Authentication

Chapter 9 – Overview of Authentication Systems

Authentication is verifying that something (or someone) is what it claims to be. For example, at login, a user of a workstation authenticates to the file server to access their files. Another example is at boot-up, when a workstation authenticates to the domain controller to access the applications assigned to that workstation.

Authentication can take many forms. The one most familiar to us is entering our username and password at login. This is password-based authentication. For authenticating users, the password is often short so it is easy to remember, chosen to be pronounceable so it is easy to remember, or a user-chosen passphrase so it is easy to remember. The fact that a person has to remember it greatly reduces its length and complexity. For authenticating a machine to a machine, the password can be much longer and more complex, because the computer can perform cryptographic functions such as hashing and encryption during authentication.

Some additional properties of passwords:
They can be copied
They can be shared
They can be stolen
They can be guessed
They can be overheard
Password Guessing – on-line

If you repeatedly enter guesses at a terminal, this is on-line password guessing. If you try to find the administrator password on a Windows PC, how many times can you guess? Let’s run secpol.msc and change some of the default account and password options.

On-line password guessing can be done by typing at the keyboard or over a network connection, if users can log in over the network. Typing at the keyboard is slow compared to repeated login attempts over a network. If the system doesn’t restrict login failures over the network, there are many on-line password attack tools that use a dictionary of passwords and a username list to attempt to find a working password.

IPCscan demo

A securely configured computer should have a password policy on each login method (local and remote). The policy should require passwords to be of at least some minimal length and to meet certain complexity requirements. For example: at least 14 characters long and containing at least one uppercase letter, one lowercase letter, one number, and one symbol. At a minimum, login failures should be logged, so that the username and type of login (remote or local) are recorded. This logging is invaluable in detecting suspicious activity on a user’s account.
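The two defensive controls described above (a password policy and logging of login failures by username and login type), as an added example that is not part of the chapter notes. The log line format, the failure threshold and the sample records are assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Sample policy from the notes: at least 14 characters, with at least one
# uppercase letter, one lowercase letter, one digit and one symbol.
MIN_LENGTH = 14


def meets_policy(password: str) -> bool:
    """Return True if the password satisfies the sample policy above."""
    if len(password) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)  # "symbol": non-alphanumeric
    return has_upper and has_lower and has_digit and has_symbol


# Constructed login-failure records (not real data) in an assumed format:
#   <timestamp> LOGIN_FAIL user=<name> type=<local|remote> src=<addr>
SAMPLE_LOG = """\
2024-01-01T10:00:01 LOGIN_FAIL user=alice type=remote src=192.0.2.10
2024-01-01T10:00:02 LOGIN_FAIL user=alice type=remote src=192.0.2.10
2024-01-01T10:00:03 LOGIN_FAIL user=alice type=remote src=192.0.2.10
2024-01-01T10:00:04 LOGIN_FAIL user=alice type=remote src=192.0.2.10
2024-01-01T10:00:05 LOGIN_FAIL user=alice type=remote src=192.0.2.10
2024-01-01T10:00:06 LOGIN_FAIL user=alice type=remote src=192.0.2.10
2024-01-01T10:01:00 LOGIN_FAIL user=bob type=local src=console
"""

LINE_RE = re.compile(r"LOGIN_FAIL user=(\S+) type=(local|remote)")


def failures_by_account(log_text: str) -> Counter:
    """Count login failures per (username, login type) pair, as the notes say to record."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def suspicious_accounts(log_text: str, threshold: int = 5) -> list:
    """Return (user, type) pairs whose failure count reaches the (assumed) threshold."""
    return sorted(k for k, n in failures_by_account(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(meets_policy("Tr0ub4dor&3-horse!"), meets_policy("short1A!"))
    print(suspicious_accounts(SAMPLE_LOG))
```

A real deployment would read the operating system's own failure log rather than this constructed format, but the per-account, per-login-type count is the signal the notes describe.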
Password Guessing – off-line

If an attacker is able to access the stored passwords while the system is not running, or if the password file can be copied while the system is running, then an off-line password attack is possible. In this case, many more passwords can be tried much more quickly, since the account and password policies (such as lockout after repeated failures) are bypassed. Most operating systems store the passwords encrypted or hashed.