4. Authentication. Many organizations (including VT) have deployed two-factor authentica- tion through the use of key fob-sized devices that display pseudorandom codes at a fixed time interval. These codes are generated based on a built-in clock and a device-specific secret s that is also stored on a central authentication server tied to the user's account. Here is one way such a device might work: Let n be the number of minutes that have elapsed since the UNIX epoch; output the first 20 bits of HMACs(). Successful authentication requires the user's username and password and the current pseudorandom code from the user's device (a) Name three common attacks against authentication that are mitigated by these devices (b) Name one common attack against authentication that is not mitigated. Some devices use a counter instead of a clock and generate a single-use code each time the user presses a button on the device. One way this might work is as above, letting n be a register that is initially zero; upon each button press, display the current code for one minute and increment n on the device; on cach successful authentication increment n on the server. (c) Describe one security advantage of single-use codes compared to time-based codes. (d) Describe one usability advantage of single-use codes compared to time-based codes. (c) A major usability problem with single-use codes in practice is that the counter on the device sometimes gets out of sync with the counter on the server (often as a result of in- advertent button presses in the user's pocket). Explain how we might extend the server to mitigate this without significantly reducing security As more and more organizations adopt these devices, end-users are burdened with carrying multiple devices, one for each entity to which they authenticate. Suppose instead that a cen tral authority distributed and managed time-based devices (like the ones described above) for all users and companies, and allowed servers to verify a user's code through a public API (f) Describe at least three serious vulnerabilities that this would introduce Google and Facebook have adopted authentication systems that send a single-usc code to the user via an SMS text message. Compare this approach to dedicated authentication devices (g) Describe one security advantage of the SMS approach. (h) Describe three attacks that only apply to the SMS approach 4. Authentication. Many organizations (including VT) have deployed two-factor authentica- tion through the use of key fob-sized devices that display pseudorandom codes at a fixed time interval. These codes are generated based on a built-in clock and a device-specific secret s that is also stored on a central authentication server tied to the user's account. Here is one way such a device might work: Let n be the number of minutes that have elapsed since the UNIX epoch; output the first 20 bits of HMACs(). Successful authentication requires the user's username and password and the current pseudorandom code from the user's device (a) Name three common attacks against authentication that are mitigated by these devices (b) Name one common attack against authentication that is not mitigated. Some devices use a counter instead of a clock and generate a single-use code each time the user presses a button on the device. One way this might work is as above, letting n be a register that is initially zero; upon each button press, display the current code for one minute and increment n on the device; on cach successful authentication increment n on the server. (c) Describe one security advantage of single-use codes compared to time-based codes. (d) Describe one usability advantage of single-use codes compared to time-based codes. (c) A major usability problem with single-use codes in practice is that the counter on the device sometimes gets out of sync with the counter on the server (often as a result of in- advertent button presses in the user's pocket). Explain how we might extend the server to mitigate this without significantly reducing security As more and more organizations adopt these devices, end-users are burdened with carrying multiple devices, one for each entity to which they authenticate. Suppose instead that a cen tral authority distributed and managed time-based devices (like the ones described above) for all users and companies, and allowed servers to verify a user's code through a public API (f) Describe at least three serious vulnerabilities that this would introduce Google and Facebook have adopted authentication systems that send a single-usc code to the user via an SMS text message. Compare this approach to dedicated authentication devices (g) Describe one security advantage of the SMS approach. (h) Describe three attacks that only apply to the SMS approach