第三讲 密钥分配和用户认证.ppt

* We can identify the following attack strategies and countermeasures: ? Offline dictionary attack: A determined hacker may bypass access controls and gain access to the system password file. The attacker then compares the password hashes against hashes of commonly used passwords. ? Specific account attack: The attacker targets a specific account and submits password guesses until the correct password is discovered. ? Popular password attack: The attacker chooses a popular password and try it against a wide range of user IDs. ? Password guessing against single user: The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. ? Workstation hijacking; The attacker waits until a logged-in workstation is unattended. ? Exploiting user mistakes: If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. ? Exploiting multiple password use. When different network devices share the same or a similar password for a given user. ? Electronic monitoring: If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. * Countermeasures against the listed vulnerabilities include controls to: prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, rapid re-issuance of passwords should the password file be compromised; account lockout mechanism which locks out access to the account after a number of failed login attempts; policies to inhibit the selection by users of common passwords; training in and enforcement of password policies that make passwords difficult to guess; automatically logging the workstation out after a period of inactivity; a policy that forbids the same or similar password on particular network devices; encrypted communications links. * A widely used password security technique is the use of hashed passwords and a salt value. Th