Password strength


Posted on 09-Jul-2015


November 2009

PASSWORD AND RELATED ISSUES

POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY, HO CHI MINH CITY CAMPUS

Course project: INFORMATION SECURITY

A STUDY OF PASSWORDS AND RELATED ISSUES

Supervisor: Mr. L Phc
Student group: 1. Trng nh Hong 2. Nguyn Th Thanh Minh 3. V Thanh Tho


Introduction

When computer networks first appeared, many people began sharing the same system, which raised the problem of protecting information, and so the password was born. At first a password was simply a string of characters used to keep other people out. As password cracking has grown, and as computers have become faster and memory cheaper, an attacker's ability to crack passwords has risen and the time needed has shrunk. With that, the demands placed on users have grown as well: passwords must be changed periodically, must meet a required strength, and must be remembered and kept secret. From all this it is clear that passwords are a sensitive issue on a single computer, in a small network and on the Internet at large. This project therefore gives an overview of passwords and the issues around them: authentication, password cracking, and how to judge the strength of a password. From that we draw lessons on protecting our own information against attack.


I. AN OVERVIEW OF AUTHENTICATION

Put simply, authentication is the process of identifying a user. As networks keep growing, correctly confirming that a user has legitimate access rights is central to information security. Many authentication methods exist today, and most are based on one of three factors:

o Something you know (username and password)
o Something you have (smart card, certificate)
o Something you are (biometrics)

A. Authentication with username and password

1. HTTP authentication

a. Basic Authentication

This is the most common authentication scheme built into the web platform. The server triggers it when the client requests a resource that requires authentication. The scheme has a basic limitation that attackers exploit: the credentials are only Base64-encoded, not encrypted, so anyone who can observe the traffic recovers the username and password directly.


SSL (TLS) must be used to encrypt the username and password in transit between client and server.

b. Digest Authentication

Designed as a more secure alternative to Basic Authentication, it is built on challenge-response. Instead of sending the password, the client sends an MD5 hash computed over the username, realm, password, a server-issued nonce and the request details, so the password itself never crosses the network. Note that the credentials are hashed rather than encrypted, and the server must still hold the password or an equivalent hash of it in order to verify the response.

2. Integration with Windows NTLM authentication
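The two schemes above, as an added example that is not part of the original report: it builds and decodes a Basic Authorization header, then computes and verifies an RFC 2617 Digest response (the simple form without qop). The username, password, realm and nonce are constructed for the example.

```python
import base64
import hashlib
import secrets

# Constructed values for the example; none of these come from the report.
USERNAME = "alice"
PASSWORD = "s3cret"
REALM = "example.org"


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """What a sniffer does with that header: Base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server may store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username, password, realm, nonce, method, uri) -> str:
    """Client side of RFC 2617 Digest (no qop): response = MD5(HA1:nonce:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(username, realm, password)}:{nonce}:{ha2}")


def digest_verify(stored_ha1, nonce, method, uri, response) -> bool:
    """Server side: recompute from the stored HA1 and the nonce it issued, compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{ha2}")
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print(hdr, "->", basic_decode(hdr))          # the password falls straight out
    nonce = secrets.token_hex(16)                 # server-issued, fresh for every challenge
    resp = digest_response(USERNAME, PASSWORD, REALM, nonce, "GET", "/private/")
    print("digest ok:", digest_verify(digest_ha1(USERNAME, REALM, PASSWORD),
                                      nonce, "GET", "/private/", resp))
```

Two things the code makes visible: a Basic header is recoverable by anyone on the path, which is why the report insists on SSL; and a Digest response is bound to the nonce, so a captured response cannot be replayed against a fresh challenge, although an attacker who captures it can still run an offline guessing attack against the MD5 value.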

This uses NT LAN Manager (NTLM) authentication over HTTP. In practice it is tied to Internet Explorer on the client and IIS on the server. Combined with Windows authentication it suits an enterprise's local network.


It is a challenge-response method in which the password itself is never sent over the network: the server sends a challenge and the client answers with a value derived from its password hash.

3. Negotiate Authentication

This is an extension of NTLM Authentication that provides Kerberos-based authentication. A negotiation step decides which mechanism, and therefore which level of security, is used. It is configured and used not only on local networks.


B. Authentication with smart cards and certificates

1. Certificate-based authentication

This uses public-key cryptography and digital certificates to authenticate users. It is of particular interest as the second factor in two-factor authentication: someone who knows the username and password must also present the certificate before being authenticated. The certificate, or more precisely the private key that goes with it, can still be stolen from the user. Many software products now support certificate-based authentication.


2. Forms-based authentication

It is not built into HTTP or SSL themselves; the application implements it with its own login form, usually in HTML, which makes it a flexible choice. It is the most widely used authentication method on the Internet.


3. Authentication with RSA SecurID tokens

SecurID authentication uses a token (a key fob or a card). The hardware device generates a new authentication code every 60 seconds from a secret seed held inside the token. To authenticate to a network resource, the user enters a PIN together with the number the SecurID token is displaying at that moment.
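Time-based codes of the kind just described, as an added example that is not part of the original report. RSA's own SecurID algorithm is proprietary; this uses the open RFC 4226/6238 HOTP/TOTP construction with a 60-second step, the RFC test seed standing in for a token seed, and a constructed PIN, and shows the server-side check that combines both factors with a small clock-drift window.

```python
import hashlib
import hmac
import struct
import time

# Constructed values for the example; a real token's seed is provisioned by the vendor.
SEED = b"12345678901234567890"   # the RFC 4226 test seed, used here as a stand-in
STEP = 60                        # the report describes a new code every 60 seconds
DIGITS = 6
PIN = "1234"                     # constructed user PIN (something you know)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_code(seed: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of whole steps since the Unix epoch."""
    return hotp(seed, now // step)


def verify_passcode(passcode: str, seed: bytes, pin: str, now: int, window: int = 1) -> bool:
    """Server-side check of PIN + displayed code (the two factors), allowing +/- `window`
    steps of clock drift between token and server. Comparisons are constant-time."""
    if len(passcode) != len(pin) + DIGITS or not hmac.compare_digest(passcode[:len(pin)], pin):
        return False
    code = passcode[len(pin):]
    counter = now // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    shown = token_code(SEED, now)
    print("token shows:", shown)
    print("accepted now:", verify_passcode(PIN + shown, SEED, PIN, now))
    print("replayed two steps later:", verify_passcode(PIN + shown, SEED, PIN, now + 2 * STEP))
```

The drift window is the usual trade-off: a wider window tolerates worse clocks but gives an attacker who captured a code a longer replay period, so a server should also remember the last accepted counter and refuse anything at or below it.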


C. Biometric authentication

A biometric authentication system needs devices that can recognise the user from biological features such as fingerprints, eyes, face or hand. This method is considered highly secure and convenient, since the user has neither a password to remember nor a card to carry.

From the above we can see that biometric and smart-card authentication have the advantage of very high security: an attacker finds it hard to break into the system because obtaining the smart card is difficult and reproducing a user's biological features is harder still. Deploying them, however, is expensive, above all the cost of fitting authentication hardware to every device in the information system. The analysis shows that passwords remain an effective solution: low cost, easy to use, with acceptable security, and potentially very effective if backed by sensible policies. We will therefore concentrate on passwords and the security issues around them.


II. PASSWORDS AND PASSWORD CRACKING

Today, with the constant advance of computing, the risk of attackers breaking into information systems keeps rising and the password problem keeps getting harder. A password is no longer just a user's private secret string; it is permanently at high risk of being cracked, so users need up-to-date knowledge about passwords.

What is a password? A password is a secret word or string of characters used to authenticate, prove or identify a user who wants to access a resource.

Why are passwords necessary?

o A password prevents unauthorised entry into a system and protects information; it also lets the system uniquely identify the person who logs in and keep a record of their actions on the data.
o On any system, certain users have privileges that others do not. By identifying yourself to your own computer or to a website you gain access to your own working environment and your personal data, which is sensitive and not meant to be public.

Threats that come with passwords:

o While most organisations and the vast majority (the report says 99%) of home users still depend on passwords as the basic form of identification for sensitive and private data, networks with weak security mechanisms inadvertently open holes through which attackers reach company resources and users' assets.
o Although passwords are the most necessary and most user-friendly means of identifying users when they access a network or a database, users are in fact careless about the requirements to change their password, to create a secure one and to follow the guidance on keeping it as secret as possible. The result is a large number of guessable passwords, the same password reused across many systems, and users writing down their login details, user name and password included.

What happens when a password is compromised:

o Identity theft: this occurs when your account data is used by someone else. It leads to financial loss as well as personal harm (your account being used to withdraw money, and so on).
o Sensitive data exposure: the contents of e-mail, projects, documents and photos are exposed to attackers, or to individuals who target you with bad intent.
o Company data exposure: espionage that obtains sensitive internal information through carelessly kept account data can do enormous damage to the company you work for.
o Use in criminal activity: if not kept carefully, your account can be used for criminal purposes. Remember that the trail leads back to your account, so you cannot avoid being implicated.

What is a password attack? A password attack is any attempt to obtain the password of some user ID in order to break into that user's system. A password can be attacked in many different ways:


o Physical security weaknesses: a physical weakness of the machine can be exploited completely, no matter how sophisticated the identification method or how strong the encryption. Example: a keylogger, whether software or hardware, installed on the machine records your keystrokes; your key or password is exposed, and with it every encrypted file and every account. However long and strong your password is, physical compromise is one of the most dangerous cases.
o Packet sniffers: capture passwords on networks that are not properly encrypted, especially on a LAN where every machine's Internet traffic must pass through the default gateway. Systems that send information across the network are not always secure, and an attacker who can reach the data path can eavesdrop on (sniff or snoop) the data stream. The sniffer collects valuable information about the system, such as a packet containing someone's user name and password. These eavesdropping programs listen on the interfaces or ports the attacker is interested in, collect the data passing through them and forward it to the attacker.
o Trojan horse programs: they arrive as a link on a web page that users are tricked into clicking, as an ActiveX control that pops up when the user wants to log on to a site, bundled with installed software, in e-mail, and so on. Once the Trojan is on the user's machine it can capture the password as it is typed and send it to its owner.
o Cookie attacks: cookies are small structured data items shared between a website and the user's browser. They are stored as small text files (under 4 KB). Sites create them to store, retrieve and recognise information about the users who visit and the parts of the site they have been through. That information can include the user's name, user identifier, password, preferences, habits and so on. Cookies are stored on the computer's hard disk with the browser's consent, although not every browser supports them. A cookie that holds a session identifier or a password, once read from disk or intercepted, lets an attacker act as that user without ever learning the password.


o Cracking: there are two approaches, manual and automated. Manual cracking: take a valid user ID (usually easy to discover), guess passwords that user might use, and try them one by one until one works. Automated cracking: obtain the file of hashed passwords and run a tool that recovers the plaintext passwords from it, by hashing candidate passwords and comparing the results with the stored hashes.
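The automated variant, as an added example that is not part of the original report: an offline dictionary attack against a constructed file of unsalted MD5 and SHA-1 hashes, using a few mangling rules. The user names, hashes and word list are made up for the example. A salted, iterated hash is shown at the end for contrast.

```python
import hashlib

# Constructed password file (user:algorithm:hexdigest), unsalted as the report describes.
# The names, hashes and word list are made up for this example.
PASSWORD_FILE = [
    "alice:md5:5f4dcc3b5aa765d61d8327deb882cf99",
    "bob:sha1:8cb2237d0679ca88db6464eac60da96345513964",
    "carol:md5:2ab96390c7dbe3439de74d0c9b0b1767",
    "dave:sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
    "eve:md5:0cc175b9c0f1b6a831c399e269772661",
]

WORDLIST = ["password", "12345", "hunter", "hello", "qwerty", "dragon"]


def candidates(wordlist):
    """Cheap mangling rules: the word, its capitalised form, and common digit suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "2", "123"):
                yield base + suffix


def load_targets(lines):
    """Index the file by (algorithm, digest) so one computed hash is checked against every user."""
    targets = {}
    for line in lines:
        user, algo, digest = line.strip().split(":")
        targets.setdefault((algo, digest.lower()), []).append(user)
    return targets


def crack(lines, wordlist):
    """Offline dictionary attack: hash each candidate once per algorithm and look it up.

    Because the hashes are unsalted, a single candidate hash is compared against all
    users at once, and two users with the same password share the same digest.
    """
    targets = load_targets(lines)
    algorithms = {algo for algo, _ in targets}
    cracked = {}
    for cand in candidates(wordlist):
        for algo in algorithms:
            digest = hashlib.new(algo, cand.encode()).hexdigest()
            for user in targets.get((algo, digest), []):
                cracked.setdefault(user, cand)
    return cracked


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """What a careful application stores instead: PBKDF2-HMAC-SHA256 with a per-user salt.

    The salt defeats shared and precomputed digests; the iteration count makes every
    guess cost the attacker roughly `iterations` hash operations instead of one.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    found = crack(PASSWORD_FILE, WORDLIST)
    for user, pwd in sorted(found.items()):
        print(f"{user}: {pwd}")
    print("eve survives the word list:", "eve" not in found)
    print("same password, different salts, different digests:",
          slow_salted_hash("password", b"salt-for-alice") != slow_salted_hash("password", b"salt-for-bob"))
```

The example shows why the storage format matters as much as the user's choice of password: against unsalted MD5 or SHA-1 the attacker pays one fast hash per candidate for the whole file, whereas a salted, iterated hash forces one slow computation per candidate per user.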

To understand this, we first need to look at how passwords are stored and checked. Password storage: today most passwords are stored as one-way hashes computed with hash functions such as SHA or MD5. In a well-written application the password is therefore stored only as its hashed string and never as plaintext (a per-user salt and a deliberately slow hash further frustrate precomputed and cross-user attacks). Password verification: suppose user A has the password a, p
