Notes for November 3, 1999

  1. Greetings and Felicitations!
  2. Puzzle of the Day
  3. Authentication:
      validating client (user) identity
      validating server (system) identity
      validating both (mutual authentication)

      Basis

      What you know
      What you have
      What you are

    Passwords
      How UNIX does selection
      Problem: common passwords; go through Morris and Thompson; Klein and mine, etc.
      May be pass phrases: goal is to make search space as large as possible, distribution as uniform as possible
      Other ways to force good password selection: random, pronounceable, computer-aided selection
      Go through problems, approaches to each, esp. proactive

    Password Storage
      In the clear; MULTICS story
      Enciphered; key must be kept available; get to it and it's all over
      Hashed; present idea of one-way functions using identity and sum
      Show UNIX version

    Attack Schemes Directed to the Passwords
      Exhaustive search: UNIX is 1-8 chars, say 96 possibles; it's about 7e16
      Inspired guessing: think of what people would like (see above)
      Random guessing: can't defend against it; bad login messages aid it
      Scavenging: passwords often typed where they might be recorded (e.g., typed in place of the login name, in other contexts, etc.)
      Ask the user: very common with some public access services
      Expected time to guess

    Password aging
      Pick age so when password is guessed, it's no longer valid
      Implementation: track previous passwords vs. upper, lower time bounds

      Ultimate in aging: One-Time Pads
        Password is valid for only one use
        May work from list, or new password may be generated from old by a function
        Example: S/Key

      Challenge-response systems
        Computer issues challenge, user presents response to verify secret information known/item possessed
        Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
        Note: password never sent on wire or network
        Attack: monkey-in-the-middle
        Defense: mutual authentication (will discuss more sophisticated network-based protocols later)

      Biometrics
        Depend on physical characteristics
        Examples: pattern of typing (remarkably effective), retinal scans, etc.

      Location
        Bind user to some location detection device (human, GPS)
        Authenticate by location of the device
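Added example (not part of the original notes): an S/Key-style one-time password chain in the sense of "new password may be generated from old by a function". The one-way function f is assumed to be SHA-256 and the secret is constructed for the demo; the server stores only f^n(secret), the client presents f^(n-1)(secret), f^(n-2)(secret), ... and a replayed password is rejected.

```python
import hashlib
import hmac

def otp_step(value: bytes) -> bytes:
    """One application of the one-way function f (SHA-256 assumed here)."""
    return hashlib.sha256(value).digest()

def generate_chain(secret: bytes, n: int) -> bytes:
    """Return f^n(secret): f applied n times. The server keeps only f^n(secret)."""
    v = secret
    for _ in range(n):
        v = otp_step(v)
    return v

class SKeyServer:
    """Holds the current chain head and how many one-time passwords remain."""
    def __init__(self, stored_value: bytes, count: int):
        self.stored = stored_value   # f^count(secret); the secret itself is never stored
        self.count = count

    def login(self, presented: bytes) -> bool:
        if self.count == 0:          # chain exhausted: user must re-initialise
            return False
        # Valid iff f(presented) equals the stored head (constant-time compare).
        if hmac.compare_digest(otp_step(presented), self.stored):
            self.stored = presented  # roll the head back one step
            self.count -= 1
            return True
        return False                 # wrong value, or a replay of an already-used password

class SKeyClient:
    """Recomputes f^k(secret) with a decreasing k; the secret never goes on the wire."""
    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.remaining = n

    def next_password(self) -> bytes:
        self.remaining -= 1
        return generate_chain(self.secret, self.remaining)

def demo(n: int = 3):
    """Run a short session; returns (first login, replay, second, third, after exhaustion)."""
    secret = b"constructed-secret-for-demo"   # constructed value; real S/Key hashes passphrase+seed
    server = SKeyServer(generate_chain(secret, n), n)
    client = SKeyClient(secret, n)
    p1 = client.next_password()
    first = server.login(p1)
    replay = server.login(p1)                  # same password again: must fail
    second = server.login(client.next_password())
    third = server.login(client.next_password())
    exhausted = server.login(client.next_password())
    return first, replay, second, third, exhausted
```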

      Department of Computer Science
      University of California at Davis
      Davis, CA 95616-8562

      Page last modified on 11/4/99