4. Password & Authentication Schemes

11 Terms

1

Identification vs. Verification

Identification → Confirms who someone is from a group of identities.

Verification → Confirms if someone is who they claim to be.

2

What is the definition of Authentication?

The process of verifying an identity claimed by or for a system entity.

3

What are the 4 means of User Authentication?

Based on something the individual:

  • knows → password

  • possesses → token

  • naturally has → static biometrics

  • does → dynamic biometrics

4

What type of attack can be used against hashed passwords?

Dictionary attacks

5

What are ways to prevent Dictionary Attacks on passwords?

  • Salts → Add random salt to password before hashing.

  • Memory-bound hash functions → designed to be slow and to require lots of memory.

  • Password File Access Control → OS allows only root / authentication checks to read file with hashed passwords.

6

What is Lamport's Hash?

  • One-time password scheme.

  • Secure against breach of server database.

Scheme:

  • Server stores an integer n and hash^n(password) for each user.

  • n decrements after each use.

  • User calculates large number of password hashes in advance.

7

What is the problem with Lamport's Hash?

The small n attack:

  • Scheme has no mutual authentication (server can be impersonated).

  • Attacker (impersonating the server) sends the user a small value m, smaller than the server's actual current n → receives hash^m(password).

  • Attacker can hash that value further to compute hash^k(password) for every k > m, and so authenticate to the real server until its actual counter n drops down to m.

8

What is the definition of Strong Password Protocols?

Eavesdropping or impersonation will not yield enough information to do offline verification of password guesses.

9

What is the problem of Encrypted Key Exchange (EKE) and Simple Password Exponential Key Exchange (SPEKE)?

The server has to store the weak password w.

10

What are Augmented Strong Password Protocols?

  • Strong Password Protocols, where the server does not need to store the password.

11

What is Discretionary Access Control (DAC)?

Matrix that defines the access rights of all subjects for all objects.

  • Subject → entity that can access objects.

  • Object → Access controlled resource.
