Password Authentication

Question 1

What are the two standard security functions?

Answer 1

IDentification of yourself as an authorised user

Authentication of yourself to the system as that user

Question 2

What is an entity?

Answer 2

A user or a process in a system

Question 3

What do we need to determine about the entity for authentication?

Answer 3

What the entity knows - Password, Secret
What the entity has - badge, token
What the entity is - biometrics
where the entity is - IP, Geo Location

Question 4

What is Gollman’s principle of security?

Answer 4

It is important to determine which layer of the system the security mechanism should be placed at.

IE: Applicaiton, OS, Kernel, Hardware…

Question 5

What must a system store about an entity or principal in order to allow authentication?

Answer 5

Set of authentication information
Set of complementary information
Set of complementary functions
Set of authentication functions
Set of selection functions

Question 6

What is the set of authentication information and what is it used for?

Answer 6

The set of specific information required by entities to prove their identity (Passwords, tokens etc.)

This is used to bind an entity to an identity.

Question 7

What is the set of complementary information and what is it used for?

Answer 7

Information stored on the system to validate the authentication information.

Question 8

What are the complementary functions used for?

Answer 8

These functions generate the complementary information given the authentication information

Question 9

What is the set of authentication functions?

Answer 9

These are the functions that verify identity by returning whether or not the login criteria has been met.

Question 10

What is the set of selection functions?

Answer 10

Set of functions that allow an entity to create or alter the authentication and complementation functions, such as change passwords or request a new ID.

Question 11

What is the password space?

Answer 11

The set of all password (all chars, in every combination, that can be in a password)

Question 12

What is an attack vector in almost all modern public systems?

Answer 12

Authentication functions are always available and therefore always an attack vector

Question 13

What are some protection mechanisms for authentication functions?

Answer 13

Exponential backoff: Wait time is x^n-1 for each n attempts.

Disconnection after N attempts

Jailing: Disable the account after N unsuccessful attempts.

Question 14

What are the problems with using passwords?

Answer 14

Loss
Disclosure - either stolen or given
User - more passwords needed but same used across many sites.
Revocation - Disclosure of password to admin.

Question 15

What are the hazard points of physical password entry?

Answer 15

Shoulder surfing

Interception of transmissions over the network

Keyboards can be adapted

Door entry pins etc have erosion and grease marks

Question 16

How can the storage of passwords be protected?

Answer 16

Encrypt password file

Store one-way hash of the password

Question 17

What are the attacks on password systems?

Answer 17

Brute force attack

Dictionary attack

Question 18

What is a brute force attack on passwords?

Answer 18

A brute force attack is an attack that uses repeated trial and error with a random password generator.

Question 19

What is a dictionary attack on passwords?

Answer 19

Common word list or word seed function is used to test common words for the password.

Question 20

What are the possible defences against password attacks?

Answer 20

Allowing finite login attempts

Insisting on rules such as seeding or increasing the password space by requiring numbers, special characters etc.

Question 21

Why does increasing the password length and not allowing common passwords improve security?

Answer 21

Takes more time to guess as the password space increases

Question 22

What do users tend to make password choices on?

Answer 22

Username
Real name
Computer name
Dictionary words
Reversed dictionary words

Question 23

What is a challenge-response?

Answer 23

A challenge-response protects users if an attack has taken place by changing the input required to authenticate each time to confirm identity.

Challenge-response is coupled with the user’s password and hashed, then compared at the server side to authenticate.

Question 24

What is password entropy?

Answer 24

The size of the password space. The higher the entropy, the harder it is to crack the password.