SlideShare une entreprise Scribd logo

10.1.1.44.6790

Alok Tripathi
Alok Tripathi
Technologie
1  sur  8
Télécharger pour lire hors ligne
THE S/KEYTM ONE-TIME PASSWORD SYSTEM Neil M. Haller Bellcore Morristown, New Jersey ABSTRACT physical access to the computers attempt to gain improper access. Computing systems have been under increasingly sophisticated attack over the Internet and by using We have built an experimental prototype S/KEY dial-up access ports. One form of attack is authentication system for a UNIX® environment, but eavesdropping on network connections to obtain login there is nothing UNIX-specific about the design. id’s and passwords of legitimate users. This External Threats information is used at a later time to attack the system. We have developed a prototype software system, the There are several ways an external intruder might S/KEYTM one-time password system, to counter this break into a UNIX system. These include guessing type of attack and have been using it experimentally poorly chosen passwords, potentially with dictionary for external access to a research computer complex at attacks; taking advantage of bugs in privileged UNIX Bellcore. system software (an example is the "Morris Worm" of November 1988 that exploited a bug in the Internet The S/KEY system has several advantages compared finger server[1].), and taking advantage of system with other one-time or multi-use authentication configuration errors or poorly chosen system defaults. systems. The user’s secret password never crosses the Properly configured and administered systems are not network during login or when executing other generally vulnerable to these attacks. commands requiring authentication such as the UNIX passwd (change password) or su (change privilege) Other attacks take advantage of the information that commands. No secret information is stored anywhere, crosses communications networks. One can obtain including on the host being protected, and the passwords for later use by passive eavesdropping, and underlying algorithm may be made public. The remote the form of current passwords can be used to guess end (client) of this system can run on any locally future ones. A potential intruder can actively available computer and the host end (server) can be interfere with legitimate network traffic by spoofing or integrated into any application requiring disrupting the communications protocols. authentication. Defenses Against Passive and Active Attacks The S/KEY authentication system has been in Data, including authentication information such as experimental use at Bellcore for two years. It is passwords, are carried on a variety of networks available by anonymous ftp on the Internet. including LANS and private or public data and voice networks. If a potential intruder can gain access, INTRODUCTION either directly or using tools designed for other There are a variety of threats to be considered when functions (such as network management), this access operating a computer system. One can distinguish can be used to monitor traffic from legitimate users between inside jobs and external attacks; in this paper, and collect passwords and other data for later use. we are concerned with attempts to penetrate a system This eavesdropping is classified as a passive network of computers from outside the physical facility. We attack. Alternatively, an attacker might choose to are not concerned with the additional security issues disrupt or divert the communications of legitimate where legitimate users may attempt to increase their users, e.g., by spoofing traffic; this is classified as an privilege (become super-users) or where insiders with active attack. S/KEY is a trademark of Bellcore UNIX is a registered trademark of X/Open.
-2- In recent years, protocols capable of thwarting both computer is vulnerable to an eavesdropping/replay passive and active attacks have been devised and attack. implemented. Many of these, including ours, involve A major strength of Kerberos is that it is capable of an exchange of data between the host being protected protecting against active attacks using encryption. and the client attempting to gain authorized access. This option gets limited use because of the overhead it The defense against passive attacks is to make the data imposes, but the increasing power of low cost crossing the network useless to an eavesdropper; thus computers makes this a short term problem. Given a potential intruder cannot gain improper access by that it is much easier to conduct a passive attack than replaying a saved valid authentication sequence. an active one without risking detection, we feel that The simplest form of such a defense is for the host to there is still value in a system that protects only generate a random string and send it to the client. The against passive attacks. client then uses some computing device to compute a The S/KEY Authentication System key-based cryptographic function (see below, Secure Hash Functions) of this string and then return the The S/KEY authentication system is a scheme that output of this function to the host. The host executes protects user passwords against passive attacks. It can the same function and compares the results.[2] A be easily and quickly added to almost any UNIX weakness of this system is that the secret keys must be system, without requiring any additional hardware and available to the host, and protecting this host becomes without requiring the system to store information a critical link in the security chain. (such as plain text passwords) that would be more sensitive than the encrypted passwords already stored. This system can be implemented in software or as a The S/KEY system can be used with "dumb terminals", special purpose device to be carried by the client. personal computers with conventional The latter offers the advantages of portability and communications programs, or workstations. It is interface independence, but at an increased system conceptually compatible with a potential cost. implementation based on smart cards or pocket Another defense is the use of hand-held device calculators. containing a clock that is synchronized to the host (or security processor). Both generate a sequence based GOALS on a secret seed that is stored in the host and is Eavesdropping Protection therefore a weak link. The primary goal of the S/KEY authentication system The S/KEY system as described here is implemented in is to provide complete protection of the login-time software. It is straightforward to convert this system authentication mechanism against passive to utilize a portable device, but we have not done so. eavesdropping. This protection implies that no A notable example of a security protocol is the information may cross the network that could Kerberos1 [3] authentication system from MIT’s potentially be used for authentication at a later time. project Athena.[4] Kerberos solves the problem of An eavesdropper with complete transcripts of many passive eavesdropping within a single computing user sessions, including password changes, should environment called a realm (multiple realms may be have no information that would be useful in joined). This system does not, however, address the attempting to login to the system. problem of access across a network using client Ease of Use software that is unable to fully participate in the Kerberos protocol. A client using a workstation A security system must be easy to use. Not all users within a realm (or connected realms) is completely are willing to cope with a complex security system and transparently protected by Kerberos against and it is virtually impossible to block all insider built passive attacks, but a client using a simple (non- back-doors. The more user-friendly the system is, the programmable) terminal or a non-participating 2 less likely it will be bypassed. Ideally the system should be as easy to use as a system protected by a conventional multi-use password system. 1. Athena and Kerberos are trademarks of MIT. 2. Most communication programs on non-UNIX systems (both Automated Operation using dial-up and Internet connectivity) are unable to participate in the Kerberos protocol. This is not to say that they could not A common form of remote access to a computing be modified to do so. system is from another computer acting as a terminal using a communications program. This computer may
-3- be completely under the control of a single operator, Secure Hash Functions and thus may be trusted. We want our system to be A secure hash function is a function that is easy to nearly as simple to use in this configuration as remote compute in the forward direction, but computationally login using a multi-use password. infeasible to invert. Consider: In some situations, it is useful to have one machine y = f (x) access another without human intervention. Assuming a remote client machine is in a secure environment so If f is the secure hash function with input x and output that it can be trusted with the underlying secret y, then computing y given x is fast and easy, but password, full automatic operation can be achieved. finding an x ′ such that The goal of providing automated operation implies y = f (x ′ ) that our system is primarily a secret based for a given y is extremely difficult. Ideally, there authentication system (something you know). As it should be no way to determine such an x ′ other than requires computation to produce the one-time by trying an infeasible number of values to see which passwords, it is easily convertible to a token based one works. If the number of possible values of x that (something you have) system. must be tried is made large enough, then for all No Secret Algorithms practical purposes the function cannot be inverted. We have chosen a hash function with 264 (about 1019) The security of the authentication system must be values. based entirely on the secret (or secret containing token) and not on secret algorithms. A public As the basis of our secure hash function, we chose the algorithm can be evaluated by the industry, thus MD4 Message Digest algorithm4 designed by Ronald developing confidence in its cryptographic strength. If Rivest[5] of RSA Data Security Inc. MD4 accepts an a system’s security depends on a hidden algorithm, arbitrary number of bits as input and produces 16 there is always a danger of exposure when someone bytes of output. MD4 is fast, and so far it is believed who knows the secret changes jobs or loyalties. to be secure; i.e., there is no known way of finding the input that produced a given output that is better than No Stored Secrets by exhaustively trying possible inputs. Storing secret keys or passwords on a host increases In order to be able to apply the hash function an its attractiveness as a target, and causes a breach of arbitrary number of times, we have defined our security to be more wide-spread. When a common function to take 8 bytes of input and to produce 8 password file is used for many machines, this risk bytes of output. This is done by running the 8 bytes of becomes even greater. On UNIX systems, the input through MD4 and then "folding" pairs of bytes password file contains passwords already processed in the 16-byte MD4 output down to 8 bytes with through a secure hash function and thus the exclusive-OR operations. information in this file is not directly usable to an intruder. We want our system to be no weaker 3 than Generation of One-Time Passwords this UNIX scheme, implying that no usable passwords Our one-time passwords are 64 bits in length. We may be stored on any host. believe that this is long enough to be secure and short enough to be manually entered by users (see below, DESCRIPTION OF THE S/KEY SYSTEM Form of Password, for the representation) when There are two sides to the operation of our one-time necessary. password system. On the remote client side, the Preparatory Step appropriate one-time password must be generated. On the host side, the server must verify the one-time The input to our hash function (described above) is 8 password. This section describes both sides, and the bytes. As the client’s secret password may be (should secure hash function on which the S/KEY authentication system is based. 4. Although the security of MD4 has not been broken, the newer function MD5 has been released. MD5 is slightly slower and more complex; converting to MD5 is simple, but we have 3. Both UNIX password security and S/KEY authentication are chosen to continue using MD4 because of the large number of vulnerable to dictionary attacks unless the passwords are well client password computing programs that have been distributed. chosen.
-4- be) longer, a preparatory step is needed. In this step, unable to log in again. This is done by executing the the password is concatenated with a seed that is keyinit command, that is essentially a special version transmitted from the server in clear text. This non- of the the UNIX passwd command, to start a new secret seed allows a client to use the same secret sequence of one-time passwords. This operation is password on multiple machines (using different identical to a normal authentication, except that the seeds), and to safely recycle secret passwords by one-time password received over the network is not changing the seed. The result of the concatenation is checked against the entry already in the password file passed through MD4, and then reduced to 8 bytes by before it replaces it. In this way, the selection of a new exclusive-OR of the two 8-byte halves. This result, password can be done safely even in the presence of called s below, is passed on to the generation step. an eavesdropper. This mechanism does not defend against an active attack. Generation Step The sequence of one-time passwords p i is produced OPERATION OF S/KEY SYSTEM by applying the secure hash function multiple times. Overview That is, the first one-way password is produced by running the client’s processed secret password s The S/KEY one-time password authentication system through the hash function some specified number of uses computation to generate a finite sequence of times, N. single-use passwords from a single secret. The security is entirely based on a single secret that is p 0 = f N (s) known only to the user5. The single-use passwords The next one-way password is generated by running are related in a way that makes it computationally the user’s password through the hash function only intractable to compute any password from the N − 1 times. preceding sequence. (It is simple, however, to compute previous passwords from the current one.) p 1 = f N − 1 (s) The single use, or one-time, passwords replace all In general, the formula is: authentication password requirements. They are used p i = f N − i (s) at login time and when using the UNIX su command. Even when the underlying secret password is changed, An eavesdropper who has monitored the use of the only a derived one-time password crosses the network. one-time password p i will not be able to generate the The host computer never sees, and has no way of next one in the sequence (p i + 1 ) because doing so learning, the real secret. would require inverting the hash function. Without knowing the secret key that was the starting point of As no secret algorithms are used, and the code is the function iterations, this can not be done. freely available, it is straightforward to build the S/KEY one-time password security system into any System Verification of Passwords command or product requiring authentication. The host is initially given p 0 . When a client attempts Generation of S/KEY One-Time Passwords to be authenticated, the seed and current value of i are passed to the client. The client returns the next one- As mentioned above, the one-time password sequence time password. The host computer first saves a copy is derived from the secret password using a computer. of this one-time password, then it applies the hash The required computation can be executed on any PC function to it. or UNIX class machine. A supplier of credit card size devices estimated that such a device could be built for p i = f ( f N − i − 1 (s)) = f (p i + 1 ) less than $30 in large quantities. If the result does not match the copy stored in the The program can also be stored on and executed from system’s password file, then the request fails. If they a standard floppy disk. This would allow operation on match, then the client’s entry in the system password a remote computer that could not be entirely trusted file is updated with the copy of the one-time password not to contain a Trojan Horse that would attempt to that was saved before the final execution (by the capture the secret password 6. It is also possible to server) of the hash function. This updating advances the password sequence. 5. Alternatively, part of or the entire secret can be stored in a non- Because the number of hash function iterations retrievable way, in the computing device. executed by the user decreases by one each time, at 6. For added security, one might prefer to boot off the floppy. The some point the user must reinitialize the system or be truly paranoid will worry about the integrity of the ROM.
-5- pre-compute and print several one-time passwords that password and generates the correct one-time password could be carried on a trip where no trusted local and stuffs it into the keyboard buffer simulating user computation is available such as when using public entry of this password. workstations at a conference. Fully automated operation is obviously possible, but it Description of Operation would require the client machine to know the secret password. This is only acceptable if the client The following narrative describes the procedure for machine is in a physically secure place. logging into a UNIX system using the S/KEY one-time password system. In this example, a hand-held PC Form of Password compatible computer is assumed. Note that the Internally the one-time password is a 64 bit number sequence numbers of successive one-time passwords providing 264 possible unique one-time passwords. decreases. Entering a 64 bit number is not a pleasant task; the 1. The user, call her Sue, identifies herself to the one-time password is therefore converted to a system by login name. sequence of six short words (1 to 4 letters). Each word is chosen from a dictionary of 2048 English 2. The system issues a challenge including the words thus providing a space of 266 possible sequence number of the one-time password sequences. The contents and encoding of this expected and a "seed". This "seed" allows Sue dictionary are not kept secret. to securely use a single secret for several machines. In this example, the seed is "unix3" ADMINISTRATION OF SYSTEM and the sequence number is 54. Installation 3. Sue enters 54 and unix3 into her palm-top computer. She is prompted for her secret. The minimum that must be installed to use this one- time password system on a UNIX host is a replacement 4. Sue enters her secret password that may be of for the login command and an additional command any length. The palm-top computes the 54th similar to passwd. As with the original commands, one-time password and displays it. these must run as root. In addition, it may be useful to 5. Sue enters the one-time password and is install a one-time password version of the su authenticated. command, a new version of ftpd for allowing ftp access via one-time passwords, and a command to 6. Next time Sue wants access, she will be compute one-time passwords. prompted for one-time password sequence number 53. Source Screening Semi-Automated Operation It is frequently desirable for an installation to allow internal access with a multi-use password while We have built semi-automatic interfaces for clients requiring one-time passwords for external access. A using communications software on a MS-DOS7 or screening table provides this function. When this Apple Macintosh8 personal computer. The following table is present, login attempts that pass the screening example describes a client interface that runs under test are permitted to use the normal password or a DOS as a Terminate and Stay Resident (TSR) program. one-time password. Others are notified that the use of Consider Sue in the above example using a the one-time password is required. communications program on a MS-DOS machine. Password echo Before starting the communications program, Sue runs a program that ties itself to a hot-key such as function Normally systems disable printing during the typing of key F10. When the host issues its challenge, Sue a password so that an onlooker cannot steal the presses the hot-key. The program then scans the password. With a one-time password, this is screen for the challenge and extracts the sequence unnecessary. The S/KEY modification of the login number and seed. It then prompts Sue for her secret command allows the user to turn echo on by pressing "return" at the password prompt. This makes it easier to enter the longer one-time password. 7. MS-DOS is a registered trademark of Microsoft Corporation. 8. Macintosh is a trademark of Apple Corporation. EXPERIENCE The S/KEY authentication system has been in experimental use for off-premise access to Bellcore
-6- for about two years. It has been available as an man pages alternative one-time password system to the users of dos DOS client interfaces and documentation in computer resources of one research organization. UNIX man-page format This section is based on this experience as mac Macintosh client interface package unscientificly observed by the biased eyes of the author. SUMMARY Ease of Use Computing systems have been under increasingly sophisticated attack using dial-up and other external User reaction to the S/KEY system varied from delight access ports. The one-time password technology to indifference. Our goal (see above, GOALS) of ease described is a simple and effective way to keep plain of use was not fully met because the reaction of text passwords out of the hands of an eavesdropper. It potential users was mixed based on two factors. is more general than some other systems as it allows Type of Terminal protected access to super-user privilege, and allows its underlying secret password to be securely changed. Those who accessed our systems using terminal No authenticating secret is ever transmitted in a re- programs on personal computers were generally happy usable form. (some were enthusiastic). These people generally used one of the semi-automated client access The S/KEY one-time password system described has programs. Those whose access was from non- been in use for about two years. We have learned that programmable terminals (such as X-Terminals) were ease of use and ease of learning are critical to user less satisfied. They generally had to print lists of one- acceptance. S/KEY is easy to use from workstations time passwords and enter them as required. No one and personal computers, but more difficult from non- liked typing the six-word one-time passwords programmable terminals. In the later case, a self although some preferred it to alternative systems. contained token authentication system seemed preferable to some users. Ease of Learning One-time passwords protect only at the time of Once you know how this system works, it is very easy authentication. They do not protect against an to use. And once you understand the underlying eavesdropper learning the content of the monitored concept, it is easy to understand how it works. But session. They also do not protect against false users are generally not interested in that level of authentication using more sophisticated active attacks. understanding. Several users stated that the system For example, a legitimate user might log into a system was easier to use than other systems, but took longer only to have the network connection "stolen" by an to learn. Several potential users never bothered to intruder. This could happen immediately after login, learn and chose the token authenticator in general use or the intruder could wait until the legitimate user at Bellcore. We learned that documentation is attempts to log out (to reduce the chances of important, and that good user instructions are hard to detection). Attempts to defeat active attacks may write. require more computing power on the user end of the Ease of Installation connection than is frequently available, certainly more than is available on a "dumb" terminal. Techniques Installing the S/KEY system requires replacing the under study include the encryption or protecting with login program. While the changes were cryptographic checksums of some or all of every straightforward, modifying the existing login is packet of data exchanged. impossible for systems without access to source code. In our case, we replaced the SunOS login with a ACKNOWLEDGMENTS modified program from BSD UNIX. The idea behind our system was originally described AVAILABILITY by Leslie Lamport.[6] The specific system described was proposed by Phil Karn who wrote most of the The server code for UNIX and the client interfaces are UNIX software. Additional details of the design were available as-is over the Internet by anonymous ftp. contributed by the author and John S. Walden who Some documentation in the form of man pages is also wrote the initial version of the MS-DOSclient software. available. These files are available from The Macintosh one-time password generator was thumper.bellcore.com in subdirectories of pub/nmh. written by Mark Segal, and the current MS-DOS client The contents of these subdirectories are: interfaces were written by the author. skey UNIX files including source, makefile, and
-7- REFERENCES 1. Eugene H. Spafford, The Internet worm program: An analysis. Computer Communications Review 19(1):17-57, January 1989. 2. R. M. Wong, T. A. Berson, R. J. Feiertag, "Polonius: An Identity Authentication System", Proceedings of the 1985 Symposium on Security and Privacy, pp. 101-107, Oakland, California, April 1985. 3. J. G. Steiner, C. Neuman, and J. I. Schiller. Kerberos: An authentication service for open network systems. USENIX Conference Proceedings, pp. 191-202, Dallas, Texas, February 1988. 4. Champine, G., Geer, D., and Ruh, W. "Project Athena as a Distributed Computer System", IEEE Computer, September 1990. 5. R. L. Rivest, The MD4 Message-Digest Algorithm, Request For Comments (RFC) 1320, MIT and RSA Data Security, Inc., April 1992. 6. Leslie Lamport, "Password Authentication with Insecure Communication", Communications of the ACM 24.11 (November 1981), 770-772.
-8-

