Introduction to Computer Security, Matt Bishop
Chapter 11: Authentication
• Basics
• Passwords
• Challenge-Response
• Biometrics
• Location
• Multiple Methods
Slide #11-1
• Basics
• Passwords
– Storage
– Selection
– Breaking them
• Other methods
• Multiple methods
– Subject is computer entity (process, etc.)
Slide #11-3
– What entity knows (e.g. password)
– What entity has (e.g. badge, smart card)
©2004 Matt Bishop
Authentication System
• Five components: authentication information A, complementary information C, complementation functions F (each f: A → C), authentication functions L, and selection functions S
– L: functions that prove identity
– S: functions enabling an entity to create or alter information in A or C
Slide #11-5
• Password system, with passwords stored online in cleartext
– A: the set of strings making up passwords
– C = A
– F: singleton set containing the identity function { I }
– L: single equality test function { eq }
– S: function to set/change the password
– Generated randomly, by user, by computer with user input
• Sequence of words
– Examples: pass-phrases
Slide #11-7
Storage
• Store as cleartext
– If password file compromised, all passwords revealed
Example
Slide #11-9
Anatomy of Attacking
• Goal: find a ∈ A such that f(a) = c ∈ C for some f ∈ F
– Direct approach: as above
– Indirect approach: as l(a) succeeds iff f(a) = c ∈ C for
Preventing Attacks
• How to prevent this:
Slide #11-11
Dictionary Attacks
• Trial-and-error from a list of potential passwords
– Off-line: know f and the c's, and repeatedly try different guesses g ∈ A until the list is exhausted or the passwords are guessed
• Examples: crack, john-the-ripper
– On-line: have access to the functions in L and try guesses g until some l(g) succeeds
• Examples: trying to log in by guessing a password
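The five-component model (A, C, F, L, S) and the two dictionary attacks, as an added example that is not part of the original slides. The cleartext instance from the example slide is kept (F = { I }, L = { eq }); a salted SHA-256 complementation function, the sample password file, the salt and the word list are constructed for this example. It shows the difference that matters to a defender: the off-line attacker never calls anything in L, so nothing is logged, while every on-line guess is a visible login attempt. Hashing changes what the attacker needs (f and a copy of the c's) but a weak password still falls to the word list.

```python
import hashlib
import os
from typing import Callable, Dict, Iterable, Optional, Tuple


def identity(a: str, salt: bytes = b"") -> str:
    """f = I from the cleartext example: the stored complement c is the password itself."""
    return a


def salted_sha256(a: str, salt: bytes) -> str:
    """An alternative one-way f (assumed here, not on the slide): c = SHA-256(salt || a)."""
    return hashlib.sha256(salt + a.encode()).hexdigest()


class AuthSystem:
    """The five-component model: A is any string, C is the set of stored c's, F = {f},
    L = {l} where l(g, c) tests f(g) == c, and S is set_password."""

    def __init__(self, f: Callable[[str, bytes], str]) -> None:
        self.f = f
        self.store: Dict[str, Tuple[bytes, str]] = {}  # user -> (salt, c)
        self.login_attempts = 0  # what the defender can observe

    def set_password(self, user: str, password: str, salt: Optional[bytes] = None) -> None:
        """S: create or alter the entity's information in C."""
        salt = os.urandom(16) if salt is None else salt
        self.store[user] = (salt, self.f(password, salt))

    def authenticate(self, user: str, guess: str) -> bool:
        """l in L: succeeds iff f(guess) equals the c stored for the entity."""
        self.login_attempts += 1
        entry = self.store.get(user)
        if entry is None:
            return False
        salt, c = entry
        return self.f(guess, salt) == c


def offline_dictionary_attack(system: AuthSystem, wordlist: Iterable[str]) -> Dict[str, str]:
    """Off-line: the attacker knows f and has a copy of the c's (the password file), so
    each guess g is checked locally; no function in L is invoked and nothing is logged."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    for user, (salt, c) in system.store.items():
        for g in words:
            if system.f(g, salt) == c:
                cracked[user] = g
                break
    return cracked


def online_dictionary_attack(system: AuthSystem, user: str, wordlist: Iterable[str]) -> Optional[str]:
    """On-line: the attacker only has access to l, so every guess costs a login attempt
    that the system can count, throttle or lock out on."""
    for g in wordlist:
        if system.authenticate(user, g):
            return g
    return None


WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]  # constructed word list


def demo() -> Dict[str, Dict[str, str]]:
    """Run the off-line attack against both storage schemes; the weak password falls either way."""
    results = {}
    for name, f in (("cleartext", identity), ("salted-hash", salted_sha256)):
        system = AuthSystem(f)
        system.set_password("alice", "letmein")       # in the word list
        system.set_password("bob", "Tr0ub4dor&3")     # not in the word list
        results[name] = offline_dictionary_attack(system, WORDLIST)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that `login_attempts` only moves during the on-line attack; that counter is the only signal the system gets, which is why the slides treat hiding the c's (so the attack cannot be taken off-line) and blocking or rate-limiting L as the two defences.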
Anderson's formula:
• P probability of guessing a password in a specified period of time
• G number of guesses tested in 1 time unit
• T number of time units
• N number of possible passwords (|A|)
• Then P ≥ TG/N
Slide #11-13
– Can test 10^4 guesses per second
– Probability of success to be 0.5 over a 365-day period
– So s ≥ 6, meaning passwords must be at least 6 characters long
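Anderson's formula carried through to the password length, as an added example that is not part of the original slides. From P ≥ TG/N, keeping the attacker's success probability at or below P needs N ≥ TG/P, and the smallest s with |alphabet|^s ≥ N is the minimum length. The slide does not state the alphabet size; 96 (roughly the printable ASCII set) is assumed here because it reproduces the slide's s ≥ 6 for 10^4 guesses per second, 365 days and P = 0.5. The code also generalizes to other alphabets and guess rates.

```python
def min_password_space(guesses_per_unit: float, time_units: float, success_prob: float) -> float:
    """Rearrange P >= TG/N: for the attacker's success probability to be at most P,
    the password space N = |A| must satisfy N >= TG/P."""
    if not 0 < success_prob <= 1:
        raise ValueError("P must lie in (0, 1]")
    return time_units * guesses_per_unit / success_prob


def min_password_length(alphabet_size: int, required_space: float) -> int:
    """Smallest s with alphabet_size**s >= required_space, i.e. the minimum password length."""
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least two symbols")
    s, space = 0, 1
    while space < required_space:
        s += 1
        space *= alphabet_size
    return s


def anderson_min_length(alphabet_size: int, guesses_per_second: float, days: float,
                        success_prob: float) -> int:
    """The slide's calculation end to end: guess rate and time window to minimum length s."""
    seconds = days * 24 * 3600
    return min_password_length(alphabet_size,
                               min_password_space(guesses_per_second, seconds, success_prob))


def success_probability_bound(guesses_per_unit: float, time_units: float, n: float) -> float:
    """The bound TG/N on P itself, capped at 1 (an attacker cannot do better than certainty)."""
    return min(1.0, time_units * guesses_per_unit / n)


if __name__ == "__main__":
    # The slide's figures: 10^4 guesses/s, 365 days, P = 0.5.
    # The 96-character alphabet is an assumption; the slide does not give it.
    N = min_password_space(1e4, 365 * 24 * 3600, 0.5)
    print(f"N must be at least {N:.4e}")                     # 6.3072e+11
    print("96-char alphabet:", anderson_min_length(96, 1e4, 365, 0.5))   # 6
    print("lowercase only:  ", anderson_min_length(26, 1e4, 365, 0.5))   # 9
    print("96-char, 10^9 guesses/s:", anderson_min_length(96, 1e9, 365, 0.5))  # 9
```

The last line is the practical caveat: the formula is only as good as the assumed guess rate G, and a rate of 10^9 guesses per second (off-line cracking hardware rather than a login prompt) pushes the same 96-character alphabet from 6 to 9 characters.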
• Pronounceable passwords
• User selection of passwords
Slide #11-15
• Generate phonemes randomly
– Phoneme is a unit of sound, e.g. cv, vc, cvc, vcv
– Examples: helgoret, juttelon are; przbqxdfl, zxrptglfn are not
• Problem: too few such passwords
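A pronounceable-password generator built from the four phoneme shapes on the slide, together with a count that quantifies "too few", as an added example that is not part of the original slides. The consonant and vowel sets, the 8-character target and the 96-character comparison alphabet are choices made for this example; the generator, the pronounceability test and the counting recurrence are not from the slide.

```python
import math
import re
import secrets

CONSONANTS = "bcdfghjklmnprstvwz"  # 18 letters; q, x, y left out (a choice for this example)
VOWELS = "aeiou"                   # 5 letters
PHONEME_SHAPES = ("cv", "vc", "cvc", "vcv")  # the shapes named on the slide

# A string is accepted as pronounceable if it splits into (consonant?)(vowel)(consonant?) groups.
_PRONOUNCEABLE = re.compile(r"^(?:[%s]?[%s][%s]?)+$" % (CONSONANTS, VOWELS, CONSONANTS))


def looks_pronounceable(s: str) -> bool:
    return _PRONOUNCEABLE.match(s) is not None


def pronounceable_password(length: int, rng=secrets) -> str:
    """Concatenate random phonemes until exactly `length` letters are produced.
    `rng` needs a choice(); secrets is used by default, random.Random(seed) for repeatable runs."""
    if length < 2:
        raise ValueError("the shortest phoneme has two letters")
    pw = ""
    while len(pw) < length:
        remaining = length - len(pw)
        # Never leave a single orphan letter, since there is no one-letter phoneme.
        shapes = [s for s in PHONEME_SHAPES if len(s) <= remaining and remaining - len(s) != 1]
        shape = rng.choice(shapes)
        pw += "".join(rng.choice(CONSONANTS if ch == "c" else VOWELS) for ch in shape)
    return pw


def phoneme_sequence_count(length: int) -> int:
    """Number of phoneme sequences with exactly `length` letters. Distinct sequences can spell
    the same string, so this is an upper bound on the pronounceable passwords of that length."""
    per_shape = {
        s: math.prod(len(CONSONANTS) if ch == "c" else len(VOWELS) for ch in s)
        for s in PHONEME_SHAPES
    }
    ways = [1] + [0] * length  # ways[n] = sequences spelling exactly n letters
    for n in range(1, length + 1):
        ways[n] = sum(cnt * ways[n - len(s)] for s, cnt in per_shape.items() if len(s) <= n)
    return ways[length]


def entropy_gap_bits(length: int, alphabet_size: int = 96) -> float:
    """How many bits smaller the pronounceable space is than all strings of the same length
    over `alphabet_size` characters (96 printable characters is an assumption made here)."""
    return length * math.log2(alphabet_size) - math.log2(phoneme_sequence_count(length))


if __name__ == "__main__":
    for _ in range(3):
        print(pronounceable_password(8))
    print(phoneme_sequence_count(8), "phoneme sequences of length 8")  # 3363606000
    print(f"{entropy_gap_bits(8):.1f} bits fewer than 96^8")           # about 21.0
```

At most about 3.4 × 10^9 eight-letter pronounceable passwords exist under these letter sets, roughly 21 bits short of the 96^8 strings of the same length, so an attacker who knows the generator needs only a fraction of the dictionary.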
User Selection
• Problem: people pick easy-to-guess passwords
– Personal characteristics or foibles (pet names, nicknames, job characteristics, etc.)
Slide #11-17
Slide #11-19
• If not, it is not in the dictionaries


