Advanced Operating Systems - Lecture 40: Authentication. This lecture will cover the following: user authentication; password based authentication; UNIX password scheme; one-time password schemes; challenge response authentication; biometrics and other authentication schemes; access control and authorization;...
CS703 Advanced Operating Systems
By Mr Farhan Zaidi
Lecture No. 40

Overview of today's lecture
- User authentication
- Password based authentication
- UNIX password scheme
- One-time password schemes
- Challenge response authentication
- Biometrics and other authentication schemes
- Access control and authorization
- Access control matrix

Authentication
- Usually done with passwords.
- This is usually a relatively weak form of authentication, since it is something that people have to remember.
- Empirically, passwords are typically based on a spouse's or child's name, a favorite movie title, etc.
- Passwords should not be stored in a directly readable form. Use some sort of one-way transformation (a "secure hash") and store that instead. If you look in /etc/passwd you will see a bunch of gibberish associated with each name; that gibberish is the transformed password.
- Problem: to resist guessing ("dictionary attacks") passwords should be long and obscure; unfortunately such passwords are easily forgotten and usually written down.

Authentication (2)
- Unix password security: encrypt (one-way transform) the passwords.
- One-time passwords: Lamport's clever scheme (read Tanenbaum for details).
- Challenge-response based authentication: used in PPP and many other applications.

Authentication alternatives
- Badge or key
  - Does not have to be kept secret; usually some sort of picture ID worn on the jacket (e.g., at military bases).
  - Should not be forgeable or copyable.
  - Can be stolen, but the owner should know if it is (but what to do then? If you issue another, how do you invalidate the old one?)
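The UNIX password scheme described above (store only a one-way transformation of each password, and expect dictionary attacks against weak choices) as a worked example. This is added illustration code, not code from the lecture or from Tanenbaum: it uses Python's standard-library PBKDF2-HMAC-SHA256 as the one-way transformation in place of the classic crypt(3) routine, and the user names, passwords and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Work factor for the one-way transformation: deliberately slow so that
# offline guessing against a stolen copy of the table is expensive.
ITERATIONS = 100_000

# Constructed word list standing in for a guessing dictionary (names,
# pets, movie titles, ...). A real one has millions of entries.
COMMON_WORDS: Set[str] = {
    "password", "letmein", "fluffy", "titanic", "john", "qwerty",
    "supercalifragilistic",
}


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way transformation of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def check_policy(password: str, dictionary: Set[str]) -> Optional[str]:
    """Enforce the slide's advice when a password is set: long and not
    guessable. Returns a rejection reason, or None if acceptable."""
    if len(password) < 12:
        return "too short"
    if password.lower() in dictionary:
        return "in dictionary"
    return None


def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the password file: name -> (salt, digest). The cleartext is
    never written; the digest is the 'gibberish' seen next to each name."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)                      # fresh random salt per user
        store[name] = (salt, hash_password(password, salt))
    return store


def verify(store: Dict[str, Tuple[bytes, bytes]], name: str, attempt: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant
    time, so response timing does not reveal how close a guess was."""
    if name not in store:
        # Do the same amount of work for unknown names so they cannot be
        # told apart from wrong passwords by response time.
        hash_password(attempt, b"\x00" * 16)
        return False
    salt, digest = store[name]
    return hmac.compare_digest(hash_password(attempt, salt), digest)


def same_password_distinct_records(store: Dict[str, Tuple[bytes, bytes]], a: str, b: str) -> bool:
    """Why the salt matters: two users with the same password still get
    different digests, so a single precomputed table of transformed
    dictionary words cannot be matched against every record at once."""
    return store[a][1] != store[b][1]
```

On current UNIX systems the digests are kept in /etc/shadow, readable only by root, rather than in the world-readable /etc/passwd; that denies a local user the convenient offline copy of the table, but the per-user salt and the slow work factor are still what make guessing expensive once a copy leaks.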
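Lamport's one-time password scheme and challenge-response authentication, the two alternatives listed in "Authentication (2)", as one added example (not the lecture's or Tanenbaum's code). Both avoid sending a reusable password: in Lamport's scheme the server holds only h^n(s) and each login reveals the next value down the chain, which is useless once consumed; in challenge-response the client proves knowledge of a shared key by answering a fresh nonce. Assumptions made here: SHA-256 as the one-way function h, HMAC-SHA256 for the response (PPP's CHAP uses an MD5-based construction instead), and constructed seed and key values.

```python
import hashlib
import hmac
import os
from typing import Tuple


def h(x: bytes) -> bytes:
    """The one-way function of the chain (SHA-256 assumed)."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, k: int) -> bytes:
    """h applied k times to seed, i.e. h^k(seed)."""
    x = seed
    for _ in range(k):
        x = h(x)
    return x


# ---- Lamport one-time passwords -------------------------------------------
class LamportClient:
    """Knows the secret seed s; sends h^(n-1)(s), h^(n-2)(s), ... in turn."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.i = seed, n - 1

    def enroll(self) -> bytes:
        return hash_chain(self.seed, self.i + 1)   # h^n(s) is given to the server

    def next_otp(self) -> bytes:
        if self.i < 1:                              # never reveal h^0(s) = the seed
            raise RuntimeError("chain exhausted: re-enroll with a new seed")
        otp = hash_chain(self.seed, self.i)
        self.i -= 1
        return otp


class LamportServer:
    """Stores only the current top of the chain, never the seed."""
    def __init__(self, top: bytes):
        self.current = top

    def login(self, otp: bytes) -> bool:
        # A replayed otp fails because h(otp) is not otp itself.
        if not hmac.compare_digest(h(otp), self.current):
            return False
        self.current = otp        # ratchet forward; the old value is now useless
        return True


def demo_lamport(seed: bytes, n: int) -> Tuple[int, bool]:
    """Run the chain down. Returns (successful logins, replay rejected?)."""
    client = LamportClient(seed, n)
    server = LamportServer(client.enroll())
    first = client.next_otp()
    logins = 1 if server.login(first) else 0
    replay_rejected = not server.login(first)
    while True:
        try:
            otp = client.next_otp()
        except RuntimeError:       # n-1 usable passwords, then re-enrollment
            break
        logins += server.login(otp)
    return logins, replay_rejected


# ---- Challenge-response with a shared key ----------------------------------
class ChallengeResponseServer:
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding = set()          # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)            # fresh and unpredictable: defeats replay
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:   # never issued, or already consumed
            return False
        self.outstanding.discard(nonce)     # each challenge is answered once
        expected = hmac.new(self.key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def respond(shared_key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the key without transmitting it."""
    return hmac.new(shared_key, nonce, "sha256").digest()
```

The two schemes fail differently: a Lamport chain runs out after n-1 logins and must be re-seeded, while challenge-response needs a key stored on both sides and is only as good as the freshness of the nonce, which is why the server here refuses any nonce it did not just issue.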
  - This is similar to the notion of a "capability" that we will see later.
- Biometrics

Biometrics
- Authentication of a person based on a physiological or behavioral characteristic.
- Example features: face, fingerprints, hand geometry, handwriting, iris, retina, vein, voice.
- Strong authentication, but it still needs a "trusted path".

Access control
- Context: the system knows who the user is (the user has entered a name and password, or other info).
- Access requests pass through a gatekeeper: user process -> reference monitor -> resource.
- The OS must be designed so the monitor cannot be bypassed.
- The reference monitor decides whether the user can apply the operation to the resource.

Access control matrix [Lampson]
- Subjects are the rows, objects the columns; each cell holds the rights the subject has on the object ("-" means none).

           File 1   File 2   File 3   File 4   ...   File n
  User 1   read     write    -        -        ...   read
  User 2   write    write    write    -        ...   -
  User 3   -        -        -        read     ...   read
  ...
  User m   write    read     write    read     ...   read

Two implementation concepts
- Access control list (ACL): store a column of the matrix with the resource.
- Capability: the user holds a "ticket" for each resource, i.e. a row of the matrix.

           File 1   File 2   ...
  User 1   read     write    -
  User 2   write    write    -
  User 3   -        -        read
  ...
  User m   read     write    write

- Access control lists are widely used, often with groups.
- Some aspects of the capability concept are used in Kerberos, ...
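The access control matrix and its two implementations, as an added example (not the lecture's own code). It keeps a small constructed matrix (sample principals, files and rights, not the lecture's table), derives the ACL view by storing each column with its object, expands group membership at check time as ACL systems commonly do, and hands out capabilities as rows of the matrix. To make a ticket unforgeable in this toy, the reference monitor tags it with an HMAC under a key only the monitor holds; that keying is an assumption of this example, real capability systems use protected kernel tables or hardware tagging instead.

```python
import hmac
import os
from typing import Dict, FrozenSet, Set, Tuple

# Constructed sample matrix: rows are principals (users or groups),
# columns are objects, cells are the rights granted.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "user1": {"file1": {"read"}, "file2": {"write"}, "file_n": {"read"}},
    "user2": {"file1": {"write"}, "file2": {"write"}, "file3": {"write"}},
    "user3": {"file3": {"read"}, "file_n": {"read"}},
    "staff": {"file3": {"read"}},        # a group row, expanded at check time
}
GROUPS: Dict[str, Set[str]] = {"staff": {"user1", "user2"}}

# A capability is (object, rights, tag): the "ticket" the subject presents.
Capability = Tuple[str, FrozenSet[str], bytes]


def to_acls(matrix: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Column view of the matrix: each object stores its own list of
    (principal -> rights), which is what an ACL system keeps with the file."""
    acls: Dict[str, Dict[str, Set[str]]] = {}
    for principal, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[principal] = set(rights)
    return acls


class ReferenceMonitor:
    """Every access request is decided here; the OS must make it unbypassable."""

    def __init__(self, matrix: Dict[str, Dict[str, Set[str]]], groups: Dict[str, Set[str]]):
        self.matrix = matrix
        self.groups = groups
        self.acls = to_acls(matrix)
        self._key = os.urandom(32)    # known only to the monitor: tickets cannot be forged

    def principals_of(self, subject: str) -> Set[str]:
        """The subject itself plus every group it belongs to."""
        return {subject} | {g for g, members in self.groups.items() if subject in members}

    # ---- ACL implementation: look the identity up in the object's column ----
    def check_acl(self, subject: str, op: str, obj: str) -> bool:
        entries = self.acls.get(obj, {})
        return any(op in entries.get(p, ()) for p in self.principals_of(subject))

    # ---- Capability implementation: the subject presents a ticket ----
    def _tag(self, obj: str, rights: FrozenSet[str]) -> bytes:
        msg = obj.encode() + b"\x00" + ",".join(sorted(rights)).encode()
        return hmac.new(self._key, msg, "sha256").digest()

    def grant(self, subject: str, obj: str) -> Capability:
        """Issue the subject its row entry for obj (group rights folded in)."""
        rights: Set[str] = set()
        for p in self.principals_of(subject):
            rights |= self.matrix.get(p, {}).get(obj, set())
        frozen = frozenset(rights)
        return (obj, frozen, self._tag(obj, frozen))

    def check_capability(self, cap: Capability, op: str) -> bool:
        """No identity lookup: possession of a valid ticket is the proof."""
        obj, rights, tag = cap
        return hmac.compare_digest(tag, self._tag(obj, rights)) and op in rights
```

The contrast the slide draws shows up in the two check methods: check_acl needs the subject's identity and the object's column, so revoking a right is a one-line edit to that column, while check_capability needs neither and merely validates the ticket, which is convenient to pass around but leaves the "how to invalidate the old one?" question from the badge discussion open.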