Computer security protection in general purpose operating systems
This presentation is the property of its rightful owner.
Sponsored Links
1 / 21

Computer Security Protection in general purpose Operating Systems PowerPoint PPT Presentation


  • 238 Views
  • Uploaded on
  • Presentation posted in: General

Computer Security Protection in general purpose Operating Systems. Entity Authentication. Entity Authentication is the process of verifying a claimed identity It is based on: something the entity knows something the entity holds something the entity is something the entity does

Download Presentation

Computer Security Protection in general purpose Operating Systems

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Computer security protection in general purpose operating systems

Computer SecurityProtection in general purpose Operating Systems


Entity authentication

Entity Authentication

EntityAuthentication is the process of verifying a

claimed identity

It is based on:

  • something the entity knows

  • something the entity holds

  • something the entity is

  • something the entity does

  • where the entity is


Something the entity knows

Something the entity knows

The user has to know some secret, such as a

password or a personal identification number (PIN).

Threats

Anybody who knows your secret “is you”!


Something the entity holds

Something the entity holds

The user has to present a physical token (such as key,

an identity tag, a card) to be authenticated.

Threats

The token can be lost or stolen!


Something the entity is

Something the entity is

Use biometrics, such as fingerprints, palm prints, iris

patterns, or retina patterns.

With biometrics a stored pattern is compared to an actual

taken measurement.

Problems

False positives (accepting the wrong entity) and false

negatives!

Many users find biometrics unacceptable.

Gruesome threats of the kind used in some Hollywood thrillers!


Something the entity does

Something the entity does

People perform some mechanical tasks in a way that is both

repeatable and specific to the individual.

Examples

  • hand written signatures

  • on a writing pad

    • the writing speed/pressure of a hand written signature

  • on the keyboard

    • the typing speed and intervals between strokes

      Problems

      False positives (accepting the wrong entity) and false negatives!


Where the entity is

Where the entity is

The system may take into account the location of the login.

For example, access may only be granted from certain terminals.

With mobile and distributed computing the precise

geographical location can be established during

authentication by using the services of a global

positioning system (GPS).


Usernames passwords

Usernames & Passwords

The most common authentication mechanism.

Although password protection seems to offer relatively good

security, human practice degrades its quality.

Attacks on passwords

  • Exhaustive search

  • Try many probable passwords

  • Try likely passwords for the user

  • Search for the system list of passwords.

  • Ask the user!


Exhaustive search attacks

Exhaustive search attacks

If passwords are words consisting of the 26 characters A-Z

and have length 8, then we are altogether 268 passwords.

This is roughly 2*1011, which seems enough intractable.

It would take of the order of about 6 years to test all passwords

at the rate of 1 millisecond per password.

If we were to speed up the search to one microsecond per

password, this would come down to approximately 2 days.


Probable passwords

Probable passwords

People prefer simple passwords.

Our earlier analysis assumes that people choose

passwords such as “vxlagrst”.

Whereas in reality they tend to use names and words

they can remember.

Spelling checkers carry dictionaries of the most common English

words. The typical size of such a dictionary is 80,000 words.

This reduces the search to seconds


Passwords likely for a user

Passwords likely for a user

People prefer words which are related to them, such

as the name of a spouse, a child, a relative, a pet,

a street name or something memorable or familiar.

Some people pick a simple password and replace

certain characters such as

0 (zero) by O,

1 for letter L,

3 for letter E, etc


Passwords defenses

Passwords defenses

  • Password checkers: check password against a

    dictionary of weak passwords.

  • Password generators: users are not allowed to

    pick their own passwords.

  • Password ageing: an expiry date is set for passwords.

  • Limit login attacks.

  • Inform user after a successful login of the last

    login and the number of failed logins since then.


Spoofing attacks

Spoofing attacks

An entity enters a password and the system verifies the

entities identity.

Does that entity know who has received the password?

A spoofing attack is an attack in which:

one person or a program successfully masquerades as another by falsifying data and thereby gaining illegitimate advantage (e.g., access to a users password)


Spoofing attacks1

Spoofing attacks

Defenses

  • Display number of failed attempts

  • Use trusted paths

    (with Windows NT,

    CTRL+ALT+DEL

    invokes the OS login screen)

  • Mutual authentication: the system could be required to identify itself


Protecting the password file

Protecting the password file

To validate passwords the system compares the password

entered against a value stored in the password file.

Defenses

  • cryptographic protection (e.g. use a one-way hash function f: instead of listing passwords x, list their values f(x)

    –beware of dictionary attacks!)

  • access control enforced by the OS (e.g. restrict access to files and other resources to users holding the appropriate privileges)

  • combine both


Cryptographic protection

Cryptographic protection

Use one-way hash function f

Instead of storing the passwordx in the password list,

the hash is stored.

The password list is organized as a two column table

of user IDs (usernames) and the corresponding hashed

values

When the user logs in and enters the password x is it is

hashed (locally) into f(x). This value is then compared

with the stored value.


Cryptographic protection1

Cryptographic protection

The one-way hash function f

crypt(3) for Unix systems

This uses a slightly modified version of the encryption

scheme DES with 25 “rounds” (instead of the 16 rounds)

This encrypts the all zero block using the password x as

a key.

The encryption f(x) of the zero block is the hash value.


Cryptographic protection2

Cryptographic protection

Access control mechanisms in the OS

These restrict access to files and other resources to users

holding the appropriate privileges.

Only privileged users can have write access to the password file:

otherwise an attacker could access data of other users by

changing their password file.

If read access is restricted to privileged users then passwords

should be secure, in theory.

In practice an attacker can still use a dictionary attack.


Cryptographic protection3

Cryptographic protection

Access control mechanisms in the OS

Dictionary attacks can be prevented by using password

salting.

With salting, additional information (the salt) is appended

to the password x before it is hashed to get f(x).

This implies that even if two users have the same

password their salted hashes will be different.


Multiple passwords

Multiple passwords

For additional password protection several passwords

may used.

For example, use

  • the first password for workstation

  • the second password to get onto the network

  • the third password to access the server

  • the fourth to access the database management

    system

  • etc


Passwords single sign on

Passwords –Single sign-on

Remembering many passwords is rather inconvenient.

A single sign-on service solves this problem. You enter

your password once, the system stores it, and then uses

it whenever you have to authenticate yourself again.

However this raises new security concerns.

How do you protect the stored password?

(the password needs to be in cleartext)


  • Login