Ch.12 Flashcards
proving that a user is genuine, and not an imposter
authentication
five elements that can prove the genuineness of a user: what you know, what you have, what you are, what you do, and where you are
authentication factors
authenticating a user by the unique actions that the user performs
behavioral biometrics
an attack that searches for any two digests that are the same
birthday attack
a password attack in which every possible combination of letters, numbers, and characters is used to create encrypted passwords that are matched against those in a stolen password file
brute force attack
authenticating a user through the perception, thought process, and understanding of the user
cognitive biometrics
a U.S. Department of Defense (DoD) smart card used for identification of active-duty and reserve military personnel along with civilian employees and special contractors
common access card (CAC)
a password attack that creates encrypted versions of common dictionary words and compares them against those in a stolen password file
dictionary attack
single sign-on for networks owned by different organizations
federated identity management (FIM) (or federation)
the identification of the location of a person or object using technology
geolocation
a one-time password that changes when a specific event occurs
HMAC-based one-time password (HOTP)
a password attack that slightly alters dictionary words by adding numbers to the end of the password, spelling words backward, slightly misspelling words, or including special characters
hybrid attack
a password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest
key stretching
a cryptographic function found in older Microsoft Windows operating systems used to fingerprint data
LM (LAN MANAGER) HASH
using more than one type of authentication credential
multifactor authentication
a hash used by modern Microsoft Windows operating systems for creating password digests
NTLM (New Technology LAN Manager) hash
the current version of the New Technology LAN Manager hash
NTLMv2
an authentication code that can be used only once for a limited period of time
one-time password (OTP)
a secret combination of letters, numbers, and/or characters that only the user should have knowledge of
password
a popular key stretching password hash algorithm
PBKDF2
a U.S. government standard for smart cards that covers all government employees
personal identity verification (PIV)
an attack in which one known digest is compared to an unknown digest
pre-image attack
large pregenerated data sets of encrypted passwords used in password attacks
rainbow tables
a random string that is used in hash algorithms
salt
using one type of authentication credential
single-factor authentication
using one authentication credential to access multiple accounts or applications
single sign-on (SSO)
a card that contains an integrated circuit chip that can hold information used as part of the authentication process.
smart card
using fingerprints or other unique physical characteristics of a person’s face, hands, or eyes for authentication
standard biometrics
a one-time password that changes after a set period of time
time-based one-time password (TOTP)
a small device that can be affixed to a keychain with a window display that shows a code to be used for authentication
token
a two-way relationship that is automatically created between parent and child domains in a Microsoft Active Directory Forest
transitive trust
an identifier of a user logging into a system
username
Which authentication factor is based on a unique talent that a user possesses?
a. what you have
b. what you are
c. what you do
d. what you know
c
Which of these is NOT a characteristic of a weak password?
a. a common dictionary word
b. a long password
c. using personal information
d. using a predictable sequence of characters
b
Which attack is an attempt to compare a known digest to an unknown digest?
a. pre-image attack
b. birthday attack
c. configuration attack
d. SNIP attack
a
Which of these algorithms is the weakest for creating password digests?
a. SHA-1
b. MD-5
c. LM (LAN Manager) hash
d. NTLM (New Technology LAN Manager) hash
c
How is key stretching effective in resisting password attacks?
a. it takes more time to generate candidate password digest
b. it requires the use of GPUs
c. it does not require the use of salts
d. the license fees are very expensive to purchase and use it
a
Which of these is NOT a reason why users create weak passwords?
a. a lengthy and complex password can be difficult to memorize
b. a security policy requires a password to be changed regularly
c. having multiple passwords makes it hard to remember all of them
d. most sites force users to create weak passwords even though they do not want to
d
What is a hybrid attack?
a. an attack that uses both automated and user input
b. an attack that combines a dictionary attack with an online guessing attack
c. a brute force attack that uses special tables
d. an attack that slightly alters dictionary words
d
A TOTP token code is valid _____.
a. for as long as it appears on the device
b. for up to 24 hours
c. only while the user presses SEND
d. until an event occurs
a
What is a token system that requires the user to enter the code along with a PIN called?
a. single-factor authentication system
b. token-passing authentication system
c. dual-prong verification system
d. multifactor authentication system
d
Which of these is a U.S. Department of Defense (DoD) smart card that is used for identification of active-duty and reserve military personnel?
