Auth and Passwords Flashcards

1
Q

Main Objectives (CANADAA)

A
  1. Authentication (identity) crypto
  2. Authorisation (permission)
  3. Confidentiality (encryption) crypto
  4. Data Integrity (unmodified) crypto
  5. Accountability (responsibility)
  6. Availability (access)
  7. Non-repudiation (undeniability) crypto
2
Q

3 types of Auth

A
  1. Something you know
  2. Something you have
  3. Something you are
3
Q

Something you know (1)

A
  1. Passwords
4
Q

2 Advantages of passwords

A
  1. simple to implement
  2. easy to understand
5
Q

2 Disadvantages of passwords

A
  1. Users do not choose strong passwords
  2. can be exposed to keyloggers
6
Q

How hackers crack passwords (2 steps)

A
  1. sniff and extract the password hash
  2. look up the hash in dictionaries of common passwords with precomputed hashes
7
Q

Solution against keyloggers

A

One Time Passwords: a new password each time the user logs in (something you have)

8
Q

Something you have (3)

A
  1. OTP cards
  2. Smart cards
  3. ATM cards
9
Q

OTP cards

A
  • new password on the card each time the user logs in
  • server verifies the password
  • password only generated when the user enters a PIN
10
Q

Smart cards

A
  • tamper resistant: breaks when cracked open physically
  • smart card challenges the smart card reader, then the user enters a PIN
11
Q

Smart card: 2 -ves

A
  1. Smart card reader must be trusted
  2. Smart card power consumption reveals the stored contents
12
Q

ATM cards

A
  • magnetic stripe on the back of the card stores data for auth
13
Q

Problem and Solution for ATM cards

A

magnetic stripe is easy to copy
Sol: holograms / other hard-to-copy elements on the cards

14
Q

Something you are (Biometric) (7)

A
  1. Palm Scan
  2. Iris Scan
  3. Retina Scan
  4. Fingerprint
  5. Voice
  6. Face
  7. Signature
15
Q

Palm Scan

A

-measures size of hand and fingers + curves
-better than fingerprint scans

16
Q

Iris Scan + 2 +ves

A

-camera takes a picture of the iris and stores its features
+ve:
1. more socially acceptable
2. less intrusive

17
Q

Retina Scan

A

-infrared light is shone into the user's eyes and creates a signature based on the retinal blood vessels

18
Q

Fingerprint + 2 -ves

A

-reader scans the curves of the fingerprint
-ve:
1. not socially acceptable (associated with crime)
2. less info than a palm scan

19
Q

Face

A

-facial recognition after taking a picture

20
Q

Voice + 1 -ve

A

-electronically coded signals of the voice are compared against a databank for a match
-ve:
1. easy to bypass

21
Q

Signature + 1 +ve

A

-records signature, pressure, timing
+ve:
difficult to replicate

22
Q

Problems with Biometrics (4) + Solution

A
  1. False Positive
  2. False Negative
  3. Varying social acceptance, less than passwords
  4. Key management issues: the key cannot be revoked and is supposed to be unique. Once revealed, the key can be abused for impersonation
    Sol: passwords are easily changed
23
Q

+ve of Biometrics

A
  1. Convenient
24
Q

Bypassing fingerprint readers

A
  1. Cloning using glass surfaces
  2. Rubber fingers; NOT an issue when security personnel are present
25
Q

Internet Auth (3)

A
  1. Client Auth: server verifies client
  2. Server Auth: client verifies server
  3. Mutual Auth: client and server verify each other
    - TLS/SSL in HTTPS supports all three
    - cheap to set up spoofed websites
26
Q

Final Notes about Auth

A
  • combining auth methods is more effective
  • 2FA: 2 out of 3 auth methods
  • the 2 verification methods should be kept physically separate
27
Q

Auth Protocol (2)

A
  1. Weak/Simple Auth: one entity proves its identity by giving up a secret
  2. Strong Auth (Mutual Auth): both parties are claimant and verifier; challenge-response protocols prove knowledge of a secret without giving it up