Ch03 - User Authentication

  1. In most computer security contexts, ___________ is the fundamental building block and the primary line of defense.
    user authentication
  2. _________ is the basis for most types of access control and for user accountability.
    User authentication
  3. The process of verifying an identity claimed by or for a system entity.
    User authentication
  4. Presenting an identifier to the security system.
    Identification step
  5. Presenting or generating authentication information that corroborates the binding between the entity and the identifier.
    Verification step
  6. _________ is the means by which a user provides a claimed identity to the system;
  7. _______________ is the means of establishing the validity of the claim.
    user authentication
  8. ____________ is a procedure that allows communicating parties to verify that the contents of a received message have not been  altered and that the source is authentic.
    message authentication
  9. The process of establishing confidence in user identities that are presented electronically to an information system.
    Electronic user authentication
  10. a __________ for user authentication that involves a number of entities and procedures.
    general model
  11. An applicant applies to a _________ to become a subscriber of a credential service provider (CSP).
    registration authority (RA)
  12. An applicant applies to a registration authority (RA) to become a _________ of a credential service provider (CSP).
  13. An applicant applies to a registration authority (RA) to become a subscriber of a ___________.
    credential service provider (CSP)
  14. The __________ is a data structure that authoritatively binds an identity and additional attributes to a token possessed by a subscriber, and can be verified when presented to the verifier in an authentication transaction.
  15. The party to be authenticated is called a _________ and the party verifying that identity is called a _________.
    claimant, verifier
  16. The verifier passes on an assertion about the identity of the subscriber to the _________.
    relying party (RP)
  17. Four general means of authenticating a user’s identity:
    • Something the individual knows
    • Something the individual possesses
    • Something the individual is (static biometrics)
    • Something the individual does (dynamic biometrics)
  18. An ________ may be able to guess or steal a password.
  19. 3 concepts we wish to relate:
    • assurance level
    • potential impact
    • areas of risk
  20. An _________ describes an organization’s degree of certainty that a user has presented a credential that refers to his or her identity.
    assurance level
  21. The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
  22. The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
  23. Assurance levels:
    • Level 1 - little or no confidence
    • Level 2 - some confidence
    • Level 3 -  high confidence
    • Level 4 - very high confidence
  24. Three levels of potential impact:
    • Low - Authentication error could be expected to have a limited adverse effect.
    • Moderate - Authentication error expected to have a serious adverse effect.
    • High - Authentication error expected to have a severe or catastrophic adverse effect.
  25. Impact of error that results in unauthorized access: (Areas of Risk)
    • Low: At worst, an insignificant or inconsequential unrecoverable financial loss.
    • Moderate - At worst, a serious unrecoverable financial loss to any party, or a serious organization liability.
    • High - severe or catastrophic unrecoverable financial loss to any party; or severe or catastrophic organization liability.
  26. (T/F) If the potential impact is low, an assurance level of 1 is adequate. If the potential impact is moderate, an assurance level of 2 or 3 should be achieved. And if the potential impact is high, an assurance level of 4 should be implemented.
  27. A widely used line of defense against intruders is the ________.
    password system
  28. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords.
    Offline dictionary attack
  29. The attacker targets a specific account and submits password guesses until the correct password is discovered.
    Specific account attack
  30. A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs.
    Popular password attack
  31. The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password.
    Password guessing against single user
  32. The attacker waits until a logged-in workstation is unattended.
    Workstation hijacking
  33. If the system assigns a password, then the user is more likely to write it down because it is difficult to remember.
    Exploiting user mistakes
  34. Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user.
    Exploiting multiple password use
  35. If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.
    Electronic monitoring
  36. A widely used password security technique is the use of ________ and a ____ value.
    hashed passwords, salt
  37. This value is related to the time at which the password is assigned to the user.
  38. The password and salt serve as inputs to a hashing algorithm to produce a __________.
    fixed-length hash code
  39. Salt serves three purposes:
    • prevents duplicate passwords from being visible
    • greatly increases the difficulty of offline dictionary attacks
    • impossible to find out whether a person used the same password
  40. a user can gain  access on a machine using a guest account or by some other means and then run a password guessing program, called a ___________, on that machine.
    password cracker
  41. The most secure version of the UNIX hash/salt scheme was developed for _______, another widely used open source UNIX.
  42. OpenBSD uses a hash function based on the Blowfish symmetric block cipher. The hash function, called ______, is quite slow to execute.
  43. (T/F) The traditional approach to password guessing, or password cracking as it is called, is to develop a large dictionary of possible passwords and to try each of these against the password file.
