L7 - Identification & Authentication Flashcards
What are the two steps to authentication?
Identification and authentication
In the steps of authentication what is identifications role?
To announce who you are.
In the steps of authentication what is authentications role?
You prove who you are.
What are the four ways of authenticating a user identity based on?
Something…:
* the individual knows
* the individual possesses
* the individual is
* the individual does
The four ways of authenticating a user
Something the individual knows refers to what?
E.g. password, PIN or answers to prearranged questions, etc.
The four ways of authenticating a user identity
Something the individual possesses refers to what?
Token
E.g. smart card, electronic keycard, physical key, etc.
The four ways of authenticating a user
Something the individual is refers to what?
Static biometrics
E.g. fingerprints, retina, face, etc.
The four ways of authenticating a user
Something the individual does refers to what?
Dynamic biometrics
E.g. voice pattern, handwriting, typing rhythm, etc.
What is multifactor authentication?
It’s authentication that combines two of the types above, e.g. entering a password and providing a token.
What is password authentication?
It’s a shared secret between user and system. The user provides the system with:
- credentials
- password
The system then compares the password with the stored password for that credential.
What does a user-ID provide?
- Determination of whether the user is authorized to access the system
- User privileges
- Also used in discretionary access control
Passwords are vulnerable against what types of attacks?
- Offline dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against a single user
- Workstation hijacking
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring
How could you protect a password file?
By using:
* Cryptographic protection
* access control enforced by the operating system
* a combination of both of the above, with further measures to slow down dictionary attacks
What is cryptographic protection?
Cryptography provides for secure communication in the presence of malicious third-parties. Encryption uses an algorithm and a key to transform an input (i.e., plaintext) into an encrypted output (i.e., ciphertext).
What is a one-way function?
A one-way function is a function that is relatively easy to compute but hard to reverse.
Given an input x it is easy to compute f(x), but given an output y it is hard to find an x such that y = f(x).
How does a one-way function work?
Instead of storing the password x, the value f(x) is stored. When a user logs in with a password x’, the function f(x’) is computed and its output should match what’s stored.
How does password salting work?
Before a password is hashed, a salt is added to the end of it; this slows down dictionary attacks. If two users have the same password, they now have different hash values after the salt is added, so they also have separate entries.
What are the different password selection strategies?
- User education
- Computer generated passwords
- Reactive password checking
- Complex password policy
What does user education entail?
Informing users of the importance of creating hard to crack passwords and guidelines for selecting strong passwords.
Computer generated passwords are hard to crack, but are there drawbacks for the users?
A computer generated password can be very hard to remember, which could result in it being written on a piece of paper.
What is reactive password checking?
The system periodically runs its own password cracker in order to find weak/guessable passwords.
What is the complex password policy?
The user is allowed to select their own password, but the system checks whether the password is allowable; if not, the password is rejected.