23 Φεβ 2014 (πριν από 3 χρόνια και 3 μήνες)

64 εμφανίσεις


CS 472

Fall 2010

Overview of Authentication

Process of reliably
verifying the identity
of someone (or

eavesdropping is a

Not scalable

Send password in plain text
based authentication

vs. On
line Password Guessing

Dictionary attacks

line attacks

Storing user passwords:

Alice and server store the passwords independently

Authentication storage node
stores Alice’s info and a server
can retrieve it when needed

Authentication facilitator
stores Alice’s info and a server can
pass the info that Alice supplied to the server to authenticate it
(yes/no is the result)

Store unencrypted hashed of the passwords (Unix)
guessing attacks possible

Store encrypted passwords
where to store that system key that
is used to encrypt

based authentication

Based on the network address from which
packets arrive

UNIX: /etc/hosts.equiv file

cash:/etc>more hosts.equiv


.rhosts file
<computer, account> pairs
which are allowed access to the user’s

Network Address Impersonation

Easy to transmit a packet with any address as
the source address, either at the network layer
or at the datalink layer

IP Spoofing: An Introduction

What is iP spoofing:
In IP spoofing, an attacker
gains unauthorized access to a computer or a
network by making it appear that a malicious
message has come from a trusted machine by
“spoofing” the IP address of that machine.

Authentication of People

Important capabilities for good
authentication: (i) ability to store a high
quality cryptographic key (ii) ability to
perform cryptographic operations

Computer has both these; human being
has neither

Techniques: what you know, what you
have, what you are (biometric, voice

line password guessing: poor password
choice, limit #of guesses, lock an A/C after a few
incorrect guesses, slow down the user with each
incorrect guess, report last login time

line password guessing: Through
eavesdropping or reading a database, the hash
of a password may be obtained; then the
attacker can attempt to guess the password;
using a salt (store Used ID, salt value, hash(salt|
password of user); this way an intruder needs to
do more work

How big should a secret be? General rule
of thumb: a secret needs to be about 64
bits (or 20

digits) of randomness

Login Trojan horse to capture passwords:
logs name and password to a file

Authentication token: Smart card and Java

Smart card Technology and security


IP Spoofing

IP header: has source IP address and
Destination IP address

TCP header: has source port# and destination
port#; sequence and acknowledgment #s

By manipulating the source address in IP
header, the destination can be fooled

Sequence number prediction can lead to
session hijacking

Spoofing attacks

blind spoofing: Attacker is on the same subnet as
the victim: The sequence and acknowledgement
numbers can be sniffed, eliminating the potential
difficulty of calculating them accurately.

Session hijacking. This is accomplished by corrupting
the data stream of an established connection, then re
establishing it based on correct sequence and
acknowledgement numbers with the attack machine.
Using this technique, an attacker could effectively
bypass any authentication measures taken place to build
the connection.

Man In the Middle Attack
: spoofing is an
example of this

Denial of Service Attack

(DoS): To flood the
victim with as many packets as possible in a
short amount of time. In order to prolong the
effectiveness of the attack, they spoof source IP
addresses to make tracing and stopping the DoS
as difficult as possible. When multiple
compromised hosts are participating in the
attack, all sending spoofed traffic, it is very
challenging to quickly block traffic.

Defense against spoofing:

Filtering at the router: implement an ACL (access control list) that blocks
private IP addresses on your downstream interface. Additionally, this
interface should not accept addresses with your internal range as the
source, as this is a common spoofing technique used to circumvent
firewalls. On the upstream interface, you should restrict source
addresses outside of your valid range.

Encryption and authentication: Both of these features are included in
Ipv6, which will eliminate current spoofing threats. Additionally, you
should eliminate all host
based authentication measures, which are
sometimes common for machines on the same subnet. Ensure that the
proper authentication measures are in place and carried out over a
secure (encrypted) channel.

Cryptographic authentication:

Alice proves
her identity to Bob by performing a cryptographic
operation on a quantity Bob supplies.

Who is being authenticated? User or a
machine? User can remember a short
meaningful password; Machine can remember
long passwords.

Passwords can be used to acquire a cryptographic
key: (i) by hashing a password (ii) use the password
to decrypt a higher
quality key, such as an RSA
private key, stored in a database

Eavesdropping and server
database reading

Alice knows her own private key; Bob
knows the public key of Alice. Even if an
intruder gets into Bob’s database, no
damage is possible