Lecture 4
Computer Network Security 1
Protection in OS
A brief history
There were no operating systems
Programs were entered by users by means of switches
Later, programs were entered by means of input devices like keyboards
Each user had exclusive access to the computing system
Time sharing
Required to load libraries, compilers, linkers, assemblers
and then clean up for the next user by removing sensitive
code or data
A brief history
The first OSs were simple utilities called executives
Designed to assist programmers and to smooth the user-to-user transition
Provided linkers and loaders, compilers and assemblers,
and automatic loading of subprograms from libraries
Multiprogramming allowed two users to interleave access
to resources of a single computing system
Researchers developed scheduling, sharing and parallel
use
A brief history
Multiprogramming OSs, called monitors, oversaw each program’s execution
While an executive stayed in the background, waiting to be called into action by the user, a monitor maintained control of the computing system and gave access to a resource only if that was consistent with good use of the system
Multiprogramming brought complications: on an executive, one user making a mistake would feel foolish but could not adversely affect the computation of another user
User authentication
An OS bases much of its protection on knowing who a user of the system is
In real life, you may ask for an ID before cashing a cheque or issuing a book
Over time, organizations and systems have developed means of authentication: documents, voice recognition, fingerprints, retina matching, etc.
In computing, the choices are limited and the possibilities are less secure. Anyone can attempt to log in to a computing system.
A computer cannot tell from electrical signals that one person is any different from another
User authentication
Most computer authentication systems must be based on something shared only between the user and the computer
Authentication mechanisms are based on:
Something the user knows: passwords, PINs, mother’s maiden name
Something the user has: identity badges, physical keys, driver’s license
Something the user is: biometrics are based on a physical characteristic of
the user, such as a fingerprint, the pattern of a person's voice.
Two or more forms can be combined for stronger security, for example a bank card and a PIN
Use of passwords
The most common authentication mechanism for
user to operating system is a password
Mutually agreed upon code words, assumed to be
known only to the system and the user
Seems to offer a relatively secure system
BUT: human practice sometimes degrades its quality
Passwords: loose-lipped systems
Consider a would-be intruder who knows nothing of the system:
Enter a common name as the user name; the system replies either "Invalid user name" or with a password dialog
Enter a guessed password
The intruder finds out which OS is running and a valid user name
Passwords: additional
authentication information
Day and time of access
Location of access
Attacks on passwords
Passwords are somewhat limited as protection devices because of the relatively small number of bits of information they contain.
Here are some ways you might be able to
determine a user's password.
Try all possible passwords
Try many probable passwords
Try passwords likely for the user
Search for the system list of passwords
Ask the user
Exhaustive attack: brute force
All possible passwords: usually automated
If a system has a maximum password length of 8 alphabetic characters (26 possibilities per position):
26^1 one-character passwords
26^2 two-character passwords
26^8 eight-character passwords
26 + 26^2 + … + 26^8 = 5 million in total
At one password per millisecond, it will take only 150 years to try all possibilities
At one password per microsecond, only two months
Probable passwords
We prefer shorter passwords that are easy to remember, spell and pronounce
At one password per millisecond, it takes only 18.278 seconds to try all three-character passwords, about 8 minutes for four-character ones, and about 3.5 hours for five-character ones
This analysis assumes that people choose passwords like vxlag and msms as often as they pick enter and boring
However, people tend to choose names or words they can remember
Password-guessing programs contain dictionaries of English words
It takes only 80 seconds to test all 80,000 words in a dictionary as passwords
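The arithmetic behind the brute-force and probable-password figures above, worked through in code. This is an added example and not part of the lecture; it assumes the slides' parameters (26 lowercase letters, lengths up to 8, one guess per millisecond or per microsecond, an 80,000-word dictionary) and adds an assumed throttled online rate of one attempt per 5 seconds for comparison. keyspace() computes the exact sum 26 + 26^2 + … + 26^n, so each figure on the slides can be checked.

```python
# Added example (not from the lecture slides): keyspace and time-to-exhaust
# arithmetic behind the brute-force and probable-password figures.
# Assumed parameters come from the slides: 26 lowercase letters, passwords of
# length 1..8, one guess per millisecond or per microsecond, and an
# 80,000-word dictionary.  The throttled rate is an added assumption.


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of passwords of length min_len..max_len over the alphabet.

    General form of the slide's sum 26 + 26^2 + ... + 26^8: the sum of
    alphabet_size**k for every length k in [min_len, max_len].
    """
    if alphabet_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("need alphabet_size >= 1 and 1 <= min_len <= max_len")
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return candidates / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


# Guess rates discussed on the slides (guesses per second).
PER_MILLISECOND = 1_000.0
PER_MICROSECOND = 1_000_000.0
# Assumed online rate when the login imposes a 5-second delay per attempt.
THROTTLED_5S = 1 / 5.0


def scenario_table(alphabet_size: int = 26, lengths=(3, 4, 5, 8),
                   dictionary_words: int = 80_000) -> dict:
    """Return, per scenario, the candidate count and the time at each rate."""
    rates = {"1/ms": PER_MILLISECOND, "1/us": PER_MICROSECOND,
             "throttled": THROTTLED_5S}
    table = {}
    for n in lengths:
        space = keyspace(alphabet_size, n)
        table[f"all passwords up to {n} chars"] = {
            "candidates": space,
            **{rate: human_duration(seconds_to_exhaust(space, gps))
               for rate, gps in rates.items()},
        }
    table["dictionary"] = {
        "candidates": dictionary_words,
        **{rate: human_duration(seconds_to_exhaust(dictionary_words, gps))
           for rate, gps in rates.items()},
    }
    return table


if __name__ == "__main__":
    for scenario, row in scenario_table().items():
        print(f"{scenario:28s} {row}")
```

The table makes the lecture's point from the defender's side: an offline guess rate of one per microsecond collapses the short-password and dictionary cases to seconds, while the same keyspace behind a login that throttles attempts takes orders of magnitude longer.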
Passwords likely for a user
People choose passwords that are meaningful to them
Spouse name
Child’s name
Brother or sister’s name
Pet’s name
Street name
Trying this list takes under a second
One can try ten of these by hand in under two
minutes
Weak passwords
Several web sites post dictionaries of phrases, science
fiction characters, places, mythological names, Chinese
words, Yiddish words, and other specialized lists
These help admins identify weak passwords, but the same dictionaries can also be used by attackers against sites that do not have such attentive administrators.
Tools such as COPS, Crack, and Satan allow an admin to
scan a system for weak passwords
People think they can be clever by picking a simple password and replacing certain characters, such as 0 for o, 1 for I or l, 3 for E, or @ for a
Steps an attacker would take
Here are some password-guessing steps an attacker might take:
No password
Same as user id
User name or derived from it
Common: password, secret, private, asdfg, aaaaa
Short college dictionary
Complete English word list
Common non-English dictionary
Short college dictionary with capitalizations: PaSsWoRd
and substitutions of 0 for o etc
Complete English with capitalization and substitutions
Common non-English dictionary with capitalization and
substitutions
Brute force, lowercase alphabetic
Brute force, full character set
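A defender-side check that flags the passwords the guessing steps above would catch. This is an added example, not the lecture's own code or a tool named on the slides: it undoes the capitalization and substitution tricks listed (0 for o, 1 for I or l, 3 for E, @ for a) before looking the result up against the slide's common passwords and a word list. The word list is a constructed stand-in for the "short college dictionary".

```python
# Added example (not from the lecture slides): a weak-password check that
# reverses the substitution and capitalization tricks from the slides before
# looking the password up.  WORD_LIST is a constructed stand-in for a real
# dictionary file.
from itertools import product

# Each substituted symbol maps back to every letter it may stand for.
UNDO_SUBSTITUTION = {"0": "o", "1": "il", "3": "e", "@": "a"}

# The slide's "common" passwords and a constructed short word list.
COMMON_PASSWORDS = {"password", "secret", "private", "asdfg", "aaaaa"}
WORD_LIST = {"enter", "boring", "monkey", "sunshine", "welcome", "dragon"}

MAX_EXPANSIONS = 4096  # cap on substitution variants to avoid blow-up


def candidate_base_words(password: str):
    """Yield every lowercase word the password could be a disguised form of."""
    choices = [UNDO_SUBSTITUTION.get(ch, ch) for ch in password.lower()]
    for count, combo in enumerate(product(*choices)):
        if count >= MAX_EXPANSIONS:
            return
        yield "".join(combo)


def weakness_reason(password: str, username: str,
                    words=WORD_LIST, common=COMMON_PASSWORDS):
    """Name the guessing step from the slides that would find this
    password, or return None if none of the cheap steps applies."""
    if password == "":
        return "no password"
    pw, user = password.lower(), username.lower()
    if user and pw == user:
        return "same as user id"
    if user and user in pw:
        return "derived from user name"
    for base in candidate_base_words(password):
        if base in common:
            return "common password"
        if base in words:
            return "dictionary word"
    # Short, lowercase and alphabetic: the cheapest brute-force case.
    if password.isalpha() and password.islower() and len(password) <= 8:
        return "short lowercase alphabetic"
    return None


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd", "bob"), ("B0r1ng", "bob"),
                     ("alice99", "alice"), ("2BrnB", "carol")):
        print(f"{pw:10s} {user:6s} -> {weakness_reason(pw, user)}")
```

Run at password-change time, a check like this rejects the disguised dictionary words before they reach the password file, which is the point the slides make about admins needing the same lists an attacker would use.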
Plaintext system password list
To validate passwords, a system must have a way of comparing entries with the actual passwords
Rather than trying to guess the password, why not target the password file?
Two columns: user ID, password
Too obvious: don’t leave it out in the open
It has to be protected
Protecting plaintext password file
Various security approaches are used to conceal
the password table from those who should not see
it.
Strong access controls
Only OS can access it
Not every OS module needs access, e.g. the operating
system scheduler, accounting routines, or storage
manager have no need to know the table's contents.
Avoid dumping of memory
An attacker may carefully time the dump of memory
Protect system backups
Encrypted password file
Conventional encryption
One-way hash
Conventional encryption
Receive the user’s password, decrypt the stored password and compare
But the plaintext password is then available in memory for a while; that is, the password is available to anyone who could obtain access to all of memory.
Safer to use a one-way hash
One-way hash
The password table's entries are encrypted by a
one-way encryption and then stored. When the
user enters a password, it is also encrypted and
then compared with the table. If the two values are
equal, the authentication succeeds.
The Unix password file can be read by anyone, unless special access controls have been installed.
What if two people choose the same password? I notice that another user’s hashed password is the same as mine in the file.
One-way hash: salt
Unix circumvents this vulnerability by using a password extension, called the salt.
The salt is a 12-bit number derived from the current system time and the process id
Likely to be unique for every user
Concatenate the salt and the plaintext password, then hash it
Store the hash together with the salt
When the user enters a password, fetch the salt from the file, hash and compare
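The salted one-way scheme just described, together with the "loose-lipped systems" point from earlier: the same password table is used by a leaky login that reveals whether a user name exists and by a hardened one that answers identically either way. This is an added example and not the lecture's own code. Assumptions: SHA-256 stands in for the Unix crypt() of the slide, the salt is 16 random bytes rather than the 12-bit time/PID value, and the user names and passwords are constructed for the demo.

```python
# Added example (not from the lecture slides): salted one-way password
# storage in a two-column user-id -> (salt, hash) table, plus a login check
# that does not leak whether a user name exists.
# Assumptions: SHA-256 stands in for crypt(), the salt is 16 random bytes,
# and the credentials in __main__ are constructed for the demo.
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_BYTES = 16


def unsalted_hash(password: str) -> bytes:
    """The scheme before salt: H(password).  Equal passwords give equal rows."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """H(salt || password) as the slide describes; returns (salt, hash)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


class PasswordTable:
    """user id -> (salt, hash).  No plaintext password is ever stored."""

    def __init__(self) -> None:
        self._rows: dict = {}
        # Decoy row so an unknown user costs the same hashing work as a known one.
        self._decoy = salted_hash(os.urandom(16).hex())

    def add_user(self, user: str, password: str) -> None:
        self._rows[user] = salted_hash(password)

    def has_user(self, user: str) -> bool:
        return user in self._rows

    def stored_hash(self, user: str) -> bytes:
        return self._rows[user][1]

    def check(self, user: str, password: str) -> bool:
        """Fetch the salt from the table, re-hash, compare in constant time."""
        salt, expected = self._rows.get(user, self._decoy)
        _, candidate = salted_hash(password, salt)
        matched = hmac.compare_digest(candidate, expected)
        return matched and user in self._rows


def leaky_login(table: PasswordTable, user: str, password: str) -> str:
    """The loose-lipped behaviour from the slides: the reply reveals whether
    the user name exists, so an intruder can confirm valid user names."""
    if not table.has_user(user):
        return "Invalid user name"
    return "Welcome" if table.check(user, password) else "Invalid password"


def uniform_login(table: PasswordTable, user: str, password: str) -> str:
    """Hardened: one failure message, and the same hashing cost, either way."""
    return "Welcome" if table.check(user, password) else "Login incorrect"


if __name__ == "__main__":
    table = PasswordTable()
    table.add_user("alice", "hunter2")   # constructed demo credentials
    table.add_user("bob", "hunter2")     # same password as alice
    print("unsalted rows equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    print("salted rows equal:  ", table.stored_hash("alice") == table.stored_hash("bob"))
    print(uniform_login(table, "alice", "hunter2"), "/", uniform_login(table, "mallory", "x"))
```

Two details matter beyond what the slide states: the comparison uses hmac.compare_digest so that timing does not leak how many bytes matched, and an unknown user is checked against a decoy row so that response time does not reveal user-name validity either.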
Indiscreet users
Password taped to the monitor
On a card inside the top desk drawer
Given away to share files
Password selection criteria
Use characters other than alphabets
Choose long passwords
Avoid actual names or words
Choose an unlikely password: 2BrnB
Change password regularly
Don’t write it down
Don’t tell anyone else
Good password choices
Some systems help users by offering meaningless but pronounceable password choices, e.g. VAX VMS
Easy to forget and misspell: bliptab
Some systems encourage users to change passwords frequently
Warn a few days ahead of expiry
Leave no choice on the day of expiry
One-time passwords
Changes every time it is used
Assign a static mathematical function; the system provides an argument to the function, and the user computes and returns the function value. Such systems are also called challenge-response systems
f(x) = x + 1
f(x) = 3x^2 - 9x + 2
f(x) = p_x, where p_x is the x-th prime number
f(x) = r(x): use x as the seed to a random number generator, or take the x-th random number
f(a1a2a3a4a5a6) = a3a1a1a4
f(E(x)) = E(D(E(x)) + 1): the system provides an encrypted value; the user decrypts, performs the arithmetic and re-encrypts
One-time passwords are very effective because intercepted passwords are useless
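The challenge-response exchange described above, with both sides' steps, as an added example that is not part of the lecture. It implements several of the listed functions (x + 1, 3x^2 - 9x + 2, the x-th prime, and the digit permutation a3a1a1a4) and shows why an intercepted response is useless: the server keeps one outstanding challenge per user and discards it once answered. Which function a user is assigned, the six-digit challenge range, and the constructed challenge sequence used in the demo are assumptions; the E/D variant is omitted because it needs a cipher the slide does not specify.

```python
# Added example (not from the lecture slides): a challenge-response exchange
# built from functions listed on the slide.  The server issues a fresh
# argument x per login and accepts only f(x) for that x, once.
# Assumptions: six-digit challenges (so the digit-permutation function
# applies), and the per-user function assignment shown in __main__.
import secrets
from typing import Callable, Dict, Optional


def nth_prime(n: int) -> int:
    """p_n, the n-th prime (p_1 = 2), by trial division; fine for small n."""
    if n < 1:
        raise ValueError("n must be >= 1")
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes[-1]


# The slide's candidate functions f(x) that user and system share in advance.
def f_linear(x: int) -> int:
    return x + 1


def f_quadratic(x: int) -> int:
    return 3 * x * x - 9 * x + 2


def f_prime(x: int) -> int:
    """p_x; only practical with a small challenge range."""
    return nth_prime(x)


def f_digits(x: int) -> int:
    """f(a1a2a3a4a5a6) = a3a1a1a4 on a six-digit challenge."""
    a = f"{x:06d}"
    return int(a[2] + a[0] + a[0] + a[3])


class ChallengeServer:
    """Issues one outstanding challenge per user; each is answered at most once."""

    def __init__(self, assignments: Dict[str, Callable[[int], int]],
                 rng: Callable[[], int] = lambda: secrets.randbelow(900_000) + 100_000):
        self._assignments = assignments
        self._rng = rng
        self._pending: Dict[str, int] = {}

    def challenge(self, user: str) -> Optional[int]:
        if user not in self._assignments:
            return None
        x = self._rng()
        self._pending[user] = x          # replaces any unanswered challenge
        return x

    def verify(self, user: str, response: int) -> bool:
        x = self._pending.pop(user, None)  # consumed whether right or wrong
        if x is None:
            return False
        return response == self._assignments[user](x)


def client_respond(f: Callable[[int], int], x: int) -> int:
    """What the user (or their token) computes and sends back."""
    return f(x)


if __name__ == "__main__":
    server = ChallengeServer({"alice": f_digits, "bob": f_quadratic})
    x = server.challenge("alice")
    r = client_respond(f_digits, x)
    print("challenge", x, "response", r, "accepted:", server.verify("alice", r))
    # An eavesdropper who captured r gains nothing against the next challenge.
    x2 = server.challenge("alice")
    print("replaying", r, "against", x2, "accepted:", server.verify("alice", r))
```

Because verify() pops the pending challenge on every attempt, a wrong answer also burns the challenge, so an attacker cannot keep guessing against one x; the legitimate user just asks for a new one.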
Authentication process
Even a terrible typist should be able to type a password correctly in a few tries
A legitimate user will not complain about a delay of 5 to 10 seconds
A penetrator’s job would be made infeasible
Repeated failure = not an authorized user
Fixing flaws
Trojan horse: a program displays the standard prompt, e.g. SYSTEM ERROR, DISCONNECTED
Make sure the system is reinitialized:
Turn the terminal off and then on
Press the break key
Ctrl+Alt+Del
The system could display something only the user and the system know, such as the last login time
ANY QUESTIONS?
