Notes for January 28, 1998

  1. Greetings and felicitations!
    1. Reading: Pfleeger, pp. 254-264; Garfinkel & Spafford, pp. 246-270
  2. Puzzle
  3. Attack Schemes Directed to the Passwords
    1. Exhaustive search: UNIX passwords are 1-8 chars drawn from about 96 possible characters; the space is about 7e16 candidates
    2. Inspired guessing: think of what people would like (see above)
    3. Random guessing: can't defend against it; bad login messages aid it
    4. Scavenging: passwords are often typed where they may be recorded (e.g., mistakenly entered as the login name, or typed in other contexts)
    5. Ask the user: very common with some public access services
    6. Expected time to guess
  4. Password aging
    1. Pick the aging interval so that by the time a password could be guessed, it is no longer valid
    2. Implementation: keep a history of previous passwords (to prevent reuse) and enforce lower and upper bounds on the time between changes
  5. Ultimate in aging: One-Time Pads
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function
    3. Example: S/Key
  6. Challenge-response systems
    1. Computer issues a challenge; the user's response demonstrates knowledge of a secret or possession of an item
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent on wire or network
    4. Attack: monkey-in-the-middle
    5. Defense: mutual authentication (will discuss more sophisticated network-based protocols later)
[ ended here ]
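The S/Key scheme of item 5 above, as an added example that is not part of the original notes: the client derives a chain f^0(s), f^1(s), ..., f^n(s) from a secret s, the server stores only f^n(s), and a presented password is accepted when one more application of f yields the stored value. SHA-256 stands in for S/Key's MD4-with-folding, the six-word encoding is omitted, and the secret and chain length are constructed values.

```python
import hashlib


def otp_hash(value: bytes) -> bytes:
    """One step of the chain: f(x) = SHA-256(x) (assumed; real S/Key folds MD4)."""
    return hashlib.sha256(value).digest()


def build_chain(secret: bytes, n: int) -> list[bytes]:
    """Client side: return [f^0(s), f^1(s), ..., f^n(s)] for secret s."""
    chain = [secret]
    for _ in range(n):
        chain.append(otp_hash(chain[-1]))
    return chain


class SKeyServer:
    """Server side: stores only f^n(s) and the number of passwords left.

    The secret s is never held, so a stolen password file gives no future
    password: f cannot be run backwards.
    """

    def __init__(self, last_hash: bytes, n: int) -> None:
        self.stored = last_hash
        self.remaining = n

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate iff f(candidate) equals the stored value."""
        if self.remaining == 0 or otp_hash(candidate) != self.stored:
            return False
        # Step the stored value back one link; the used password is now dead.
        self.stored = candidate
        self.remaining -= 1
        return True


def demo(secret: bytes = b"constructed-secret", n: int = 5) -> dict:
    """Walk through several logins (constructed input) and report each outcome."""
    chain = build_chain(secret, n)
    server = SKeyServer(chain[n], n)  # initialised with f^n(s) only
    return {
        "first_login": server.verify(chain[n - 1]),   # f^(n-1)(s): accepted
        "replay_same": server.verify(chain[n - 1]),   # sniffed and replayed: rejected
        "second_login": server.verify(chain[n - 2]),  # next in sequence: accepted
        "skip_ahead": server.verify(chain[n - 4]),    # out of order: rejected
        "third_login": server.verify(chain[n - 3]),   # correct next link: accepted
        "remaining": server.remaining,                # two passwords left
    }
```

A password sniffed off the wire is useless once it has been used, which is the "valid for only one use" property; the per-user state on the server is one hash plus a counter.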
  1. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  2. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 2/13/98