P1L4 Authentication

Question 1

What is authentication?

Answer 1

Who are you and prove it

Question 2

What is authorization?

Answer 2

Does this requester have permission to access this resource?

Question 3

Authentication goals

Answer 3

Availability: When the correct credentials are presented, the resources should be made available.
No false negatives: A false negative is when a process presents the correct credentials, but access is denied.
No false positives: A false positive is if the incorrect credentials are presented, but access is given.

Question 4

How is authentication implemented?

Answer 4

Something only the user knows: password, pin
Something the user has: token, smart card, etc.
Something the user is: fingerprint, iris scan, etc.

Question 5

To authenticate

Answer 5

1. capture evidence
2. compare it
3. authenticate it

Question 6

Examples of threats to authentication system

Answer 6

• -guessing PW
• -impersonating a real login program (ie a trojan horse)
• -keylogging: grabs keystrokes to record password

Question 7

Trusted Path

Answer 7

Connection between the user and the TCB. Should be provided by the OS and hardware.

Question 8

Trusted Login Path

Answer 8

Keyboard and display must have trusted paths to OS

Question 9

Implementing PW authentication: Method 1

Answer 9

Store a list of passwords, one for each user in the system.

Question 10

Implementing PW authentication Method 2

Answer 10

Do not store passwords, but store something that is derived from them. (ie use a one-way hash function and store the result)

Question 11

Hash function threats: Assume one-way property

Answer 11

If we know common passwords, we can determine their hash.

Question 12

Hash function threats: Dictionary attacks

Answer 12

The program has a dictionary of common passwords and try each one (brute force). Requires access to hash values and lots of time to test for matches.

Question 13

Hash function threats: Offline attacks

Answer 13

Take the dictionary of common passwords and compute the hash values for each. Then search the hash file offline for any matching hashes.

Question 14

T/F: Hackers can acquire publicly available software that can do 10^8 MD5 hashes/sec on a GPU

Answer 14

True

Question 15

What is two users pick the same password?

Answer 15

A random number is added to the password, which will make the hash values different. this means that you will have to store the salt with the hash values.

Question 16

T/F: Hash function is fast, which makes it harder to crack.

Answer 16

False. Slow makes it difficult to crack via brute force.

Question 17

Problem with passwords

Answer 17

• -As password length and complexity increases, usability suffers
• -Phishing and social engineering take advantage of the face that users do not often authenticate who is asking for their password.
• -Once a password is stolen, it can be used many times.
• -Humans have a hard time remembering lots of passwords. Usable passwords are easy to guess.

Question 18

Sys Admin

Answer 18

• -Never store passwords in the clear
• -Only store hashed values and use a random salt
• -Avoid general purpose fast hash functions

Question 19

Users

Answer 19

–Use a password manager

Question 20

Something you have

Answer 20

User must have it. Token, smart cards, etc. Problems include: user must have it, additional HW may be required, increased cost.

Question 21

Something you are

Answer 21

Biometric methods (ie keystroke dynamics, voice, retina scans, fingerprints)

Question 22

Static biometric methods

Answer 22

• -Retina scans
• -Fingerprints
• -Face recognition

Question 23

Dynamic biometric methods

Answer 23

• -Handwriting
• -Keystroke dynamics
• -Voice
• -Behavior

Question 24

Multi-factor authentication

Answer 24

Combination of the 3 factors:

• -Something you know
• -Something you have
• -Something you are

Question 25

Authentication over a network

Answer 25

–Remote services require authentication over a network. NOT a trusted path. Crypto helps.