Notes for November 3, 1999

  1. Greetings and Felicitations!
  2. Puzzle of the Day
  3. Authentication:
      validating client (user) identity
      validating server (system) identity
      validating both (mutual authentication)


    Bases for authentication
      What you know (passwords, pass phrases)
      What you have (tokens, cards, keys)
      What you are (biometrics)

    Password Selection
      How UNIX does selection: the user chooses; few checks are applied by default
      Problem: users pick common, easily guessed passwords; go through Morris and Thompson, Klein, and my own results, etc.
      May be pass phrases: goal is to make the search space as large as possible and the distribution over it as uniform as possible (no choice much more likely than any other)
      Other ways to force good password selection: random generation, pronounceable generated passwords, computer-aided selection
      Go through the problems with each and the approaches to them, esp. proactive checking (reject a weak password at the time the user sets it)

    Password Storage
      In the clear: anyone who can read the file has every password; MULTICS story
      Enciphered: the key must be kept available to the system; get to the key and it's all over
      Hashed: present the idea of one-way functions (easy to compute, infeasible to invert) using identity and sum as the contrasting examples
      Show UNIX version
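      Added example (not from these notes): the shape of the UNIX scheme in Python, a salted one-way hash stored in place of the password. Assumptions: SHA-256 stands in for the DES-based crypt(3) function the notes refer to, the salt is 16 bits rather than crypt's 12, and the candidate list is constructed here. The last function shows why a stolen hashed file is still exposed to guessing, and what the salt buys.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

def one_way(salt: bytes, password: str) -> bytes:
    """The one-way function. Assumption: SHA-256 in place of the DES-based
    crypt(3); easy to compute, and the only way back is guess-and-rehash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def make_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the password file stores: (salt in the clear, hash). The password
    itself is not recoverable from this without guessing."""
    if salt is None:
        salt = os.urandom(2)   # crypt(3) used a 12-bit salt; 16 bits here (assumption)
    return salt, one_way(salt, password)

def check(attempt: str, entry: Tuple[bytes, bytes]) -> bool:
    """Login check: re-hash the attempt under the stored salt and compare.
    compare_digest keeps the comparison time independent of where it differs."""
    salt, stored = entry
    return hmac.compare_digest(one_way(salt, attempt), stored)

def guess_from_list(entry: Tuple[bytes, bytes], candidates: Iterable[str]) -> Optional[str]:
    """Offline 'inspired guessing' against a stolen entry. Because the salt is
    mixed in, each user's entry needs its own pass over the list: the salt
    defeats one precomputed hash -> password table shared across users."""
    salt, stored = entry
    for word in candidates:
        if one_way(salt, word) == stored:
            return word
    return None

if __name__ == "__main__":
    # constructed sample: two users who chose the same password
    alice = make_entry("tiger")
    bob = make_entry("tiger")
    print("same password, (almost certainly) different hashes:", alice[1] != bob[1])
    print("login with right password:", check("tiger", alice))
    print("login with wrong password:", check("tigers", alice))
    print("dictionary attack finds:", guess_from_list(alice, ["password", "secret", "tiger"]))
```

      The salt does not make an individual entry harder to guess; it only stops one table from serving every user. The search cost per entry is what the next section is about.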

    Attack Schemes Directed to the Passwords
      Exhaustive search: UNIX passwords are 1-8 chars, say 96 possibles per position; sum of 96^i for i = 1..8 is about 7e15
      Inspired guessing: think of what people would choose (see above)
      Random guessing: can't defend against it; login messages that reveal which of name and password was wrong aid it
      Scavenging: passwords often typed where they might be recorded, e.g. typed in the login name field (and logged), in other contexts, etc.
      Ask the user: social engineering; very common with some public access services
      Expected time to guess: depends on the size of the search space, how evenly it is used, and the rate at which guesses can be checked
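      Added example (not from these notes): the search-space and expected-time arithmetic for the exhaustive-search case above, plus the bound usually called Anderson's formula: with G guesses per second over T seconds against N equally likely passwords, the probability of success P is at least TG/N, so N must be at least TG/P to hold P down. The guess rate of 1e6 per second is an assumed figure for illustration, not a measurement.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def search_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over an
    alphabet of alphabet_size symbols (exact integer arithmetic)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def expected_guesses(space: int) -> float:
    """If every password is equally likely, exhaustive search succeeds after
    half the space on average. A skewed distribution only makes this smaller,
    which is why the notes ask for a uniform one."""
    return space / 2

def expected_years(space: int, guesses_per_second: float) -> float:
    """Expected wall-clock time to guess one password at the given rate."""
    return expected_guesses(space) / guesses_per_second / SECONDS_PER_YEAR

def required_space(prob: float, guesses_per_second: float, seconds: float) -> float:
    """Anderson's formula: P >= T*G/N, so to keep the chance of a guess within
    T seconds below P the space must satisfy N >= T*G/P."""
    return seconds * guesses_per_second / prob

if __name__ == "__main__":
    n = search_space(96, 1, 8)           # the UNIX case from the notes
    print(f"1-8 chars over 96 symbols: {n:.3e} passwords")
    print(f"at an assumed 1e6 guesses/s: {expected_years(n, 1e6):.1f} years expected")
    print(f"space needed to keep P <= 0.01 over one year at 1e6 guesses/s: "
          f"{required_space(0.01, 1e6, SECONDS_PER_YEAR):.2e}")
```

      The last figure is how password aging is sized: pick the lifetime T so that TG/N stays below the probability you are willing to accept.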

    Password aging
      Pick the age so that by the time a password could be guessed, it's no longer valid (expire it before the expected guessing time)
      Implementation: keep previous passwords to prevent reuse; enforce a lower time bound (can't change it straight back) and an upper time bound (must change by then)

      Ultimate in aging: One-Time Passwords
        Password is valid for only one use, so capturing it gains nothing
        May work from a list, or the new password may be generated from the old by a function
        Example: S/Key
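      Added example (not from these notes, and not the S/Key implementation): the S/Key hash-chain idea in Python. The client holds a secret seed and counts down the chain; the server stores only f^n(seed) and n, so reading the server's file does not yield the next password, and a replayed password fails. Assumptions: SHA-256 in place of the folded MD4 the real S/Key used, and a constructed seed; the printed list shows the "work from a list" variant for a user without a computer.

```python
import hashlib
from typing import List

def f(x: bytes) -> bytes:
    """The one-way function. Assumption: SHA-256 instead of S/Key's 64-bit
    MD4 fold; the chain construction is the same."""
    return hashlib.sha256(x).digest()

def chain(seed: bytes, n: int) -> bytes:
    """f applied n times to the seed, i.e. f^n(seed)."""
    x = seed
    for _ in range(n):
        x = f(x)
    return x

def printed_list(seed: bytes, n: int) -> List[bytes]:
    """The list a user could carry on paper: entry i is the password for login i,
    i.e. f^(n-1)(seed), f^(n-2)(seed), ..., f^1(seed)."""
    return [chain(seed, k) for k in range(n - 1, 0, -1)]

class SKeyClient:
    """Holds the secret seed (S/Key derives it from a passphrase) and walks
    down the chain, one password per login."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.n = seed, n
    def next_password(self) -> bytes:
        self.n -= 1
        return chain(self.seed, self.n)

class SKeyServer:
    """Stores only f^n(seed) and n. Producing the next password f^(n-1)(seed)
    from that would mean inverting f."""
    def __init__(self, seed: bytes, n: int):
        self.n = n
        self.last = chain(seed, n)   # computed once at setup; the seed is then discarded
    def login(self, password: bytes) -> bool:
        if self.n <= 1:
            return False             # chain exhausted: re-initialise with a fresh seed
        if f(password) != self.last:
            return False             # wrong value, or a replay of an already-used one
        self.n -= 1
        self.last = password         # the next login must present the preimage of this
        return True

if __name__ == "__main__":
    seed = b"constructed-seed"       # constructed sample, not a real secret
    server, client = SKeyServer(seed, 50), SKeyClient(seed, 50)
    p1 = client.next_password()
    print("first login:", server.login(p1))
    print("replay of the same password:", server.login(p1))
    print("second login:", server.login(client.next_password()))
```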

      Challenge-response systems
        Computer issues challenge, user presents response to verify secret information known/item possessed
        Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
        Note: password never sent on wire or network
        Attack: monkey-in-the-middle (man-in-the-middle): attacker sits between user and system, relaying challenges and responses
        Defense: mutual authentication (will discuss more sophisticated network-based protocols later)
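      Added example (not from these notes): a shared-secret mutual challenge-response exchange in Python, with both sides' messages. Assumptions: HMAC-SHA256 as the keyed response function (the notes' E(D(E(x))+1) is one of several possible choices), fresh random nonces as challenges, and role labels inside the responses. The secret never crosses the wire, and the role label stops a response reflected back at the party that produced it from being accepted. A relaying attacker who passes every message through unchanged is not stopped by this alone; that is what the more sophisticated network protocols mentioned above address.

```python
import hashlib
import hmac
import os
from typing import Tuple

def prove(secret: bytes, role: bytes, challenge: bytes, own_nonce: bytes) -> bytes:
    """Response to a challenge: keyed hash over the role label, the peer's
    challenge and the prover's own nonce. The secret itself is never sent."""
    return hmac.new(secret, role + challenge + own_nonce, hashlib.sha256).digest()

def run_protocol(client_secret: bytes, server_secret: bytes) -> Tuple[bool, bool]:
    """Runs the exchange; returns (server authenticated to client,
    client authenticated to server). Both secrets should be the same shared
    key; passing different ones simulates an impostor on either side."""
    # 1. client -> server: Nc, the client's challenge
    nc = os.urandom(16)
    # 2. server -> client: Ns and the server's answer to Nc. The server answers
    #    first, so an impostor server learns nothing from a cautious client.
    ns = os.urandom(16)
    server_proof = prove(server_secret, b"server", nc, ns)
    # 3. client verifies the server before sending anything derived from its own secret
    server_ok = hmac.compare_digest(server_proof, prove(client_secret, b"server", nc, ns))
    if not server_ok:
        return False, False
    # 4. client -> server: the client's answer to Ns, bound to Nc as well
    client_proof = prove(client_secret, b"client", ns, nc)
    client_ok = hmac.compare_digest(client_proof, prove(server_secret, b"client", ns, nc))
    return server_ok, client_ok

def reflection_blocked(secret: bytes) -> bool:
    """An attacker who relays the client's own challenge back to it obtains a
    'client' response; the role label keeps it from passing as a 'server' one."""
    n, m = os.urandom(16), os.urandom(16)
    return prove(secret, b"client", n, m) != prove(secret, b"server", n, m)

if __name__ == "__main__":
    k = b"constructed-shared-secret"   # constructed sample, not a real secret
    print("honest run:", run_protocol(k, k))
    print("impostor server:", run_protocol(k, b"impostor"))
    print("reflection blocked:", reflection_blocked(k))
```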

      Biometrics
        Depend on physical characteristics
        Examples: pattern of typing (remarkably effective), retinal scans, etc.

      Location
        Bind user to some location detection device (human, GPS)
        Authenticate by location of the device


      Department of Computer Science
      University of California at Davis
      Davis, CA 95616-8562

      Page last modified on 11/4/99