Lecture 6: 2nd October 2019 Flashcards

Authentication

1
Q

What two security functions do IDs and passwords fulfill?

A

Allows users to identify themselves as (claim to be) an authorised user, and allows a system to authenticate them as that user.

2
Q

What is an entity?

A

A user or process

3
Q

What do we need to determine about an entity during authentication?

A

What the entity knows (e.g. a password) and possesses (e.g. a security badge or authentication token); what or whom the entity is (biometrics); where the entity is (GPS or IP address).

4
Q

How do authentication systems work?

A

Authentication systems have authentication information, A (the information entities use to prove their identities; it binds an entity to its identity); complementary information, C (used to validate A); complementation functions, F (generate C from A); authentication functions, L (verify identity); and selection functions, S (allow entities to alter the authentication information or the complementary function).

At least one of A, C, and F should be hidden.

5
Q

What is a password space?

A

The set of all possible passwords, drawn from a given character set.

6
Q

What is the entropy of a password space?

A

How difficult it is to predict what a password is; it increases as there are more possible passwords.

7
Q

How can you increase the entropy of a password space?

A

Increase the minimum and maximum number of characters a password can hold, and allow more characters to be used in it.

8
Q

How can you attack an authentication system?

A

Attack the authentication function (which is always visible) or the complementary information, since these are the password checking and the passwords respectively, and are usually the only public parts of an authentication system.

9
Q

How can you protect against attacks on authentication functions?

A

Use an exponential back-off (after n failed tries, lock out for an increasing period each time); lock out completely after n failed attempts; use termed jailing; disable accounts.

10
Q

What are some problems with password-based authentication systems?

A

Passwords are lost and forgotten, stolen, shared, and are often simple and reused across multiple systems.

11
Q

What are hazard points?

A

Parts of the operation of a system which present security vulnerabilities that could be exploited.

12
Q

What are some hazard points concerning passwords?

A

Shoulder surfing (others watching passwords being typed); sniffing when they are transmitted over networks; cameras at ATMs; keyloggers; frequently used keys or buttons becoming more worn, which reveals the most-used PIN digits.

13
Q

How can stored passwords be protected?

A

Salt and hash them.

14
Q

How can you attack password systems?

A

Brute-force attack: try all passwords, e.g. from a random generator.

Dictionary attack: use a dictionary of common words to form candidate passwords that are more likely than random character strings.

15
Q

How can you defend against attacks on password systems?

A

Allow a finite amount of time to log in, or a limited number of attempts; salt and hash passwords; insist on minimum length and other rules to increase entropy.

16
Q

What are the pros and cons of pseudo-random generated passwords?

A

Harder to attack because of greater entropy, but people may forget them and are more likely to write them down, which makes other types of attack easier.

17
Q

How can dictionary attacks try to predict passwords?

A

Combine words to form pronounceable passwords; append numbers and special characters, especially if the password rules require them, to form candidate passwords; candidates can also be built up from phonemes.

18
Q

What is password ageing?

A

Forcing users to change their passwords at intervals.

19
Q

What are Challenge-Response authentication mechanisms?

A

Protocols that identify users using questions and answers chosen by the users.

20
Q

What are one-time passwords?

A

Valid (authenticating) password values that become redundant, and are no longer accepted, after one use.

21
Q

What is password entropy?

A

How difficult it is to predict a password; it increases as there are more possible passwords.

22
Q

How can you calculate password entropy?

A

Password entropy: E = log2(R^L)

R = number of unique characters that can appear in a password
L = length of the password

50+ bits is a reasonable level of protection from cracking. Entropy is lowered when a password breaks down into dictionary words, as exploited by dictionary attacks.

23
Q

What are drawn secrets?

A

Making users draw memorised shapes as a method of authentication.

24
Q

What are the pros and cons of drawn secrets?

A

Easier to remember than complex passwords; visually impaired users can’t use them; it’s technically difficult to verify shapes; drawings are generally simple, central, and symmetric, giving low entropy.

25
Q

What are passpoints?

A

A system in which users choose a number of points on a picture background as markers, whose locations are used to authenticate them.

26
Q

What are the pros and cons of passpoints?

A

Easy to use and remember; the fixed format removes the inconsistent entropy found in passwords of different lengths and complexities; but people choose pronounced and prominent features as marker points, lowering entropy.

27
Q

How do passpoints work?

A

Choose 5 points on a picture as your passpoints. When logging in again, the system challenges you and you must choose the same points (within some error tolerance) to be authenticated.

28
Q

What are search metrics?

A

Different ways of searching and matching images by checking sections of them against each other. Metrics are measures and methods of assessment; search metrics are therefore ways of assessing data for comparison and matching in a search.

29
Q

What are loci metrics?

A

A search metric in which locations on an image are used to match and identify users.

30
Q

What are draw metrics?

A

A search metric in which drawings made by users on a 5x5 grid are used to identify and authenticate them.

31
Q

What is Passfaces?

A

An authentication system developed as part of a research project, involving a 9x9 grid of people’s faces from which you click one face each time.

32
Q

What are the disadvantages of Passfaces?

A

People choose pretty young women rather than old women, and people choose faces of their own race, etc. These psychological factors lower entropy.

33
Q

What is Wall of Faces?

A

A black and white collage of portrait photos, in which people click faces as a search metric for authentication.

34
Q

What are the disadvantages of Wall of Faces?

A

Again, low entropy from human patterns: people choose central, full, prominent, attractive faces of their own race.

35
Q

What are graphical passwords?

A

Authentication systems in which users choose from a collection of images as a search metric.

36
Q

How would people respond to adding drawings onto backgrounds as passwords?

A

They draw simple, central, and symmetric images, which lowers their entropy.

37
Q

What is tolerance?

A

The degree of error within which authentication is still granted.

38
Q

Why are graphical passwords being developed?

A

As alternatives to PINs and text passwords: PINs and text passwords are difficult and flawed, and PINs have very low entropy.