1. Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers used in our world? What is the problem with using people’s names as identifiers?

2. Access privileges granted to a user, program, or process.† † Definition from National Information Systems Security Common authorization tokens:

3. Security measure designed to establish the validity of a transmission, message, or originator,or a means of verifying an individual’s authorization to receive specific categories of information.† † Definition from National Information Systems Security Authentication is often necessary to ensure integrity of origin.

4. Authentication... is a basis for trust Password -- the most common means of authentication Passwords are vulnerable to attacks. Why? Uses challenge - reponse protocol RESPONSE password:  CHALLENGE  (Encryption required) Challenge-response systems fail when responses are efficiently discovered.

5. Give password cracking software a challenge. The conventional wisdom is as follows...  Use first letters from some phrase you can remember. TtlsH1wwya  Don’t use short passwords (at least 8 symbols).  Include both lowercase and uppercase and digits.  Bracket the password with non-alphanumerics. #TtlsH1wwya&  Bracket the password with non-printables.  #TtlsH1wwya&  Alt - 0181 cracker algorithm == repeatedly

6. token -- small device carried by user (often includes microprocessor, keypad and/or real-time clock) Challenge-Response Token 1)System displays random number which user enters on keypad. 2)Card uses keypad input to calculate and display number. 3)User enters number in computer which system verifies by same computation. Time-Based Token 1)Card uses internal real-time clock value to calculate and display number. 2)User enters number in computer which system verifies with its clock. HHAD - Hand Held Authentication Device

7. biometric -- requires special devices to read human features fingerprints retinal/iris scans facial recognition? voice patterns

8. Advantages nothing to remember or to carry promise of simple use Disadvantages imperfect accuracy (1:100,000 at best) susceptible to physical injury theft possible (even without direct contact) not all systems will be consistent

9. NIST has suggested including two fingerprints and a faceprint on passports. A few major U.S. airports have tested face recognition software. In Jan., 2002, a Yokohama math researcher spoofed fingerprints. A British medical report claims that medications used to treat Glaucoma will alter iris patterns, rendering iris scans useless.

10. digital certificate -- a certificate authority performs a security check on a user and grants an electronic certificate (essentially encryption keys) smartcard -- physically requires reader, contains full microprocessor with cryptographic calculations performed onboard. Smartcards can store...  private keys  biometric data  digital certificate  user data Tampering with a smartcard typically renders it useless.

11. Strength of authentication Vulnerability to attack Ease of use Cost to implement Interoperability with other systems

12. ...what you _______ (password)...what you _______ (key, token, smartcard)...what you _____ (biometrics - fingerprints, retinal scan)..._______ you are (in secure location, at some terminal)

13. Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.† † Definition from National Information Systems Security Access Attacker User