Authentification

Question 1

Confidentiality

Answer 1

Protect data from unauthorized acces

Question 2

Integrity

Answer 2

Protect data from unauthorized changes

Question 3

Availability

Answer 3

Make data available on request by authorized entity

Question 4

Mental models

Answer 4

The image of the world inside our head

Question 5

Authorization

Answer 5

Includes identification (Id) and authentication (pass). Grants access according to access control policies

Question 6

A good password

Answer 6

Should withstand attacks

Question 7

How to: authentication

Answer 7

1. Passwords
   2.alternative to passwords(graphical pass, biometrics, tokens)
   3.help with passwords and other authentication mechanisms(password managers, account recovery, fallback authentication)

Question 8

Attacks on passwords: Client side

Answer 8

1. Shoulder surfing
2. Phishing and other forms of Social engineering
   3.malware
   4.password reuse across sites

Question 9

Attacks on passwords: network attacks

Answer 9

Man in the middle- attacker takes over ip address

Question 10

Password attacks: server frontend attacks

Answer 10

Online guessing- brute force/dictionary
-breadth first search-target all account
- depth first search- target specific accounts

Question 11

Attacks on password: backend server attacks

Answer 11

Offline guessing= pass cracking
- prerequisite- obtain the pass database. if pass stored in plain text and unprotected - attack done. Else if database protected, cracking it depends on form of protection.

Question 12

Protection of pass databases

Answer 12

1. Plain text storage of pass- offers no protection
2. Reversibly encrypted passwords
3. Hashed passwords

Question 13

Protection of password databases: reversibly encrypted passwords

Answer 13

-Used in practice if legacy system need pass saved in plain text
-encryption key should be protected
-if attack and key leaked then attack is successful
- if attack and key not leaked then attack is impossible

Question 14

Protection of password database: hashed passwords

Answer 14

• The idea is that the server does not store pass, only its hash.
• hash function h(password) =x is cryptographically secure.
• hash function is difficult to reverse. Knowing only h and x difficult to compute h -1(x) = password
• collision resistant: difficult to find two inputs that match to the same hash value
  -possible attacks- password cracking= online guessing
  -possible attack- precomputational- rainbow table lookup; brute force-dictionary attacks

Slow hash — to make it more difficult
Add salt- a string added to the password and than that is hashed

Question 15

How strong is strong for passwords

Answer 15

For passwords that protect against offline attacks- 10^12-10^14

For passwords that protect against online attacks 10^4-10^6

Question 16

Strong passwords

Answer 16

• Reduce risk of offline guessing only if the password database is hashed and salted.
• reduce risk of online guessing-if lockout and stealthy attack monitoring are implementer. Password can then be less strong than in the case of offline guessing.

-might reduce risk of shoulder surfing and insider guessing

• not protected from phishing attacks, client- side malware
• might increase risk of password reuse or writing down since stronger pass tend to be more difficult to remember

Question 17

Pass and human capabilities

Answer 17

• humans have a limited capacity of working memory
• item stores in memory decay over time
• unaided recall is harder than cued recall
• similar passwords get easily confused

-items linger in memory, humans cant forget old passwords

• typing errors- no feedback provided in these cases

Question 18

Why do humans share their password?

Answer 18

-practical needs- if sth happens to me…

-do this task for me

-as a sign of trust

-disabilites

Question 19

NIST password guidelines

Answer 19

For users: at least 8 characters, the longer the better

For providers:
-compare newly chosen pass with dictionaries and lists of know pass

• secure storage: slow hashing and salting (slow hashing reduces speed of cracking attacks)
• restrict nr of login attempts to 10
• password change only if justified

Question 20

Min strength of a password

Answer 20

Nminlog2C

Nmin- min length
C- character space

Question 21

Password creation policies: 3 Factors

Answer 21

1. Composition <required> C <min>. Possible classes: lower characters, upper characters, numbers, special characters.
   Min length = 8/10/12/16
   I.e. 1C8</min></required>

2.blocklist- list of prohibited strings +matching algorithm

3. Min strength estimation - novel algorithm neural network trained on leaked data order to guess the pass

Question 22

Password manager:

Answer 22

Reasonable pass policies:-rule out easily guessed pass -avoid character-class requirements -min length 8

