Study Guides (283,960)
AUS (7,911)
Monash (1,561)
FIT (42)
FIT2093 (1)
Final

FIT2093 Study Guide - Final Guide: Reverse Dictionary, Dictionary Attack, Argon2

9 Pages
77 Views
Summer 2018

Department
Information Technology
Course Code
FIT2093
Professor
Dr Ron Steinfeld
Study Guide
Final

This preview shows pages 1-3. Sign up to view the full 9 pages of the document.
Security threats:
- Interruption: Disrupting network (attack on availability)
- Interception: Intercepting the network and stealing data (attack on confidentiality)
- Modification: Modifying the message in the transfer network (attack on integrity)
- Fabrication: Sending a message without the receiver knowing that the sender is not the
original sender (attack on authenticity)
Two types of attacks:
- Passive attack: Eavesdropping networks and monitoring information being transmitted
- Active attack: Modifying message stream
Authentication
Means of User Authentication:
- Something you know: Password
- Something you have: Smartcard
- Something you are (static biometrics): Fingerprints
- Something you do (dynamic biometrics): Voice
Errors in biometrics:
- False Negative: When an enrolled user is not verified into the system; false rejection
- False Positive: When an unenrolled user is verified into the system; false acceptance
Simple password authentication attacks:
- “Online” password guessing
o Specific account guessing attack
o Popular password guessing attack
o Countermeasures: Can be stopped by account locking mechanisms
- Workstation hijacking: Using a logged in workstation
o Countermeasures: Can be stopped by automatic workstation logout
- Exploiting user mistakes
- Exploiting multiple password use
- Electronic monitoring: Monitoring user’s password entering through electronic devices
o Countermeasures: Can be stopped by encrypted network links
One-way hash functions easily transform a password to hashed password f(p) but derivatizing p
from f(p) is computationally infeasible. Use one-way functions like scrypt or Argon2 to slow down
hashing process to around 100ms so that deriving the password would take a very long time
Precomputation based dictionary attacks:
- Offline dictionary attack phase: Create a dictionary of possible passwords, hash each one to
create a reverse dictionary
- Password lookup attack: Compare reverse dictionary with hashed password in the hashed
password file
Password aging requires the user to change the password regularly
One-time password follows a challenge response protocol, where random bits of data will be
assigned to user to enter to be able to log in.
Biometrics Authentication
Enrolment: Adding a biometric identifier into the system/database
Present biometric > Capture > Process > Store > COMPARE
Verification: Checking if user matches enrolment record
Present biometric > Capture > Process > COMPARE
Access control
The prevention of unauthorized use of a resource and the use of a resource in an unauthorized
manner
User Authentication function [e.g. Logging in] Access control function Resources
Subject the user/application that access resources
Object The files/resources being accessed
Access right the way a subject accesses resources (e.g. read, write, execute permission)
3 types of access control:
- DAC (discretionary access control) controls access based on requestor’s identity and access
rules on what requestors can do
o Centralised security: an admin controls access
o Distributed security: managers/team leaders control access
- MAC (mandatory access control) controls access by comparing security labels of resources
to security clearances of subjects
- RBAC (role-based access control) controls access by categorising users into specific roles
and access rules for resources are subdivided for each role
Access control matrix defines the subjects, the objects and the access rights for each subject to each
object.
Access control list focuses on object. It shows all subjects access rights to the object.
Capabilities list focuses on subject. It shows access rights to all objects for a subject.
Access control security models:
- Multilevel model
o Categorises information into confidentiality levels (security classification) and
categorises users into responsibility levels (security clearances)
- Multilateral model
o Information categorised in to classes based on usage patterns
Bell-La-Padula Model
3 conditions:
- No READ UP: A subject can only read objects that have a lower clearance level (ss property)
- No WRITE DOWN: A subject can only write on objects that have a higher clearance level (star
property)
- DISCRETIONARY Access Control: A subject can only have access if it has the authorization
based on his/her security clearances compared to the subject’s security label
Cryptography
2 basic principles of cryptography
- Substitution
o Substitute each letter with a few positions down the alphabet sequence
- Transposition
o Repositioning each letter in the message a fixed position from its original position
5 features of a ciphertext:
- Confusion: The relationship between the ciphertext and the encryption key is very complex
- Diffusion: The structure of the plaintext is dissipated in the large structure of the ciphertext
- Avalanche Effect: A small change in the plaintext will create a significant change in the
ciphertext
- Computational Effect: Given a limited amount of computing power, the computer will not
be able break the ciphertext
- Unconditional Effect: No amount of computing power will be able to break the ciphertext
due to insufficient information to determine the plaintext
All Private key block ciphers (symmetric encryption):
- DES (key - 56 bits, plain/ciphertext - 64 bits)
o Encryption/Decryption algorithm
o Key scheduling algorithm
o 3DES
- AES (key 128,192,256 bits, plaintext 128 bits)
- Triple DES (key - 56 bits, plain/ciphertext - 64 bits)
o Encryption - Encryption, Decryption, Encryption (C = EK3[DK2[EK1[P]]])
o Decryption Decryption, Encryption, Decryption (P = DK3[EK2[DK1[P]]])
3 types on cryptography:
- Key Distribution (Diffie Hellman Key Exchange)
- Encryption/Decryption (RSA cryptosystem)
- Digital certificates

