L7 - Identification & Authentication Flashcards
What are the two steps to authentication?
Identification and authentication
In the steps of authentication, what is identification's role?
To announce who you are.
In the steps of authentication, what is authentication's role?
To prove who you are.
What are the four ways of authenticating a user identity based on?
Something…:
* the individual knows
* the individual possesses
* the individual is
* the individual does
The four ways of authenticating a user
Something the individual knows refers to what?
E.g. password, PIN, or answers to prearranged questions, etc.
The four ways of authenticating a user identity
Something the individual possesses refers to what?
Token
E.g. smartcard, electronic keycard, physical key, etc.
The four ways of authenticating a user
Something the individual is refers to what?
Static biometrics
E.g. fingerprints, retina, face, etc.
The four ways of authenticating a user
Something the individual does refers to what?
Dynamic biometrics
E.g. voice pattern, handwriting, typing rhythm, etc.
What is multifactor authentication?
It’s authentication that combines two of the types above, e.g. entering a password and providing a token.
What is password authentication?
It’s a shared secret between the user and the system. The user provides the system with:
- credentials (a user-ID)
- a password
The system then compares the password with the stored password for that credential.
What does a user-ID provide?
- Determination of whether the user is authorized to access the system
- User privileges
- Also used in discretionary access control
Passwords are vulnerable against what types of attacks?
- Offline dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against a single user
- Workstation hijacking
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring
How could you protect a password file?
By using:
* Cryptographic protection
* Access control enforced by the operating system
* A combination of both of the above, with further measures to slow down dictionary attacks
What is cryptographic protection?
Cryptography provides for secure communication in the presence of malicious third-parties. Encryption uses an algorithm and a key to transform an input (i.e., plaintext) into an encrypted output (i.e., ciphertext).
What is a one-way function?
A one-way function is a function which is relatively easy to compute but hard to reverse.
Given an input x it is easy to compute f(x), but given an output y it is hard to find an x such that y = f(x).
How does a one-way function work?
Instead of storing the password x, the value f(x) is stored. When the user logs in with a password x’, the system computes f(x’) and its output should match what’s stored.
How does password salting work?
Before hashing a password, a salt is added to the end of the password; this slows down dictionary attacks. If two users have the same password, they now have different hash values after the salt is added, so they also have separate entries in the password file.
What are the different password selection strategies?
- User education
- Computer generated passwords
- Reactive password checking
- Complex password policy
What does user education entail?
Informing users of the importance of creating hard to crack passwords and guidelines for selecting strong passwords.
Computer generated passwords are hard to crack, but are there drawbacks for the users?
A computer-generated password can be very hard to remember, which could result in it being written down on a piece of paper.
What is reactive password checking?
The system periodically runs its own password cracker in order to find weak or guessable passwords.
What is the complex password policy?
The user is allowed to select their own password; however, the system checks whether the password is allowable, and if not, the password is rejected.
What is the goal of the complex password policy?
The goal is to eliminate guessable passwords while the user is still allowed to select a password which is easy for them to remember.
What are the proactive password checks?
- Rule enforcement
- Password checker
- Bloom filter
What is rule enforcement?
proactive password checks
Specific rules which passwords must adhere to in order to be selected.
What is a password checker?
proactive password checks
A large compiled dictionary of passwords not to use.
What is a Bloom filter?
proactive password checks
A filter used to build a table based on hash values; a desired password is then checked against this table.
What is a spoofing attack?
password
It’s an attack where a user’s password is sent to a party with whom they have no actual desire to share the password. It’s often done by misleading the user into entering their password in a field they believe belongs to a trusted party.
How can a spoofing attack be countered?
- By using a trusted path
- Displaying the number of failed logins
- Mutual authentication
What is the trusted path?
It’s a way of guaranteeing that the user communicates with the operating system and not with a spoofing program.
Pressing Ctrl + Alt + Delete on Windows is an example of a trusted path.
What can be done in mutual verification?
- Exchanging secret codes in both directions.
- Showing a personalized picture
- SSL Extended Validation Certificate
What is TLS used for?
It is a newer version of SSL that encrypts the data sent over the network.
Transport Layer Security*
What is SSL used for?
It’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details.
Secure Sockets Layer*
What is shoulder surfing?
It’s when a threat agent gains knowledge of a password by watching a screen or keyboard.
A countermeasure for this is to hide typed characters and replace them with dots.
What is single sign-on?
It’s a service intended to help you manage logging in so that you only have to enter a password once. Since all passwords are stored in one place it’s convenient, but it could also raise new security concerns.
What is token authentication?
It’s a process of identifying that a user is who they claim to be by presenting a token.
What are some common tokens?
Token authentication
- Magnetic stripe
- Memory cards
- Smart cards, contact or contactless.
How does token authentication work?
When prompted, the user has to present their physical token to the designated reader. Whoever holds the token will have all of its rights, regardless of whether they are the intended user of the token.
What differentiates memory cards and smart cards from each other?
- Memory card: stores but does not process data; contains internal electronic memory.
- Smart card: has an electronic interface, may use smart token protocols, and contains an entire microprocessor.
What are the types of biometric systems?
Static
* Facial characteristics
* Fingerprints
* Hand geometry
* Retinal pattern
* Iris
Dynamic
* Signature
* Voice
What is the cost over effectiveness for facial characteristics?
Cost = cost to implement, accuracy = effective recognition
Low cost, low accuracy
What is the cost over effectiveness for fingerprint?
Cost = cost to implement, accuracy = effective recognition
below average cost, above average accuracy
What is the cost over effectiveness for hand geometry?
Cost = cost to implement, accuracy = effective recognition
high cost, low accuracy
What is the cost over effectiveness for retinal pattern?
Cost = cost to implement, accuracy = effective recognition
above average cost, average accuracy (same as fingerprint).
What is the cost over effectiveness for iris?
Cost = cost to implement, accuracy = effective recognition
high cost, high accuracy
What is the cost over effectiveness for signature?
Cost = cost to implement, accuracy = effective recognition
high cost, low accuracy
What is the cost over effectiveness for voice?
Cost = cost to implement, accuracy = effective recognition
high cost, low accuracy
How does the operation of a biometric system work?
It’s separated into three phases: enrollment, verification, and identification.
What is enrollment?
operation of a biometric system
It is the collection of a user’s biometric; the biometric is then stored in a database for comparison in future authentications.
What is verification?
operation of a biometric system
It’s when the user presents the same biometric data that was stored at enrollment; the biometric is then compared to see if there is a match for the given user.
What is identification?
operation of a biometric system
It’s when the biometric is used to identify the user from a database of N persons.
What are some common problems in biometric systems?
- If there is a match above a predefined threshold, a user is accepted.
- False positives and false negatives.
What is equal-error rate?
It’s the point at which the false match rate is equal to the false non-match rate.
When is biometrics a good option?
- Uniqueness checking for detecting duplicate identities. Example: voter registration or welfare applications.
- Low-security applications using a low FNMR: such as fingerprint or face recognition in smartphones.
- High-security authentication: as a secondary security measure to reduce FMR and increase the difficulty of misuse.