1 authentication and access control overview. 2 outline definitions authentication factors...
TRANSCRIPT
1
Authentication and access Authentication and access control overviewcontrol overview
2
OutlineOutlineDefinitions
Authentication• Factors• Evaluation• Examples
Focus on password problems and alternatives
Access control
Case study: Convenient SecureID
Case study: Website mutual authentication
3
DefinitionsDefinitions Identification - a claim about identity
• Who or what I am (global or local)
Authentication - confirming that claims are true• I am who I say I am• I have a valid credential
Authorization - granting permission based on a valid claim• Now that I have been validated, I am allowed to access certain
resources or take certain actions
Access control system - a system that authenticates users and gives them access to resources based on their authorizations• Includes or relies upon an authentication mechanism• May include the ability to grant course or fine-grained
authorizations, revoke or delegate authorizations
4
Building blocks of Building blocks of authenticationauthenticationFactors
• Something you know (or recognize)• Something you have• Something you are
Two factors are better than one• Especially two factors from different categories
What are some examples of each of these factors?
What are some examples of two-factor authentication?
5
Authentication mechanismsAuthentication mechanismsText-based passwords
Graphical passwords
Hardware tokens
Public key crypto protocols
Biometrics
6
EvaluationEvaluation Accessibility
Memorability
Security
Cost
Environmental considerations
7
Typical password adviceTypical password advice
8
Typical password adviceTypical password advice Pick a hard to guess password
Don’t use it anywhere else
Change it often
Don’t write it down
So what do you do when every web site you visit asks for a password?
9
Bank = b3aYZ Amazon = aa66x!Phonebill = p$2$ta1
10
11
Problems with PasswordsProblems with Passwords Selection
• Difficult to think of a good password• Passwords people think of first are easy to guess
Memorability• Easy to forget passwords that aren’t frequently used• Difficult to remember “secure” passwords with a mix of upper &
lower case letters, numbers, and special characters
Reuse• Too many passwords to remember• A previously used password is memorable
Sharing• Often unintentional through reuse• Systems aren’t designed to support the way people work together
and share information
12
Four
Mnemonic PasswordsMnemonic Passwords
First letter of each word (with punctuation)
fsasya,oFSubstitute numbers for words or similar-looking letters
4sa7ya,oFSubstitute symbols for words or similar-looking letters
F
4sasya,oF
Four
4sa7ya,oF
4s&7ya,oF
score s andaand seven sseven yearsy ago a ,, our o Fathers F
Source: Cynthia Kuo, SOUPS 2006
13
The Promise?The Promise?Phrases help users incorporate different
character classes in passwords• Easier to think of character-for-word
substitutions
Virtually infinite number of phrases
Dictionaries do not contain mnemonics
Source: Cynthia Kuo, SOUPS 2006
14
The Problem?The Problem?“Goodness” of mnemonic passwords
unknown• Yan et al. compared regular, mnemonic, and
randomly generated passwords Used standard (non-mnemonic) dictionary Effectively evaluated whether mnemonic passwords
contained dictionary words
Source: Cynthia Kuo, SOUPS 2006
15
Source: Cynthia Kuo, SOUPS 2006
Mnemonic password evaluationMnemonic password evaluation Mnemonic passwords are not a panacea for
password creation
No comprehensive dictionary today
May become more vulnerable in future • Many people start to use them• Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.
16
Password keeper softwarePassword keeper softwareRun on PC or handheld
Only remember one password
17
Single sign-onSingle sign-onLogin once to get access to all your
passwords
18
BiometricsBiometricsBiometricsBiometrics
19
Graphical passwordsGraphical passwordsGraphical passwordsGraphical passwords
20
““Forgotten password” Forgotten password” mechanismmechanism Email password or magic URL to address on file
Challenge questions
Why not make this the normal way to access infrequently used sites?
21
Types of access controlTypes of access controlDiscretionary access control
•Distributed, dynamic, users set access rules for resources they own and can delegate access to others
Role-based access control•Centralized admin assigns users to roles and
sets access rules based on roles
And many others that vary discretionary/mandatory, centralized/distributed, granularity, grouping
22
Access control usability Access control usability problemsproblems
Admins, large organizations understanding large access control policies• Someone in marketing changed a policy and now we
can’t figure out why people in sales no longer have access to a document
• Who has access to this document anyway?
End users creating and understanding policies• Examples: File system permissions, Grey, Perspective,
privacy rules• Home users want to share some files with some other
users, but don’t want to share everything
23
Convenient SecureIDConvenient SecureID
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
Sources:
http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx http://fob.webhop.net/
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
What problems do these approaches solve?
What problems do they create?
24
Browser-based mutual Browser-based mutual authenticationauthentication Chris Drake’s “Magic Bullet” proposal
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Mar/0004.html
1. User gets ID, password (or alternative), image, hotspot at enrollment
2. Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons
3. Then login box appears and user enters username and password (or alternative)
4. Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear)
5. User finds their image and clicks on hotspot Image manipulation can help prevent replay
attacks
What problems does this solve?
What problems doesn’t it solve?
What kind of testing is needed
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (Uncompressed) decompressor
are needed to see this picture.