authentication

Question 1

authentication

Answer 1

identifies a global or local identity

Question 2

eg global id

Answer 2

passport number

Question 3

e.g. local id

Answer 3

student number

Question 4

authentication factors

Answer 4

what the user knows, is and has
allows you to prove your identity to a system

Question 5

knowledge based authentication

Answer 5

have to share information with the authentication system

Question 6

what are some examples of knowledge based authentication

Answer 6

passwords
pins
pass phrase
personal data
word association

Question 7

what is an alternative to textual passwords

Answer 7

graphical passwords

Question 8

graphical passwords

Answer 8

interacting with images
e.g. passmap or unlock patterns
can select images draw on an image or select parts of an image

Question 9

advantages of knowledge based authentication

Answer 9

cheap
easily revoked
widely used and accepted by users
high security potential (long passwords harder to remember)

Question 10

disadvantages of knowledge based authentication

Answer 10

user accountability
no privilege control once shared
not aware when leaked
password may be leaked to an untrustworthy host
eavesdropping and illicit capture
can be captured by a masquerade/phishing company

Question 11

how are textual passwords cracked

Answer 11

determine which hash function has been used
decide which attempt to use (brute force/ dictionary attack)
acquire recourses (brute force requires a storage device)

Question 12

in what context do we use brute force for textual password cracking

Answer 12

to attempts all possible combinations for a particular account
may take many years

Question 13

in what context do we use dictionary attacks for textual password cracking

Answer 13

checks most likely passwords for many accounts

Question 14

how do we crack graphical passwords

Answer 14

using brute force as there’s a limited password space
can use smudge attacks from the touch screen

Question 15

what are the benefits of using one time passwords

Answer 15

not reused so phishing and eavesdropping isn’t possible
most require access to another device that only the user has

Question 16

what are the 3 forms of possession based authentication (user has )

Answer 16

magnetic strip card
smart cards
one shot password token

Question 17

smart card

Answer 17

secure storage of data
contents cant be modified or copied without authorisation
has processing and data storage capabilities due to the imbedded processor (computer chip)

Question 18

magnetic strip card

Answer 18

contains identification information and a signature on the back
mostly used by banking systems

Question 19

magnetic strip card positives

Answer 19

universally accepted
cheap to produce

Question 20

magnetic strip card negatives

Answer 20

limited security and functionality as they’re easy to counterfit

Question 21

what are the two methods of using one shot password tokens

Answer 21

synchronised password
challenge response system

Question 22

synchronised password (tokens)

Answer 22

a synchronised password generator produces the same sequence of random passwords in a token and host

Question 23

what is the process behind synchronised password tokens

Answer 23

the user needs to put the correct pin into the token to display the otp
the system clock is included in the algorithm to calculate the otp ensuring time sensitivity and uniqueness
the user can now input the otp to authenticate
failure if there’s a loss of synchronisation between the clocks

Question 24

challenge response system (tokens)

Answer 24

one party presents a challenge and the other must provide a valid answer

Question 25

what is the process behind challenge response system

Answer 25

the user and system have a secret key the user logs on and the host generates a random number (challenge) and displays it the user enter their pin into the token followed by the challenge the response is computed as a cryptographic one way function using the secret key and pin which is displayed on the token the user puts the response into the terminal the host creates its own function based on the key and pin stored with the users id and if they match then the user is granted access

Question 26

benefits of possession based authentication (user has )

Answer 26

attacker must have the token users cant share the token token can be combined with other methods e.g. otp aware of if the token has been lost and must report it illegal token possession is evidence

Question 27

disadvantages of possession based authentication (user has )

Answer 27

cost of the token plus the reading and checking mechanism admin work; distributing, recording, lost token reporting, destruction, replacement of expired tokens

Question 28

biometric based authentication (user is)

Answer 28

biometrics; automated methods of verifying and recognising a person based on physical and behavioural characheristics

Question 29

examples of physical biometrics

Answer 29

measurements from the human body fingerprint/face/iris/retina recognition

Question 30

examples of behavioural biometrics

Answer 30

measurements from actions voice/signature recognition keystroke/touch dynamics