Lecture 22: May 17, 2021

Reading: text, §12.5.3, 13
Due: Homework 4, May 24

  1. Problems with SSL

  2. Authentication
    1. Validating client (user) identity
    2. Validating server (system) identity
    3. Validating both (mutual authentication)
    4. Basis: what you know/have/are, where you are

  3. Passwords
    1. Problem: common passwords
    2. Ways to force good password selection: random, pronounceable, computer-aided selection
    3. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible

  4. Attacks
    1. Exhaustive search
    2. Inspired guessing: think of what people would like (see above)
    3. Random guessing: can’t defend against it; bad login messages aid it
    4. Scavenging: passwords are often typed where they may be recorded (as a login name, in other contexts, etc.)
    5. Ask the user: very common with some public access services

  5. Defenses
    1. For trial and error at login: dropping or back-off
    2. For thwarting dictionary attacks: salting
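
The two defenses in item 5, as an added example that is not part of the original lecture notes: per-user salted password hashing (PBKDF2-HMAC-SHA256 is assumed as the password hash; any slow, salted scheme works the same way) and a capped exponential back-off on failed logins. The sample dictionary and the user/password pairs are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value; raise it in production)

# Constructed sample: a small dictionary of common passwords (illustrative only)
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Hash a password with a random per-user salt; returns (salt, digest).

    The salt is stored next to the digest and is not secret. Its job is to
    make every user's stored value differ even when two passwords are equal,
    so one precomputed dictionary cannot be checked against all accounts.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(dictionary) -> Dict[bytes, str]:
    """One-time table of unsalted SHA-256 digests: the precomputation that
    salting is meant to render useless."""
    return {hashlib.sha256(p.encode("utf-8")).digest(): p for p in dictionary}


def lookup_hits(table: Dict[bytes, str], stored: Dict[str, bytes]) -> Dict[str, str]:
    """Which stored digests appear in the precomputed table (user -> word)."""
    return {user: table[d] for user, d in stored.items() if d in table}


def unsalted_vs_salted(dictionary, users: Dict[str, str]) -> Tuple[int, int]:
    """Number of accounts a single precomputed table matches under each scheme.

    users maps username -> password (constructed sample data). With unsalted
    SHA-256 every dictionary password is found at once; with per-user salts
    the same table matches nothing.
    """
    table = precomputed_table(dictionary)
    unsalted_store = {u: hashlib.sha256(p.encode("utf-8")).digest() for u, p in users.items()}
    salted_store = {u: hash_password(p)[1] for u, p in users.items()}
    return len(lookup_hits(table, unsalted_store)), len(lookup_hits(table, salted_store))


def backoff_delay(failed_attempts: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait before accepting another login attempt after
    failed_attempts consecutive failures: exponential back-off, capped so
    that repeated bad guesses cannot lock the real user out indefinitely."""
    if failed_attempts <= 0:
        return 0.0
    return min(cap, base * 2.0 ** (failed_attempts - 1))


if __name__ == "__main__":
    sample_users = {"alice": "password", "bob": "password", "carol": "letmein"}
    print("table hits (unsalted, salted):", unsalted_vs_salted(COMMON_PASSWORDS, sample_users))
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print("back-off schedule:", [backoff_delay(n) for n in range(8)])
```

Note that salting does not make a weak password strong: an attacker who obtains the stored salt can still try the dictionary against that one account, which is why the hash must also be slow (the iteration count) and why the password-selection advice in item 3 still matters.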

Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 135, Computer Security
Version of May 18, 2021 at 11:15PM

