The Palestinian eGovernment Academy
www.egovacademy.ps




Security Tutorial
  Session 3



             PalGov © 2011                        1
About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the
Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES.
The project website: www.egovacademy.ps

Project Consortium:
  • Birzeit University, Palestine (Coordinator)
  • Palestine Polytechnic University, Palestine
  • Palestine Technical University, Palestine
  • Ministry of Telecom and IT, Palestine
  • Ministry of Interior, Palestine
  • Ministry of Local Government, Palestine
  • University of Trento, Italy
  • Vrije Universiteit Brussel, Belgium
  • Université de Savoie, France
  • University of Namur, Belgium
  • TrueTrust, UK

Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O. Box 14, Birzeit, Palestine
Telfax: +972 2 2982935, mjarrar@birzeit.edu
© Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.


No part of this tutorial may be reproduced or modified in any form or by any
means, without prior written permission from the project, who have the full
copyrights on the material.




                   Attribution-NonCommercial-ShareAlike
                                CC-BY-NC-SA

This license lets others remix, tweak, and build upon your work non-
commercially, as long as they credit you and license their new creations
under the identical terms.

Tutorial 5:
     Information Security
Session 3: Authentication

Session 3 Outline:
  • Session 3 ILOs
  • Authentication (symmetric and asymmetric)
  • One-time passwords
  • Introduction to LDAP
Tutorial 5:
         Session 3: Authentication

This session will contribute to the following
Tutorial 5 ILOs:
•   A: Knowledge and Understanding
    •   a2: Define security standards and policies.
•   B: Intellectual Skills
    •   b3: Design end-to-end secure and available systems.
    •   b5: Design user authentication and authorization services.
•   C: General and Transferable Skills
    •   d2: Systems configurations.
    •   d3: Analysis and identification skills.




Tutorial 5:
     Information Security
Session 3: Authentication

Session 3 Outline:
  • Session 3 ILOs
  • Authentication (symmetric and asymmetric, and one-time passwords)
  • Introduction to LDAP
Authentication
   (Symmetric, Asymmetric and OTP)



• A fundamental security building block
  – Forms the basis of access control and user accountability
• The process of verifying a claimed identity
• Has two steps:
  – Identification (presenting an identity)
  – Verification (proving it)
Means of User Authentication


• Four means of authenticating a user's identity
  – Based on something the individual
     •   knows
     •   possesses
     •   is (static biometrics)
     •   does (dynamic biometrics)
  – Any of them can provide user authentication, alone (single-factor)
    or combined (multi-factor)
Password Authentication


• Widely used user authentication method
  – The user provides a name/login and a password
  – The system compares the password with the one saved for the
    specified login
• Authenticates the ID of the user logging in, and
  – confirms that the user is authorized to access the system
  – determines the user's privileges
  – is used in discretionary access control
• The password file stores hashed passwords, not the passwords themselves.
Password Vulnerabilities

• Password Attacks and Guessing

  –   Exploiting user mistakes
  –   Specific account attack
  –   Offline dictionary attack
  –   Workstation hijacking
  –   Multiple password use
  –   Password guessing against single user
  –   Monitoring
  –   Other attacks…

Countermeasures / Policies and Training

• Password policies
  – Length, Character set, Period of use, Frequency of
    re-use
• Login policies
  – Timeout period, Session period, Lockout policy
    (attempts, period, re-instatement)
• Countermeasures against the different vulnerabilities:
     • Prevent unauthorized access to the password file
     • Intrusion detection measures to identify a compromise
     • Rapid re-issuance of passwords should the password file be
       compromised
     • Account lockout mechanism
Use of Hashed Passwords




UNIX Implementation




• Original scheme
  – An 8-character password forms a 56-bit DES key
  – A 12-bit salt is used to modify DES encryption into
    a one-way hash function
  – A block of zeros is repeatedly encrypted 25 times with that key
  – The output is translated into an 11-character sequence
  – The file holding the hashes is called the shadow file.
Improved Implementations


• Other, stronger hash/salt variants are now used
• Many systems now use MD5-based hashing
  – with a 48-bit salt
  – password length is unlimited
  – hashed with a 1000-iteration inner loop
  – produces a 128-bit hash
Password Cracking

• Dictionary attacks
   – try each word, then obvious variants, from a large dictionary
     against the hashes in the password file
• Rainbow table attacks
   – precompute tables of hash values for all salts
   – a mammoth table of hash values
   – e.g. a 1.4GB table cracks 99.9% of alphanumeric Windows
     passwords in 13.8 secs
   – not feasible if larger salt values are used
• The “salt” is not secret: it is stored unencrypted alongside the hash.
  It is useful against remote attackers, but useless once the attacker
  has obtained the shadow file.
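As an added example (not code from the tutorial), a simplified salted, iterated scheme in the spirit of the UNIX and MD5-crypt slides: SHA-256 in place of MD5, a 48-bit salt kept in the clear next to the hash, and a 1000-round inner loop. The scheme name `demo` and the `$demo$salt$hash` layout are constructed here; the comments note why a per-user salt still matters even though it is readable.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 1000    # the "1000 times inner loop" of the slide
SALT_BYTES = 6       # 48-bit salt, as on the slide


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated hash: every round re-absorbs salt and password, so each
    guess costs `iterations` hash operations, and it costs that per user
    because the salt differs from user to user."""
    pw = password.encode()
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + salt + pw).digest()
    return digest


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """The string kept in the shadow file: scheme, salt (in the clear) and hash.
    A fresh random salt is drawn unless one is supplied (supplied only for
    reproducible demonstrations)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return "$demo$%s$%s" % (salt.hex(), hash_password(password, salt).hex())


def salt_of(entry: str) -> bytes:
    """The salt is not secret: anyone holding the shadow file can read it.
    Its value is that a precomputed table built for one salt is useless
    for every entry that uses a different salt."""
    return bytes.fromhex(entry.split("$")[2])


def verify(password: str, entry: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    _, scheme, salt_hex, stored_hex = entry.split("$")
    if scheme != "demo":
        raise ValueError("unsupported scheme: " + scheme)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))
```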
Password Choice Policies

• users may pick short passwords
  – e.g. 3% were 3 chars or less, easily guessed
  – the system can reject choices that are too short
• users may pick guessable passwords
  – so crackers use lists of likely passwords
  – e.g. one study of 14000 encrypted passwords guessed
    nearly 1/4 of them
  – it would take about 1 hour on the fastest systems to compute
    all variants, and only one break is needed!
  – A 2011 review by SplashData showed the two most
    common passwords on the Internet to be:
     • password
     • 123456
Token Authentication



• An object the user possesses in order to authenticate:
  – Embossed card (with engraved characters)
  – Magnetic stripe card (like ATM cards)
  – Memory card (like phone cards)
  – Smartcard (advanced cards)
Memory Card



•   Store but do not process data
•   Magnetic stripe card, e.g. bank card
•   Electronic memory card
•   Used alone for physical access
•   Drawbacks of memory cards include:
    – user dissatisfaction
    – need special reader
    – loss of token issues

Smartcard

• Credit-card sized, like the cards issued by banks
• Has its own processor, memory and I/O ports
  – wired or wireless access by a reader
  – may have a crypto co-processor
  – ROM, EEPROM and RAM memory
• Executes a protocol to authenticate with the
  reader/computer
• USB dongles are a related form of token
Remote User Authentication


• Very important for e-gov applications:
  – Protects against a number of attacks
  – Authentication over a network is more complex
     • problems of eavesdropping and replay
  – Better to use challenge-response:
     •   the user sends its identity
     •   the host responds with a random number r
     •   the user computes f(r, h(P)) from the password P and sends the
         result back
     •   the host compares the value from the user with its own computed
         value; if they match, the user is authenticated
Security Issues with Authentication


•   Client attacks
•   Host/server attacks
•   Eavesdropping while communicating
•   Replay attacks
•   Denial-of-service attacks
Practical Application (ATM Machines)


• An ATM is programmed with a Terminal Identification Number
  (aka "TID").
• The ATM connects to the ATM networks.
• After the bank or processing network approves the transaction,
  the ATM receives the authorization and dispenses the cash
  requested.
Distributed Systems and Password Authentication

• How can I gain access to multiple computer systems if
  password-based authentication is used?
  – Multiple passwords, one for each system
  – Use the same password in each system
  – Single sign-on application that stores the passwords for
    each system and has one for itself
  – Single sign-on where the password is stored in just one
    system and other systems trust this one to perform the
    authentication properly (e.g. Microsoft Passport, Shibboleth)
The Multiple Passwords Problem




• I have over 50 passwords to remember, for my Internet accounts
  such as: google, gmail, birzeit, amazon, PPU, yahoo, palgov,
  arab bank etc.

• We are working towards Single Sign On (SSO) schemes for the
  e-gov applications
The Mutual Authentication Problem


• How can two people authenticate each other using passwords?

• It's OK if I am talking to the correct person, since he already
  knows my password and I know his, but what if it is not the
  correct person?
   – Then I have given the impersonator my password,
   – and it is too late to take any action.
• You need a “zero knowledge password proof”
   – One can compare secrets without giving them away.
   – Needham-Schroeder and Kerberos are examples of such a scheme.
Kerberos

ticket = (Username + validity + KeyAS) encrypted with the TG Server's key
User-AS-TGS Processing

• The user sends a request to the Kerberos authentication server (AS),
  enclosing its name and a random number.
• The AS returns to the user the random number plus a one-off session
  key, to be used for encrypting subsequent messages with the TG server.
User-AS-TGS Processing

• The random number and session key are symmetrically encrypted by
  the Authentication Server using the user's hashed password as the
  secret key.
• The user decrypts this message in order to obtain the session key,
  and can only do this if he/she knows their own password.
Kerberos Key Server (TGS)

ticket2 = (Username + validity + KeyAB) encrypted with Application B's key
User-TGS processing

• The AS encrypts the session key into a ticket using the symmetric
  key of the TG server.
  • The ticket is sent to the user (it contains the name of the user,
    the validity time of the ticket and the session key).
  • The user passes the ticket to the TG server.
  • The TG server can decrypt the ticket to get the session key and
    the user's name, and with this can decrypt the user's message.
User-TGS processing

• The TG server then generates a new session key to be used by the
  user and the application.
• It returns this new session key to the user, encrypted using the
  old session key.
• It also gives the user a ticket for granting access to the chosen
  application; this ticket contains the name of the user and the new
  session key for talking to the application, encrypted with the
  secret key of the application.
TGS-User-Application processing

•   A sends "Key for Application B" to the TGS, enciphered using
    Key AS, plus the ticket from the authentication server
    containing Key AS
•   The TGS generates Key AB (a session key for the user and
    application B)
•   The TGS sends "Key AB" to A, enciphered using Key AS, and a
    ticket2 for B
•   A sends a message to B, enciphered using Key AB, plus ticket2
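The three exchanges of the last slides (User-AS, User-TGS and TGS-User-Application processing) as one runnable simulation. This is an added example, not code from the tutorial or from any Kerberos implementation: the encryption is a toy authenticated scheme (SHA-256 keystream plus HMAC-SHA256 tag) so it runs with the standard library alone, and the user 'alice', her password and the application 'B' are constructed.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || HMAC tag over a JSON-encoded message."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad key or corrupted message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def user_key(password: str) -> bytes:
    """The AS keys its reply with the user's hashed password (User-AS-TGS slide)."""
    return hashlib.sha256(password.encode()).digest()


class AuthServer:
    def __init__(self, users: dict, tgs_key: bytes):
        self.user_keys = {u: user_key(p) for u, p in users.items()}
        self.tgs_key = tgs_key

    def request(self, username: str, nonce: int):
        """User sends name + random number; AS returns (nonce, KeyAS) under
        h(password) and a ticket for the TGS sealed with the TGS's own key."""
        key_as = os.urandom(32)
        ticket = encrypt(self.tgs_key, {"user": username, "key_as": key_as.hex(),
                                        "valid_until": time.time() + 3600})
        reply = encrypt(self.user_keys[username], {"nonce": nonce, "key_as": key_as.hex()})
        return reply, ticket


class TicketGrantingServer:
    def __init__(self, tgs_key: bytes, app_keys: dict):
        self.tgs_key, self.app_keys = tgs_key, app_keys

    def request(self, ticket: bytes, authenticator: bytes):
        """Open the ticket with the TGS key, use KeyAS from it to read the
        user's request, then issue KeyAB and ticket2 under the application's key."""
        t = decrypt(self.tgs_key, ticket)
        if t["valid_until"] < time.time():
            raise ValueError("ticket expired")
        key_as = bytes.fromhex(t["key_as"])
        req = decrypt(key_as, authenticator)        # only the real user holds KeyAS
        if req["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        key_ab = os.urandom(32)
        ticket2 = encrypt(self.app_keys[req["app"]], {"user": t["user"], "key_ab": key_ab.hex()})
        return encrypt(key_as, {"app": req["app"], "key_ab": key_ab.hex()}), ticket2


class Application:
    def __init__(self, key: bytes):
        self.key = key

    def handle(self, ticket2: bytes, message: bytes) -> str:
        t = decrypt(self.key, ticket2)               # yields the user name and KeyAB
        m = decrypt(bytes.fromhex(t["key_ab"]), message)
        return "hello %s, you said %r" % (t["user"], m["text"])


def login_and_use(password: str, username: str = "alice", app: str = "B") -> str:
    """Run the three exchanges for one user. The constructed user 'alice'
    has the password 'correct horse'; any other password makes the AS
    reply undecryptable and raises ValueError."""
    tgs_key, app_key = os.urandom(32), os.urandom(32)
    AS = AuthServer({"alice": "correct horse"}, tgs_key)
    TGS = TicketGrantingServer(tgs_key, {app: app_key})
    B = Application(app_key)
    nonce = int.from_bytes(os.urandom(4), "big")
    reply, ticket = AS.request(username, nonce)
    session = decrypt(user_key(password), reply)    # fails unless the password is right
    if session["nonce"] != nonce:
        raise ValueError("replayed AS reply")
    key_as = bytes.fromhex(session["key_as"])
    grant, ticket2 = TGS.request(ticket, encrypt(key_as, {"user": username, "app": app}))
    key_ab = bytes.fromhex(decrypt(key_as, grant)["key_ab"])
    return B.handle(ticket2, encrypt(key_ab, {"text": "transfer request"}))
```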
Kerberos Disadvantages


• The authentication server and TGS are single points of failure.
• Servers and application hosts must be time-synchronised.
• Not originally scalable.
  – Users could only log in to their own realms
• Kerberos only provides authentication, not authorization.
• Does not prevent dictionary attacks.
One-time Passwords: Hardware

• An increasingly common authentication method is the use of
  one-time password cards. These contain a chip capable of making
  cryptographic calculations, using either:
  • a challenge-response mechanism, or
  • synchronised clocks.
Challenge Response OTP

• The user logs into the remote server across the Internet (usually via
  a firewall), and the server passes the user a challenge, usually in the
  form of a numeric string.
• The user responds to the challenge with a one-time password that is
  computed from the string by his card (hardware or software) according
  to a pre-defined encryption algorithm that is also known to the remote
  server.
• One such system (SecureNet from Digital Pathways) relies on the user
  having a one-time password card the size of a credit card that is
  capable of computing the passwords.
• The card has a digital display, and requires a PIN/password to be
  entered before it can be used. Thus it is two-factor authentication,
  since the user must know the PIN and possess the card.
Clock Synchronised OTP

Both the card and the server compute a new password every 60 seconds,
according to a pre-defined encryption algorithm which uses the date and
time and a shared secret (e.g. SecurID from RSA Security).
This eliminates the need for a challenge string.
With the SecurID system, the user must transfer a PIN number plus the
computed password, so that if the card is stolen it cannot be used by
anyone else. This mechanism is two-factor authentication, as it is based
on something I possess (the card) and something I know (the PIN).
Early versions of SecurID used to fail as the clocks in the card and
the server became out of sync.
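Both one-time-password mechanisms above in one added example, not code from the tutorial or any vendor product: the challenge-response f(r, h(P)) of the Remote User Authentication and Challenge Response OTP slides, and the clock-synchronised code of this slide. Both truncate HMAC-SHA256 to six digits; the 60-second step follows the slide, while the +/-1 window of clock-skew tolerance on the server side is a choice made here.

```python
import hashlib
import hmac
import os

STEP_SECONDS = 60     # the slide's "new password every 60 seconds"
DIGITS = 6


def _code(secret: bytes, message: bytes) -> str:
    """Truncate HMAC-SHA256 to a fixed number of decimal digits for a display."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


# --- challenge-response: host sends r, user returns f(r, h(P)) ---------------

def h(password: str) -> bytes:
    """h(P): what the host stores; the password itself is never stored."""
    return hashlib.sha256(password.encode()).digest()


def challenge() -> bytes:
    """The host's random number r, fresh for each login attempt, so a
    captured response cannot be replayed against a later challenge."""
    return os.urandom(16)


def response(r: bytes, password: str) -> str:
    """f(r, h(P)) as computed by the user's card or software."""
    return _code(h(password), r)


def host_verify(r: bytes, stored_hp: bytes, answer: str) -> bool:
    """Host recomputes f(r, h(P)) from its own copy of h(P) and compares."""
    return hmac.compare_digest(_code(stored_hp, r), answer)


# --- clock-synchronised: card and server both derive the code from time ------

def time_code(shared_secret: bytes, unix_time: int, pin: str = "") -> str:
    """Card side: the code for the 60 s window containing unix_time. The user
    prefixes the PIN (something known) to the card's code (something possessed)."""
    window = unix_time // STEP_SECONDS
    return pin + _code(shared_secret, window.to_bytes(8, "big"))


def server_verify(shared_secret: bytes, pin: str, submitted: str,
                  server_time: int, skew_windows: int = 1) -> bool:
    """Server side: accept the current window and +/- skew_windows so that a
    slightly drifted card clock does not lock the user out (the early
    failure mode noted on the slide). Codes outside the window are
    rejected, which also limits how long a captured code stays usable."""
    if not submitted.startswith(pin):
        return False
    code = submitted[len(pin):]
    base = server_time // STEP_SECONDS
    for w in range(base - skew_windows, base + skew_windows + 1):
        if hmac.compare_digest(_code(shared_secret, w.to_bytes(8, "big")), code):
            return True
    return False
```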
Example: Grid Cards


• A unique OTP card containing a grid of characters
• Select specific characters from the card for authentication
• The site can return different characters from the user's card
  for mutual authentication
• Provides two-factor authentication:
  – something you know (password)
  – something you possess (grid card)
Mobile Phone Authentication




Private Key Storage Techniques



• In an encrypted file, protected by a password

• In a smart card, protected by a password or PIN

• What about mobile phones? (Discussion!)
Tutorial 5:
     Information Security
Session 3: Authentication

Session 3 Outline:
  • Session 3 ILOs
  • Authentication (symmetric and asymmetric, and one-time passwords)
  • Introduction to LDAP
Introduction to LDAP


•   Directory Model
•   X.500 Information Model
•   LDAP Protocol
•   Use of LDAP for Security




The X.500 Model of the Directory




Server to Client Referrals




X.500/LDAP Naming


• An entry has a Distinguished Name (DN), comprised of
  • a SEQUENCE of Relative Distinguished Names (RDNs), each comprised of
    • a SET of {Attribute Type, Attribute Value} pairs
X.500/LDAP Naming

Example Directory Information Tree (DIT), root first:

  RDN of Entry          X.500 Distinguished Name of Entry      LDAP Distinguished Name of Entry
  {null}                {null}                                 {null}
  {C=GB}                {C=GB}                                 {C=GB}
  {O=Big PLC}           {C=GB, O=Big PLC}                      {O=Big PLC, C=GB}
  {OU=Sales+L=Swindon}  {C=GB, O=Big PLC, OU=Sales+L=Swindon}  {OU=Sales+L=Swindon, O=Big PLC, C=GB}
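As an added example (not code from the tutorial), the naming model of the last two slides in code: a DN is a root-first sequence of RDNs, each a set of (type, value) pairs. The functions render the slide's DIT in both X.500 and LDAP string order (RFC 4514 for the LDAP form), parse the LDAP form back, and check the sibling-uniqueness rule. Escaping covers the RFC 4514 special characters but not its hex-pair or quoted forms.

```python
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # SET of {attribute type, attribute value}; one or more pairs
DN = List[RDN]                # SEQUENCE of RDNs, root (e.g. C=GB) first

SPECIAL = ',+"\\<>;'          # RFC 4514 characters that must be escaped inside a value


def escape(value: str) -> str:
    """Escape separator characters, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rdn_to_string(rdn: RDN) -> str:
    """A multi-valued RDN joins its pairs with '+', e.g. OU=Sales+L=Swindon."""
    return "+".join("%s=%s" % (t, escape(v)) for t, v in rdn)


def x500_name(dn: DN) -> str:
    """X.500 form as on the slide: root first, RDNs separated by ', '."""
    return "{" + ", ".join(rdn_to_string(r) for r in dn) + "}"


def ldap_name(dn: DN) -> str:
    """LDAP string form (RFC 4514): leaf RDN first, root last, ',' separated."""
    return ",".join(rdn_to_string(r) for r in reversed(dn))


def _ava(text: str) -> Tuple[str, str]:
    attr_type, _, value = text.partition("=")
    return attr_type.strip(), value


def parse_ldap(name: str) -> DN:
    """Parse an LDAP DN string back into the root-first structure, honouring
    backslash escapes (hex-pair and quoted forms are not handled here)."""
    if not name:
        return []                                  # the {null} root entry
    rdns: DN = [[]]
    buf: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):       # escaped: take the next char literally
            buf.append(name[i + 1])
            i += 2
            continue
        if ch in "+,":
            rdns[-1].append(_ava("".join(buf)))
            buf = []
            if ch == ",":
                rdns.append([])
        else:
            buf.append(ch)
        i += 1
    rdns[-1].append(_ava("".join(buf)))
    return list(reversed(rdns))                    # string is leaf-first; structure is root-first


def children_rdns_unique(children: List[RDN]) -> bool:
    """Naming rule from the slides: siblings must have distinct RDNs. Attribute
    types are case-insensitive and pair order within an RDN is not significant,
    so RDNs are compared as sets."""
    seen = set()
    for rdn in children:
        key = frozenset((t.lower(), v) for t, v in rdn)
        if key in seen:
            return False
        seen.add(key)
    return True


# The DIT from the slide, root first (constructed to match the table above).
SLIDE_DIT: DN = [[("C", "GB")], [("O", "Big PLC")], [("OU", "Sales"), ("L", "Swindon")]]
```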
Relative Distinguished Name (RDN)

• Each LDAP entry is assigned an RDN when created.
• All children of an entry must have unique RDNs.
• The attribute value(s) forming the RDN are called the distinguished
  attribute values.
• Entries in different parts of the DIT can have the same RDNs.
LDAP Protocol

• Connection-oriented protocol on top of TCP/IP
• Subset of the X.500 Directory Access Protocol
• Two versions: LDAPv2 and LDAPv3
  – LDAPv2 was published first (RFC 1777)
  – LDAPv3 added referrals and other extensions to LDAPv2 (RFC 2251)
  – LDAPv2 has ceased to be standardized, but is still widely used
• The client issues a request; the server usually gives a response
• Each request elicits one response, except Abandon (none), Unbind (none)
  and Search (multiple)
• Requests can be asynchronous or synchronous
Basic LDAP Protocol Operations

• Most protocol messages are sent as ASCII
  strings
  – ModifyDN Request, ModifyDN Response
  – Bind Request, Bind Response
  – Unbind Request, Abandon Request
  – Search Request, Search Response
  – Compare Request, Compare Response
  – Modify Request, Modify Response
  – Add Request, Add Response
  – Delete Request, Delete Response
LDAPv3 Return Result

• Every response contains a Result component

• The Result comprises 4 elements:
    • Result Code: an integer signifying success or an error code
    • Matched DN: the name of the lowest DN matching a request that has
      a naming error; or null
    • Error Message: a human-readable error diagnostic
    • Referral (optional)
Using LDAP for Security


• Three main uses:
  – To store users' passwords in their entries for authentication.
    The login server contacts LDAP with a Compare operation asking if
    this entry contains this password. If true, it lets the user log in.
  – To store users' attributes that can be used for authorisation
  – To store Public Key Certificates and Attribute Certificates for
    strong security
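The Compare-based login just described, as an added example that is not code from the tutorial and not a real LDAP server: a small in-memory directory answers Compare with RFC 4511 result codes and the matchedDN element of the LDAPv3 Result, and stores userPassword in the OpenLDAP {SSHA} form, so the login server learns only true or false and never sees the hash. The DNs, the user 'bob' and the suffix `ou=People,o=PalGov` are constructed for the example; DN matching here ignores RFC 4514 escaping.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# LDAP result codes (RFC 4511) that a Compare operation can return
COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_ATTRIBUTE, NO_SUCH_OBJECT = 5, 6, 16, 32


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} value: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_matches(stored: str, password: str) -> bool:
    """Re-hash the asserted password with the salt stored after the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class Directory:
    """In-memory stand-in for an LDAP server. Keys are LDAP DN strings
    (leaf first); DN matching is case-insensitive and ignores escaping."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}

    def matched_dn(self, dn: str) -> str:
        """matchedDN for a naming error: the lowest existing ancestor, or '' (null)."""
        parts = dn.lower().split(",")
        for i in range(1, len(parts)):
            suffix = ",".join(parts[i:])
            if suffix in self.entries:
                return suffix
        return ""

    def compare(self, dn: str, attr: str, value: str) -> Tuple[int, str, str]:
        """Compare operation: returns (resultCode, matchedDN, errorMessage),
        the first three elements of the LDAPv3 Result."""
        entry = self.entries.get(dn.lower())
        if entry is None:
            return NO_SUCH_OBJECT, self.matched_dn(dn), "no such object"
        values = entry.get(attr)
        if values is None:
            return NO_SUCH_ATTRIBUTE, "", "no such attribute"
        if attr == "userPassword":
            # the directory hashes the assertion value; the stored hash never leaves it
            ok = any(ssha_matches(v, value) for v in values)
        else:
            ok = value in values
        return (COMPARE_TRUE if ok else COMPARE_FALSE), "", ""


def login(directory: Directory, uid: str, password: str,
          base: str = "ou=People,o=PalGov") -> bool:
    """The login server's side: one Compare on the user's entry; any result
    other than compareTrue (including a missing entry) is a failed login."""
    code, _, _ = directory.compare("uid=%s,%s" % (uid, base), "userPassword", password)
    return code == COMPARE_TRUE


# Constructed sample directory for the example (fixed salt for reproducibility).
SAMPLE = Directory({
    "o=PalGov": {"o": ["PalGov"]},
    "ou=People,o=PalGov": {"ou": ["People"]},
    "uid=bob,ou=People,o=PalGov": {
        "uid": ["bob"],
        "userPassword": [ssha("s3cret", bytes.fromhex("01020304"))],
    },
})
```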
Public key certificates and CRLs

• Certificates can be held within X.500/LDAP directory entries as
  attributes of type
  – userCertificate - holds a user's certificates
  – cACertificate - holds a CA's self-issued certificates
  – crossCertificatePair - holds CA cross-certificates
• CRLs can be held within X.500/LDAP directory entries as attributes
  of type
  – certificateRevocationList - for user certificates
  – authorityRevocationList - for CA certificates
  – deltaRevocationList - for delta CRLs
Bibliography

• Computer Security: Principles and Practice, by William Stallings and
  Lawrie Brown. Pearson/Prentice Hall, © 2008. ISBN: 0-13-600424-5.
• Cryptography and Network Security, by Behrouz A. Forouzan.
  McGraw-Hill, © 2008. ISBN: 978-007-126361-0.
• Lecture Notes by David Chadwick, 2011, TrueTrust Ltd.
• Internet Security: Cryptographic Principles, Algorithms and Protocols,
  by Man Young Rhee. Wiley, 2003 (ebook).
Summary


• In this session we discussed the
  following:
  – introduced user authentication
     • using passwords
     • using tokens
     • using biometrics
  – remote user authentication issues
• LDAP protocols and standards


Thanks


         Radwan Tahboub





Subset, Equality, and Exclusion RulesSubset, Equality, and Exclusion Rules
Subset, Equality, and Exclusion Rules
 
Schema Modularization in ORM
Schema Modularization in ORMSchema Modularization in ORM
Schema Modularization in ORM
 
On Computer Science Trends and Priorities in Palestine
On Computer Science Trends and Priorities in PalestineOn Computer Science Trends and Priorities in Palestine
On Computer Science Trends and Priorities in Palestine
 
Lessons from Class Recording & Publishing of Eight Online Courses
Lessons from Class Recording & Publishing of Eight Online CoursesLessons from Class Recording & Publishing of Eight Online Courses
Lessons from Class Recording & Publishing of Eight Online Courses
 
Presentation curras paper-emnlp2014-final
Presentation curras paper-emnlp2014-finalPresentation curras paper-emnlp2014-final
Presentation curras paper-emnlp2014-final
 
Jarrar: Future Internet in Horizon 2020 Calls
Jarrar: Future Internet in Horizon 2020 CallsJarrar: Future Internet in Horizon 2020 Calls
Jarrar: Future Internet in Horizon 2020 Calls
 
Habash: Arabic Natural Language Processing
Habash: Arabic Natural Language ProcessingHabash: Arabic Natural Language Processing
Habash: Arabic Natural Language Processing
 
Adnan: Introduction to Natural Language Processing
Adnan: Introduction to Natural Language Processing Adnan: Introduction to Natural Language Processing
Adnan: Introduction to Natural Language Processing
 
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
Riestra: How to Design and engineer Competitive Horizon 2020 ProposalsRiestra: How to Design and engineer Competitive Horizon 2020 Proposals
Riestra: How to Design and engineer Competitive Horizon 2020 Proposals
 
Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020Bouquet: SIERA Workshop on The Pillars of Horizon2020
Bouquet: SIERA Workshop on The Pillars of Horizon2020
 
Jarrar: Sparql Project
Jarrar: Sparql ProjectJarrar: Sparql Project
Jarrar: Sparql Project
 

Kürzlich hochgeladen

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 

Kürzlich hochgeladen (20)

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 

E gov security_tut_session_3

  • 1. أكاديمية الحكومة الإلكترونية الفلسطينية (The Palestinian eGovernment Academy), www.egovacademy.ps. Security Tutorial, Session 3. PalGov © 2011
  • 2. About. This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps. Project Consortium: Birzeit University, Palestine (Coordinator); Palestine Polytechnic University, Palestine; Palestine Technical University, Palestine; Ministry of Telecom and IT, Palestine; Ministry of Interior, Palestine; Ministry of Local Government, Palestine; University of Trento, Italy; Vrije Universiteit Brussel, Belgium; Université de Savoie, France; University of Namur, Belgium; TrueTrust, UK. Coordinator: Dr. Mustafa Jarrar, Birzeit University, P.O.Box 14, Birzeit, Palestine. Telfax: +972 2 2982935, mjarrar@birzeit.edu
  • 3. © Copyright Notes. Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website) and the author of that part. No part of this tutorial may be reproduced or modified in any form or by any means without prior written permission from the project, which holds the full copyright on the material. Attribution-NonCommercial-ShareAlike (CC-BY-NC-SA): this license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.
  • 4. Tutorial 5: Information Security. Session 3: Authentication. Session 3 Outline: • Session 3 ILOs • Authentication (symmetric and asymmetric) • One-time passwords • Introduction to LDAP
  • 5. Tutorial 5, Session 3: Authentication. This session will contribute to the following Tutorial 5 ILOs: • A: Knowledge and Understanding – a2: Define security standards and policies. • B: Intellectual Skills – b3: Design end-to-end secure and available systems. – b5: Design user authentication and authorization services. • C: General and Transferable Skills – d2: Systems configurations. – d3: Analysis and identification skills.
  • 6. Tutorial 5: Information Security. Session 3: Authentication. Session 3 Outline: • Session 3 ILOs • Authentication (symmetric and asymmetric, and one-time passwords) • Introduction to LDAP
  • 7. Authentication (Symmetric, Asymmetric and OTP) • A fundamental security building block: it forms the basis of access control and user accountability. • Authentication is the process of verifying an identity. • It has two steps: – Identification – Verification
  • 8. Means of User Authentication • Four means of authenticating a user's identity, each based on something the individual – knows – possesses – is (static biometrics) – does (dynamic biometrics) • All can provide user authentication, alone (single-factor) or combined (multi-factor).
  • 9. Password Authentication • A widely used user authentication method: – the user provides a name/login and a password; – the system compares the password with the one saved for the specified login. • Authenticates the ID of the user logging in, and – confirms that the user is authorized to access the system; – determines the user's privileges; – is used in discretionary access control. • The password file holds hashed passwords, not the passwords themselves.
  • 10. Password Vulnerabilities • Password attacks and guessing: – exploiting user mistakes – specific account attack – offline dictionary attack – workstation hijacking – multiple password use – password guessing against a single user – monitoring – other attacks…
  • 11. Countermeasures / Policies and Training • Password policies: length, character set, period of use, frequency of re-use. • Login policies: timeout period, session period, lockout policy (attempts, period, re-instatement). • Countermeasures against the different vulnerabilities: – prevent unauthorized access to the password file; – intrusion detection measures to identify a compromise; – rapid re-issuance of passwords should the password file be compromised; – an account lockout mechanism.
  • 12. Use of Hashed Passwords
  • 13. UNIX Implementation • Original scheme: – an 8-character password forms a 56-bit key; – a 12-bit salt is used to modify DES encryption into a one-way hash function; – a 0 value is repeatedly encrypted 25 times; – the output is translated into an 11-character sequence; – the resulting file is called the shadow file.
  • 14. Improved Implementations • Other, stronger hash/salt variants exist. • Many systems now use MD5: – with a 48-bit salt; – password length is unlimited; – the password is hashed with a 1000-iteration inner loop; – produces a 128-bit hash.
  • 15. Password Cracking • Dictionary attacks: try each word, then obvious variants, from a large dictionary against the hashes in the password file. • Rainbow table attacks: – precompute tables of hash values for all salts; – a mammoth table of hash values; – e.g. a 1.4 GB table cracks 99.9% of alphanumeric Windows passwords in 13.8 secs; – not feasible if larger salt values are used. • The salt helps against remote attackers, but does not help once the attacker has obtained the shadow file, because the salt is stored there unencrypted next to the hash.
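To make the salt-and-iteration idea on slides 13 to 15 concrete, here is an added Python example; it is not code from the tutorial or from any system it describes. It uses PBKDF2-HMAC-SHA256 with a 16-byte random salt and 100,000 iterations, an assumed modern choice standing in for the DES-crypt and MD5-crypt schemes above, and the `$pbkdf2-sha256$...` record format is likewise made up for the example. It shows the two properties the slides rely on: the salt is stored in the clear yet makes a table precomputed for one user useless against another, and the iteration count makes every guess cost work.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the slides): PBKDF2-HMAC-SHA256
# with a 16-byte random salt and 100,000 iterations. The slides' schemes
# (DES-based crypt with a 12-bit salt and 25 rounds, MD5-crypt with a 48-bit
# salt and 1000 rounds) follow the same salt-plus-iterated-hash pattern.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>.

    The salt is stored in the clear next to the hash, exactly as in the UNIX
    scheme: its job is to defeat precomputed tables, not to be secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a wrong guess leaks nothing through timing."""
    try:
        _, scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_share_hash(record_a: str, record_b: str) -> bool:
    """True when two stored records carry the same hash value. With per-user
    salts this is False even for identical passwords, which is what defeats a
    precomputed (rainbow) table: a table built for one salt says nothing about
    any other user's entry, so the attacker must redo the work per salt."""
    return record_a.split("$")[-1] == record_b.split("$")[-1]


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same weak password.
    alice = hash_password("123456")
    bob = hash_password("123456")
    print("alice:", alice)
    print("bob:  ", bob)
    print("records share a hash despite the same password?", records_share_hash(alice, bob))
    print("alice verifies with the right password:", verify_password("123456", alice))
    print("alice verifies with a wrong password:  ", verify_password("password", alice))
```

The record carries its own iteration count, so the count can be raised for new accounts without breaking existing ones; the constant-time comparison is what keeps the verifier from becoming a timing oracle.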
  • 16. Password Choice Policies • Users may pick short passwords: – e.g. 3% were 3 chars or less, easily guessed; – the system can reject choices that are too short. • Users may pick guessable passwords: – so crackers use lists of likely passwords; – e.g. one study of 14000 encrypted passwords guessed nearly 1/4 of them; – it would take about 1 hour on the fastest systems to compute all variants, and the attacker needs only one break! – A review by SplashData in 2011 showed that the two most common passwords on the Internet were: • password • 123456
  • 17. Token Authentication • An object the user possesses in order to authenticate: – embossed card (with engraved characters) – magnetic stripe card (like ATM cards) – memory card (like phone cards) – smartcard (advanced cards)
  • 18. Memory Card • Stores but does not process data. • Magnetic stripe card, e.g. a bank card. • Electronic memory card. • Used alone for physical access. • Drawbacks of memory cards include: – user dissatisfaction – the need for a special reader – loss-of-token issues
  • 19. Smartcard • Like the credit cards issued by banks. • Has its own processor, memory and I/O ports: – wired or wireless access by the reader; – may have a crypto co-processor; – ROM, EEPROM and RAM memory. • Executes a protocol to authenticate with the reader/computer. • May also take the form of a USB dongle.
  • 20. Remote User Authentication • Very important for e-gov applications: – protects against a number of attacks; – authentication over a network is more complex: problems of eavesdropping and replay; – better to use challenge-response: • the user sends an identity; • the host responds with a random number r; • the user computes f(r, h(P)) and sends the result back; • the host compares the value from the user with its own computed value; if they match, the user is authenticated.
  • 21. Security Issues with Authentication • Client attacks • Host/server attacks • Eavesdropping while communicating • Replay attacks • Denial-of-service attacks
  • 22. Practical Application (ATM Machines) • An ATM machine is programmed with a Terminal Identification Number (aka "TID"). • The ATM connects to the ATM networks. • After the bank or processing network approves the transaction, the ATM receives the authorization and dispenses the cash requested.
  • 23. Distributed Systems and Password Authentication • How can I gain access to multiple computer systems if password-based authentication is used? – Multiple passwords, one for each system. – Use the same password in each system. – A single sign-on application that stores the passwords for each system and has one password for itself. – Single sign-on where the password is stored in just one system and the other systems trust this one to perform the authentication properly (e.g. Microsoft Passport, Shibboleth).
  • 24. The Multiple Passwords Problem • I have over 50 passwords to remember, for my Internet accounts such as Google, Gmail, Birzeit, Amazon, PPU, Yahoo, PalGov, Arab Bank etc. • We are working towards Single Sign-On (SSO) schemes for the e-gov applications.
  • 25. The Mutual Authentication Problem • How can two people authenticate each other using passwords? • It is OK if I am talking to the correct person, since he already knows my password and I know his, but what if it is not the correct person? – Then I have given the impersonator my password, – and it is too late to take any action. • You need a "zero-knowledge password proof": – one can compare secrets without giving them away; – Needham-Schroeder and Kerberos are examples of such a scheme.
  • 26. Kerberos (figure): ticket = (Username + validity + KeyAS), encrypted with the TG Server's key.
  • 27. User-AS-TGS Processing • The user sends a request to the Kerberos authentication server (enclosing its name and a random number). • The AS returns to the user the random number plus a one-off session key to be used for encrypting subsequent messages with the TG server.
  • 28. User-AS-TGS Processing • The random number and session key are symmetrically encrypted by the Authentication Server using the user's hashed password as the secret key. • The user decrypts this message to obtain the session key, and can only do so if he/she knows their own password.
  • 29. Kerberos Key Server (TGS) (figure): KeyApp B; ticket2 = (Username + validity + KeyAB), encrypted with Application B's key.
  • 30. User-TGS Processing • The AS encrypts the session key into a ticket using the symmetric key of the TG server. • The ticket is sent to the user (it contains the name of the user, the validity time of the ticket and the session key). • The user passes the ticket to the TG server. • The TG server can decrypt the ticket to get the session key and the user's name, and with this it can decrypt the user's message.
  • 31. User-TGS Processing • The TG server then generates a new session key to be used by the user and the application. • It returns this new session key to the user, encrypted using the old session key. • It also gives the user a ticket for granting access to the chosen application; this ticket contains the name of the user and the new session key for talking to the application, encrypted with the secret key of the application.
  • 32. TGS-User-Application Processing • A sends "Key for Application B" to the TGS, enciphered using KeyAS, plus the ticket from the authentication server containing KeyAS. • The TGS generates KeyAB (the session key for user A and application B). • The TGS sends KeyAB to A, enciphered using KeyAS, together with ticket2 for B. • A sends a message to B, enciphered using KeyAB, plus ticket2.
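The three exchanges of slides 26 to 32 (user to AS, user to TGS, user to application B) as one added Python simulation; this is not code from the tutorial or from any Kerberos implementation. The cipher is a toy authenticated encryption built from HMAC-SHA256, an assumption standing in for Kerberos' real encryption types; the user key is SHA-256 of the password (the slides' "hashed password as the secret key"); the user name, password, service name "B", the ticket lifetime and all long-term keys are constructed for the example. Each party opens only the messages encrypted under a key it holds, which is the whole point of the ticket design.

```python
import hashlib
import hmac
import json
import os
import time

# --- Toy authenticated encryption (assumption: a stand-in for Kerberos' cipher) ---
# HMAC-SHA256 in counter mode gives a keystream that is XORed into the plaintext;
# an HMAC tag over nonce||ciphertext rejects anything not made under the same key.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def enc(key: bytes, fields: dict) -> bytes:
    plaintext = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def dec(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket or message does not open under this key")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))


TICKET_LIFETIME = 300  # seconds of validity written into each ticket (assumed value)


def user_key(password: str) -> bytes:
    # The slides: the AS encrypts for the user with "the user's hashed password".
    return hashlib.sha256(password.encode()).digest()


# Constructed long-term secrets. In a real realm these live in the KDC database.
USER_PASSWORDS = {"alice": "correct horse"}   # known to the AS
KEY_TGS = os.urandom(32)                      # shared by AS and TGS
SERVICE_KEYS = {"B": os.urandom(32)}          # shared by TGS and application B


def as_exchange(username: str, nonce: str):
    """Authentication Server: issue KeyAS (user<->TGS session key) and the ticket for the TGS."""
    key_as = os.urandom(32)
    ticket = enc(KEY_TGS, {"user": username, "valid_until": time.time() + TICKET_LIFETIME,
                           "key": key_as.hex()})
    reply = enc(user_key(USER_PASSWORDS[username]), {"nonce": nonce, "key": key_as.hex()})
    return reply, ticket


def tgs_exchange(ticket: bytes, request: bytes):
    """Ticket Granting Server: open the ticket with its own key, then the user's request
    with KeyAS found inside it, and issue KeyAB plus ticket2 for the application."""
    tgt = dec(KEY_TGS, ticket)
    if time.time() > tgt["valid_until"]:
        raise ValueError("ticket expired")
    key_as = bytes.fromhex(tgt["key"])
    req = dec(key_as, request)                # proves the sender knows KeyAS
    key_ab = os.urandom(32)
    ticket2 = enc(SERVICE_KEYS[req["service"]],
                  {"user": tgt["user"], "valid_until": time.time() + TICKET_LIFETIME,
                   "key": key_ab.hex()})
    reply = enc(key_as, {"service": req["service"], "key": key_ab.hex()})
    return reply, ticket2


def application_b(ticket2: bytes, message: bytes):
    """Application B: open ticket2 with its own key to learn the user and KeyAB,
    then decrypt the user's message with KeyAB. Returns (user, text)."""
    t = dec(SERVICE_KEYS["B"], ticket2)
    if time.time() > t["valid_until"]:
        raise ValueError("ticket expired")
    return t["user"], dec(bytes.fromhex(t["key"]), message)["text"]


def run_protocol(username: str, password: str, text: str):
    """Client side of all three exchanges. Raises ValueError if the password is wrong,
    because the AS reply then fails to open and no session key is ever learned."""
    nonce = os.urandom(8).hex()
    reply, tgt = as_exchange(username, nonce)
    opened = dec(user_key(password), reply)
    if opened["nonce"] != nonce:
        raise ValueError("AS reply is not fresh")
    key_as = bytes.fromhex(opened["key"])
    reply2, ticket2 = tgs_exchange(tgt, enc(key_as, {"service": "B"}))
    key_ab = bytes.fromhex(dec(key_as, reply2)["key"])
    return application_b(ticket2, enc(key_ab, {"text": text}))
```

Note that the password never leaves the client: the AS only ever sees the user name and a nonce, and a wrong password shows up as an undecryptable reply. The `valid_until` checks are why slide 33 lists clock synchronisation as a requirement.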
  • 33. Kerberos Disadvantages • The authentication server and the TGS are single points of failure. • Servers and application hosts must be time-synchronised. • Not originally scalable: users could only log in to their own realms. • Kerberos only provides authentication, not authorization. • Does not prevent dictionary attacks.
  • 34. One-Time Passwords: Hardware • An increasingly common authentication method is the use of one-time password cards. These contain a chip capable of making cryptographic calculations. Two variants: • challenge-response mechanism; • synchronised clocks.
  • 35. Challenge-Response OTP • The user logs into the remote server across the Internet (usually via a firewall), and the server passes the user a challenge, usually in the form of a numeric string. • The user responds to the challenge with a one-time password that is computed from the string by his card (hardware/software) according to a pre-defined encryption algorithm that is also known to the remote server. • One such system (SecureNet from Digital Pathways) relies on the user having a one-time password card the size of a credit card that is capable of computing the passwords. • The card has a digital display and requires a PIN/password to be entered before it can be used. Thus it is two-factor authentication, since the user must know the PIN and possess the card.
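The challenge-response flow of slide 20 and its OTP-card form on slide 35 are the same mechanism, so here is one added Python example covering both; it is not code from the tutorial, from SecureNet or from any vendor. The function f(r, h(P)) is realised as an HMAC of the challenge keyed with h(P), an assumed choice; the Host and Card classes, the login name, the card secret and the PIN are constructed for the example. It shows the two defender-side details the slides imply but do not spell out: every challenge is fresh and consumed on first use (so an eavesdropped response cannot be replayed), and the card refuses to compute anything until the PIN is entered (the second factor).

```python
import hashlib
import hmac
import secrets


def h(secret: str) -> bytes:
    """h(P): the verifier the host stores and the card carries, never the raw secret."""
    return hashlib.sha256(secret.encode()).digest()


def f(r: bytes, hp: bytes) -> bytes:
    """The slides' f(r, h(P)): here an HMAC of the challenge keyed with h(P)
    (an assumed choice of f; any keyed one-way function fits the protocol)."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    """Server side: keeps h(P) per login, issues one fresh random challenge at a
    time, and accepts a response only against the challenge it currently holds."""

    def __init__(self):
        self.verifiers = {}   # login -> h(P)
        self.pending = {}     # login -> outstanding challenge r

    def register(self, login: str, secret: str) -> None:
        self.verifiers[login] = h(secret)

    def challenge(self, login: str) -> bytes:
        if login not in self.verifiers:
            raise KeyError(login)
        r = secrets.token_bytes(16)        # never reused, so old responses are worthless
        self.pending[login] = r
        return r

    def verify(self, login: str, response: bytes) -> bool:
        r = self.pending.pop(login, None)  # the challenge is consumed, match or not
        if r is None:
            return False                   # no live challenge: a replayed response fails
        return hmac.compare_digest(f(r, self.verifiers[login]), response)


class Card:
    """Client side: a password holder or an OTP card that computes f(r, h(P)).
    The PIN gate models the card's 'enter PIN before use' rule."""

    def __init__(self, secret: str, pin: str):
        self._hp = h(secret)
        self._pin = pin

    def respond(self, r: bytes, pin: str) -> bytes:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("card locked: wrong PIN")
        return f(r, self._hp)


def login(host: Host, card: Card, user: str, pin: str) -> bool:
    """1. identity sent, 2. host returns r, 3. card computes f(r, h(P)), 4. host compares."""
    r = host.challenge(user)
    return host.verify(user, card.respond(r, pin))
```

On the wire only the identity, r and f(r, h(P)) appear; an eavesdropper who records them learns a value that is valid for one challenge only, which is what makes this safer than sending the password itself.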
  • 36. Clock-Synchronised OTP • Both the card and the server compute a new password every 60 seconds, according to a pre-defined encryption algorithm which uses the date and time and a shared secret (e.g. SecurID from RSA Security). This eliminates the need for a challenge string. • With the SecurID system, the user must transfer a PIN plus the computed password, so that if the card is stolen it cannot be used by anyone else. This mechanism is two-factor authentication, as it is based on something I possess (the card) and something I know (the PIN). • Early versions of SecurID used to fail as the clocks in the card and the server drifted out of sync.
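Slide 36's clock-synchronised token as an added Python example; it is not code from the tutorial or from RSA's SecurID. It implements the standard HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1 with dynamic truncation) with the slide's 60-second step, adds the PIN as the second factor, and shows how a server copes with the clock drift that broke early tokens: it accepts the code for one step either side of its own clock while refusing any step it has already accepted, so a code cannot be submitted twice. The TokenServer class, the shared secret and the PIN are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the slides' 60-second period (RFC 6238 deployments often use 30)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): the counter is the number of whole steps since the epoch.
    The card shows totp(secret, now) on its display; no challenge is needed."""
    return hotp(secret, int(at // step), digits)


class TokenServer:
    """Server side of a clock-synchronised token with PIN + code (two factors).
    Accepts the current step and `drift` neighbouring steps, and remembers the
    highest step already accepted so the same code cannot be used twice."""

    def __init__(self, secret: bytes, pin: str, drift: int = 1, step: int = STEP_SECONDS):
        self._secret, self._pin, self._drift, self._step = secret, pin, drift, step
        self._last_step = -1

    def verify(self, pin: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(pin, self._pin):
            return False                      # something you know
        current = int(now // self._step)
        for k in range(-self._drift, self._drift + 1):
            candidate = current + k
            if candidate <= self._last_step:
                continue                      # already used, or older than one we accepted
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_step = candidate   # something you possess, proven for this step
                return True
        return False
```

The drift window is the trade-off the slide hints at: a wider window survives worse clocks but lengthens the time a shoulder-surfed code stays valid, which is why the one-use rule on `_last_step` matters as much as the window itself.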
  • 37. Example: Grid Cards • A unique OTP card containing a grid of characters. • The user selects specific characters from the card for authentication. • The site can return different characters from the user's card for mutual authentication. • Provides two-factor authentication: – something you know (password) – something you possess (grid card)
  • 38. Mobile Phone Authentication
  • 39. Private Key Storage Techniques • In an encrypted file, protected by a password. • In a smart card, protected by a password or PIN. • What about mobile phones? (Discussion!)
  • 40. Tutorial 5: Information Security. Session 3: Authentication. Session 3 Outline: • Session 3 ILOs • Authentication (symmetric and asymmetric, and one-time passwords) • Introduction to LDAP
  • 41. Introduction to LDAP • Directory model • X.500 information model • LDAP protocol • Use of LDAP for security
  • 42. The X.500 Model of the Directory
  • 43. Server to Client Referrals
  • 44. X.500/LDAP Naming • An entry has a Distinguished Name comprised of a • SEQUENCE of Relative Distinguished Names, each comprised of a • SET of {Attribute Type, Attribute Value} pairs.
  • 45. X.500/LDAP Naming: example Directory Information Tree (DIT). For each entry, the RDN, the X.500 Distinguished Name (root first) and the LDAP Distinguished Name (leaf first):
    RDN of Entry            X.500 Distinguished Name of Entry          LDAP Distinguished Name of Entry
    {null}                  {null}                                     {null}
    {C=GB}                  {C=GB}                                     {C=GB}
    {O=Big PLC}             {C=GB, O=Big PLC}                          {O=Big PLC, C=GB}
    {OU=Sales+L=Swindon}    {C=GB, O=Big PLC, OU=Sales+L=Swindon}      {OU=Sales+L=Swindon, O=Big PLC, C=GB}
  • 46. Relative Distinguished Name (RDN) • Each LDAP entry is assigned an RDN when it is created. • All children of an entry must have unique RDNs. • The attribute value(s) forming the RDN are called the distinguished attribute values. • Entries in different parts of the DIT can have the same RDNs.
  • 47. LDAP Protocol • A connection-oriented protocol on top of TCP/IP. • A subset of the X.500 Directory Access Protocol. • Two versions, LDAPv2 and LDAPv3: – LDAPv2 was published first (RFC 1777); – LDAPv3 added referrals and other extensions to LDAPv2 (RFC 2251); – LDAPv2 has ceased to be standardized, but is still widely used. • The client issues a request; the server usually gives a response. • Each request elicits one response, except Abandon (none), Unbind (none) and Search (multiple). • Requests can be asynchronous or synchronous.
  • 48. Basic LDAP Protocol Operations • Most protocol messages are sent as ASCII strings: – ModifyDN Request, ModifyDN Response – Bind Request, Bind Response – Unbind Request, Abandon Request – Search Request, Search Response – Compare Request, Compare Response – Modify Request, Modify Response – Add Request, Add Response – Delete Request, Delete Response
  • 49. LDAPv3 Return Result • Every response contains a Result component. • The Result comprises 4 elements: – Result Code: an integer signifying success or an error code; – Matched DN: the name of the lowest DN matching a request that has a naming error, or null; – Error Message: a human-readable error diagnostic; – Referral (optional).
  • 50. Using LDAP for Security • Three main uses: – to store users' passwords in their entries for authentication: the login server contacts LDAP with a Compare operation asking whether this entry contains this password, and if the result is true it lets the user log in; – to store users' attributes that can be used for authorisation; – to store public key certificates and attribute certificates for strong security.
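The naming rules of slides 44 to 46 and the Compare-based login of slide 50 as one added Python example; it is not code from the tutorial or from any LDAP server. `parse_dn` handles the string form of RFC 4514 (comma between RDNs, plus between the attribute-value pairs of one RDN, backslash escapes; nothing more), the stored password uses the {SSHA} scheme familiar from OpenLDAP, and the `Directory` class with its result-code strings, the entries under C=GB and C=FR, and the user and password are all constructed for the example. The point on the security side is that the login server only ever asks "does this entry hold this password?" and gets compareTrue or compareFalse back; the stored value never travels to it.

```python
import base64
import hashlib
import hmac
import os


def parse_dn(dn: str):
    """Parse an LDAP string DN, leaf first, e.g. 'OU=Sales+L=Swindon,O=Big PLC,C=GB',
    into a list of RDNs. Each RDN is a frozenset of (type, value) pairs, which is the
    slides' SEQUENCE of RDNs, each a SET of {Attribute Type, Attribute Value}."""
    rdns, current, buf, escaped = [], [], [], False

    def end_pair():
        attr_type, _, value = "".join(buf).partition("=")
        current.append((attr_type.strip().lower(), value.strip()))
        buf.clear()

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "+":
            end_pair()
        elif ch == ",":
            end_pair()
            rdns.append(frozenset(current))
            current.clear()
        else:
            buf.append(ch)
    if buf:
        end_pair()
    if current:
        rdns.append(frozenset(current))
    return rdns


def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP-style {SSHA} storage value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(stored: str, candidate: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return hmac.compare_digest(stored, candidate)   # cleartext userPassword (discouraged)
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


class Directory:
    """In-memory DIT keyed by the parsed DN, so the RDN rules of slide 46 fall out of
    the key: siblings must differ in RDN, while the same RDN may recur under other parents."""

    def __init__(self):
        self.entries = {}

    def add(self, dn: str, attrs: dict) -> str:
        key = tuple(parse_dn(dn))
        if key in self.entries:
            return "entryAlreadyExists"                  # duplicate RDN under the same parent
        if key[1:] and key[1:] not in self.entries:
            return "noSuchObject"                        # the parent entry must exist first
        self.entries[key] = {k.lower(): list(v) for k, v in attrs.items()}
        return "success"

    def compare(self, dn: str, attr: str, value: str) -> str:
        """LDAP Compare as a login server uses it: the directory answers
        compareTrue/compareFalse without ever returning the stored value."""
        entry = self.entries.get(tuple(parse_dn(dn)))
        if entry is None:
            return "noSuchObject"
        values = entry.get(attr.lower())
        if not values:
            return "noSuchAttribute"
        if attr.lower() == "userpassword":
            return "compareTrue" if any(ssha_check(v, value) for v in values) else "compareFalse"
        return "compareTrue" if value in values else "compareFalse"
```

Because the parsed RDN is a set, `OU=Sales+L=Swindon` and `L=Swindon+OU=Sales` name the same entry, exactly as the X.500 model requires; and because the key is the whole DN, `O=Big PLC` can exist under both `C=GB` and `C=FR` but not twice under `C=GB`.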
  • 51. Public Key Certificates and CRLs • Certificates can be held within X.500/LDAP directory entries as attributes of type: – userCertificate: holds a user's certificates; – cACertificate: holds a CA's self-issued certificates; – crossCertificatePair: holds CA cross-certificates. • CRLs can be held within X.500/LDAP directory entries as attributes of type: – certificateRevocationList: for user certificates; – authorityRevocationList: for CA certificates; – deltaRevocationList: for delta CRLs.
  • 52. Bibliography • Computer Security: Principles and Practice, by William Stallings and Lawrie Brown. Pearson/Prentice Hall, © 2008. ISBN 0-13-600424-5. • Cryptography and Network Security, by Behrouz A. Forouzan. McGraw-Hill, © 2008. ISBN 978-007-126361-0. • Lecture notes by David Chadwick, 2011, TrueTrust Ltd. • Internet Security: Cryptographic Principles, Algorithms and Protocols, by Man Young Rhee. Wiley, 2003 (ebook).
  • 53. Summary • In this session we: – introduced user authentication • using passwords • using tokens • using biometrics – discussed remote user authentication issues – introduced LDAP protocols and standards.
  • 54. Thanks. Radwan Tahboub.