Lecture 9: Authentication

Date: October 16, 2013
Homework due: Oct. 18 at 5:00pm

  1. Attributes that identify you
    1. What you know
    2. What you have
    3. What you are
    4. Where you are
  2. Passwords
    1. How to pick them (and what to look out for)
      1. Problem: common passwords
      2. Complex passwords
      3. Pass-phrases
    2. How they are stored
      1. In the clear (readable only by root or the authentication system)
      2. Enciphered (key must be available)
      3. Cryptographically hashed; also, salted
    3. How long they are good for (password aging)
      1. Tracking previous passwords vs. expire after n days
      2. One-time passwords (use once only)
    4. How people try to get your password
      1. Exhaustive search: password is 1 to 8 chars, say 96 possible chars; that is sum of 96^k for k = 1..8, about 7×10^15 guesses
      2. Inspired guessing: think of what people would like (see above)
      3. Random guessing: can’t defend against it; login error messages that reveal which part of the login was wrong aid it
      4. Scavenging: passwords often get typed where they are recorded, e.g. mistakenly entered in the login name field (which is logged), or reused in other contexts, etc.
      5. Ask the user: very common with some public access services
  3. Challenge-response
    1. Computer issues challenge, user presents response to verify secret information known or item possessed
    2. Example operations: f(x) = x+1, x random; string (for users without computers); something based on time of day; computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent on wire or network
  4. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  5. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device
  6. Multi-factor authentication
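Worked example for sections 2.2 (how passwords are stored) and 2.4 (how people try to get them). This is added illustration code, not from the lecture notes: it stores the same password for two constructed users first as an unsalted hash and then salted and iterated, computes the exhaustive-search count from 2.4.1, and runs one short guess list (a constructed stand-in for an "inspired guessing" dictionary) against both storage forms. PBKDF2-SHA256, the 100,000-iteration work factor, the on-disk record format and the user names are my assumptions.

```python
"""Password storage and guessing (lecture sections 2.2 and 2.4).

Added example, not lecture code. The sample users and the guess list are
constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumption): makes each guess cost real CPU


def unsalted_hash(password: str) -> str:
    """Cryptographic hash with no salt: equal passwords give identical records."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Record format (assumed): pbkdf2_sha256$iters$salt$digest."""
    if salt is None:
        salt = os.urandom(16)          # fresh per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt stored in the record; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Passwords of length 1..max_len over the alphabet: sum of alphabet_size**k (2.4.1)."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def crack_unsalted(records: Dict[str, str], guesses: Iterable[str]) -> Dict[str, str]:
    """Inspired guessing against unsalted hashes: hash each guess once, look up every user."""
    table = {unsalted_hash(g): g for g in guesses}   # one table serves all users
    return {user: table[h] for user, h in records.items() if h in table}


def crack_salted(records: Dict[str, str], guesses: Iterable[str]) -> Dict[str, str]:
    """Same guesses against salted records: no shared table, each (user, guess) is a full PBKDF2 run."""
    guesses = list(guesses)
    found: Dict[str, str] = {}
    for user, record in records.items():
        for g in guesses:
            if verify_password(g, record):
                found[user] = g
                break
    return found


if __name__ == "__main__":
    # Constructed data: two users who chose the same common password.
    users = {"alice": "password", "bob": "password"}
    common = ["123456", "password", "qwerty", "letmein"]   # tiny stand-in for a dictionary

    print(f"96-char alphabet, 1-8 chars: {keyspace(96, 8):.1e} guesses")

    plain = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    print("unsalted records identical:", plain["alice"] == plain["bob"])
    print("salted records identical:  ", salted["alice"] == salted["bob"])
    print("cracked (unsalted):", crack_unsalted(plain, common))
    print("cracked (salted):  ", crack_salted(salted, common))
    print("login alice/password:", verify_password("password", salted["alice"]))
    print("login alice/Password:", verify_password("Password", salted["alice"]))
```

The salt does not stop a guess that is in the attacker's list; both crack functions find "password". What it removes is the shared table: with unsalted hashes one hash per guess is checked against every stored record, with salted records the attacker pays the full iterated hash for every user separately, which is why the work factor and the salt go together.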
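Worked example for section 3 (challenge-response), added here and not part of the lecture notes. It substitutes a keyed MAC (HMAC-SHA256 under a key K derived from the password) for the lecture's E/D cipher pair, so the response is f_K(x) rather than E(D(E(x))+1); the protocol shape is the lecture's: the computer sends a fresh random x, the user answers with a function of x and the secret, and the transcript never carries the password (3.3). It also includes the "something based on time of day" variant (3.2) as a time-windowed response. The Server/Client names, the public salt sent with the challenge, PBKDF2 for key derivation and the 30-second window are my assumptions.

```python
"""Challenge-response login (lecture section 3), plus the time-of-day variant.

Added example, not lecture code. HMAC-SHA256 under a password-derived key
stands in for the lecture's E/D pair; the server stores the derived key K,
never the password, and the password never crosses the wire.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

Wire = List[Tuple[str, bytes]]   # transcript of (direction, message) pairs, for inspection


def derive_key(password: str, salt: bytes) -> bytes:
    """K = PBKDF2(password, salt); the salt is public, K is the shared secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def response(key: bytes, challenge: bytes) -> bytes:
    """f_K(x): the user's answer to challenge x. Only a holder of K can compute it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Holds (salt, K) for the user and issues one fresh random challenge per login attempt."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.key = derive_key(password, self.salt)   # enrolment; the password itself is discarded
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)                 # fresh x, so an old response is useless
        return self.pending

    def check(self, answer: bytes) -> bool:
        if self.pending is None:                      # no outstanding challenge: reject replays
            return False
        expected = response(self.key, self.pending)
        self.pending = None                           # single use
        return hmac.compare_digest(expected, answer)


class Client:
    """The user side: knows the password, derives K with the public salt, answers challenges."""

    def __init__(self, password: str) -> None:
        self.password = password

    def respond(self, salt: bytes, challenge: bytes) -> bytes:
        return response(derive_key(self.password, salt), challenge)


def login(server: Server, client: Client, wire: Wire) -> bool:
    """One protocol run; every message that crosses the wire is appended to the transcript."""
    x = server.challenge()
    wire.append(("server->client", server.salt + x))
    r = client.respond(server.salt, x)
    wire.append(("client->server", r))
    return server.check(r)


# "Something based on time of day": the challenge is the current 30-second window,
# so the server need not send anything. The window size is an assumption.
STEP = 30


def time_based_response(key: bytes, now: float, step: int = STEP) -> str:
    window = int(now // step).to_bytes(8, "big")
    return hmac.new(key, window, hashlib.sha256).hexdigest()[:8]


def verify_time_based(key: bytes, answer: str, now: float,
                      step: int = STEP, skew: int = 1) -> bool:
    """Accept the current window and `skew` windows either side, to tolerate clock drift."""
    return any(hmac.compare_digest(time_based_response(key, now + d * step, step), answer)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    srv = Server("correct horse battery")
    wire: Wire = []
    print("right password:", login(srv, Client("correct horse battery"), wire))
    print("wrong password:", login(srv, Client("wrong"), wire))
    print("password on wire:", any(b"correct horse" in m for _, m in wire))
    x = srv.challenge()
    r = Client("correct horse battery").respond(srv.salt, x)
    print("first use:", srv.check(r), " replay:", srv.check(r))
    k = derive_key("correct horse battery", srv.salt)
    print("time-based:", verify_time_based(k, time_based_response(k, 1000.0), now=1020.0))
```

Two properties are worth checking in the transcript: the only client-to-server message is the MAC, so an eavesdropper learns f_K(x) for one x and nothing about the password; and because the server discards the pending challenge after one check, replaying that same response later fails. The server-side cost is that K is password-equivalent, so the stored keys need the same protection as a password file.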


Version of October 16, 2013 at 9:09AM