Authentication, Password, Phishing Flashcards
Identification
announce who you are
Authentication
prove that you are indeed who you claim to be:
- Knowledge (password, security questions)
- Possession (key)
- Physical characteristics (biometrics, face recognition, fingerprint)
- Mechanical tasks (handwriting, typing speed)
- Location (certain terminal, GPS-based)
2-Factor Authentication
RSA SecurID card, Apple ID
Passwords
→ store passwords hashed
Authentication with hashed password
Situation: user holds their password (P) and user ID
Server only knows the password hash (H) for a given user
Authentication: user sends P and ID to the server → server looks up H for the ID, computes hash(P) and compares it with H
Dictionary Attack
Situation: attacker knows H and wants to recover P, and P is contained in a dictionary file (entries Pi)
Attack: attacker computes the hash value for every dictionary entry (Pi, Hi) and compares each Hi with H
The dictionary space is significantly smaller than the full search space
Salted Password Hashes
P is stored in salted form → random value S (salt)
Password hash is H = hash(P, S)
Password Selection
To avoid dictionary attacks
P → significant length, contains letters, numbers and special characters
- Common password selection technique: derive the password from a sentence
Sessions
HTTP is stateless → problem for web applications
implement session tracking → cookies
→ long-lived
Cookies
- After receiving credentials, the server has to maintain the user's authenticated state
- Instead: attach the authenticated state to the session cookie
- Security problems arise out of these characteristics
→ Authentication with certificates
Phishing
= intercepting data from Internet users, e.g. via faked web addresses, e-mail or SMS
- Imitating the design of a trustworthy website
Method: intercept the communication path via malware/trojan, register a domain that looks similar
Access Control
Security technique that regulates who or what can use or view particular resources in a computing environment
2 steps: Authentication (who?) + Authorization (is access granted?)
Access Control List
List that stores the access rights to an object together with the object itself
Reference Monitor (Access Control)
Abstract machine that mediates all access to objects by subjects, e.g. MS Windows
Access Control Matrix
Matrix in which the rights to a particular object are assigned to the roles