Various access control methods, focusing on passwords, biometrics, and two-factor authentication. It covers static and one-time passwords, good and bad password practices, password cracking attacks, and password complexity requirements. Additionally, it discusses biometric recognition systems, identification vs authentication, and biometric errors.
Typology: Lecture notes
Part 2 Access Control
Two parts to access control…
Authentication: Are you who you say you are?
o Determine whether access is allowed or not
o Authenticate human to machine
o Or, possibly, machine to machine
Passwords
Lots of things act as passwords!
o PIN
o Social security number
o Mother's maiden name
o Date of birth
o Name of your pet, etc.

Two types of password credentials can be used by today's authentication solutions: (1) static and (2) one-time passwords.
One-time passwords
One-time passwords are secrets that can be used for authentication only once, or a few times. Technically, this means that the user must have a new password every time he needs to authenticate.
A problem with such passwords is that they are often not secret. If left to their own devices, users tend to select bad passwords, which makes password cracking surprisingly easy. In fact, we'll provide some basic mathematical arguments to show
Why is "something you know" more popular than "something you have" and "something you are"?
o Cost: passwords are free
o Convenience: easier for a sysadmin to reset a password than to issue a new card
Bad passwords
o frank
o Fido
o Password
o incorrect
o Pikachu
o 102560
o AustinStamp

Good passwords?
o jfIej,43j-EmmL+y
o 09864376537263
o P0kem0N
o FSa7Yago
o 0nceuP0nAt1m
o PokeGCTall

Again, if users are allowed to choose passwords, then the best advice is to choose passwords based on passphrases. In addition, system administrators should use a password-cracking tool to test for weak passwords.
One of the oldest types of attacks is password guessing. If a system requires the user to authenticate with a username and password, an attacker can try to guess the username and the password, and then authenticate as the actual user. Information about usernames can be easily obtained by an attacker.

To mitigate the risk of brute force attacks, administrators should require users to change their passwords more often, and may also impose other countermeasures such as complexity requirements for user passwords.

Another popular and very successful approach to password guessing is the dictionary attack. It is based on the fact that users (unlike computers) select memorable words for their passwords.

To mitigate the risk from such attacks, password complexity requirements and regular password changes can be implemented.

Password File
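The "good passwords?" list above carries a question mark for a reason: P0kem0N and 0nceuP0nAt1m satisfy a naive complexity rule yet are dictionary words with digit substitutions, exactly what a dictionary attack with common mangling rules tries first. The checker below is an added example, not the lecture's code, of the policy enforcement the two mitigation paragraphs describe: a minimum length, a character-class requirement, and a dictionary check that first undoes the usual leet substitutions. The wordlist, the 12-character minimum and the three-class minimum are assumptions chosen for the demo; a real audit would load the same large wordlists a cracking tool uses.

```python
import math
import re

# Constructed mini wordlist standing in for a cracking tool's dictionary
# (assumption: a real check loads a large list). Entries cover the slide's
# examples: names, pets, "password", Pokémon characters, phrase fragments.
WORDLIST = {
    "frank", "fido", "password", "incorrect", "pikachu", "pokemon",
    "austin", "stamp", "once", "upon", "time", "letmein", "welcome",
}

# Reverse the common "leet" substitutions so P0kem0N normalises to "pokemon".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12      # assumed policy value
MIN_CLASSES = 3      # assumed policy value


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions before the dictionary check."""
    return pw.lower().translate(LEET)


def dictionary_hits(pw: str) -> list[str]:
    """Wordlist entries (4+ chars) that occur in the normalised password."""
    norm = normalise(pw)
    return sorted(w for w in WORDLIST if len(w) >= 4 and w in norm)


def character_classes(pw: str) -> int:
    """Count of lower/upper/digit/symbol classes present."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))


def brute_force_bits(pw: str) -> float:
    """Size of the brute-force search space in bits, assuming the attacker already
    knows the length and which character classes were used (an upper bound)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33          # printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> dict:
    """Apply the policy and return every reason the password fails, if any."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if re.fullmatch(r"\d+", pw):
        problems.append("digits only (PIN-like)")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("built on dictionary word(s): " + ", ".join(hits))
    return {"ok": not problems, "bits": round(brute_force_bits(pw), 1),
            "problems": problems}


if __name__ == "__main__":
    # The slide's own examples, run through the policy.
    for pw in ["frank", "Pikachu", "102560", "jfIej,43j-EmmL+y", "09864376537263",
               "P0kem0N", "FSa7Yago", "0nceuP0nAt1m", "PokeGCTall"]:
        r = check_password(pw)
        status = "OK  " if r["ok"] else "WEAK"
        print(f"{pw:18} {status} {r['bits']:6.1f} bits  {'; '.join(r['problems'])}")
```

The bit count is deliberately an upper bound: it measures only the brute-force space, and a password that scores well there (0nceuP0nAt1m, 12 characters from three classes) can still be trivially guessable once the dictionary check is applied, which is why the two checks are reported separately.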
o Too many passwords to remember
  - Results in password reuse
o Failure to change default passwords
o Social engineering
o Error logs may contain "almost" passwords
o Bugs, keystroke logging, spyware, etc.