Lecture 22: May 17, 2021
Reading: text, §12.5.3, 13
Due: Homework 4, due May 24
Problems with SSL
Authentication
Validating client (user) identity
Validating server (system) identity
Validating both (mutual authentication)
Basis: what you know (password), what you have (token), what you are (biometric), where you are (location)
Passwords
Problem: common passwords
Ways to force good password selection: random, pronounceable, computer-aided selection
Best: use passphrases; the goal is to make the search space as large as possible and the distribution over it as uniform as possible
Attacks
Exhaustive search
Inspired guessing: think of what people are likely to choose (see common passwords above)
Random guessing: can’t prevent it; login error messages that reveal whether the login name exists aid it
Scavenging: passwords are often typed where they get recorded, e.g., typed into the login name field (and logged), pasted into other contexts, etc.
Ask the user (social engineering): very common with some public access services
Defenses
For trial and error at login: dropping the connection after n failures, or back-off (increasing delay between attempts)
For thwarting dictionary attacks: salting (per-user random value hashed with the password, so one precomputed table no longer cracks every user)
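The following is an added example for these notes, not code from the text or from the course; it ties together the search-space point about passphrases, the dictionary attacks above, and both defenses. The wordlist, user names and passwords are constructed for the demo, and the PBKDF2 work factor, the back-off schedule and the five-failure drop limit are illustrative choices, not values the notes prescribe.

```python
"""Salted password storage, a dictionary attack with and without salt, and
login back-off / dropping. Constructed demo data; not a real password file."""
import hashlib
import hmac
import math
import os

# Constructed "common password" dictionary (a real attacker uses millions of entries).
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon", "iloveyou"]
ITERATIONS = 100_000          # PBKDF2 work factor, chosen for the demo; tune upward in practice


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Size of the search space in bits when every symbol is chosen uniformly.
    Eight printable ASCII characters (95 symbols) give ~52.6 bits; five words
    drawn from a 7776-word Diceware list give ~64.6 bits, which is why a
    uniformly chosen passphrase beats a short uniformly chosen password."""
    return length * math.log2(alphabet_size)


def hash_unsalted(password: str) -> str:
    """Legacy scheme: hash of the password alone. Equal passwords give equal
    hashes, so one precomputed table cracks every user who chose that word."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Returns (salt, digest), the pair kept in the password file for one user."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_salted(password, salt), digest)


def precomputed_dictionary_attack(stored: dict[str, str]) -> dict[str, str]:
    """Against unsalted hashes: hash the wordlist once, then one lookup per user.
    Cost is |WORDLIST| hashes no matter how many users are in the file."""
    table = {hash_unsalted(w): w for w in WORDLIST}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_dictionary_attack(stored: dict[str, tuple[bytes, bytes]]) -> dict[str, str]:
    """Against salted hashes: no table can be shared between users, so each user
    costs up to |WORDLIST| slow PBKDF2 computations. Cost is |users| * |WORDLIST|."""
    cracked = {}
    for user, (salt, digest) in stored.items():
        for w in WORDLIST:
            if hmac.compare_digest(hash_salted(w, salt), digest):
                cracked[user] = w
                break
    return cracked


def backoff_seconds(failures: int, cap: float = 64.0) -> float:
    """Back-off for trial and error at login: no delay before the first attempt,
    then 1, 2, 4, ... seconds, capped so a legitimate user is not locked out."""
    return 0.0 if failures == 0 else min(cap, 2.0 ** (failures - 1))


# Dummy entry hashed for unknown user names, so a missing name costs the same
# time as a wrong password and the response does not reveal which names exist.
_DUMMY_SALT, _DUMMY_DIGEST = store_salted("not-a-real-password")


class LoginGuard:
    """Drops the connection after MAX_FAILURES and returns one uniform message
    whether the name or the password was wrong: a message that distinguishes
    the two cases hands a random guesser the list of valid login names."""
    MAX_FAILURES = 5   # demo value

    def __init__(self, password_file: dict[str, tuple[bytes, bytes]]):
        self.password_file = password_file
        self.failures: dict[str, int] = {}

    def login(self, user: str, password: str) -> tuple[str, float]:
        """Returns (message, delay in seconds the server applies before replying)."""
        n = self.failures.get(user, 0)
        if n >= self.MAX_FAILURES:
            return ("connection dropped", 0.0)
        salt, digest = self.password_file.get(user, (_DUMMY_SALT, _DUMMY_DIGEST))
        if user in self.password_file and verify_salted(password, salt, digest):
            self.failures[user] = 0
            return ("login ok", 0.0)
        verify_salted(password, salt, digest) if user not in self.password_file else None
        self.failures[user] = n + 1
        return ("login incorrect", backoff_seconds(n + 1))
```

Run `salted_dictionary_attack` against a file where two users chose the same word: both are still cracked, because salting does not stop a dictionary attack on a weak password, it only removes the shared precomputed table and multiplies the attacker's work by the number of users. The uniform "login incorrect" message and the dummy hash for unknown names are what keep the server from helping a random guesser enumerate accounts.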
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: [email protected]
ECS 135, Computer Security
Version of May 18, 2021 at 11:15PM