1
Q
what is authentication?
A
- who are you? prove it!
- the process making the request does it on behalf of a certain user, subject, or principal.
- claims & verification about the identity.
2
Q
what is authorization?
A
does this person have permission to access?
3
Q
false negative
A
negative outcome was generated falsely
4
Q
goal of authentication?
A
- a user associated with identity should be able to successfully authenticate (available & no false negative)
- a user not associated with identity should not be able to successfully authenticate (available & no false positive)
5
Q
3 authentication methods
A
- secret (something the user knows)
- token (something the user has. e.g. smart cards)
- part of the user (something the user is. e.g. biometric)
6
Q
password method threat
A
- guessing the password
- impersonating the login program (similar to phishing)
- keylogging
7
Q
Trusted path
A
- you are really talking to the OS. There should be signal from the OS to screen, keyboard to confirm that you are connecting to TCB, and there is nothing in between
8
Q
problems with storing passwords on a file?
A
- readable only by root/admin. Why should admin know all passwords?
- permission can be set incorrectly
- if security is breached, all passwords are exposed to the attacker
9
Q
solution to storing password info
A
- don’t directly store password, store one-way hash function derived from it
- this file is only accessible by root/admin
- slow hash function to reduce brute force attacks
10
Q
threats of one-way hash function
A
- if we know the common passwords, we can figure out their hash
- for dictionary and offline attacks, we have the dict and plenty of time (online system can stop the attack after a certain amount of trials)
11
Q
is password random
A
no
12
Q
how to reduce work for brute force attack?
A
- try popular password first
- rainbow table lookup
13
Q
what if 2 users use the same password? How to distinguish their hash values?
A
- add a random salt before hashing
- store the salt in the same hash value file
14
Q
touch screen password bias
A
- user often start from top left, since most language starting from top left
- the ease of moving from current point
15
Q
problem with password
A
- length, complexity, and expiration reduce usability
- phishing and social engineering
- once stolen, it can be used many times
16
Q
problem with tokens
A
- must have them
- may require additional hardware
- need user to confirm identity (challenge/response)
- cost & misplaced trust
17
Q
biometrics
A
- fingerprint
- keystroke
- voice
- retina scan
18
Q
problem with biometrics
A
- depends on probability -> false neg/pos
19
Q
is ATM multi-factor?
A
yes, card and pin
