Lecture 3: User Authentication (1) (.ppt)
Lecture 3: User Authentication

User Authentication
- fundamental security building block
  - basis of access control & user accountability
- is the process of verifying an identity claimed by or for a system entity
- has two steps:
  - identification - specify identifier
  - verification - bind entity (person) and identifier
- distinct from message authentication
- (RFC 2828) the process of verifying an identity claimed by or for a system entity

Means of User Authentication
- four means of authenticating a user's identity, based on something the individual
  - knows - e.g. password, PIN
  - possesses - e.g. key, token, smartcard
  - is (static biometrics) - e.g. fingerprint, retina
  - does (dynamic biometrics) - e.g. voice, signature
- can be used alone or combined
- all can provide user authentication
- all have issues

Password Authentication
- widely used user authentication method
  - user provides name/login and password
  - system compares password with that saved for the specified login
- authenticates the ID of the user logging in and that the user is authorized to access the system
- determines the user's privileges
- is used in discretionary access control (自主访问控制)

Password Vulnerabilities
- offline dictionary attack
- specific account attack
- popular password attack
- password guessing against a single user
- workstation hijacking
- exploiting user mistakes
- exploiting multiple password use
- electronic monitoring

Countermeasures
- stop unauthorized access to the password file
- intrusion detection measures
- account lockout mechanisms
- policies against using common passwords, requiring hard-to-guess passwords instead
- training & enforcement of policies
- automatic workstation logout
- encrypted network links

Use of Hashed Passwords
- salt: related to the time at which the password is assigned to the user; a pseudorandom or random number
- purpose of the salt:
  - prevents duplicate passwords from being visible in the password file
  - increases the difficulty of offline dictionary attacks
  - makes it practically impossible for an attacker to discover whether a user has used the same password on multiple systems
- (figure: loading a new password; verifying a password)

UNIX Implementation
- original scheme
  - 8 character password forms 56-bit key
  - 12-bit salt used to modify DES encryption into a one-way hash function
  - 0 value repeatedly encrypted 25 times
  - output translated to 11 character sequence
- now regarded as woefully insecure
  - e.g. supercomputer, 50 million tests, 80 min
- sometimes still used for compatibility

Improved Implementations
- have other, stronger, hash/salt variants
- many systems now use MD5
  - with 48-bit salt
  - password length is unlimited
  - is hashed with a 1000-times inner loop
  - produces 128-bit hash
- OpenBSD uses a Blowfish block cipher based hash algorithm called Bcrypt
  - uses 128-bit salt to create 192-bit hash value

Password Cracking (口令破解)
- dictionary attacks
  - try each word, then obvious variants, in a large dictionary against the hashes in the password file
- rainbow table attacks
  - precompute tables of hash values for all salts
  - a mammoth table of hash values
  - e.g. 1.4GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs
  - not feasible if larger salt values are used

Password Choices
- users may pick short passwords
  - e.g. 3% were 3 chars or less, easily guessed
  - system can reject choices that are too short
- users may pick guessable passwords
  - so crackers use lists of likely passwords
  - e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them
  - would take about 1 hour on fastest systems to compute all variants, and only need 1 break!

Strategies used in password cracking (口令破解使用的策略)
- try the user's name, initials, account name and other personal information; 130 different combinations are tried for each user
- try words that appear in various dictionaries
- try permutations of those words, including capitalising the first letter or adding a control character, all letters uppercase, the word reversed, the letter "O" changed to "0", and so on; these permutations add 1 million words
- for words not covered by the first two steps, try various capitalisation permutations; this adds about 2 million words to the password word list
- an exhaustive search of these roughly 3 million words, using the fastest Thinking Machines implementation and encrypting every word under every possible salt, takes no more than 1 hour; for the sample containing 13,797 accounts
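The two paths in the hashed-password slide (loading a new password, verifying a password) and the rainbow-table point from the cracking slide, as an added example that is not part of the lecture. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow one-way function in place of the DES/MD5/Blowfish constructions the slides name; the record layout (salt, iteration count, digest), the constants, and the constructed guess list are this example's own assumptions.

```python
"""Salted, iterated password hashing: store salt + hash, never the password.

Added example, not from the lecture. PBKDF2-HMAC-SHA256 stands in for the
one-way functions the slides describe; the record layout is our own choice.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000   # slow inner loop, in the spirit of the MD5 scheme's 1000 rounds
SALT_LEN = 16          # 128-bit salt, the size the bcrypt slide cites
HASH_LEN = 32          # 256-bit output


@dataclass(frozen=True)
class PasswordRecord:
    """What the password file holds for one user: salt, cost, and the hash."""
    salt: bytes
    iterations: int
    digest: bytes


def one_way(password: str, salt: bytes, iterations: int) -> bytes:
    """The one-way function: password and salt in, fixed-length digest out."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN
    )


def load_new_password(password: str) -> PasswordRecord:
    """Loading a new password: draw a fresh random salt for this user and
    store the salt alongside the hash; the plaintext is discarded."""
    salt = os.urandom(SALT_LEN)
    return PasswordRecord(salt, ITERATIONS, one_way(password, salt, ITERATIONS))


def verify_password(record: PasswordRecord, candidate: str) -> bool:
    """Verifying a password: recompute with the stored salt and cost, then
    compare in constant time so the comparison itself leaks nothing via timing."""
    recomputed = one_way(candidate, record.salt, record.iterations)
    return hmac.compare_digest(recomputed, record.digest)


def salt_defeats_precomputation(password: str, guesses, cost: int = 1000):
    """Why the slide says large salts make precomputed tables infeasible.

    A table of hashes built from a guess list under one fixed salt (here the
    empty salt, i.e. no salt at all) matches an unsalted store directly, but
    cannot be matched against a record hashed under a random salt that did not
    exist when the table was built. Returns (hit_unsalted, hit_salted).
    """
    table = {one_way(g, b"", cost): g for g in guesses}       # precomputed once
    stored_unsalted = one_way(password, b"", cost)            # weak store: no salt
    stored_salted = one_way(password, os.urandom(SALT_LEN), cost)
    return stored_unsalted in table, stored_salted in table


if __name__ == "__main__":
    # Two users choosing the same password get different salts and digests,
    # so the duplicate is not visible in the password file.
    a = load_new_password("shared-password")
    b = load_new_password("shared-password")
    print("same password, different digests:", a.digest != b.digest)
    print("verify correct:", verify_password(a, "shared-password"))
    print("verify wrong:", verify_password(a, "Shared-password"))
    # Constructed guess list for the precomputation demonstration.
    print("table hit (unsalted, salted):",
          salt_defeats_precomputation("welcome", ["password", "welcome", "secret"]))
```

The cost parameter is what the UNIX slide's "25 times" and the MD5 slide's "1000 times inner loop" are getting at: every guess against a stolen record has to pay the same iteration count the defender paid, and the per-user salt means that work cannot be shared across users or precomputed in advance.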
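The "Password Choices" slide says the system can reject choices that are too short or guessable, and the cracking-strategy slide lists exactly what a guesser tries first: personal information, dictionary words, and obvious variants (capitalisation, reversal, "O" to "0"). The proactive checker below, an added example that is not part of the lecture, turns that list into rejection rules applied at password-change time. The minimum length, the tiny constructed word list, the variant rules, and the user-record fields (`login`, `full_name`) are this example's own assumptions; a real deployment would load a large word list.

```python
"""Proactive password checker: reject short, dictionary-derived, or
personal-information passwords before they are stored.

Added example, not from the lecture. Word list, length threshold and
variant rules are our own assumptions.
"""
import re

MIN_LENGTH = 8

# Constructed sample word list; a real checker loads a large dictionary.
SMALL_DICTIONARY = {"password", "welcome", "dragon", "secret", "letmein", "monkey"}

# Common digit/symbol-for-letter substitutions, undone before dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

REASON_SHORT = f"too short (minimum {MIN_LENGTH} characters)"
REASON_DICTIONARY = "dictionary word or an obvious variant of one"
REASON_PERSONAL = "derived from account or personal information"


def canonical_forms(candidate: str) -> set[str]:
    """Map a candidate to the plain words it is an obvious variant of:
    case folded, trailing digits stripped, substitutions undone, reversed."""
    base = candidate.lower()
    forms = {base, re.sub(r"\d+$", "", base)}                 # "dragon1" -> "dragon"
    forms |= {f.translate(LEET_MAP) for f in list(forms)}     # "drag0n"  -> "dragon"
    forms |= {f[::-1] for f in list(forms)}                   # "nogard"  -> "dragon"
    return {f for f in forms if f}


def personal_tokens(user_info: dict) -> set[str]:
    """Name parts, login name and initials drawn from the user's record."""
    tokens = set()
    for value in user_info.values():
        for part in re.split(r"[\s._-]+", value.lower()):
            if len(part) >= 3:
                tokens.add(part)
    initials = "".join(p[0] for p in user_info.get("full_name", "").lower().split())
    if len(initials) >= 2:
        tokens.add(initials)
    return tokens


def check_password(candidate: str, user_info: dict, dictionary=SMALL_DICTIONARY) -> list[str]:
    """Return the list of reasons to reject the candidate; empty means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    forms = canonical_forms(candidate)
    if forms & set(dictionary):
        reasons.append(REASON_DICTIONARY)
    personal = personal_tokens(user_info)
    # Short tokens such as initials must match exactly; longer ones may be embedded.
    if any(f == t or (len(t) >= 4 and t in f) for f in forms for t in personal):
        reasons.append(REASON_PERSONAL)
    return reasons


if __name__ == "__main__":
    user = {"login": "jsmith", "full_name": "John Smith"}   # constructed record
    for pw in ["abc", "Drag0n1", "Smith2024!", "correct-horse-battery"]:
        verdict = check_password(pw, user) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The checker deliberately runs the same normalisations a guesser would try (the slide's capitalisation, reversal and "O" to "0" permutations) so that the password file never contains an entry those permutations would reach; rejecting at choice time is far cheaper than detecting a compromise afterwards.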
Link: https://www.31doc.com/p-2258829.html