authentication Flashcards
authentication
verifies a claimed identity, which may be a global or a local identity
e.g. global id
passport number
e.g. local id
student number
authentication factors
something the user knows, something the user is, and something the user has
each factor is a way of proving a claimed identity to a system
knowledge based authentication
the user proves identity by reproducing secret information that was shared in advance with the authentication system
what are some examples of knowledge based authentication
passwords
pins
pass phrase
personal data
word association
what is an alternative to textual passwords
graphical passwords
graphical passwords
the user authenticates by interacting with images
e.g. passmap or unlock patterns
the user can select images, draw on an image, or select parts of an image
advantages of knowledge based authentication
cheap
easily revoked
widely used and accepted by users
high security potential, although long passwords are harder to remember
disadvantages of knowledge based authentication
weak user accountability (a shared password cannot be traced to one person)
no privilege control once the password has been shared
the user is not aware when the password has been leaked
the password may be leaked to an untrustworthy host
it can be captured by eavesdropping or other illicit capture
it can be captured by a masquerading or phishing site
how are textual passwords cracked
determine which hash function has been used
decide which attack to use (brute force or dictionary attack)
acquire the resources (brute force needs substantial compute time and storage)
in what context do we use brute force for textual password cracking
to try all possible combinations for a particular account
may take many years
in what context do we use dictionary attacks for textual password cracking
checks the most likely passwords against many accounts
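The three cracking steps above (identify the hash function, pick dictionary versus brute force, size the resources) as an added worked example; this is not code from the original flashcards. It assumes an unsalted hex-digest password file, which it constructs inline, so the digest length alone identifies the algorithm; with salted or iterated hashes step 1 is harder and every attempt costs more.

```python
import hashlib
import itertools
import string
from typing import Dict, List, Optional, Tuple

# Constructed sample of a leaked password file: unsalted hex digests keyed by
# account name (an assumption for the demo; real files vary in format).
LEAKED: Dict[str, str] = {
    "alice": hashlib.sha256(b"password1").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"zq7").hexdigest(),
}

# Constructed wordlist of likely passwords, most common first.
WORDLIST: List[str] = ["123456", "password", "letmein", "password1", "qwerty"]

# Step 1: determine the hash function. With unsalted hex digests the length
# alone narrows it down (assumption: no salt or iteration scheme in use).
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def guess_hash_function(digest_hex: str) -> Optional[str]:
    """Return the hashlib name whose hex digest length matches, or None."""
    return DIGEST_LENGTHS.get(len(digest_hex))


def hash_with(algorithm: str, candidate: str) -> str:
    return hashlib.new(algorithm, candidate.encode()).hexdigest()


def dictionary_attack(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Step 2a: try the most likely passwords against every account.

    Cost is len(wordlist) * len(leaked) hashes; it finds weak passwords on
    many accounts but misses anything that is not in the list.
    """
    found: Dict[str, str] = {}
    for user, digest in leaked.items():
        algorithm = guess_hash_function(digest)
        if algorithm is None:
            continue
        for word in wordlist:
            if hash_with(algorithm, word) == digest:
                found[user] = word
                break
    return found


def brute_force(digest_hex: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3) -> Tuple[Optional[str], int]:
    """Step 2b: exhaust every combination for one account, shortest first.

    Returns (password or None, number of hashes computed).
    """
    algorithm = guess_hash_function(digest_hex)
    if algorithm is None:
        return None, 0
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_with(algorithm, candidate) == digest_hex:
                return candidate, attempts
    return None, attempts


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Step 3: size the resources. Number of candidates up to max_len characters."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def years_to_exhaust(alphabet_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock years for a full brute force at a given hash rate."""
    return keyspace_size(alphabet_size, max_len) / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(LEAKED, WORDLIST))
    print("brute force on carol:", brute_force(LEAKED["carol"]))
    # 95 printable ASCII characters, 12 characters long, 1e10 hashes per second
    print("years for 12-char printable ASCII at 1e10 H/s:", years_to_exhaust(95, 12, 1e10))
```

The dictionary pass recovers the two common passwords with five hashes per account, while the brute force only works because carol's password is three characters; the last line shows why exhausting a long printable-ASCII password "may take many years" even at a high hash rate.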
how do we crack graphical passwords
by brute force, because the password space is small
by smudge attacks, which read the finger traces left on the touch screen
what are the benefits of using one time passwords
each password is used once, so a password obtained by eavesdropping or phishing cannot be replayed later
most schemes require access to another device that only the user has
what are the 3 forms of possession based authentication (user has)
magnetic strip card
smart cards
one shot password token
smart card
secure storage of data
contents cannot be modified or copied without authorisation
has processing and data storage capabilities thanks to the embedded processor (computer chip)
magnetic strip card
contains identification information and a signature on the back
mostly used by banking systems
magnetic strip card positives
universally accepted
cheap to produce
magnetic strip card negatives
limited security and functionality, as they are easy to counterfeit
what are the two methods of using one shot password tokens
synchronised password
challenge response system
synchronised password (tokens)
a synchronised password generator produces the same sequence of pseudo-random passwords in the token and in the host
what is the process behind synchronised password tokens
the user enters the correct pin into the token to make it display the otp
the current time from the clock is an input to the otp algorithm, so each otp is time-limited and unique
the user then enters the otp to authenticate
authentication fails if the token and host clocks lose synchronisation
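The synchronised token process above, and the one-time password benefit (a captured code cannot be reused), as an added worked example that is not part of the original flashcards. The card does not fix the algorithm, time step or code length, so this assumes an HMAC-SHA1 sequence over a 30-second counter with 6-digit codes (the shape of TOTP), a host that tolerates one step of clock drift, and a host that remembers the last accepted counter so a replayed code is refused.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumed parameters (the card gives none): 30-second time step, 6-digit OTP.
STEP_SECONDS = 30
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-way function of the shared secret and the time-step counter.

    HMAC-SHA1 over the counter with HOTP-style dynamic truncation; the token
    and the host run exactly this, so they produce the same sequence.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_display(secret: bytes, stored_pin: str, entered_pin: str, token_clock: int) -> Optional[str]:
    """Token side: show the OTP only if the correct PIN is entered."""
    if not hmac.compare_digest(stored_pin.encode(), entered_pin.encode()):
        return None
    return otp_for_counter(secret, token_clock // STEP_SECONDS)


def host_verify(secret: bytes, candidate: str, host_clock: int,
                window: int = 1, last_accepted: int = -1) -> Optional[int]:
    """Host side: recompute the sequence around its own clock.

    Accepts +/- window steps of clock drift and returns the matched counter,
    or None. Counters at or below last_accepted are refused, so an OTP that
    was captured and submitted again within the same step is rejected.
    """
    current = host_clock // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(otp_for_counter(secret, counter), candidate):
            return counter
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret-0123"  # constructed; provisioned into token and host
    pin = "1234"
    otp = token_display(secret, pin, pin, 1_000_000)
    print("in sync:", host_verify(secret, otp, 1_000_010))                       # 33333
    print("replay:", host_verify(secret, otp, 1_000_010, last_accepted=33333))   # None
    drifted = token_display(secret, pin, pin, 1_000_090)                         # token 3 steps ahead
    print("drifted, window=1:", host_verify(secret, drifted, 1_000_000))         # None
```

The last call is the failure mode on the card: once the token clock is further ahead than the host's acceptance window, valid codes are rejected until the token is resynchronised (or the window is widened, which also widens the replay and guessing opportunity).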
challenge response system (tokens)
one party presents a challenge and the other must provide a valid answer
what is the process behind challenge response system
the user's token and the host share a secret key, and the host also stores the user's pin against the user id
the user logs on and the host generates a random number (the challenge) and displays it
the user enters their pin into the token followed by the challenge
the token computes the response as a cryptographic one-way function of the challenge, the secret key and the pin, and displays it
the user enters the response into the terminal
the host computes the same function from the key and pin stored with the user's id; if the two values match, the user is granted access
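The challenge-response exchange above with both sides' messages, as an added worked example that is not part of the original flashcards. The card only says "cryptographic one way function", so the construction here (HMAC-SHA256 keyed with the secret key over the PIN and the challenge, truncated to an 8-digit code) and the `Token` and `Host` classes are assumptions. Note that the token does not check the PIN itself: a wrong PIN simply yields a wrong response, and only the host, which stores the correct PIN, can tell.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

RESPONSE_DIGITS = 8  # assumed length of the code the token shows


def compute_response(key: bytes, pin: str, challenge: int) -> str:
    """The one-way function both sides run (assumed construction):
    HMAC-SHA256 keyed with the secret key over the PIN and the challenge,
    truncated to a short decimal code the user can type."""
    message = f"{pin}:{challenge}".encode()
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class Token:
    """Holds the secret key; computes a response from whatever PIN the user types."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, entered_pin: str, challenge: int) -> str:
        return compute_response(self._key, entered_pin, challenge)


class Host:
    """Stores (key, PIN) per user id, issues challenges and checks responses."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, str]] = {}
        self._pending: Dict[str, int] = {}

    def register(self, uid: str, key: bytes, pin: str) -> None:
        self._users[uid] = (key, pin)

    def issue_challenge(self, uid: str, rng: Callable[[int], int] = secrets.randbelow) -> int:
        """Generate and remember a fresh random challenge for this login attempt."""
        challenge = rng(10 ** 8)
        self._pending[uid] = challenge
        return challenge

    def check(self, uid: str, response: str) -> bool:
        """Recompute the expected response from the stored key and PIN.

        The outstanding challenge is consumed here, so a response is valid
        for exactly one challenge and a captured response cannot be replayed.
        """
        challenge = self._pending.pop(uid, None)
        if challenge is None or uid not in self._users:
            return False
        key, pin = self._users[uid]
        expected = compute_response(key, pin, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    shared_key = b"constructed-token-key-0123456789"  # constructed; provisioned into token and host
    host, token = Host(), Token(shared_key)
    host.register("alice", shared_key, "4321")
    challenge = host.issue_challenge("alice")          # host -> user: displayed challenge
    response = token.respond("4321", challenge)        # user -> token -> user: displayed response
    print("correct pin:", host.check("alice", response))             # True
    host.issue_challenge("alice")
    print("old response vs new challenge:", host.check("alice", response))  # False
```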
benefits of possession based authentication (user has)
an attacker must physically have the token
users cannot share the token without giving it up
the token can be combined with other methods, e.g. otp
the user notices when the token has been lost and must report it
illegal possession of a token is evidence
disadvantages of possession based authentication (user has)
cost of the token plus the reading and checking mechanism
admin work: distributing, recording, lost token reporting, destruction, replacement of expired tokens
biometric based authentication (user is)
biometrics: automated methods of verifying and recognising a person based on physical and behavioural characteristics
examples of physical biometrics
measurements from the human body
fingerprint/face/iris/retina recognition
examples of behavioural biometrics
measurements from actions
voice/signature recognition
keystroke/touch dynamics