- Biometrics are hard to forge
- But attacker could
- Steal Alice’s thumb
- Photocopy Bob’s fingerprint, eye, etc.
- Subvert software, database, “trusted path” …
- And how to revoke a “broken” biometric? (Alice cannot be issued a new fingerprint)
- Biometrics are not foolproof
- Biometric use is relatively limited today
- That should change in the (near?) future
Something You Have - Something in your possession
- Examples include following…
- Car key
- Laptop computer (or its MAC address, though a MAC address is trivially spoofed)
- Password generator (next)
- ATM card, smartcard, etc.
Password Generator - Alice receives random “challenge” R from Bob
- Alice enters PIN and R in password generator
- Password generator computes h(K,R) from its stored symmetric key K and the challenge R (the PIN only unlocks the device; it is not hashed)
- Alice sends “response” h(K,R) back to Bob
- Bob verifies response
- Note: Alice has the password generator and knows the PIN; Bob and the generator share K
[Figure: challenge-response with a password generator. 1. Alice → Bob: “I’m Alice”. 2. Bob → Alice: R. 3. Alice → password generator: PIN, R. 4. Password generator → Alice: h(K,R). 5. Alice → Bob: h(K,R). Bob and the password generator both hold K.]
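The five-step exchange above, written out with both sides, as an added example that is not part of the original slides. The slide’s h is a generic keyed hash; here it is instantiated as HMAC-SHA256, and the key, PIN and user name are constructed sample values. The demo also shows the two failure modes a practitioner cares about: a sniffed h(K,R) replayed against a fresh challenge, and a stolen token used without the PIN.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demo (not from the original slides).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # K, held by token and Bob
PIN = "4711"


class PasswordGenerator:
    """Alice's token: holds K and answers a challenge only after the correct PIN."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: bytes) -> str:
        # Constant-time PIN check; the PIN gates the device, it is not hashed with R.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN")
        # h(K, R) instantiated as HMAC-SHA256 (an assumption; the slide's h is generic).
        return hmac.new(self._key, challenge, hashlib.sha256).hexdigest()


class Verifier:
    """Bob: issues a fresh random challenge per login and checks the response."""

    def __init__(self, keys: dict) -> None:
        self._keys = keys      # user -> K
        self._pending = {}     # user -> outstanding challenge R

    def challenge(self, user: str) -> bytes:
        r = secrets.token_bytes(16)   # unpredictable, so an old response is useless
        self._pending[user] = r
        return r

    def verify(self, user: str, response: str) -> bool:
        r = self._pending.pop(user, None)   # each challenge is consumed exactly once
        if r is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], r, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def login(bob: Verifier, token: PasswordGenerator, user: str, pin: str) -> tuple:
    """Run steps 1-5 of the exchange; returns (accepted, response) so the response can be replayed."""
    r = bob.challenge(user)                      # 1-2: "I'm Alice" / R
    response = token.respond(pin, r)             # 3-4: PIN, R -> h(K, R)
    return bob.verify(user, response), response  # 5: h(K, R) -> Bob


def demo() -> dict:
    bob = Verifier({"alice": SHARED_KEY})
    token = PasswordGenerator(SHARED_KEY, PIN)

    ok, captured = login(bob, token, "alice", PIN)

    # Trudy sniffed h(K, R) and replays it against a new challenge: rejected.
    bob.challenge("alice")
    replay_ok = bob.verify("alice", captured)

    # Trudy stole the token but not the PIN: the device refuses to answer.
    bob.challenge("alice")
    try:
        token.respond("0000", b"ignored")
        stolen_ok = True
    except PermissionError:
        stolen_ok = False

    return {"legit": ok, "replay": replay_ok, "stolen_token_wrong_pin": stolen_ok}


if __name__ == "__main__":
    print(demo())
```

Because Bob discards R after one verify, a captured response never matches a later challenge; because K never leaves the token, the PIN and the device are separate factors, which is the point of the two-factor slide that follows.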
Two-factor Authentication - Requires any 2 out of 3 of
- Something you know
- Something you have
- Something you are
- Examples
- ATM: Card and PIN
- Credit card: Card and signature
- Password generator: Device and PIN
- Smartcard with password/PIN
Single Sign-on - A hassle to enter password(s) repeatedly
- Kerberos is a single sign-on protocol
- Single sign-on for the Internet?
- Microsoft: Passport
- Everybody else: Liberty Alliance
- Security Assertion Markup Language (SAML)