Authentication Flashcards
Confidentiality
Protect data from unauthorized access
Integrity
Protect data from unauthorized changes
Availability
Make data available on request to an authorized entity
Mental models
The image of the world inside our heads
Authorization
Includes identification (ID) and authentication (password). Grants access according to access control policies.
A good password
Should withstand attacks
How to: authentication
- Passwords
- Alternatives to passwords (graphical passwords, biometrics, tokens)
- Help with passwords and other authentication mechanisms (password managers, account recovery, fallback authentication)
Attacks on passwords: client side
- Shoulder surfing
- Phishing and other forms of social engineering
- Malware
- Password reuse across sites
Attacks on passwords: network attacks
Man in the middle: attacker takes over the IP address
Password attacks: server frontend attacks
Online guessing: brute force / dictionary
- Breadth-first search: target all accounts
- Depth-first search: target specific accounts
Attacks on passwords: backend server attacks
Offline guessing = password cracking
- Prerequisite: obtain the password database. If passwords are stored in plain text and unprotected, the attack is done. Else, if the database is protected, cracking it depends on the form of protection.
Protection of password databases
- Plain text storage of passwords: offers no protection
- Reversibly encrypted passwords
- Hashed passwords
Protection of password databases: reversibly encrypted passwords
- Used in practice if a legacy system needs the password saved in plain text
- The encryption key should be protected
- If attacked and the key is leaked, the attack is successful
- If attacked and the key is not leaked, the attack is impossible
Protection of password databases: hashed passwords
- The idea is that the server does not store the password, only its hash.
- The hash function h(password) = x is cryptographically secure.
- The hash function is difficult to reverse: knowing only h and x, it is difficult to compute h^-1(x) = password.
- Collision resistant: difficult to find two inputs that map to the same hash value.
- Possible attacks: password cracking = online guessing
- Possible attacks: precomputation (rainbow table lookup); brute force / dictionary attacks
Slow hash: to make cracking more difficult
Add salt: a string added to the password before it is hashed
How strong is strong for passwords
For passwords that protect against offline attacks: 10^12-10^14
For passwords that protect against online attacks: 10^4-10^6