The Internet Encyclopedia (Volume 3)

PASSWORDS

Moore's Law: An observation named for Intel cofounder Gordon Moore that the number of transistors per square inch of an integrated circuit has doubled every year since integrated circuits were invented. This "law" has also variously been applied to processor speed, memory size, etc.

Nonce: A random number that is used once in a challenge-response handshake and then discarded. The one-time use ensures that an attacker cannot inject messages from a previous exchange and appear to be a legitimate user (see Replay attack).

One-way hash: A fixed-size string derived from some arbitrarily long string of text, generated by a formula in such a way that it is extremely unlikely that other texts will produce the same hash value.

One-time password: Also called OTP. A system that requires authentication that is secure against passive attacks based on replaying captured reusable passwords. In the modern sense, OTP evolved from Bellcore's S/KEY and is described in RFC 1938.

Orange Book: 1983 U.S. DoD 5200.28-STD publication, Trusted Computer System Evaluation Criteria, which defined the assurance requirements for security protection of computer systems processing classified or other sensitive information. Superseded by the Common Criteria.

Password synchronization: A scheme to ensure that a known password is propagated to other target applications. If a user's password changes for one application, it also changes for the other applications that the user is allowed to log onto.

Plaintext: A message or file to be encrypted. After it is encrypted, it becomes ciphertext.

Promiscuous mode: A manner of running a network device (especially a monitoring device or sniffer) in such a way that it is able to intercept and read every network packet, regardless of its destination address. Contrast with nonpromiscuous mode, in which a device only accepts and reads packets that are addressed to it.

Replay attack: An attack in which a valid data transmission is captured and retransmitted in an attempt to circumvent an authentication protocol.
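As an added example for the Nonce and Replay attack entries (example code written for this page, not from the encyclopedia), a minimal challenge-response handshake in Python: the server issues a single-use random nonce, the client answers with an HMAC over it, and a verbatim replay of a captured (nonce, response) pair is rejected because the nonce has already been consumed. The shared secret, class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example; in practice this is a per-user key.
SHARED_SECRET = b"example-shared-secret"


class Server:
    """Issues single-use nonces and verifies challenge responses."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fresh random nonce, used once
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # A nonce never issued, or already consumed, is rejected outright:
        # this is what makes a replayed (nonce, response) pair useless.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # consume it: one-time use
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """Client proves knowledge of the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_handshake_and_replay():
    """Returns (first_attempt_ok, replay_ok); the replay must fail."""
    server = Server(SHARED_SECRET)
    nonce = server.challenge()
    response = client_respond(SHARED_SECRET, nonce)
    first = server.verify(nonce, response)
    # An eavesdropper who captured the exchange resends it verbatim.
    replay = server.verify(nonce, response)
    return first, replay


if __name__ == "__main__":
    print(run_handshake_and_replay())  # (True, False)
```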
Salt: A random string that is concatenated with a password before it is operated on by a one-way hashing function. It can prevent collisions by uniquely identifying a user's password, even if another user has the same password. It also makes hash-matching attack strategies more difficult because it prevents an attacker from testing known dictionary words across an entire system.
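As an added illustration of the Salt and One-way hash entries (example code written for this page, not from the encyclopedia), this Python snippet stores a constructed three-account table both unsalted and salted. It shows that a per-account random salt hides the fact that two users share a password, and that checking a single candidate word against every account costs one hash evaluation for the unsalted table but one per account when salted. The sample accounts and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob happen to share a password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}


def hash_unsalted(password):
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password, salt):
    # The salt is concatenated with the password before the one-way hash.
    # Production code should use a deliberately slow KDF such as
    # hashlib.pbkdf2_hmac; plain SHA-256 keeps the example short.
    return hashlib.sha256(salt + password.encode()).digest()


def store_salted(password):
    salt = os.urandom(16)  # fresh random salt per account
    return salt, hash_salted(password, salt)


def verify_salted(password, salt, stored):
    return hmac.compare_digest(hash_salted(password, salt), stored)


def build_tables(users):
    """Returns (unsalted table, salted table) for the same accounts."""
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return unsalted, salted


def check_word_unsalted(unsalted, word):
    """(accounts matching word, hash evaluations): one hash covers them all."""
    h = hash_unsalted(word)
    return [u for u, v in unsalted.items() if v == h], 1


def check_word_salted(salted, word):
    """Each account's salt forces its own hash evaluation for the same word."""
    matches, evaluations = [], 0
    for u, (salt, stored) in salted.items():
        evaluations += 1
        if verify_salted(word, salt, stored):
            matches.append(u)
    return matches, evaluations
```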
SAM: Security Account Manager. On Windows systems, the secure portion of the system registry that stores user account information, including a hash of the user account password. The SAM is restricted via access control measures to administrators only and may be further protected using SYSKEY.

Shadow password file: In Unix or Linux, a system file in which encrypted user passwords are stored so they are inaccessible to unauthorized users.

Single sign-on: A mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems on which that user has access permission, without the need to enter multiple passwords.

Sniffing: The process of monitoring communications on a network segment via a wire-tap device (either software or hardware). Typically, a sniffer also has some sort of "protocol analyzer" which allows it to decode the computer traffic on which it is eavesdropping and make sense of it.

Social engineering: An outside hacker's use of psychological tricks on legitimate users of a computer system, in order to gain the information (e.g., user IDs and passwords) needed to gain access to a system.

SSH: Secure Shell. An application that allows users to log in to another computer over a network and execute remote commands (as in rlogin and rsh) and move files (as in ftp). It provides strong authentication and secure communications over unsecured channels.

SSL: Secure Sockets Layer. A network session layer protocol developed by Netscape Communications Corp. to provide security and privacy over the Internet. It supports server and client authentication, primarily for HTTP communications. SSL is able to negotiate encryption keys as well as authenticate the server to the client before data is exchanged.

SYSKEY: On Windows systems, a tool that provides encryption of account password hash information to prevent administrators from intentionally or unintentionally accessing these hashes using system registry programming interfaces.

CROSS REFERENCES
See Authentication; Biometric Authentication; Computer Security Incident Response Teams (CSIRTs); Digital Signatures and Electronic Signatures; Disaster Recovery Planning; Encryption; Guidelines for a Comprehensive Security System; Public Key Infrastructure (PKI); Secure Sockets Layer (SSL).