Auth and Passwords

Question 1

Main Objectives(CANADAA)

Answer 1

1. Authentication(identity) crypto
2. Authorisation(permission)
3. Confidentiality(encryption) crypto
4. Data Integrity(unmodified) crypto
5. Accountability(responsibility)
6. Availability(access)
7. Non repudiation(undeniability) crypto

Question 2

3 types of Auth

Answer 2

1. Something you know
2. Something you have
3. Something you are

Question 3

Something you know(1)

Answer 3

1. Passwords

Question 4

2 Advantages of passwords

Answer 4

1. simple to implement
2. easy to understand

Question 5

2 Disadvantages of passwords

Answer 5

1. Users do not choose strong passwords
2. can be exposed to keyloggers

Question 6

How hackers crack passwords(2steps)

Answer 6

1. sniff and extract password hash
2. Store common passwords with precomputed hashes in dictionaries

Question 7

Solution against keyloggers

Answer 7

One Time Passwords, new password each time log in, something you have

Question 8

Something you have(3)

Answer 8

1. OTP cards
2. Smart cards
3. ATM cards

Question 9

OTP cards

Answer 9

• new password on card each time user logs in
• server verifies password
• password only generated when user enters PIN

Question 10

Smart cards

Answer 10

• tamper resistant, breaks when cracked open physically
• smart card challenges smart card reader, then user enters PIN

Question 11

Smart card 2 -ves

Answer 11

1. Smart card reader must be trusted
2. Smart card power consumption reveals contents stored

Question 12

ATM cards

Answer 12

• magnetic strip on back of card stores data for auth

Question 13

Problem and Solution for ATM cards

Answer 13

magnetic strip easy to copy
Sol: holograms/ other hard to copy elements on the cards

Question 14

Something you are(Biometric)(7)

Answer 14

1. Palm Scan
2. Iris Scan
3. Retina Scan
4. Fingerprint
5. Voice
6. Face
7. Signature

Question 15

Palm Scan

Answer 15

-measures size of hand and fingers + curves
-better than fingerprint scans

Question 16

Iris Scan + 2 +ves

Answer 16

-camera takes picture of iris and store features
+ve:
1. more socially acceptable
2. less intrusive

Question 17

Retina Scan

Answer 17

-infrared light shot into user eyes and creates a signature based on retinal blood vessels

Question 18

Fingerprint + 2 -ves

Answer 18

-reader scans curves of fingerprint
-ve:
1. not socially acceptable(crime)
2. less info than palm scan

Question 19

Face

Answer 19

-facial recognition after taking picture

Question 20

Voice + 1 -ve

Answer 20

-electronic coded signals of voice compared to databank for match
-ve:
1. easy to bypass

Question 21

Signature + 1 +ve

Answer 21

-records signature, pressure, timing
+ve:
difficult to replicate

Question 22

Problems with Biometrics(4) + Solution

Answer 22

1. False Positive
2. False Negative
3. Varying social acceptance, less than password
4. Key management issues, cannot revoke key and supposed to be unique. Key once revealed can be abused for impersonation
   Sol: passwords: easily changed

Question 23

+ve of Biometrics

Answer 23

1. Convenient

Question 24

Bypassing fingerprint readers

Answer 24

1. Cloning using glass surfaces
2. Rubber fingers, NOT issue with security personnel presence

Question 25

Internet Auth(3)

Answer 25

1. Client Auth: server verifies client
2. Server Auth: client verifies server
3. Mutual Auth: client and server verifies each other
   - TLS/SSL in https support all three
   - cheap to set up spoofed websites

Question 26

Final Notes about Auth

Answer 26

• combining auth moethods more effective
• 2FA: 2 out of 3 auth methods
• should keep 2 verification methods separated physically

Question 27

Auth Protocol(2)

Answer 27

1. Weak/Simple Auth: one entity proves identity by giving up secret
2. Strong Auth: Mutual Auth: both parties claimant and verifier, challenge response protocols, prove knowledge of secret without giving up secret