Notes for January 28, 1998
- Greetings and felicitations!
- Reading: Pfleeger, pp.254-264; Garfinkel & Spafford, pp. 246-270
- Puzzle
- Attack Schemes Directed to the Passwords
- Exhaustive search: UNIX is 1-8 chars, say 96 possibles; it's about 7e16
- Inspired guessing: think of what people would like (see above)
- Random guessing: can't defend against it; bad login messages aid it
- Scavenging: passwords often typed where they might be recorded as login
name, in other contexts, etc.
- Ask the user: very common with some public access services
- Expected time to guess
- Password aging
- Pick age so when password is guessed, it's no longer valid
- Implementation: track previous passwords vs. upper, lower time bounds
- Ultimate in aging: One-Time Pads
- Password is valid for only one use
- May work from list, or new password may be generated from old by a
function
- Example: S/Key
- Challenge-response systems
- Computer issues challenge, user presents response to verify secret
information known/item possessed
- Example operations: f(x) = x+1, random, string (for
users without computers), time of day, computer sends E(x), you
answer E(D(E(x))+1)
- Note: password never sent on wire or network
- Attack: monkey-in-the-middle
- Defense: mutual authentication (will discuss more sophisticated
network-based protocols later)
[ ended here ]
- Biometrics
- Depend on physical characteristics
- Examples: pattern of typing (remarkably effective), retinal scans,
etc.
- Location
- Bind user to some location detection device (human, GPS)
- Authenticate by location of the device
You can also see this document
in its native format,
in Postscript,
in PDF,
or
in ASCII text.
Send email to
cs153@csif.cs.ucdavis.edu.
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 2/13/98