66 lines
3.2 KiB
Markdown
66 lines
3.2 KiB
Markdown
|
Lecture Topic: Passwords
|
||
|
|
|
||
|
|
Password File Access Control:
|
||
|
|
One way to thwart a password attack is to deny the attacker access to the password file
|
||
|
|
|
||
|
|
Shadow password?
|
||
|
|
|
||
|
|
There are four techniques to attempt make users select a secure password:
|
||
|
|
- User Education (Can be ignored)
|
||
|
|
- Computer Generated Passwords (Users are unable to remember)
|
||
|
|
- Reactive password checking (Resource intensity issues)
|
||
|
|
- The system runs its own password cracker in the background and finds guessable passwords
|
||
|
|
- Any vulnerable passwords remain vulnerable until the checker checks it
|
||
|
|
- Complex Password Policy (Proactive password checker - Promising approach)
|
||
|
|
- Password must be at least 16 characters (basic16)
|
||
|
|
- Must have 8 characters including an uppercase and lowercase, a digit and may not contain a dictionary word (comprehensive8)
|
||
|
|
|
||
|
|
Another possible procedure is to simply compile a large dictionary of bad passwords, and when the user selects a password, it makes sure it's not in the list
|
||
|
|
|
||
|
|
But there are problems with this approach
|
||
|
|
- Space: The dictionary must be very large to be effective
|
||
|
|
- Time: The time required to search a large dictionary may itself be large. If the checker also checks permutations the time cost increases exponentially
|
||
|
|
|
||
|
|
Bloom filter
|
||
|
|
A technique for developing an effective and proactive password checker
|
||
|
|
- It is based on rejecting words on a list that has been implemented on a number of systems
|
||
|
|
|
||
|
|
Token based Authentication
|
||
|
|
Objects that a user posses for the purpose of user authentication are called tokens
|
||
|
|
- Memory Cards can store but not process data
|
||
|
|
- For authentication a user provides both the memory card and some form of password or PIN
|
||
|
|
- A typical example is an ATM, which uses a card in addition for a PIN for access to your money
|
||
|
|
Potential Drawbacks
|
||
|
|
- Requires reader
|
||
|
|
- Token loss
|
||
|
|
- User dissatisfaction
|
||
|
|
|
||
|
|
Smart Cards
|
||
|
|
Physical Characteristics:
|
||
|
|
- Has an embedded micro pressor. A smart token that looks like a card is called a smart card
|
||
|
|
User Interface:
|
||
|
|
- Manual interface includes a keypad and display for human/token interaction
|
||
|
|
Electronic Interface:
|
||
|
|
- Contact
|
||
|
|
- A smart card that needs to be inserted, and data transfer is done over physical contact points
|
||
|
|
- Contactless
|
||
|
|
- A contactless card only requires a close proximity to a reader. Both the reader and the card have an antenna and the two communicate using radio frequencies.
|
||
|
|
- Most contactless cards also derive power from these signals
|
||
|
|
- NFC is a common example
|
||
|
|
|
||
|
|
Authentication protocol
|
||
|
|
The purpose of a smart token is to provide authentication
|
||
|
|
|
||
|
|
Static:
|
||
|
|
With a static protocol, the user authenticates himself with the token and then the token authenticates with the computer. The second part is similar to the operation of a memory token
|
||
|
|
|
||
|
|
Dynamic password generator:
|
||
|
|
In this case the token generates a password periodically. The password is entered into the computer either manually or automatically. The computer needs to synchronized with the token for this method to work, as the computer needs to know the correct password for the given time
|
||
|
|
|
||
|
|
Challenge-response:
|
||
|
|
In this case the computer system generates a challenge …
|
||
|
|
|
||
|
|
|
||
|
|
Electronic Identity Cards - Digital applications of identity cards
|
||
|
|
|
||
|
|
Biometric Authentication: Covered next class
|