Jaap van Ginkel - os3.nl is here • To prevent photo attack, ... In Greek mythology, Kerberos is 3-headed dog that guards entrance to Hades


  • Security of Systems and Networks

    November 19 Lecture 7 Authentication & Kerberos

    Jaap van Ginkel

  • Authentication

    SNE SSN

  • The problem illustrated

    Thanks to Ton Verschuren

  • Terminology

    Identification: who are you?
    Authentication: prove it! (AUTHN)
    Authorization: these you can do (AUTHZ)

    Different levels of authentication:

    Weak (something you know)
    Strong (something you have and something you know)
    Biometrics (something you are)

  • Examples

    Something you know: password, address/birthday combination, PIN code

    Something you have: key, bank card, driver's license, letter

    Something you are: fingerprint, DNA profile, iris print

  • User name / Password

    Weak authentication
    User friendly
    Works everywhere
    Very common
    Alternatives difficult
    Extended life span
    Awareness
    Safe implementation

  • Common passwords

    Password      Count
    123456        1375
    Ficken         404
    12345          367
    Hallo          362
    123456789      260
    Schatz         253
    12345678       215

  • Chocolate passwords

    2004 research at Liverpool Street Station:

    o 70% gave up their password for chocolate
    http://news.bbc.co.uk/2/hi/technology/3639679.stm

  • Alternatives

  • Passfaces

    http://www.realuser.com/demo/demo.htm

  • Passclicks

    http://labs.mininova.org/passclicks/


  • But where do people click

  • Certificate based

    Public Key Infrastructure
    X.509 certificates
    Open standard
    Can be used in strong authentication
    Complex for end user
    High cost
    Used for server side authentication
    Wide support

  • Smart cards

    Not many successful implementations
    Card reader
    Logistics
    Expensive
    Standardisation poor

  • USB Tokens

    Smartcard with reader

  • SecurID

    One time pad
    PIN code
    Easy to integrate
    Clock sync

  • One Time Pads

    Maurits van der Schee

  • WEBISO

    Web Initial Sign-on
    Framework and architecture
    Broad support

  • Athens

    British, 1996
    Aimed at libraries
    Health sector
    Very successful
    Millions of users
    Migrated to Shibboleth / SAML 2.0

  • PAPI

    Spanish initiative
    In production
    Proven inter-organisational
    Reasonable support
    Moving to SAML

    http://www.rediris.es/app/papi/index.en.html

  • Pubcookie

    University of Washington
    Closely resembles A-Select
    Broad support

  • A-Select

    Dutch initiative, SURFnet
    No open source
    Many platforms
    Strong authentication with Niegefoon and Niegebach
    DigiD

    http://aselect.surfnet.nl/welcome.html

  • Shibboleth

    Scheveningen, Lollapalooza
    Internet2 middleware initiative
    Good architecture
    Focus on privacy

  • Shibboleth

  • What is Shibboleth?

    Internet2/MACE project (open source)
    Inter-institutional authorization for web resources
    Authorization with privacy
    User data remains local
    More control to user and home organization
    More control for publishers

  • Crossing the Jordan

    Pronunciation password
    War between Ephraimites and Gileadites
    Bible: Judges 12:1-15
    42,000 were killed

  • Old and New

    Then they said to him: Say now Shibboleth; but he said: Sibboleth, and could not pronounce it rightly; so they seized him and slew him at the fords of the Jordan, and at that time there fell of Ephraim forty-two thousand.

    Under embargo until 17:00.

  • Shibboleth terminology

    Components:

    1. Shibboleth Indexical Reference Establisher (SHIRE)
    2. Handle Service (HS)
    3. Where Are You From (WAYF)
    4. Authentication System (AS)
    5. Shibboleth Attribute Requestor (SHAR)
    6. Resource Manager (RM)

    1. Security Assertion Markup Language (SAML)
    2. Attribute Release Policies (ARP)
    3. Attribute Acceptance Policies (AAP)

  • Shibboleth Architecture

  • Shibboleth: access to Science Direct

    Figure (flow diagram; text recovered from the slide). Parties: the user at the UvA (with Handle Service (HS), User DB and Attribute Authority (AA)), the WAYF, and Science Direct at Elsevier (with SHIRE, SHAR and Resource Manager). The numbered messages as they appear in the figure:

    1. The user requests a resource at Science Direct (Elsevier).
    2. SHIRE: "I don't know you; which organisation are you actually from?"
    3. WAYF: "Tell me where you come from."
    4. WAYF: "OK, I'll send the request to the Handle Service of your organisation."
    5-6. HS: "I don't know you, can you authenticate first?" (labels: Credentials, User DB)
    7. HS: "OK, now I know you. I forward your request with a handle."
    8. Handle delivered to the SHAR.
    9. SHAR: "I don't know this user's attributes and request them." (handle sent to the AA)
    10. AA: "OK, I pass on the attributes the user has given consent for." (attributes returned)
    Resource Manager: "OK, based on these attributes I grant access."

  • Demo

    Thanks to SWITCH AAI
    Resource is kohala.switch.ch
    WAYF is wayf1.switch.ch
    Identity Provider is maunakea.switch.ch
    http://www.switch.ch/aai/demo/demo_live.html

  • A-Select integration with Shibboleth

    Not yet in production
    Replacement for Pubcookie
    Many authentication methods

  • TIQR

  • TIQR

    Dutch initiative, SURFnet
    OATH
    o Initiative for Open Authentication
    OCRA
    o OATH Challenge-Response Algorithm

  • OpenID

    OpenID provider (OP)
    OpenID relying party (RP)
    Microsoft, Google, Facebook, PayPal

  • Biometrics

    Slides from the publisher

  • Something You Are: Biometric

    "You are your key" (Schneier)

    Are / Know / Have

    Examples: fingerprint, handwritten signature, facial recognition, speech recognition, gait (walking) recognition, digital doggie (odor recognition), many more!

  • Why Biometrics?

    Biometrics seen as desirable replacement for passwords
    Cheap and reliable biometrics needed
    Today, a very active area of research
    Biometrics are used in security today: thumbprint mouse; palm print for secure entry; fingerprint to unlock car door, etc.
    But biometrics not too popular
    Has not lived up to its promise (yet?)

  • Ideal Biometric

    Universal: applies to (almost) everyone
    In reality, no biometric applies to everyone
    Distinguishing: distinguish with certainty
    In reality, cannot hope for 100% certainty
    Permanent: physical characteristic being measured never changes
    In reality, want it to remain valid for a long time
    Collectable: easy to collect required data
    Depends on whether subjects are cooperative
    Safe, easy to use, etc., etc.

  • Biometric Modes

    Identification: who goes there? Compare one to many. Example: the FBI fingerprint database
    Authentication: is that really you? Compare one to one. Example: thumbprint mouse

    Identification problem more difficult: more random matches since more comparisons

    We are interested in authentication

  • Enrollment vs Recognition

    Enrollment phase
    Subject's biometric info put into database
    Must carefully measure the required info
    OK if slow and repeated measurement needed
    Must be very precise for good recognition
    A weak point of many biometric schemes

    Recognition phase
    Biometric detection when used in practice
    Must be quick and simple
    But must be reasonably accurate

  • Cooperative Subjects

    We are assuming cooperative subjects
    In identification problem often have uncooperative subjects
    For example, facial recognition:
    Proposed for use in Las Vegas casinos to detect known cheaters
    Also as way to detect terrorists in airports, etc.
    Probably do not have ideal enrollment conditions
    Subject will try to confuse recognition phase

    Cooperative subject makes it much easier!
    In authentication, subjects are cooperative

  • Biometric Errors

    Fraud rate versus insult rate
    Fraud: user A mis-authenticated as user B
    Insult: user A not authenticated as user A
    For any biometric, can decrease fraud or insult, but the other will increase
    For example: 99% voiceprint match gives low fraud, high insult; 30% voiceprint match gives high fraud, low insult
    Equal error rate: rate where fraud == insult
    The best measure for comparing biometrics
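The fraud/insult trade-off and the equal error rate, worked through on constructed match scores. This is an added example, not part of the lecture slides; the score lists, the accept-if-score-at-or-above-threshold rule and the function names are assumptions made here.

```python
from typing import Sequence, Tuple

# Constructed sample data (not from the slides): matcher similarity scores in
# [0, 1] for 10 genuine attempts (user A claiming to be A) and 10 impostor
# attempts (user B claiming to be A).
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.60, 0.40]
IMPOSTOR_SCORES = [0.65, 0.55, 0.50, 0.45, 0.42, 0.40, 0.35, 0.30, 0.20, 0.10]


def error_rates(threshold: float, genuine: Sequence[float],
                impostor: Sequence[float]) -> Tuple[float, float]:
    """Return (fraud_rate, insult_rate) when scores >= threshold are accepted.

    fraud  = impostor accepted as the claimed user (false accept)
    insult = genuine user rejected              (false reject)
    """
    fraud = sum(s >= threshold for s in impostor) / len(impostor)
    insult = sum(s < threshold for s in genuine) / len(genuine)
    return fraud, insult


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Scan every observed score as a candidate threshold and return
    (threshold, fraud, insult) where the two error rates are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fraud, insult = error_rates(t, genuine, impostor)
        gap = abs(fraud - insult)
        if best is None or gap < best[0]:
            best = (gap, t, fraud, insult)
    _, t, fraud, insult = best
    return t, fraud, insult


if __name__ == "__main__":
    # Strict threshold: no fraud, everyone insulted; lax threshold: the reverse.
    for t in (0.99, 0.60, 0.30):
        fraud, insult = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t:.2f}: fraud {fraud:.2f}  insult {insult:.2f}")
    print("EER at threshold %.2f: fraud=%.2f insult=%.2f"
          % equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores the error rates cross at a threshold of 0.60, where fraud and insult are both 10%; moving the threshold in either direction lowers one rate and raises the other.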

  • Fingerprint History

    1823: Professor Johannes Evangelist Purkinje discussed 9 fingerprint patterns
    1856: Sir William Herschel used fingerprints (in India) on contracts
    1880: Dr. Henry Faulds' article in Nature about fingerprints for ID
    1883: Mark Twain's Life on the Mississippi: a murderer IDed by fingerprint

  • Fingerprint History

    1888: Sir Francis Galton (cousin of Darwin) developed classification system
    His system of minutia is still in use today
    Also verified that fingerprints do not change

    Some countries require a number of points (i.e., minutia) to match in criminal cases
    In Britain, 15 points
    In US, no fixed number of points required

  • Fingerprint Comparison

    Loop (double), Whorl, Arch

    Examples of loops, whorls and arches; minutia extracted from these features

  • Fingerprint Biometric

    Capture image of fingerprint
    Enhance image
    Identify minutia

  • Fingerprint Biometric

    Extracted minutia are compared with the user's minutia stored in a database

    Is it a statistical match?

  • Hand Geometry

    Popular form of biometric
    Measures shape of hand: width of hand and fingers; length of fingers, etc.
    Human hands not unique
    Hand geometry sufficient for many situations
    Suitable for authentication
    Not useful for ID problem

  • Hand Geo