P1L4 Authentication Flashcards

1
Q

What is authentication?

A

Who are you and prove it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is authorization?

A

Does this requester have permission to access this resource?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Authentication goals

A

Availability: When the correct credentials are presented, the resources should be made available.
No false negatives: A false negative is when a process presents the correct credentials, but access is denied.
No false positives: A false positive is if the incorrect credentials are presented, but access is given.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

How is authentication implemented?

A

Something only the user knows: password, pin
Something the user has: token, smart card, etc.
Something the user is: fingerprint, iris scan, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

To authenticate

A
  1. capture evidence
  2. compare it
  3. authenticate it
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Examples of threats to authentication system

A
  • -guessing PW
  • -impersonating a real login program (ie a trojan horse)
  • -keylogging: grabs keystrokes to record password
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Trusted Path

A

Connection between the user and the TCB. Should be provided by the OS and hardware.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Trusted Login Path

A

Keyboard and display must have trusted paths to OS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Implementing PW authentication: Method 1

A

Store a list of passwords, one for each user in the system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Implementing PW authentication Method 2

A

Do not store passwords, but store something that is derived from them. (ie use a one-way hash function and store the result)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Hash function threats: Assume one-way property

A

If we know common passwords, we can determine their hash.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Hash function threats: Dictionary attacks

A

The program has a dictionary of common passwords and try each one (brute force). Requires access to hash values and lots of time to test for matches.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Hash function threats: Offline attacks

A

Take the dictionary of common passwords and compute the hash values for each. Then search the hash file offline for any matching hashes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

T/F: Hackers can acquire publicly available software that can do 10^8 MD5 hashes/sec on a GPU

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is two users pick the same password?

A

A random number is added to the password, which will make the hash values different. this means that you will have to store the salt with the hash values.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

T/F: Hash function is fast, which makes it harder to crack.

A

False. Slow makes it difficult to crack via brute force.

17
Q

Problem with passwords

A
  • -As password length and complexity increases, usability suffers
  • -Phishing and social engineering take advantage of the face that users do not often authenticate who is asking for their password.
  • -Once a password is stolen, it can be used many times.
  • -Humans have a hard time remembering lots of passwords. Usable passwords are easy to guess.
18
Q

Sys Admin

A
  • -Never store passwords in the clear
  • -Only store hashed values and use a random salt
  • -Avoid general purpose fast hash functions
19
Q

Users

A

–Use a password manager

20
Q

Something you have

A

User must have it. Token, smart cards, etc. Problems include: user must have it, additional HW may be required, increased cost.

21
Q

Something you are

A

Biometric methods (ie keystroke dynamics, voice, retina scans, fingerprints)

22
Q

Static biometric methods

A
  • -Retina scans
  • -Fingerprints
  • -Face recognition
23
Q

Dynamic biometric methods

A
  • -Handwriting
  • -Keystroke dynamics
  • -Voice
  • -Behavior
24
Q

Multi-factor authentication

A

Combination of the 3 factors:

  • -Something you know
  • -Something you have
  • -Something you are
25
Q

Authentication over a network

A

–Remote services require authentication over a network. NOT a trusted path. Crypto helps.