P1L4: Authentication

Question 1

What is authentication?

Answer 1

Who are you and prove it

Question 2

What is authorization?

Answer 2

Does this requester have permission to access this resource?

Question 3

Authentication goals

Answer 3

Availability: When the correct credentials are presented, the resources should be made available.No false negatives: A false negative is when a process presents the correct credentials, but access is denied.No false positives: A false positive is if the incorrect credentials are presented, but access is given.

Question 4

How is authentication implemented?

Answer 4

Something only the user knows: password, pinSomething the user has: token, smart card, etc.Something the user is: fingerprint, iris scan, etc.

Question 5

To authenticate

Answer 5

1. capture evidence2. compare it3. authenticate it

Question 6

Examples of threats to authentication system

Answer 6

–guessing PW–impersonating a real login program (ie a trojan horse)–keylogging: grabs keystrokes to record password

Question 7

Trusted Path

Answer 7

Connection between the user and the TCB. Should be provided by the OS and hardware.

Question 8

Trusted Login Path

Answer 8

Keyboard and display must have trusted paths to OS

Question 9

Implementing PW authentication: Method 1

Answer 9

Store a list of passwords, one for each user in the system.

Question 10

Implementing PW authentication Method 2

Answer 10

Do not store passwords, but store something that is derived from them. (ie use a one-way hash function and store the result)

Question 11

Hash function threats: Assume one-way property

Answer 11

If we know common passwords, we can determine their hash.

Question 12

Hash function threats: Dictionary attacks

Answer 12

The program has a dictionary of common passwords and try each one (brute force). Requires access to hash values and lots of time to test for matches.

Question 13

Hash function threats: Offline attacks

Answer 13

Take the dictionary of common passwords and compute the hash values for each. Then search the hash file offline for any matching hashes.

Question 14

T/F: Hackers can acquire publicly available software that can do 10^8 MD5 hashes/sec on a GPU

Answer 14

True

Question 15

What is two users pick the same password?

Answer 15

A random number is added to the password, which will make the hash values different. this means that you will have to store the salt with the hash values.

Question 16

T/F: Hash function is fast, which makes it harder to crack.

Answer 16

False. Slow makes it difficult to crack via brute force.

Question 17

Problem with passwords

Answer 17

–As password length and complexity increases, usability suffers–Phishing and social engineering take advantage of the face that users do not often authenticate who is asking for their password.–Once a password is stolen, it can be used many times.–Humans have a hard time remembering lots of passwords. Usable passwords are easy to guess.

Question 18

Sys Admin

Answer 18

–Never store passwords in the clear–Only store hashed values and use a random salt–Avoid general purpose fast hash functions

Question 19

Users

Answer 19

–Use a password manager

Question 20

Something you have

Answer 20

User must have it. Token, smart cards, etc. Problems include: user must have it, additional HW may be required, increased cost.

Question 21

Something you are

Answer 21

Biometric methods (ie keystroke dynamics, voice, retina scans, fingerprints)

Question 22

Static biometric methods

Answer 22

–Retina scans–Fingerprints–Face recognition

Question 23

Dynamic biometric methods

Answer 23

–Handwriting–Keystroke dynamics–Voice –Behavior

Question 24

Multi-factor authentication

Answer 24

Combination of the 3 factors:–Something you know–Something you have–Something you are

Question 25

Authentication over a network

Answer 25

–Remote services require authentication over a network. NOT a trusted path. Crypto helps.

Question 26

In a bio-metric scheme some physical characteristic of the individual is mapped into a digital representation. T/F

Answer 26

True

Question 27

User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic. T/F

Answer 27

False, message authentication

Question 28

Identification is the means of establishing the validity of a claimed identity provided by a user. T/F
False, Verification

Answer 28

False, Verification

Question 29

Depending on the application, user authentication on a bio-metric system involves either verification or identification. T/F

Answer 29

True

Question 30

Each individual who is to be included in the database of authorized users must first be _____ in the system.

Answer 30

Enrolled

Question 31

The _____ strategy is when users are told the importance of using hard to guess passwords and provided with guidelines for selecting strong passwords.

Answer 31

User Education

Question 32

Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the _____.

Answer 32

Verification Step

Question 33

A _____ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.

Answer 33

Reactive password checking

Question 34

What is Reactive Password Checking?

Answer 34

A strategy in which the system periodically runs its own password cracker to find guessable passwords.

Question 35

Recognition by fingerprint, retina and face are examples of _____.

Answer 35

Static biometrics

Question 36

In a _________ attack an application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, pass-code or bio-metric.

Answer 36

Trojan Horse

Question 37

Objects that a user possesses for the purpose of user authentication are called _____

Answer 37

tokens

Question 38

An authentication process consists of the ________ step and the verification step

Answer 38

Identification

Question 39

What processes are part of the Authentication process?

Answer 39

Identification and Verification

Question 40

_______ in the context of passwords, refers to an adversary’s attempt to learn the password by observing the user, finding a written copy of the password, or some similar attack that involves the physical proximity of user and adversary.

Answer 40

Eavesdropping

Question 41

Voice pattern, handwriting characteristics and typing rhythm are examples of _______ bio-metrics.

Answer 41

dynamic

Question 42

What is the Identification step do?

Answer 42

Its presenting an identifier

Question 43

What does the Verification step do?

Answer 43

Proves you are who you say you are

Question 44

What is a Shadow Password File?

Answer 44

File where hashed passwords are saved separate from user id

Question 45

What does a Proactive password checker do?

Answer 45

Can’t make a password unless it is strong enough

Question 46

What is a Rainbow Table?

Answer 46

Large table of hash values of common passwords

Question 47

What is a “Salt”?

Answer 47

Random value added before hashing in case people pick the same passwords

Question 48

What are tokens for?

Answer 48

Something a user has used to identify and verify

Question 49

What are the two types of Biometrics? Provide examples of each.

Answer 49

Static: Always the same like fingerprint, iris..
Dynamic: Can be variable, voice recognition or handwriting

Question 50

What is a Replay attack?

Answer 50

Repeating a previously captured

user response