Lecture 22 Outline

Reading: §126
Due: Homework 4, due on May 25, 2018 at 11:59pm; Lab 3, due on May 23, 2018 at 11:59pm

1. Firewalls
   1. Why use them?
   2. Packet-level or filtering firewalls
   3. Application layer or proxy firewalls
2. Network organization
   1. Inside/outside
   2. Inside/DMZ/outside
   3. How email and web services (and others) are handled
3. Denial of service attacks
   1. SYN cookies
   2. Adaptive time-out
4. Authentication
   1. Validating client (user) identity
   2. Validating server (system) identity
   3. Validating both (mutual authentication)
   4. Basis: what you know/have/are, where you are
5. Passwords
   1. Problem: common passwords
   2. Ways to force good password selection: random, pronounceable, computer-aided selection
   3. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible
6. Attacks
   1. Exhaustive search
   2. Inspired guessing: think of what people would like (see above)
   3. Random guessing: can’t defend against it; bad login messages aid it
   4. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
   5. Ask the user: very common with some public access services
7. Password aging
   1. Pick age so when password is guessed, it’s no longer valid
   2. Implementation: track previous passwords vs. upper, lower time bounds
8. Ultimate in aging: One-Time Password
   1. Password is valid for only one use
   2. May work from list, or new password may be generated from old by a function
9. Challenge-response systems
   1. Computer issues challenge, user presents response to verify secret information known/item possessed
   2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
   3. Note: password never sent over network
10. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
11. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 153, Computer Security Version of May 20, 2018 at 9:05PM

You can also obtain a PDF version of this.