Professional Documents
Culture Documents
Security
User Authentication
User authentication
Areas of
risk
Assurance Level
More specifically Four levels of
is defined as: assurance
Describes an
organization’s Level 1
degree of The degree of confidence • Little or no confidence in the
asserted identity's validity
in the vetting process
certainty that a used to establish the
identity of the individual
user has to whom the credential Level 2
was issued • Some confidence in the asserted
presented a identity’s validity
credential that
Level 3
refers to his or • High confidence in the asserted
her identity The degree of confidence
that the individual who
identity's validity
Offline Password
guessing Workstation Electronic
dictionary against hijacking monitoring
attack single user
Exploiting
Specific Popular Exploiting
multiple
account password user
password
attack attack mistakes
use
Password Cracking
Dictionary attacks Rainbow table attacks
• Develop a large dictionary • Pre-compute tables of
of possible passwords hash values for all salts
and try each against the • A mammoth table of hash
password file values
• Each password must be • Can be countered by
hashed using each salt using a sufficiently large
value and then compared salt value and a
to stored hash values sufficiently large hash
length
Make
available
only to
Vulnerabilities
privileged
users
• Password checker
o Compile a large dictionary of passwords not to use
• Bloom filter
o Used to build a table based on hash values
o Check desired password against this table
Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined
with a password or PIN
• Drawbacks of memory cards include:
o Requires a special reader
o Loss of token
Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display
for human/token interaction
• Electronic interface
o A smart card or other token requires an electronic interface to
communicate with a compatible reader/writer
o Contact and contactless interfaces
• Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
• Contain:
o An entire microprocessor
• Processor
• Memory
• I/O ports
Can serve the same purposes as other Has human-readable data printed on its
national ID cards, and similar cards such as a surface
driver’s license, for access to government and • Personal data
commercial services • Document number
• Card access number (CAN)
• Machine readable zone (MRZ)