Authentication and Access Control (Lecture 8) Flashcards
What is the definition of Authentication?
User Authentication is the process of verifying an identity claimed by or for a system entity
It is the act of proving that a user is who they say they are
Methods - Something the user knows, is or has
What are the steps in the authentication process which is the basis for access control and user accountability?
Identification step - presenting an identifier to the security system (username)
Verification step - presenting or generating authentication information that corroborates the binding between the entity and the identifier
What does Something You Know include?
Passwords
Security questions
Attacks on ‘something you know’: security-question answers can be easy to figure out, especially with information from social media
What is salting in terms of concealing passwords?
When a new password is added and we want to conceal it we use a process called ‘salting’
Salting works with a slow hash function. A salt is mixed with the password and the combination is run through the slow hash function to create the stored password (hash code); the salt and user ID are kept with it
When the user tries to authenticate, the user ID goes in and then the password is entered. The system takes the entered password and the salt, runs them through the slow hash function and compares the result to the stored hash code. If it matches, you are allowed in.
Some passwords could result in the same hash codes, given the salt that is used. Dictionaries of hash codes are available and can be used against them.
What vulnerabilities are there to passwords? (8)
Offline dictionary attack
Specific account attack (using social media)
Popular password attack
Password guessing against single user (social media)
Workstation hijacking (key logging system)
Exploiting user mistakes
Exploiting multiple password use
Electronic monitoring
Name two types of password cracking and briefly explain
Dictionary attacks - develop large dictionary of possible passwords and try each against password file. Each password must be hashed using each salt value and compared to stored hash values
Rainbow table attacks - pre-compute tables of hash values for all salts (a giant table). Can be countered by using a sufficiently large salt value and a sufficiently large hash length
What are the modern ways to counter password cracking?
Having a complex password policy which forces the user to pick stronger passwords
How have password cracking techniques improved?
Processing capacity available for password cracking has increased
There are sophisticated algorithms which can generate potential passwords.
How do you protect the password file?
Block access to the password file by only making it available to privileged users. This can block offline guessing attacks by denying access to encrypted passwords
What vulnerabilities are there for the password file?
Weakness in the OS that allows access to the file
Accident with permissions making it readable
Users with same password on other systems
Access from backup media
Sniff passwords in network traffic (Wireshark)
How can you reduce vulnerabilities with passwords?
User education - users told of the importance of using hard to guess passwords and given guidelines for creating strong passwords
Phrases rather than a password are good or first letter of phrase words
Use computer generated passwords - hard to remember but can be stored
Periodically run own password cracker to find guessable passwords
Have a complex password policy which rejects passwords that don’t meet requirements
Compile a large dictionary of passwords not to use
Bloom filter - used to build a table based on dictionary using hashes which checks desired password against this table
What problems are there with biometrics (the something you are)?
Intrusive
Expensive
Single point of failure which could lock you out
Sampling errors
False readings - similar thumbprint may work
Speed can be slow
Biometric data could be duplicated and forged
What is biometric authentication?
Attempts to authenticate an individual based on unique physical characteristics. It is based on pattern recognition.
Expensive and complex compared to using passwords and tokens
Uses facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature and voice
What are tokens (the something you have)?
A device that generates a code. You might first need to give a username and password, and are then asked for a token (a number that usually changes after a set time)
Passcode = PIN + Tokencode
Name some types of cards used as tokens
Embossed (Raised characters that get scanned and imprinted like old credit cards)
Magnetic stripe - bar on back and characters on front
Memory (electronic memory inside, like a prepaid phone card)
Smart contactless (electronic memory and processor; electrical contacts exposed and a radio antenna embedded inside)
List some features of memory cards
Can store but do not process data
(Magnetic stripe cards)
Can be used alone for physical access (hotel cards) but more secure when used with a PIN
Requires a special reader; the token/card can be lost and users can be dissatisfied
List some features of Smart tokens
Include an embedded microprocessor
Looks like a bank card, calculator or small portable object
Manual interface can include a keypad and display for interaction
Electronic interfaces communicate with a compatible reader/writer
What are the concepts used in risk assessments for user authentication?
Assurance Level
Potential Impact
Areas of risk
Explain the concept of assurance level in risk assessing authentication
Assurance level describes an organisation’s degree of certainty that a user has presented a credential that refers to his or her identity.
It is the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and that the individual who used the credential is the individual to whom it was issued
Explain the concept of Potential Impact in risk assessing authentication
FIPS 199 defines three levels of potential impact on organisations or individuals should there be a breach of security
Low - authentication error could have limited adverse effect on operations, assets or individuals
Moderate - an authentication error could be expected to have a serious adverse effect
High - an authentication error could be expected to have a severe or catastrophic adverse effect
What are the levels of assurance?
Levels 1 to 4: level 1 has little or no confidence in the asserted identity’s validity (using a key) and level 4 is highly confident (biometric)
What is Remote User Authentication?
Authentication over a network, the Internet or a communications link (it is more complex)
Creates additional security threats such as eavesdropping, capturing a password, or replaying an authentication sequence that has been observed
Generally relies on some form of challenge-response protocol to counter these threats
What are some authentication security issues?
Denial-of-Service - attempts to disable a user authentication service by flooding service with many authentication attempts
Trojan horse - An application or physical device pretending to be an authentic application for purpose of capturing a user password or biometric
Client Attacks - Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
Replay attacks - adversary repeats a previously captured user response
Host attacks - directed at the user file at the host where passwords, tokens or biometric templates are stored
Eavesdropping - attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary