Authentication
Lecture 4
Prof. S.M.Chaware
Authentication
• Authentication is the binding of an identity to a principal.
• Network-based authentication mechanisms require a principal to authenticate to a single system, either local or remote.
• An external entity must provide information that enables the system to confirm its identity.
Basics continue…
• The authentication process consists of obtaining information from an entity, analysing the data and determining whether it is associated with that entity.
• Authentication system components:
Set A – authentication information (what the entity presents to prove its identity)
Set C – complementary information (what the system stores in order to validate A)
Set F – complementation functions (map elements of A to elements of C)
Set L – authentication functions (verify an identity using A and C)
Set S – selection functions (let an entity create or change its A and C)
Passwords
• A password is an example of an authentication mechanism based on what people know.
• The user supplies the password and the computer validates it.
• Password space: the set of all possible passwords (set A).
• Verification: the stored form is computed with a one-way hash function.
Authentication system for passwords
• Set A – strings of 8 characters drawn from letters, digits and special characters.
• Set C – the 13-character strings stored in the password file /etc/passwd (classic UNIX).
• Set F – the 4096 variants of a one-way function built on a permutation of DES, one per 12-bit salt.
• Set L – the programs that check a supplied password against C, e.g. login, su.
• Set S – the programs that set or change a password, e.g. passwd, nispasswd.
Protecting passwords
• Hide enough information so that one of a, c or f cannot be found.
• Prevent access to the authentication functions L.
Attacking a password system
• Dictionary attack, type 1 (offline): for each guess g and each f ∈ F, compute f(g). If f(g) equals the complementary information stored for entity E, then g authenticates E under f.
• Dictionary attack, type 2 (online): submit g to an authentication function l ∈ L. If l accepts, g is the correct password.
Countering password guessing
• P ≥ TG/N,
where P – probability of guessing the password within the given time,
T – number of time units,
G – number of guesses per unit time,
N – number of possible passwords.
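A worked rearrangement of the formula above, added here as an illustration (not part of the original slides; the numeric values are assumed for the example). The guesser's success probability stays below P only if the password space satisfies

$$N \ge \frac{TG}{P}.$$

With passwords of length $n$ over an alphabet of size $|A|$, $N = |A|^n$, so the minimum length is

$$n \ge \frac{\log(TG/P)}{\log|A|}.$$

Assume $P = 0.5$, $T = 3.15 \times 10^{7}$ s (one year) and $G = 10^{4}$ guesses per second. Then $TG/P = 6.3 \times 10^{11}$ and

$$n \ge \frac{\log_{10}(6.3 \times 10^{11})}{\log_{10} 95} = \frac{11.80}{1.98} \approx 5.97,$$

so 6 characters drawn from the 95 printable ASCII characters are enough, while over the 26 lowercase letters ($\log_{10} 26 = 1.41$) the bound becomes $n \ge 8.34$, i.e. 9 characters. Doubling $G$ or $T$ adds only $\log_{|A|} 2$ to the required length, which is why the guess rate G (slowed by backoff, see the later slides) matters less than the size of the alphabet.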
User Authentication
• In-person identification
• Must be based on something shared only by the computing system and the user
• Qualities used to confirm a user's identity:
1. something the user knows
2. something the user has
3. something the user is (biometrics)
4. where the entity is (e.g. in front of a particular terminal)
• Two or more forms can be combined
Use of Passwords
• Password – a 'word' known to computer and user; an agreed-upon codeword; length and format vary.
• Humans:
– Short, memorable key (8 characters, about 48 bits), used directly or as the key that protects a longer key
• Computers:
– (Long) high-quality secret
– Hidden key (encrypted under the password), or the password used directly (e.g. a hash of the password)
• Keys versus passwords
• Additional authentication information
Attacks on Passwords
1. Try all possible passwords
2. Try many probable passwords
3. Try passwords likely for the user
4. Search for the system list of passwords
5. Ask the user
1. Exhaustive attack
Brute-force attack: every string of 1 to 8 letters over the 26-letter alphabet, 26 + 26^2 + … + 26^8 ≈ 2 × 10^11 candidates.
2. Probable passwords
Think of a word. At one guess per millisecond, trying every string over 26 letters takes:
Length up to 3 (18,278 candidates) – 18.278 sec
Length up to 4 – about 8 min
Length up to 5 – about 3.5 hours
Dictionary
3. Attacking systems via passwords
Outsider → normal user → administrator (each captured password is a step up)
Passwords Likely for a User
• Password = something meaningful to the user. Of 3,289 passwords collected in one survey:

Count   Share   Category
   15    0.5%   a single ASCII character
   72      2%   two ASCII characters
  464     14%   three ASCII characters
  477     14%   four alphabetic letters
  706     21%   five letters, all of the same case
  605     18%   six lowercase letters
  492     15%   words in dictionaries or lists of names
 2831     86%   total of all the above categories
Password guessing steps
– On-line: limit tries, raise an alarm
– Off-line: dictionary attack, trying candidates in order of likelihood:
• No password
• The same as the user ID
• Is, or is derived from, the user's name
• Common word list plus common names and patterns
• Short college dictionary
• Common non-English language dictionaries
• Short dictionary with capitalizations and substitutions (PaSsWorD)
• Complete English dictionary with capitalizations and substitutions
• Common non-English dictionaries with capitalizations and substitutions
• Brute force, lowercase letters
• Brute force, full character set
Protecting the password list file
• Problems:
• The OS is not compartmentalised, so all of its modules have access to all privileged information
• An intruder can dump memory at a convenient time and read the file from the dump
• The file system can be reloaded from a backup, so the backup media hold a copy of the file too
• The password file is, in the end, a file stored on a disk, and a disk can be read directly
Encrypted Password File
• The password list is hidden by conventional encryption or by a one-way cipher
• One-way encryption: store E(pw) and compare E(supplied password) against it
• Salt: store E(pw ‖ salt_B) together with salt_B, so that identical passwords produce different stored values
• Indiscreet users: writing down or telling the password
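The following example ties together the three preceding ideas: the salted one-way store of slide 16, the type 1 (offline) and type 2 (online) dictionary attacks of slide 7, and the candidate ordering of slide 14 (word, capitalised, substituted, with a digit suffix). It is added code written for this page, not code from the lecture or from any UNIX implementation; SHA-256 over salt ‖ password stands in for the DES-based function the slides describe, and the two-word list and the two accounts are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed word list for the attack; a real one would be a dictionary.
WORDLIST = ["secret", "password"]


def complement(password: str, salt: bytes) -> bytes:
    """f_salt(a): the one-way function selected by the salt (set F).
    Assumption: SHA-256(salt || password) instead of the DES-based crypt."""
    return hashlib.sha256(salt + password.encode()).digest()


def enroll(store: dict, user: str, password: str) -> None:
    """Selection function (set S): record the user's complementary information."""
    salt = os.urandom(12)                       # 96-bit random salt, stored in clear
    store[user] = (salt, complement(password, salt))


def login(store: dict, user: str, password: str) -> bool:
    """Authentication function (set L): accept only if f_salt(guess) == stored c."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(complement(password, salt), stored)


def candidates(wordlist):
    """Guess generator in slide-14 order: the word itself, capitalised, upper case,
    with leetspeak substitutions, each also followed by a single digit."""
    subs = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
    for w in wordlist:
        forms = list(dict.fromkeys([w, w.capitalize(), w.upper(), w.translate(subs)]))
        for form in forms:
            yield form
            for d in range(10):
                yield form + str(d)


def offline_attack(store: dict, wordlist):
    """Type 1: the attacker holds C (salts and hashes) and applies f to every guess.
    Nothing limits the number of guesses except the attacker's own CPU time."""
    cracked = {}
    for user, (salt, stored) in store.items():
        for g in candidates(wordlist):
            if complement(g, salt) == stored:   # equality is fine here: attacker's own box
                cracked[user] = g
                break
    return cracked


def online_attack(store: dict, user: str, wordlist, max_tries: int):
    """Type 2: the attacker can only call the authentication function L, and the
    system cuts it off after max_tries. Returns (password or None, tries used)."""
    tries = 0
    for g in candidates(wordlist):
        if tries >= max_tries:
            return None, tries
        tries += 1
        if login(store, user, g):
            return g, tries
    return None, tries


if __name__ == "__main__":
    store = {}
    enroll(store, "alice", "password1")       # weak: dictionary word + digit
    enroll(store, "bob", "Tr0ub4dor&3")       # not derivable from the word list
    print("offline:", offline_attack(store, WORDLIST))
    print("online, 10 tries:", online_attack(store, "alice", WORDLIST, 10))
    print("online, 100 tries:", online_attack(store, "alice", WORDLIST, 100))
```

Because each user has a different salt, the offline attacker must recompute `complement` per user and cannot share work or a precomputed table between accounts; the online attacker, limited to ten calls of L, never reaches alice's password, which sits at guess 47 in the candidate order.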
Password Selection Criteria
• Use characters other than just A–Z: exhausting 6-letter words in one case takes about 100 hours, in upper and lower case about 2 years
• Choose long passwords
• Avoid actual names or words
• Choose an unlikely password, e.g. 2Brn2B or I10veu
• Change the password regularly
• Don't write it down
• Don't tell anyone else
Password Selection Criteria…
• Some systems generate meaningless but pronounceable passwords ("bliptab", "blaptib", "blabtip")
• Some systems ask the user to change the password periodically
• Why is a change reminder on its own not good enough?
• Group A: 6 characters with at least one non-letter – 30% were easy to crack
• Group B: based on passphrases – 10%
• Group C: 8 randomly selected characters – 10%
One-Time Password
• A one-time password is one that changes every time it is used.
• The system assigns the user a fixed mathematical function f; at login it sends a challenge x and the user must reply with f(x).
• Also called challenge-response systems.
• f(x) = x + 1
• f(x) = r(x), where r is a random-looking function agreed with the user in advance
• f(a1a2a3a4a5a6) = a3a1a1a4 (select and rearrange digits of the challenge)
• f(E(x)) = E(D(E(x)) + 1): decrypt the challenge, add one, re-encrypt
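The exchange described above, as an added example (not code from the lecture): a server that issues a fresh challenge x per login and checks the reply against f(x), with two choices of f. The first is the slide's f(x) = x + 1; the second, HMAC-SHA256 under a per-user shared secret, is an assumption standing in for the slide's E(D(E(x)) + 1) form. An eavesdropper class shows why the arithmetic f fails: one observed (x, f(x)) pair is enough to answer any later challenge, whereas the keyed f gives the eavesdropper nothing without the secret.

```python
import hashlib
import hmac
import os


def f_plus_one(secret: bytes, x: int) -> str:
    """Slide example f(x) = x + 1. The secret is unused: the function itself is the secret."""
    return str(x + 1)


def f_keyed(secret: bytes, x: int) -> str:
    """Keyed one-way function (assumed stand-in for E(D(E(x)) + 1)): HMAC-SHA256(secret, x)."""
    return hmac.new(secret, x.to_bytes(8, "big"), hashlib.sha256).hexdigest()


class Server:
    """Issues one challenge per login attempt and consumes it on verification."""

    def __init__(self, f):
        self.f = f
        self.secrets = {}     # user -> shared secret
        self.pending = {}     # user -> outstanding challenge, removed once answered

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def challenge(self, user: str) -> int:
        x = int.from_bytes(os.urandom(8), "big")   # fresh 64-bit challenge, never reused
        self.pending[user] = x
        return x

    def verify(self, user: str, response: str) -> bool:
        x = self.pending.pop(user, None)           # a challenge can be answered only once
        if x is None or user not in self.secrets:
            return False
        expected = self.f(self.secrets[user], x)
        return hmac.compare_digest(expected, str(response))


class Client:
    def __init__(self, f, secret: bytes):
        self.f, self.secret = f, secret

    def respond(self, x: int) -> str:
        return self.f(self.secret, x)


def shift_guess(seen_x: int, seen_r: str, new_x: int):
    """Eavesdropper who saw one (x, r) pair and assumes f adds a constant."""
    try:
        delta = int(seen_r) - seen_x
    except ValueError:                              # reply is not a number: no usable relation
        return None
    return str(new_x + delta)


if __name__ == "__main__":
    for f in (f_plus_one, f_keyed):
        srv, cli = Server(f), Client(f, b"shared-secret")
        srv.enroll("alice", b"shared-secret")
        x = srv.challenge("alice")
        r = cli.respond(x)                          # observed on the wire
        print(f.__name__, "legitimate login:", srv.verify("alice", r))
        x2 = srv.challenge("alice")
        g = shift_guess(x, r, x2)
        print(f.__name__, "eavesdropper login:", g is not None and srv.verify("alice", g))
```

Replaying a captured reply fails with either f because the server discards a challenge as soon as it is answered; the difference between the two functions is whether an attacker who saw a valid pair can compute the reply to a new challenge.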
Password verification
• Store passwords in a file in clear (weak).
• Store hashed passwords in a file.
• Where passwords are stored:
– Per node: /etc/passwd
– Server: an authentication storage server from which the node retrieves the stored form (yp/NIS)
– Facilitator: the node forwards the credential to a server, which answers yes/no
• Salt: store E(pw ‖ salt_B) together with salt_B.
Password cracking
• 128 choices per character.
• 8 characters ⇒ 128^8 = 2^56 possible passwords.
• Four cases for the success of password cracking:
– Online guessing without a dictionary of likely passwords.
– Online guessing using a dictionary.
– Offline, from the hashed file, without a dictionary.
– Offline, from the hashed file, using a dictionary.
Other password issues
• Reuse of passwords.
• Social engineering.
• Keystroke-logging software, spyware.
• Password-cracking tools.
• One proposed solution: biometrics.
Fixing flaws in the Authentication Process
• Challenge-response systems
• Impersonation of login (a fake login prompt that captures the password)
• Authentication other than passwords – handprint detectors, voice recognisers, identifiers of patterns in the retina
Biometrics
• Efforts to find physical characteristics that uniquely identify people include Bertillon's cranial maps, fingerprints and DNA sampling.
• Biometrics is the automated measurement of biological or behavioural features that identify a person.
• Common features are fingerprints, voice, face and keystroke dynamics.
User selection of passwords
• Proactive password selection: check a proposed password before accepting it, and reject passwords that are
• Based on the account name:
Account name followed by a number
Account name surrounded by delimiters
• Based on the user's name:
Initials, repeated zero or more times
All letters lower- or uppercase
Name reversed
First initial followed by last name reversed
Continue…
• Based on computer names
• Dictionary words
• Reversed dictionary words
• Dictionary words with some or all letters capitalised
• Keyboard patterns
• Only digits
• Acronyms
• Dictionary words with all vowels deleted
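A proactive password checker that applies the rules from the two slides above, added here as example code (not a checker from the lecture or from any real system such as passwd's checks). The five-word dictionary, the keyboard rows and the host list are constructed for the example; the acronym rule is omitted because detecting it needs a phrase list the slides do not give.

```python
import re

# Constructed stand-ins for a real dictionary and host list.
DICTIONARY = {"secret", "password", "welcome", "dragon", "monkey"}
NO_VOWELS = {re.sub(r"[aeiou]", "", w) for w in DICTIONARY}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def check_password(pw: str, account: str, first: str, last: str, hosts=()):
    """Return the list of rules the proposed password violates; empty means acceptable.
    All comparisons are case-insensitive, which covers the 'any capitalisation' rules."""
    reasons = []
    low = pw.lower()
    acct = account.lower()
    f, l = first.lower(), last.lower()

    # based on the account name
    if low == acct:
        reasons.append("same as account name")
    elif re.fullmatch(re.escape(acct) + r"\d+", low):
        reasons.append("account name followed by a number")
    elif re.fullmatch(r"[^a-z0-9]+" + re.escape(acct) + r"[^a-z0-9]+", low):
        reasons.append("account name surrounded by delimiters")

    # based on the user's name
    initials = f[:1] + l[:1]
    k = len(low) // max(len(initials), 1)
    if initials and k >= 1 and low == initials * k:
        reasons.append("initials repeated")
    if low in (f, l, f + l):
        reasons.append("own name in any case")
    if low in (f[::-1], l[::-1], (f + l)[::-1]):
        reasons.append("name reversed")
    if low == f[:1] + l[::-1]:
        reasons.append("first initial followed by last name reversed")

    # based on computer names (with an optional numeric suffix)
    if re.sub(r"\d+$", "", low) in {h.lower() for h in hosts}:
        reasons.append("based on a computer name")

    # derived from dictionary words
    if low in DICTIONARY:
        reasons.append("dictionary word (any capitalisation)")
    if low[::-1] in DICTIONARY:
        reasons.append("reversed dictionary word")
    if low in NO_VOWELS:
        reasons.append("dictionary word with vowels deleted")

    # patterns
    if len(low) >= 3 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard pattern")
    if low.isdigit():
        reasons.append("only digits")
    return reasons


if __name__ == "__main__":
    for pw in ["bob42", "!bob!", "htims", "BSBSBS", "SECRET", "scrt", "asdfgh", "123456", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw, "bob", "Bob", "Smith", hosts=("venus",)) or "ok")
```

Returning every violated rule rather than stopping at the first lets the system tell the user why the choice was rejected, which is what makes proactive checking more effective than a bare "password too weak".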
Guessing through authentication functions
• Solution: backoff techniques.
Exponential backoff
Disconnection
Disabling
Jailing
Backoff techniques
• x – a parameter selected by the system administrator.
• After the first failure the system waits x^0 = 1 sec before reprompting for the name and authentication data.
• After a second failure it waits x^1 = x sec.
• After n failures it waits x^(n-1) sec.
Other techniques
• Disconnection – after some number of failed authentication attempts, the connection is broken.
• Disabling – the account is disabled until a security manager re-enables it.
• Jailing – the unauthenticated user is given access to a limited part of the system and is gulled into believing that he or she has full access. The jail records the attacker's actions.
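One login front end combining the four techniques of slides 27 to 29, as an added example (not code from the lecture): exponential backoff of x^(n-1) seconds after the n-th consecutive failure on a connection, disconnection after a per-connection limit, disabling of the account after a cumulative limit across connections, and an optional jail that replaces disconnection and logs what the attacker types. The thresholds and the `check` callback are assumptions; `sleeper` is injectable so the code can be exercised without actually sleeping.

```python
import time


class Session:
    """State of one connection to the login service."""

    def __init__(self):
        self.failures = 0      # consecutive failures on this connection
        self.connected = True
        self.jailed = False
        self.jail_log = []     # commands the jailed attacker typed


class LoginGuard:
    def __init__(self, x=2, disconnect_after=5, disable_after=10, jail=False, sleeper=time.sleep):
        self.x = x                              # administrator-chosen backoff base
        self.disconnect_after = disconnect_after
        self.disable_after = disable_after
        self.jail = jail                        # jail instead of disconnecting
        self.sleeper = sleeper
        self.failures = {}                      # user -> failures across all connections
        self.disabled = set()

    def backoff_delay(self, n: int) -> int:
        """Wait x^(n-1) seconds after the n-th consecutive failure (x^0 = 1 s after the first)."""
        return self.x ** (n - 1)

    def attempt(self, session: Session, user: str, password: str, check) -> str:
        """check(user, password) is the real authentication function L."""
        if not session.connected:
            return "disconnected"
        if session.jailed:
            return "jailed"                     # the jail never lets the real login succeed
        if user in self.disabled:
            return "disabled"                   # even the right password is refused
        if check(user, password):
            session.failures = 0
            return "ok"
        session.failures += 1
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.disable_after:
            self.disabled.add(user)             # stays off until an administrator re-enables it
            return "disabled"
        if session.failures >= self.disconnect_after:
            if self.jail:
                session.jailed = True
                return "jailed"
            session.connected = False
            return "disconnected"
        self.sleeper(self.backoff_delay(session.failures))   # slow the guess rate G
        return "retry"

    def run_command(self, session: Session, cmd: str) -> str:
        """Inside the jail every command is recorded and answered with a plausible fake."""
        if not session.jailed:
            raise PermissionError("not authenticated")
        session.jail_log.append(cmd)
        return "(fake output for %r)" % cmd


if __name__ == "__main__":
    guard = LoginGuard(x=2, disconnect_after=4, disable_after=6, sleeper=lambda s: print("sleep", s))
    real_check = lambda user, pw: pw == "correct"
    s = Session()
    for _ in range(4):
        print(guard.attempt(s, "alice", "wrong", real_check))
```

Backoff attacks G in the formula P ≥ TG/N while disconnection and disabling cap the total number of guesses; the cumulative per-user counter is what stops an attacker from resetting the backoff simply by opening a new connection.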
Summary
• Memory protection: fence, base/bounds registers, tagged architecture, paging, segmentation
• File protection: three- or four-level format, user-group-all
• Access control in general: access control matrix, per-object or per-user basis
• User authentication: password protection
Qu. On OS Security
1. Explain different methods for memory and address protection (183)
2. Compare segmentation with paging (193)
3. Explain different methods to be used to protect objects (196)
4. Explain various schemes for file protection (205)
5. Explain ways to determine a user's password (212)
Qu. On OS Security
6. Explain how a fence register is used for relocating a user's program. [MAY-05/IT/5M]
7. Explain why asynchronous I/O activity is a problem with many memory protection schemes, including base/bounds and paging. Suggest a solution to the problem. [MAY-05/IT/7M]
8. Discuss several guidelines for password selection (218)
Qu. On OS Security
9. Authentication means proving identities between entities, which happens in different layers of the network protocol stack for different reasons. Identify these entities and state them.
10. How does the OS protect files in main memory and on secondary devices?
11. Discuss any two techniques of memory and address protection.
12. Explain the use of temporal separation and physical separation for security in a computing environment.
Qu. On OS Security
13. (a) Why is user authentication required?
(b) What techniques are used for authentication?
(c) What are the flaws in the user authentication process?
(d) Suggest controls over them.
14. Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they want to cause? What kinds of vulnerabilities might they exploit to cause harm?