Lecture 3 User Authentication.ppt

  • About 28,600 characters
  • About 34 pages
  • Published 2017-12-14 in Jiangsu

Lecture 3 – User Authentication

User Authentication
  • fundamental security building block
      • basis of access control
      • user accountability
  • is the process of verifying an identity claimed by or for a system entity
  • has two steps:
      • identification - specify identifier
      • verification - bind entity (person) and identifier
  • distinct from message authentication

Means of User Authentication
  • four means of authenticating user's identity
  • based on something the individual
      • knows - e.g. password, PIN
      • possesses - e.g. key, token, smartcard
      • is (static biometrics) - e.g. fingerprint, retina
      • does (dynamic biometrics) - e.g. voice, sign
  • can use alone or combined
  • all can provide user authentication
  • all have issues

Password Authentication
  • widely used user authentication method
      • user provides name/login and password
      • system compares password with that saved for specified login
  • authenticates ID of user logging in and
      • that the user is authorized to access system
      • determines the user’s privileges
      • is used in discretionary access control

Password Vulnerabilities
  • offline dictionary attack
  • specific account attack
  • popular password attack
  • password guessing against single user
  • workstation hijacking
  • exploiting user mistakes
  • exploiting multiple password use
  • electronic monitoring

Countermeasures
  • stop unauthorized access to password file
  • intrusion detection measures
  • account lockout mechanisms
  • policies against using common passwords but rather hard to guess passwords
  • training and enforcement of policies
  • automatic workstation logout
  • encrypted network links

Use of Hashed Passwords

UNIX Implementation
  • original scheme
      • 8 character password forms 56-bit key
      • 12-bit salt used to modify DES encryption into a one-way hash function
      • 0 value repeatedly encrypted 25 times
      • output translated to 11 character sequence
  • now regarded as woefully insecure
      • e.g. supercomputer, 50 million tests, 80 min
  • sometimes still used for compatibility

Improved Implementations
  • have other, stronger, hash/salt variants
  • many systems now use MD5 with 48
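
Added example (not part of the original slides): the salted-hash flow outlined under "Use of Hashed Passwords" and "Improved Implementations", covering enrollment and login verification. PBKDF2-HMAC-SHA256 from the Python standard library is swapped in for the DES- and MD5-based schemes the slides name; the names enroll, verify and password_file, the iteration count and the sample accounts are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # example work factor (assumption); tune upward for your hardware
SALT_BYTES = 16        # random per-user salt, far larger than the 12-bit original


def _slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for the salted one-way hash of the slides.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password_file: dict, user: str, password: str) -> None:
    """Load a new password: choose a fresh salt, store salt + hash under the user ID."""
    salt = os.urandom(SALT_BYTES)
    password_file[user] = (salt, ITERATIONS, _slow_hash(password, salt, ITERATIONS))


def verify(password_file: dict, user: str, password: str) -> bool:
    """Verify a login: fetch the stored salt by user ID, recompute, compare."""
    record = password_file.get(user)
    if record is None:
        # Unknown ID: do the same work anyway so response time does not
        # reveal which user IDs exist.
        _slow_hash(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    salt, iterations, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_slow_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    pf = {}  # constructed in-memory stand-in for the password file
    enroll(pf, "alice", "correct horse battery")   # constructed sample accounts
    enroll(pf, "bob", "correct horse battery")     # same password, different salt
    print("hashes differ:", pf["alice"][2] != pf["bob"][2])
    print("good login:", verify(pf, "alice", "correct horse battery"))
    print("bad login:", verify(pf, "alice", "password"))
```

Because each account gets its own salt, two users with the same password store different hashes, so one precomputed dictionary cannot be reused across the whole password file.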
