Notes for January 26, 1998

1.	Greetings and felicitations!

a.	Reading: Pfleeger, pp.254Į264; Garfinkel & Spafford, pp. 246Į270

2.	Puzzle

3.	Authentication:

a.	validating client (user) identity

b.	validating server (system) identity

c.	validating both (mutual authentication)

4.	Basis

a.	What you know

b.	What you have

c.	What you are

5.	Passwords

a.	How UNIX does selection

b.	Problem: common passwords; Go through Morris and Thompson ; Klein and mine, etc.

c.	May be pass phrases: goal is to make search space as large as possible and distribution as 
uniform as possible

d.	Other ways to force good password selection: random, pronounceable,m computer-aided 
selection

e.	Go through problems, approaches to each, esp. proactive

6.	Password Storage

a.	In the clear; MULTICS story

b.	Encipheres; key must be kept available; get to it and itēs all over

c.	Hashed; present idea of one-way functions using identity and sum

d.	Show UNIX version

[ ended here ]

7.	Attack Schemes Directed to the Passwords 

a.	Exhaustive search: UNIX is 1-8 chars, say 96 possibles; itēs about 7e16

b.	Inspired guessing: think of what people would like (see above)

c.	Random guessing: canēt defend against it; bad login messages aid it

d.	Scavenging: passwords often typed where they might be recorded (b\as login name, in 
other contexts, etc.

e.	Ask the user: very common with some public access services

f.	Expected time to guess

8.	Password aging

a.	Pick age so when password is guessed, itēs no longer valid

b.	Implementation: track previous passwords vs. upper, lower time bounds

9.	Ultimate in aging: One-Time Pads

a.	Password is valid for only one use

b.	May work from list, or new password may be generated from old by a function

c.	Example: S/Key

10.	Challenge-response systems

a.	Computer issues challenge, user presents response to verify secret information known/
item possessed

b.	Example operations:  f(x) = x+1, random, string (for users without computers), time of 
day, computer sends E(x), you answer E(D(E(x))+1)

c.	Note: password never sent on wire or network

d.	Attack: monkey-in-the-middle

e.	Defense: mutual authentication (will discuss more sophisticated network-based protocols 
later)

11.	Biometrics

a.	Depend on physical characteristics

b.	Examples: pattern of typing (remarkably effective), retinal scans, etc.

12.	Location

a.	Bind user to some location detection device (human, GPS)

b.	Authenticate by location of the device