16 Cards in this Set
Access Control and two areas of primary interest
Umbrella for any security issues related to access of system resources.

Authentication and authorization

Authentication
Process of determining whether a user should be allowed access to a system. Are you who you say you are?
Authentication Methods
Something you know (password), something you have (ATM card, smartcard, MAC address, password generator), something you are (biometrics)
Storing passwords
Do not store raw passwords in a file, store the hashed passwords.

Advantage: if Trudy obtains the password file, she does not get the actual passwords.

Issue: if Trudy knows a hash value, she can conduct a forward search attack by guessing likely passwords and hashing them.

Prevent forward search attacks
Append a non-secret random value, known as a salt, to each password before hashing.


Salt
Non-secret value that causes identical passwords to hash to different values.
Password issues
Password reuse

Social engineering


Keystroke logging software

Ideal biometric would satisfy all of the following
Universal: Should apply to virtually everyone

Distinguishing: Should distinguish with virtual certainty


Permanent: Physical characteristic measured should never change


Collectable: Physical characteristic should be easy to collect without any potential to cause harm to the subject


Reliable, robust, and user friendly

Two phases of biometrics
Enrollment phase: subjects have biometric info gathered and entered into a database

Recognition phase: biometric detection system is used in practice to determine whether to authenticate or not.

Biometric modes
Identification: Who goes there? One to many. Ex: FBI fingerprint database

Authentication: Are you who you say you are? One to one.

Types of errors in authentication
Fraud rate: Bob poses as Alice and system authenticates Bob

Insult rate: Alice tries to authenticate as herself but the system fails to authenticate her. The fraud rate or the insult rate can be decreased at the expense of the other.


Equal error rate: rate for which the fraud and insult rates are the same.

Smartcard and Special purpose smartcard reader
Smartcard: A credit card sized device that includes a small amount of memory and computing resources so that it is able to store cryptographic keys or other secrets.

Special purpose smartcard reader: Used to read the key stored on the card. The key can then be used to authenticate the user. Since the key is selected at random, password guessing attacks are eliminated.

Password generator
Small device that the user must have to log in to a system. Alice wants to authenticate to Bob. Bob sends a random "challenge" R to Alice; Alice inputs it into the password generator along with her PIN. The generator produces a response that she sends to Bob. If the response is correct, Bob knows he is talking to Alice.

Example of challenge response authentication

Two factor authentication
Any authentication method that requires two out of three "somethings"
Single sign on
Authenticate once and then have the successful result automatically follow wherever one goes on the internet.

Ex: Kerberos

Web cookies
Often used as a weak form of authentication. A cookie is provided by a website and stored on the user's machine. Cookies maintain state across sessions and can act as a single sign on method for a website. A website can authenticate "Alice" based on possession of Alice's Web cookie.