P1L4 Authentication Flashcards
What is authentication?
Who are you and prove it
What is authorization?
Does this requester have permission to access this resource?
Authentication goals
Availability: When the correct credentials are presented, the resources should be made available.
No false negatives: A false negative is when a legitimate user presents the correct credentials, but access is denied.
No false positives: A false positive is when incorrect credentials are presented, but access is granted anyway.
How is authentication implemented?
Something only the user knows: password, PIN
Something the user has: token, smart card, etc.
Something the user is: fingerprint, iris scan, etc.
To authenticate
- capture the evidence (e.g. the typed password, the token response, the fingerprint scan)
- compare it against the reference value stored for that user
- grant or deny access based on the result of the comparison
Examples of threats to authentication system
- guessing the password (online, one attempt at a time, or offline against stolen hashes)
- impersonating a real login program (i.e. a trojan horse that captures the password)
- keylogging: grabs keystrokes to record the password as it is typed
Trusted Path
Connection between the user and the TCB (Trusted Computing Base) that an untrusted program cannot intercept or spoof. Should be provided by the OS and hardware.
Trusted Login Path
Keyboard and display must have trusted paths to OS
Implementing PW authentication: Method 1
Store a list of passwords in the clear, one for each user in the system. Weakness: anyone who can read the file (compromise, backup, insider) learns every user's password.
Implementing PW authentication Method 2
Do not store passwords, but store something that is derived from them (i.e. use a one-way hash function and store the result). At login, hash the presented password and compare it with the stored value.
Hash function threats: Assume one-way property
Even if the hash cannot be inverted, it can be computed forward: if we know common passwords, we can compute their hashes and compare them against the stored values.
Hash function threats: Dictionary attacks
The program has a dictionary of common passwords and tries each one (a guided form of brute force). Requires access to the hash values and lots of time to hash each guess and test for matches.
Hash function threats: Offline attacks
Take the dictionary of common passwords and compute the hash value for each one ahead of time. Then search the stolen hash file offline for any matching hashes; the hashing work is done once and reused against every account in the file.
T/F: Hackers can acquire publicly available software that can do 10^8 MD5 hashes/sec on a GPU
True
What if two users pick the same password?
Without a salt, their hash values are identical, so cracking one cracks both and precomputed hash tables work against every account. Fix: a random number (the salt) is added to the password before hashing, which makes the hash values different. This means the salt must be stored alongside the hash value so the login check can recompute it.
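The following is an added example, not part of the original flashcards, that works through Method 2, the offline dictionary attack, and the salt fix from the cards above. The user accounts and the five-word "dictionary" are constructed stand-ins; SHA-256 is used only because it is in the Python standard library (a real password store would use a deliberately slow hash, see the note after the code). The function names are mine.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob deliberately share a password.
USERS = {"alice": "password123", "bob": "password123", "carol": "xK9#vQ2p!w"}

# Constructed stand-in for a real wordlist of common passwords.
DICTIONARY = ["123456", "password", "qwerty", "password123", "letmein"]


def hash_unsalted(password: str) -> str:
    """Method 2 as the card states it: store only H(password)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Store H(salt || password); the salt is random per user and kept beside the hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_unsalted_file(users: dict) -> dict:
    """Password file without salts: user -> H(password)."""
    return {u: hash_unsalted(p) for u, p in users.items()}


def build_salted_file(users: dict) -> dict:
    """Password file with salts: user -> (salt, H(salt || password)).
    Each user gets 16 fresh random bytes from os.urandom."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hash_salted(p, salt))
    return out


def verify(password: str, entry: tuple) -> bool:
    """Login check against a salted entry: recompute with the stored salt and compare.
    hmac.compare_digest avoids leaking the match position through timing."""
    salt, stored = entry
    return hmac.compare_digest(hash_salted(password, salt), stored)


def offline_attack_unsalted(hash_file: dict) -> tuple:
    """Precompute H(word) once per dictionary word, then look up every stored hash
    in that table. Returns (cracked user -> password, number of hashes computed)."""
    table = {hash_unsalted(w): w for w in DICTIONARY}
    cracked = {u: table[h] for u, h in hash_file.items() if h in table}
    return cracked, len(DICTIONARY)


def offline_attack_salted(hash_file: dict) -> tuple:
    """With per-user salts no table can be shared: every (user, word) pair must be
    hashed separately. Returns (cracked user -> password, number of hashes computed)."""
    cracked = {}
    computed = 0
    for u, (salt, stored) in hash_file.items():
        for w in DICTIONARY:
            computed += 1
            if hash_salted(w, salt) == stored:
                cracked[u] = w
                break
    return cracked, computed


if __name__ == "__main__":
    unsalted = build_unsalted_file(USERS)
    print("unsalted: alice and bob hashes identical:", unsalted["alice"] == unsalted["bob"])
    print("unsalted attack (cracked, hashes computed):", offline_attack_unsalted(unsalted))
    salted = build_salted_file(USERS)
    print("salted: alice and bob hashes identical:", salted["alice"][1] == salted["bob"][1])
    print("salted attack (cracked, hashes computed):", offline_attack_salted(salted))
    print("login alice/password123:", verify("password123", salted["alice"]))
    print("login alice/wrong:", verify("wrong", salted["alice"]))
```

Running it shows the point of the cards: without salts, alice and bob have the same stored hash and five precomputed hashes crack both of them at once; with salts, the two hashes differ and the attacker must hash every dictionary word separately for every user (13 hashes here instead of 5), and the precomputed table is useless. Salt does not stop guessing a weak password outright, it only removes the shared precomputation; to make each guess expensive, production systems replace the single SHA-256 with a slow, tunable password hash such as bcrypt, scrypt, Argon2, or PBKDF2 (`hashlib.pbkdf2_hmac` in the standard library), so the 10^8 hashes/sec figure on the card no longer applies.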