# Computer Security - lesson 5

#### Federico Maggi

###### 1 April 2016

## Authentication

__Authentication__ solves the problem of *validating* an identity. It can be:

- unidirectional
- bidirectional (mutual): both entities authenticate each other

Authentication is a prerequisite for authorization: deciding whether a certain permission is granted or not.

## The "to know" factor

Passwords or secrets can be stolen, guessed, spied on, or even bruteforced. We can mitigate these problems by enforcing password changes or length constraints.

A website with hints on strong passwords: `passfault.appspot.com`

### Problem of sending a secret over an untrusted channel

For example, over the internet it is not safe to send the secret in plaintext for authentication.

A safer system is the __challenge-response__ one: for example, the server asks you to compute the hash of *some random data + your secret* and send it back. This constitutes a cryptographic proof that the user owns the password.

A typical response is Hash(random data + secret + other random data) + other random data.

Usually in this case *mutual authentication* is needed to avoid __Man in the middle__ attacks.

__Replay attacks__ consist in intercepting the password and using it again.

### Secret storage

Passwords must never be stored in *cleartext*; instead, the *password hash* can be stored.

If a site emails your password back to you in cleartext, that is an implicit proof that it stores your password in cleartext.

__Password recovery__ procedures must also be implemented carefully, otherwise they can become a way of circumventing the main security measures.

## The "to have" factor

There is a difference between *telling* a colleague a secret and *giving* them a physical object that contains a secret (e.g. a smart card with your photo on it).

Up to now such objects are cheap and offer a good level of security for the reason above.
`Financial Crypto 2016 - How google killed 2factor authentication`

## The "to be" factor

## Single Sign On

Google, Yahoo, Facebook can be used as identity providers.
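The challenge-response and secret-storage sections above describe two things that fit together: the server keeps only a salted, slowly derived password hash instead of the cleartext, and a login proves knowledge of the password by hashing fresh random data together with the secret, in both directions so that the server is authenticated too. The following is an added example written for these notes (it is not the lecturer's code and not from any library); the user name, password, nonce sizes and the `b"client"`/`b"server"` labels are constructed assumptions. It also shows why a replayed response fails: the server's random data is different on every login.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed sample credential: a hypothetical user, not from the lecture.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, deliberately slow derivation: this is what gets stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def prove(key: bytes, label: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Hash(random data + secret + other random data), realised as an HMAC over both nonces."""
    return hmac.new(key, label + nonce_a + nonce_b, "sha256").digest()


class Server:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, derived key)
        self.pending: dict[str, bytes] = {}              # username -> outstanding server nonce

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))
        # The cleartext password is discarded here; only salt + derived key survive.

    def challenge(self, username: str) -> tuple[bytes, bytes]:
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)   # fresh random data per login: this is what defeats replay
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, client_nonce: bytes, response: bytes) -> Optional[bytes]:
        """Returns the server's own proof on success (mutual authentication), None on failure."""
        salt, key = self.users[username]
        server_nonce = self.pending.pop(username, None)  # each challenge is single use
        if server_nonce is None:
            return None
        expected = prove(key, b"client", server_nonce, client_nonce)
        if not hmac.compare_digest(expected, response):   # constant-time comparison
            return None
        return prove(key, b"server", client_nonce, server_nonce)


class Client:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.password = password

    def respond(self, salt: bytes, server_nonce: bytes) -> tuple[bytes, bytes]:
        key = derive_key(self.password, salt)
        client_nonce = secrets.token_bytes(16)            # the "other random data" in the notes
        return client_nonce, prove(key, b"client", server_nonce, client_nonce)

    def check_server(self, salt: bytes, client_nonce: bytes, server_nonce: bytes,
                     proof: Optional[bytes]) -> bool:
        """The client only trusts a server that can produce the matching proof."""
        if proof is None:
            return False
        key = derive_key(self.password, salt)
        return hmac.compare_digest(prove(key, b"server", client_nonce, server_nonce), proof)


def run_login(server: Server, client: Client) -> tuple[bool, bool]:
    """One exchange; returns (client accepted by server, server accepted by client)."""
    salt, server_nonce = server.challenge(client.username)
    client_nonce, response = client.respond(salt, server_nonce)
    proof = server.verify(client.username, client_nonce, response)
    return proof is not None, client.check_server(salt, client_nonce, server_nonce, proof)


def replay_attempt(server: Server, client: Client) -> bool:
    """A captured, previously valid response is resubmitted against a fresh challenge."""
    salt, server_nonce = server.challenge(client.username)
    captured = client.respond(salt, server_nonce)
    server.verify(client.username, *captured)        # the legitimate login completes normally
    server.challenge(client.username)                 # next login: new server nonce
    return server.verify(client.username, *captured) is not None   # False: old response rejected


if __name__ == "__main__":
    srv = Server()
    srv.register(USERNAME, PASSWORD)
    print("login:", run_login(srv, Client(USERNAME, PASSWORD)))        # (True, True)
    print("wrong password:", run_login(srv, Client(USERNAME, "nope")))  # (False, False)
    print("replay accepted:", replay_attempt(srv, Client(USERNAME, PASSWORD)))  # False
```

Two design points worth noticing. The server's `verify` always consumes the pending nonce and compares with `hmac.compare_digest`, so a wrong response costs the attacker a fresh challenge and leaks no timing information. The caveat is that, in this toy protocol, the stored derived key is itself enough to answer a challenge, so a leaked user table is still password-equivalent for this login path (hashing only protects the cleartext password, which users tend to reuse elsewhere); protocols such as SCRAM separate the value the server stores from the value the client needs to prove.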