Lecture 18: November 4, 2019
Reading: C text, §12.5.3, 13
Due: Lab 2, due November 6, 2019; Homework 3, due November 8, 2019
- Greetings and felicitations!
- Midterms should be back by Friday at the latest
- Puzzle of the Day
- TLS and SSL
  - Upper layer
    - TLS handshake protocol
    - TLS change cipher spec protocol
    - TLS alert protocol
    - TLS heartbeat extension
    - TLS application protocol
  - TLS vs. SSLv3
- Authentication
  - Validating client (user) identity
  - Validating server (system) identity
  - Validating both (mutual authentication)
  - Basis: what you know, what you have, what you are, where you are
- Passwords
  - Problem: common passwords
  - Ways to force good password selection: random, pronounceable, computer-aided selection
  - Best: use passphrases; the goal is to make the search space as large as possible and the distribution over it as uniform as possible
- Attacks
  - Exhaustive search
  - Inspired guessing: think of what people would like (see above)
  - Random guessing: can’t defend against it; bad login messages aid it
  - Scavenging: passwords are often typed where they might be recorded (as the login name, in other contexts, etc.)
  - Ask the user: very common with some public access services
- Defenses
  - For trial and error at login: dropping or back-off
  - For thwarting dictionary attacks: salting
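The two defenses above, worked through in code. This is an added example, not from the lecture or the course text: it stores each password as a PBKDF2-SHA256 digest under a per-account random salt (so one precomputed dictionary cannot be checked against every account at once), imposes an exponential back-off after failed attempts, and gives the same answer for an unknown name and a wrong password so the login message does not help a guesser. The hash function, iteration count, delay values and the `LoginServer` API are all assumptions.

```python
"""Salted password storage with per-account back-off (added example; not from the lecture)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2 (an assumption; tune for the hardware that verifies logins).
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per account means that two accounts
    with the same password store different digests, so a dictionary of precomputed
    hashes cannot be checked against every account at once."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class LoginServer:
    """Password file plus exponential back-off for trial-and-error attempts."""

    BASE_DELAY = 1.0   # seconds imposed after the first failure (assumption)
    MAX_DELAY = 60.0   # cap so a flood of failures cannot lock the user out forever

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, int] = {}
        # Used when the account does not exist, so an unknown name costs the same
        # hashing time as a wrong password (no user-enumeration timing hint).
        self._dummy = hash_password(secrets.token_hex(8))

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = hash_password(password)

    def required_delay(self, name: str) -> float:
        """Delay before the next attempt: 0, 1, 2, 4, ... seconds, capped."""
        n = self.failures.get(name, 0)
        if n == 0:
            return 0.0
        return min(self.BASE_DELAY * 2 ** (n - 1), self.MAX_DELAY)

    def login(self, name: str, password: str) -> Tuple[bool, float]:
        """Return (success, seconds the caller must wait before retrying).
        The same result is produced for an unknown name and a wrong password,
        so the response does not reveal which names exist."""
        salt, digest = self.users.get(name, self._dummy)
        matched = verify_password(password, salt, digest)  # always runs, even for unknown names
        if matched and name in self.users:
            self.failures[name] = 0
            return True, 0.0
        self.failures[name] = self.failures.get(name, 0) + 1
        return False, self.required_delay(name)
```

Hashing the same passphrase twice yields two different salts and digests; three wrong guesses for one account raise the required wait to 1, 2 and 4 seconds, and a correct login resets it.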
- Password aging
  - Pick the age so that by the time a password is guessed, it’s no longer valid
  - Implementation: track previous passwords vs. upper, lower time bounds
  - Ultimate in aging: one-time password
    - Password is valid for only one use
    - May work from a list, or the new password may be generated from the old one by a function
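Both one-time password styles, as an added example that is not from the lecture: a printed list whose entries the server crosses off as they are used, and a Lamport hash chain, where consecutive passwords are related by a one-way function. In the chain the function runs backwards from the user's point of view: the i-th password is h^(n-i)(seed), so the server can check a password by hashing it once, but someone who captures a used password cannot derive the next one (that would require a preimage). SHA-256 as the one-way function, the class names and the list-entry format are assumptions.

```python
"""One-time passwords (added example; not from the lecture): a list that is crossed
off entry by entry, and a Lamport hash chain."""
import hashlib
import hmac
import secrets
from typing import List


def h(x: bytes) -> bytes:
    """The one-way function of the chain (SHA-256 here; an assumption)."""
    return hashlib.sha256(x).digest()


class ListOTP:
    """'Work from list': the user holds the printed list; the server keeps only
    hashes of the entries still unused, so a stolen server file does not reveal them."""

    def __init__(self, count: int) -> None:
        self.plaintext_list: List[str] = [secrets.token_hex(6) for _ in range(count)]  # handed to the user
        self._remaining = {h(p.encode()) for p in self.plaintext_list}                   # kept by the server

    def login(self, password: str) -> bool:
        tag = h(password.encode())
        if tag in self._remaining:
            self._remaining.discard(tag)   # crossed off: presenting this entry again fails
            return True
        return False


class LamportClient:
    """Holds the seed; the i-th password is h^(n-i)(seed), the preimage of the
    password presented just before it."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.seed, self.n, self.used = seed, n, 0

    def _chain(self, k: int) -> bytes:
        x = self.seed
        for _ in range(k):
            x = h(x)
        return x

    def initial_verifier(self) -> bytes:
        return self._chain(self.n)   # h^n(seed), registered with the server once

    def next_password(self) -> bytes:
        if self.used >= self.n:
            raise RuntimeError("chain exhausted; re-register with a new seed")
        self.used += 1
        return self._chain(self.n - self.used)


class LamportServer:
    """Stores only the last accepted password; accepts p iff h(p) equals it."""

    def __init__(self, verifier: bytes) -> None:
        self.verifier = verifier

    def login(self, password: bytes) -> bool:
        if hmac.compare_digest(h(password), self.verifier):
            self.verifier = password   # advance the chain; this password is now spent
            return True
        return False
```

With a chain of length 4 the user gets exactly four logins; replaying a password fails because hashing it gives the previous link, not the current verifier, and a fifth request for a password raises because the seed itself was the last one.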
- Challenge-response systems
  - Computer issues a challenge; user presents a response to verify secret information known or an item possessed
  - Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
  - Note: password never sent over network
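The challenge-response exchange above in code, as an added example that is not from the lecture. In place of the lecture's E(x)/D(E(x)) operations it uses a keyed hash: the shared secret is a key derived from the password, the computer sends a fresh random challenge, and the user returns HMAC(key, "client" || challenge). Because the challenge is consumed after one use, a response captured on the wire cannot be replayed, and the transcript never contains the password. It also includes the server's own proof to the client, which gives the mutual authentication mentioned under "Authentication". The key derivation, the "client"/"server" role labels and the pre-shared salt are assumptions.

```python
"""Challenge-response login over a hostile network (added example; not from the lecture)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def derive_key(password: str, salt: bytes) -> bytes:
    """Shared secret: a key derived from the password (assumption: the salt is
    provisioned to both sides at enrollment)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def keyed_response(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Response = HMAC(key, role || challenge). The role label stops a client
    response from being reflected back as a server proof."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}      # user -> derived key
        self.pending: Dict[str, bytes] = {}   # user -> outstanding challenge

    def enroll(self, user: str, password: str, salt: bytes) -> None:
        self.keys[user] = derive_key(password, salt)

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)   # fresh and unpredictable, so old responses are useless
        self.pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> Optional[bytes]:
        """Return the server's own proof on success, None on failure. The challenge
        is consumed either way, so a captured response cannot be tried twice."""
        c = self.pending.pop(user, None)
        key = self.keys.get(user)
        if c is None or key is None:
            return None
        if not hmac.compare_digest(keyed_response(key, b"client", c), response):
            return None
        return keyed_response(key, b"server", c)


class Client:
    def __init__(self, password: str, salt: bytes) -> None:
        self.key = derive_key(password, salt)

    def respond(self, c: bytes) -> bytes:
        return keyed_response(self.key, b"client", c)

    def check_server(self, c: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(keyed_response(self.key, b"server", c), proof)


def run_exchange(server: Server, user: str, client: Client) -> Tuple[bool, bool, List[Tuple[str, bytes]]]:
    """Run one mutual authentication; return (client_ok, server_ok, transcript),
    the transcript being everything an eavesdropper on the network would see."""
    transcript: List[Tuple[str, bytes]] = []
    c = server.challenge(user)
    transcript.append(("server->client", c))
    r = client.respond(c)
    transcript.append(("client->server", r))
    proof = server.verify(user, r)
    transcript.append(("server->client", proof if proof is not None else b"REJECT"))
    return proof is not None, proof is not None and client.check_server(c, proof), transcript
```

A client holding the right password authenticates and confirms the server; a wrong password fails both ways; the captured response is rejected on a second presentation; and the transcript contains only the challenge and keyed hashes.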
- Biometrics
  - Depend on physical characteristics
  - Examples: pattern of typing (remarkably effective), retinal scans, etc.
- Location
  - Bind user to some location detection device (human, GPS)
  - Authenticate by location of the device