Recommandé

امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتAmr Rashed
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewallsrajakhurram
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 
Wireless Security Needs For Enterprises
Wireless Security Needs For EnterprisesWireless Security Needs For Enterprises
Wireless Security Needs For Enterprisesshrutisreddy
 
NIDS ppt
NIDS pptNIDS ppt
NIDS pptMahendar Reddy
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configurationNutan Kumar Panda
 
Firewalls
FirewallsFirewalls
FirewallsSonali Parab
 

Recommandé

امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتAmr Rashed
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewallsrajakhurram
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 
Wireless Security Needs For Enterprises
Wireless Security Needs For EnterprisesWireless Security Needs For Enterprises
Wireless Security Needs For Enterprisesshrutisreddy
 
NIDS ppt
NIDS pptNIDS ppt
NIDS pptMahendar Reddy
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configurationNutan Kumar Panda
 
Firewalls
FirewallsFirewalls
FirewallsSonali Parab
 
Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture Yovan Chandel
 
Security Key Management Model for Low Rate Wireless Personal Area Networks
Security Key Management Model for Low Rate Wireless Personal Area NetworksSecurity Key Management Model for Low Rate Wireless Personal Area Networks
Security Key Management Model for Low Rate Wireless Personal Area NetworksCSCJournals
 
Firewalls
FirewallsFirewalls
FirewallsJyoti Akhter
 
Firewalls
FirewallsFirewalls
FirewallsShreya Singireddy
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
Firewall and its configuration
Firewall and its configurationFirewall and its configuration
Firewall and its configurationMuhammad Baqar Kazmi
 
4 (data security in local network using)
4 (data security in local network using)4 (data security in local network using)
4 (data security in local network using)JIEMS Akkalkuwa
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsDetecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsCSCJournals
 
Network Security Layers
Network Security LayersNetwork Security Layers
Network Security Layersnatarafonseca
 
Bypassing firewalls
Bypassing firewallsBypassing firewalls
Bypassing firewallsKumar
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewallsMurali Mohan
 
Firewall
FirewallFirewall
Firewalllmbriscoe
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentationyogendrasinghchahar
 
Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...usman butt
 
Introduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkIntroduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkEng. Mohammed Ahmed Siddiqui
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systemssamis
 
Firewalls
FirewallsFirewalls
Firewallsjunaid15bsse
 
Asynchronous and parallel programming
Asynchronous and parallel programmingAsynchronous and parallel programming
Asynchronous and parallel programmingAnil Kumar
 
Starting with jQuery
Starting with jQueryStarting with jQuery
Starting with jQueryAnil Kumar
 

Contenu connexe

Tendances

Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture Yovan Chandel
 
Security Key Management Model for Low Rate Wireless Personal Area Networks
Security Key Management Model for Low Rate Wireless Personal Area NetworksSecurity Key Management Model for Low Rate Wireless Personal Area Networks
Security Key Management Model for Low Rate Wireless Personal Area NetworksCSCJournals
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
4 (data security in local network using)
4 (data security in local network using)4 (data security in local network using)
4 (data security in local network using)JIEMS Akkalkuwa
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsDetecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsCSCJournals
 
Network Security Layers
Network Security LayersNetwork Security Layers
Network Security Layersnatarafonseca
 
Bypassing firewalls
Bypassing firewallsBypassing firewalls
Bypassing firewallsKumar
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewallsMurali Mohan
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...usman butt
 
Introduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkIntroduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkEng. Mohammed Ahmed Siddiqui
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systemssamis
 

Tendances (20)

Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture
 
Security Key Management Model for Low Rate Wireless Personal Area Networks
Security Key Management Model for Low Rate Wireless Personal Area NetworksSecurity Key Management Model for Low Rate Wireless Personal Area Networks
Security Key Management Model for Low Rate Wireless Personal Area Networks
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewalls
FirewallsFirewalls
Firewalls
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Firewall and its configuration
Firewall and its configurationFirewall and its configuration
Firewall and its configuration
 
4 (data security in local network using)
4 (data security in local network using)4 (data security in local network using)
4 (data security in local network using)
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection SystemsDetecting and Preventing Attacks Using Network Intrusion Detection Systems
Detecting and Preventing Attacks Using Network Intrusion Detection Systems
 
Network Security Layers
Network Security LayersNetwork Security Layers
Network Security Layers
 
Bypassing firewalls
Bypassing firewallsBypassing firewalls
Bypassing firewalls
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
 
Firewall
FirewallFirewall
Firewall
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Firewall presentation
Firewall presentationFirewall presentation
Firewall presentation
 
Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...Impact to it security of incorrect configuration of firewall policies and thi...
Impact to it security of incorrect configuration of firewall policies and thi...
 
Introduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkIntroduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for network
 
Intrusion prevention systems
Intrusion prevention systemsIntrusion prevention systems
Intrusion prevention systems
 
Firewalls
FirewallsFirewalls
Firewalls
 

En vedette

Asynchronous and parallel programming
Asynchronous and parallel programmingAsynchronous and parallel programming
Asynchronous and parallel programmingAnil Kumar
 
Starting with jQuery
Starting with jQueryStarting with jQuery
Starting with jQueryAnil Kumar
 
Rates of weathering lesson 6
Rates of weathering lesson 6Rates of weathering lesson 6
Rates of weathering lesson 6Ms Geoflake
 
Gwendolyn willis _lesson_plan_format_plants
Gwendolyn willis _lesson_plan_format_plantsGwendolyn willis _lesson_plan_format_plants
Gwendolyn willis _lesson_plan_format_plantscarmi504
 
Formation Of Soil And Soil Types
Formation Of Soil And Soil TypesFormation Of Soil And Soil Types
Formation Of Soil And Soil TypesElizabeth Nolen
 
Lesson Plan
Lesson PlanLesson Plan
Lesson Plantarakbr
 
4A's Detailed lesson plan in Science 3
4A's Detailed lesson plan in Science 34A's Detailed lesson plan in Science 3
4A's Detailed lesson plan in Science 3janehbasto
 
Detailed Lesson Plan in Science and Health grade 3
Detailed Lesson Plan in Science and Health grade 3Detailed Lesson Plan in Science and Health grade 3
Detailed Lesson Plan in Science and Health grade 3janehbasto
 
