Chapter 11 - Authentication And Account Management Flashcards
Authentication
Proving that a user is genuine, and not an imposter.
Authentication credentials
1) what he has
2) what he is
3) what he knows
4) where he is
5) what he does
Online attack
An attempt to enter different passwords at the login prompt until the right password is guessed.
Offline attack
Stealing a message digest database and cracking it offline.
NTLM (New Technology LAN Manager) hash
A hash used by modern Microsoft Windows operating systems for creating password digests.
Pass the hash attack
An attack in which the user sends the hash to the remote system to then be authenticated on an NTLM system.
Mask attack
A more targeted brute force attack that uses placeholders for characters in certain positions of the password.
Rule attack
Conducts a statistical analysis on the stolen passwords that is then used to create a mask to break the largest number of passwords.
Dictionary attack
A password attack that creates encrypted versions of common dictionary words and compares them against those in a stolen password file.
Rainbow tables
Large pre-generated data sets of encrypted passwords used in password attacks.
Key stretching
A password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest.
2 popular key stretching password hash algorithms
1) bcrypt
2) PBKDF2
Multifactor authentication
Using more than one type of authentication credential.
Security token
A means of authentication based on a token that the user has.
Hardware security token
A small device (usually one that can be affixed to a keychain) with a window display.
Software security token
Software stored in a general-purpose device like a laptop computer or smartphone.
Time-based one-time password (TOTP)
A one-time password that changes after a set period.
HMAC-based one-time password (HOTP)
A one-time password that changes when a specific event occurs.
Smart card
A card that contains an integrated circuit chip that can hold information used as part of the authentication process.
Proximity card
A contactless card that does not require physical contact with the card itself for authentication.
Common access card (CAC)
A U.S. Department of Defense (DoD) smart card used for identification of active-duty and reserve military personnel along with civilian employees and special contractors.
Personal Identity Verification (PIV)
A U.S. government standard for smart cards that covers all government employees.
Standard biometrics
Using fingerprints or other unique physical characteristics of a person's face, hands, or eyes for authentication.
Retinal scanner
A device that uses the human retina as a biometric identifier.