Notes/UNB/Year 4/Semester 1/CS2418/10-6-2023.md

2024-01-22 10:12:48 -04:00
Lecture Topic: Passwords
Password File Access Control:
One way to thwart a password attack is to deny the attacker access to the password file
Shadow password?
There are four techniques to attempt to make users select a secure password:
- User Education (can be ignored by users)
- Computer Generated Passwords (users are unable to remember them)
- Reactive password checking (resource-intensive)
  - The system runs its own password cracker in the background and finds guessable passwords
  - Any vulnerable password remains vulnerable until the checker reaches it
- Complex Password Policy (proactive password checker - promising approach)
  - Password must be at least 16 characters (basic16)
  - Must have 8 characters including an uppercase and a lowercase letter and a digit, and may not contain a dictionary word (comprehensive8)
Another possible procedure is to simply compile a large dictionary of bad passwords, and when the user selects a password, it makes sure it's not in the list
But there are problems with this approach
- Space: The dictionary must be very large to be effective
- Time: The time required to search a large dictionary may itself be large. If the checker also checks permutations the time cost increases exponentially
Bloom filter
A technique for developing an effective and proactive password checker
- It is based on rejecting words that appear on a list; this approach has been implemented on a number of systems
Token based Authentication
Objects that a user possesses for the purpose of user authentication are called tokens
- Memory Cards can store but not process data
- For authentication a user provides both the memory card and some form of password or PIN
- A typical example is an ATM, which uses a card in addition to a PIN for access to your money
Potential Drawbacks
- Requires reader
- Token loss
- User dissatisfaction
Smart Cards
Physical Characteristics:
- Has an embedded microprocessor. A smart token that looks like a card is called a smart card
User Interface:
- Manual interface includes a keypad and display for human/token interaction
Electronic Interface:
- Contact
  - A smart card that needs to be inserted; data transfer is done over physical contact points
- Contactless
  - A contactless card only requires close proximity to a reader. Both the reader and the card have an antenna and the two communicate using radio frequencies.
  - Most contactless cards also derive power from these signals
  - NFC is a common example
Authentication protocol
The purpose of a smart token is to provide authentication
Static:
With a static protocol, the user authenticates himself with the token and then the token authenticates with the computer. The second part is similar to the operation of a memory token
Dynamic password generator:
In this case the token generates a new password periodically. The password is entered into the computer either manually or automatically. The computer needs to be synchronized with the token for this method to work, as the computer needs to know the correct password for the given time
Challenge-response:
In this case the computer system generates a challenge …
Electronic Identity Cards - Digital applications of identity cards
Biometric Authentication: Covered next class