Get 1 week of unlimited access
Study Guides (299,242)
AUS (8,316)
Monash (1,660)
FIT (54)
Final

FIT2093 Study Guide - Final Guide: Reverse Dictionary, Dictionary Attack, Argon2

9 pages93 viewsSummer 2018

Department
Information Technology
Course Code
FIT2093
Professor
Dr Ron Steinfeld
Study Guide
Final

This preview shows pages 1-3. to view the full 9 pages of the document.
Security threats:
- Interruption: Disrupting network (attack on availability)
- Interception: Intercepting the network and stealing data (attack on confidentiality)
- Modification: Modifying the message in the transfer network (attack on integrity)
- Fabrication: Sending a message without the receiver knowing that the sender is not the
original sender (attack on authenticity)
Two types of attacks:
- Passive attack: Eavesdropping networks and monitoring information being transmitted
- Active attack: Modifying message stream
Authentication
Means of User Authentication:
- Something you know: Password
- Something you have: Smartcard
- Something you are (static biometrics): Fingerprints
- Something you do (dynamic biometrics): Voice
Errors in biometrics:
- False Negative: When an enrolled user is not verified into the system; false rejection
- False Positive: When an unenrolled user is verified into the system; false acceptance
Simple password authentication attacks:
- “Online” password guessing
o Specific account guessing attack
o Popular password guessing attack
o Countermeasures: Can be stopped by account locking mechanisms
- Workstation hijacking: Using a logged in workstation
o Countermeasures: Can be stopped by automatic workstation logout
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring: Monitoring user’s password entering through electronic devices
o Countermeasures: Can be stopped by encrypted network links
One-way hash functions easily transform a password to hashed password f(p) but derivatizing p
from f(p) is computationally infeasible. Use one-way functions like scrypt or Argon2 to slow down
hashing process to around 100ms so that deriving the password would take a very long time
Precomputation based dictionary attacks:
- Offline dictionary attack phase: Create a dictionary of possible passwords, hash each one to
create a reverse dictionary
- Password lookup attack: Compare reverse dictionary with hashed password in the hashed
password file
Password aging requires the user to change the password regularly
One-time password follows a challenge response protocol, where random bits of data will be
assigned to user to enter to be able to log in.
You're Reading a Preview

Unlock to view full version

Only half of the first page are available for preview. Some parts have been intentionally blurred.

Biometrics Authentication
Enrolment: Adding a biometric identifier into the system/database
Present biometric > Capture > Process > Store > COMPARE
Verification: Checking if user matches enrolment record
Present biometric > Capture > Process > COMPARE
Access control
The prevention of unauthorized use of a resource and the use of a resource in an unauthorized
manner
User Authentication function [e.g. Logging in] Access control function Resources
Subject the user/application that access resources
Object The files/resources being accessed
Access right the way a subject accesses resources (e.g. read, write, execute permission)
3 types of access control:
- DAC (discretionary access control) controls access based on requestor’s identity and access
rules on what requestors can do
o Centralised security: an admin controls access
o Distributed security: managers/team leaders control access
- MAC (mandatory access control) controls access by comparing security labels of resources
to security clearances of subjects
- RBAC (role-based access control) controls access by categorising users into specific roles
and access rules for resources are subdivided for each role
Access control matrix defines the subjects, the objects and the access rights for each subject to each
object.
Access control list focuses on object. It shows all subjects access rights to the object.
Capabilities list focuses on subject. It shows access rights to all objects for a subject.
Access control security models:
- Multilevel model
o Categorises information into confidentiality levels (security classification) and
categorises users into responsibility levels (security clearances)
- Multilateral model
o Information categorised in to classes based on usage patterns
Bell-La-Padula Model
3 conditions:
- No READ UP: A subject can only read objects that have a lower clearance level (ss property)
- No WRITE DOWN: A subject can only write on objects that have a higher clearance level (star
property)
- DISCRETIONARY Access Control: A subject can only have access if it has the authorization
based on his/her security clearances compared to the subject’s security label
You're Reading a Preview

Unlock to view full version

Only half of the first page are available for preview. Some parts have been intentionally blurred.

Cryptography
2 basic principles of cryptography
- Substitution
o Substitute each letter with a few positions down the alphabet sequence
- Transposition
o Repositioning each letter in the message a fixed position from its original position
5 features of a ciphertext:
- Confusion: The relationship between the ciphertext and the encryption key is very complex
- Diffusion: The structure of the plaintext is dissipated in the large structure of the ciphertext
- Avalanche Effect: A small change in the plaintext will create a significant change in the
ciphertext
- Computational Effect: Given a limited amount of computing power, the computer will not
be able break the ciphertext
- Unconditional Effect: No amount of computing power will be able to break the ciphertext
due to insufficient information to determine the plaintext
All Private key block ciphers (symmetric encryption):
- DES (key - 56 bits, plain/ciphertext - 64 bits)
o Encryption/Decryption algorithm
o Key scheduling algorithm
o 3DES
- AES (key 128,192,256 bits, plaintext 128 bits)
- Triple DES (key - 56 bits, plain/ciphertext - 64 bits)
o Encryption - Encryption, Decryption, Encryption (C = EK3[DK2[EK1[P]]])
o Decryption Decryption, Encryption, Decryption (P = DK3[EK2[DK1[P]]])
3 types on cryptography:
- Key Distribution (Diffie Hellman Key Exchange)
- Encryption/Decryption (RSA cryptosystem)
- Digital certificates
You're Reading a Preview

Unlock to view full version


Loved by over 2.2 million students

Over 90% improved by at least one letter grade.