4. Auth-AC - Control Questions Flashcards
What do we mean by (user) authentication?
user authentication = process of proving a claimed identity
What are the 3 approaches to user authentication in computer systems?
○ three basic approaches to user authentication
■ passwords and the like (what you know)
■ hardware tokens (what you have)
■ biometrics (what you are)
What are the advantages and the disadvantages of passwords?
○ advantages
■ simple and intuitive (easy to understand by average users)
■ cheap to implement
○ disadvantages
■ password must be memorized by the user
● users tend to choose guessable passwords
● users tend to use the same password on multiple systems
■ passwords or password hashes must be stored by the verifier
● password files can be stolen and analyzed off-line
● brute force and dictionary attacks are possible
■ password can be obtained on its way from the user to the verifier
● keystroke logging, shoulder surfing
● eavesdropping (encrypted transport between remote parties is essential)
● replay attacks (encryption alone is not enough)
■ passwords are easy to reveal and share
● social engineering attacks are possible
What is the model of password based authentication? (figure)
figure
What do salting and stretching mean and what is their goal in case of password hashing?
○ design principles:
○ multiple iterations make exhaustive search slower (stretching)
○ user salt makes pre-computation attacks impractical
○ modified DES prevented the use of off-the-shelf DES hardware
+ figure
What are the main weaknesses of Windows’ LM hash?
○ two halves can be cracked separately
○ conversion to uppercase reduces the size of the password space
What is a dictionary attack in the context of password based authentication?
the candidate list contains words from a dictionary (and their variations)
■ user-chosen passwords are often meaningful words that can be found in dictionaries
■ password cracking programs using dictionaries are available on the Web
Why does salting make a rainbow table based attack too expensive for the attacker?
time-memory trade-off:
■ given a fixed pre-computation effort t*m, we can adjust the time (~t²) needed to break a hash by changing the memory requirement (~2m)
■ hash cracking can be faster at the expense of more storage
■ a per-user salt forces the attacker to repeat the pre-computation for every salt value, so one table cannot be reused across users
How can we measure the strength of a randomly chosen password?
○ strength of randomly chosen passwords against brute force attack can be calculated with precision:
■ H = L · log₂ N
○ where N is the number of possible symbols and L is the length of the password (in symbols), and the unit of H is a bit
○ H is essentially the entropy of a randomly chosen password
What is the model of smart card based authentication? (figure)
figure
What is the untrusted terminal problem?
○ smart cards have no user interface → PIN must be entered through the user terminal
○ a malicious terminal can use the PIN to request a signature from the smart card on any message
examples of potentially untrusted terminals:
■ a terminal installed at a public place (e.g., a PC in a hotel or airport lounge, Internet cafe, …)
■ a terminal operated by an untrusted principal (e.g., an ATM or a payment terminal of an unknown merchant in a foreign country)
■ the user’s own PC or smartphone ???
What is the basic model of biometric authentication? (figure)
figure
What properties should a physiological feature have to be usable for biometric authentication?
○ universality – every person should have the characteristic
○ uniqueness – no two persons should be the same in terms of the characteristic
○ permanence – the characteristic should be invariant with time
○ collectability – the characteristic can be measured quantitatively
○ circumvention – it should be difficult to fool the system by fraudulent techniques
Give a few examples for biometric authentication approaches!
○ fingerprint
○ iris
○ retina
○ face
○ ear
○ hand geometry
○ voice
○ thermogram (face)
○ keystroke dynamics (behavioral)
○ dynamics of handwritten signature (behavioral)
What is a fingerprint minutia?
○ ending: termination of a ridge
○ bifurcation: split of a ridge from a single path to two paths (Y-junction)
○ minutiae are represented by their:
■ type (ending, bifurcation)
■ position
■ direction