Lecture 23 Outline

Reading: § 12, 16
Due: Homework 4, due on May 30, 2018 at 11:59pm; Lab 3, due on May 23, 2018 at 11:59pm

  1. Attacks
    1. Speeding up guessing: rainbow tables
    2. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
    3. Ask the user: very common with some public access services
  2. Defenses
    1. For trial and error at login: dropping or back-off
    2. For thwarting dictionary attacks: salting
  3. Password aging
    1. Pick age so when password is guessed, it’s no longer valid
    2. Implementation: track previous passwords vs. upper, lower time bounds
  4. Ultimate in aging: One-Time Password
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function
  5. Challenge-response systems
    1. Computer issues challenge, user presents response to verify secret information known/item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent over network
  6. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  7. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device
  8. Access Control Lists
    1. UNIX method
    2. Full ACLs: describe, revocation issue
  9. Capabilities
    1. Capability-based addressing
    2. Inheritance of C-Lists
    3. Revocation: use of a global descriptor table
  10. Lock and Key
    1. Associate with each object a lock; associate with each process that has access to object a key (it’s a cross between ACLs and C-Lists)
    2. Example: cryptographic (Gifford). X object enciphered with key K. Associate an opener R with X. Then:
      OR-Access: K can be recovered with any Di in a list of n deciphering transformations, so R = (E1(K), E2(K), …, En(K)) and any process with access to any of the Di’s can access the file
      AND-Access: need all n deciphering functions to get K: R = E1(E2(… En(K)) …)) ks
  11. Secret sharing

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 153, Computer Security
Version of May 22, 2018 at 6:41PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh