# Outline for March 3, 2003

## Discussion Problem

"To fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's resistance without fighting. In the practical art of war, the best thing of all is to take the enemy's country whole and intact; to shatter and destroy it is not so good. So, too, it is better to capture an army entire than to destroy it, to capture a regiment, a detachment, or a company entire than to destroy it."1

What does this paragraph say to a system administrator or security officer looking for insight into how to defend her systems?

## Outline for the Day

1. Password selection
    1. How UNIX does selection
    2. Problem: common passwords
    3. Maybe pass phrases: the goal is to make the search space as large as possible and the distribution over it as uniform as possible
    4. Other ways to force good password selection: random, pronounceable, computer-aided selection
    5. Go through the problems and the approaches to each, especially proactive checking
2. Attack schemes directed at the passwords
    1. Exhaustive search: UNIX passwords are 1-8 characters drawn from roughly 96 printable characters, so the space is about 7e15 (96^8 is about 7.2e15)
    2. Inspired guessing: think of what people would pick (see above)
    3. Random guessing: can't defend against it; login messages that reveal whether the name or the password was wrong aid it
    4. Scavenging: passwords are often typed where they might be recorded (as a login name, in other contexts, etc.)
    5. Ask the user: very common with some public access services
    6. Expected time to guess
3. Password aging
    1. Pick the age so that by the time a password is guessed it is no longer valid
    2. Implementation: track previous passwords vs. upper and lower time bounds
4. Ultimate in aging: one-time password
    1. Password is valid for only one use
    2. May work from a list, or the new password may be generated from the old one by a function
    3. Example: S/Key
5. Challenge-response systems
    1. Computer issues a challenge; user presents a response that verifies secret information known or an item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day; computer sends E(x), user decrypts it, adds 1 and answers E(x+1), i.e. E(D(E(x))+1)
    3. Note: password never sent on the wire or network
    4. Attack: monkey-in-the-middle
    5. Defense: mutual authentication
6. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
7. Location
    1. Bind user to some location-detecting device (human observer, GPS receiver)
    2. Authenticate by the location of the device
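The password selection and attack items above (common passwords, inspired guessing, exhaustive search, proactive checking) can be turned into a small proactive checker. This is an added example, not code from the original outline; the word list, the leet-speak map and the rejection rules are constructed for illustration, and a real checker would load a large dictionary and many more transformation rules.

```python
"""Proactive password checker, an added example that is not code from the
original page. DICTIONARY, LEET and the rules are constructed for
illustration; a real checker loads a large word list."""
import string

# Constructed toy word list; real checkers use tens of thousands of entries.
DICTIONARY = {"password", "secret", "dragon", "letmein", "welcome", "davis"}

ALPHABET_SIZE = 96   # printable characters, as in the outline's estimate
MIN_LENGTH = 8

# Assumed substitutions an "inspired guesser" undoes: 0->o, 1->i, 3->e, ...
LEET = str.maketrans("013457$@", "oieastsa")


def search_space(max_len: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of passwords of length 1..max_len over the alphabet; this is
    what an exhaustive search must cover (about 7.3e15 for 1-8 chars of 96)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def guessable_forms(pw: str) -> set:
    """Forms a word-list attack would try, derived from pw: lowercased,
    reversed, leet undone, trailing digits/punctuation removed."""
    base = pw.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    return {
        base,
        base[::-1],
        base.translate(LEET),
        stripped,
        base.translate(LEET).rstrip(string.digits + string.punctuation),
        stripped.translate(LEET),
    }


def character_classes(pw: str) -> int:
    """How many of lower/upper/digit/punctuation appear in pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(ch in cls for ch in pw))


def check_password(pw: str, login: str) -> list:
    """Reasons to reject pw for account `login`; an empty list means accept.
    Each rule mirrors an attack from the outline: short length and few
    character classes (exhaustive search), login name and dictionary words
    (inspired guessing)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(pw) < 3:
        reasons.append("fewer than three character classes")
    forms = guessable_forms(pw)
    if login.lower() in forms or login.lower()[::-1] in forms:
        reasons.append("derived from the login name")
    if forms & DICTIONARY:
        reasons.append("derived from a dictionary word")
    if len(set(pw)) < 4:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "Dr4g0n!!", "Alice2003", "correct-Horse-Battery-9"]:
        print(candidate, "->", check_password(candidate, "alice") or "accepted")
```

The checker applies the attacker's own transformations to the candidate before the dictionary lookup, which is what makes "Dr4g0n!!" fail even though it has four character classes: inspired guessing undoes the substitutions, so the transformations buy no search space.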
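The aging items (pick the age from the expected time to guess; track previous passwords against lower and upper time bounds) as an added example, not code from the original outline. The guessing-time formulas assume a uniformly chosen password and an attacker who learns nothing until the guess succeeds; `AgingRecord`, its iteration count and the `DAY` constant are this example's own assumptions.

```python
"""Password aging, an added example; not code from the original page.
Formulas assume uniform password choice and no feedback to the guesser."""
import hashlib
import os

DAY = 86400


def expected_guess_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search to hit a uniformly chosen
    password: on average half the space is covered first."""
    return space / (2.0 * guesses_per_second)


def max_age_seconds(space: int, guesses_per_second: float, max_probability: float) -> float:
    """Largest lifetime T for which an attacker guessing at G per second for
    the whole lifetime succeeds with probability at most p (T*G/space <= p).
    Set the upper aging bound at or below this so a guessed password has
    already expired."""
    return max_probability * space / guesses_per_second


class AgingRecord:
    """Per-account state: current salted hash, when it was set, and hashes of
    recent passwords. The lower bound stops a user from changing and then
    immediately changing back to evade the history; the upper bound forces a
    change before the guessing budget runs out."""

    ITERATIONS = 10_000   # kept low for the demo; production uses far more

    def __init__(self, password: str, now: float, min_age: float,
                 max_age: float, history_len: int = 5):
        self.min_age, self.max_age, self.history_len = min_age, max_age, history_len
        self.history = []                 # (salt, digest) of previous passwords
        self.current = self._hash(password)
        self.set_time = now

    @classmethod
    def _hash(cls, password: str, salt: bytes = None):
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)
        return salt, digest

    def expired(self, now: float) -> bool:
        """Upper bound: the password must be changed once this is true."""
        return now - self.set_time >= self.max_age

    def change(self, new_password: str, now: float):
        """Apply the lower time bound and the history check; returns (ok, reason)."""
        if now - self.set_time < self.min_age:
            return False, "below minimum age; cannot change yet"
        for salt, digest in [self.current] + self.history:
            if self._hash(new_password, salt)[1] == digest:
                return False, "password used recently"
        self.history = ([self.current] + self.history)[: self.history_len]
        self.current = self._hash(new_password)
        self.set_time = now
        return True, "changed"


if __name__ == "__main__":
    N, G = 7_300_000_000_000_000, 1e6     # ~7.3e15 passwords, 1e6 guesses/s
    print("expected guess time (days):", expected_guess_seconds(N, G) / DAY)
    print("max age for p<=0.01 (days):", max_age_seconds(N, G, 0.01) / DAY)
```

Note how weak the 8-character UNIX space is against a modern guessing rate: with one million guesses per second the p = 0.01 lifetime is on the order of months, and any faster attacker shrinks it proportionally.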
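The one-time password item (new password generated from the old by a function; example S/Key) as an added example, not code from the original outline or from the S/Key implementation. Real S/Key (RFC 1760) folds MD4 to 64 bits and prints the result as six short words; this example substitutes SHA-256 truncated to 8 bytes, an assumption made only so the block runs with the standard library.

```python
"""S/Key-style one-time passwords, an added example that is not code from the
original page. SHA-256 truncated to 64 bits stands in for S/Key's folded
MD4; the class and function names are this example's own."""
import hashlib


def skey_hash(x: bytes) -> bytes:
    """One step of the chain, truncated to 64 bits like S/Key's output."""
    return hashlib.sha256(x).digest()[:8]


def hash_chain(secret: str, seed: str, n: int) -> list:
    """[h^0, h^1, ..., h^n] with h^0 = secret||seed. Only h^n is handed to the
    server at enrollment; the secret never leaves the user's side."""
    x = (secret + seed).encode()
    chain = [x]
    for _ in range(n):
        x = skey_hash(x)
        chain.append(x)
    return chain


class SkeyServer:
    """Stores the seed, the sequence number of the last accepted OTP and that
    OTP itself (initially h^n). Each login must present the previous link,
    verified by hashing it once. An eavesdropper who sees h^k cannot invert
    the hash to get h^(k-1), and a replay fails because the server has
    already moved down the chain."""

    def __init__(self, seed: str, n: int, last_otp: bytes):
        self.seed, self.seq, self.last = seed, n, last_otp

    def remaining(self) -> int:
        # h^0 is the secret itself and must never be sent, so use stops at h^1
        return self.seq - 1

    def challenge(self):
        """Tell the user which link to produce next, or None once the chain is
        exhausted and must be re-enrolled with a fresh seed."""
        if self.remaining() <= 0:
            return None
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if skey_hash(otp) != self.last:
            return False          # wrong value, or a replay of an older OTP
        self.last, self.seq = otp, self.seq - 1
        return True


class SkeyClient:
    """Recomputes the requested link from the secret; in practice this runs on
    the user's machine or comes off a printed list of the chain."""

    def __init__(self, secret: str):
        self.secret = secret

    def respond(self, seq: int, seed: str) -> bytes:
        return hash_chain(self.secret, seed, seq)[-1]


def enroll(secret: str, seed: str, n: int):
    """Set up a server and client pair; only h^n crosses to the server."""
    return SkeyServer(seed, n, hash_chain(secret, seed, n)[-1]), SkeyClient(secret)


if __name__ == "__main__":
    srv, cli = enroll("correct horse", "ab12", 5)   # constructed secret and seed
    while (chal := srv.challenge()) is not None:
        otp = cli.respond(*chal)
        print("seq", chal[0], "accepted:", srv.verify(otp), "replay:", srv.verify(otp))
```

The seed lets one secret be reused across servers and after re-enrollment: a new seed gives an unrelated chain, so exhausting or compromising one chain says nothing about the next.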
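The challenge-response items (password never on the wire; monkey-in-the-middle attack; mutual authentication as the defense) as an added example, not code from the original outline. The message flow, the role labels, the HMAC-based responses and the derived session key are assumptions made for illustration; the shared key and nonces are generated in-process so the block runs offline.

```python
"""Challenge-response with mutual authentication, an added example that is
not code from the original page. Protocol shape and names are assumptions."""
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (a, bc) and (ab, c) differ."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


class Client:
    def __init__(self, key: bytes):
        self.key, self.session = key, None

    def start(self) -> bytes:
        self.nc = os.urandom(16)                    # client's challenge
        return self.nc

    def answer(self, ns: bytes, proof_s: bytes):
        """Check the server's proof before answering (mutual authentication);
        a fake server that cannot compute proof_s gets no response to relay."""
        if not hmac.compare_digest(proof_s, prf(self.key, b"server", self.nc, ns)):
            return None
        self.session = prf(self.key, b"session", self.nc, ns)
        return prf(self.key, b"client", self.nc, ns)


class Server:
    def __init__(self, key: bytes):
        self.key, self.session = key, None

    def challenge(self, nc: bytes):
        self.nc, self.ns = nc, os.urandom(16)       # server's challenge
        return self.ns, prf(self.key, b"server", nc, self.ns)

    def finish(self, proof_c: bytes) -> bool:
        if not hmac.compare_digest(proof_c, prf(self.key, b"client", self.nc, self.ns)):
            return False
        self.session = prf(self.key, b"session", self.nc, self.ns)
        return True


def seal(session: bytes, msg: bytes) -> bytes:
    """Authenticate a post-login message under the derived session key."""
    return msg + prf(session, b"data", msg)


def unseal(session: bytes, blob: bytes):
    msg, tag = blob[:-32], blob[-32:]
    return msg if hmac.compare_digest(tag, prf(session, b"data", msg)) else None


def run_handshake(client: Client, server: Server, wire: list) -> bool:
    """Drive the exchange, recording every message that crosses the wire.
    Only nonces and HMACs appear there; the shared secret never does."""
    nc = client.start()
    wire.append(nc)
    ns, proof_s = server.challenge(nc)
    wire += [ns, proof_s]
    proof_c = client.answer(ns, proof_s)
    if proof_c is None:
        return False
    wire.append(proof_c)
    return server.finish(proof_c)


def relay_attack(client: Client, server: Server):
    """Monkey-in-the-middle that relays the handshake unchanged. The client
    does get authenticated, but the attacker, holding only the transcript,
    has no session key and cannot inject a command the server accepts.
    Returns (login accepted, injected command accepted)."""
    wire = []
    accepted = run_handshake(client, server, wire)
    guessed = prf(b"", b"session", *wire)       # best guess from the transcript
    injected = unseal(server.session, seal(guessed, b"rm -rf /")) if accepted else None
    return accepted, injected is not None


def fake_server_attack(client: Client):
    """Attacker impersonates the server without the key. With mutual
    authentication the client refuses, so there is no response to harvest."""
    nc = client.start()
    ns, proof_s = Server(os.urandom(32)).challenge(nc)
    return client.answer(ns, proof_s)              # None: client refuses
```

Without the derived session key, a relaying attacker who forwards the handshake owns the authenticated connection afterwards, which is the outline's monkey-in-the-middle; binding later traffic to a key only the two secret holders can compute is what makes the relayed authentication useless to the attacker.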

1 Sun Tzu, The Art of War, James Clavell, ed., Dell Publishing, New York, NY ©1983, p. 15
