Host and Application Security
clearsleepingbag
Nov 30, 2013

Lesson 8: You are you… mostly

OS: If we want access control
- We must have…

User Authentication
- Something the user knows
- Something the user has
- Something the user is
- “Two factor” means just what it says

Passwords
- The most common access control paradigm
- Challenges:
  - Loss
  - Convenience
  - Disclosure
  - Revocation

Additional Restrictions
- Time limited access
- Geospatial limitations
- very clever!

Attacks on Passwords
- Brute force
- Common passwords
- Likely passwords
- Find the encrypted password database
- Ask!

Exhaustive Attack
- Not as hard as one might think…
- The search space is actually pretty small
- How tractable is this? Very!
- GPU computing makes this very fast

Probable Passwords
- Lots of similarities in the way people pick passwords
- Which is more likely: Flatech or 8*fgHi@d?
- Time for an xkcd
- Thanks, Randall!
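To put numbers on the two slides above (the small search space of exhaustive attack, and the much smaller effective space once people pick "probable" passwords), here is a worked calculation. It is an added example, not part of the lecture; the guess rate of 10^9 per second, the 94-symbol printable character set, the 100,000-word list and the "word + two digits + symbol" habit are all assumptions chosen for illustration.

```python
import math

# Assumed attacker throughput, chosen only for illustration (not a measured figure).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Sizes of the printable-ASCII character classes (26 + 26 + 10 + 32 = 94).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS


def keyspace(charset_size, length):
    """Number of distinct strings of exactly `length` symbols from a charset."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Entropy in bits when every symbol is chosen uniformly at random."""
    return length * math.log2(charset_size)


def passphrase_bits(dictionary_size, words):
    """Entropy of a passphrase of `words` words chosen uniformly from a word list
    (the xkcd "correct horse battery staple" construction)."""
    return words * math.log2(dictionary_size)


def pattern_keyspace(dictionary_size, digits=2, symbols=1):
    """Effective search space when users follow the assumed 'word + digits + symbol'
    habit: the attacker only has to enumerate the pattern, not the whole charset."""
    return dictionary_size * (10 ** digits) * (SYMBOLS ** symbols)


def seconds_to_exhaust(search_space, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return search_space / rate


def report():
    """Summarise the cases the slides contrast; returns the rows so they can be checked."""
    rows = [
        ("8 random printable chars", keyspace(ALL_PRINTABLE, 8)),
        ("word + 2 digits + symbol (100k-word list)", pattern_keyspace(100_000)),
        ("4 random words from a 2048-word list", keyspace(2048, 4)),
    ]
    for label, space in rows:
        print(f"{label:45s} {math.log2(space):6.1f} bits  "
              f"~{seconds_to_exhaust(space):.3g} s at 1e9 guesses/s")
    return rows


if __name__ == "__main__":
    report()
```

The point the numbers make: a nominal policy of "8 printable characters" looks like about 52 bits (roughly 70 days to exhaust at the assumed rate), but if users actually follow a dictionary-word pattern the attacker's real search space collapses to well under a second of work, which is exactly why "likely passwords" beats "brute force" as the first thing an attacker tries.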


How the Computer Stores Passwords
- Cannot (should not) be stored in the clear
- Encrypt them!
- Originally, in the /etc/passwd file
- Then, moved to /etc/shadow
- Typically, we store a hash of the password
- This introduces a vuln, which is…

NaCl
- We add a salt to each password, and store it in the clear
- This is made from the process ID and the time, stored in the clear
- When the password is hashed the salt is added before the hashing
Spearphishing
- Of course, it’s much easier to just ask the user

One Time Passwords
- Pretty much a challenge-response
- The system “asks the user a question”, usually of the form “compute this function”
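An added example of "compute this function" (not code from the lecture): HOTP from RFC 4226, where the shared function is an HMAC over a counter, plus the server-side verifier that makes each code single-use, and the more general form where the server sends a fresh random challenge and the client answers with a keyed MAC over it. The RFC 4226 test-vector key `12345678901234567890` is real; the look-ahead window of 3 is an assumption.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a `digits`-digit decimal code."""
    hs = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = hs[-1] & 0x0F
    binary = ((hs[offset] & 0x7F) << 24 | hs[offset + 1] << 16
              | hs[offset + 2] << 8 | hs[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of the exchange. Keeps the per-user counter so a code is
    accepted at most once; the look-ahead window (assumed 3) tolerates a few
    codes the user generated but never submitted."""

    def __init__(self, secret, window=3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise; replaying `code` now fails
                return True
        return False


# General challenge-response: the server picks a fresh random challenge, the
# client proves knowledge of the shared secret by MACing it.
def make_challenge():
    return secrets.token_bytes(16)


def respond(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def check_response(secret, challenge, response):
    return hmac.compare_digest(respond(secret, challenge), response)


RFC4226_SECRET = b"12345678901234567890"  # the test-vector key from RFC 4226

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))   # 755224, 287082, 359152 per RFC 4226
```

Two properties worth noticing: the counter (or the random challenge) is what makes the password "one time", since a captured code is useless once the server has moved past it, and the MAC comparison is constant-time so the check itself does not leak which digits were right.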

Biometrics
- Some type of biological property
- Here, though, we have to think about false positives and false negatives…
- Identification versus authentication
  - “This is Pinkie Pie”
  - I am Pinkie Pie, and I present this hoof to prove it
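An added example (not from the lecture) making the two points on this slide concrete. The first half computes the false accept rate and false reject rate of a matcher at a given threshold and finds the equal-error point; the second half contrasts identification (1:N, "who is this?") with authentication (1:1, "is this Pinkie Pie?"). The match scores, the three-feature "templates" and the similarity function are all constructed stand-ins for a real biometric matcher.

```python
# Constructed matcher scores in [0, 1]: higher means the sample looks more like
# the enrolled template. Genuine = the right person, impostor = someone else.
GENUINE_SCORES = [0.91, 0.88, 0.75, 0.95, 0.60, 0.82]
IMPOSTOR_SCORES = [0.20, 0.35, 0.55, 0.65, 0.30, 0.45]


def error_rates(genuine, impostor, threshold):
    """False accept rate (impostors let in) and false reject rate (real users
    locked out) for one decision threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine, impostor):
    """Threshold at which FAR and FRR are closest (the equal error rate point).
    Raising the threshold trades false accepts for false rejects."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates, key=lambda t: abs(error_rates(genuine, impostor, t)[0]
                                             - error_rates(genuine, impostor, t)[1]))


# Constructed enrolled templates: tiny feature vectors standing in for real ones.
TEMPLATES = {
    "pinkie": (0.90, 0.10, 0.50),
    "twilight": (0.20, 0.80, 0.40),
}


def similarity(a, b):
    """1 minus the mean absolute feature difference; 1.0 is a perfect match."""
    return 1 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def identify(sample, threshold):
    """Identification (1:N): search every template and return the best match
    if it clears the threshold, else None. Inexact matching means the best
    score is never exactly 1.0, and the error rates grow with N."""
    best_id, best_score = max(((i, similarity(t, sample)) for i, t in TEMPLATES.items()),
                              key=lambda p: p[1])
    return best_id if best_score >= threshold else None


def verify(claimed_id, sample, threshold):
    """Authentication (1:1): 'I am Pinkie Pie, here is my hoof.' Compare only
    against the claimed identity's template."""
    return similarity(TEMPLATES[claimed_id], sample) >= threshold


if __name__ == "__main__":
    for t in (0.5, 0.65, 0.7):
        print(f"threshold {t}: FAR/FRR = {error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    hoof = (0.85, 0.15, 0.55)   # a constructed fresh sample
    print("identify:", identify(hoof, 0.65), " verify pinkie:", verify("pinkie", hoof, 0.65))
```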

Challenges
- Cost
- Privacy issues
- Inexact matching
- Single point of failure
- Token revocation (ouch!!!)


The Web
- How does authentication work on the web?

Assignment
- This is deliberately vague…
- “Compare Windows and Linux security more broadly. Which is ‘more secure’ and why? Justify your position.”

Questions?