CSCE 201
Identification and Authentication
Microsoft support
Fall 2010
CSCE 201 - Farkas 2
One-time Password
• Use the password exactly once!
Time Synchronized
• There is a hand-held authenticator
– It contains an internal clock, a secret key, and a display
– Display outputs a function of the current time and the key
– It changes about once per minute
• User supplies the user id and the display value
• Host uses the secret key, the function and its clock to calculate the expected output
• Login is valid if the values match
Time Synchronized (diagram): Secret key and Time are fed to Encryption, producing the One Time Password
Challenge Response
• Non-repeating challenges from the host are used
• The device requires a keypad
(Diagram: the work station and the host exchange User ID, Challenge and Response over the network)
Challenge Response (diagram): Secret key and Challenge are fed to Encryption, producing the One Time Password
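The two schemes above (time synchronized and challenge/response) as an added, runnable sketch; this is not code from the lecture slides. The slides leave the "Encryption" box abstract, so HMAC-SHA256 with HOTP-style truncation stands in for it here; the function names, the 60-second step, the one-step clock-drift window and the demo key are all assumptions.

```python
import hashlib
import hmac
import secrets

STEP = 60    # the display value changes about once per minute
DIGITS = 6   # length of the one-time password on the display

def otp(secret: bytes, value: int) -> str:
    """One-time password = f(secret key, value); the slides leave f abstract
    ("Encryption"), here it is HMAC-SHA256 truncated to DIGITS decimal digits.
    `value` is the time counter (time synchronized) or the challenge."""
    mac = hmac.new(secret, value.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

# Time synchronized: authenticator and host each derive the value from a clock.
def token_display(secret: bytes, now: float) -> str:
    """What the hand-held authenticator shows at wall-clock time `now`."""
    return otp(secret, int(now // STEP))

def host_verify_time(secret: bytes, shown: str, now: float, skew: int = 1) -> bool:
    """Host recomputes from its own clock; +/- `skew` steps tolerate drift."""
    counter = int(now // STEP)
    return any(hmac.compare_digest(otp(secret, counter + d), shown)
               for d in range(-skew, skew + 1))

# Challenge/response: the user keys the host's challenge into the device.
def device_response(secret: bytes, challenge: int) -> str:
    return otp(secret, challenge)

class ChallengeHost:
    """Issues a fresh, non-repeating challenge per login attempt; a challenge
    can be answered once, so a captured response cannot be replayed."""
    def __init__(self, keydb: dict):
        self.keydb = keydb     # user id -> secret key (the sensitive database)
        self.pending = {}      # user id -> challenge currently outstanding
        self.used = set()      # challenges already consumed

    def challenge(self, user: str) -> int:
        c = int.from_bytes(secrets.token_bytes(8), "big")   # 64 random bits
        self.pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)
        if c is None or c in self.used or user not in self.keydb:
            return False       # nothing outstanding, replay, or unknown user
        self.used.add(c)
        return hmac.compare_digest(device_response(self.keydb[user], c), response)
```

Note that the host holds a copy of every user's secret key in `keydb`, which is exactly the sensitive key database the PIN slide warns about; a public-key variant would let the host store only public keys.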
Devices with Personal Identification Number (PIN)
• Devices are subject to theft, some devices require PIN (something the user knows)
• PIN is used by the device to authenticate the user
• Problems with challenge/response schemes
– Key database is extremely sensitive
– This can be avoided if public key algorithms are used
Smart Cards
• Portable devices with a CPU, I/O ports, and some nonvolatile memory
• Can carry out computation required by public key algorithms and transmit directly to the host
• Some use biometrics data about the user instead of the PIN
Biometrics
• Fingerprint
• Retina scan
• Voice pattern
• Signature
• Typing style
Problems with Biometrics
• Expensive
– Retina scan (min. cost) about $2,200
– Voice (min. cost) about $1,500
– Signature (min. cost) about $1,000
• False readings
– Retina scan 1/10,000,000+
– Signature 1/50
– Fingerprint 1/500
• Can’t be modified when compromised
Home Computer Security
Required reading:
• Forgotten your Windows XP Home password? - Part 1: Introduction, http://support.microsoft.com/kb/894900
• Forgotten your Windows XP Home password? - Part 2: Using a password reset disk, http://support.microsoft.com/kb/894901/en-us
• Forgotten your Windows XP Home password? - Part 3: Setting a new password as an administrator, http://support.microsoft.com/kb/894902/en-us
Problem: You don’t remember your password
Solutions:
1. Verify that you have typed the letters of your password in the correct case
2. Access a password hint on the Welcome screen
3. Use a password reset disk
4. Log on as administrator to assign a new password to your account
Password Case Sensitivity
• Check CAPS LOCK key
Question: Why do you want to use a combination of symbols for your password?
Use a Password Hint
Create a password hint:
– Log on to your computer
– Click Start, and then click Control Panel
– Double-click User Accounts
– Click your user account, and then click Change my password
– Enter your current password, enter a new password, and then enter the new password again to confirm it
– Enter the password hint, and then click Change Password
– The change will take effect the next time that you log on
To display the hint, click the question mark (?) that is next to your user account
Create a Password Reset Disk
• Click Start, and then click Control Panel
• Double-click User Accounts
• Click your user account, and then click Prevent a forgotten password. The Forgotten Password Wizard starts
• Follow the instructions
NOTE: A password reset disk is valid until you create a new one, even if you change your password
Using the Password Reset Disk
• Create a password reset disk for your user account at the earliest opportunity
• How to use the password reset disk
– Microsoft Windows remembers if you have created a password reset disk. Just click use your password reset disk
– Follow the instructions of the Password Reset Wizard
Question: Why should you safeguard your password reset disk?
Set a New Password as an Administrator
• Start the computer in Safe Mode
• Log on as administrator – first time login as administrator: no password assigned to the account
• Reset the password
Reset the Password
• Click Start, click Control Panel, and then double-click User Accounts
• Click your user account, and then click Change the password
• Enter a new password, enter it again to confirm the password, and then set a password hint. Click Change Password
• Set a password for the administrator account if you had none
Question: Why is it recommended that you assign a password to the Administrator account?
Beware of Social Engineering!
• Kevin Mitnick story
– T. Espiner: Newsmaker: Kevin Mitnick, the great pretender, CNET News, 2006, http://news.cnet.com/Kevin-Mitnick,-the-great-pretender/2008-1029_3-6083668.html
– T. Shimomura and J. Markoff, Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It, 1996, http://www.amazon.com/Takedown-Pursuit-Americas-Computer-Outlaw/dp/0786889136
Question: Would you hire a reformed hacker to maintain your security?
Next Class
Access Control
• An Introduction to Computer Security: The NIST Handbook, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter 17, LOGICAL ACCESS CONTROL, pages 194 - 207
• Microsoft support, Use access control to restrict who can use your files, 2001, 2005, http://www.microsoft.com/windowsxp/using/security/learnmore/accesscontrol.mspx
• Sudhakar Govindavajhala and Andrew W. Appel, Windows Access Control Demystified, 2006, http://www.cs.princeton.edu/~appel/papers/winval.pdf