Lecture - Authentication

The document discusses various authentication schemes including password based authentication, one-time passwords, challenge-response authentication, and biometrics. It also covers access control and authorization methods like access control matrices and access control lists.

Uploaded by

faheem tariq

CS703 - Advanced Operating Systems

Overview of today’s lecture
• User authentication
• Password based authentication
• UNIX password scheme
• One-time password schemes
• Challenge response authentication
• Biometrics and other authentication schemes
• Access control and authorization
• Access control matrix
Authentication
• Usually done with passwords.
• This is usually a relatively weak form of authentication, since it’s something that people have to remember.
• Empirically, a password is typically based on a wife’s/husband’s or kid’s name, a favorite movie name, etc.
• Passwords should not be stored in a directly readable form.
• Use some sort of one-way transformation (a “secure hash”) and store that.
• If you look in /etc/passwd, you will see a bunch of gibberish associated with each name. That is the transformed password.
• Problem: to prevent guessing (“dictionary attacks”), passwords should be long and obscure.
• Unfortunately, such passwords are easily forgotten and usually written down.
Authentication (2)

• Unix password security
  • Encrypt passwords
• One time passwords
  • Lamport’s clever scheme (Read Tanenbaum for details)
• Challenge-Response based authentication
  • Used in PPP and many other applications
Authentication alternatives
• Badge or key
Does not have to be kept secret. Usually some sort of picture ID worn on a jacket (e.g., at military bases)
• Should not be forgeable or copy-able
• Can be stolen, but the owner should know if it is
• (but what to do? If you issue another, how to invalidate old?)
• This is similar to the notion of a “capability” that we’ll see later
Biometrics
• Biometrics
• Authentication of a person based on a physiological or behavioral characteristic.
• Example features:
• Face, Fingerprints, Hand geometry, Handwriting, Iris, Retinal, Vein, Voice.
• Strong authentication but still need a “Trusted Path”.
Access control
• Context
• System knows who the user is
• User has entered a name and password, or other info
• Access requests pass through gatekeeper
• OS must be designed so monitor cannot be bypassed

[Figure: User process → Reference monitor (marked “?”) → Resource]

Decide whether user can apply operation to resource


Access control matrix [Lampson]
Objects (columns), Subjects (rows)

          File 1   File 2   File 3   …       File n
User 1    read     write    -        -       read
User 2    write    write    write    -       -
User 3    -        -        -        read    read
User m    read     write    read     write   read

Two implementation concepts

• Access control list (ACL)
  • Store column of matrix with the resource
• Capability
  • User holds a “ticket” for each resource

          File 1   File 2   …
User 1    read     write    -
User 2    write    write    -
User 3    -        -        read
User m    read     write    write

Access control lists are widely used, often with groups


Some aspects of capability concept are used in Kerberos, …
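
The two implementation concepts above, as an added example that is not part of the original lecture: the access control matrix from the earlier slide is split into per-resource ACLs and into per-user tickets checked by a reference monitor. The HMAC tag that makes a ticket unforgeable, the omission of the “…” column, exact matching of rights, and all function and class names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Rows of the lecture's matrix (subject -> object -> right). Assumptions of this
# example: the "…" column is omitted and each right is matched exactly.
MATRIX = {
    "User 1": {"File 1": "read", "File 2": "write", "File n": "read"},
    "User 2": {"File 1": "write", "File 2": "write", "File 3": "write"},
    "User 3": {"File n": "read"},
    "User m": {"File 1": "read", "File 2": "write", "File 3": "read", "File n": "read"},
}


def build_acls(matrix):
    """ACL view: store each column of the matrix with its resource."""
    acls = {}
    for subject, row in matrix.items():
        for obj, right in row.items():
            acls.setdefault(obj, {})[subject] = right
    return acls


def acl_check(acls, subject, obj, op):
    """Reference monitor, ACL style: look the subject up in the object's list."""
    return acls.get(obj, {}).get(subject) == op


class CapabilityMonitor:
    """Reference monitor, capability style: users hold tickets it can verify."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the monitor

    def _tag(self, subject, obj, right):
        msg = "\x00".join((subject, obj, right)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, matrix, subject):
        """Hand a subject one ticket per non-empty cell of its matrix row."""
        return [(subject, obj, right, self._tag(subject, obj, right))
                for obj, right in matrix[subject].items()]

    def check(self, ticket, obj, op):
        """Allow only if the ticket is genuine and names this object and operation."""
        subject, t_obj, right, tag = ticket
        genuine = hmac.compare_digest(tag, self._tag(subject, t_obj, right))
        return genuine and t_obj == obj and right == op
```

With ACLs the decision data stays with the resource, so removing an entry there revokes access; with tickets the monitor keeps no per-user table, which is why the slide on badges asks how an old one can be invalidated.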