Detailed lesson plan science
Detailed lesson plan scienceDetailed lesson plan science
Detailed lesson plan scienceEric Cayetano
 
Detailed Lesson Plan in Science and Health Grade 3 Sense Organ
Detailed Lesson Plan in Science and Health Grade 3 Sense OrganDetailed Lesson Plan in Science and Health Grade 3 Sense Organ
Detailed Lesson Plan in Science and Health Grade 3 Sense Organjanehbasto
 
Detailed lesson plan in filipino
Detailed lesson plan in filipinoDetailed lesson plan in filipino
Detailed lesson plan in filipinoHana Czarina Callo
 
Detailed lesson plan in science 4
Detailed lesson plan in science 4Detailed lesson plan in science 4
Detailed lesson plan in science 4Faty Villaflor
 
Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)
Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)
Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)Junnie Salud
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 

En vedette (19)

Asynchronous and parallel programming
Asynchronous and parallel programmingAsynchronous and parallel programming
Asynchronous and parallel programming
 
Starting with jQuery
Starting with jQueryStarting with jQuery
Starting with jQuery
 
WEATHERING OF ROCKS
WEATHERING OF ROCKSWEATHERING OF ROCKS
WEATHERING OF ROCKS
 
Rates of weathering lesson 6
Rates of weathering lesson 6Rates of weathering lesson 6
Rates of weathering lesson 6
 
Grade 4 School Garden Lesson Plan - Soils Lesson; Make Your Own Soil ~ Massac...
Grade 4 School Garden Lesson Plan - Soils Lesson; Make Your Own Soil ~ Massac...Grade 4 School Garden Lesson Plan - Soils Lesson; Make Your Own Soil ~ Massac...
Grade 4 School Garden Lesson Plan - Soils Lesson; Make Your Own Soil ~ Massac...
 
Lecture17
Lecture17Lecture17
Lecture17
 
Gwendolyn willis _lesson_plan_format_plants
Gwendolyn willis _lesson_plan_format_plantsGwendolyn willis _lesson_plan_format_plants
Gwendolyn willis _lesson_plan_format_plants
 
Formation Of Soil And Soil Types
Formation Of Soil And Soil TypesFormation Of Soil And Soil Types
Formation Of Soil And Soil Types
 
Lesson Plan
Lesson PlanLesson Plan
Lesson Plan
 
4A's Detailed lesson plan in Science 3
4A's Detailed lesson plan in Science 34A's Detailed lesson plan in Science 3
4A's Detailed lesson plan in Science 3
 
Detailed Lesson Plan in Science and Health grade 3
Detailed Lesson Plan in Science and Health grade 3Detailed Lesson Plan in Science and Health grade 3
Detailed Lesson Plan in Science and Health grade 3
 
Detailed lesson plan science
Detailed lesson plan scienceDetailed lesson plan science
Detailed lesson plan science
 
Detailed Lesson Plan in Science and Health Grade 3 Sense Organ
Detailed Lesson Plan in Science and Health Grade 3 Sense OrganDetailed Lesson Plan in Science and Health Grade 3 Sense Organ
Detailed Lesson Plan in Science and Health Grade 3 Sense Organ
 
Detailed lesson plan in filipino
Detailed lesson plan in filipinoDetailed lesson plan in filipino
Detailed lesson plan in filipino
 
Sample of Semi Detailed Lesson Plan
Sample of Semi Detailed Lesson PlanSample of Semi Detailed Lesson Plan
Sample of Semi Detailed Lesson Plan
 
Detailed lesson plan in science 4
Detailed lesson plan in science 4Detailed lesson plan in science 4
Detailed lesson plan in science 4
 
Sample Detailed Lesson Plan
Sample Detailed Lesson PlanSample Detailed Lesson Plan
Sample Detailed Lesson Plan
 
Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)
Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)
Detailed Lesson Plan (ENGLISH, MATH, SCIENCE, FILIPINO)
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 

Similaire à 10.1.1.44.6790

Linux Security in Operating System
Linux Security in Operating SystemLinux Security in Operating System
Linux Security in Operating SystemMeghaj Mallick
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet KolkataSecurity Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkataamiyadutta
 
Ch19 OS
Ch19 OSCh19 OS
Ch19 OSC.U
 
Network and web security
Network and web securityNetwork and web security
Network and web securityNitesh Saitwal
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethicsArgie242424
 
Firewall protection
Firewall protectionFirewall protection
Firewall protectionVC Infotech
 
Computer security, additionally called cybersecurity or IT security,.pdf
Computer security, additionally called cybersecurity or IT security,.pdfComputer security, additionally called cybersecurity or IT security,.pdf
Computer security, additionally called cybersecurity or IT security,.pdfKUNALHARCHANDANI1
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network securitySreerag Gopinath
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerIRJET Journal
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and CryptographyManjunath G
 
cybersecurity essay.docx
cybersecurity essay.docxcybersecurity essay.docx
cybersecurity essay.docxssuser719d6b
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)Felipe Prado
 

Similaire à 10.1.1.44.6790 (20)

Lecture 07 networking
Lecture 07 networkingLecture 07 networking
Lecture 07 networking
 
Linux Security in Operating System
Linux Security in Operating SystemLinux Security in Operating System
Linux Security in Operating System
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet KolkataSecurity Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
 
OSCh19
OSCh19OSCh19
OSCh19
 
OS_Ch19
OS_Ch19OS_Ch19
OS_Ch19
 
Ch19 OS
Ch19 OSCh19 OS
Ch19 OS
 
Network and web security
Network and web securityNetwork and web security
Network and web security
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethics
 
Firewall
Firewall Firewall
Firewall
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Computer security, additionally called cybersecurity or IT security,.pdf
Computer security, additionally called cybersecurity or IT security,.pdfComputer security, additionally called cybersecurity or IT security,.pdf
Computer security, additionally called cybersecurity or IT security,.pdf
 
Sreerag cs network security
Sreerag cs network securitySreerag cs network security
Sreerag cs network security
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows Computer
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 
Lect13 security
Lect13 securityLect13 security
Lect13 security
 
Network security
Network securityNetwork security
Network security
 
cybersecurity essay.docx
cybersecurity essay.docxcybersecurity essay.docx
cybersecurity essay.docx
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)
 

Dernier

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

10.1.1.44.6790

  • 1. THE S/KEYTM ONE-TIME PASSWORD SYSTEM Neil M. Haller Bellcore Morristown, New Jersey ABSTRACT physical access to the computers attempt to gain improper access. Computing systems have been under increasingly sophisticated attack over the Internet and by using We have built an experimental prototype S/KEY dial-up access ports. One form of attack is authentication system for a UNIX® environment, but eavesdropping on network connections to obtain login there is nothing UNIX-specific about the design. id’s and passwords of legitimate users. This External Threats information is used at a later time to attack the system. We have developed a prototype software system, the There are several ways an external intruder might S/KEYTM one-time password system, to counter this break into a UNIX system. These include guessing type of attack and have been using it experimentally poorly chosen passwords, potentially with dictionary for external access to a research computer complex at attacks; taking advantage of bugs in privileged UNIX Bellcore. system software (an example is the "Morris Worm" of November 1988 that exploited a bug in the Internet The S/KEY system has several advantages compared finger server[1].), and taking advantage of system with other one-time or multi-use authentication configuration errors or poorly chosen system defaults. systems. The user’s secret password never crosses the Properly configured and administered systems are not network during login or when executing other generally vulnerable to these attacks. commands requiring authentication such as the UNIX passwd (change password) or su (change privilege) Other attacks take advantage of the information that commands. No secret information is stored anywhere, crosses communications networks. One can obtain including on the host being protected, and the passwords for later use by passive eavesdropping, and underlying algorithm may be made public. The remote the form of current passwords can be used to guess end (client) of this system can run on any locally future ones. A potential intruder can actively available computer and the host end (server) can be interfere with legitimate network traffic by spoofing or integrated into any application requiring disrupting the communications protocols. authentication. Defenses Against Passive and Active Attacks The S/KEY authentication system has been in Data, including authentication information such as experimental use at Bellcore for two years. It is passwords, are carried on a variety of networks available by anonymous ftp on the Internet. including LANS and private or public data and voice networks. If a potential intruder can gain access, INTRODUCTION either directly or using tools designed for other There are a variety of threats to be considered when functions (such as network management), this access operating a computer system. One can distinguish can be used to monitor traffic from legitimate users between inside jobs and external attacks; in this paper, and collect passwords and other data for later use. we are concerned with attempts to penetrate a system This eavesdropping is classified as a passive network of computers from outside the physical facility. We attack. Alternatively, an attacker might choose to are not concerned with the additional security issues disrupt or divert the communications of legitimate where legitimate users may attempt to increase their users, e.g., by spoofing traffic; this is classified as an privilege (become super-users) or where insiders with active attack. S/KEY is a trademark of Bellcore UNIX is a registered trademark of X/Open.
  • 2. -2- In recent years, protocols capable of thwarting both computer is vulnerable to an eavesdropping/replay passive and active attacks have been devised and attack. implemented. Many of these, including ours, involve A major strength of Kerberos is that it is capable of an exchange of data between the host being protected protecting against active attacks using encryption. and the client attempting to gain authorized access. This option gets limited use because of the overhead it The defense against passive attacks is to make the data imposes, but the increasing power of low cost crossing the network useless to an eavesdropper; thus computers makes this a short term problem. Given a potential intruder cannot gain improper access by that it is much easier to conduct a passive attack than replaying a saved valid authentication sequence. an active one without risking detection, we feel that The simplest form of such a defense is for the host to there is still value in a system that protects only generate a random string and send it to the client. The against passive attacks. client then uses some computing device to compute a The S/KEY Authentication System key-based cryptographic function (see below, Secure Hash Functions) of this string and then return the The S/KEY authentication system is a scheme that output of this function to the host. The host executes protects user passwords against passive attacks. It can the same function and compares the results.[2] A be easily and quickly added to almost any UNIX weakness of this system is that the secret keys must be system, without requiring any additional hardware and available to the host, and protecting this host becomes without requiring the system to store information a critical link in the security chain. (such as plain text passwords) that would be more sensitive than the encrypted passwords already stored. This system can be implemented in software or as a The S/KEY system can be used with "dumb terminals", special purpose device to be carried by the client. personal computers with conventional The latter offers the advantages of portability and communications programs, or workstations. It is interface independence, but at an increased system conceptually compatible with a potential cost. implementation based on smart cards or pocket Another defense is the use of hand-held device calculators. containing a clock that is synchronized to the host (or security processor). Both generate a sequence based GOALS on a secret seed that is stored in the host and is Eavesdropping Protection therefore a weak link. The primary goal of the S/KEY authentication system The S/KEY system as described here is implemented in is to provide complete protection of the login-time software. It is straightforward to convert this system authentication mechanism against passive to utilize a portable device, but we have not done so. eavesdropping. This protection implies that no A notable example of a security protocol is the information may cross the network that could Kerberos1 [3] authentication system from MIT’s potentially be used for authentication at a later time. project Athena.[4] Kerberos solves the problem of An eavesdropper with complete transcripts of many passive eavesdropping within a single computing user sessions, including password changes, should environment called a realm (multiple realms may be have no information that would be useful in joined). This system does not, however, address the attempting to login to the system. problem of access across a network using client Ease of Use software that is unable to fully participate in the Kerberos protocol. A client using a workstation A security system must be easy to use. Not all users within a realm (or connected realms) is completely are willing to cope with a complex security system and transparently protected by Kerberos against and it is virtually impossible to block all insider built passive attacks, but a client using a simple (non- back-doors. The more user-friendly the system is, the programmable) terminal or a non-participating 2 less likely it will be bypassed. Ideally the system should be as easy to use as a system protected by a conventional multi-use password system. 1. Athena and Kerberos are trademarks of MIT. 2. Most communication programs on non-UNIX systems (both Automated Operation using dial-up and Internet connectivity) are unable to participate in the Kerberos protocol. This is not to say that they could not A common form of remote access to a computing be modified to do so. system is from another computer acting as a terminal using a communications program. This computer may
  • 3. -3- be completely under the control of a single operator, Secure Hash Functions and thus may be trusted. We want our system to be A secure hash function is a function that is easy to nearly as simple to use in this configuration as remote compute in the forward direction, but computationally login using a multi-use password. infeasible to invert. Consider: In some situations, it is useful to have one machine y = f (x) access another without human intervention. Assuming a remote client machine is in a secure environment so If f is the secure hash function with input x and output that it can be trusted with the underlying secret y, then computing y given x is fast and easy, but password, full automatic operation can be achieved. finding an x ′ such that The goal of providing automated operation implies y = f (x ′ ) that our system is primarily a secret based for a given y is extremely difficult. Ideally, there authentication system (something you know). As it should be no way to determine such an x ′ other than requires computation to produce the one-time by trying an infeasible number of values to see which passwords, it is easily convertible to a token based one works. If the number of possible values of x that (something you have) system. must be tried is made large enough, then for all No Secret Algorithms practical purposes the function cannot be inverted. We have chosen a hash function with 264 (about 1019) The security of the authentication system must be values. based entirely on the secret (or secret containing token) and not on secret algorithms. A public As the basis of our secure hash function, we chose the algorithm can be evaluated by the industry, thus MD4 Message Digest algorithm4 designed by Ronald developing confidence in its cryptographic strength. If Rivest[5] of RSA Data Security Inc. MD4 accepts an a system’s security depends on a hidden algorithm, arbitrary number of bits as input and produces 16 there is always a danger of exposure when someone bytes of output. MD4 is fast, and so far it is believed who knows the secret changes jobs or loyalties. to be secure; i.e., there is no known way of finding the input that produced a given output that is better than No Stored Secrets by exhaustively trying possible inputs. Storing secret keys or passwords on a host increases In order to be able to apply the hash function an its attractiveness as a target, and causes a breach of arbitrary number of times, we have defined our security to be more wide-spread. When a common function to take 8 bytes of input and to produce 8 password file is used for many machines, this risk bytes of output. This is done by running the 8 bytes of becomes even greater. On UNIX systems, the input through MD4 and then "folding" pairs of bytes password file contains passwords already processed in the 16-byte MD4 output down to 8 bytes with through a secure hash function and thus the exclusive-OR operations. information in this file is not directly usable to an intruder. We want our system to be no weaker 3 than Generation of One-Time Passwords this UNIX scheme, implying that no usable passwords Our one-time passwords are 64 bits in length. We may be stored on any host. believe that this is long enough to be secure and short enough to be manually entered by users (see below, DESCRIPTION OF THE S/KEY SYSTEM Form of Password, for the representation) when There are two sides to the operation of our one-time necessary. password system. On the remote client side, the Preparatory Step appropriate one-time password must be generated. On the host side, the server must verify the one-time The input to our hash function (described above) is 8 password. This section describes both sides, and the bytes. As the client’s secret password may be (should secure hash function on which the S/KEY authentication system is based. 4. Although the security of MD4 has not been broken, the newer function MD5 has been released. MD5 is slightly slower and more complex; converting to MD5 is simple, but we have 3. Both UNIX password security and S/KEY authentication are chosen to continue using MD4 because of the large number of vulnerable to dictionary attacks unless the passwords are well client password computing programs that have been distributed. chosen.
  • 4. -4- be) longer, a preparatory step is needed. In this step, unable to log in again. This is done by executing the the password is concatenated with a seed that is keyinit command, that is essentially a special version transmitted from the server in clear text. This non- of the the UNIX passwd command, to start a new secret seed allows a client to use the same secret sequence of one-time passwords. This operation is password on multiple machines (using different identical to a normal authentication, except that the seeds), and to safely recycle secret passwords by one-time password received over the network is not changing the seed. The result of the concatenation is checked against the entry already in the password file passed through MD4, and then reduced to 8 bytes by before it replaces it. In this way, the selection of a new exclusive-OR of the two 8-byte halves. This result, password can be done safely even in the presence of called s below, is passed on to the generation step. an eavesdropper. This mechanism does not defend against an active attack. Generation Step The sequence of one-time passwords p i is produced OPERATION OF S/KEY SYSTEM by applying the secure hash function multiple times. Overview That is, the first one-way password is produced by running the client’s processed secret password s The S/KEY one-time password authentication system through the hash function some specified number of uses computation to generate a finite sequence of times, N. single-use passwords from a single secret. The security is entirely based on a single secret that is p 0 = f N (s) known only to the user5. The single-use passwords The next one-way password is generated by running are related in a way that makes it computationally the user’s password through the hash function only intractable to compute any password from the N − 1 times. preceding sequence. (It is simple, however, to compute previous passwords from the current one.) p 1 = f N − 1 (s) The single use, or one-time, passwords replace all In general, the formula is: authentication password requirements. They are used p i = f N − i (s) at login time and when using the UNIX su command. Even when the underlying secret password is changed, An eavesdropper who has monitored the use of the only a derived one-time password crosses the network. one-time password p i will not be able to generate the The host computer never sees, and has no way of next one in the sequence (p i + 1 ) because doing so learning, the real secret. would require inverting the hash function. Without knowing the secret key that was the starting point of As no secret algorithms are used, and the code is the function iterations, this can not be done. freely available, it is straightforward to build the S/KEY one-time password security system into any System Verification of Passwords command or product requiring authentication. The host is initially given p 0 . When a client attempts Generation of S/KEY One-Time Passwords to be authenticated, the seed and current value of i are passed to the client. The client returns the next one- As mentioned above, the one-time password sequence time password. The host computer first saves a copy is derived from the secret password using a computer. of this one-time password, then it applies the hash The required computation can be executed on any PC function to it. or UNIX class machine. A supplier of credit card size devices estimated that such a device could be built for p i = f ( f N − i − 1 (s)) = f (p i + 1 ) less than $30 in large quantities. If the result does not match the copy stored in the The program can also be stored on and executed from system’s password file, then the request fails. If they a standard floppy disk. This would allow operation on match, then the client’s entry in the system password a remote computer that could not be entirely trusted file is updated with the copy of the one-time password not to contain a Trojan Horse that would attempt to that was saved before the final execution (by the capture the secret password 6. It is also possible to server) of the hash function. This updating advances the password sequence. 5. Alternatively, part of or the entire secret can be stored in a non- Because the number of hash function iterations retrievable way, in the computing device. executed by the user decreases by one each time, at 6. For added security, one might prefer to boot off the floppy. The some point the user must reinitialize the system or be truly paranoid will worry about the integrity of the ROM.