Loved by over 2.2 million students

Over 90% improved by at least one letter grade.

Leah — University of Toronto

OneClass has been such a huge help in my studies at UofT especially since I am a transfer student. OneClass is the study buddy I never had before and definitely gives me the extra push to get from a B to an A!

Leah — University of Toronto
Saarim — University of Michigan

Balancing social life With academics can be difficult, that is why I'm so glad that OneClass is out there where I can find the top notes for all of my classes. Now I can be the all-star student I want to be.

Saarim — University of Michigan
Jenna — University of Wisconsin

As a college student living on a college budget, I love how easy it is to earn gift cards just by submitting my notes.

Jenna — University of Wisconsin
Anne — University of California

OneClass has allowed me to catch up with my most difficult course! #lifesaver

Anne — University of California
Description
Security threats: Interruption: Disrupting network (attack on availability) Interception: Intercepting the network and stealing data (attack on confidentiality) Modification: Modifying the message in the transfer network (attack on integrity) Fabrication: Sending a message without the receiver knowing that the sender is not the original sender (attack on authenticity) Two types of attacks: Passive attack: Eavesdropping networks and monitoring information being transmitted Active attack: Modifying message stream Authentication Means of User Authentication: Something you know: Password Something you have: Smartcard Something you are (static biometrics): Fingerprints Something you do (dynamic biometrics): Voice Errors in biometrics: False Negative: When an enrolled user is not verified into the system; false rejection False Positive: When an unenrolled user is verified into the system; false acceptance Simple password authentication attacks: Online password guessing o Specific account guessing attack o Popular password guessing attack o Countermeasures: Can be stopped by account locking mechanisms Workstation hijacking: Using a logged in workstation o Countermeasures: Can be stopped by automatic workstation logout Exploiting user mistakes Exploiting multiple password use Electronic monitoring: Monitoring users password entering through electronic devices o Countermeasures: Can be stopped by encrypted network links Oneway hash functions easily transform a password to hashed password f(p) but derivatizing p from f(p) is computationally infeasible. Use oneway functions like scrypt or Argon2 to slow down hashing process to around 100ms so that deriving the password would take a very long time Precomputation based dictionary attacks: Offline dictionary attack phase: Create a dictionary of possible passwords, hash each one to create a reverse dictionary Password lookup attack: Compare reverse dictionary with hashed password in the hashed password file Password aging requires the user to change the password regularly Onetime password follows a challenge response protocol, where random bits of data will be assigned to user to enter to be able to log in.
More Less
Unlock Document

Only pages 1-3 are available for preview. Some parts have been intentionally blurred.

Unlock Document
You're Reading a Preview

Unlock to view full version

Unlock Document

You've reached the limit of 4 previews this month

Create an account for unlimited previews.

Already have an account?

Log In


OR

Don't have an account?

Join OneClass

Access over 10 million pages of study
documents for 1.3 million courses.

Sign up

Join to view


OR

By registering, I agree to the Terms and Privacy Policies
Already have an account?
Just a few more details

So we can recommend you notes for your school.

Reset Password

Please enter below the email address you registered with and we will send you a link to reset your password.

Add your courses

Get notes from the top students in your class.


Submit