Authentication and Access Control (Lecture 8) Flashcards

1
Q

What is the definition of Authentication?

A

User Authentication is the process of verifying an identity claimed by or for a system entity

It is the act of proving that a user is who they say they are

Methods - Something the user knows, is or has

2
Q

What are the steps in the authentication process, which is the basis for access control and user accountability?

A

Identification step - presenting an identifier to the security system (username)

Verification step - presenting or generating authentication information that corroborates the binding between the entity and the identifier

3
Q

What does Something You Know include?

A

Passwords
Security questions

Attacks on ‘something you know’ work because answers can be easy to figure out, especially with social media

4
Q

What is salting in terms of concealing passwords?

A

When a new password is added and we want to conceal it, we use a process called ‘salting’

Salting uses a slow hash function. A salt is mixed with the password and the combination is run through this slow hash function to create the stored password (hash code); the salt and user ID are kept with it

When the user tries to authenticate, the user ID is entered and then the password. The entered password and the stored salt are run through the slow hash function and the result is compared to the stored hash code. If it matches, the user is let in.

Some passwords could result in the same hash code, given the salt that is used. Dictionaries of hash codes are available that can be used for this.

5
Q

What vulnerabilities are there to passwords? (8)

A

Offline dictionary attack

Specific account attack (using social media)

Popular password attack

Password guessing against single user (social media)

Workstation hijacking (key logging system)

Exploiting user mistakes

Exploiting multiple password use

Electronic monitoring

6
Q

Name two types of password cracking and briefly explain

A

Dictionary attacks - develop a large dictionary of possible passwords and try each against the password file. Each candidate password must be hashed using each salt value and compared to the stored hash values

Rainbow table attacks - pre-compute tables of hash values for all salts (a giant table). Can be countered by using a sufficiently large salt value and a sufficiently large hash length

7
Q

What are the modern ways to counter password cracking?

A

Having a complex password policy which forces the user to pick stronger passwords

8
Q

How have password cracking techniques improved?

A

Processing capacity available for password cracking has increased

There are sophisticated algorithms which can generate potential passwords.

9
Q

How do you protect the password file?

A

Block access to the password file by making it available only to privileged users. This can block offline guessing attacks by denying access to the encrypted passwords

10
Q

What vulnerabilities are there for the password file?

A

Weakness in the OS that allows access to the file

Accident with permissions making the file readable

Users with the same password on other systems

Access from backup media

Sniffing passwords in network traffic (Wireshark)

11
Q

How can you reduce vulnerabilities with passwords?

A

User education - users are told of the importance of using hard-to-guess passwords and given guidelines for creating strong passwords

Passphrases rather than a single-word password are good, or use the first letter of each word in a phrase

Use computer generated passwords - hard to remember but can be stored

Periodically run own password cracker to find guessable passwords

Have a complex password policy which rejects passwords that don’t meet requirements

Compile a large dictionary of passwords not to use

Bloom filter - a table built from the dictionary using hashes; a desired password is checked against this table

12
Q

What problems are there with biometrics (the something you are)?

A

Intrusive

Expensive

Single point of failure, which could lock you out

Sampling errors

False readings - a similar thumbprint may work

Speed can be slow

Biometric data could be duplicated and forged

13
Q

What is biometric authentication?

A

Attempts to authenticate an individual based on unique physical characteristics. It is based on pattern recognition.

Expensive and complex compared to using passwords and tokens

Uses:
Facial characteristics
Fingerprints
Hand geometry
Retinal pattern
Iris
Signature
Voice

14
Q

What are tokens (the something you have)?

A
A device that generates a code
Might first need:
Username
Password
then asks you for a token code (a number), which usually changes after a set time

Passcode = PIN + Tokencode

15
Q

Name some types of cards used as tokens

A

Embossed (raised characters that get scanned and imprinted, like old credit cards)

Magnetic stripe (bar on the back and characters on the front)

Memory (electronic memory inside, like a prepaid phone card)

Smart contactless (electronic memory and processor; electrical contacts exposed and a radio antenna embedded inside)

16
Q

List some features of memory cards

A

Can store but do not process data

(Magnetic stripe cards)

Can be used alone for physical access (hotel cards) but more secure when used with a PIN

Requires a special reader; the token/card can be lost, and users may be dissatisfied

17
Q

List some features of Smart tokens

A

Include an embedded microprocessor

Looks like a bank card, a calculator or a small portable object

Manual interface can include a keypad and display for interaction

Electronic interfaces communicate with a compatible reader/writer

18
Q

What are the concepts used in risk assessments for user authentication?

A

Assurance Level
Potential Impact
Areas of risk

19
Q

Explain the concept of assurance level in risk assessing authentication

A

Assurance level describes an organisation’s degree of certainty that a user has presented a credential that refers to his or her identity.

It is the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and that the individual who used the credential is the individual to whom it was issued

20
Q

Explain the concept of Potential Impact in risk assessing authentication

A

FIPS 199 defines three levels of potential impact on organisations or individuals should there be a breach of security

Low - an authentication error could have a limited adverse effect on operations, assets or individuals

Moderate - an error could be expected to have a serious adverse effect

High - an error could be expected to have a severe or catastrophic adverse effect

21
Q

What are the levels of assurance?

A

Levels 1 to 4: level 1 having little or no confidence in the asserted identity’s validity (using a key) and level 4 being highly confident (biometric)

22
Q

What is Remote User Authentication?

A

Authentication over a network, the Internet or a communications link (which is more complex)

Creates additional security threats such as eavesdropping, capturing a password, or replaying an authentication sequence that has been observed

Generally relies on some form of challenge-response protocol to counter these threats

23
Q

What are some authentication security issues?

A

Denial-of-Service - attempts to disable a user authentication service by flooding it with many authentication attempts

Trojan horse - an application or physical device pretending to be an authentic application for the purpose of capturing a user password or biometric

Client attacks - the adversary attempts to achieve user authentication without access to the remote host or the intervening communications path

Replay attacks - the adversary repeats a previously captured user response

Host attacks - directed at the user file at the host where passwords, tokens or biometric templates are stored

Eavesdropping - attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary