Chapter 3

List and briefly describe the principal threats to the secrecy of passwords?

"Offline dictionary attack: The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination. *Specific account attack: The attacker targets a specific account and submits password guesses until the correct password is discovered. *Popular password attack: A variation of the preceding attack is to use a popular password and try it against a wide range of user Ids. *Password guessing against single user: The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. *Workstation hijacking: The attacker waits until a logged-in workstation is unattended. *Exploiting user mistakes: Strict polices force more complicated password and the user is more likely to write it down because it is difficult to remember. An attacker may trick the user or an account manager into revealing a password (also: preconfigured passwords for system administrators are a threat) *Exploiting multiple password use Electronic monitoring: If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping."

List and briefly describe the principal characteristics used for biometric identification.

*Facial characteristics *Fingerprints *Hand geometry *Retinal pattern *Iris *Signature *Voice

Define the terms false match rate and false non-match rate, and explain the use of a threshold in relationship to these two rates.

*False match rate: It measures the percent of invalid inputs which are incorrectly accepted. *False non-match rate: It measures the percent of valid inputs which are incorrectly rejected. By moving the threshold, the probabilities can be altered but note that a decrease in false match rate necessarily results in an increase in false non-match rate, and vice versa.

Explain the difference between a simple memory card and a smart card.

*Memory Card: Stores but does not process data. *Smart Card: Has a microprocessor, different types memory, I/O ports etc. May also have a crypto coprocessor and an embedded antenna.

In general terms, what are four means of authenticating a user's identity?

*Something the individual knows: Examples includes a password, a personal identification number (PIN), or answers to a prearranged set of questions. *Something the individual possesses: Examples include electronic key-cards, smart cards, and physical keys. This type of authenticator is referred to as a token. *Something the individual is (static biometrics): Examples include recognition by fingerprint, retina, and face. *Something the individual does (dynamic biometrics): Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

List and briefly describe four common techniques for selecting or assigning passwords.

*User education *Computer-generated passwords *Reactive password checking: The system periodically runs its own password cracker and notifies the user if it was able to crack his or her password. *Proactive password checking: The user chooses his password based on rules given by thesystem (eg. at least eight characters long etc.)

In the context of biometric user authentication, explain the terms, enrollment, verification, and identification.

Enrollment: Each individual who is to be included in the database of authorized users must first be enrolled in the system. *Verification: The user enters a PIN and also uses a biometric sensor. Identification: The individual uses the biometric sensor but presents no additional information.

Describe the general concept of a challenge-response protocol.

The host generates a random number r and returns it to the user (=challenge). In addition, the host specifies two functions, a hash function h() and another function f() to be used in the response. The user calculates f(r', h(P')), where r' = r and P' is the user's password. When the response arrives, the host compares the incoming result to the calculated f(r, h(P)) and if it matches the user is authenticated. Advantages: Only the hashes of the passwords have to be stored and they do not have to be transmitted directly, so i cannot be captured during transmission.

What are the two common techniques used to protect a password file?

Using a salt value. This salt is stored in plaintext with the hash from (salt + password). Password File Access Control. The hashed passwords are kept in a separate file from the user Ids referred to as shadow password file. Only privileged users have access to this file.