Chapter 2 - Identification and Authentication Flashcards

1
Q

What is identification?

A

The claim of what someone or something is.

2
Q

What is authentication?

A

Establishes whether this claim is true. We can see such processes taking place on a daily basis in a wide variety of ways.

3
Q

What is identity verification?

A

Is a step between identification and authentication, in which the identity is verified in some way. This is a step better than just a claim, but not an authentication. For example, a driver’s license is an identity verification, to help in showing the name given is true.

4
Q

What else is identity verification used in, besides in personal interactions?

A

Computer systems. In many cases, such as when we send an email, the identity we provide is taken to be true, without any additional steps taken to authenticate us.

5
Q

What are authentication factors?

A

There are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use.

6
Q

What is the benefit of using more factors?

A

When attempting to authenticate a claim, the more we use, the more positive our results will be.

7
Q

What are the five factors?

A

Something you know

Something you are

Something you have

Something you do

Where you are

8
Q

This factor is very common.

It can include passwords, PINs, passphrases, etc.

Which one is it?

A

Something you know

9
Q

This factor includes an item or device, although this factor can extend into some logical concepts as well. We can see such factors in general use in the form of ATM cards, state or federally issued identity cards, or software-based security tokens.

Which is it?

A

Something you have: A factor generally based on the physical possession of an item or device.

10
Q

This factor can be based on simple attributes, such as height, weight, hair color, or eye color.

More reliable methods include fingerprints, iris or retina patterns, or facial characteristics.

A

Something you are: A factor based on the relatively unique physical attributes of an individual.

11
Q

What are biometrics?

A

Another name for “something you are”.

12
Q

What factor is based on physical presence at a location or locations?

A

Where you are: A geographically based authentication factor. This factor operates differently than the other factors, as its method of authentication depends on the person being authenticated being present at a particular location.

13
Q

What method is based on actions or behaviours of an individual?

A

Something you do, sometimes considered a variation of something you are, is a factor based on actions or behaviours.

This includes a person’s gait, measurement of multiple factors in his or her handwriting, the time delay between keystrokes as he or she types a pass phrase, or similar factors.

14
Q

What is multifactor authentication?

A

Uses one or more of the factors we discussed in the preceding section. This practice is also referred to, in some cases, as two-factor authentication.

15
Q

What is mutual authentication?

A

Refers to an authentication mechanism in which both parties authenticate each other.

In the standard process, which is a one-way authentication, the client authenticates to the server to prove that it is the party that should be accessing the resources the server provides.

In mutual authentication, not only does the client authenticate to the server, but the server authenticates to the client as well.

Digital certificates are often used to accomplish mutual authentication.

16
Q

Without mutual authentication, what do we leave ourselves open to?

A

Impersonation attacks, often referred to as “man-in-the-middle” attacks. In these, the attacker inserts himself between the client and the server and impersonates the server to the client, and the client to the server.

This becomes considerably more difficult when mutual authentication is in place.

17
Q

Reversing the process of verifying an identity with biometrics, we can do what?

A

We can use biometrics as a method of identification.

18
Q

When using biometrics as a method of identification or verification, we need to do what beforehand?

A

We must put the user through the enrollment process. This involves recording the chosen biometric characteristic from the user, so that it can be later matched in the system.

19
Q

What are the seven characteristics of biometric factors?

A

Universality

Uniqueness

Permanence

Collectability

Performance

Acceptability

Circumvention

20
Q

The biometric factor characteristic “universality” is defined by what?

A

Universality stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system.

For example, use of a fingerprint may be hindered if someone does not have a particular finger anymore.

21
Q

The biometric factor characteristic “uniqueness” is defined by what?

A

Uniqueness is a measure of how unique a particular characteristic is among individuals. For example, if we choose to use height or weight as a biometric identifier, we would stand a very good chance of finding several people in any given group who are of the same height or weight.

22
Q

What is permanence?

A

Permanence is a characteristic of a biometric factor:

Permanence tests show how well a particular characteristic resists change over time and with advancing age. If we choose a factor that can easily vary, such as height, weight, or hand geometry, we will eventually find ourselves in the position of not being able to authenticate a legitimate user.

23
Q

What is collectability?

A

Collectability is a characteristic of a biometric factor:

Collectability measures how easy it is to acquire a characteristic with which we can later authenticate a user. Most commonly used biometrics, such as fingerprints, are relatively easy to acquire, and this is one reason they are in common use. If we choose a characteristic that is more difficult to acquire, such as a footprint, the user will need to remove his shoe and sock in order to enroll.

24
Q

What is performance?

A

Is a characteristic of biometric factors:

Performance is a set of metrics that judge how well a given system functions. Such factors include speed, accuracy, and error rate. We will discuss the performance of biometric systems at greater length later in this section.

25
Q

What is acceptability?

A

Acceptability is a characteristic of a biometric factor:

A measure of how acceptable the particular characteristic is to the users of the system. In general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user. Systems that require users to remove their clothes, touch devices that have been repeatedly used by others, or provide tissue or bodily fluids will likely not enjoy a high degree of acceptability.

26
Q

What is circumvention?

A

Circumvention is a characteristic of a biometric factor:

Circumvention describes the ease with which a system can be tricked by a falsified biometric identifier. The classic example of a circumvention attack against the fingerprint as a biometric identifier is found in the “gummy finger”. In this type of attack, a fingerprint is lifted from the surface, potentially in a covert fashion, and is used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.

27
Q

What do we use to measure performance of a biometric system?

A

False Acceptance Rate (FAR)

False Rejection Rate (FRR)

Equal Error Rate (EER)

28
Q

What is a False Acceptance Rate?

A

Occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.

29
Q

What is a False Rejection Rate?

A

Is a problem of rejecting a legitimate user when we should have accepted her. This type of issue is commonly known outside the biometrics world as a false negative.

30
Q

What is an Equal Error Rate?

A

What we try to achieve with biometric systems is a balance between false positives and false negatives; this is found in the EER, which is the intersection of FRR and FAR.

31
Q

What are the issues found in biometric systems?

A

Biometrics can be easily forged.

Privacy issues

False biometrics left in systems.

32
Q

What is a hardware token?

A

A standard hardware token is a small device, typically in the general form factor of a credit card or keychain fob. The simplest hardware tokens look identical to a USB flash drive and contain a small amount of storage holding a certificate or unique identifier, and are often called dongles. More complex hardware tokens incorporate LCD displays, as shown in Figure 2.4, keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.

Hardware tokens represent the something you have authentication factor.

33
Q

If we are using an identity card as the basis for our authentication scheme, what steps might we add to the process in order to allow us to move to multifactor authentication?

A

Different factors are: (1) something you know, (2) something you are, (3) something you have, (4) something you do, and (5) the place you are.
So the answers might be:
– identity card (factor-3) and PIN numbers (factor-1)
– identity card (factor-3) and different types of biometrics (factor-2 or factor-4)
– identity card (factor-3) and location information (factor-5)
– or any combination of the above.

34
Q

If we are using an 8-character password that contains only lowercase characters, would increasing the length to 10 characters represent any significant increase in strength?

A

For this question, it should be discussed that the strength of the password increases as one increases the number of characters. However, this is not a significant increase because it is just one dimension, i.e. we only play with the number of characters. To make it significantly stronger, we need to bring in other dimensions such as the case used (lower case vs upper case), the use of not only letters but numbers and/or symbols, etc.

35
Q

What factors might we use when implementing a multifactor authentication scheme for users who are logging on to workstations that are in a secure environment and are used by more than one person?

A

For this question, look for some creativity in terms of the 5 factors used. Again the factors are: (1) something you know, (2) something you are, (3) something you have, (4) something you do, and (5) the place you are.

36
Q

If we are developing a multifactor authentication system for an environment where we might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might we want to use or avoid? Why?

A

For this question, again look for some creativity in terms of the 5 factors used. There should be a good discussion of what to avoid in terms of factors. Of course this should depend on the unique solution presented.