
Lecture 3: Key Distribution and User Authentication, Explained.ppt

This document has 86 pages in total.
* Countermeasures against the listed vulnerabilities include: controls to prevent unauthorized access to the password file; intrusion detection measures to identify a compromise; rapid re-issuance of passwords should the password file be compromised; an account lockout mechanism that locks out access to the account after a number of failed login attempts; policies to inhibit the selection by users of common passwords; training in and enforcement of password policies that make passwords difficult to guess; automatically logging the workstation out after a period of inactivity; a policy that forbids the same or similar password on particular network devices; and encrypted communications links.

* A widely used password security technique is the use of hashed passwords and a salt value. This scheme is found on virtually all UNIX variants as well as on a number of other operating systems. The procedure shown in Figure 3.1a of the text is used. To load a new password into the system, the user selects or is assigned a password. This password is combined with a fixed-length salt value, so the same user password can produce multiple hash values depending on which salt is used, which makes attacks harder. In older implementations, the salt is related to the time the password is assigned to the user. Newer implementations use a pseudorandom or random number. The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code. The hash algorithm is designed to be slow to execute to thwart attacks. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. The hashed-password method has been shown to be secure against a variety of cryptanalytic attacks. When a user attempts to log on to a system, the user provides an ID and a password (as shown in Figure 3.1b). The operating system uses the ID to index into the password file and retrieve the plaintext salt and the encrypted passwor
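The load and verify steps described above, as an added Python example that is not part of the original slides. PBKDF2-HMAC-SHA256 stands in for the unnamed slow hash, and the salt length, iteration count, in-memory `password_file` dict and function names are assumptions; the final comparison goes beyond the text, which is cut off before describing it.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16        # assumed fixed salt length
ITERATIONS = 200_000   # assumed work factor: makes each hash deliberately slow


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, fixed-length hash of password and salt (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def load_password(password_file: dict, user_id: str, password: str) -> None:
    """Loading a password: random salt, slow hash, salt stored in plaintext."""
    salt = secrets.token_bytes(SALT_BYTES)
    password_file[user_id] = (salt, hash_password(password, salt))


def verify_password(password_file: dict, user_id: str, password: str) -> bool:
    """Logon: index by ID, re-hash the offered password with the stored salt."""
    entry = password_file.get(user_id)
    if entry is None:
        # Unknown ID: still pay the hashing cost so timing does not reveal
        # which user IDs exist in the password file.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = entry
    # Constant-time comparison of the stored and recomputed hash codes.
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def demo() -> dict:
    """Constructed sample data: two users who chose the same password."""
    password_file: dict = {}
    load_password(password_file, "alice", "correct horse")
    load_password(password_file, "bob", "correct horse")
    return password_file


if __name__ == "__main__":
    pf = demo()
    for user, (salt, digest) in pf.items():
        print(user, salt.hex(), digest.hex())
    print("alice, right password:", verify_password(pf, "alice", "correct horse"))
    print("alice, wrong password:", verify_password(pf, "alice", "wrong horse"))
```

Because each entry has its own salt, the two users' stored hashes differ even though their passwords are identical, so a precomputed table built for one salt does not apply to the other.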
