Authentication Flashcards
Confidentiality
Protect data from unauthorized access
Integrity
Protect data from unauthorized changes
Availability
Make data available on request to authorized entities
Mental models
The image of the world inside our heads
Authorization
Includes identification (ID) and authentication (e.g. password). Grants access according to access control policies.
A good password
Should withstand attacks
How to: authentication
1. Passwords
2. Alternatives to passwords (graphical passwords, biometrics, tokens)
3. Help with passwords and other authentication mechanisms (password managers, account recovery, fallback authentication)
Attacks on passwords: client side
1. Shoulder surfing
2. Phishing and other forms of social engineering
3. Malware (e.g. keyloggers)
4. Password reuse across sites (a breach at one site compromises the others)
Attacks on passwords: network attacks
Man in the middle: the attacker places itself between client and server (e.g. by taking over an IP address or route) and intercepts the password in transit.
Attacks on passwords: server front-end attacks
Online guessing through the login interface: brute force or dictionary attacks
- Breadth-first search: target all accounts with a few guesses each (stays below per-account lockout thresholds)
- Depth-first search: many guesses against specific accounts
Attacks on passwords: back-end server attacks
Offline guessing = password cracking
- Prerequisite: obtain the password database. If passwords are stored in plain text and unprotected, the attack is already done. If the database is protected, cracking it depends on the form of protection.
Protection of password databases
- Plain text storage of passwords: offers no protection
- Reversibly encrypted passwords
- Hashed passwords
Protection of password databases: reversibly encrypted passwords
- Used in practice if a legacy system needs the password in plain text
- The encryption key must be protected (kept separate from the database)
- If the database leaks together with the key, the attack succeeds
- If the database leaks but the key does not, the attacker holds only ciphertext and cannot recover the passwords
Protection of password databases: hashed passwords
- The idea: the server does not store the password, only its hash.
- The hash function h(password) = x is cryptographically secure:
- One-way (difficult to reverse): knowing only h and x, it is difficult to compute h^-1(x) = password
- Collision resistant: difficult to find two inputs that map to the same hash value
- Possible attack: password cracking = offline guessing against the stolen hashes (brute force, dictionary attacks)
- Possible attack: precomputation, e.g. rainbow table lookup (defeated by salting)
Slow hash: make each guess expensive to compute, so cracking is slower
Add a salt: a random string stored next to the hash; password and salt are hashed together, so equal passwords get different hashes and precomputed tables are useless
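The salted, slow hashing described above, as an added example that is not part of the original flashcards. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and salt length are illustrative assumptions, not values the page prescribes. The demo shows why a salt defeats precomputation: two users with the same password get different records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the flashcards: a salted, slow password store.
# Cost parameters are illustrative assumptions, not values the page prescribes.
SCHEME = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumption: high enough that each offline guess costs real CPU time
SALT_BYTES = 16                # assumption: 128-bit random salt per password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a slow, salted hash and return a self-describing record.

    Record format: scheme$iterations$salt_hex$digest_hex, so the cost can be
    raised later without breaking verification of records stored earlier.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password: str) -> str:
    """What NOT to do: a plain SHA-256 with no salt and no work factor."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Two users pick the same weak password; compare unsalted vs salted storage."""
    weak = "password123"
    alice = hash_password(weak, iterations=iterations)
    bob = hash_password(weak, iterations=iterations)
    return {
        # unsalted: identical digests, so one rainbow-table lookup cracks both users
        "unsalted_digests_equal": unsalted_fast_hash(weak) == unsalted_fast_hash(weak),
        # salted: digests differ, so each record must be attacked separately
        "salted_digests_equal": alice.split("$")[3] == bob.split("$")[3],
        "alice_login_ok": verify_password(weak, alice),
        "wrong_password_accepted": verify_password("Password123", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the iteration count in the record is what lets a provider raise the cost over time (re-hash at next successful login) as guessing hardware gets faster; a dedicated password hash such as scrypt or Argon2 would be the usual production choice, PBKDF2 is used here only because it ships with the standard library.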
How strong is strong for passwords?
For passwords that protect against offline attacks: a guess space of about 10^12 to 10^14
For passwords that protect against online attacks: about 10^4 to 10^6
Strong passwords
- Reduce the risk of offline guessing only if the password database is hashed and salted.
- Reduce the risk of online guessing if lockout and monitoring for stealthy attacks are implemented; the password can then be less strong than in the offline case.
- Might reduce the risk of shoulder surfing and insider guessing
- Do not protect against phishing attacks or client-side malware
- Might increase the risk of password reuse or writing passwords down, since stronger passwords tend to be harder to remember
Passwords and human capabilities
- Humans have a limited working memory capacity
- Items stored in memory decay over time
- Unaided recall is harder than cued recall
- Similar passwords are easily confused
- Items linger in memory: humans cannot deliberately forget old passwords
- Typing errors: no feedback is given in these cases (the user only learns that login failed)
Why do humans share their passwords?
- Practical needs: "if something happens to me..."
- "Do this task for me"
- As a sign of trust
- Disabilities
NIST password guidelines
For users: at least 8 characters, the longer the better
For providers:
- Compare newly chosen passwords with dictionaries and lists of known (leaked) passwords
- Secure storage: slow hashing and salting (slow hashing reduces the speed of cracking attacks)
- Restrict the number of failed login attempts to 10
- Require password changes only if justified (e.g. evidence of compromise), not on a fixed schedule
Minimum strength of a password
N_min * log2(C) bits (the entropy of a uniformly random password of minimum length)
N_min: minimum length
C: character space (number of distinct characters allowed)
Password creation policies: 3 factors
1. Composition, written <required>C<min>: <required> is the number of character classes that must occur (possible classes: lower-case letters, upper-case letters, digits, special characters), <min> is the minimum length (8/10/12/16). E.g. 1C8: at least one class and at least 8 characters.
2. Blocklist: a list of prohibited strings plus a matching algorithm
3. Minimum strength estimation: e.g. a neural network trained on leaked passwords that estimates how many guesses a password would survive
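A policy checker for the three factors above together with the N_min * log2(C) bound, as an added example that is not from the original flashcards. The blocklist is a constructed sample; the neural-network strength estimator from factor 3 is replaced here by the simple entropy estimate, which is deliberately optimistic for human-chosen passwords.

```python
import math
import re
import string

# Added example, not from the flashcards. The blocklist is a constructed sample;
# a real deployment would load a leaked-password corpus.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32, so C = 94 for all four classes
}
SAMPLE_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1", "iloveyou"}


def parse_composition(policy: str):
    """Parse '<required>C<min>' (e.g. '1C8', '3C12') into (required_classes, min_length)."""
    m = re.fullmatch(r"([1-4])C(\d+)", policy)
    if m is None:
        raise ValueError(f"bad composition policy {policy!r}")
    return int(m.group(1)), int(m.group(2))


def classes_used(password: str):
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def min_strength_bits(min_length: int, char_space: int) -> float:
    """The page's bound: N_min * log2(C) bits for a uniformly random password."""
    return min_length * math.log2(char_space)


def estimated_bits(password: str) -> float:
    """length * log2(size of the classes actually used). Human-chosen passwords are
    far from uniform, so this overestimates real strength (hence the blocklist)."""
    space = sum(len(CHAR_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(space) if space else 0.0


def check_password(password: str, policy: str = "1C8", blocklist=SAMPLE_BLOCKLIST):
    """Return a list of violation codes; an empty list means the password is accepted."""
    required, min_length = parse_composition(policy)
    violations = []
    if len(password) < min_length:
        violations.append("too_short")
    if len(classes_used(password)) < required:
        violations.append("too_few_classes")
    # match the way a blocklist matcher would: case-insensitive exact match
    if password.lower() in blocklist:
        violations.append("blocklisted")
    return violations


if __name__ == "__main__":
    print(min_strength_bits(8, 94), check_password("password"), check_password("Tr0ub4dor&3", "3C8"))
```

The 1C8 policy with a blocklist is the NIST-style configuration from the previous card; "password" passes both the length and the composition test and is only stopped by the blocklist, which is the point of factor 2.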
Password management: recommendations
Reasonable password policies: rule out easily guessed passwords; avoid character-class requirements; minimum length 8
Help users with password management: SSO, password managers, secure write-down
Protection from online guessing: limit the online guessing rate
Protection from offline guessing: slow hashing and salting, plus detection of breaches
Lock out after 10 failed guessing attempts, and detect stealthy online guessing (breadth-first attacks that stay below the lockout threshold)
Be prepared: usable and secure account recovery; strategies for mass breaches
Don't reuse passwords on important accounts
Don't reuse passwords between work and home
Use aids for password management, like password managers or secure write-down
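The two server-side measures above (lockout after 10 failed attempts, detection of stealthy breadth-first guessing), as an added example that is not from the original flashcards. The credentials and the attack traffic are constructed; the 10-attempt limit is the page's figure, the spraying window and account threshold are assumptions.

```python
from collections import defaultdict

# Added example, not from the flashcards: per-account lockout plus detection of
# breadth-first guessing, which never trips a per-account lockout on its own.
MAX_FAILED_ATTEMPTS = 10       # the figure quoted on the page
SPRAY_WINDOW_SECONDS = 600     # assumption: look-back window per source address
SPRAY_MIN_ACCOUNTS = 20        # assumption: distinct accounts from one source that count as spraying


class LoginGuard:
    def __init__(self, credentials: dict):
        self.credentials = credentials          # constructed username -> password table
        self.failed = defaultdict(int)          # username -> consecutive failures
        self.locked = set()
        self.events = defaultdict(list)         # source -> [(timestamp, username, outcome)]

    def attempt(self, username: str, password: str, source: str, ts: float) -> str:
        """Process one login attempt; returns 'ok', 'fail' or 'locked'."""
        if username in self.locked:
            outcome = "locked"
        elif self.credentials.get(username) == password:
            self.failed[username] = 0
            outcome = "ok"
        else:
            self.failed[username] += 1
            if self.failed[username] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(username)
                outcome = "locked"
            else:
                outcome = "fail"
        self.events[source].append((ts, username, outcome))
        return outcome

    def spraying_sources(self, now: float) -> dict:
        """Sources that failed against many distinct accounts inside the window."""
        flagged = {}
        for source, events in self.events.items():
            users = {u for t, u, o in events if o != "ok" and now - t <= SPRAY_WINDOW_SECONDS}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged[source] = len(users)
        return flagged


def demo() -> dict:
    creds = {f"user{i}": f"secret-{i}" for i in range(30)}   # constructed accounts
    creds["alice"] = "correct horse"
    guard = LoginGuard(creds)

    # depth-first: one attacker hammers alice; the 10th failure locks the account
    depth = [guard.attempt("alice", f"guess{i}", "203.0.113.5", ts=i) for i in range(12)]
    # breadth-first: one guess per account, so no account ever reaches the lockout
    breadth = [guard.attempt(f"user{i}", "Summer2024!", "198.51.100.7", ts=100 + i) for i in range(30)]
    return {
        "depth_first": depth,
        "breadth_first_any_locked": "locked" in breadth,
        "flagged_sources": guard.spraying_sources(now=130),
        # the legitimate user is locked out too: lockout is also a denial-of-service lever
        "alice_correct_password": guard.attempt("alice", "correct horse", "192.0.2.1", ts=140),
    }


if __name__ == "__main__":
    print(demo())
```

The depth-first run is stopped by the counter, but the breadth-first run locks nobody out; only the per-source view over all accounts catches it, which is why the card lists lockout and stealthy-attack monitoring as separate measures. The last line of the demo shows the cost of hard lockout: an attacker can lock legitimate users out on purpose, so real deployments usually combine the counter with increasing delays or CAPTCHAs rather than a permanent lock.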
Usability and security of strong passwords
Usability issues: hard to remember; typing errors; do not scale to a large number of accounts per user
Security problems: serious attacks exist that strong passwords do not stop
Strong passwords only help protect against certain attacks (guessing)
Password strength = guessing difficulty
Guessing algorithms steadily get better and faster
Human capabilities for dealing with passwords remain the same
Usability criteria
- Memory-wise effortless
- Scalable for users (many accounts)
- Nothing to carry
- Physically effortless (beyond pressing a button)
- Easy to learn and recall
- Efficient to use (time)
- Infrequent errors
- Easy recovery from loss
Security and privacy criteria. Resilience to:
1. Physical observation (shoulder surfing, recording, ...)
2. Targeted impersonation (having information about the user does not help)
3. Throttled guessing: guessing attempts are limited by the service provider
4. Unthrottled guessing: the attacker is constrained only by computational resources
5. Internal observation (intercepting the user's input, e.g. by malware on the device)
6. Phishing
7. Theft of a physical token
Further: no trusted third party
Privacy protecting: does not reveal information about the user to the service provider
Graphical password schemes
1. Recognition-based (cognometrics): recognize images, e.g. Passfaces
2. Cued recall: remember specific parts of an image, e.g. PassPoints
3. Recall-based: draw a secret line, e.g. Android lock patterns
Passfaces: what are they?
Idea: people recognize faces better than they remember passwords.
Authentication: 4 panels of faces are shown one after the other. The order of panels stays the same and each panel has a fixed set of faces, unique to that panel; the user picks their secret face on each panel. The positions of the faces within a panel are randomly permuted.
Passfaces: usability and security
Usability: memorability, creation time, use time
Security: password space of 9^4 = 6561 (4 panels of 9 faces each)
Can fall to non-guessing attacks such as shoulder surfing, keylogging and screen capture
Scalability: more difficult to remember faces for multiple sites
Problems with graphical passwords
- Security problems: most problems passwords have, graphical passwords have too
- User choices are more or less easily guessable
- Still may be difficult to remember: scalability problems
- Can be mixed up
- Remembering 20 graphical passwords would not be easier than remembering 20 text passwords
Biometrics / implicit authentication
Anatomic and behavioural characteristics: fingerprint, iris, voice; heart rate, speaking, typing
Estimated key space: ~20 bits, comparable to a 6-digit PIN
Recovery from leaks: difficult or impossible (a biometric cannot be changed)
Impersonation through theft of biometric features (e.g. a copied fingerprint)
Usability: not always effortless for the user (adjusting positioning); recovery from loss is difficult or impossible
Trade-off between false positives and false negatives (set by the matcher's acceptance threshold):
- False negative: the user is not recognized (usability problem)
- False positive: an attacker is recognized as the user (security problem)
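The false-positive / false-negative trade-off, as an added example that is not from the original flashcards. A matcher accepts when the similarity score between the presented sample and the enrolled template reaches a threshold; sweeping the threshold trades false accepts (security) against false rejects (usability). The score samples are constructed, not measurements from any real sensor.

```python
# Added example, not from the flashcards. Scores are constructed: similarity in [0, 1]
# between a presented sample and the enrolled template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.66, 0.60, 0.55]   # user vs own template
IMPOSTOR_SCORES = [0.62, 0.58, 0.55, 0.50, 0.47, 0.45, 0.40, 0.35, 0.30, 0.20]  # attacker vs template


def false_accept_rate(threshold, impostor=IMPOSTOR_SCORES):
    """Fraction of impostor attempts accepted: the security failure (false positive)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(threshold, genuine=GENUINE_SCORES):
    """Fraction of genuine attempts rejected: the usability failure (false negative)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def tradeoff_table(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR and raises FRR."""
    return [(t, false_accept_rate(t, impostor), false_reject_rate(t, genuine)) for t in thresholds]


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest; the EER is a common one-number summary."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(false_accept_rate(t, impostor) - false_reject_rate(t, genuine)))
    return best, false_accept_rate(best, impostor), false_reject_rate(best, genuine)


if __name__ == "__main__":
    for row in tradeoff_table([0.5, 0.6, 0.7]):
        print("threshold %.2f  FAR %.2f  FRR %.2f" % row)
    print("EER at threshold %.2f: FAR %.2f, FRR %.2f" % equal_error_rate())
```

A security-sensitive deployment picks a threshold to the right of the EER (low FAR, more rejected users, so recovery and retry flows matter); a convenience-oriented one picks the left side. The score distributions overlap in practice, so no threshold gives both rates zero, which is the trade-off the card describes.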
Tokens + 2FA
Security: with 2FA the attacker needs both factors
1FA token: only one factor
- If not PIN-protected, the attacker just needs to steal the token
- If PIN-protected, security depends on the guessability of the PIN
Usability compared to passwords: overall lower, although
- it might be faster
- it needs less mental work
- scalability is a problem
- using multiple devices for login is hard, since private keys cannot be transferred between devices
Password managers
- A password generator is also needed: without it users still create weak passwords
- There are different reasons to use a PM: 1. convenience (offered by browsers) 2. stand-alone PMs, used for security
- Reasons for not using a PM: unaware of them; "nothing to protect"; security concerns (single point of failure)
- Usability concerns: login from a different device; changing passwords; recovery if the PM did not save the password
- Usability problems faced by PM users: passwords not saved; no autofill; user ID not saved; automatically generated passwords do not fulfil the site's password requirements; manually typing long passwords on unsynchronized devices; fear of forgetting the master password
Password recovery
Recovery: in case of permanent loss of the means of authentication, e.g. a forgotten password
Can be done through:
- Personal questions
- Social authentication
- Email-based recovery
Social authentication
- Several persons (trustees) each hold part of a backup secret for your account. Trustees do not have to be told beforehand; when recovery is triggered they receive emails from the system with their part of the security code and hand the codes to the user.
- Security: can fall to social engineering via phone or email (an attacker asks the trustees for their codes)
- Usability: slow, and might never finish because users forget who their trustees are
- If locked out, users need reminders of their trustees, and an attacker can obtain the same reminders
- Social acceptability: users feel awkward bothering trustees, and fear trustees will think the emails contain viruses
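One way to give trustees "part of a backup secret" so that any k of n of them can restore the recovery code, as an added example that is not from the original flashcards: Shamir secret sharing over a prime field. The page does not name a scheme; the field, the recovery-code format and the 3-of-5 split are assumptions.

```python
import secrets

# Added example, not from the flashcards: k-of-n sharing of a recovery code among
# trustees. The field prime, code format and trustee counts are assumptions.
PRIME = 2**127 - 1   # Mersenne prime; a recovery code must encode to an integer below it


def code_to_int(code: str) -> int:
    value = int.from_bytes(code.encode("utf-8"), "big")
    if value >= PRIME:
        raise ValueError("recovery code too long for this field")
    return value


def int_to_code(value: int, length: int) -> str:
    return value.to_bytes(length, "big").decode("utf-8")


def split_secret(secret: int, n: int, k: int):
    """Return n shares (x, y) of a random degree k-1 polynomial with f(0) = secret."""
    if not (1 <= k <= n and 0 <= secret < PRIME):
        raise ValueError("need 1 <= k <= n and a secret inside the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]   # trustee i receives share i


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the shares supplied (needs at least k of them)."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * xm % PRIME
                den = den * (xm - xj) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo():
    code = "7Q4K-9XM2-PL8R"                                  # constructed recovery code
    shares = split_secret(code_to_int(code), n=5, k=3)      # 5 trustees, any 3 suffice
    restored = int_to_code(recover_secret(shares[1:4]), len(code))
    # two shares interpolate a different value: fewer than k trustees learn nothing useful
    too_few_matches = recover_secret(shares[:2]) == code_to_int(code)
    return restored, too_few_matches


if __name__ == "__main__":
    print(demo())
```

The threshold is what makes the scheme tolerate the usability problems listed above: the user only has to reach k of the n trustees, and a single trustee who is socially engineered gives the attacker nothing on their own. It does not, however, stop an attacker who persuades k trustees, which is the phone/email social-engineering risk the card names.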
Properties of a good authentication mechanism
Security: consider frequent or devastating attacks
Privacy: do not require the user to reveal personal information
Usability: good performance, fast and easy use and enrollment, low user effort, easy recovery