Lecture 3 Flashcards
The authentication process consists of two broad steps:
Identification Step
- Presenting an identifier to the security system
Verification Step
- Presenting authentication information that corroborates the binding between the entity and identifier
Means of Authentication
- Something the individual KNOWS (passwords, PIN, answers)
- Something the individual POSSESSES, TOKEN (smartcard, electronic keycard, physical key)
- Something the individual IS, STATIC BIOMETRICS (fingerprint, retina, face)
- Something the individual DOES, DYNAMIC BIOMETRICS (voice patterns, handwriting)
What is password authentication and what does an ID determine?
- Used in defence against intruders
- Requires login/password
- System compares password with the one stored in the system
The user ID determines:
- Whether the user is authorised to gain access
- Determines user’s privileges
- Any discretionary control
Password vulnerabilities
- Offline dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against a single user
- Workstation hacking
- Exploiting user’s mistakes
- Exploiting password reuse
- **Electronic monitoring**
What are Countermeasures?
Controls and prevents unauthorised access
- Intrusion detection measures
- Account lockout mechanisms
- Automatic workstation logout
Policies against passwords on network devices
Password Implementation schemes
- Hashed Passwords
- Unix Implementation
UNIX Implementation
- Original scheme
- 8 printable characters in length
- 12-bit salt used to modify **DES encryption**
Improved Implementation
- Stronger hash/salt scheme available for Unix
- Recommended hash function: MD5
- Password length is unlimited
- Produces a 128-bit hash
What is Password cracking?
Dictionary attacks
- Develop a large dictionary of possible passwords and try each against the password file
- Each candidate password must be hashed using the salt value and compared to the stored hash values
Rainbow table attacks
- Pre-compute tables of each hash value for all salts
- A huge table of hash values
- Can be countered using a large salt value and a **large hash length**
What is Password File Access Control?
- Can thwart offline guessing attacks by denying access to the encrypted passwords
- Make them available only to privileged users
- Shadow password file
Vulnerabilities of passwords
- Weakness in the OS allows access to files
- Accidental permissions making the file readable
- Users using the same passwords
- Access from backup media
- Sniff passwords in network traffic
- Workstation vulnerabilities
- Password guessing
Password Selection Techniques
User education
- Users are told the importance of hard-to-guess passwords and are given guidelines for choosing strong passwords
Computer generated passwords
- Users have trouble remembering them
Reactive password checking
- System runs its own password cracker to find guessable passwords
Proactive password checking
- Users are allowed to select their own passwords; the system checks whether the password is allowable and rejects it if not.
- Eliminate guessable passwords
Proactive Password Checking is?
Rule Enforcement
- Specific rules you need to adhere to
Password cracker
- Compile a **large dictionary** of passwords not to use
Bloom Filter
- Build a table of hashes from the dictionary
- Check desired password against the table
Token authentication for: Memory Card and Smart Cards
Memory Cards
Uses a magnetic stripe card
Can be used alone for physical access
- Hotel room
- ATM
Provides greater security
Drawbacks: Loss of token, special reader
Smart Cards
- Looks like a bank card (can also look like a calculator or a key)
- Interface: electronic display
Biometric Authentication (Examples)
Authenticating a user using unique physical characteristics
- Based on pattern recognition
- Complex and expensive
Includes:
- Facial characteristics
- Fingerprints
- Hand geometry
- Retina pattern
- Signature
- Voice