a. Personal Identity Verification (PIV) card
b. Common Access Card (CAC)
c. Government Smart Card (GSC)
d. Secure ID Card (SIDC)
b
Keystroke dynamics is an example of which type of biometrics?
a. behavioral
b. resource
c. cognitive
d. adaptive
b
Creating a pattern of where a user accesses a remote web account is an example of _____.
a. geolocation
b. Time-Location Resource Monitoring (TLRM)
c. keystroke dynamics
d. cognitive biometrics
a
Which of these is a decentralized open-source FIM that does not require specific software to be installed on the desktop?
a. Windows Live ID
b. SSO Login Resource (SSO-LR)
c. Windows CardSpace
d. OpenID
d
Which human characteristic is NOT used for biometric identification?
a. retina
b. face
c. weight
d. fingerprint
c
_____ biometrics is related to the perception, thought processes, and understanding of the user.
a. Cognitive
b. Standard
c. Intelligent
d. Behavioral
a
Using one authentication credential to access multiple accounts or applications is known as _____.
a. credentialization
b. identification authentication
c. single sign-on
d. federal login
c
What is a disadvantage of biometric readers?
a. cost
b. speed
c. size
d. standards
a
Which single sign-on (SSO) technology depends on tokens?
a. OAuth
b. CardSpace
c. OpenID
d. All SSO technologies use tokens
a
Why should the account lockout threshold not be set too low?
a. it could decrease calls to the help desk
b. the network administrator would have to reset the account manually
c. the user would not have to wait too long to have her password reset
d. it could result in denial of service (DoS) attacks
d
Which one-time password is event-driven?
a. HOTP
b. TOTP
c. ROTP
d. POTP
a
-AUTHENTICATION CREDENTIALS-
- SOMEWHERE HE IS- LOCATION can help prove authenticity
- SOMETHING HE HAS- what he HAS helps to prove genuineness
- SOMETHING HE IS- access to an area is protected by what he is
- SOMETHING HE KNOWS- contents to the area are protected by what only the real person KNOWS (combination)
- SOMETHING HE DOES- what he DOES helps to uniquely prove authenticity
Because only the real or “authentic” person possesses these elements (where he is, what he has, what he is, what he knows, and what he does), they can be considered as types of AUTHENTICATION or proof of genuineness.
These five elements are known as AUTHENTICATION FACTORS (sometimes called AUTHENTICATION CREDENTIALS).
p. 481
-WHAT YOU KNOW: PASSWORDS-
In most systems, a user logging in would be asked to identify himself. This is done by entering an identifier known as the USERNAME.
A PASSWORD is a secret combination of letters, numbers, and/or characters that only the user should have knowledge of.
p. 481
-PASSWORD WEAKNESSES-
Passwords place heavy loads on human memory in multiple ways:
- The most effective passwords are long and complex. However, these are difficult for users to memorize and then accurately recall when needed.
- Users must remember passwords for many different accounts. Most users have accounts for different computers and mobile devices at work, school, and home: multiple email accounts; online banking; Internet site accounts; and so on. In one study, 28 percent of a group of users had more than 13 passwords each, while in another study a group of 144 users had an average of 16 passwords per user.
- For the highest level of security, each account password should be unique, which further strains human memory.
- Many security policies mandate that passwords expire after a set period of time, such as every 45-60 days, when a new one must be created. Some security policies even prevent a previously used password from being recycled and used again, forcing users to repeatedly memorize new passwords.
The first shortcut is to use a WEAK PASSWORD. Weak passwords use a common word as a password (princess), a short password (desk), a predictable sequence of characters (abc123), or personal information (Hannah) in a password. Even when users attempt to create stronger passwords, they generally follow predictable patterns of APPENDING and REPLACING:
- APPENDING. When users combine letters, numbers, and punctuation (character sets), they do it in a pattern. Users typically append one character set with another set or sets. Most often they only add a number after letters (caitlin1 or cheer99). If they add all three character sets, it is in the sequence letters+punctuation+number (amanda.7 or chris#6).
