Notes for November 3, 1999
Greetings and Felicitations!
Puzzle of the Day
Authentication:
validating client (user) identity
validating server (system) identity
validating both (mutual authentication)
Basis
What you know
What you have
What you are
Passwords
How UNIX does selection
Problem: common passwords; go through Morris and Thompson; Klein and mine, etc.
May be pass phrases: goal is to make search space as large as possible, distribution as uniform as possible
Other ways to force good password selection: random, pronounceable, computer-aided selection
Go through problems, approaches to each, esp. proactive
Password Storage
In the clear; MULTICS story
Enciphered; the key must be kept available on the system; get to the key and it's all over
Hashed; present idea of one-way functions using identity and sum
Show UNIX version
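Added example (not part of the lecture notes, and not the UNIX crypt routine itself): the hashed-storage scheme in Python. Like the UNIX version it stores a per-user random salt next to the one-way hash of the password, so two users with the same password get different entries and a precomputed table cannot be matched against the whole file at once; PBKDF2-HMAC-SHA256 is used here as the one-way function in place of the DES-based crypt, and the iteration count and record layout are the example's own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; UNIX crypt used 25 DES iterations, far too few today

def make_entry(password, salt=None):
    """Build a stored record: algorithm, iteration count, salt and one-way hash, '$'-separated."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user (UNIX used 12 bits; 128 here)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])

def verify(password, entry):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = entry.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def entries_differ(password):
    """Same password, two users: the random salt gives different records."""
    return make_entry(password) != make_entry(password)
```

Nothing reversible is kept: the stored file lets the system check a candidate password but not recover the original, which is the point of the one-way function.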
Attack Schemes Directed to the Passwords
Exhaustive search: UNIX is 1-8 chars, say 96 possibles; it's about 7e16
Inspired guessing: think of what people would like (see above)
Random guessing: can't defend against it; bad login messages aid it
Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
Ask the user: very common with some public access services
Expected time to guess
Password aging
Pick age so when password is guessed, it's no longer valid
Implementation: track previous passwords vs. upper, lower time bounds
Ultimate in aging: One-Time Pads
Password is valid for only one use
May work from list, or new password may be generated from old by a function
Example: S/Key
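Added example (illustrative code, not the S/Key implementation): a one-time password chain in which each new password is generated from the old by a one-way function, as described above. The server stores only h^n(seed); the user presents h^(n-1)(seed), the server hashes it once and compares, then keeps the presented value as the new reference. Real S/Key uses MD4 folded to 64 bits and a six-word encoding; SHA-256 and the dictionary-based state are this example's simplifications.

```python
import hashlib

def h(data):
    """The one-way function. Real S/Key uses MD4 folded to 64 bits; SHA-256 stands in here."""
    return hashlib.sha256(data).digest()

def h_iter(seed, i):
    """h applied i times to the seed: the i-th element of the chain (h^0(seed) is the seed)."""
    value = seed
    for _ in range(i):
        value = h(value)
    return value

def server_init(seed, n):
    """Enrollment: the server stores only h^n(seed) and the counter; the seed stays with the user."""
    return {"stored": h_iter(seed, n), "remaining": n}

def client_password(seed, state):
    """Next password is h^(remaining-1)(seed); in S/Key the server tells the client the sequence number."""
    return h_iter(seed, state["remaining"] - 1)

def server_check(state, candidate):
    """Accept iff h(candidate) equals the stored value, then move the reference down the chain."""
    if state["remaining"] <= 0 or h(candidate) != state["stored"]:
        return False
    state["stored"] = candidate
    state["remaining"] -= 1
    return True

def demo(seed=b"constructed seed", n=5):
    """Walk the chain: n successful logins, a replayed password rejected, chain exhausted at the end."""
    state = server_init(seed, n)
    first = client_password(seed, state)
    first_ok = server_check(state, first)
    replay_rejected = not server_check(state, first)      # same password a second time
    later_ok = all(server_check(state, client_password(seed, state)) for _ in range(n - 1))
    exhausted = not server_check(state, seed)             # counter is 0: must re-enroll
    return first_ok, replay_rejected, later_ok, exhausted
```

Because h is one-way, a password captured on the wire (h^(k-1)) does not yield the next one needed (h^(k-2)); it only lets the attacker compute values the server has already retired.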
Challenge-response systems
Computer issues challenge, user presents response to verify secret information known/item possessed
Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
Note: password never sent on wire or network
Attack: monkey-in-the-middle
Defense: mutual authentication (will discuss more sophisticated network-based protocols later)
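Added example, not from the notes: a challenge-response exchange with both sides' messages, extended to the mutual authentication just mentioned. In place of the E/D pair above, the response function is f(x) = HMAC-SHA256(key, x), one of the "f(x)" style operations listed; the shared key, the nonce length and the "client|"/"server|" labels are the example's own assumptions. The secret itself never crosses the wire, and a captured response is bound to the challenge it answered.

```python
import hashlib
import hmac
import os

def respond(key, message):
    """f(x) = HMAC-SHA256(key, x): a keyed one-way function standing in for the E/D operations."""
    return hmac.new(key, message, hashlib.sha256).digest()

class Server:
    def __init__(self, key):
        self.key = key
        self.outstanding = None

    def challenge(self):
        """Fresh random challenge x; only the response to this exact x will be accepted."""
        self.outstanding = os.urandom(16)
        return self.outstanding

    def check(self, response, client_nonce):
        """Verify the client's f(x); on success answer the client's own challenge (mutual auth)."""
        if self.outstanding is None:
            return None
        expected = respond(self.key, b"client|" + self.outstanding)
        self.outstanding = None            # one challenge, one attempt
        if not hmac.compare_digest(response, expected):
            return None
        return respond(self.key, b"server|" + client_nonce)

class Client:
    def __init__(self, key):
        self.key = key
        self.nonce = None

    def answer(self, x):
        """Return f(x) together with a challenge of our own, so the server must prove itself too."""
        self.nonce = os.urandom(16)
        return respond(self.key, b"client|" + x), self.nonce

    def server_is_genuine(self, proof):
        if proof is None or self.nonce is None:
            return False
        return hmac.compare_digest(proof, respond(self.key, b"server|" + self.nonce))

def mutual_auth(client_key, server_key):
    """One full exchange; returns (server accepted client, client accepted server)."""
    server, client = Server(server_key), Client(client_key)
    x = server.challenge()                       # computer issues challenge
    response, nonce = client.answer(x)           # user presents response plus own challenge
    proof = server.check(response, nonce)        # computer verifies, then answers
    return proof is not None, client.server_is_genuine(proof)

def replay_rejected(key):
    """A response captured from one exchange is useless against a later challenge."""
    server, client = Server(key), Client(key)
    old_response, nonce = client.answer(server.challenge())
    server.challenge()                           # a new session, new x
    return server.check(old_response, nonce) is None
```

The "client|" and "server|" prefixes keep the two directions distinct, so a party cannot turn the other side's reply into its own response; the server also forgets the challenge after one attempt, so each random x buys exactly one guess.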
Biometrics
Depend on physical characteristics
Examples: pattern of typing (remarkably effective), retinal scans, etc.
Location
Bind user to some location detection device (human, GPS)
Authenticate by location of the device
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 11/4/99