Lecture 22 Outline

Reading: §126
Due: Homework 4, due on May 25, 2018 at 11:59pm; Lab 3, due on May 23, 2018 at 11:59pm


  1. Firewalls
    1. Why use them?
    2. Packet-level or filtering firewalls
    3. Application layer or proxy firewalls
  2. Network organization
    1. Inside/outside
    2. Inside/DMZ/outside
    3. How email and web services (and others) are handled
  3. Denial of service attacks
    1. SYN cookies
    2. Adaptive time-out
  4. Authentication
    1. Validating client (user) identity
    2. Validating server (system) identity
    3. Validating both (mutual authentication)
    4. Basis: what you know/have/are, where you are
  5. Passwords
    1. Problem: common passwords
    2. Ways to force good password selection: random, pronounceable, computer-aided selection
    3. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible
  6. Attacks
    1. Exhaustive search
    2. Inspired guessing: think of what people would like (see above)
    3. Random guessing: can’t defend against it; bad login messages aid it
    4. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
    5. Ask the user: very common with some public access services
  7. Password aging
    1. Pick age so when password is guessed, it’s no longer valid
    2. Implementation: track previous passwords vs. upper, lower time bounds
  8. Ultimate in aging: One-Time Password
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function
  9. Challenge-response systems
    1. Computer issues challenge, user presents response to verify secret information known/item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent over network
  10. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  11. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device


UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: [email protected]
ECS 153, Computer Security
Version of May 20, 2018 at 9:05PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh