E gov security_tut_session_3
Mustafa Jarrar
1. The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial Session 3
PalGov © 2011 1

2. About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
• Birzeit University, Palestine
• University of Trento, Italy (Coordinator)
• Palestine Polytechnic University, Palestine
• Vrije Universiteit Brussel, Belgium
• Palestine Technical University, Palestine
• Université de Savoie, France
• Ministry of Telecom and IT, Palestine
• University of Namur, Belgium
• Ministry of Interior, Palestine
• TrueTrust, UK
• Ministry of Local Government, Palestine
Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14-Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu

3. © Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material.
Attribution-NonCommercial-ShareAlike CC-BY-NC-SA: this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
4. Tutorial 5: Information Security, Session 3: Authentication
Session 3 Outline:
• Session 3 ILOs
• Authentication (symmetric and asymmetric)
• One-time passwords
• Introduction to LDAP

5. Tutorial 5, Session 3: Authentication
This session will contribute to the following Tutorial 5 ILOs:
• A: Knowledge and Understanding
  – a2: Define security standards and policies.
• B: Intellectual Skills
  – b3: Design end-to-end secure and available systems.
  – b5: Design user authentication and authorization services.
• C: General and Transferable Skills
  – d2: Systems configurations.
  – d3: Analysis and identification skills.

6. Tutorial 5: Information Security, Session 3: Authentication
Session 3 Outline:
• Session 3 ILOs
• Authentication (symmetric and asymmetric, and one-time passwords)
• Introduction to LDAP

7. Authentication (Symmetric, Asymmetric and OTP)
• Fundamental security building block
  – Forms the basis of access control and user accountability
• Is the process of verifying an identity.
• Has two steps:
  – Identification
  – Verification

8. Means of User Authentication
• Four means of authenticating a user's identity, based on something the individual:
  – knows
  – possesses
  – is (static biometrics)
  – does (dynamic biometrics)
• All can provide user authentication (single- or multi-factor)
9. Password Authentication
• Widely used user authentication method
  – User provides name/login and password
  – System compares the password with the one saved for the specified login
• Authenticates the ID of the user logging in, and
  – that the user is authorized to access the system
  – determines the user's privileges
  – is used in discretionary access control
• The password file is a hashed file.

10. Password Vulnerabilities
• Password attacks and guessing
  – Exploiting user mistakes
  – Specific account attack
  – Offline dictionary attack
  – Workstation hijacking
  – Multiple password use
  – Password guessing against a single user
  – Monitoring
  – Other attacks…

11. Countermeasures / Policies and Training
• Password policies
  – Length, character set, period of use, frequency of re-use
• Login policies
  – Timeout period, session period, lockout policy (attempts, period, re-instatement)
• Countermeasures against different vulnerabilities:
  – Prevent unauthorized access to the password file
  – Intrusion detection measures to identify a compromise
  – Rapid re-issuance of passwords should the password file be compromised
  – Account lockout mechanism

12. Use of Hashed Passwords
13. UNIX Implementation
• Original scheme
  – 8-character password forms a 56-bit key
  – 12-bit salt used to modify DES encryption into a one-way hash function
  – 0 value repeatedly encrypted 25 times
  – Output translated to an 11-character sequence
  – The file is called the shadow file.

14. Improved Implementations
• Have other, stronger, hash/salt variants
• Many systems now use MD5
  – with a 48-bit salt
  – password length is unlimited
  – hashed with a 1000-iteration inner loop
  – produces a 128-bit hash

15. Password Cracking
• Dictionary attacks
  – try each word, then obvious variants, from a large dictionary against the hashes in the password file
• Rainbow table attacks
  – precompute tables of hash values for all salts
  – a mammoth table of hash values
  – e.g. a 1.4 GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs
  – not feasible if larger salt values are used
• The salt is useful against remote attackers, but useless if the attacker can get the shadow file, because the salt is not encrypted.
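The following is an added example, not part of the PalGov slides: a simplified salted, iterated password hash in the spirit of the UNIX crypt and MD5-crypt schemes on slides 13 and 14, together with a model of why the precomputed table of slide 15 fails once records are salted. SHA-256 from hashlib stands in for DES/MD5; the 6-byte (48-bit) salt and 1000 iterations mirror the slide's figures; the record format `$<salt hex>$<hash hex>`, the helper names and the sample passwords are all constructed for this example.

```python
"""Added example (not part of the PalGov slides): salted, iterated password
hashing and why an unsalted precomputed table cannot be reused against it.
Assumptions: SHA-256 stands in for DES/MD5; salt size and iteration count
follow the slides; record format and sample passwords are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

ITERATIONS = 1000   # the slides' "1000 times inner loop"
SALT_BYTES = 6      # 48-bit salt, as on the MD5 slide


def iterated_salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """H(salt || password), then re-hashed `iterations` times with the salt
    mixed back in, so no intermediate value is shared between two salts."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + salt).digest()
    return digest


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Shadow-style record: the salt is stored in the clear next to the hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    return f"${salt.hex()}${iterated_salted_hash(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    _, salt_hex, hash_hex = record.split("$")
    candidate = iterated_salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def stored_hash(record: str) -> bytes:
    """The hash part of a record (the value a precomputed table would look up)."""
    return bytes.fromhex(record.split("$")[2])


def unsalted_hash(password: str) -> bytes:
    """What a system without salts would store: one fixed hash per password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def precomputed_lookup(wordlist: Iterable[str], stored_hashes: List[bytes]) -> Dict[bytes, str]:
    """Model of a precomputed table: hash each word once up front, then look
    stored hashes up by value. Returns the stored hashes it could match."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def table_entries_needed(wordlist_size: int, salt_bits: int) -> int:
    """Entries a precomputed table needs to cover one wordlist for every salt."""
    return wordlist_size * (2 ** salt_bits)


if __name__ == "__main__":
    # Constructed sample data: the two most common passwords named on slide 16
    common = ["password", "123456"]
    print("unsalted store, table hits:", precomputed_lookup(common, [unsalted_hash("123456")]))
    print("salted store, table hits:  ", precomputed_lookup(common, [stored_hash(make_record("123456"))]))
    print("entries to cover a 48-bit salt for a 14000-word list:", table_entries_needed(14000, 48))
```

Two records for the same password differ because each gets its own salt, so a table built once cannot be looked up against them; covering every salt value multiplies the table by 2^48, which is the slide's "not feasible if larger salt values used". The iteration count is the other cost lever: it slows every guess, salted or not, and is what an attacker who has stolen the shadow file still has to pay.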
16. Password Choice Policies
• Users may pick short passwords
  – e.g. 3% were 3 characters or less, easily guessed
  – the system can reject choices that are too short
• Users may pick guessable passwords
  – so crackers use lists of likely passwords
  – e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them
  – it would take about 1 hour on the fastest systems to compute all variants, and only one break is needed!
  – A review by SplashData in 2011 showed the two most common passwords on the Internet are:
    • password
    • 123456

17. Token Authentication
• An object the user possesses to authenticate:
  – Embossed card (with engraved characters)
  – Magnetic stripe card (like ATM cards)
  – Memory card (like phone cards)
  – Smartcard (advanced cards)

18. Memory Card
• Stores but does not process data
• Magnetic stripe card, e.g. bank card
• Electronic memory card
• Used alone for physical access
• Drawbacks of memory cards include:
  – user dissatisfaction
  – need for a special reader
  – loss-of-token issues

19. Smartcard
• Like a credit card issued by banks
• Has its own processor, memory, I/O ports
  – wired or wireless access by reader
  – may have a crypto co-processor
  – ROM, EEPROM, RAM memory
• Executes a protocol to authenticate with the reader/computer
• May also take the form of a USB dongle

20. Remote User Authentication
• Very important for e-gov applications:
  – Protects against a number of attacks
  – Authentication over a network is more complex
    • problems of eavesdropping, replay
  – Better to use challenge-response:
    • user sends identity
    • host responds with a random number r
    • user computes f(r, h(P)) and sends the result back
    • host compares the value from the user with its own computed value; if they match, the user is authenticated
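The challenge-response exchange of slide 20, shown from both sides, as an added example that is not part of the original slides. Here f(r, h(P)) is realised as HMAC-SHA256 keyed with h(P) over the random number r; the host stores only h(P) and the client knows P. The names, passwords, the 16-byte challenge size and the single-use handling of each challenge are assumptions of this example.

```python
"""Added example (not from the PalGov slides): challenge-response login.
f(r, h(P)) = HMAC-SHA256(key=h(P), msg=r). Identities, passwords and the
challenge length are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def h(password: str) -> bytes:
    """h(P): the one-way hash of the password that the host holds."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def f(r: bytes, hp: bytes) -> bytes:
    """f(r, h(P)): keyed MAC over the challenge; cannot be forged without h(P)."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    def __init__(self) -> None:
        self.verifiers: Dict[str, bytes] = {}   # identity -> h(P)
        self.pending: Dict[str, bytes] = {}     # identity -> outstanding challenge r

    def enrol(self, identity: str, password: str) -> None:
        self.verifiers[identity] = h(password)

    def challenge(self, identity: str) -> bytes:
        # A fresh random number per attempt. It is issued even for unknown
        # identities so the challenge step does not reveal which accounts exist.
        r = secrets.token_bytes(16)
        self.pending[identity] = r
        return r

    def verify(self, identity: str, response: bytes) -> bool:
        r: Optional[bytes] = self.pending.pop(identity, None)  # each r is used once
        hp = self.verifiers.get(identity)
        if r is None or hp is None:
            return False
        # A replayed response fails: it was computed over a challenge that has
        # been consumed, and the next challenge is a different random number.
        return hmac.compare_digest(f(r, hp), response)


class Client:
    def __init__(self, identity: str, password: str) -> None:
        self.identity, self.password = identity, password

    def respond(self, r: bytes) -> bytes:
        return f(r, h(self.password))


def run_login(host: Host, client: Client) -> bool:
    """One exchange: identity -> r -> f(r, h(P)) -> compare on the host."""
    r = host.challenge(client.identity)   # the user sends its identity, the host answers with r
    return host.verify(client.identity, client.respond(r))


if __name__ == "__main__":
    host = Host()
    host.enrol("alice", "constructed-pw")
    print("correct password:", run_login(host, Client("alice", "constructed-pw")))
    print("wrong password:  ", run_login(host, Client("alice", "guess")))
```

Note the trade-off this scheme makes: the password never crosses the network, but h(P) as stored on the host is enough to answer future challenges, so the host's verifier store must be protected exactly as the shadow file on slide 15 must be.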
21. Security Issues with Authentication
• Client attacks
• Host/server attacks
• Eavesdropping while communicating
• Replay attacks
• Denial-of-service attacks

22. Practical Application (ATM Machines)
• An ATM machine is programmed with a Terminal Identification Number (aka "TID").
• The ATM connects to the ATM networks.
• After the bank or processing network approves the transaction, the ATM receives the authorization and dispenses the cash requested.

23. Distributed Systems and Password Authentication
• How can I gain access to multiple computer systems if password-based authentication is used?
  – Multiple passwords, one for each system
  – Use the same password in each system
  – A single sign-on application that stores the passwords for each system and has one for itself
  – Single sign-on where the password is stored in just one system and other systems trust this one to perform the authentication properly (e.g. Microsoft Passport, Shibboleth)

24. The Multiple Passwords Problem
• I have over 50 passwords to remember for my Internet accounts, such as: google, gmail, birzeit, amazon, PPU, yahoo, palgov, arab bank etc.
• We are working towards Single Sign On (SSO) schemes for the e-gov applications

25. The Mutual Authentication Problem
• How can two people authenticate each other using passwords?
• It's OK if I am talking to the correct person, since he already knows my password and I know his, but what if it is not the correct person?
  – Then I have given the impersonator my password,
  – too late to take any action.
• You need a "zero knowledge password proof"
  – One can compare secrets without giving them away.
  – Needham-Schroeder and Kerberos are examples of such a scheme.
26. Kerberos
(diagram: the AS issues ticket = (Username + validity + KeyAS)Enc for the TG Server)

27. User-AS-TGS Processing
• The user sends a request to the Kerberos authentication server (enclosing its name and a random number).
• The AS returns to the user the random number plus a one-off session key to be used for encrypting subsequent messages with the TG server.

28. User-AS-TGS Processing
• The random number and session key are symmetrically encrypted by the Authentication Server using the user's hashed password as the secret key.
• The user decrypts this message to obtain the session key, and can only do this if he/she knows their own password.

29. Kerberos Key Server (TGS)
(diagram: KeyApp B; ticket2 = (Username + validity + KeyAB)Enc)

30. User-TGS Processing
• The AS encrypts the session key into a ticket using the symmetric key of the TG server.
• The ticket is sent to the user (it contains the name of the user, the validity time of the ticket and the session key).
• The user passes the ticket to the TG server.
• The TG server can decrypt the ticket to get the session key and the user's name, and with this can decrypt the user's message.

31. User-TGS Processing
• The TG server then generates a new session key to be used by the user and the application.
• It returns this new session key to the user, encrypted using the old session key.
• It also gives the user a ticket for granting access to the chosen application; this ticket contains the name of the user and the new session key for talking to the application, encrypted with the secret key of the application.

32. TGS-User-Application Processing
• A sends "Key for Application B" to the TGS, enciphered using Key AS, plus the ticket from the authentication server containing Key AS
• The TGS generates Key AB (session key for user and application B)
• The TGS sends "Key AB" to A, enciphered using Key AS, and a ticket2 for B
• A sends a message to B, enciphered using Key AB, plus ticket2
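The whole AS, TGS and application exchange of slides 27 to 32 as one runnable simulation, added here as an example and not taken from the slides or from any Kerberos implementation. `seal`/`open_` is a toy authenticated cipher (SHA-256 keystream plus an HMAC tag) that stands in for the symmetric cipher a real KDC uses, so that the flow runs offline with the standard library; the user and application names, keys, the 300-second ticket lifetime and the JSON ticket layout are assumptions of this example, not Kerberos wire formats.

```python
"""Added example (not from the PalGov slides): a runnable simulation of the
AS -> TGS -> application exchange described on the Kerberos slides above.
Everything here is constructed: `seal`/`open_` is a toy authenticated cipher
(SHA-256 keystream plus HMAC tag) standing in for the symmetric cipher a real
KDC uses, and the names, keys, 300 s lifetime and JSON ticket layout are
assumptions of this example, not Kerberos wire formats."""
import hashlib, hmac, json, secrets

TICKET_LIFETIME = 300.0   # seconds; constructed value

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode("utf-8")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    """Verify the tag, then decrypt; the wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampering)")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def h(password):
    """The user's hashed password: the key the AS shares with the user."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to show the failure cases."""
    try:
        fn(*args)
    except exc:
        return True
    return False

class AuthServer:
    """AS: holds every user's h(P) and the TG server's key."""
    def __init__(self, users, tgs_key):
        self.users, self.tgs_key = users, tgs_key
    def login(self, name, rnd, now):
        k_as = secrets.token_bytes(32)   # one-off session key, user <-> TGS
        reply = seal(self.users[name], {"rnd": rnd, "k_as": k_as.hex()})
        ticket = seal(self.tgs_key, {"user": name, "valid_until": now + TICKET_LIFETIME,
                                     "k_as": k_as.hex()})
        return reply, ticket

class TicketGrantingServer:
    """TGS: holds its own key and the keys of the applications."""
    def __init__(self, tgs_key, app_keys):
        self.tgs_key, self.app_keys = tgs_key, app_keys
    def grant(self, ticket, request, now):
        t = open_(self.tgs_key, ticket)        # only the TGS can read the ticket
        if now > t["valid_until"]:             # why hosts must be time synchronised
            raise PermissionError("ticket expired")
        k_as = bytes.fromhex(t["k_as"])
        app = open_(k_as, request)["app"]      # proves the requester holds Key AS
        k_ab = secrets.token_bytes(32)         # session key, user <-> application
        reply = seal(k_as, {"k_ab": k_ab.hex()})
        ticket2 = seal(self.app_keys[app], {"user": t["user"], "k_ab": k_ab.hex(),
                                            "valid_until": now + TICKET_LIFETIME})
        return reply, ticket2

class Application:
    def __init__(self, key):
        self.key = key
    def receive(self, ticket2, message, now):
        t = open_(self.key, ticket2)
        if now > t["valid_until"]:
            raise PermissionError("ticket expired")
        return t["user"], open_(bytes.fromhex(t["k_ab"]), message)["text"]

def client_session(name, password, app, text, AS, TGS, B, now):
    """The user's side of the whole exchange; returns what B decrypted."""
    rnd = secrets.token_hex(8)
    reply, ticket = AS.login(name, rnd, now)
    r = open_(h(password), reply)              # fails unless the password is right
    if r["rnd"] != rnd:
        raise ValueError("AS reply does not echo our random number")
    k_as = bytes.fromhex(r["k_as"])
    reply2, ticket2 = TGS.grant(ticket, seal(k_as, {"app": app}), now)
    k_ab = bytes.fromhex(open_(k_as, reply2)["k_ab"])
    return B.receive(ticket2, seal(k_ab, {"text": text}), now)

def build_realm():
    """Constructed realm: one user, one application, keys pre-shared."""
    tgs_key, b_key = secrets.token_bytes(32), secrets.token_bytes(32)
    return (AuthServer({"alice": h("constructed-pw")}, tgs_key),
            TicketGrantingServer(tgs_key, {"B": b_key}), Application(b_key))
```

The `valid_until` checks in `grant` and `receive` are where the "servers and application hosts must be time synchronised" disadvantage of slide 33 comes from: a host whose clock runs ahead rejects fresh tickets, one that runs behind accepts stale ones.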
33. Kerberos Disadvantages
• The authentication server and TGS are single points of failure.
• Servers and application hosts must be time synchronised
• Not originally scalable
  – Users could only log in to their own realms
• Kerberos only provides authentication, not authorization
• Does not prevent attacks
  – dictionary

34. One-Time Passwords: Hardware
• An increasingly common authentication method is the use of one-time password cards. These contain a chip capable of making cryptographic calculations.
• Challenge-response mechanism
• Synchronised clocks

35. Challenge Response OTP
• The user logs into the remote server across the Internet (usually via a firewall), and the server passes the user a challenge, usually in the form of a numeric string.
• The user responds to the challenge with a one-time password that is computed from the string by his card (hardware/software) according to a pre-defined encryption algorithm that is also known to the remote server.
• One such system (Securenet from Digital Pathways) relies on the user having a one-time password card the size of a credit card that is capable of computing the passwords.
• The card has a digital display and requires a PIN/password to be entered before it can be used. Thus it is two-factor authentication, since the user must know the PIN and possess the card.

36. Clock Synchronised OTP
Both the card and the server compute a new password every 60 seconds, according to a pre-defined encryption algorithm which uses the date and time and a shared secret (e.g. SecurID from RSA Security). This eliminates the need for a challenge string. With the SecurID system, the user must transfer a PIN number plus the computed password, so that if the card is stolen it cannot be used by anyone else. This mechanism is two-factor authentication, as it is based on something I possess (the card) and something I know (the PIN). Early versions of SecurID used to fail as the clocks in the card and server became out of sync.
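A clock-synchronised OTP of the kind slide 36 describes, added here as an example that is not from the slides and not the vendor's algorithm: card and server each derive a new code from the shared secret and the current 60-second window, the server checks PIN plus code, tolerates a small clock drift, and refuses a window that has already been used. HMAC-SHA256 with HOTP-style dynamic truncation (RFC 4226) stands in for the proprietary algorithm; the secret, PIN, user name, 6-digit code length, one-window tolerance and timestamps are constructed.

```python
"""Added example (not from the PalGov slides): a clock-synchronised OTP with
PIN check, drift tolerance and replay refusal. Assumptions: HMAC-SHA256 with
HOTP-style truncation stands in for the vendor algorithm; secret, PIN, code
length, tolerance and timestamps are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, List

STEP_SECONDS = 60   # the slide's "new password every 60 seconds"
DIGITS = 6          # constructed code length


def otp_for_counter(secret: bytes, counter: int) -> str:
    """Code for one 60-second window; computed identically on card and server."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, as in HOTP
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def otp_at(secret: bytes, t: float) -> str:
    """Code for the window containing time t (seconds since the epoch)."""
    return otp_for_counter(secret, int(t // STEP_SECONDS))


class Card:
    """The token: holds the secret and has its own clock, which may drift."""
    def __init__(self, secret: bytes, clock_offset: float = 0.0) -> None:
        self.secret, self.clock_offset = secret, clock_offset

    def display(self, true_time: float) -> str:
        return otp_at(self.secret, true_time + self.clock_offset)


class OtpServer:
    def __init__(self, drift_steps: int = 1) -> None:
        self.users: Dict[str, List] = {}   # name -> [pin, secret, last accepted window]
        self.drift = drift_steps           # windows of clock skew tolerated each way

    def enrol(self, name: str, pin: str, secret: bytes) -> None:
        self.users[name] = [pin, secret, -1]

    def authenticate(self, name: str, pin: str, code: str, server_time: float) -> bool:
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec[0], pin):
            return False                        # something you know: the PIN
        counter = int(server_time // STEP_SECONDS)
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= rec[2]:
                continue                        # window already used: a replay
            if hmac.compare_digest(otp_for_counter(rec[1], c), code):
                rec[2] = c                      # something you possess: the card
                return True
        return False                            # wrong code, or clocks too far apart


if __name__ == "__main__":
    SECRET, T = b"constructed-shared-secret", 1_700_000_000.0
    server = OtpServer()
    server.enrol("bob", "4321", SECRET)
    print("in sync:   ", server.authenticate("bob", "4321", Card(SECRET).display(T), T))
    print("7 min fast:", server.authenticate("bob", "4321", Card(SECRET, 420).display(T + 60), T + 60))
```

The `drift_steps` tolerance is the practical answer to the clock-drift failures the slide attributes to early SecurID; widening it makes a lost-then-found code usable for longer, which is why the server also remembers the last window it accepted.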
37. Example: Grid Cards
• A unique OTP card containing a grid of characters
• Select specific characters from the card for authentication
• The site can return different characters from the user's card for mutual authentication
• Provides two-factor authentication:
  – something you know (PW)
  – something you possess (grid card)

38. Mobile Phone Authentication

39. Private Key Storage Techniques
• In an encrypted file, protected by a password
• In a smart card, protected by a password or PIN
• What about mobile phones? (Discussion!!)

40. Tutorial 5: Information Security, Session 3: Authentication
Session 3 Outline:
• Session 3 ILOs
• Authentication (symmetric and asymmetric, and one-time passwords)
• Introduction to LDAP

41. Introduction to LDAP
• Directory Model
• X.500 Information Model
• LDAP Protocol
• Use of LDAP for Security

42. The X.500 Model of the Directory

43. Server to Client Referrals
44. X.500/LDAP Naming
• An entry has a Distinguished Name, comprised of a
  – SEQUENCE of Relative Distinguished Names, each comprised of a
    • SET of {Attribute Type, Attribute Value}

45. X.500/LDAP Naming
Example Directory Information Tree (DIT): root, then C=GB, then O=Big PLC under it, then OU=Sales+L=Swindon under that.
X.500 Distinguished Name of Entry | LDAP Distinguished Name of Entry | RDN of Entry
{null} | {null} | {null}
{C=GB} | {C=GB} | {C=GB}
{C=GB, O=Big PLC} | {O=Big PLC, C=GB} | {O=Big PLC}
{C=GB, O=Big PLC, OU=Sales+L=Swindon} | {OU=Sales+L=Swindon, O=Big PLC, C=GB} | {OU=Sales+L=Swindon}

46. Relative Distinguished Name (RDN)
• Each LDAP entry is assigned an RDN when created.
• All children of an entry must have unique RDNs.
• The attribute value(s) forming the RDN are called the distinguished attribute values.
• Entries in different parts of the DIT can have the same RDNs.
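A parser for the naming model of slides 44 to 46, added as an example and not part of the slides: a DN is a SEQUENCE of RDNs and each RDN a SET of {type, value} pairs, with the X.500 (root-first) and LDAP (leaf-first) orderings of slide 45 derived from one another, and a small DIT that enforces the sibling-uniqueness rule of slide 46 while allowing the same RDN under a different parent. Assumptions: LDAP string order on input, backslash escapes for `,` `+` `=` and `\` as in RFC 4514 (hex escapes are not handled), attribute types compared case-insensitively and values compared exactly (a real server applies matching rules); the Big PLC and Swindon names come from the slide.

```python
"""Added example (not from the PalGov slides): DN = SEQUENCE of RDN, RDN = SET
of (type, value); X.500/LDAP orderings; a DIT with unique sibling RDNs.
Assumptions: LDAP string order on input, RFC 4514 backslash escapes only,
case-insensitive types, exact-match values."""
from typing import FrozenSet, List, Set, Tuple

RDN = FrozenSet[Tuple[str, str]]
DN = List[RDN]


def _split(s: str, sep: str) -> List[str]:
    """Split on an unescaped separator, leaving escape pairs intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_rdn(text: str) -> RDN:
    """'OU=Sales+L=Swindon' -> frozenset({('ou', 'Sales'), ('l', 'Swindon')})."""
    pairs = set()
    for ava in _split(text, "+"):
        typ, eq, val = ava.partition("=")
        if not eq or not typ.strip():
            raise ValueError(f"bad attribute value assertion: {ava!r}")
        pairs.add((typ.strip().lower(), _unescape(val.strip())))
    return frozenset(pairs)


def parse_dn(text: str) -> DN:
    """LDAP order: the first RDN names the entry, the last sits under the root."""
    text = text.strip()
    return [] if text == "" else [parse_rdn(p) for p in _split(text, ",")]


def x500_order(dn: DN) -> DN:
    """X.500 writes the same SEQUENCE root-first."""
    return list(reversed(dn))


def parent(dn: DN) -> DN:
    return dn[1:]


def fmt_rdn(rdn: RDN) -> str:
    return "+".join(f"{t.upper()}={v}" for t, v in sorted(rdn))


def fmt_dn(dn: DN) -> str:
    return ",".join(fmt_rdn(r) for r in dn)


class DIT:
    """Directory Information Tree keyed by full DN; the {null} root pre-exists."""
    def __init__(self) -> None:
        self.entries: Set[Tuple[RDN, ...]] = {()}

    def add(self, dn_text: str) -> bool:
        """True if added; False if a sibling already uses this RDN."""
        dn = parse_dn(dn_text)
        if tuple(parent(dn)) not in self.entries:
            raise LookupError(f"no parent entry for {dn_text!r}")
        if tuple(dn) in self.entries:
            return False      # same parent + same RDN = same entry
        self.entries.add(tuple(dn))
        return True
```

Because an RDN is a set, `L=Swindon+OU=Sales` and `OU=Sales+L=Swindon` name the same entry, which is why the DIT compares parsed structures rather than strings; that is also the comparison a server must make before trusting a DN-based authorisation decision.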
47. LDAP Protocol
• Connection-oriented protocol on top of TCP/IP
• Subset of the X.500 Directory Access Protocol
• Two versions: LDAPv2, LDAPv3
  – LDAPv2 published first: RFC 1777
  – LDAPv3 added referrals and other extensions to LDAPv2: RFC 2251
  – LDAPv2 has ceased to be standardized, but is still widely used
• The client issues a request; the server usually gives a response
• Each request elicits one response, except Abandon (none), Unbind (none) and Search (multiple)
• Requests can be asynchronous or synchronous

48. Basic LDAP Protocol Operations
• Most protocol messages are sent as ASCII strings
  – ModifyDN Request, ModifyDN Response
  – Bind Request, Bind Response
  – Unbind Request, Abandon Request
  – Search Request, Search Response
  – Compare Request, Compare Response
  – Modify Request, Modify Response
  – Add Request, Add Response
  – Delete Request, Delete Response

49. LDAPv3 Return Result
• Every response contains a Result component
• The Result comprises 4 elements:
  – Result Code: an integer signifying success or an error code
  – Matched DN: name of the lowest DN matching a request that has a naming error; or null
  – Error Message: human-readable error diagnostic
  – Referral (optional)

50. Using LDAP for Security
• Three main uses:
  – To store users' passwords in their entries for authentication. The login server contacts LDAP with a Compare operation asking if this entry contains this password. If true, it lets the user log in.
  – To store users' attributes that can be used for authorisation
  – To store Public Key Certificates and Attribute Certificates for strong security

51. Public Key Certificates and CRLs
• Certificates can be held within X.500/LDAP directory entries as attributes of type
  – userCertificate: holds a user's certificates
  – cACertificate: holds a CA's self-issued certificates
  – crossCertificatePair: holds CA cross certificates
• CRLs can be held within X.500/LDAP directory entries as attributes of type
  – certificateRevocationList: for user certificates
  – authorityRevocationList: for CA certificates
  – deltaRevocationList: for delta CRLs

52. Bibliography
• Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
• Cryptography and Network Security, by Behrouz A. Forouzan. McGraw-Hill, © 2008. ISBN: 978-007-126361-0.
• Lecture Notes by David Chadwick, 2011, TrueTrust Ltd.
• (ebook) Internet Security: Cryptographic Principles, Algorithms and Protocols, by Man Young Rhee. Wiley, 2003.

53. Summary
• In this session we discussed the following:
  – introduced user authentication
    • using passwords
    • using tokens
    • using biometrics
  – remote user authentication issues
  – LDAP protocols and standards

54. Thanks
Radwan Tahboub