Presentation Transcript
Passwords, Authentication, and Access controls

Lesson 11


Authentication & Access Controls


Authentication

  • “Authentication is the process of determining whether information is trustworthy and genuine.”

  • Key question for computers and networks is how do you verify that the user is who they claim to be?

  • 3 general methods to authenticate

    • Something you know

    • Something you have

    • Something about you/that you are

  • Dorothy Denning adds a fourth: somewhere you are (location)


Something you Know

  • Most common technique for authentication: the userid/password combination

    • Theoretically not a bad technique if the password is chosen correctly

    • Password length and the size of the character set together determine how hard a password is to guess: with N possible characters and length L there are N^L candidates, so every extra character multiplies the attacker's work by N

      • For example, if lower case alphabet used:

        • 1 character length = 26 possible passwords

        • 2 character length = 26 x 26 = 676 possible passwords

        • 3 character length = 26 x 26 x 26 = 17,576, and so on

      • If upper and lower case alphabetic characters used

        • 1 character length = 52 possible passwords

        • 2 character length = 52 x 52 = 2704 possible passwords

        • 3 character length = 52 x 52 x 52 = 140,608 possible passwords
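The counting rule behind the 26^L and 52^L figures above, carried through for larger character sets and turned into the number an attacker cares about (time to exhaust the space at a given guessing rate). This is an added example, not part of the original slides; the 1e10 guesses/second figure is an assumed rate for an offline attack on a fast unsalted hash, and the entropy figure assumes the password was picked uniformly at random, which the following slides show human-chosen passwords are not.

```python
import math

# Added example: the counting rule behind the slide's 26^L / 52^L figures,
# generalised to other character sets and to the attacker's cost.
CHARSETS = {
    "lower":           26,   # a-z
    "mixed":           52,   # a-z A-Z
    "mixed+digits":    62,   # a-z A-Z 0-9
    "printable ASCII": 95,   # everything typeable on a US keyboard
}

def search_space(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters: charset_size ** length."""
    return charset_size ** length

def cumulative_space(charset_size: int, max_length: int) -> int:
    """Everything an exhaustive attacker must try for lengths 1..max_length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))

def entropy_bits(charset_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits (log2 of the search space)."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guessing rate."""
    return cumulative_space(charset_size, length) / guesses_per_second

def strength_table(guesses_per_second: float = 1e10):
    """Rows of (charset, length, candidates, bits, days to exhaust). The 1e10/s rate is an
    assumed figure for an offline attack on a fast unsalted hash; online guessing against a
    login prompt is many orders of magnitude slower."""
    rows = []
    for name, n in CHARSETS.items():
        for length in (6, 8, 10, 12):
            rows.append((name, length, search_space(n, length),
                         round(entropy_bits(n, length), 1),
                         round(seconds_to_exhaust(n, length, guesses_per_second) / 86400, 2)))
    return rows

if __name__ == "__main__":
    for name, length, space, bits, days in strength_table():
        print(f"{name:16} len {length:2}  {space:>25,d} candidates  {bits:5.1f} bits  {days:>14,.2f} days")
```

Reading the table: going from lower case to mixed case at length 3 multiplies the space by 8 (2^3), while adding one more lower-case character multiplies it by 26. Length buys more than character-set tricks, which is why the later "rules for passwords" slide recommends pass-phrases.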


Three Reasons Default accounts are left active

  • The admin is not aware they exist or doesn’t know how to disable them.

  • The admin wants a “failsafe” mechanism (in case the vendor needs to access the system should a major problem occur)

  • The admin wants to make sure that he/she doesn’t get locked out


Passwords

  • The problem with passwords is that people don’t always pick good ones.

Passwords cracked from a sample set of 13,797 (from: Network and Internetwork Security by Stallings):

  Type of password        Number of matches   Percentage
  User/account name                    368        2.7%
  Common names                         548        4.0%
  Female names                         161        1.2%
  Male names                           140        1.0%
  Phrases & patterns                   253        1.8%
  Dictionary word                     1027        7.4%
  Machine names                        132        1.0%
  Science fiction                       59        0.4%

A total of 3,340 passwords (24.2% of the sample) were guessed. The rows above account for only 2,688 of them; the slide reproduces a subset of the categories in the source table.


Passwords used in Morris Worm


Experience from the author

  • “I started tracking statistics when I performed security assessments and began to notice an interesting trend. Eighty percent of all the salespeople that I came in contact with had a password of either golf or bogey. If you know the user ID of a salesperson’s account and you want to get into his account, try these two passwords and your chances of success are very high.”


So you want to guess a password

  • If you know anything about the person, you have a chance of guessing the password. The book uses the following examples for a user “John”; try:

    • Sally (his wife)

    • George (his child)

    • Randoff (his wife’s maiden name)

    • Tennis (John’s favorite sport)

    • March9 (birthday of John, his child or his wife)

    • Waterfall (a poster or some object seen in office)

    • Alpha (the brand of computer John uses)


Rules for passwords

  • Don’t pick an easy one to guess

    • mix upper and lower case, add special characters and numbers

    • at least 6 characters in length, 8 better, 10 even better (these are the book's figures; current guidance such as NIST SP 800-63B puts more weight on length and on screening candidates against lists of breached and common passwords than on composition rules)

    • consider pass-phrases instead of single dictionary words

  • Don’t write it down

  • Don’t reuse previous passwords (and don’t just append a # to the old one; that is the first mutation a cracker tries)

  • Change it on a regular basis (but not too often), e.g. every 45 days (forced periodic rotation is no longer recommended by NIST SP 800-63B; rotate when compromise is suspected)

  • If you’re the sysadmin, run a password cracker against your own password file periodically, and control who sees the results

  • If one-time passwords are possible, consider using them (they have their own problems though)
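The two preceding slides together describe one procedure: build guesses from what you know about the person ("So you want to guess a password") and run them against the password file ("if you’re the sysadmin, run a password cracker periodically"). The following is an added example, not code from the book or the slides. It turns the slide's facts about John into a candidate list using a few assumed mutation rules (case, trailing digit or symbol, a year, leet substitutions), then audits a constructed password file. SHA-256 with a per-user salt stands in for whatever hash format a real system uses (crypt, bcrypt, NT hashes); a real audit must match the target's format.

```python
import hashlib

# Added example. The facts are the slide's "John" (constructed); the hashes below are
# computed here with SHA-256 as a stand-in for the system's real password hash format.

JOHN_FACTS = {
    "spouse": "Sally", "child": "George", "maiden_name": "Randoff",
    "sport": "Tennis", "birthday": "March9", "office_poster": "Waterfall",
    "computer": "Alpha",
}

def mutate(word: str, years=("2023", "2024")) -> set:
    """Cheap transformations real users apply to a base word (assumed rules): case,
    a trailing digit or symbol, a year, and simple leet substitutions."""
    forms = {word, word.lower(), word.capitalize(), word.upper()}
    out = set(forms)
    for f in forms:
        out.update(f + s for s in ("!", "#", "1", "123"))   # the "just add a #" habit
        out.update(f + str(d) for d in range(10))
        out.update(f + y for y in years)
        out.add(f.replace("a", "@").replace("o", "0").replace("e", "3"))
    return out

def targeted_wordlist(facts: dict) -> list:
    """Candidates derived from what an attacker (or auditor) knows about the person."""
    words = set()
    for base in facts.values():
        words |= mutate(base.strip())
    return sorted(words)

def hash_pw(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def audit(records: dict, wordlist: list) -> dict:
    """records maps user -> (salt, hexdigest). Returns user -> recovered password for every
    account whose password is in the wordlist. This is the sysadmin's periodic check from
    the slide; the same loop is what an attacker runs against a stolen password file."""
    hits = {}
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            if hash_pw(guess, salt) == digest:
                hits[user] = guess
                break
    return hits

# Constructed password file: two weak choices drawn from John's life, one strong passphrase.
SAMPLE_RECORDS = {
    "john":  (b"salt-j", hash_pw("Sally1", b"salt-j")),
    "jdoe":  (b"salt-d", hash_pw("tennis2024", b"salt-d")),
    "alice": (b"salt-a", hash_pw("quartz-lantern-42-ember", b"salt-a")),
}

if __name__ == "__main__":
    wl = targeted_wordlist(JOHN_FACTS)
    print(f"{len(wl)} candidates;", audit(SAMPLE_RECORDS, wl))
```

A few hundred candidates are enough to recover both weak passwords; the salt only prevents one precomputed table from serving every user, it does nothing against a targeted list. Results of such an audit are themselves sensitive, which is the "control access to results" point on the password management slide.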


Another experience from the author

  • “One common check was to look for passwords that were written down. Because most users wrote their password somewhere, just in case they forgot it, this turned into a battle to see how well the user could hide it and how well the reviewers would search to find it. The creative lengths users would go to always amazed me. Some users would hide their password in their rolodex under a certain name. One clever individual even wrote it on the bottom of his shoe… The key to remember is that users will get creative, but the creativity is limited, which means that if an attacker wants to find the password, he can.”


Password Management

  • Password management issues

    • Default accounts

    • Easily guessed or cracked passwords

    • Accounts with no password set

    • Shared accounts

    • Password aging

    • Password policy enforcement

    • Password auditing

      • Audit frequency

      • Control access to results


Cracking Passwords


One-Time Passwords

  • User is given a device that generates a new password at fixed time intervals (e.g. every minute)

  • The device and the server share a secret key and a synchronised clock, so both compute the same password for the same time interval

  • To log into the server, look at the display and type in the password you see

  • Even if the password is sniffed, it is only good for the interval in which it was generated; the server must also refuse a second use of the same code within that interval, otherwise a sniffed code can be replayed immediately


Questionnaires

  • Another “something you know” method

  • The user is validated by answering a series of questions that an intruder is unlikely to know.

  • Examples include:

    • name of pet, favorite teacher, favorite color…

    • the user may even be asked to write his/her own question

  • Not suitable for high-security situations, since many of these answers are public or easy to research; used frequently on the web as a secondary method, e.g. for password reset.


Something you have

  • Usually combined with the userid/password method, so that a stolen token alone is not enough

  • Physical keys

  • Magnetic cards

    • information stored on card, example is credit card

  • Smart cards

    • more information stored, may be encrypted

  • “calculators”

    • device that looks like (and may even function as) a calculator.

    • The process may proceed as follows (a challenge-response):

      • user presents userid or name

      • system responds with a random challenge

      • user keys the challenge into the calculator, which computes a response from the challenge and its secret key

      • user supplies the response to the system, which recomputes it with its own copy of the key and compares
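The four-step calculator exchange above, with both sides' messages, as an added example that is not from the slides. The device is modelled as HMAC-SHA256 over the challenge, truncated to decimal digits the user can type; key bytes, user names and the `ChallengeServer` class are this example's assumptions, not a description of any particular product.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: the four-step "calculator" exchange as a keyed
# challenge-response. Key bytes and user names below are constructed.

def calculator_response(device_key: bytes, challenge: str, digits: int = 8) -> str:
    """Step 3, inside the hand-held device: mix the challenge with the device's secret key
    and show the result as decimal digits the user can type."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class ChallengeServer:
    """Steps 1, 2 and 4 on the system side."""

    def __init__(self, device_keys: dict, digits: int = 8):
        self.device_keys = device_keys          # userid -> key programmed into that user's device
        self.digits = digits
        self.pending = {}                       # userid -> outstanding challenge (single use)

    def begin(self, userid: str) -> str:
        """Steps 1/2: the user presents a userid, the system answers with a fresh random
        challenge. One is issued even for unknown userids so the prompt does not reveal
        which accounts exist; 64 bits of randomness means it will not repeat in practice."""
        challenge = secrets.token_hex(8)
        self.pending[userid] = challenge
        return challenge

    def finish(self, userid: str, response: str) -> bool:
        """Step 4: recompute the expected response with the server's copy of the key and
        compare in constant time. The challenge is consumed whether or not the attempt
        succeeds, so a sniffed response cannot be replayed against the same challenge.
        The length check matters: an empty response must not compare equal to anything."""
        challenge = self.pending.pop(userid, None)
        key = self.device_keys.get(userid)
        if challenge is None or key is None or len(response) != self.digits:
            return False
        expected = calculator_response(key, challenge, self.digits)
        return hmac.compare_digest(expected, response)

JOHN_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed

if __name__ == "__main__":
    server = ChallengeServer({"john": JOHN_KEY})
    ch = server.begin("john")                       # shown to John on the login prompt
    resp = calculator_response(JOHN_KEY, ch)        # John keys ch into his calculator
    print("login:", server.finish("john", resp))    # True
    print("replay:", server.finish("john", resp))   # False: challenge already consumed
```

Unlike the time-based token on the earlier slide, nothing here depends on clocks; the price is an extra round trip and a user who has to type the challenge in by hand, which is why these devices keep the challenge short.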


Something about you

  • Biometrics, for example:

    • Voice prints

    • Fingerprint

    • Retinal scan

    • Hand geometry

    • Signature analysis


Problems with the 3 basic Authentication Techniques

  • Something you know:

    • people write things down, they choose poorly

  • Something you have

    • requires additional hardware ($)

    • People lose them

  • Something about you

    • requires additional hardware ($$)

    • things about you can change


Location-Based Authentication

  • Involves authenticating entities based on geodetic location (latitude, longitude, altitude).

  • Grounds cyberspace in the real world, aids in stopping spoofing attempts.

  • Uses GPS to compute and validate a location.

  • Best suited for fixed sites -- wouldn’t work for portable laptops.

  • Expensive equipment; potential for DoS if the GPS signal is jammed, and civilian GPS is an unauthenticated broadcast that can also be spoofed.

    • May also be used offensively to track a user’s location


Access Controls

  • “Access controls serve to enforce an authorization policy, which specifies what activity is allowed and who is allowed to initiate it.”

  • Governs not only activities by human actors but non-human actors as well.

  • Can apply to any media – print, tapes, networks, memory, . . .


NT Access Control Lists (ACL)

  • All securable objects are assigned a security descriptor when created.

    • Descriptor controls who has what access to the object

    • Consists of

      • Owner SID: The owner’s security ID

      • Group SID: The security ID of the primary group.

      • Discretionary Access Control List (DACL): specifies who has what access to the object.

      • System Access Control List (SACL): Specifies which operations by which users should be logged in the security audit log.


NT ACLs

  • The access control list is made up of an ACL header and zero or more access control entry (ACE) structures. A DACL with zero ACEs (an empty DACL) grants no user access to the object. This is different from a null DACL, where the security descriptor has no DACL at all: a null DACL grants everyone full access. The two are easy to confuse, and the second is a common misconfiguration.

Example (the figure on the slide): the security descriptor of a file object points to a DACL whose header is followed by three ACEs, evaluated in this order:

  ACE 1:  Allow  DAVEC     Read data
  ACE 2:  Allow  TEAMA     Read data, Write data
  ACE 3:  Allow  Everyone  File execute
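The access check applied to the DACL above, as an added example that is not from the slides: a simplified model of how NT walks the ACE list in order, with the null-DACL and empty-DACL cases and the effect of ACE ordering. Access-mask constants, SID names and the `access_check` function are this example's simplifications (real masks are 32-bit and the real algorithm also grants the owner READ_CONTROL/WRITE_DAC implicitly); the three ACEs are the ones drawn on the slide.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not from the slides. A model of the NT access check: access masks and
# rights are simplified, and the ACEs are the three from the figure above.

READ_DATA, WRITE_DATA, EXECUTE = 0x1, 0x2, 0x20     # subset of the file-object access mask

@dataclass
class ACE:
    kind: str      # "allow" or "deny"
    sid: str       # trustee: a user or group SID (names used here for readability)
    mask: int      # rights this ACE grants or denies

@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[list]                       # None = NULL DACL; [] = empty DACL
    sacl: list = field(default_factory=list)   # audit ACEs; not consulted for the decision

def access_check(sd: SecurityDescriptor, token_sids: set, desired: int) -> bool:
    """Walk the DACL in order, the way AccessCheck does:
    - NULL DACL: no protection at all, everyone gets every right (a classic misconfiguration)
    - empty DACL: nobody gets anything
    - otherwise ACEs apply in list order; a deny ACE overlapping any right still outstanding
      ends the check, an allow ACE accumulates rights; success once all are granted."""
    if sd.dacl is None:
        return True
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        outstanding = desired & ~granted
        if ace.kind == "deny":
            if ace.mask & outstanding:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired

# The DACL drawn on the slide (ACE order matters, so this is a list).
SLIDE_DACL = [
    ACE("allow", "DAVEC", READ_DATA),
    ACE("allow", "TEAMA", READ_DATA | WRITE_DATA),
    ACE("allow", "Everyone", EXECUTE),
]
FILE_SD = SecurityDescriptor(owner="DAVEC", group="TEAMA", dacl=SLIDE_DACL)

def demo() -> dict:
    """Decisions for a few tokens; a token carries the user's SID plus all group SIDs."""
    davec = {"DAVEC", "Everyone"}
    bob_in_teama = {"BOB", "TEAMA", "Everyone"}
    guest = {"GUEST", "Everyone"}
    # A canonical DACL lists deny ACEs before allow ACEs. Put the deny after the allow and
    # it is never reached for the right it was meant to block.
    canonical = SecurityDescriptor("DAVEC", "TEAMA", [ACE("deny", "Everyone", EXECUTE)] + SLIDE_DACL)
    non_canonical = SecurityDescriptor("DAVEC", "TEAMA", SLIDE_DACL + [ACE("deny", "Everyone", EXECUTE)])
    return {
        "davec read":                 access_check(FILE_SD, davec, READ_DATA),             # True
        "davec write":                access_check(FILE_SD, davec, WRITE_DATA),            # False
        "davec read+execute":         access_check(FILE_SD, davec, READ_DATA | EXECUTE),   # True, via two ACEs
        "bob read+write":             access_check(FILE_SD, bob_in_teama, READ_DATA | WRITE_DATA),  # True
        "guest read":                 access_check(FILE_SD, guest, READ_DATA),             # False
        "empty dacl, davec read":     access_check(SecurityDescriptor("DAVEC", "TEAMA", []), davec, READ_DATA),     # False
        "null dacl, guest write":     access_check(SecurityDescriptor("DAVEC", "TEAMA", None), guest, WRITE_DATA),  # True
        "canonical deny execute":     access_check(canonical, guest, EXECUTE),             # False
        "non-canonical deny execute": access_check(non_canonical, guest, EXECUTE),         # True: deny too late
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28} {'granted' if allowed else 'denied'}")
```

The last two rows are the practical lesson: the Windows tools that edit ACLs keep the list in canonical order for you, but code that builds a DACL by hand and appends a deny ACE at the end has written a deny that never fires.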


Protection Bits

  • A compact alternative to full ACLs.

  • Protection bits are attached to each file, but instead of listing every user they specify permissions for a few fixed classes of user.

  • Sometimes referred to as “permission bits”.

  • Example classes: Owner, Group, World

  Example (five rights per class, R W E D L):

               Owner          Group          World
               R W E D L      R W E D L      R W E D L
    File 1     r w x - -      r - x - -      - - x - -
    File 2     r - x d -      r - x - -      - - - - -


Protection Bits

Generalized example: five rights per class (R W E D L)

               Owner        Group        World
               R W E D L    R W E D L    R W E D L

UNIX example: three rights per class (R W E)

               Owner    Group    World
               R W E    R W E    R W E
               1 1 1    1 0 1    0 0 1
                 7        5        1

i.e. owner R W E, group R - E, world - - E, written in octal as 751. Thus the permission set for this object can be contained in 9 bits.
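The 9-bit UNIX encoding above and the rule that decides which class applies, as an added example that is not from the slides. The conversions are the standard ones (`ls -l` string to octal and back, cross-checked against the standard library); the uid/gid values are constructed, and `permitted` is a model of the kernel's check for an unprivileged caller, not a call into the kernel.

```python
import stat

# Added example, not from the slides: the 9-bit UNIX permission set from the slide and the
# rule that picks which class applies. uid/gid values are constructed.

CLASS_SHIFT = {"owner": 6, "group": 3, "world": 0}
BIT = {"r": 4, "w": 2, "x": 1}

def symbolic_to_octal(sym: str) -> int:
    """'rwxr-x--x' -> 0o751: three triples, each read as a 3-bit number."""
    if len(sym) != 9:
        raise ValueError("expected 9 characters, e.g. rwxr-x--x")
    mode = 0
    for i in range(0, 9, 3):
        digit = 0
        for ch, (letter, weight) in zip(sym[i:i + 3], BIT.items()):
            if ch == letter:
                digit |= weight
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} at position {i}")
        mode = (mode << 3) | digit
    return mode

def octal_to_symbolic(mode: int) -> str:
    """0o751 -> 'rwxr-x--x'."""
    return "".join(letter if (mode >> shift) & weight else "-"
                   for shift in (6, 3, 0) for letter, weight in BIT.items())

def cross_check(mode: int) -> bool:
    """Agree with the standard library's rendering of the same bits (what ls -l prints)."""
    return stat.filemode(stat.S_IFREG | mode)[1:] == octal_to_symbolic(mode)

def applicable_class(file_uid: int, file_gid: int, uid: int, gids: set) -> str:
    """Exactly one class applies: owner if the uid matches, else group if the file's group
    is among the caller's groups, else world. The most permissive class is NOT chosen."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "world"

def permitted(mode: int, file_uid: int, file_gid: int, uid: int, gids: set, want: str) -> bool:
    """Check one right ('r', 'w' or 'x') for an unprivileged caller (root, which bypasses the
    read/write checks, is not modelled)."""
    shift = CLASS_SHIFT[applicable_class(file_uid, file_gid, uid, gids)]
    return bool((mode >> shift) & BIT[want])

if __name__ == "__main__":
    mode = symbolic_to_octal("rwxr-x--x")
    print(oct(mode), octal_to_symbolic(mode), cross_check(mode))
    # The owner of a mode-057 file cannot read it even though group and world can.
    print(permitted(0o057, 1000, 100, 1000, {100}, "r"))   # False
```

The mode-057 case is the one that surprises people: because only one class is consulted, a file can be readable by everyone except its owner. Per-class bits cannot express "these three users but not that one", which is the gap the ACL slides above fill.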


  • Login