Lecture 18: November 4, 2019

Reading: C text, §12.5.3, 13
Due: Lab 2, due November 6, 2019; Homework 3, due November 8, 2019


  1. Greetings and felicitations!
    1. Midterms should be back by Friday at the latest
  2. Puzzle of the Day
  3. TLS and SSL
    1. Upper layer
      1. TLS handshake protocol
      2. TLS change cipher spec protocol
      3. TLS alert protocol
      4. TLS heartbeat extension
      5. TLS application protocol
    2. TLS vs. SSLv3
  4. Authentication
    1. Validating client (user) identity
    2. Validating server (system) identity
    3. Validating both (mutual authentication)
    4. Basis: what you know/have/are, where you are
  5. Passwords
    1. Problem: common passwords
    2. Ways to force good password selection: random, pronounceable, computer-aided selection
    3. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible
  6. Attacks
    1. Exhaustive search
    2. Inspired guessing: think of what people would like (see above)
    3. Random guessing: can’t defend against it; bad login messages aid it
    4. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
    5. Ask the user: very common with some public access services
  7. Defenses
    1. For trial and error at login: dropping or back-off
    2. For thwarting dictionary attacks: salting
  8. Password aging
    1. Pick age so when password is guessed, it’s no longer valid
    2. Implementation: track previous passwords vs. upper, lower time bounds
  9. Ultimate in aging: One-Time Password
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function
  10. Challenge-response systems
    1. Computer issues challenge, user presents response to verify secret information known/item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent over network
  11. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  12. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 153, Computer Security
Version of November 5, 2019 at 5:49PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh