Pgpuam Slides
Game Manuals · PDF
| Filename | PGPuam_Slides.pdf |
|---|---|
| Size | 0.26 MB |
| Subsection | Pgpuam Slides |
| Downloads | 0 |
OCR / Text contents
PGPuam
Public Key Authentication
for AppleShare
Vinnie Moscaritolo
Apple Computer, Inc
Overview
- Existing User Authentication Methods
  - Common attacks & weaknesses
- Getting beyond passwords
  - Cryptographic signatures
- PGPuam
  - Enhancing AppleShare authentication
Who this talk is for
- System Administrators
- Security conscious users
- Mac OS developers
See also
- AppleShare Authentication Architecture (Weds)
- PGPticket - A Secure Authorization Protocol (Thurs)
Background
Who is Vinnie Moscaritolo?
- Apple Developer Services
- (formerly Chief Consulting Engineer, PGP)
- Hosts the Mac-Crypto Workshop
- Not a Cryptographer
- Not a Lawyer
- Lots of “real world” security experience
- <http://www.vmeng.com/vinnie>
What has changed?
Secure Networks Open Networks
Insecure Comm Secure Comm
= New threat model
Attacks to Network Services
- Packet Sniffing
- Automated Password Guessing
- Replay Attacks
- Session Stealing
- Infrastructure Penetration
- Device Penetration
- Social Engineering & Rubber Hose
Packet Sniffing
- Packet sniffing SW is widely available.
- Cleartext passwords are common.
  - POP
  - FTP
  - PPC Toolbox
Automated Password Guessing
- Brute force vs dictionary attacks
- Online attacks
  - Easily detectable
- Offline attacks
  - Targets password databases
  - Accessed through other holes (cgi)
  - Many utilities available for cracking /etc/passwd
Replay Attack
- Capture previous session
- Replay later.
Session Stealing
- Wait for user to initiate login.
- Denial of service attack to client
  - Forge TCP reset, closes client's connection
- Hijack already authenticated session
  - (with victim's authentication & privs)
Infrastructure Penetration
- Target name-servers or routers
  - Force reload with infected sw
- Initiate Man-in-the-middle attack
  - User notices no loss of service
  - Attacker monitors all traffic (even encrypted)
Device Penetration
- Virus or Trojan Horse
- Keystroke capture
- Spoofed downloads
  - Sign your distributions!
Social Engineering & Rubber Hose
- People are weakest link.
  - Easily fooled, coerced or intimidated.
  - Shoulder surfing
- Difficult to defend against
  - Requires management to acknowledge the threat and support threat awareness education for users.
User Authentication Methods
- Local Authentication
  - Authentication material never exits user’s control
  - e.g. Mounting local…