Lecture 17 Outline

Reading: text, §12, 13
Due: Homework 4, on May 26

1. Greetings and felicitations!
   1. Discussion question
2. SSL
   1. How the program works
   2. Heartbleed
   3. Poodle
   4. Comparison with TLS
3. Attacks
   1. Exhaustive search: password is 1 to 8 chars, say 96 possibles; it’s about 7×10¹⁶
   2. Inspired guessing: think of what people would like (see above)
   3. Random guessing: can’t defend against it; bad login messages aid it
   4. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
   5. Ask the user: very common with some public access services
4. Password aging
   1. Pick age so when password is guessed, it’s no longer valid
   2. Implementation: track previous passwords vs. upper, lower time bounds
5. Ultimate in aging: One-Time Password
   1. Password is valid for only one use
   2. May work from list, or new password may be generated from old by a function
6. Challenge-response systems
   1. Computer issues challenge, user presents response to verify secret information known/item possessed
   2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
   3. Note: password never sent on wire or network
7. Biometrics
   1. Depend on physical characteristics
   2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
8. Location
   1. Bind user to some location detection device (human, GPS)
   2. Authenticate by location of the device

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 153, Computer Security Version of May 25, 2016 at 11:38PM You can also obtain a PDF version of this.