Outline for March 4, 2002
Reading:
§12.1-12.3
Greetings and Felicitations
Puzzle of the day
Authentication:
validating client (user) identity
validating server (system) identity
validating both (mutual authentication)
Basis: what you know/have/are, where you are
Passwords
How UNIX does selection
Problem: common passwords; Go through Morris and Thompson ; Klein and mine,
etc
.
May be pass phrases: goal is to make search space as large as possible, distribution as uniform as possible
Other ways to force good password selection: random, pronounceable, computer-aided selection
Go through problems, approaches to each,
esp
. proactive
Password Storage
In the clear; MULTICS story
Enciphers; key must be kept available; get to it and it's all over
Hashed; present idea of one-way functions using identity and sum
Show UNIX version
Attack Schemes Directed to the Passwords
Exhaustive search: UNIX is 1-8 chars, say 96 possibles; it's about 7e16
Inspired guessing: think of what people would like (see above)
Random guessing: can't defend against it; bad login messages aid it
Scavenging: passwords often typed where they might be recorded (b\as login name, in other contexts,
etc
.
Ask the user: very common with some public access services
Expected time to guess
Password aging
Pick age so when password is guessed, it's no longer valid
Implementation: track previous passwords vs. upper, lower time bounds
Ultimate in aging: One-Time Password
Password is valid for only one use
May work from list, or new password may be generated from old by a function
Example: S/Key
Challenge-response systems
Computer issues challenge, user presents response to verify secret information known/item possessed
Example operations:
f
(
x
) =
x
+1, random, string (for users without computers), time of day, computer sends
E
(
x
), you answer
E
(
D
(
E
(
x
))+1)
Note: password never sent on wire or network
Attack: monkey-in-the-middle
Defense: mutual authentication
ECS 153, Introduction to Computer Security
Winter Quarter 2002
Email:
cs153@cs.ucdavis.edu