Authentication Flashcards
What is authentication?
Who are you? Prove it.
Checks if requester has access to resource
TCB needs to know who is requesting
Processes request on behalf of user, subject or principal
User associated with identity should be able to authenticate themselves
What are the different ways authentication can be implemented?
- User knows (password)
- User has (RSA token)
- User is (biometrics)
What are the threat models for passwords?
Attacker guesses password
Login program is spoofed
Keylogging
What is a trusted path?
Required to be provided by OS
Special kind of input that leads to a display under OS control
Example: Ctrl+Alt+Delete
How do we authenticate passwords?
- Store password in a system file
- Store password hashes
Why is storing passwords in a file dangerous?
Needs to be readable by a root/admin account
In a breach, all passwords are compromised
Easy to mess up access permissions
What is the problem with storing the password hashes in a file?
Hashes can be brute forced to recover the passwords
Workaround: SALT the hash
What does salt the password mean?
Pad the front of the hash value with a random value
How can brute forcing a password be more effective?
Try popular passwords first
Rainbow table
What are the problems with passwords?
- As passwords get longer and complexity increases, usability suffers
- Not robust against social engineering
- Once stolen, passwords can be used multiple times
- People can’t remember a lot of passwords
What are other authentication methods?
- Use something you have (may require additional hardware, a challenge-response)
- Use something you are (biometrics)
- Multi-factor authentication