Lecture 6: 2nd October 2019 Flashcards
Authentication
What two security functions do IDs and passwords fulfill?
Identification: the ID lets a user claim to be a particular authorised user. Authentication: the password lets the system verify that claim and treat the user as that authorised user.
What is an entity?
A user or process
What do we need to determine about an entity during authentication?
What the entity knows (e.g. a password); what it possesses (a security badge or authentication token); what or who the entity is (biometrics); where the entity is (GPS position or IP address).
How do authentication systems work?
An authentication system has five parts: authentication information, A (what an entity presents to prove its identity, e.g. the password); complementary information, C (what the system stores in order to validate A, e.g. the password hash); complementation functions, F (produce C from A, e.g. the hash function); authentication functions, L (check a presented A against C and so verify the identity, e.g. the login program); and selection functions, S (let entities create or alter their authentication information and hence its complement, e.g. the change-password program).
At least one of A, C and F must be kept hidden; otherwise an attacker who knows C and F can search A for a value that F maps onto C.
What is a password space?
The set of all possible passwords, determined by the allowed character set and the permitted lengths.
What is the entropy of a password space?
A measure of how hard it is to predict a password drawn from that space; it grows with the number of possible passwords.
How can you increase the entropy of a password space?
Raise the minimum (and maximum) length a password may have, and allow more characters (a larger character set) in passwords.
How can you attack an authentication system?
Attack the authentication function L (the login check, which is always exposed because users must be able to reach it: online guessing) or the complementary information C (the stored password hashes: offline cracking once they have been obtained). These are usually the only parts of an authentication system an attacker can get at.
How can you protect against attacks on authentication functions?
Exponential back-off (after n failed attempts, lock the account for a period that grows with each further failure); lock the account completely after n failures; jailing (admit the attacker to a restricted environment so they can be observed); disable the account.
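Added example (not code from the lecture) of the back-off, lockout and disable policies on this card, written as a wrapper around the real authentication function L. The threshold, base delay and failure limit are assumed policy values chosen for illustration, and the clock is injectable so the behaviour can be checked without sleeping.

```python
import time
from dataclasses import dataclass

# Added example of the back-off / lockout / disable policies on the card;
# not code from the lecture. THRESHOLD, BASE_DELAY and MAX_FAILURES are
# assumed policy values chosen for illustration.
THRESHOLD = 3        # consecutive failures before back-off starts
BASE_DELAY = 1.0     # seconds; doubles with every further failure
MAX_FAILURES = 10    # disable the account completely at this many failures


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    disabled: bool = False


class LoginGuard:
    """Counts failed attempts per user and enforces back-off and lockout.

    The clock is injectable so the policy can be exercised without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def can_attempt(self, user):
        st = self._state(user)
        return not st.disabled and self.clock() >= st.locked_until

    def record_failure(self, user):
        """Register a failed login; return the lock applied in seconds
        (0 below the threshold, infinity once the account is disabled)."""
        st = self._state(user)
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.disabled = True
            return float("inf")
        if st.failures >= THRESHOLD:
            # exponential back-off: 1 s, 2 s, 4 s, ... from the threshold on
            delay = BASE_DELAY * 2 ** (st.failures - THRESHOLD)
            st.locked_until = self.clock() + delay
            return delay
        return 0.0

    def record_success(self, user):
        self.accounts.pop(user, None)   # a good login resets the counters


def attempt_login(guard, user, password, check):
    """Wraps the real authentication function L (check(user, password) -> bool)
    so that it is only invoked when the policy allows an attempt."""
    if not guard.can_attempt(user):
        return "locked"
    if check(user, password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "failed"
```

The caveat a practitioner should keep in mind: hard lockout and disabling let anyone who knows a username lock its legitimate owner out by deliberately failing, so exponential back-off (which only slows an attacker) is the gentler default and lockout is usually reserved for a higher failure count.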
What are some problems with password-based authentication systems?
Passwords are lost and forgotten, stolen, shared, and are often simple and reused across multiple systems.
What are hazard points?
Parts of the operation of a system which present security vulnerabilities that could be exploited
What are some hazard points concerning passwords?
Shoulder surfing (others watching as the password is typed); sniffing when it is transmitted over a network; cameras at ATMs; keyloggers; wear on the most-used keys or buttons, which reveals the digits of a PIN.
How can stored passwords be protected?
Salt and hash them: combine each password with a random per-user salt before hashing it, so that identical passwords produce different stored values and a precomputed table of hashes cannot be reused.
How can you attack password systems?
Brute-force attack: try every password in the password space (generating candidates at random or in order).
Dictionary attack: use a dictionary of words and common passwords to generate candidates that are far more likely than random strings.
How can you defend against attacks on password systems?
Allow only a limited time to log in or a limited number of attempts; salt and hash stored passwords; insist on a minimum length and other composition rules to raise entropy.
What are the pros and cons of pseudo-random generated passwords?
Harder to attack because of their greater entropy, but people forget them and are more likely to write them down, which makes other kinds of attack easier.
How can dictionary attacks try to predict passwords?
Combine dictionary words to form pronounceable passwords; append numbers and special characters, especially those the password rules require, to form likely candidates; build candidates up from phonemes.
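Added example (not from the lecture) covering the dictionary-attack cards above: it builds candidates the way the card describes (dictionary words, capitalisation, appended digits and required special characters) and runs them against an unsalted SHA-256 hash. The word list, the suffix sets and the target hash are constructed for the demonstration.

```python
import hashlib

# Added example, not lecture code: candidate generation for a dictionary
# attack (words, casing, appended digits and specials) run against an
# UNSALTED SHA-256 hash. WORDS, the suffix lists and TARGET are constructed.
WORDS = ["password", "dragon", "summer", "letmein", "monkey"]
SUFFIX_DIGITS = [""] + [str(n) for n in range(100)]      # "", "0" .. "99"
SUFFIX_SPECIALS = ["", "!", "@", "#", "$"]               # what rules usually demand


def candidates(words=WORDS):
    """Yield candidates in rough likelihood order: the plain word first, then
    capitalised and upper-case forms, each with digit/special suffixes."""
    for w in words:
        for variant in (w, w.capitalize(), w.upper()):
            for d in SUFFIX_DIGITS:
                for s in SUFFIX_SPECIALS:
                    yield f"{variant}{d}{s}"


def candidate_count(words=WORDS) -> int:
    """Size of the search: tiny compared with the nominal 94^9 space."""
    return len(words) * 3 * len(SUFFIX_DIGITS) * len(SUFFIX_SPECIALS)


def crack_unsalted(target_hex: str, words=WORDS):
    """Return (password, attempts) or (None, attempts) for an unsalted SHA-256."""
    for n, cand in enumerate(candidates(words), start=1):
        if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
            return cand, n
    return None, candidate_count(words)


# constructed target: a password following the "Word + digits + special" pattern
TARGET = hashlib.sha256(b"Summer19!").hexdigest()
```

Against the unsalted target the whole list of 7,575 candidates is exhausted in well under a second, and the same hashes would serve against every other user's record; against a salted, iterated record each candidate costs a full PBKDF2 computation and the work has to be redone for every salt.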
What is password ageing?
Forcing users to change their passwords at intervals.
What are Challenge-Response authentication mechanisms?
Protocols in which the system issues a challenge and the user must return the matching response. In the simplest form the challenges are questions with answers chosen by the user; more generally the response is a function of a shared secret applied to a fresh challenge, so that a captured response cannot be replayed.
What are one-time passwords?
Password values that authenticate once and become invalid after a single use, so that a captured or observed password is useless to an attacker.
What is password entropy?
A measure of how hard a password is to guess; it rises with the number of equally likely possibilities.
How can you calculate password entropy?
Password entropy E = log2(R^L) = L · log2(R)
R = number of distinct characters a password may contain; L = the password's length
50 or more bits gives reasonable protection from cracking. The formula assumes every character is chosen uniformly at random; a password built from dictionary words has far lower effective entropy, because a dictionary attack only has to search the words and their common variants.
What are drawn secrets?
Making users draw memorised shapes as a method of authentication.
What are the pros and cons of drawn secrets?
Easier to remember than complex passwords; unusable by the visually impaired; verifying a hand-drawn shape is technically difficult; drawings tend to be simple, central and symmetric, giving low entropy.
What are passpoints?
A system in which users choose a number of points on a background picture as markers; the locations of those points are used to authenticate them.
What are the pros and cons of passpoints?
Easy to use and remember; the fixed format removes the inconsistency in entropy that text passwords of different lengths and complexities have; but people choose pronounced, prominent features of the picture as marker points, which lowers entropy.
How do passpoints work?
Choose 5 points on a picture as your passpoints. At login the system shows the picture and challenges you to click the same points, in the same order, within some error tolerance, to be authenticated.
What are search metrics?
Ways of searching for and matching images by comparing sections of them against each other. Metrics are measures and methods of assessment, so search metrics are ways of assessing data for comparison and matching in a search.
What are loci metrics?
A search metric in which locations on an image are used to match and identify users.
What are draw metrics?
A search metric in which a drawing made by the user on a 5x5 grid is used to identify and authenticate them.
What is Passfaces?
An authentication system developed as part of a research project: the user is shown a 3x3 grid of nine faces, one of which is theirs, and clicks it; this is repeated over several rounds with a different grid each time.
What are the disadvantages of Passfaces?
People choose attractive young women rather than old women, choose faces of their own race, and so on. These psychological factors lower the entropy.
What is Wall of Faces?
A black and white collage of portrait photos put together which people click as a search metric for authentication
What are the disadvantages of Wall of Faces?
Again low entropy from human patterns: people choose central, full-face, prominent, attractive faces of their own race.
What are graphical passwords?
Authentication systems in which users choose from a collection of images as a search metric
How would people respond to adding drawings onto backgrounds as passwords?
They draw simple, central, and symmetric images; this lowers their entropy
What is tolerance?
The degree of error within which authentication is still granted
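Added example (not from the lecture) covering the "How do passpoints work?" card and the tolerance card above: it verifies a PassPoints-style click sequence against the enrolled points with a fixed error radius, and bounds the resulting password space. The number of points (5) follows the card; the tolerance radius, image size and the sample coordinates are assumed for illustration.

```python
import math

# Added example, not lecture code: verifying a PassPoints-style click sequence
# against the enrolled points within a tolerance radius, and bounding the
# password space that the tolerance leaves. N_POINTS follows the card;
# TOLERANCE_PX, the image size and the sample points are assumptions.
N_POINTS = 5
TOLERANCE_PX = 10.0


def within_tolerance(stored, clicked, tol=TOLERANCE_PX) -> bool:
    """True if the click lies within tol pixels (Euclidean) of the stored point."""
    (x1, y1), (x2, y2) = stored, clicked
    return math.hypot(x1 - x2, y1 - y2) <= tol


def verify_passpoints(stored_points, clicked_points, tol=TOLERANCE_PX) -> bool:
    """All N_POINTS clicks must land within tol of the enrolled points, in order."""
    if len(stored_points) != N_POINTS or len(clicked_points) != N_POINTS:
        return False
    return all(within_tolerance(s, c, tol)
               for s, c in zip(stored_points, clicked_points))


def cells_per_image(width, height, tol=TOLERANCE_PX) -> int:
    """Number of distinguishable target squares of side 2*tol in the image;
    clicks closer together than the tolerance are not separate passwords."""
    side = int(2 * tol)
    return (width // side) * (height // side)


def max_entropy_bits(width, height, tol=TOLERANCE_PX) -> float:
    """Upper bound on entropy if every cell were equally likely to be chosen:
    N_POINTS * log2(cells). Real users cluster on prominent features, so the
    true figure is lower."""
    return N_POINTS * math.log2(cells_per_image(width, height, tol))


# constructed enrolment and login attempts on a 640x480 picture
ENROLLED = [(120, 80), (400, 95), (260, 310), (33, 450), (510, 470)]
GOOD_ATTEMPT = [(124, 83), (396, 101), (262, 305), (30, 455), (505, 476)]
BAD_ORDER = [GOOD_ATTEMPT[1], GOOD_ATTEMPT[0]] + GOOD_ATTEMPT[2:]
```

Because matching is approximate, the enrolled coordinates in this form sit in the clear on the server; hashing them the way a text password is hashed requires a discretisation step first (snapping each click to a grid cell) so that every accepted click reproduces exactly the same value.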
Why are graphical passwords being developed?
As alternatives to PINs and text passwords: text passwords are difficult for users and flawed in the ways listed above, and PINs have very low entropy.