  44. The result is a mammoth table of hash values known as a __________.
    rainbow table
  45. The hashed passwords are kept in a separate file from the user IDs, referred to as a __________.
    shadow password file
  46. The _________ strategy is unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover.
    user education
  47. If the passwords are quite random in nature, users will not be able to remember them.
    Computer-generated passwords
  48. A _____________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords.
    reactive password checking
  49. A user is allowed to select his or her own password. How ever, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.
    complex password policy, or proactive password checker
  50. (T/F) All passwords must be at least eight characters long. In the first eight characters, the passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks.
  51. two problems in password checker:
    • Space
    • Time
  52. A technique for developing an effective and efficient proactive password checker that is based on rejecting words on a list has been implemented on a number of systems, including Linux.
    Bloom filter
  53. Objects that a user possesses for the purpose of user authentication are called _________.
  54. _______ can store but not process data.
    Memory cards
  55. A _________ can store only a simple security code, which can be read by an inexpensive card reader.
    magnetic stripe
  56. (T/F) Smart tokens include an embedded microprocessor.
  57. A _______ smart card must be inserted into a smart card reader with a direct connection to a conductive contact plate on the surface of the card.
  58. A _________ card requires only close proximity to a reader.
  59. With a ______ protocol, the user authenticates himself or herself to the token and then the token authenticates the user to the computer.
  60. The token generates a unique password periodically.
    Dynamic password generator
  61. The computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge.
  62. For user authentication the most important category of smart token is the _______, which has the appearance of a credit card, has an electronic interface, and may use any of the type of protocols.
    smart card
  63. Smart card includes three types of memory:
    • Read-only memory (ROM)
    • Electrically erasable programmable ROM (EEPROM)
    • Random access memory (RAM)
  64. The terminal may be able to change the protocol used and other parameters via a ________ command.
    protocol type selection (PTS)
  65. A __________ card can serve the same purposes as other national ID cards, and similar cards such as a driver’s license, for access to government and commercial services.
    national electronic identity (eID)
  66. A six-digit decimal random number printed on the face of the card. This is used as a password, as explained subsequently.
    Card access number (CAN)
  67. Three lines of human- and machine-readable text on the back of the card. This may also be used as a password.
    Machine readable zone (MRZ)
  68. An alphanumerical nine-character unique identifier of each card.
    Document number
  69. This function is reserved for government use and stores a digital representation of the cardholder’s identity.
  70. This function is for general-purpose use in a variety of government and commercial applications.
  71. This optional function stores a private key and a certificate verifying the key; it is used for generating a digital signature.
  72. Ensures that the contactless RF chip in the eID card cannot be read without explicit access control.
    Password Authenticated Connection Establishment (PACE)
  73. A ___________ system attempts to authenticate an individual based on his or her unique physical characteristics.
    biometric authentication
  74. Biometrics is based on __________.
    pattern recognition
  75. Most common means of human-to-human identification; thus it is natural to consider them for identification by computer.
    Facial characteristics
  76. A ________ is the pattern of ridges and f urrows on the surface of the fingertip. Believed to be unique across the entire human population.
  77. Identify features of the hand, including shape, and lengths and widths of fingers.
    Hand geometry systems
  78. A _________ system obtains a digital image of the retinal pattern by projecting a low-intensity beam of visual or infrared light into the eye.
    retinal biometric
  79. Each individual who is to be included in the database of authorized users must first be ________ in the system.
  80. Depending on application, user authentication on a biometric system involves either _________ or __________.
    verification, identification
  81. The simplest form of user authentication is _____________, in which a user  attempts to access a system that is locally present, such as a stand-alone office PC or an ATM machine.
    local authentication
  82. The host generates a random number r, often called a ______, and returns this to the user.
  83. (T/F) The token either stores a static passcode or generates a one-time random passcode.
  84. (T/F) The principal difference from the case of a stable biometric is that the host provides a random sequence as well as a random number as a challenge. The sequence challenge is a sequence of numbers, characters, or words.
  85. ________ are those in which an adversary attempts to achieve user authentication without access to the remote host or to the intervening communications path.
    Client attacks
  86. __________ are directed at the user file at the host where passwords, token passcodes, or biometric templates are stored.
    Host attacks
  87. __________ in the context of passwords refers to an adversary’s attempt to learn the password by observing the user, finding a written copy of the  password, or some similar attack that involves the physical proximity of user and adversary.
  88. For a token, an analogous threat is ______ of the token or physical copying of the token.
  89. The analogous threat for a biometric protocol is _______ or imitating the biometric parameter so as to generate the desired template.
  90. Involve an adversary repeating a previously captured user response.
    Replay attacks
  91. An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric.
    Trojan horse attack
  92. A _________ attempts to disable a user authentication service by flooding the service with numerous authentication attempts.
    denial-of-service attack
Card Set
Ch03 - User Authentication
2nd Semester