Authentication Flashcards

1
Q

Confidentiality

A

Protect data from unauthorized access

2
Q

Integrity

A

Protect data from unauthorized changes

3
Q

Availability

A

Make data available on request by an authorized entity

4
Q

Mental models

A

The image of the world inside our head

5
Q

Authorization

A

Includes identification (ID) and authentication (password). Grants access according to access control policies.

6
Q

A good password

A

Should withstand attacks

7
Q

How to: authentication

A
  1. Passwords
  2. Alternatives to passwords (graphical passwords, biometrics, tokens)
  3. Help with passwords and other authentication mechanisms (password managers, account recovery, fallback authentication)
8
Q

Attacks on passwords: Client side

A
  1. Shoulder surfing
  2. Phishing and other forms of social engineering
  3. Malware
  4. Password reuse across sites
9
Q

Attacks on passwords: network attacks

A

Man in the middle: the attacker takes over the IP address

10
Q

Password attacks: server frontend attacks

A

Online guessing: brute force / dictionary
- breadth-first search: target all accounts
- depth-first search: target specific accounts

11
Q

Attacks on password: backend server attacks

A

Offline guessing = password cracking
- Prerequisite: obtain the password database. If passwords are stored in plain text and unprotected, the attack is done. Otherwise, if the database is protected, cracking it depends on the form of protection.

12
Q

Protection of pass databases

A
  1. Plain text storage of passwords: offers no protection
  2. Reversibly encrypted passwords
  3. Hashed passwords
13
Q

Protection of password databases: reversibly encrypted passwords

A

- Used in practice if a legacy system needs passwords available in plain text
- The encryption key should be protected
- If the database is attacked and the key is leaked, the attack is successful
- If the database is attacked and the key is not leaked, the attack is impossible

14
Q

Protection of password database: hashed passwords

A
  • The idea is that the server does not store the password, only its hash.
  • The hash function h(password) = x is cryptographically secure.
  • The hash function is difficult to reverse: knowing only h and x, it is difficult to compute h^-1(x) = password.
  • Collision resistant: difficult to find two inputs that map to the same hash value.
    - Possible attacks: password cracking = online guessing
    - Possible attacks: precomputation (rainbow table lookup); brute force / dictionary attacks

Slow hash: makes cracking more difficult
Add a salt: a string added to the password before it is hashed

15
Q

How strong is strong for passwords

A

For passwords that protect against offline attacks: 10^12-10^14

For passwords that protect against online attacks: 10^4-10^6

16
Q

Strong passwords

A
  • Reduce the risk of offline guessing only if the password database is hashed and salted.
  • Reduce the risk of online guessing if lockout and stealthy-attack monitoring are implemented. Passwords can then be less strong than in the offline guessing case.
  • Might reduce the risk of shoulder surfing and insider guessing.
  • Do not protect from phishing attacks or client-side malware.
  • Might increase the risk of password reuse or writing passwords down, since stronger passwords tend to be more difficult to remember.
17
Q

Pass and human capabilities

A
  • Humans have a limited working memory capacity.
  • Items stored in memory decay over time.
  • Unaided recall is harder than cued recall.
  • Similar passwords get easily confused.
  • Items linger in memory: humans can't forget old passwords.
  • Typing errors: no feedback is provided in these cases.
18
Q

Why do humans share their password?

A

- Practical needs: if something happens to me…

- Do this task for me

- As a sign of trust

- Disabilities

19
Q

NIST password guidelines

A

For users: at least 8 characters, the longer the better

For providers:
  • Compare newly chosen passwords with dictionaries and lists of known passwords
  • Secure storage: slow hashing and salting (slow hashing reduces the speed of cracking attacks)
  • Restrict the number of login attempts to 10
  • Password change only if justified
20
Q

Min strength of a password

A

N_min * log2(C)

N_min: minimum length
C: character space

21
Q

Password creation policies: 3 Factors

A
  1. Composition, written as <required>C<min> (number of required character classes, then minimum length). Possible classes: lower-case characters, upper-case characters, numbers, special characters. Min length = 8/10/12/16. E.g. 1C8
  2. Blocklist: list of prohibited strings + matching algorithm
  3. Min strength estimation: a novel algorithm, a neural network trained on leaked data in order to guess the password
22
Q

Password manager:

A

Reasonable password policies: rule out easily guessed passwords; avoid character-class requirements; min length 8

Help users with password management: SSO, password managers, secure write-down

Protection from online guessing: limit the online guessing rate

Protection from offline guessing: slow hashing and salting + detection of breaches

Lock out after 10 guessing attempts; detect stealthy online guessing

Be prepared: usable and secure account recovery; strategies for cases of mass breaches

Don't reuse passwords on important accounts

Don't reuse passwords between work and home

Use aids for password management, like password managers and secure write-down

23
Q

Usability and security of strong passwords

A

Usability issues: hard to remember; typing errors; do not scale to a large number of accounts per user

Security problems: serious attacks exist

Strong passwords help protect only from certain attacks

Password strength = guessing difficulty

Guessing algorithms steadily get better and faster

Human capabilities in dealing with passwords remain the same

24
Q

Usability criteria

A

- Memory-wise effortless

- Scalable for users

- Nothing to carry

- Physically effortless (beyond pressing a button)

- Easy to learn and recall

- Efficient to use (time)

- Infrequent errors

- Easy recovery from loss

25
Q

Security and privacy criteria. Resilience to:

A
  1. Physical observation (shoulder surfing, recording, ...)
  2. Targeted impersonation (having information about the user does not help)
  3. Throttled guessing: guessing attempts are limited by the service provider
  4. Unthrottled guessing: the attacker is constrained only by computational resources
  5. Internal observation (intercepting the user's input)
  6. Phishing
  7. Theft of a physical token
  8. No trusted third party
  9. Privacy protecting: does not reveal information about the user to the service provider

26
Q

Graphical pass schemes

A
  1. Recognition-based (cognometrics): recognize images, e.g. Passfaces
  2. Cued-recall: remember specific parts of an image, e.g. PassPoints
  3. Recall-based: draw a secret line, e.g. Android lock patterns

27
Q

Passfaces- what are they?

A

Idea: people recognize faces better than they remember passwords

Authentication: 4 panels of faces are shown, one after the other. The order remains the same and each panel has a fixed set of faces. The set of faces is unique per panel. The faces on a panel are randomly permuted.

28
Q

Passfaces: usability and security

A

Usability: memorability, creation time, use time

Security: 9^4 password space

Can fall to non-guessing attacks such as shoulder surfing, keylogging and screen capture

Scalability: more difficult to remember faces for multiple sites

29
Q

Problems with graphical passwords

A
  • Security problems: most problems text passwords have, graphical passwords have too
    - User choices are more or less easily guessable
    - Still may be difficult to remember: scalability problems
  • Can be mixed up
  • Remembering 20 graphical passwords would not be easier than remembering 20 text passwords
30
Q

Biometrics / implicit authentication

A

Anatomic characteristics (finger, iris, voice) and behavioral characteristics (heart rate, speaking, typing)

Estimated key spaces: ~20 bits, or a 6-digit password

Recovery from leaks: difficult or impossible

Impersonation through theft of biometric features

Usability: not always effortless for the user (adjusting positioning); recovery from loss difficult or impossible

Tradeoff between false positives and false negatives:
- False negative: the user is not recognized (usability problem)
- False positive: the attacker is recognized as the user (security problem)

31
Q

Tokens + 2FA

A

Security: with 2FA the attacker needs both factors; with a 1FA token, only one

If not PIN protected, the attacker just needs to steal the token

If PIN protected, it depends on the guessability of the PIN

Usability of 2FA decreases in comparison to passwords

Might be faster

Less mental work

Scalability is a problem

Usage of multiple devices for login: private keys can't be transferred

32
Q

Password Managers

A
  • A password generator is also needed; without it users create weak passwords
  • There are different reasons to use a PM: 1. convenience (offered by the browser); 2. stand-alone, used because of security
  • Reasons for not using a PM: unaware; nothing to protect; security concerns (single point of failure)
  • Usability concerns: login from a different device; changing passwords; recovery if the PM did not save passwords
  • Usability problems faced by PM users: passwords not saved; no autofill; user ID not saved; automatically generated password does not fulfill password requirements; manually having to input long passwords on unsynchronized devices; fear of forgetting the master password

33
Q

Password recovery

A

Recovery: in case of permanent loss of the authentication means, i.e. a forgotten password

Can be done through:
- Personal questions
- Social authentication
- Email-based recovery

34
Q

Social authentication

A

- Several persons hold part of a backup secret for your account. Trustees don't have to be warned beforehand: they receive emails with part of the security code from the system and give the codes to the user.

Security: can fall to social engineering via phone or email

Usability: slow, and might never finish; users forget their trustees

If locked out, users need reminders, so the attacker can also get the reminders

Social acceptability: users feel awkward bothering trustees; fear that the trustee will think the emails contain viruses

35
Q

Properties of a good authentication mechanism

A

Security: consider frequent or devastating attacks

Privacy: do not require the user to reveal personal information

Usability: good performance, fast and easy use and enrollment, low user effort, easy recovery