Lecture 6: 2nd October 2019 Flashcards
Authentication
What two security functions do IDs and passwords fulfill?
Identification and authentication: the ID lets a user claim to be a particular authorised user, and the password lets the system verify (authenticate) that claim.
What is an entity?
A user or process
What do we need to determine about an entity during authentication?
What the entity knows (e.g. a password); what it possesses (a security badge or authentication token); what or who it is (biometrics); where it is (GPS location or IP address). Combining factors from more than one category makes impersonation harder than any single factor alone.
How do authentication systems work?
An authentication system has five parts: authentication information A (what entities present to prove their identity, e.g. passwords); complementary information C (what the system stores to validate A, e.g. password hashes); complementation functions F (each f: A -> C, e.g. a hash function that produces C from A); authentication functions L (each l: A x C -> {true, false}, which verify a claimed identity); and selection functions S (which let entities create or change their authentication and complementary information, e.g. changing a password).
L must be callable by anyone who wants to log in, so it is always public. At least one of A, C and F must be hidden: A is the secret the user keeps, and if C and F are both known as well, an attacker can compute f(a) for every candidate a and compare it with C (an offline dictionary attack). Since F is usually a well-known hash, the system must protect C or make A hard to guess (high entropy).
What is a password space?
The set of all possible passwords, determined by the allowed character set and the allowed lengths.
What is the entropy of a password space?
A measure of how hard a password is to guess: for a space of N equally likely passwords the entropy is log2(N) bits, so it grows with the number of possible passwords (and shrinks if users choose only from a small subset of the space, such as dictionary words).
How can you increase the entropy of a password space?
Raise the minimum (and maximum) password length and enlarge the allowed character set; both increase the number of possible passwords.
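The entropy calculation for a password space, as an added worked example (not part of the original flashcards): the space size is the sum over every permitted length of (character-set size)^length, and its entropy is log2 of that size. The character-class sizes and the policies compared are constructed assumptions, and the last function shows the caveat that a user drawing from a 100,000-word dictionary faces an attacker with only about 16.6 bits of work, whatever the policy allows.

```python
import math

# Character-class sizes of a typical keyboard; these are constructed
# assumptions about the password policy, not values from the lecture.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def space_size(charset_size: int, min_len: int, max_len: int) -> int:
    """Size of the password space: every string over the character set whose
    length lies in [min_len, max_len]. The sum is dominated by the max_len term."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid policy")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(charset_size: int, min_len: int, max_len: int) -> float:
    """Entropy of the space in bits, assuming every password is equally likely."""
    return math.log2(space_size(charset_size, min_len, max_len))


def effective_bits(num_candidates: int) -> float:
    """Entropy the attacker actually faces when users draw from a smaller set
    (e.g. a list of common passwords) than the policy permits."""
    return math.log2(num_candidates)


def exhaust_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given offline guess rate."""
    return 2 ** bits / guesses_per_second


def compare_policies() -> dict:
    """Entropy (rounded to 0.1 bit) of four constructed policies:
    (label, charset size, min length, max length)."""
    policies = [
        ("4-digit PIN", DIGITS, 4, 4),
        ("8 lowercase", LOWER, 8, 8),
        ("8-12 mixed alnum", LOWER + UPPER + DIGITS, 8, 12),
        ("12-16 all classes", LOWER + UPPER + DIGITS + SYMBOLS, 12, 16),
    ]
    return {label: round(entropy_bits(c, lo, hi), 1) for label, c, lo, hi in policies}


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:20s} {bits:6.1f} bits")
    # Hypothetical attacker rate of 1e10 guesses/s against an 8-lowercase policy.
    print("8 lowercase exhausted in",
          round(exhaust_seconds(entropy_bits(LOWER, 8, 8), 1e10)), "seconds")
    print("dictionary of 100k words:", round(effective_bits(100_000), 1), "bits")
```

Raising the minimum length adds the same number of bits per extra character as the log2 of the character-set size, so length is the cheapest lever; the effective-entropy figure is the one that matters when users pick dictionary words.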
How can you attack an authentication system?
Attack the authentication function L (the login/password check, which must be exposed to anyone who wants to log in) or the complementary information C (the stored passwords or their hashes), since these are usually the only parts of the system an attacker can reach.
How can you protect against attacks on authentication functions?
Exponential back-off (after each failed attempt the wait before the next attempt is allowed doubles); lock the account for a fixed period after n consecutive failures; disable the account completely after n failures; jailing (let the suspected attacker into a confined decoy environment so their actions can be watched). Hard lockouts have a cost: an attacker can deny service to a legitimate user by deliberately failing logins against that user's account.
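The back-off and lockout logic described above, as an added example (not code from the lecture). The guard tracks failures per account, doubles the wait after each failure, and disables the account once a constructed threshold is reached; the clock is passed in explicitly so the behaviour can be checked without sleeping. The user names and thresholds are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class LoginGuard:
    """Protects the authentication function against online guessing.

    After the n-th consecutive failure the account is locked for
    base_delay * 2**(n-1) seconds; at max_failures it is disabled outright.
    Times are plain floats (seconds) supplied by the caller."""
    base_delay: float = 1.0
    max_failures: int = 10
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    disabled: Set[str] = field(default_factory=set)

    def check(self, user: str, now: float) -> Tuple[bool, str]:
        """May this account attempt a login right now?"""
        if user in self.disabled:
            return False, "disabled"
        until = self.locked_until.get(user, 0.0)
        if now < until:
            return False, f"locked for {until - now:.0f}s"
        return True, "ok"

    def record_failure(self, user: str, now: float) -> None:
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            # Hard lock: needs an out-of-band reset. Note the DoS risk: an
            # attacker can trigger this against a victim's account on purpose.
            self.disabled.add(user)
            return
        self.locked_until[user] = now + self.base_delay * 2 ** (n - 1)

    def record_success(self, user: str) -> None:
        """A correct login clears the back-off state."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def attempt(guard: LoginGuard, user: str, password: str, now: float,
            verify) -> Tuple[bool, str]:
    """Run the guard around a password check `verify(user, password) -> bool`.
    The guard is consulted before the check so locked accounts do no work."""
    allowed, reason = guard.check(user, now)
    if not allowed:
        return False, reason
    if verify(user, password):
        guard.record_success(user)
        return True, "authenticated"
    guard.record_failure(user, now)
    return False, "bad password"


if __name__ == "__main__":
    # Constructed demo: one account, correct password "correct horse".
    verify = lambda u, p: (u, p) == ("alice", "correct horse")
    g = LoginGuard(base_delay=1.0, max_failures=5)
    t = 0.0
    for guess in ["123456", "password", "letmein"]:
        print(t, attempt(g, "alice", guess, t, verify))
        t += 0.5  # attacker retries too soon and is told to wait
        print(t, attempt(g, "alice", guess, t, verify))
        t = g.locked_until["alice"]  # wait out the lock
    print(t, attempt(g, "alice", "correct horse", t, verify))
```

Rate limiting by account is only half the picture: an attacker spraying one common password across many accounts never trips a per-account counter, so production systems also limit by source address and watch the aggregate failure rate.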
What are some problems with password-based authentication systems?
Passwords are forgotten, written down and lost, stolen, shared, and are often simple (low entropy) and reused across multiple systems, so one breach compromises several accounts.
What are hazard points?
Parts of the operation of a system which present security vulnerabilities that could be exploited
What are some hazard points concerning passwords?
Shoulder surfing (someone watching the password or PIN being typed); sniffing passwords sent unencrypted over a network; hidden cameras at ATMs; keyloggers; worn keys or buttons on a keypad revealing which PIN digits are used most.
How can stored passwords be protected?
Salt and hash them: store hash(salt || password) with a random per-user salt instead of the password itself, so a stolen store does not reveal passwords directly, identical passwords do not produce identical stored values, and a precomputed table of hashes cannot be reused across users.
How can you attack password systems?
Brute-force attack: try every password in the password space (exhaustive search); feasible only when the space is small, e.g. a 4-digit PIN.
Dictionary attack: try passwords from a list of words and common passwords (and simple variations of them) first, since users pick these far more often than random strings; performed offline against stolen complementary information, the attacker computes f(guess) for each candidate and compares it with the stored value.
How can you defend against attacks on password systems?
Limit the time allowed to log in and the number of attempts; salt and hash stored passwords, using a deliberately slow hash so each offline guess costs the attacker time; enforce minimum length and composition rules, and reject dictionary words, to increase entropy.
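The authentication model (A, C, F, L, S), salted hashing and the offline dictionary attack from the cards above, brought together in one added example that is not part of the lecture. PBKDF2-HMAC-SHA256 is chosen here as the complementation function F (an assumption, not the lecture's choice); the user names, passwords and word list are constructed. The attack shows why hiding C matters when F is public: with C stolen, every word in the list is hashed under each user's salt, and the weak, shared password falls while the random one does not.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Production cost for F; the demo uses far fewer so it runs in a moment.
ITERATIONS = 100_000


def complement(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """F: the complementation function f: A -> C (PBKDF2-HMAC-SHA256 here).
    Slow by design so each attacker guess costs as much as a real login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class PasswordStore:
    """Holds C: a (salt, hash) pair per user. A (the passwords) is never stored."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self.iterations = iterations
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str,
                     salt: Optional[bytes] = None) -> None:
        """S: the selection function; an entity sets or changes its A, and the
        system derives the matching C with a fresh random salt."""
        salt = os.urandom(16) if salt is None else salt
        self.records[user] = (salt, complement(password, salt, self.iterations))

    def authenticate(self, user: str, password: str) -> bool:
        """L: the authentication function l: A x C -> {true, false}."""
        record = self.records.get(user)
        if record is None:
            # Do the same work for unknown users so a timing difference does
            # not reveal which account names exist.
            complement(password, b"\x00" * 16, self.iterations)
            return False
        salt, stored = record
        return hmac.compare_digest(complement(password, salt, self.iterations), stored)


def dictionary_attack(store: PasswordStore, wordlist) -> Dict[str, str]:
    """Attacker's view: C stolen, F public, A unknown. Because each user has a
    distinct salt the whole list must be re-hashed per user; without salts one
    pass over the list would crack every user sharing a password at once."""
    cracked = {}
    for user, (salt, stored) in store.records.items():
        for word in wordlist:
            if hmac.compare_digest(complement(word, salt, store.iterations), stored):
                cracked[user] = word
                break
    return cracked


def demo(iterations: int = 2_000) -> Tuple[Dict[str, str], bool]:
    """Constructed scenario. Returns (cracked accounts, whether two users with
    the same password got different stored values)."""
    store = PasswordStore(iterations)
    store.set_password("alice", "password123")    # weak, appears in the list
    store.set_password("bob", "password123")      # same weak password
    store.set_password("carol", "x7#Qv!9zL2pW")   # random, not in the list
    wordlist = ["123456", "password", "letmein", "password123", "qwerty"]
    # L behaves as expected for the legitimate users.
    assert store.authenticate("alice", "password123")
    assert not store.authenticate("alice", "password")
    assert not store.authenticate("mallory", "anything")
    distinct_c = store.records["alice"][1] != store.records["bob"][1]
    return dictionary_attack(store, wordlist), distinct_c


if __name__ == "__main__":
    cracked, distinct_c = demo()
    print("same password, different C:", distinct_c)
    print("cracked:", cracked)   # alice and bob fall, carol does not
```

Salting does not rescue a guessable password: the attack still recovers alice and bob, because their entropy is low. What the salt and the slow hash buy is that each guess against each user costs the attacker full work, so the only passwords that survive a stolen C are the ones with enough entropy to make that work infeasible.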