ch 4 - sm.luth.se

Computer System Security and Management
Identification and Authentication
When you log in to a system you enter a username and a password.
Username = Identification (who you claim to be)
Password = Authentication (proof of that claim)
If the username or the password is incorrect, the login fails.
Some systems keep a count of failed login attempts and prevent or delay further
attempts once a certain threshold has been reached.
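The counter described above, as an added example (not code from the slides): a minimal login routine that separates identification (looking up the username) from authentication (checking the password) and refuses further attempts for a while once a user has reached the failure threshold. The credential store, the salted SHA-256 digest and the thresholds are constructed for the demo; a real system would use a purpose-built password hash.

```python
import hashlib
import hmac


def _digest(salt: bytes, password: str) -> bytes:
    """Salted one-way function for the demo store. Real systems use a slow,
    purpose-built password hash (sha512crypt, bcrypt, Argon2); plain SHA-256
    is used here only so the example has no dependencies."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed credential store: username -> (salt, digest). Not real accounts.
USERS = {
    "alice": (b"s1", _digest(b"s1", "correct horse")),
}


class LoginThrottle:
    """Identification (username lookup) plus authentication (password check),
    with a per-user failure counter: after THRESHOLD consecutive failures the
    account is refused for LOCKOUT seconds counted from the last failure.
    The caller passes the clock (`now`) so behaviour is deterministic."""

    THRESHOLD = 3
    LOCKOUT = 60.0

    def __init__(self):
        self.failures = {}  # username -> (failure_count, time_of_last_failure)

    def login(self, username: str, password: str, now: float) -> str:
        count, last = self.failures.get(username, (0, 0.0))
        if count >= self.THRESHOLD and now - last < self.LOCKOUT:
            return "locked"  # refused without even examining the password

        record = USERS.get(username)
        # Do the same amount of work whether or not the user exists, and compare
        # in constant time, so an attacker cannot tell "no such user" from
        # "wrong password" by timing the response.
        salt, stored = record if record is not None else (b"", b"\0" * 32)
        computed = _digest(salt, password)
        ok = record is not None and hmac.compare_digest(computed, stored)
        if ok:
            self.failures.pop(username, None)  # success resets the counter
            return "ok"
        self.failures[username] = (count + 1, now)
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t, pw in enumerate(["guess1", "guess2", "guess3", "correct horse"]):
        print(t, throttle.login("alice", pw, float(t)))
    print(70, throttle.login("alice", "correct horse", 70.0))
```

Note that the counter is reset only by a successful login, so one more wrong password after the lockout expires locks the account again immediately. Locking by username also means an attacker who knows a victim's username can lock the victim out deliberately, which is why many systems prefer increasing delays or per-source rate limits to a hard lock.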
Bootstrapping password protection
• How do you bootstrap a system so that the password ends up in the right places, but
nowhere else?
• A password could be sent by post, by email, by phone, or entered by the user on a web
page.
• There is always a risk that the password is stolen on the way.
• Some solutions:
  - Passwords that are valid only for a single login, so that the user has to
    change to a new password immediately.
  - Send the password by courier with personal delivery.
  - Enter a password on a web page and send a confirmation by SMS.
Guessing passwords
Password choice is a critical security issue.
The following strategies can be used to guess passwords:
• Exhaustive search (brute force): try all possible combinations of valid symbols, up
to a certain length.
• Intelligent search: try passwords that are somehow associated with the user, such as
their name, the names of friends and relatives, etc.
The usual form of intelligent search is the dictionary attack: trying all the passwords in a
dictionary of likely candidates.
Common sense:
• Change default passwords.
• Consider password length: at least 8 characters.
• Consider password format: mix upper and lower case letters and include
digits and non-alphabetic symbols.
• Avoid obvious passwords.
Guessing passwords (continued)
The system can help to improve password security:
• Password checkers: check new passwords against a dictionary of weak passwords
and prevent users from choosing them.
• Password generation: the password is generated by the system.
• Password ageing: force the user to change the password after, say, 30 days.
• Limit login attempts: lock the user account after a number of unsuccessful login attempts.
Problem:
Users are unlikely to memorise long and complicated passwords.
Such passwords end up written down on a piece of paper kept close to the computer.
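A password checker implementing the two slides above, as an added example (not code from the slides): it enforces the common-sense rules (length, mixed case, digits, symbols), rejects default and dictionary passwords, and also catches the "intelligent search" case where the password is built from the username or a relative's name. The weak-word and default-password lists are small constructed stand-ins for a real wordlist, and the leet-speak substitution table is an assumption of this example.

```python
import re
from typing import List, Sequence

# Constructed mini dictionary of weak passwords; a real checker loads a large
# wordlist (breached-password lists are the most effective).
WEAK_WORDS = {"password", "letmein", "qwerty", "welcome", "admin", "123456"}

# Hypothetical factory defaults; "change the default password" means none of
# these may survive first use.
DEFAULT_PASSWORDS = {"admin", "root", "changeme", "default"}

# Undo common substitutions so that "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("013457@$!", "oleastasi")


def normalise(s: str) -> str:
    """Lowercase and strip the usual digit/symbol-for-letter substitutions."""
    return s.lower().translate(LEET)


def check_password(username: str, candidate: str,
                   personal: Sequence[str] = (), min_length: int = 8) -> List[str]:
    """Return the rules the candidate violates (an empty list means accepted).

    `personal` holds names an attacker could associate with the user (friends,
    relatives, pets): the slides' 'intelligent search' candidates."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        problems.append("does not mix upper and lower case")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("contains no non-alphanumeric symbol")

    # Look at both the plain lowercase form and the de-leeted form, so that
    # numeric weak words ("123456") and disguised ones ("P@ssw0rd") are both caught.
    forms = {candidate.lower(), normalise(candidate)}
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("is a default password")
    if any(f in WEAK_WORDS for f in forms) or any(
            w in f for f in forms for w in WEAK_WORDS if len(w) >= 5):
        problems.append("is in (or built from) the weak-password dictionary")
    for word in (username, *personal):
        w = normalise(word)
        if len(w) >= 3 and any(w in f or w[::-1] in f for f in forms):
            problems.append(f"is derived from {word!r}")
    return problems


if __name__ == "__main__":
    for user, pw in [("alice", "P@ssw0rd"), ("alice", "Alice2012!"),
                     ("carol", "Sp0t-Rover7"), ("alice", "Tr0ub4dor&3")]:
        print(user, pw, check_password(user, pw, personal=("Rover",)) or "accepted")
```

The composition rules reproduce the slides' 2012-era advice. Current guidance (for example NIST SP 800-63B) drops mandatory character-class rules and periodic ageing in favour of a length minimum plus screening against breached-password lists, because composition rules push users towards predictable patterns such as a capital first letter and a trailing digit.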
Phishing, spoofing and social engineering
In phishing and spoofing attacks the user voluntarily sends the username and password
over a channel, but is misled about the end point of the channel.
• In a spoofing attack the attacker runs a program that presents a fake login screen on
a machine.
• The victim logs in with username and password.
• The inputs are collected by the attacker's program.
• The victim remains unaware that the password has been stolen.
Countermeasures against spoofing:
• Displaying the number of failed logins may indicate to the user that an attack has
happened.
• Trusted path: guarantee that the user communicates with the OS and not with the
spoofing program (for example the secure attention key, Ctrl+Alt+Del on Windows, which
only the OS can intercept).
Phishing attacks ask users for their password under some false pretense.
Password caching
The system can cache the password temporarily in intermediate storage locations
such as buffers, caches or even a web page.
This problem is common in web browsers: the browser asks whether you would like
it to remember the username and password.
Protecting the password file
To protect the password file there are the following options:
• Cryptographic protection with a one-way function: given x it is easy to compute f(x),
but given f(x) it is hard to compute x.
• Access control enforced by the OS.
• A combination of cryptographic protection and access control.
Linux uses a shadow password file:
-rw-r----- 1 root shadow 955 Dec 18 2012 /etc/shadow
Notice that the file is not world-readable: it is owned by root and readable only by root
and members of the group shadow.
The content of the shadow file (one line per user; the password field has the form
$id$salt$hash, where $6$ selects SHA-512 crypt, and the numeric fields are day counts
since 1970-01-01):
root:$6$/X7iA72G$RgVm8vz1FqNRSX9TMVuVStKK1KMwEVMB3fNTsjyUMQewaQEgR2JWlQK6O/LKmMezPh43ZCVa94qPT1RFtpbPz0:15692:0:99999:7:::
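A parser for the shadow line shown above, together with the offline guessing it must be protected from, as an added example (not code from the slides). The parser is real shadow(5) field handling; the `toy_hash` function is a stand-in for sha512crypt (which is not in the Python standard library), constructed for this example only, so that the dictionary attack runs offline. The wordlist and the mutation rules are also constructed.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Iterator, Optional

# The /etc/shadow line from the slide, re-joined (the slide wraps it over two lines).
SHADOW_LINE = ("root:$6$/X7iA72G$RgVm8vz1FqNRSX9TMVuVStKK1KMwEVMB3fNTsjyUMQewaQEg"
               "R2JWlQK6O/LKmMezPh43ZCVa94qPT1RFtpbPz0:15692:0:99999:7:::")

FIELDS = ("name", "password", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
EPOCH = date(1970, 1, 1)


def parse_shadow(line: str) -> dict:
    """Split one shadow(5) line into its nine colon-separated fields and decode
    the $id$...$salt$hash password field. Day counts are days since 1970-01-01;
    lastchg == 0 means the password must be changed at next login."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("lastchg", "min", "max", "warn", "inactive", "expire"):
        rec[key] = int(rec[key]) if rec[key] else None
    if rec["lastchg"] is not None:
        rec["last_changed"] = (EPOCH + timedelta(days=rec["lastchg"])).isoformat()

    pw = rec["password"]
    if pw.startswith("$"):
        fields = pw.split("$")[1:]            # e.g. ['6', '/X7iA72G', 'RgVm...']
        rec["algorithm"] = CRYPT_IDS.get(fields[0], f"unknown({fields[0]})")
        rec["salt"], rec["digest"] = fields[-2], fields[-1]   # params, if any, sit between
    elif pw == "":
        rec["algorithm"] = "empty (no password required)"
    elif pw[0] in "*!":
        rec["algorithm"] = "locked (password login disabled)"
    else:
        rec["algorithm"] = "legacy DES crypt"
    return rec


def toy_hash(salt: str, password: str) -> str:
    """Stand-in one-way function for the demo: sha512(salt || password), hex.
    Real sha512crypt additionally iterates thousands of times to slow guessing;
    this substitute is NOT suitable for storing real passwords."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def mutations(word: str) -> Iterator[str]:
    """A few of the rules password crackers apply to every dictionary word."""
    for base in (word, word.capitalize()):
        for suffix in ("", "1", "123", "!"):
            yield base + suffix


def dictionary_attack(salt: str, digest: str, wordlist) -> Optional[str]:
    """What an attacker does with a copy of the file: hash each guess with the
    user's salt and compare. The salt forces this work per user instead of once
    for everyone; the file permissions are what keep the attacker from starting."""
    for word in wordlist:
        for guess in mutations(word):
            if hmac.compare_digest(toy_hash(salt, guess), digest):
                return guess
    return None


if __name__ == "__main__":
    rec = parse_shadow(SHADOW_LINE)
    print(rec["name"], rec["algorithm"], "salt", rec["salt"], "changed", rec["last_changed"])
    words = ["letmein", "secret", "sunshine"]          # constructed wordlist
    print(dictionary_attack("ab", toy_hash("ab", "Secret123"), words))
    print(dictionary_attack("ab", toy_hash("ab", "k9$Qz!pL"), words))
```

The `lastchg` value 15692 decodes to 2012-12-18, matching the modification date in the `ls -l` output on the slide. Note that a one-way function alone does not stop guessing: it only forces the attacker to try candidates, so the slow, salted hash and the file permissions work together.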
Single sign on
Single sign-on (SSO) is a session/user authentication process that permits a user to
enter one name and password in order to access multiple applications.
The process authenticates the user for all the applications they have been given
rights to and eliminates further prompts when they switch applications during a
particular session.
Alternative approaches
As a user, you can be authenticated on the basis of
• Something you know: a password, your cat's name.
• Something you hold: a key, card or identity tag.
• Something you are: a fingerprint reader, as on the iPhone 5S.
• What you do: a hand-written signature.
• Where you are: grant access only if you log on from a certain terminal.
Good book:
The Cuckoo's Egg: Tracking a Spy Through the Maze of
Computer Espionage
by Clifford Stoll