Review Questions

In general terms, what are four means of authenticating a user's identity?

page 75:

There are four general means of authenticating a user's identity, which can be used alone or in combination:

  • Something the individual knows: examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions.
  • Something the individual possesses: examples include electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a
  • Something the individual is (static biometrics): examples include recognition by fingerprint, retina, and face.
  • Something the individual does (dynamic biometrics): examples include recognition by voice pattern, handwriting characteristics, and typing rhythm.

List and briefly describe four common techniques for selecting or assigning passwords.

(page 84)

Four basic techniques are in use:

User education: unlikely to succeed at most installations, particularly where there is a large user population or a lot of turnover.

Computer-generated passwords: if the passwords are too random in nature, users will not be able to remember them.

Reactive password checking: a strategy in which the system periodically runs its own password cracker to find guessable passwords.

Proactive password checking: the user is allowed to select his or her own password, but the system checks the choice at selection time.

Explain the difference between a simple memory card and a smart card.

  • Simple memory card: stores data but does not process it.
  • Smart card: has its own processor, memory, and I/O ports.

List and briefly describe the principal physical characteristics used for biometric identification.

Facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature, and voice (page 92).

In the context of biometric user authentication, explain the terms enrollment, verification, and identification.

(page 93)

Enrollment: each individual who is to be included in the database of authorized users must first be enrolled in the system.

Verification: analogous to a user logging on to a system by using a memory card or smart card coupled with a password or PIN.

Identification: the individual uses the biometric sensor but presents no additional information.

Define the terms false match rate and false nonmatch rate, and explain the use of a threshold in relationship to these two rates. (page 95-97)

Describe the general concept of a challenge-response protocol.

In this case the computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge. For example, public-key cryptography could be used, and the token could encrypt the challenge string with the token's private key.
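The exchange described above, as an added example in Go that is not part of the original notes: the server issues a random challenge, the token answers with an Ed25519 signature over it (the modern form of "encrypting the challenge with the token's private key"), and the server verifies the answer under the enrolled public key. The Token, Verifier, Enroll, Challenge and Check names are assumptions for this example; each challenge is single-use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Token models the smart token: its private key never leaves the device.
type Token struct{ Priv ed25519.PrivateKey }
// Respond signs the server's challenge with the token's private key.
func (t Token) Respond(challenge []byte) []byte {
	return ed25519.Sign(t.Priv, challenge)
}

// Verifier is the server side: enrolled public keys plus the challenges
// it has issued but not yet consumed.
type Verifier struct {
	pubs   map[string]ed25519.PublicKey
	issued map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{pubs: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}
// Enroll records the public key that belongs to a user's token.
func (v *Verifier) Enroll(user string, pub ed25519.PublicKey) { v.pubs[user] = pub }
// Challenge issues a fresh 32-byte random challenge and records it.
func (v *Verifier) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.issued[string(c)] = true
	return c, nil
}

// Check accepts a response only if the challenge was issued here, has not
// been used, and the signature verifies under the user's enrolled key.
// The challenge is consumed on every attempt, so a replayed response fails.
func (v *Verifier) Check(user string, challenge, response []byte) error {
	if !v.issued[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(v.issued, string(challenge))
	pub, ok := v.pubs[user]
	if !ok || !ed25519.Verify(pub, challenge, response) {
		return errors.New("response does not verify")
	}
	return nil
}
```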