Notes for November 8, 1999

  1. Greetings and Felicitations!
  2. Puzzle of the Day
  3. Password Storage
    1. In the clear; MULTICS story
    2. Enciphers; key must be kept available; get to it and it's all over
    3. Hashed; present idea of one-way functions using identity and sum
    4. Show UNIX version
  4. >Attack Schemes Directed to the Passwords
    1. Exhaustive search: UNIX is 1-8 chars, say 96 possibles; it's about 7x1016
    2. Inspired guessing: think of what people would like (see above)
    3. Random guessing: can't defend against it; bad login messages aid it
    4. Scavenging: passwords often typed where they might be recorded (b\as login name, in other contexts, etc.
    5. Ask the user: very common with some public access services
    6. Expected time to guess
  5. Password aging
    1. Pick age so when password is guessed, it's no longer valid
    2. Implementation: track previous passwords vs. upper, lower time bounds
  6. Ultimate in aging: One-Time Pads
    1. Password is valid for only one use
    2. May work from list, or new password may be generated from old by a function
    3. Example: S/Key?
  7. Challenge-response systems
    1. Computer issues challenge, user presents response to verify secret information known/item possessed
    2. Example operations: f(x) = x+1, random, string (for users without computers), time of day, computer sends E(x), you answer E(D(E(x))+1)
    3. Note: password never sent on wire or network
    4. Attack: monkey-in-the-middle
    5. Defense: mutual authentication (will discuss more sophisticated network-based protocols later)
  8. Biometrics
    1. Depend on physical characteristics
    2. Examples: pattern of typing (remarkably effective), retinal scans, etc.
  9. Location
    1. Bind user to some location detection device (human, GPS)
    2. Authenticate by location of the device

Send email to [email protected].

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562


Page last modified on 11/13/99