Pfleeger 9780134093093 Ch02-1

SECURITY IN COMPUTING, FIFTH EDITION
Chapter 2: Toolbox: Authentication, Access Control, and Cryptography

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Objectives for Chapter 2

• Survey authentication mechanisms
• List available access control implementation options
• Explain the problems encryption is designed to solve
• Understand the various categories of encryption tools as well as the strengths, weaknesses, and applications of each
• Learn about certificates and certificate authorities

Authentication
• The act of proving that a user is who she says she is
• Methods:
  • Something the user knows
  • Something the user is
  • Something the user has

[Rotated sidebar text, garbled in extraction; the recoverable fragments refer to identification as asserting who a person is, authentication as proving that assertion, identities being typically public or well known, and authentication needing to be private.]
Something You Know

• Passwords
• Security questions
• Attacks on “something you know”:
  • Dictionary attacks
  • Inferring likely passwords/answers
  • Guessing
  • Defeating concealment
  • Exhaustive or brute-force attack
  • Rainbow tables

Distribution of Password Types

Password Storage

[Figure: password storage, plaintext vs. concealed]

Every password can be guessed; password strength is determined by how many guesses are required.

The Art and Science of Password Cracking
• Systems authenticate users with a static password.
• A system could simply store all of the passwords locally and compare the login attempt against that file.
• A file of cleartext passwords, however, provides a very juicy target for an attacker.
• Modern operating systems therefore store passwords under a one-way hash or encryption.
The Art and Science of Password Cracking
• Password cracking tools are used to attack this method of password protection.
• An attacker:
  • uses some exploit (often a buffer overflow) to gather the encrypted or hashed password file from a system (on a UNIX system without password shadowing, any user can read the hashed password file);
  • then uses a password cracking tool to determine users’ passwords.
• The cracking tool operates using a loop: it guesses a password, hashes or encrypts the guess, and compares the result to the hashed password from the stolen file.
  • If the hashes match, the attacker has the password.
  • If they do not match, the loop begins again with another password guess.
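The storage contrast on the Password Storage slide and the guess-hash-compare loop above, worked through in Python as an added example that is not the textbook's code: a constructed three-user store is kept once as unsalted MD5 digests and once as salted PBKDF2 records, and the same audit loop is run against each so the cost difference per guess is visible. The wordlist, user names and passwords are constructed, and the PBKDF2 iteration count is kept low for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the textbook): a short wordlist of the
# kind the slides describe, and three users' passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
USER_PASSWORDS = {
    "alice": "password",                 # weak: appears in the wordlist
    "bob": "grape-lantern-42-violet",    # constructed, not in the wordlist
    "carol": "123456",                   # weak: appears in the wordlist
}
PBKDF2_ITERATIONS = 20_000  # deliberately low for the demo; production uses far more


def hash_unsalted(password: str) -> str:
    """'Concealed' storage as early systems did it: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Salted, deliberately slow storage: a fresh random salt per user plus PBKDF2."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the stored record for a candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# The two "stolen file" shapes the slides contrast.
UNSALTED_STORE = {u: hash_unsalted(p) for u, p in USER_PASSWORDS.items()}
SALTED_STORE = {u: make_record(p) for u, p in USER_PASSWORDS.items()}


def audit_unsalted(store: dict, wordlist: list) -> dict:
    """The guess-hash-compare loop from the slide, run as a periodic audit.
    Without salts, hashing each guess once serves every account at the same
    time; this precomputed table is the idea a rainbow table generalises."""
    table = {hash_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def audit_salted(store: dict, wordlist: list) -> tuple:
    """Same loop against salted records: every guess must be re-hashed per user
    with that user's salt and iteration count. Returns the weak accounts found
    and the number of PBKDF2 evaluations the audit cost."""
    found, evaluations = {}, 0
    for user, record in store.items():
        for guess in wordlist:
            evaluations += 1
            if verify(guess, record):
                found[user] = guess
                break
    return found, evaluations


if __name__ == "__main__":
    print("unsalted:", audit_unsalted(UNSALTED_STORE, WORDLIST))
    print("salted:  ", audit_salted(SALTED_STORE, WORDLIST))
```

The unsalted audit does one hash per wordlist entry regardless of how many accounts are in the file; the salted audit does one slow PBKDF2 evaluation per guess per account, which is the "how many guesses are required" lever the Password Storage slide refers to.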
The Art and Science of Password Cracking
• Password cracking tools base their guesses on a dictionary or on a complete brute-force attack, attempting every possible password.
• Dozens of dictionaries are available online, in a multitude of languages, including English, French, German, Klingon, etc.
• Tools:
  • John the Ripper focuses on cracking UNIX passwords.
  • L0phtCrack is used to crack Windows NT passwords.
Password Cracking Defenses
• A password policy should require:
  • password length > 8 characters (>= 15)
  • a mix of alphanumeric characters, special characters, and mixed case
[Rotated figure label: The Memorability and Security of Passwords]
https://www.idexx.com/files/password-policy.pdf
[Figure: top 20 passwords in order]

• The top 100 most popular passwords for 2018

https://www.abc.net.au/news/2018-06-11/chart-of-the-day-top-100-passwords/9844886?nw=0&r=HtmlFragment

https://techcult.com/most-common-passwords/

• Hackers collect long lists (password dictionaries) of these passwords and use them to build programs that attempt to break into accounts using these dictionaries, one entry after another, trying thousands or millions of passwords a second.

Password Cracking Defenses
• Users should be trained in creating memorable, difficult-to-guess passwords.

[Rotated figure label: The Memorability and Security of Passwords]
Password Cracking Defenses
• The security practitioner should check system passwords on a periodic basis using password cracking tools.
• When weak passwords are discovered, interact with the users whose passwords can be easily guessed.
Password Cracking Defenses
• Software packages are available that prevent users from setting their passwords to easily guessed values.
  • They check the new password to make sure that it is sufficiently complex and is not just a variation of the user name or a dictionary word.
  • They should be installed on all servers where users establish passwords.
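A checker implementing the rules from the defense slides (minimum length, mixed character classes, and not a variation of the user name or of a dictionary word), added here as a Python example rather than the code of any package the slides refer to. The five-word dictionary, the leetspeak substitutions it undoes, the three-letter slack for "just a variation", and the 15-character minimum (the slides give both > 8 and >= 15) are assumptions of this example.

```python
import string

# Constructed stand-in for a real wordlist (assumption of this example).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}

# Common symbol-for-letter substitutions undone before comparing (assumption).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalize(text: str) -> str:
    """Lower-case, undo leetspeak, and keep letters only: 'P@ssw0rd!' -> 'passwordi'."""
    folded = text.lower().translate(LEET)
    return "".join(ch for ch in folded if ch.isalpha())


def is_variation(password: str, base: str, slack: int = 3) -> bool:
    """True if the password is essentially `base` plus at most `slack` extra letters."""
    norm, b = normalize(password), normalize(base)
    return bool(b) and b in norm and len(norm) - len(b) <= slack


def check_password(username: str, password: str, min_length: int = 15) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short ({len(password)} < {min_length})")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # User-name rule: any occurrence of the name counts, however long the rest is.
    uname = normalize(username)
    if uname and uname in normalize(password):
        problems.append("variation of the user name")
    # Dictionary rule: only flag passwords that are little more than the word itself.
    for word in sorted(DICTIONARY):
        if is_variation(password, word):
            problems.append(f"variation of dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for user, pw in [("jsmith", "Jsmith2024!"),
                     ("jsmith", "P@ssw0rd!!!"),
                     ("jsmith", "correct-Horse-battery-7")]:
        print(f"{pw!r}: {check_password(user, pw) or 'accepted'}")
```

The normalization step is what makes the "variation" rules useful: a password that only dresses up the user name or a dictionary word with digits and symbols is folded back to the bare word before the comparison, which is the case the slides single out.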

Assignment
• Write a description of brute-force (page 75) and rainbow-table attacks and compare the two.
• What about using cookies for authentication (page 93)?
