackers spoof the source IP addresses so that tracing and stopping the flood is as difficult as possible. When multiple compromised hosts participate, all sending spoofed traffic, it is very challenging to quickly block it.


Defense against spoofing:


Filtering at the router (ingress and egress filtering): on the Internet-facing interface, implement an ACL that drops packets whose source is a private address, and also drops packets whose source lies in your own internal range, since claiming an internal source is a common trick to get past firewalls. On the internal-facing interface, drop outbound packets whose source is outside your valid range, so your own hosts cannot be used to send spoofed traffic.


Encryption and authentication: IPsec provides both and is part of the IPv6 specification (it is also available for IPv4), but it only helps where it is actually deployed and does not by itself eliminate spoofing. Additionally, eliminate host-based authentication, which is still common between machines on the same subnet, and ensure that proper authentication is carried out over a secure (encrypted and integrity-protected) channel.


Cryptographic authentication: Alice proves her identity to Bob by performing a cryptographic operation on a quantity Bob supplies.


Who is being authenticated, a user or a machine? A user can remember a short, meaningful password; a machine can remember long, random secrets.


Passwords can be used to acquire a cryptographic key: (i) by hashing the password (ii) by using the password to decrypt a higher-quality key, such as an RSA private key, stored in a database



Eavesdropping and server database reading


Public-key approach: Alice knows her own private key; Bob stores only Alice's public key. An intruder who reads Bob's database learns nothing that allows impersonating Alice (unlike a stored password or shared key); the database still has to be protected against modification, since replacing Alice's public key would let the intruder pose as her.