Chapter 3: User Authentication


While interacting with a system, a user needs to identify herself to the system in order to access its resources. Access control and user accountability both depend on the identity of the user, so authentication is the primary line of defense.

Section 3.2: Password Based Authentication

This section lists a number of attacks used to crack passwords and break into one or more accounts, and then lists countermeasures against these attacks. Think about the following while reading this section:

· Why is a salt added to a password before it is hashed?

· Why is the salt of fixed length?

· Salts are saved in a plaintext file which an attacker can easily read. Why, then, does using a salt provide more protection?

· Read about bcrypt on the Internet. What makes it more secure than the other existing UNIX hash/salt schemes?

· What is a rainbow table? How can this approach be countered?

· What is a shadow password file? How is it kept secure?

· You now realize how important it is to select good passwords. What are the criteria for a good password? Read the "rule enforcement" strategies carefully.

· How does the Markov model work? How does a Bloom filter work? Which one is more efficient at filtering out bad passwords?
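The following is an added example, not code from the textbook, that works through the salt and rainbow-table questions above. It keeps a constructed in-memory stand-in for the password file, stores a fixed-length random salt per user next to a PBKDF2-HMAC-SHA256 derived key, and contrasts that with an unsalted store against a small constructed dictionary of precomputed hashes (the "rainbow table" stand-in). The usernames, passwords and dictionary words are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor and salt length are illustrative choices, not values from the text.
ITERATIONS = 100_000
SALT_LEN = 16  # fixed-length, random, per-user salt (bytes)

# A record is (salt, iteration count, derived key); a real shadow file also
# records the algorithm identifier so the parameters can be upgraded later.
Record = Tuple[bytes, int, bytes]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Record:
    """Derive a key from the password with PBKDF2-HMAC-SHA256 and a random salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def store_user(store: Dict[str, Record], username: str, password: str) -> None:
    store[username] = hash_password(password)


def verify_password(store: Dict[str, Record], username: str, candidate: str) -> bool:
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal whether the account exists.
        hash_password(candidate, b"\x00" * SALT_LEN)
        return False
    salt, iterations, expected = record
    _, _, actual = hash_password(candidate, salt, iterations)
    # Constant-time comparison so the verifier does not leak matching prefixes.
    return hmac.compare_digest(actual, expected)


def precomputed_table_hits(hashes, dictionary) -> int:
    """Stand-in for a rainbow table: precompute the unsalted SHA-256 of every
    dictionary word once, then look up each stored hash. Against per-user
    salted records the lookup finds nothing, because the attacker would have
    to rebuild the table once per salt value."""
    table = {hashlib.sha256(w.encode("utf-8")).digest(): w for w in dictionary}
    return sum(1 for h in hashes if h in table)


def demo() -> dict:
    # Constructed sample data: two users who chose the same password.
    password = "correct horse battery staple"
    store: Dict[str, Record] = {}
    store_user(store, "alice", password)
    store_user(store, "bob", password)

    # Unsalted store for contrast: the same password always hashes identically.
    naive_store = {u: hashlib.sha256(password.encode("utf-8")).digest()
                   for u in ("alice", "bob")}
    dictionary = ["password", password, "123456"]  # constructed wordlist

    return {
        "alice_ok": verify_password(store, "alice", password),
        "alice_wrong_case": verify_password(store, "alice", password.capitalize()),
        "unknown_user": verify_password(store, "mallory", "anything"),
        "salted_hashes_differ": store["alice"][2] != store["bob"][2],
        "salt_len": len(store["alice"][0]),
        "hits_against_salted": precomputed_table_hits(
            [r[2] for r in store.values()], dictionary),
        "hits_against_unsalted": precomputed_table_hits(
            naive_store.values(), dictionary),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salted records for alice and bob differ even though the password is identical, so an attacker cannot tell from the file that two users share a password, and a table precomputed without the salt scores zero hits against the salted store while hitting both unsalted records. The salt being public does not matter: its job is to force per-user work, not to stay secret.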
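To make the Bloom filter question concrete, here is an added example (not from the textbook) of a Bloom filter used as a proactive password checker: a constructed list of forbidden passwords is inserted into a bit array, and a candidate password is rejected if every one of its k bit positions is set. The forbidden words and the candidate password are constructed; the sizing rule and false-positive estimate are the standard ones for Bloom filters.

```python
import hashlib
import math
from typing import Iterable, Iterator


class BloomFilter:
    """Bloom filter with m bits and k hash functions.

    Membership tests can yield false positives (a good password wrongly
    rejected) but never false negatives (a forbidden password accepted),
    which is the right trade-off for a password filter."""

    def __init__(self, m_bits: int, k: int) -> None:
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0  # number of items inserted

    def _positions(self, item: str) -> Iterator[int]:
        # k hash functions simulated by prefixing SHA-256 with a counter byte.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item.encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.count += 1

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


def false_positive_rate(m_bits: int, k: int, n: int) -> float:
    """Standard estimate (1 - e^(-kn/m))^k of the false-positive probability."""
    return (1 - math.exp(-k * n / m_bits)) ** k


def build_filter(forbidden: Iterable[str], bits_per_word: int = 32) -> BloomFilter:
    """Size the filter from the word count: m = bits_per_word * n, k ~ (m/n) ln 2."""
    words = list(forbidden)
    m = bits_per_word * len(words)
    k = max(1, round(bits_per_word * math.log(2)))
    bf = BloomFilter(m, k)
    for w in words:
        bf.add(w)
    return bf


def check_password(bf: BloomFilter, candidate: str) -> str:
    return "reject" if candidate in bf else "accept"


def demo() -> dict:
    # Constructed forbidden list; a real deployment would load a large dictionary.
    forbidden = ["password", "123456", "qwerty", "letmein", "admin", "welcome"]
    bf = build_filter(forbidden)
    return {
        "all_forbidden_rejected": all(check_password(bf, w) == "reject"
                                      for w in forbidden),
        "strong_accepted": check_password(bf, "orbit-velvet-cactus-91") == "accept",
        "estimated_fp": false_positive_rate(bf.m, bf.k, bf.count),
        "filter_bytes": len(bf.bits),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter never lets a listed word through, and the bit array is far smaller than the dictionary it summarizes, which is why checking a candidate is cheap. The price is the estimated false-positive rate returned by `demo()`; raising `bits_per_word` lowers it at the cost of memory.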

Section 3.3: Token Based Authentication

Read this section briefly.

Section 3.4: Biometric Authentication

· Read about the most common types of biometric authentication.

· How accurate is a biometric system? In other words, how is it possible that an impostor is recognized as an authorized user? How can you minimize the probability of such a false match? Is it possible to completely remove the possibility of a false match? Why or why not?

· Why is authentication required for static biometrics but not for dynamic biometrics?


Section 3.5: Remote User Authentication

This is a more complex type of user authentication because it takes place over a network, mainly the Internet. This type of authentication is therefore vulnerable to additional attacks such as eavesdropping and replay attacks. As a countermeasure, various types of challenge-response protocols have been designed.

· What is the basic idea of a challenge-response protocol?

· Does the dynamic biometric protocol provide more security than the static biometric protocol?

Section 3.6: Security Issues for User Authentication

This is a more detailed description of attacks against authentication. Go through Table 3.4 and think about how each defense works to prevent the corresponding attack.

· How does a challenge-response protocol prevent replay attacks and host attacks? Can it protect against eavesdropping too? Why or why not?

· Is it possible to prevent denial-of-service attacks completely over the Internet? Why or why not?

· How does client authentication protect against a Trojan horse attack?

· How is eavesdropping prevented? Does cryptography provide any protection against eavesdropping?
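The challenge-response questions in Sections 3.5 and 3.6 are easier to answer with a concrete exchange in front of you. The following added example (not the textbook's protocol) uses a generic nonce-based design: the host sends a fresh random challenge, the client answers with an HMAC of that challenge under a shared secret, and the host accepts only a correct answer to an outstanding, never-before-used challenge. The usernames and secrets are constructed; the `Server` and `Client` classes are hypothetical names for the two ends of the protocol.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class Server:
    """Host side of the exchange. Stores the shared secret per user, issues
    one outstanding nonce per user, and remembers consumed nonces."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self._secrets = dict(users)
        self._outstanding: Dict[str, bytes] = {}
        self._used = set()

    def challenge(self, username: str) -> bytes:
        nonce = os.urandom(16)  # fresh and unpredictable for every attempt
        self._outstanding[username] = nonce
        return nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # The challenge is consumed the moment it is answered, so a replayed
        # (nonce, response) pair no longer matches anything outstanding.
        expected_nonce = self._outstanding.pop(username, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self._used:
            return False
        self._used.add(nonce)
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        # The secret never leaves the client; only a keyed hash of the
        # challenge crosses the network.
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_protocol() -> dict:
    secret = os.urandom(32)            # constructed shared secret for "alice"
    server = Server({"alice": secret})
    alice = Client(secret)
    transcript = []                    # what an eavesdropper on the wire sees

    # 1. Legitimate run.
    nonce = server.challenge("alice")
    transcript.append(("server->client", nonce))
    response = alice.respond(nonce)
    transcript.append(("client->server", response))
    legit = server.verify("alice", nonce, response)

    # 2. Replay: the eavesdropper resends the captured messages verbatim.
    replay = server.verify("alice", *[m[1] for m in transcript])

    # 3. Eavesdropper answers a fresh challenge with the captured response.
    fresh = server.challenge("alice")
    stale_answer = server.verify("alice", fresh, response)

    # 4. Impostor who knows the protocol but not the secret.
    fresh = server.challenge("alice")
    impostor = server.verify("alice", fresh, Client(os.urandom(32)).respond(fresh))

    return {
        "legitimate": legit,
        "replay": replay,
        "stale_answer_to_fresh_challenge": stale_answer,
        "impostor": impostor,
        "secret_on_wire": any(secret in m for _, m in transcript),
    }


if __name__ == "__main__":
    for key, value in run_protocol().items():
        print(f"{key}: {value}")
```

The replay fails because the nonce was consumed, the captured response is useless against a new nonce, and the secret itself never appears on the wire. Note what the exchange does not do: the eavesdropper still reads every message, so the protocol does not provide confidentiality, and because the host stores the shared secret, a compromised host file exposes it; those are exactly the eavesdropping and host-attack questions above.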

Section 3.7: An Iris Biometric System

· What are the characteristics of this system?

· Does this system provide remote authentication?

Section 3.8: Case Study

This is an interesting case study. Read it.

Try to solve the problems at the end of this chapter. Some of these problems will be given as assignments.