From eb418467c6597f8029ae6a4f69de942fb71677b5 Mon Sep 17 00:00:00 2001 From: Leonard Kugis Date: Tue, 3 Mar 2020 23:13:00 +0100 Subject: Whitespace fix --- .../introduction_to_information_security.md | 41 +++++++++++++--------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md index 7269b89..67dd769 100644 --- a/en_GB/Introduction to Information Security/introduction_to_information_security.md +++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md @@ -4,15 +4,15 @@ ### Security objectives -- Confidentiality +- Confidentiality Contents of objects cannot be read by third parties. -- Integrity +- Integrity Whether or not a message has been modified between origin and receiver. -- Availability +- Availability Guaranteed access to the information for permitted parties. -- Access Control +- Access Control Only permitted parties are allowed to access the information. -- Non-repudiation +- Non-repudiation Proof that an entity was involved in some event. ### CIA @@ -26,18 +26,18 @@ - Confidentiality - Integrity - Availability -- Utility +- Utility Ensures that the information is useful and insensitive to e.g. lost keys. -- Possession or Control +- Possession or Control Be sure that the possessor is in control of the information at all times. -- Authenticity +- Authenticity Verification of claimed identities. Notice: In most cases, this just proves entities (e.g. machines), not humans. Also, there must be a point in time where authentication starts. If this step is taken automatically by a machine (e.g. session start), there is no valid inference to the actual human. ### Secrecy -Confidentiality+. +Confidentiality+. Not only provides hidden contents, but also hides the fact that there is content at all. ### Strategy 
@@ -80,18 +80,18 @@ As a user, you can be authenticated on the basis of ### Password protection -- No expiry dates +- No expiry dates Studies have shown that this results in worse passwords. -- No restrictions in password alphabet +- No restrictions in password alphabet Studies have shown that this leads to less possibilities in exhaustive guessing and therefore leads to worse passwords. -- Set a minimum length instead +- Set a minimum length instead Has a higher impact than complexity. Set the maximum to at least 64. - No hints -- Show passwords while typing +- Show passwords while typing Doing the opposite motivates the user to choose shorter passwords. -- Allow passwords to be pasted +- Allow passwords to be pasted This enables secure password managers to be used. -- Forbid commonly used passwords +- Forbid commonly used passwords Makes dictionary attacks difficult. - Limit number of failed password attempts @@ -107,6 +107,7 @@ As a user, you can be authenticated on the basis of #### False match rate (FMR) How often is a false match attempt successful, which it should not be? Best case: $\text{FMR} = 0$. +It can be interpreted as a measure of quality of the specific scheme. The lower the value, the better. $\text{FMR} = \frac{\text{\# successful false matches}}{\text{\# attempted false matches}}$ @@ -165,6 +166,14 @@ Probability of some sample to match at least one of the entries in the database. $\text{FPIR} = (1 - \text{FTA}) \times (1 - (1 - \text{FMR})^{n})$ +#### Biometrics in remote authentication + +*FPIR* scales up with increased *n* (database size), which makes it unusable in remote authentication with large databases. + +##### Examples + +Using a biometric scheme with $\text{FMR} = 0.01\%$ and a database of size $\text{n} = 80000$ results in $\text{FPIR} = (1 - 0) \times (1 - (1 - 0.0001)^{80000}) = 99.97\%$. + ## Threat scenarios No security issues without threat models! E.g. a password is considered safe without any provided threat model. 
@@ -188,5 +197,5 @@ Victim enters his password and the attacker captures the data forwarded by the f #### Countermeasures - System authentication to the user -- Display number of failed logins +- Display number of failed logins Indicates compromised password to the user. -- cgit v1.2.1
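Review bot: the hunk at @@ -4,15 forces a Markdown hard line break before each description by appending two trailing spaces to every list item (`- Confidentiality` becomes `- Confidentiality  `); this works, but the marker is invisible in the source and is silently stripped by editors configured to trim trailing whitespace, so the layout will regress on the next unrelated edit. Prefer a visible marker (a trailing backslash or `<br>`, or an indented sub-line under each item) or protect the file with an `.editorconfig` rule. Also visible in this hunk: `Access Control` is described with the same wording as `Confidentiality` (only permitted parties may access the information); distinguish the two, e.g. access control as the mechanism and confidentiality as the property it enforces.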
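Review bot: the `Utility` description in the @@ -26,18 hunk, `Ensures that the information is useful and insensitive to e.g. lost keys.`, reads as if utility protects against lost keys, whereas a lost key is the standard example of a loss of utility (the ciphertext is still confidential and intact but no longer usable). Suggest `Information remains in a usable form; e.g. encrypted data whose key has been lost keeps confidentiality and integrity but loses utility.` The closing sentence of the `Authenticity` notice, `there is no valid inference to the actual human`, would also be clearer as `the authentication binds the session to the machine, not to the person at the keyboard`.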
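Review bot: in the @@ -80,18 hunk the explanation under `- No restrictions in password alphabet`, `Studies have shown that this leads to less possibilities in exhaustive guessing and therefore leads to worse passwords.`, states the opposite of what is meant: `this` refers to having no restrictions, but it is the restriction that shrinks the search space. Reword to `Restricting the alphabet shrinks the space an exhaustive search has to cover and leads to worse passwords.` Under `- Set a minimum length instead`, the follow-on `Set the maximum to at least 64.` is correct but `minimum` and `maximum` on consecutive lines are easy to misread; `Require a minimum length (more effective than complexity rules) and allow at least 64 characters.` states both limits once. `Makes dictionary attacks difficult` under `- Forbid commonly used passwords` overstates the effect: the attack is no harder to run, it simply no longer finds the blocked entries; `Removes the entries a dictionary attack would try first` is the accurate claim.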
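Review bot: the line added in the @@ -107,6 hunk, `It can be interpreted as a measure of quality of the specific scheme. The lower the value, the better.`, is misleading on its own: by the definition two lines below (successful false matches over attempted false matches) a matcher that rejects every sample has FMR = 0, the stated best case, and is useless. FMR only measures quality together with the rate at which genuine users are wrongly rejected; state that trade-off or qualify the sentence, e.g. `Lower is better, at a fixed rate of rejected genuine users.`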
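Review bot: the worked example in the @@ -165,6 hunk substitutes `(1 - 0)` into the FPIR formula without saying that it assumes FTA = 0; make that explicit (`assuming no failures to acquire, FTA = 0`), since the formula two lines above carries the `(1 - FTA)` factor and a reader will otherwise wonder where the 0 comes from. The arithmetic itself is right: (1 - 0.0001)^80000 = e^(80000 ln 0.9999) ≈ e^-8.0 ≈ 0.00034, so FPIR ≈ 99.97%. Two smaller points: `$\text{n} = 80000$` should be `$n = 80000$` to match the italic *n* in the sentence above it, and the conclusion `unusable in remote authentication with large databases` should say 1:n identification (matching a sample against every entry, which is what FPIR models); a 1:1 verification against the claimed identity's single stored template does not grow with n.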
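Review bot: the rationale added under `- Display number of failed logins` in the @@ -188,5 hunk, `Indicates compromised password to the user.`, does not follow from the attack in the hunk's context line (`Victim enters his password and the attacker captures the data forwarded by the f`): an attacker who captured the real password logs in successfully, so the failed-login counter stays at zero. A failed-login count warns about guessing attempts; what reveals a captured password is the time and origin of the last successful login, which lets the user spot a login they did not perform. Suggest keeping the bullet with a corrected explanation (`Indicates guessing attempts against the account.`) and adding `Display time and origin of last successful login` as the countermeasure for the forwarding attack.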