-
something the individual knows
something the individual possesses
something the individual is (static biometrics)
something the individual does (dynamic biometrics)
four general means of authenticating a user's identity
-
salt value
the value related to the time at which a password is assigned to the user - when combined with the password it serves as the input to a hashing algorithm to produce a fixed-length hash code - prevents duplicate passwords from being visible and increases the difficulty of offline dictionary attacks
-
offline dictionary attack
specific account attack
popular password attack
password guessing against single user
workstation hijacking
exploiting user mistakes
exploiting multiple password use
electronic monitoring
8 main forms of attack against password-based authentication
-
shadow password file
file kept separate from the user IDs, containing the hashed passwords, and accessible only by a privileged user
-
user education
computer-generated passwords
reactive password checking
proactive password checking
four basic techniques to use in eliminating guessable passwords
-
reactive password checking
strategy in which the system periodically runs its own password cracker to find guessable passwords - can be labor intensive
-
proactive password checker
strategy in which the user is allowed to select his or her own password; however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it
-
rule enforcement
password checker
bloom filter
approaches to proactive password checking
-
bloom filter
a technique for developing an effective and efficient proactive password checker that is based on rejecting words on a list
-
static
dynamic password generator
challenge-response
three categories of authentication protocols used with smart tokens
-
static
category of token-based authentication protocol in which the user authenticates himself to the token and then the token authenticates the user to the computer
-
dynamic password generator
category of token-based authentication protocol in which the token generates a unique password periodically (e.g., every minute) which is then entered into the computer system for authentication - the computer knows the password that is current for the particular token
-
challenge-response
category of token-based authentication protocol in which the computer system generates a challenge, such as a random string of numbers, and the smart token generates a response based on the challenge
-
password-based authentication
token-based authentication
biometric authentication
remote user authentication
four types of authentication
-
biometric authentication
authentication based on an individual's unique physical characteristics
-
facial characteristics
fingerprints
hand geometry
retinal pattern
iris
signature
voice
types of physical characteristics that can be used for authentication
-
remote user authentication
authentication which takes place over the internet, a network, or a communications link
-
client attacks
host attacks
eavesdropping
theft
copying
replay
trojan horse
denial of service
user authentication attacks
-
replay attacks
attacks that involve an adversary repeating a previously captured user response
-
trojan horse attack
an attack where an application or physical device masquerades as an authentic application or device for the purpose of capturing a user password
-
denial-of-service attack
an attack which attempts to disable user authentication service by flooding the service with numerous authentication attempts
-
host attacks
attacks that are directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
-
client attacks
attacks in which an adversary attempts to achieve user authentication without access to the remote host or to the intervening communications path - the adversary attempts to masquerade as a legitimate user
-
cardholder
an individual to whom a debit card is issued
-
issuer
an institution (bank or credit union) that issues debit cards to cardholders - is also responsible for the cardholder's account and authorizes all transactions
-
processor
an organization that provides services such as core data processing (PIN recognition and account updating), electronic funds transfer (EFT), and so on to issuers