Notes for January 28, 1998

1. Greetings and felicitations!
   1. Reading: Pfleeger, pp.254-264; Garfinkel & Spafford, pp. 246-270
2. Puzzle
3. Attack Schemes Directed to the Passwords
   1. Exhaustive search: UNIX is 1-8 chars, say 96 possibles; it's about 7e16
   2. Inspired guessing: think of what people would like (see above)
   3. Random guessing: can't defend against it; bad login messages aid it
   4. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
   5. Ask the user: very common with some public access services
   6. Expected time to guess
4. Password aging
   1. Pick age so when password is guessed, it's no longer valid
   2. Implementation: track previous passwords vs. upper, lower time bounds
5. Ultimate in aging: One-Time Pads
   1. Password is valid for only one use
   2. May work from list, or new password may be generated from old by a function
   3. Example: S/Key
6. Challenge-response systems
   1. Computer issues challenge, user presents response to verify secret information known/item possessed
   2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
   3. Note: password never sent on wire or network
   4. Attack: monkey-in-the-middle
   5. Defense: mutual authentication (will discuss more sophisticated network-based protocols later)

7. Biometrics
   1. Depend on physical characteristics
   2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
8. Location
   1. Bind user to some location detection device (human, GPS)
   2. Authenticate by location of the device