Outline for October 16, 2024

>Reading: text. §12.4, 13
Due: Homework 2, due October 23; Project progress report, due November 1

1. Fast Exponentiation

2. Privacy-enhanced email

3. Authentication
   1. Validating client (user) identity
   2. Validating server (system) identity
   3. Validating both (mutual authentication)
   4. Basis: what you know/have/are, where you are

4. Passwords
   1. Problem: common passwords, easy to guess passwords
   2. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible

5. Attacks
   1. Exhaustive search
   2. Guessing
   3. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
   4. Ask the user: very common with some public access services

6. Defenses
   1. For trial and error at login: dropping or back-off
   2. For thwarting dictionary attacks: salting

7. Challenge-response systems
   1. Computer issues challenge, user presents response to verify secret information known/item possessed
   2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
   3. Note: password never sent over network

8. One-Time Password
   1. Password is valid for only one use
   2. May work from list, or new password may be generated from old by a function or a hardware token

9. Biometrics
   1. Depend on physical characteristics
   2. Examples: pattern of typing (remarkably effective), retinal scans, etc.

10. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device

11. Multi-factor authentication

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 235A, Computer and Information Security Version of October 15, 2024 at 3:38PM

You can also obtain a PDF version of this.