Transcript of Authenticationtechnologies 120711134100-phpapp01
Authentication: Who's There?
Nicholas A. Davis, Information Systems 365
University of Wisconsin-Madison
Today's Chocolate Bar
• Baby Ruth
• Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle
• Originally named Kandy Kake
• Named after President Grover Cleveland's daughter, Ruth Cleveland, not after baseball player Babe Ruth
Passwords – Reading Discussion
• Define the root of a password
• Define the appendage of a password
• Appendages such as !, %, &, $, _ or a zip code tacked onto the end of the root have gotten too easy for password crackers, whose rule sets try exactly those combinations
• Mix upper and lower case in the middle of the password
• Put the appendage in the middle of your root, where dictionary-plus-rule attacks do not look
University Networks -- Reading
• Centralized vs. decentralized
• Faculty and Staff demand freedom
• Central data handling policies are weak
• What should universities do to make their network more secure?
Overview
• Authentication defined
• Different types of electronic authentication factors
• Username and Password
• Dialog Spoofing Authentication Attacks
• One Time Password devices (OTP), how they work and don't work
• Biometrics
• Digital Certificates
• Existing devices which can be used for authentication: Blackberry, Mobile Phone
• Shared Secret/Ticket based authentication systems
• Knowledge Based Authentication
• The Initial Credentialing Challenge
• Review of Key Concepts
• Who is to Blame For This Authentication Mess?
• SSO Authentication, the realities
• Federated Authentication
• Wireless Authentication issues
• Remaining Issues With Authentication
• What Does the Future Hold?
Authentication Defined
"Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online."
Authentication Factors
• Three types of electronic authentication factor
• Something you know – username/password
• Something you have – One time password device
• Something you are – Voiceprint or retinal scan
Single Factor vs. Multifactor vs Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication factor to authenticate (a password plus an OTP device, for example)
• "Multifactor" as often marketed – Using multiple forms of the same factor (password + identifying an image). In standard usage this is still single-factor: two things you know, sometimes called multi-step or layered authentication. Genuine multi-factor means two or more different factor types.
• Some people claim this kind of "multi factor" is just a way around industry regulations. Good test is to ask, could I memorize both of these? If yes, it is one factor.
Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required
Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via shoulder surfing, keyboard loggers or packet sniffers
• Can be guessed
• Can be hard to remember
• Stored password hashes are easy to crack offline once the password database leaks
• Video 3
If You Choose to Use Passwords..
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused.
• May not contain any portion of your name, birthday, address or other publicly available information.
(These are the composition rules of the period. NIST SP 800-63B, published later, sets a minimum of 8 characters for user-chosen passwords, recommends screening against lists of breached passwords, and advises against forced periodic expiration, since expiry pushes users toward predictable increments of the old password.)
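To make the root-and-appendage discussion concrete, here is an added example (editor's code, not from the lecture): a small rule-based guesser of the kind password crackers use, run against an unsalted SHA-256 hash, next to the salted, deliberately slow PBKDF2 storage a server should use instead. The wordlist, the appendage list and the sample passwords are constructed for the example; real cracking rule sets hold thousands of appendages and transformations.

```python
"""Why root+appendage passwords fall quickly, and how a server should store
passwords. Added example for this transcript; not part of the lecture.
The wordlist, appendage list and sample passwords are constructed."""
import hashlib
import hmac
import os

# A tiny dictionary a cracker would start from (constructed).
ROOTS = ["badger", "wisconsin", "madison", "password", "summer"]
# Appendages the lecture says crackers now expect: digits, symbols, years,
# zip codes (constructed list; real rule sets hold thousands of these).
APPENDAGES = ["", "1", "12", "123", "!", "2012", "!1", "53706"]


def candidates(roots=ROOTS, appendages=APPENDAGES):
    """Yield guesses in the order a rule-based cracker tries them: the root,
    its Capitalised and UPPER forms, then root+appendage and appendage+root.
    An appendage buried inside the root is never produced by these rules."""
    for root in roots:
        for r in (root, root.capitalize(), root.upper()):
            for a in appendages:
                yield r + a
                if a:
                    yield a + r


def unsalted_sha256(password: str) -> str:
    """The weak scheme under attack: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target_hex: str, max_guesses: int = 100_000):
    """Offline dictionary attack. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for guess in candidates():
        guesses += 1
        if guesses > max_guesses:
            break
        if hmac.compare_digest(unsalted_sha256(guess), target_hex):
            return guess, guesses
    return None, guesses


def store_password(password: str, iterations: int = 600_000) -> str:
    """Server side: per-user random salt plus a deliberately slow KDF, so each
    guess costs the attacker `iterations` HMAC evaluations and precomputed
    tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = unsalted_sha256("Badger2012")            # root "badger" + year appendage
    print(crack_unsalted(leaked))                      # ('Badger2012', 25)
    print(crack_unsalted(unsalted_sha256("Bad2012ger")))  # (None, 225): appendage inside the root
    rec = store_password("Badger2012")
    print(verify_password("Badger2012", rec), verify_password("badger2012", rec))
```

"Badger2012" falls on the 25th guess because capitalising the root and appending a year are the first rules any cracker applies; "Bad2012ger" survives this rule set entirely, which is the slide's point. The salt and iteration count do not stop guessing, they only make each guess cost the attacker as much as it costs the server.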
Dialog Spoofing Authentication Attacks
• The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester”
• Dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use
One Time Password Devices Demystified
• Each token has a serial number that is mapped to a user-id. For example, ndavis = serial QB43
• Token and server share a secret seed for that serial; the device computes a new password from the seed and the current time, typically every 30 seconds
• The server on the other end recomputes the same value, so it knows what to expect from serial QB43 at any point in time
One Time Password Devices
• Time based
• Event based (a counter advances each time the button is pressed)
• Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others
• How can event based OTPs be defeated?
Entrust IdentityGuard Can Be Beaten With a Photocopier!
• The IdentityGuard grid card is a printed table of values; the "something you have" is ink on paper, so a photocopy is a working duplicate
One Time Passwords - Benefits
• Provides true Dual Factor authentication, making it very difficult to share
• Constantly changing password limits the damage from shoulder surfing or sniffing: a captured code is only good for the current window, and only once if the server tracks used codes. An attacker who relays it within that window still gets in, so it does not stop real-time phishing.
• Coolness factor!
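Added example (not from the lecture or any token vendor) showing what a time-based or event-based token actually computes and what the server at the other end has to track. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the RFC test-vector seed; the ndavis = QB43 mapping is the slide's, and the real-time phishing scenario is constructed to show that a code captured inside its 30-second window is still accepted.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): what the token computes, what the
server expects, and what replay protection each mode can and cannot give.
Added example for this transcript, not from the lecture or any vendor.
The seed is the RFC test-vector seed and the serial/user names are
constructed; real tokens ship with a vendor-provisioned secret seed."""
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the 30-second time step.
    This is all a 'new password every 30 seconds' token does."""
    t = int(time.time() if at is None else at) // step
    return hotp(seed, t, digits)


class OtpServer:
    """The server that 'knows what to expect from serial QB43 at any point in
    time': it holds the same seed and recomputes the code."""

    def __init__(self):
        self.users = {}   # user id -> token serial
        self.tokens = {}  # serial -> seed, mode and replay state

    def enrol(self, user: str, serial: str, seed: bytes, mode: str):
        self.users[user] = serial
        self.tokens[serial] = {"seed": seed, "mode": mode,
                               "counter": 0, "last_step": -1}

    def verify(self, user: str, code: str, now=None, look_ahead: int = 5,
               drift: int = 1):
        """Returns (accepted, reason)."""
        tok = self.tokens[self.users[user]]
        if tok["mode"] == "event":
            # Event tokens: a code stays valid until it, or a later one, is
            # used, so a phished code can be replayed days later unless the
            # server advances the counter past it on first use.
            for c in range(tok["counter"], tok["counter"] + look_ahead):
                if hmac.compare_digest(hotp(tok["seed"], c), code):
                    tok["counter"] = c + 1   # burn this and any skipped codes
                    return True, "event ok"
            return False, "event code not in look-ahead window"
        step = int(time.time() if now is None else now) // 30
        for s in range(step - drift, step + drift + 1):   # tolerate clock drift
            if hmac.compare_digest(hotp(tok["seed"], s), code):
                if s <= tok["last_step"]:
                    return False, "replay: step already used"
                tok["last_step"] = s
                return True, "time ok"
        return False, "time code outside drift window"


def real_time_phishing(seed: bytes, now: int):
    """A spoofed login page captures the code the user just typed and the
    attacker relays it 20 s later: still inside the window, so it is accepted.
    Returns the server's verdict on the attacker's attempt (constructed scenario)."""
    srv = OtpServer()
    srv.enrol("ndavis", "QB43", seed, "time")
    captured = totp(seed, at=now)            # what the user typed into the fake site
    return srv.verify("ndavis", captured, now=now + 20)


if __name__ == "__main__":
    SEED = b"12345678901234567890"           # RFC 4226 / 6238 test-vector seed
    print(hotp(SEED, 0), hotp(SEED, 1))      # 755224 287082
    print(totp(SEED, at=59, digits=8))       # 94287082
    print(real_time_phishing(SEED, 1_000_000))  # (True, 'time ok')
```

The event-mode branch answers the slide's question: an event code never expires on its own, so the server must burn it (and any skipped codes) on first use; otherwise a code copied from the display, or phished, can be replayed at leisure. The time-mode branch shows the converse limit: the code expires, but within the window a relayed code is indistinguishable from the real one.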
One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery Life
• Can be forgotten at home
• Video 1
Biometrics
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Near-uniqueness of the authentication factor (matching is statistical, so acceptance is a threshold decision rather than an exact comparison)
• Coolness factor
Biometrics Drawbacks
• Cost
• Complexity of administration
• Highly invasive
• Not always reliable – false negatives (and false positives, if the matching threshold is loosened to reduce them)
• Not foolproof
• The Gummi Bear thief! (fingerprint readers fooled by moulded gelatin fingers)
• A compromised biometric cannot be re-issued the way a password or token can
Other Biometric Methods and Associated Issues
• Comparing the face with that on a passport photograph
• Fingerprints
• DNA fingerprinting
• Iris scan
• Retina scan
• Other biometrics
• Signature
• Birthmarks – may be duplicated cosmetically
• Dentition – identity may be mistaken by lack of or falsification of dental X-ray records
Today’s Agenda
• Collect homework!
• Look at a few password cracking tools, demonstrating why username and password is weak!
• Finish lecture on Authentication!
• Class Discussion!
• Maybe Start Lecture on Cryptography!
Today's Chocolate Bar! - Twix
• Made by Mars
• Called "Raider" in Europe until 1991
• First produced in the UK in 1967
• Introduced to the US in 1979
• Twix, Peanut Butter Twix, Cookies-n-Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc-n-Orange Twix
• Not suitable for strict vegetarians!
Digital Certificates
• A digital passport, either contained on a secure device, or on a hard disk
• The private key is protected with a password or PIN. When the key lives on a smart card or token that will not release it, this is a genuine dual factor (something you have plus something you know); a password-protected key file on a hard disk can be copied, so it is closer to a second something-you-know.
• Can be used to authenticate machines as well as humans
Digital Certificate Benefits
• True Dual Factor Authentication when the key is held in hardware
• Low variable cost to produce
• Can contain authorization data (roles, group membership) as well as identity data
Digital Certificate Drawbacks
• High fixed cost to build initial infrastructure
• Can be copied and shared if not properly stored
• Expiration
• Often require access to an interface such as a card reader or USB port, not always available at kiosks
Taking Advantage of Existing Technology
• Your mobile phone can serve as a powerful dual factor authentication device (a code-generating app on the phone is the stronger form; a code sent to the phone by SMS can be intercepted or redirected)
Shared Secret Based Authentication Mechanisms
• Kerberos • Needham-Schroeder protocol • Secure Shell • Encrypted key exchange (EKE) • Secure remote password protocol (SRP) • Closed-loop authentication • RADIUS • Diameter (protocol) • HMAC • EAP • Authentication OSID • CAPTCHA • Java Authentication and Authorization Service • Chip Authentication Program
• Note that this list mixes genuine shared-secret protocols (Kerberos, Needham-Schroeder, EKE, SRP) with transports and frameworks that carry other people's credentials (RADIUS, Diameter, EAP, JAAS, OSID), a building block (HMAC), and one item that authenticates nobody (CAPTCHA only tests for a human)
Knowledge Based Authentication
• Authenticates the user via verification of life events, usually financial in nature, such as:
• Looks great at first!
• However, most of this is public information and that which isn't public can be easily stolen
• The credit reports on which this knowledge based authentication is based often contain factual errors
• Cost!
Initial Credentialing
• The verification of an individual's or machine's identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application)
• An authentication credential is only as trustworthy as the underlying credentialing process
• SSN# often serves as base identifier
• What do you think about that?
• Can you think of a more secure base identifier than SSN#? When would it have to be assigned and by whom?
Key Concepts
• Current online authentication techniques are weak at best: Most rely on multiple single factors
• Credentials are easily stolen from consumers and rarely change
• Lack of consistency in authentication processes confuses consumers
Who Is to Blame For the State of Digital Authentication?
• No individual contributor is at fault
• This is really a failure of multiple parties
• OS Providers
• Browser Providers
• Software Providers
• Security Vendors
• The Financial and Commerce Institutions
It All Starts With a Better OS
• OS Must have security/auth services baked-in
• Must not rely on 3rd party applications to enforce security/auth processes
• Best position within the consumer access stack to enforce consistency
Unified Browser and Web Design Standards Needed
• The Internet access browser must contain consistent security/auth processes and indicators for consumers
• Must not try to re-invent the security wheel continuously
• This is usually why users pick weak passwords – to preserve their sanity and avoid "token necklace" or "fat wallet syndrome"
Single Sign On (SSO), More like RSO
• Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to authenticate once and then reach multiple applications within an enterprise without logging in again. Merely using the same id and password everywhere is password synchronization, not SSO.
• True SSO is rare, but Reduced Sign On is quite workable
Single Sign On Benefits
• Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
• End to end user audit sessions to improve security reporting and auditing
• Removes application developers from having to understand and implement identity security in their applications
• Usually results in significant password help desk cost savings
Document Authentication
• Humans and machines are easy to authenticate, but what about documents?
• Digital certificates to the rescue
• A digital signature, generated with the author's private key and checked against the public key in the author's certificate, shows that the holder of that key signed the document and that the contents have not been altered since; the certificate is what ties the key to a named person
Authentication Federation
• The average user today interacts with all sorts of social, business, financial and government agencies digitally.
• Each of these requires its own id and password as user authentication.
• As a result, the user is increasingly frustrated with:
• Having to remember multiple user ids and passwords
• Providing more identity information than they would otherwise choose to each entity
Authentication Federation
• Allows transitive trust among institutional membership
• For example, if Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc.
• Hard to enforce credentialing standards
• Relies a LOT on trusting that the other institution did the right thing
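The document-authentication slide and the federation example above both come down to the same mechanism: a private-key signature that a relying party checks with the matching public key. Here is an added example (editor's code, not from the lecture or from any federation product) that signs a document, then reuses the same signing step for a UW-to-Penn-State style assertion carrying an opaque pseudonym instead of a name. It requires the third-party `cryptography` package. The key pairs are generated on the fly, so the certificate step (a CA binding the public key to "UW" or to an author) is assumed rather than shown; the claim names, the identity-provider pseudonym secret and the institution names are constructed for the example.

```python
"""Signing a document, and a federated login assertion, with a private key.
Added example for this transcript, not from the lecture. Needs the
third-party `cryptography` package. Keys are generated on the fly, so the
certificate step (a CA binding the public key to 'UW' or to an author) is
assumed rather than shown; the pseudonym secret, the claim names and the
institution names are constructed for the example."""
import hashlib
import hmac
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)


def sign_document(private_key: Ed25519PrivateKey, document: bytes) -> bytes:
    """Signature over the whole document; any later change breaks it."""
    return private_key.sign(document)


def verify_document(public_key: Ed25519PublicKey, document: bytes,
                    signature: bytes) -> bool:
    """True only if `signature` was made over exactly these bytes by the key
    matching `public_key`. This proves possession of the private key; the
    certificate (not shown) is what binds that key to a named author."""
    try:
        public_key.verify(signature, document)
        return True
    except InvalidSignature:
        return False


def pseudonym(user: str, audience: str, idp_secret: bytes) -> str:
    """Per-relying-party opaque id: the relying party learns neither the name
    nor an identifier it could correlate with another site."""
    msg = f"{user}|{audience}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


def issue_assertion(idp_key, idp_secret, issuer, audience, user, affiliation,
                    now, ttl=300):
    """Identity provider side (UW): sign a short-lived statement that an
    authenticated, authorised member is asking, without releasing the name."""
    claims = {"iss": issuer, "aud": audience,
              "sub": pseudonym(user, audience, idp_secret),
              "affiliation": affiliation, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return payload, sign_document(idp_key, payload)


def accept_assertion(idp_public_key, expected_issuer, expected_audience,
                     payload, signature, now):
    """Relying party side (Penn State): check the signature before trusting
    any claim, then issuer, audience and validity window.
    Returns (ok, reason, claims)."""
    if not verify_document(idp_public_key, payload, signature):
        return False, "bad signature", None
    claims = json.loads(payload)
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer", claims
    if claims.get("aud") != expected_audience:
        return False, "assertion meant for another relying party", claims
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return False, "expired or not yet valid", claims
    return True, "ok", claims


if __name__ == "__main__":
    uw_key = Ed25519PrivateKey.generate()
    uw_pub = uw_key.public_key()
    doc = b"Information Systems 365, lecture notes on authentication"
    sig = sign_document(uw_key, doc)
    print(verify_document(uw_pub, doc, sig), verify_document(uw_pub, doc + b".", sig))
    payload, asig = issue_assertion(uw_key, b"idp-secret", "uw", "psu",
                                    "ndavis", "member", now=1000)
    print(payload.decode())
    print(accept_assertion(uw_pub, "uw", "psu", payload, asig, now=1010)[:2])
```

The audience check is what keeps an assertion issued for Penn State from being replayed to a third institution, and the expiry bounds how long a stolen one is useful. Everything Penn State learns about Nick is the pseudonym and the affiliation, which is the federation slide's "without giving out my name" in practice; the slide's caveat still holds, because Penn State has no way to check how carefully UW credentialed him in the first place.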
Wireless Authentication
• Wiring actually provides an additional layer of protection, requiring physical access
• Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access
• Authenticate with username/password + MAC address, for example (bear in mind that a MAC address is transmitted in the clear and is trivially spoofed, so it is a filter, not an authentication factor)
• Put the wireless network on a firewalled subnet
• WPA is better than WEP, but not the answer to everything
• "Opportunity to Authenticate" is the principle to keep in mind here as the most serious threat…
Securing Wireless Network Authentication
• All wireless LAN devices need to be secured, MAC address, static IP address, secure subnet, etc.
• All users of the wireless network need to be educated in wireless network security
• All wireless networks need to be actively monitored for weaknesses and breaches
Wireless is Still Too New to Be Trusted
• Too many competing protocols, each of which can have its own set of security risks
• WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI…The list goes on!
Remaining Issues With Authentication
• Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue
• Currently, when we send email, we simply trust that an address claiming to be the President really belongs to the President… This isn't sufficient
• We need a method to look up people in a trustworthy manner
• Trusted and centralized LDAP to the rescue!
• Sadly, inter-organizational trusted LDAP access isn't used.
The Best Solution is a Hybrid Solution
• No, not that kind of hybrid! Way overused term
• Passwords can be guessed or hacked
• Physical devices can be stolen
• Biometrics are costly and unreliable
• Use a mix of the above technologies to achieve the best authentication security
• Audit, Audit, Audit!!!
What Does the Future Hold?
• Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”?
• Benefits of a federal digital identity system?
• Drawbacks of a federal digital identity system?
• How do you feel about the current state of electronic authentication systems?