Lecture 22: May 17, 2021

Reading: text, §12.5.3, 13
Due: Homework 4, due May 24

  1. Problems with SSL

  2. Authentication
    1. Validating client (user) identity
    2. Validating server (system) identity
    3. Validating both (mutual authentication)
    4. Basis: what you know/have/are, where you are

  3. Passwords
    1. Problem: common passwords
    2. Ways to force good password selection: random, pronounceable, computer-aided selection
    3. Best: use passphrases: goal is to make search space as large as possible, distribution as uniform as possible

  4. Attacks
    1. Exhaustive search
    2. Inspired guessing: think of what people would like (see above)
    3. Random guessing: can’t defend against it; bad login messages aid it
    4. Scavenging: passwords often typed where they might be recorded as login name, in other contexts, etc.
    5. Ask the user: very common with some public access services

  5. Defenses
    1. For trial and error at login: dropping or back-off
    2. For thwarting dictionary attacks: salting


UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: [email protected]
ECS 135, Computer Security
Version of May 18, 2021 at 11:15PM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh