L5 - Authentication Flashcards
What is Authentication?
Authentication: Who are you? Prove it bitch.
Authorization: Does this requester have permission to use the resource? On whose behalf is the request being made?
We now have personal devices that are not shared across multiple users. What threats motivate the use of authentication in such devices?
a) Malware infection that may exfiltrate sensitive data
b) Loss or theft of the device
b) Loss or theft of the device
With regard to malware: if it is already on your device, user authentication doesn’t matter. The malware is already running on the device, so who is authenticating is irrelevant to it.
An attacker correctly guesses Alice’s password and logs in as her. Is this a case of…
a) False positive
b) True negative
a) False positive
A number of online banking systems send a limited lifetime PIN to your smartphone for you to be able to authenticate yourself to the bank. Is this an example of…
a) Something you have
b) Something you are
a) Something you have
Windows’ CTRL-ALT-DEL is an example of a ____.
Trusted path
If we do not have a trusted path between a user and the system, what problem may occur?
a) User is not able to log into the system
b) User may provide the password to a malicious program
b) User may provide the password to a malicious program
Could be a Trojan
In the past, hashed passwords were stored in a publicly readable file /etc/passwd. Why were shadow password files added instead of making /etc/passwd file readable to privileged users?
a) Shadow files are more efficient to access
b) There is other public information in /etc/passwd file that various utilities need
b) There is other public information in /etc/passwd file that various utilities need
The hash functions used for computing hashed password values should meet the following requirements:
a) Provide more efficient storage of password related information
b) Produce different hashed values for distinct passwords
c) Its inverse should be very hard to compute
B and C
b) Produce different hashed values for distinct passwords
c) Its inverse should be very hard to compute
Adding a random salt will ___.
Make a unique hash output for different users with the same password.
How many unique 4 digit PINs are possible:
a) 1,000
b) 100,000
c) 10,000
d) 1,000,000
c) 10,000
10^4 = 10,000
A randomly chosen password has six characters that include upper and lower case letters, digits (0-9) and 10 special characters. In the worst case, how many attempts must a brute-force method make to determine a password when its hashed value is available?
a) 6^72
b) 62^6
c) 72^6
c) 72^6
26 + 26 + 10 + 10 = 72 possible characters per position, so 72^6 attempts in the worst case.
In smartphone touch screens, pattern based passwords are used to unlock the device. It is believed that such patterns are not random and there is a bias in where users start. This can be explained by …
a) Users often start at a random point but then fall back to a common pattern
b) There is a bias in starting at a point near the top left of the screen
c) The ease of moving from current to next point introduces bias
B and C
b) There is a bias in starting at a point near the top left of the screen
c) The ease of moving from current to next point introduces bias
A multi-factor authentication method will likely reduce false positives:
a) True
b) False
a) True
An attacker who is able to log in as you causes a false positive.
Although a “something you have” based authentication method avoids problems associated with passwords, it could also be prone to attacks. What is the main weakness that is illustrated here?
a) Lost cards
b) Cloning of cards
c) Vulnerabilities in implementation
c) Vulnerabilities in implementation
Biometric authentication based on fingerprints can be hacked if an attacker can gain access to a user’s fingerprint. Can a similar attack be mounted if voice biometric authentication is used?
a) Yes
b) No
a) Yes
Someone can record your voice, or build a model of it.