
Computer Security - lesson 5

Federico Maggi

1 April 2016

Authentication

Authentication solves the problem of validating an identity. It can be

  • unidirectional
  • bidirectional (mutual): both entities authenticate each other

Authentication is necessary for authorization: enforcing whether certain permissions are granted or not.

The "to know" factor authentication

Passwords or secrets can be stolen, guessed, spied on, or even brute-forced. We can mitigate these problems by enforcing password changes or length constraints. A website with hints on strong passwords: passfault.appspot.com

Problem of sending a secret over untrusted channel

For example, over the Internet it is not safe to send the secret in plaintext for authentication. A safer system is challenge-response: for example, the server asks you to compute and send back the hash of some random data + your secret. This constitutes a cryptographic proof that the user owns the password. A typical response is Hash(random data + secret + other random data) + other random data. Usually in this case mutual authentication is needed to avoid man-in-the-middle attacks. Replay attacks consist in intercepting the password and using it again.
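The challenge-response exchange described above, as an added example that is not part of the original notes. It assumes SHA-256 as the hash and 16 random bytes from each side; the server forgets each challenge once it has been answered, so a captured proof that is sent again is rejected, and it answers with its own proof so the client can authenticate the server too (mutual authentication).

```python
import hashlib
import hmac
import secrets

# Constructed sample: a secret the client and server already share.
SHARED_SECRET = b"correct horse battery staple"

def proof(nonce_a, secret, nonce_b):
    """Hash(random data + secret + other random data), as in the notes."""
    return hashlib.sha256(nonce_a + secret + nonce_b).digest()

class Server:
    def __init__(self, secret):
        self.secret = secret
        self.pending = set()  # challenges issued and not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, server_nonce, client_nonce, client_proof):
        """Return the server's own proof on success, None on failure."""
        if server_nonce not in self.pending:
            return None  # unknown or already answered challenge: a replay
        self.pending.discard(server_nonce)  # each challenge is answered once
        expected = proof(server_nonce, self.secret, client_nonce)
        if not hmac.compare_digest(expected, client_proof):
            return None  # the caller does not know the secret
        # Mutual authentication: answer the client's random data so the
        # client can check it is talking to a server that knows the secret.
        return proof(client_nonce, self.secret, server_nonce)

def login(server, secret, captured=None):
    """One client-side run; messages sent are copied into `captured` to model an eavesdropper."""
    server_nonce = server.challenge()
    client_nonce = secrets.token_bytes(16)
    client_proof = proof(server_nonce, secret, client_nonce)
    if captured is not None:
        captured.update(s=server_nonce, c=client_nonce, p=client_proof)
    server_proof = server.verify(server_nonce, client_nonce, client_proof)
    if server_proof is None:
        return False
    # The client checks the server's proof before trusting the session.
    return hmac.compare_digest(server_proof, proof(client_nonce, secret, server_nonce))

def replay_captured(server, captured):
    """The eavesdropper resends the captured challenge, nonce and proof."""
    return server.verify(captured["s"], captured["c"], captured["p"]) is not None
```

A genuine login succeeds, a login with a wrong secret fails, and resending the captured proof fails because the challenge it answers is no longer pending.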

Secret storage

Passwords must never be stored in cleartext; the password hash can be stored instead. A site that emails you back your password in cleartext gives an implicit proof that it stores your password in cleartext.

Password recovery procedures must also be implemented carefully, otherwise they can become a way of circumventing the main security measures.

The "to have" factor

There is a difference between telling a colleague a secret and giving them a physical object that contains a secret (e.g. a smart card with your photo on it). Up to now these are cheap and offer a good level of security, for the reason above.

Financial Crypto 2016 - How Google killed 2-factor authentication

The "to be" factor

Financial Crypto 2016 - How Google killed 2-factor authentication

Single Sign On

Google, Yahoo and Facebook can be used as identity providers.