Authentication Flashcards
Confidentiality
Protect data from unauthorized access
Integrity
Protect data from unauthorized changes
Availability
Make data available on request to authorized entities
Mental models
The image of the world inside our head
Authorization
Builds on identification (user ID) and authentication (e.g. a password); grants access according to access-control policies
A good password
Should withstand the attacks it is meant to protect against (in particular online and offline guessing, see the attack classes below)
How to: authentication
1. Passwords
2. Alternatives to passwords (graphical passwords, biometrics, tokens)
3. Help with passwords and other authentication mechanisms (password managers, account recovery, fallback authentication)
Attacks on passwords: client side
1. Shoulder surfing
2. Phishing and other forms of social engineering
3. Malware (e.g. a keylogger on the client)
4. Password reuse across sites (a breach at one site exposes the account at every other site)
Attacks on passwords: network attacks
Man in the middle: the attacker inserts themselves between client and server (e.g. by spoofing or taking over an IP address) and reads or relays the password in transit
Attacks on passwords: server frontend attacks
Online guessing: brute-force / dictionary guesses submitted to the login interface
- Breadth-first search: try a few likely passwords against all accounts (also called password spraying)
- Depth-first search: try many passwords against specific accounts
Attacks on passwords: backend server attacks
Offline guessing = password cracking
- Prerequisite: obtain the password database. If passwords are stored in plain text and unprotected, the attack is done. If the database is protected, cracking it depends on the form of protection.
Protection of password databases
- Plain-text storage of passwords: offers no protection
- Reversibly encrypted passwords
- Hashed passwords
Protection of password databases: reversibly encrypted passwords
- Used in practice when a legacy system needs the plaintext password back
- The encryption key must be protected (kept separate from the database, e.g. in an HSM or key store)
- If the database and the key both leak, the attack succeeds
- If only the database leaks, the attacker cannot recover passwords without breaking the cipher
Protection of password databases: hashed passwords
- The server does not store the password, only its hash
- The hash function h with h(password) = x is cryptographically secure:
- One-way: knowing only h and x, it is hard to compute a password with h(password) = x
- Collision resistant: it is hard to find two inputs that map to the same hash value
- Possible attack: password cracking = offline guessing (the attacker hashes candidate passwords and compares with the stolen hashes)
- Possible attack: precomputation (rainbow-table lookup); brute-force / dictionary attacks
Slow hash
A deliberately expensive hash function (e.g. bcrypt, scrypt, Argon2, PBKDF2) so that every guess costs the attacker real time and memory
Salt
A random per-user string stored alongside the hash and combined with the password before hashing; it defeats precomputed tables and makes equal passwords produce different hashes, so each user must be cracked separately
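The following is an added example (not from the flashcards) showing why the card prefers salted slow hashing: a fast unsalted SHA-256 store beside a salted scrypt store, a verifier with a constant-time compare, and a dictionary attack against both. The leaked databases, the wordlist, the scrypt parameters and the `scrypt$N$r$p$salt$digest` record layout are constructed for the demo.

```python
import hashlib
import hmac
import os

# scrypt work factors are assumed demo values (not from the card); production
# deployments tune them to the server's memory/time budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16


def fast_unsalted_hash(password):
    """Weak scheme: one fast hash, no salt. Equal passwords give equal digests,
    so one pass over a dictionary (or a precomputed table) cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted slow hash. The stored record carries the parameters and the salt
    (assumed layout "scrypt$N$r$p$salt_hex$digest_hex") so the verifier can
    recompute the digest later."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the digest with the stored salt/parameters; constant-time compare."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed "leaked" password databases and wordlist (not real data).
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2"]
LEAKED_UNSALTED = {u: fast_unsalted_hash(p) for u, p in USERS.items()}
LEAKED_SALTED = {u: hash_password(p) for u, p in USERS.items()}


def crack_unsalted(records, dictionary):
    """Hash the dictionary once (a tiny rainbow-table stand-in) and look up every
    record. Returns (cracked users, number of hash evaluations)."""
    table = {fast_unsalted_hash(w): w for w in dictionary}
    found = {user: table[h] for user, h in records.items() if h in table}
    return found, len(dictionary)


def crack_salted(records, dictionary):
    """With per-user salts nothing can be precomputed or shared: every word must be
    re-hashed for every user, and each evaluation is slow."""
    found, work = {}, 0
    for user, stored in records.items():
        for word in dictionary:
            work += 1
            if verify_password(word, stored):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, DICTIONARY))
    print("salted:  ", crack_salted(LEAKED_SALTED, DICTIONARY))
```

Both attacks recover alice's and bob's weak password, but against the unsalted store five hash evaluations cover the whole database (and alice and bob are visibly the same), whereas the salted store costs five slow evaluations per user and hides that they share a password.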
How strong is strong for passwords?
Passwords that must withstand offline attacks: about 10^12 to 10^14 guesses
Passwords that must withstand online attacks: about 10^4 to 10^6 guesses
Strong passwords
- Reduce the risk of offline guessing only if the password database is hashed and salted (against a plaintext leak, strength is irrelevant)
- Reduce the risk of online guessing if lockout and stealthy-attack monitoring are implemented; the password can then be less strong than in the offline case
- Might reduce the risk of shoulder surfing and insider guessing
- Do not protect against phishing or client-side malware
- Might increase the risk of password reuse or writing down, since stronger passwords tend to be harder to remember
Passwords and human capabilities
- Humans have a limited working-memory capacity
- Items stored in memory decay over time
- Unaided recall is harder than cued recall
- Similar passwords are easily confused
- Items linger in memory: humans cannot deliberately forget old passwords, which interfere with new ones
- Typing errors: the login form gives no feedback on which character was wrong
Why do humans share their passwords?
- Practical needs: "if something happens to me…"
- Delegation: "do this task for me"
- As a sign of trust
- Disabilities
NIST password guidelines (SP 800-63B)
For users: at least 8 characters; the longer the better
For providers:
- Compare newly chosen passwords against dictionaries and lists of known (breached) passwords
- Secure storage: slow hashing and salting (slow hashing reduces the speed of cracking attacks)
- Restrict the number of failed login attempts (the card says 10; NIST SP 800-63B itself caps it at no more than 100 consecutive failures per account)
- Force a password change only if justified (e.g. evidence of compromise), not on a fixed schedule
Minimum strength of a password
N_min · log2(C) bits
N_min: minimum length
C: size of the character space
Password creation policies: 3 factors
1. Composition, written <required classes>C<minimum length>. Possible classes: lowercase letters, uppercase letters, digits, special characters. Minimum length 8/10/12/16. E.g. 1C8 = at least 1 class and at least 8 characters
2. Blocklist: a list of prohibited strings plus a matching algorithm
3. Minimum strength estimation: a newer approach trains a neural network on leaked password data and estimates how many guesses a candidate password would survive
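As an added example (not part of the flashcards), here is a small policy checker that ties the cards together: it parses the `<classes>C<length>` notation, evaluates the card's `N_min · log2(C)` bound for the weakest compliant password, applies a blocklist as NIST recommends, and compares the naive keyspace estimate with the 10^6 (online) and 10^12 (offline) guess budgets from the strength card. The blocklist, the class sizes and the rule that the weakest compliant password uses the smallest allowed classes are assumptions of the example.

```python
import math
import re

# Character classes from the card, with the size of each (33 printable ASCII
# symbols for "special" is an assumed count).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
CLASS_RE = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]",
            "special": r"[^A-Za-z0-9]"}

# Guess budgets from the card: ~10^6 guesses to withstand online attacks,
# ~10^12 to withstand offline attacks (lower ends of the stated ranges).
ONLINE_GUESSES = 10 ** 6
OFFLINE_GUESSES = 10 ** 12

# Constructed stand-in for a breached-password blocklist; a real deployment
# checks against a large leak corpus.
BLOCKLIST = {"password", "password1", "123456", "12345678", "qwerty", "letmein"}


def parse_policy(policy):
    """'3C12' -> (3 required character classes, minimum length 12)."""
    m = re.fullmatch(r"(\d)C(\d+)", policy)
    if not m:
        raise ValueError("policy must look like <classes>C<min length>, e.g. 1C8")
    return int(m.group(1)), int(m.group(2))


def policy_min_bits(policy):
    """The card's N_min * log2(C) for the weakest compliant password: C is the
    smallest character space that still satisfies the class requirement
    (assumption: the user picks the smallest allowed classes)."""
    required, min_len = parse_policy(policy)
    c = sum(sorted(CLASS_SIZE.values())[:required])
    return min_len * math.log2(c)


def check_password(password, policy):
    """Apply the three policy factors: composition, blocklist, strength estimate."""
    required, min_len = parse_policy(policy)
    used = [name for name, pat in CLASS_RE.items() if re.search(pat, password)]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(used) < required:
        problems.append(f"uses {len(used)} character class(es), policy requires {required}")
    if password.lower() in BLOCKLIST:
        problems.append("on the blocklist")
    # Naive strength estimate: length * log2(size of the classes actually used).
    # It ignores guessability, which is why the blocklist check is still needed.
    bits = len(password) * math.log2(sum(CLASS_SIZE[n] for n in used)) if used else 0.0
    keyspace = 2 ** bits
    return {
        "ok": not problems,
        "problems": problems,
        "bits": bits,
        "withstands_online": keyspace >= ONLINE_GUESSES,
        "withstands_offline": keyspace >= OFFLINE_GUESSES,
    }


if __name__ == "__main__":
    for pw, pol in [("12345678", "1C8"), ("Password1", "3C8"), ("correct horse battery staple", "1C8")]:
        print(pw, pol, policy_min_bits(pol), check_password(pw, pol))
```

Note what the example exposes: `Password1` satisfies 3C8 and the entropy formula credits it with over 50 bits, enough for the offline budget on paper, yet it is rejected only because it is on the blocklist. That is the card's point that strength is guessing difficulty, not character-class arithmetic.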
Password management: recommendations
For providers:
- Reasonable password policies: rule out easily guessed passwords, avoid character-class requirements, minimum length 8
- Help users with password management: SSO, password managers, secure write-down
- Protection from online guessing: limit the online guessing rate
- Protection from offline guessing: slow hashing and salting, plus breach detection
- Lock out after 10 failed attempts; additionally detect stealthy online guessing (few guesses per account spread across many accounts) that stays under the lockout threshold
- Be prepared: usable and secure account recovery; strategies for the case of a mass breach
For users:
- Don't reuse passwords on important accounts
- Don't reuse passwords between work and home
- Use aids for password management, such as password managers or secure write-down
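The following added example (not from the flashcards) runs the two server-side defences from the recommendations above, per-account lockout after 10 failures and detection of stealthy breadth-first guessing, over constructed login-log lines that reproduce the depth-first and breadth-first attackers from the "server frontend attacks" card. The log format, the IP addresses and the spraying threshold (`SPRAY_ACCOUNTS`) are assumptions of the example.

```python
from collections import defaultdict

LOCKOUT_AFTER = 10      # failed attempts per account, as on the card
SPRAY_ACCOUNTS = 5      # assumed threshold: one source failing against this many accounts

# Constructed sample log (not real data): "<time> <source_ip> <account> <result>".
SAMPLE_LOG = "\n".join(
    # depth-first attacker: 12 guesses against one account
    [f"09:00:{i:02d} 10.0.0.5 alice FAIL" for i in range(12)]
    # breadth-first attacker: one guess each against six accounts
    + [f"09:01:{i:02d} 10.0.0.9 {u} FAIL"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # legitimate user: two typos, then success
    + ["09:02:00 192.168.1.20 carol FAIL",
       "09:02:05 192.168.1.20 carol FAIL",
       "09:02:10 192.168.1.20 carol OK"]
)


def parse_log(text):
    """Return a list of (time, source_ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((ts, ip, account, result == "OK"))
    return events


def locked_accounts(events, threshold=LOCKOUT_AFTER):
    """Depth-first defence: count consecutive failures per account; a success
    resets the counter. Returns the set of accounts that hit the threshold."""
    streak = defaultdict(int)
    locked = set()
    for _, _, account, ok in events:
        if ok:
            streak[account] = 0
        else:
            streak[account] += 1
            if streak[account] >= threshold:
                locked.add(account)
    return locked


def spraying_sources(events, min_accounts=SPRAY_ACCOUNTS):
    """Breadth-first defence: a single source failing across many distinct accounts
    never trips a per-account counter, so key the detection on the source instead."""
    targets = defaultdict(set)
    for _, ip, account, ok in events:
        if not ok:
            targets[ip].add(account)
    return {ip for ip, accounts in targets.items() if len(accounts) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked accounts:", locked_accounts(evs))
    print("spraying sources:", spraying_sources(evs))
```

Per-account lockout catches the depth-first attacker (alice is locked) and leaves carol's two typos alone, but it sees nothing wrong with 10.0.0.9, which failed only once per account; that source is only exposed by counting distinct targets per origin. Lockout also hands an attacker a denial-of-service lever against known usernames, so in practice it is combined with rate limiting and monitoring rather than used alone.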
Usability and security of strong passwords
Usability issues: hard to remember; typing errors; do not scale to the large number of accounts per user
Security problems: serious attacks exist that password strength does not address
Strong passwords only help against certain attacks (guessing)
Password strength = guessing difficulty
Guessing algorithms steadily get better and faster
Human capabilities for dealing with passwords stay the same
Usability criteria (for authentication schemes)
- Memorywise-effortless
- Scalable for users
- Nothing to carry
- Physically effortless (beyond pressing a button)
- Easy to learn and recall
- Efficient to use (time)
- Infrequent errors
- Easy recovery from loss