  • 5. -5- pre-compute and print several one-time passwords that password and generates the correct one-time password could be carried on a trip where no trusted local and stuffs it into the keyboard buffer simulating user computation is available such as when using public entry of this password. workstations at a conference. Fully automated operation is obviously possible, but it Description of Operation would require the client machine to know the secret password. This is only acceptable if the client The following narrative describes the procedure for machine is in a physically secure place. logging into a UNIX system using the S/KEY one-time password system. In this example, a hand-held PC Form of Password compatible computer is assumed. Note that the Internally the one-time password is a 64 bit number sequence numbers of successive one-time passwords providing 264 possible unique one-time passwords. decreases. Entering a 64 bit number is not a pleasant task; the 1. The user, call her Sue, identifies herself to the one-time password is therefore converted to a system by login name. sequence of six short words (1 to 4 letters). Each word is chosen from a dictionary of 2048 English 2. The system issues a challenge including the words thus providing a space of 266 possible sequence number of the one-time password sequences. The contents and encoding of this expected and a "seed". This "seed" allows Sue dictionary are not kept secret. to securely use a single secret for several machines. In this example, the seed is "unix3" ADMINISTRATION OF SYSTEM and the sequence number is 54. Installation 3. Sue enters 54 and unix3 into her palm-top computer. She is prompted for her secret. The minimum that must be installed to use this one- time password system on a UNIX host is a replacement 4. Sue enters her secret password that may be of for the login command and an additional command any length. The palm-top computes the 54th similar to passwd. As with the original commands, one-time password and displays it. these must run as root. In addition, it may be useful to 5. Sue enters the one-time password and is install a one-time password version of the su authenticated. command, a new version of ftpd for allowing ftp access via one-time passwords, and a command to 6. Next time Sue wants access, she will be compute one-time passwords. prompted for one-time password sequence number 53. Source Screening Semi-Automated Operation It is frequently desirable for an installation to allow internal access with a multi-use password while We have built semi-automatic interfaces for clients requiring one-time passwords for external access. A using communications software on a MS-DOS7 or screening table provides this function. When this Apple Macintosh8 personal computer. The following table is present, login attempts that pass the screening example describes a client interface that runs under test are permitted to use the normal password or a DOS as a Terminate and Stay Resident (TSR) program. one-time password. Others are notified that the use of Consider Sue in the above example using a the one-time password is required. communications program on a MS-DOS machine. Password echo Before starting the communications program, Sue runs a program that ties itself to a hot-key such as function Normally systems disable printing during the typing of key F10. When the host issues its challenge, Sue a password so that an onlooker cannot steal the presses the hot-key. The program then scans the password. With a one-time password, this is screen for the challenge and extracts the sequence unnecessary. The S/KEY modification of the login number and seed. It then prompts Sue for her secret command allows the user to turn echo on by pressing "return" at the password prompt. This makes it easier to enter the longer one-time password. 7. MS-DOS is a registered trademark of Microsoft Corporation. 8. Macintosh is a trademark of Apple Corporation. EXPERIENCE The S/KEY authentication system has been in experimental use for off-premise access to Bellcore
  • 6. -6- for about two years. It has been available as an man pages alternative one-time password system to the users of dos DOS client interfaces and documentation in computer resources of one research organization. UNIX man-page format This section is based on this experience as mac Macintosh client interface package unscientificly observed by the biased eyes of the author. SUMMARY Ease of Use Computing systems have been under increasingly sophisticated attack using dial-up and other external User reaction to the S/KEY system varied from delight access ports. The one-time password technology to indifference. Our goal (see above, GOALS) of ease described is a simple and effective way to keep plain of use was not fully met because the reaction of text passwords out of the hands of an eavesdropper. It potential users was mixed based on two factors. is more general than some other systems as it allows Type of Terminal protected access to super-user privilege, and allows its underlying secret password to be securely changed. Those who accessed our systems using terminal No authenticating secret is ever transmitted in a re- programs on personal computers were generally happy usable form. (some were enthusiastic). These people generally used one of the semi-automated client access The S/KEY one-time password system described has programs. Those whose access was from non- been in use for about two years. We have learned that programmable terminals (such as X-Terminals) were ease of use and ease of learning are critical to user less satisfied. They generally had to print lists of one- acceptance. S/KEY is easy to use from workstations time passwords and enter them as required. No one and personal computers, but more difficult from non- liked typing the six-word one-time passwords programmable terminals. In the later case, a self although some preferred it to alternative systems. contained token authentication system seemed preferable to some users. Ease of Learning One-time passwords protect only at the time of Once you know how this system works, it is very easy authentication. They do not protect against an to use. And once you understand the underlying eavesdropper learning the content of the monitored concept, it is easy to understand how it works. But session. They also do not protect against false users are generally not interested in that level of authentication using more sophisticated active attacks. understanding. Several users stated that the system For example, a legitimate user might log into a system was easier to use than other systems, but took longer only to have the network connection "stolen" by an to learn. Several potential users never bothered to intruder. This could happen immediately after login, learn and chose the token authenticator in general use or the intruder could wait until the legitimate user at Bellcore. We learned that documentation is attempts to log out (to reduce the chances of important, and that good user instructions are hard to detection). Attempts to defeat active attacks may write. require more computing power on the user end of the Ease of Installation connection than is frequently available, certainly more than is available on a "dumb" terminal. Techniques Installing the S/KEY system requires replacing the under study include the encryption or protecting with login program. While the changes were cryptographic checksums of some or all of every straightforward, modifying the existing login is packet of data exchanged. impossible for systems without access to source code. In our case, we replaced the SunOS login with a ACKNOWLEDGMENTS modified program from BSD UNIX. The idea behind our system was originally described AVAILABILITY by Leslie Lamport.[6] The specific system described was proposed by Phil Karn who wrote most of the The server code for UNIX and the client interfaces are UNIX software. Additional details of the design were available as-is over the Internet by anonymous ftp. contributed by the author and John S. Walden who Some documentation in the form of man pages is also wrote the initial version of the MS-DOSclient software. available. These files are available from The Macintosh one-time password generator was thumper.bellcore.com in subdirectories of pub/nmh. written by Mark Segal, and the current MS-DOS client The contents of these subdirectories are: interfaces were written by the author. skey UNIX files including source, makefile, and
  • 7. -7- REFERENCES 1. Eugene H. Spafford, The Internet worm program: An analysis. Computer Communications Review 19(1):17-57, January 1989. 2. R. M. Wong, T. A. Berson, R. J. Feiertag, "Polonius: An Identity Authentication System", Proceedings of the 1985 Symposium on Security and Privacy, pp. 101-107, Oakland, California, April 1985. 3. J. G. Steiner, C. Neuman, and J. I. Schiller. Kerberos: An authentication service for open network systems. USENIX Conference Proceedings, pp. 191-202, Dallas, Texas, February 1988. 4. Champine, G., Geer, D., and Ruh, W. "Project Athena as a Distributed Computer System", IEEE Computer, September 1990. 5. R. L. Rivest, The MD4 Message-Digest Algorithm, Request For Comments (RFC) 1320, MIT and RSA Data Security, Inc., April 1992. 6. Leslie Lamport, "Password Authentication with Insecure Communication", Communications of the ACM 24.11 (November 1981), 770-772.
  • 8. -8-