Outline for October 12, 2022

Reading: text, §12.1,12.4, 13
Due: Homework 2, due October 21; Progress report, due Nov 4


  1. Privacy-enhanced email

  2. Authentication
    1. Validating client (user) identity
    2. Validating server (system) identity
    3. Validating both (mutual authentication)
    4. Basis: what you know/have/are, where you are

  3. Passwords
    1. Problem: common passwords, easy to guess passwords
    2. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible

  4. Attacks
    1. Exhaustive search
    2. Guessing
    3. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
    4. Ask the user: very common with some public access services

  5. Defenses
    1. For trial and error at login: dropping or back-off
    2. For thwarting dictionary attacks: salting

  6. One-Time Password
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function or a hardware token

  7. Challenge-response systems
    1. Computer issues challenge, user presents response to verify secret information known/item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent over network

  8. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.

  9. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device

  10. Multi-factor authentication

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 235A, Computer and Information Security
Version of October 11, 2022 at 8:40PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh