ch 11 Flashcards
what are the type of authenticating credentials
Where you are, what you have, what you are, what you know, what you do
what is the biggest weakness to passwords
human memory
Attacks that can be used to discover passwords:
Attacks on Passwords
Phishing, shoulder surfing, dumpster diving
-Social engineering
Keylogger, protocol analyzer
Man-in-the-middle and replay attacks
Capturing
Attacker gains physical access to computer and resets password
-Resetting
Method used by most password attacks today
Attackers steal file of password digests
Compare with their own digests they have created
-Offline attack
Every possible combination of letters, numbers, and characters used to create encrypted passwords and matched against stolen file
Slowest, most thorough method
Brute force
(NTLM)
New Technology LAN Manager
What kind of attack is it when an attacker who can steal the digest of an NTLM password does not need to try to break it?
He would simply pretend to be the user and send that hash to the remote system to be authenticated
Known as a pass-the-hash attack
A more targeted brute force attack that uses placeholders for characters in certain positions of the password
Mask Attack
Conducts a statistical analysis on the stolen passwords that is used to create a mask to break the largest number of passwords
Rule Attack
Attacker creates digests of common dictionary words
Compares against stolen digest file
Dictionary Attack
Two key stretching algorithms
bcrypt and PBKDF2
When a user is using more than one type of authentication credential
Multifactor authentication
Using just one type of authentication credential; the most common form of authentication
Single-factor authentication
(OTP)
Used to create a one-time password
Authentication code that can be used only once or for a limited period of time
One-time password (OTP)
where is the hardware token generally
Typically a small device with a window display
where is the software token generally stored
Stored on a general-purpose device like a laptop computer or smartphone
(TOTP)
Time-based one-time password
(HOTP)
HMAC-based one-time password
Two types of OTPs
Time-based one-time password (TOTP)
HMAC-based one-time password (HOTP)
(PIV)
Personal Identity Verification
The smart card standard covering all U.S. government employees
Personal Identity Verification (PIV)
what is a Contact card
A “pad” that allows electronic access to chip contents
Contactless cards (proximity cards)
Uses a person’s unique physical characteristics for authentication
Face, hand, or eye characteristics are used to authenticate
Standard biometrics
Retinal scanner uses the human retina as a biometric identifier
Maps the unique patterns of a retina by directing a beam of low-energy infrared (IR) light into a person’s eye
Specialized Biometric Scanners
what fingerprint scanner takes a picture and compares with image on file
Static fingerprint scanner
what fingerprint scanner uses a small slit or opening
Dynamic fingerprint scanner
Voice recognition uses a standard computer microphone to identify users based on the unique characteristics of a person’s voice
Standard Input Devices
Biometric Disadvantages
Cost of hardware scanning devices; readers have some amount of error (reject authorized users, accept unauthorized users); biometric systems can be “tricked”
(FAR)
False acceptance rate
(FRR)
False rejection rate
what is it called when someone else can log into your device
(FAR) False acceptance rate
what is it called when a user cannot log into their own device
(FRR) False rejection rate
(CER)
crossover error rate
what is it called when FAR and FRR happen equally often
(CER) crossover error rate
Relates to perception, thought process, and understanding of the user
Easier for user to remember because it is based on user’s life experiences
Difficult for an attacker to imitate
Cognitive biometrics
(PGA)
Picture password/Picture Gesture Authentication
Users select a picture to use for which there should be at least 10 “points of interest” that could serve as “landmarks” or places to touch
(PGA) Picture password/Picture Gesture Authentication
Authenticates by normal actions the user performs
Keystroke dynamics
Attempts to recognize user’s typing rhythm
Behavioral biometrics
time it takes to press and release a key
Dwell time
time between keystrokes
Flight time
The identification of the location of a person or object using technology
Geolocation
(FIM)
federated identity management
Using a single authentication credential shared across multiple networks
federated identity management (FIM)
(SSO)
Single sign-on (SSO)
Examples of popular SSOs:
OAuth (used the most), OpenID Connect, and Shibboleth
Microsoft Windows group password settings
Password Policy Settings
Account Lockout Policy
is managed by what?
assign privileges by group (group policy)
A two-way relationship that is automatically created between parent and child domains in a Microsoft Active Directory Forest
Transitive trust