P1L4: Authentication Flashcards
What is authentication?
Who are you and prove it
What is authorization?
Does this requester have permission to access this resource?
Authentication goals
Availability: When the correct credentials are presented, the resources should be made available.No false negatives: A false negative is when a process presents the correct credentials, but access is denied.No false positives: A false positive is if the incorrect credentials are presented, but access is given.
How is authentication implemented?
Something only the user knows: password, pinSomething the user has: token, smart card, etc.Something the user is: fingerprint, iris scan, etc.
To authenticate
- capture evidence2. compare it3. authenticate it
Examples of threats to authentication system
–guessing PW–impersonating a real login program (ie a trojan horse)–keylogging: grabs keystrokes to record password
Trusted Path
Connection between the user and the TCB. Should be provided by the OS and hardware.
Trusted Login Path
Keyboard and display must have trusted paths to OS
Implementing PW authentication: Method 1
Store a list of passwords, one for each user in the system.
Implementing PW authentication Method 2
Do not store passwords, but store something that is derived from them. (ie use a one-way hash function and store the result)
Hash function threats: Assume one-way property
If we know common passwords, we can determine their hash.
Hash function threats: Dictionary attacks
The program has a dictionary of common passwords and try each one (brute force). Requires access to hash values and lots of time to test for matches.
Hash function threats: Offline attacks
Take the dictionary of common passwords and compute the hash values for each. Then search the hash file offline for any matching hashes.
T/F: Hackers can acquire publicly available software that can do 10^8 MD5 hashes/sec on a GPU
True
What is two users pick the same password?
A random number is added to the password, which will make the hash values different. this means that you will have to store the salt with the hash values.
T/F: Hash function is fast, which makes it harder to crack.
False. Slow makes it difficult to crack via brute force.
Problem with passwords
–As password length and complexity increases, usability suffers–Phishing and social engineering take advantage of the face that users do not often authenticate who is asking for their password.–Once a password is stolen, it can be used many times.–Humans have a hard time remembering lots of passwords. Usable passwords are easy to guess.
Sys Admin
–Never store passwords in the clear–Only store hashed values and use a random salt–Avoid general purpose fast hash functions
Users
–Use a password manager
Something you have
User must have it. Token, smart cards, etc. Problems include: user must have it, additional HW may be required, increased cost.
Something you are
Biometric methods (ie keystroke dynamics, voice, retina scans, fingerprints)
Static biometric methods
–Retina scans–Fingerprints–Face recognition
Dynamic biometric methods
–Handwriting–Keystroke dynamics–Voice –Behavior
Multi-factor authentication
Combination of the 3 factors:–Something you know–Something you have–Something you are
Authentication over a network
–Remote services require authentication over a network. NOT a trusted path. Crypto helps.
In a bio-metric scheme some physical characteristic of the individual is mapped into a digital representation. T/F
True
User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic. T/F
False, message authentication
Identification is the means of establishing the validity of a claimed identity provided by a user. T/F
False, Verification
False, Verification
Depending on the application, user authentication on a bio-metric system involves either verification or identification. T/F
True
Each individual who is to be included in the database of authorized users must first be _____ in the system.
Enrolled
The _____ strategy is when users are told the importance of using hard to guess passwords and provided with guidelines for selecting strong passwords.
User Education
Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the _____.
Verification Step
A _____ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.
Reactive password checking
What is Reactive Password Checking?
A strategy in which the system periodically runs its own password cracker to find guessable passwords.
Recognition by fingerprint, retina and face are examples of _____.
Static biometrics
In a _________ attack an application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, pass-code or bio-metric.
Trojan Horse
Objects that a user possesses for the purpose of user authentication are called _____
tokens
An authentication process consists of the ________ step and the verification step
Identification
What processes are part of the Authentication process?
Identification and Verification
_______ in the context of passwords, refers to an adversary’s attempt to learn the password by observing the user, finding a written copy of the password, or some similar attack that involves the physical proximity of user and adversary.
Eavesdropping
Voice pattern, handwriting characteristics and typing rhythm are examples of _______ bio-metrics.
dynamic
What is the Identification step do?
Its presenting an identifier
What does the Verification step do?
Proves you are who you say you are
What is a Shadow Password File?
File where hashed passwords are saved separate from user id
What does a Proactive password checker do?
Can’t make a password unless it is strong enough
What is a Rainbow Table?
Large table of hash values of common passwords
What is a “Salt”?
Random value added before hashing in case people pick the same passwords
What are tokens for?
Something a user has used to identify and verify
What are the two types of Biometrics? Provide examples of each.
Static: Always the same like fingerprint, iris..
Dynamic: Can be variable, voice recognition or handwriting
What is a Replay attack?
Repeating a previously captured
user response
