Lecture 6: 2nd October 2019

Question 1

What two security functions do IDs and passwords fulfill?

Answer 1

Allows users to identify themselves (claim to be) an authorised user, and allows a system to authenticate them as that user.

Question 2

What is an entity?

Answer 2

A user or process

Question 3

What do we need to determine about an entity during authentication?

Answer 3

What the entity knows (e.g. a password) and possesses (security badge or authentication token); what/whom the entity is (biometrics); where the entity is (GPS or IP)

Question 4

How do authentication systems work?

Answer 4

Authentication systems have authentication info, A (info required for entities to prove identities and binds them); complementary info, C (validates A); complementation functions, F (make C from A); authentication functions, L (verify identity); selection functions, S (allow entities to alter the authentication info or complementary function).

At least one of A, C, and F should be hidden.

Question 5

What is a password space?

Answer 5

The set of all possible passwords: character set.

Question 6

What is the entropy of a password space?

Answer 6

How difficult it is to predict what a password is - increases as there are more possible passwords.

Question 7

How can you increase the entropy of a password space?

Answer 7

Increase the minimum and maximum number of characters passwords can hold and allow more characters in them.

Question 8

How can you attack an authentication system?

Answer 8

Attack the authentication function (always visible) or complementary info. Since these are password checking and passwords respectively and usually the only public parts of an authentication system.

Question 9

How can you protect against attacks on authentication functions?

Answer 9

Use an exponential back-off (after n failed tries, lock for an increasing amount each time); lock completely after n failed turns; use termed jailing; disable accounts.

Question 10

What are some problems with password-based authentication systems?

Answer 10

Passwords are lost and forgotten, stolen, shared, and are often simple and used across multiple systems

Question 11

What are hazard points?

Answer 11

Parts of the operation of a system which present security vulnerabilities that could be exploited

Question 12

What are some hazard points concerning passwords?

Answer 12

shoulder surfing (others watching them being typed); sniffing when transmitted over networks; cameras at ATMs; keyloggers; more often used keys/buttons more worn so show you most used PIN digits

Question 13

How can stored passwords be protected?

Answer 13

SALT and hash them.

Question 14

How can you attack password systems?

Answer 14

brute force attack: try all passwords from random generator

dictionary attack: use a dictionary or common words to form more likely passwords than random characters

Question 15

How can you defend against attacks on password systems?

Answer 15

Allow a finite amount of time to login or a limited number of attempts; SALT and hash passwords; insist on the length and other rules to increase entropy

Question 16

What are the pros and cons of pseudo-random generated passwords?

Answer 16

Harder to attack as greater entropy. But people may forget and will be more likely to write them down, which makes other types of attack more easy.

Question 17

How can dictionary attacks try to predict passwords?

Answer 17

Combine words to form pronounceable passwords. Append numbers and special chars, esp if required in password rules, to form possible passwords. Can also build them up from phonemes.

Question 18

What is password ageing?

Answer 18

Forcing users to change their passwords at intervals.

Question 19

What are Challenge-Response authentication mechanisms?

Answer 19

Protocols to identify users using questions and answers chosen by the users

Question 20

What are one-time passwords?

Answer 20

Valid (authenticating) password values that become redundant after one use.

Question 21

What is password entropy?

Answer 21

How difficult it is to predict a password - increases as there are more possible passwords.

Question 22

How can you calculate password entropy?

Answer 22

password entropy, E = log 2 (R ^ L)

R = no of unique characters that can be in a password
L = length of your password

50+ bits a reasonable level of protection from cracking. Entropy lowered with word breakdowns from the dictionary attacks

Question 23

What are drawn secrets?

Answer 23

Making users draw memorised shapes as a method of authentication.

Question 24

What are the pros and cons of drawn secrets?

Answer 24

Easier to remember than complex passwords; visually impaired can’t use; it’s technically difficult to verify shapes; drawings generally simple, central, and symmetric: low entropy

Question 25

What are passpoints?

Answer 25

A system made involving users choosing a number of points on a picture background as markers, whose locations are used to authenticate them.

Question 26

What are the pros and cons of passpoints?

Answer 26

Easy to use and remember; forced format removes inconsistency with entropies found in passwords of different lengths and complexities; people choose pronounced and prominent features as marker points, lowering entropy

Question 27

How do passpoints work?

Answer 27

Choose 5 points on a picture as your passpoints. When logging in again system challenges you and you must choose same points (+ some error tolerance) to be authenticated.

Question 28

What are search metrics?

Answer 28

Different ways of searching and matching images by checking sections of them against each other. Metrics are measures and methods of assessment. Search metrics are therefore ways of assessing data for comparison and matching in a search.

Question 29

What are loci metrics?

Answer 29

A search metric in which locations on an image are used to match and identify users.

Question 30

What are draw metrics?

Answer 30

A search metric in which drawings by users onto a 5x5 grid are used to identify and authenticate them

Question 31

What is Passfaces?

Answer 31

An authentication system developed as part of a research project involving a 9x9 grid of people's faces, one of which you click each time.

Question 32

What are the disadvantages of Passfaces?

Answer 32

People choose pretty young women, other than old women, and people choose their own race, etc. Psychological factors lowering entropy.

Question 33

What is Wall of Faces?

Answer 33

A black and white collage of portrait photos put together which people click as a search metric for authentication

Question 34

What are the disadvantages of Wall of Faces?

Answer 34

Again low entropy from human patterns. People will choose central, full, prominent, attractive faces of the same race.

Question 35

What are graphical passwords?

Answer 35

Authentication systems in which users choose from a collection of images as a search metric

Question 36

How would people respond to adding drawings onto backgrounds as passwords?

Answer 36

They draw simple, central, and symmetric images; this lowers their entropy

Question 37

What is tolerance?

Answer 37

The degree of error within which authentication is still granted

Question 38

Why are graphical passwords being developed?

Answer 38

As alternatives to PINs and text passwords. They are difficult and flawed and PINs have very low entropy