Authentication

Identification is when an entity declares its identity ("I am Stefano", "I am Michele", ...) while authentication is whene the entity provides proof that verifies its identity.

The threee factors of authentication

To know: something that the entity knows. Examples: password, PIN, secrets, etc.
To have: something that the entity has. Examples: key, smart card, token, etc.
To be: something that the entity is. Examples: fingerprints, face, voice, etc.

Multi-factor authentication uses two or three factors.

The "to know" factor: passwords and PINs

Passwords are widly used because they present the following key advantages:

Low cost
Ease of deployment
Low technical baries

However secrets could be:

Stolen/snooped
Guessed
Cracked

Some countermeasures can, costly, be put in place:

Change/expire frequently
Are long and have a rich character set
Are not related to the user

But humans are bad with passwords:

Unable to keep secrets
Unable to remember complex passwords
Unable to remember a lot of different passwords

The "to have" factor

User must prove that it possesses something.

Advantages:

Human factor (less likely to hand out a key)
Relatively low cost
Good level of security

Disadvantages:

Hard to deploy
Can be lost or stolen

Countermeasures:

Use with a second factor

Examples:

One-time password generators
Smart cards

The "to be" factor: biometric authentication

User must prove that it has some specific characteristics.

Advantages:

high level of security
No extra hardware to carry around and no secrets to remember

Disadvantages:

Hard to deploy
Non deterministic matching
Invasive
Clonable
Bio-characteristics change
Privacy
Disabilities

Countermeasures:

Re-mesure often

Single Sign On

Managing are rembering unique passwords is complex. This leads users to re-use passwords over multiple services.

A solution is to use one trusted host to identify. THis host should have high level of security (multi-factor authentication). Users authenticate on the trusted host and other hosts ask the trusted host if a user is authenticated.

The insecrity is that there is a single point of trust which, if compromised, makes all the sites compromised.

Introduction to computer security

Authentication

Access control

Exercises on introduction

Exercises on authentication and access control

Introduction to cryptography and perfect ciphers

Computationally secure ciphers and pseudorandom number generators

Chosen Plaintext Attacks (CPAs)

Data integrity and Message Authentication Codes (MAC)

Asymmetric cryptosystems

Data authentication and digital signatures

The public key binding problem and digital certificates

Fundamentals of Information Theory

Exercises on cryptography

Introduction to software security

Recalls of Linux

Buffer overflows

Format String Bugs

Exercises on software security

Introduction to web security

Cross Site Scripting (XSS)

SQL injection

Cookies and sessions

Cross-Site Requests Forgery (CSRF)

Other vulnerabilities

Exercises on web security

Network Protocol Attacks

Firewalls

Architectures for secure networks

TLS and SET

Exercises on network security

Malwares introduction

Defending againts malware and stealth techniques

Exercises on malwares

Authentication

The threee factors of authentication

The "to know" factor: passwords and PINs

The "to have" factor

The "to be" factor: biometric authentication

Single Sign On

No Comments