Help users with pass mng -sso, pass managers, secure write down

Protection from online guessing - limit online guessing rate

Protection from offline-slow hashing and salting +detection of breaches

Lock out after 10 guessing attempts- detect stealthy online guessing

Be prepared- usable and secure account recovery- strategies for cases of mass breaches

dont reuse pass on important accounts

Dont reuse pass between work and home

Us aids for pass management- like password managers, secure write down

Question 23

Usability and security of of strong pass

Answer 23

Usability issues (Hard to remember;Typing errors;Do not scale to large number of account per user)

Security problems- serious attacks exist

Strong password help only protect from certain attacks

Pass strength = guessing difficulty

Guessing algorithms steadily gets better and faster

Human capabilities remain the same in dealing with passwords

Question 24

usability criteria

Answer 24

-memory-wise effortless

-scalable for users

-nothing to carry

-physically effortless-beyond pressing a button

-easy to learn and recall

-efficent to use -time

-infrequent errors

-easy recovery from loss

Question 25

Security and privacy criteria. Resilience to:

Answer 25

1. Physical observation(shoulder surfing, recording..)

2.targeted impersonation(having info from use does not help)

3.throttled guessing - guessing attempts are limited by the service provider

4.unthrottled guessing: attacker constrained only by computational resources

Internal observation( intercept users input?

Phishing

Theft of physical token

No trusted third party

Privacy protecting- does not reveal info about the user to the service provider

Question 26

Graphical pass schemes

Answer 26

1. Recognition based- cognometrics- recognize images- passfaces
2. Cued-recall-remember specific parts of an image - passpoints

3.recall-based -draw a secret line- android lock pasterns

Question 27

Passfaces- what are they?

Answer 27

Idea: people recognize faces better than they remember passwords

Authentication: 4 panels of faces are shown, one after the other. Order remains the same and each panel has fixed set of faces. Set of faces is unique per panel. Faces on panel randomly permuted.

Question 28

Pass-faces- usability and security

Answer 28

Usability- memorability, creation time, use time

Security- 9^4 password space

Can fall for non guessing attacks such as shoulder surfing, keylogin and screen capture

Scalability- more difficult to remember face for multiple sites

Question 29

Problems with graphical passwords

Answer 29

• security problems- most problems pass have also graphical pass have

-user choices are more or leas easily guessable

-still may be difficult to remember-scalability problems

• can be mixed up
• remembering 20 graphical pass would not be easier than remembering 20 text pass

Question 30

Biometrics/ implicit authentification

Answer 30

Anatomic and behavioral characteristics- finger,iris,voice—heartrate, speaking,typing

Estimated key spaces ~20 bit or 6 digit pass

Recovery from leaks- difficult or impossible

Impersonation through theft of biometric feautures

Usability- not always effortless for the user, adjust positioning, -recovery from loss difficult or impossible

Tradeoff between false positives and false negatives: usability problem: false negatives: user not recognized
False positive: attacker is recognized as user

Question 31

Tokens + 2Fa

Answer 31

Security :2fa-attacker needs both factors
1fa token- only one

If not pin protected- attacker just needs to steal tocken

If pin protected-depends on the guessability of the pin

Usability of 2fa decreases in comparison to pass

Might be faster

Less mental work

Scalability a problem

Usage of multiple devices for login, private keys cant be transferred

Question 32

Password Managers

Answer 32

• pass generator also needed- without it users create weak passwords

-there are different reasons to use PM- 1.convenience-offered by browser 2.stand-alone: used cause of security

-reasons for not using PM- unaware- nth to protect - security concerns(single point of failure)

• usability concerns: login from different device; changing passwords; recovery if PM did not save passwords;

-usability problems faced by PM users: passwords not saved; no autofill; user id not saved; automatic generated password does not fulfill password requirements; manually having to input long passwords in unsynchronized devices; fears of forgetting master password

-

Question 33

Password recovery

Answer 33

Recovery - in case of permanent loss of authentication-i.e. forgot password

Can be done through:
-personal questions
-social authentification
-email based recovery

Question 34

Social authentication

Answer 34

-Several persons hold part of a backup secret for your account- trustees dont have to be warned beforehand, receive emails with part of security code from the system-give the codes to users

Security- can fall for social engineering via phone or email

Usability- slow, might also never finish- user forget their trustees

If locked out- users need reminders, thus the attacker can also get the reminders

Social acceptability- users feel awkward bothering trustees- fear that trustee will think that the emails contain viruses

Question 35

Properties of a good authentication mechanisms

Answer 35

Security - consider frequent or devastating attacks

Privacy - do not require from user to reveal personal info

Usability-goof performance, fast and easy use and enrollment- low user effort-easy recovery