- REPLACING. Users also use replacements in predictable patterns. Generally a zero is used instead of the letter o (passw0rd), the digit 1 for the letter i (denn1s), or a dollar sign for an s (be$tfriend).
p. 482-483
Study table Ten most common passwords
-ATTACKS ON PASSWORDS-
Instead of randomly guessing a password, attackers use far more sophisticated methods. Attacks that can be used to discover a password include:
- SOCIAL ENGINEERING- Passwords can be revealed through social engineering attacks, including phishing, shoulder surfing, and dumpster diving
- CAPTURING- There are several methods that can be used to capture passwords. A keylogger on a computer can capture the passwords that are entered on the keyboard. While passwords are in transit, man-in-the-middle and replay attacks can be used. A protocol analyzer also can capture transmissions that contain passwords.
- RESETTING- If an attacker can gain physical access to a user’s computer, she can erase the existing password and reset it to a new password. Password reset programs require that the computer be rebooted from an optical drive or USB flash drive that usually contains a version of a different operating system along with the password reset program. For example, to reset a password on a Microsoft Windows computer, a USB flash drive with Linux and the password reset program would be used.
Most password attacks today instead use OFFLINE CRACKING.
With offline cracking, attackers steal the file of password digests and load that file onto their own computers. They can then attempt to discover the passwords by comparing the stolen digests with their own digests that they have created, called CANDIDATES.
When cracking passwords, attackers use computers with multiple graphics processing units (GPUs).
p. 484
-BRUTE FORCE-
In an automated BRUTE FORCE ATTACK, every possible combination of letters, numbers, and characters is used to create candidate digests that are then matched against those in the stolen digest file.
This is the SLOWEST yet most thorough method. Using an automated brute force attack program, an attacker enters the following types of parameters into the attack program:
- PASSWORD LENGTH. The minimum and maximum lengths of the passwords to be generated (such as a range from 1-15) can be entered.
- CHARACTER SET. This is the set of letters, symbols, and characters that make up the password. Because not all systems accept the same character set for passwords, if characters can be eliminated from the character set, this will dramatically increase the speed of the attack.
- LANGUAGE. Many programs allow different languages to be chosen, such as Arabic, Dutch, English, French, German, Italian, Portuguese, Russian, or Spanish.
- PATTERN. If any part of the password is known, a pattern can be entered to reduce the number of passwords generated. A question mark (?) can replace one symbol and an asterisk (*) can replace multiple symbols. For example, if the first two letters of a six-character password were known to be sk, the pattern could be sk????.
- SKIPS. Because most passwords are wordlike combinations of letters, some brute force attack programs can be set to skip nonsensical combinations of characters (wqrghea) so that only passwords such as elmosworld and carkeys are created.
p. 484-485
-DICTIONARY ATTACK-
Another common password attack is a DICTIONARY ATTACK. A dictionary attack begins with the attacker creating digests of common dictionary words as candidates and then comparing them against those in a stolen digest file.
A dictionary attack that uses a set of dictionary words and compares it with the stolen digests is known as a PRE-IMAGE ATTACK, in that one known digest (dictionary word) is compared to an unknown digest (stolen digest). A BIRTHDAY ATTACK is slightly different, in that the search is for any two digests that are the same.
p. 485
-HYBRID ATTACK-
A variation of the dictionary attack is the HYBRID ATTACK. This attack combines a dictionary attack with a brute force attack and will slightly alter dictionary words by adding numbers to the end of the password, spelling words backward, slightly misspelling words, or including special characters such as @, $, !, or %.
p. 486
-RAINBOW TABLES-
Although brute force and dictionary attacks were once the primary tools used by attackers to crack stolen digest passwords, more recently attackers have used RAINBOW TABLES. Rainbow tables make password attacks easier by creating a large pregenerated data set of candidate digests.
A rainbow table is a compressed representation of cleartext passwords that are related and organized in a sequence (called a CHAIN).
Although generating a rainbow table requires a significant amount of time, once it is created it has three significant advantages over other password attack methods:
- a rainbow table can be used repeatedly for attacks on other passwords
- Rainbow tables are much faster than dictionary attacks.
- The amount of memory needed on the attacking machine is greatly reduced.
Rainbow tables are freely available for download on the Internet.
p. 486
-PASSWORD COLLECTIONS-
Password mask attacks can significantly reduce the amount of time needed to break a password when compared to a raw brute force attack
p. 487
-PASSWORD DEFENSES-
Most passwords consist of a root (not necessarily a dictionary word but generally “pronounceable”) along with an attachment, either an ending suffix (about 90 percent of the time) or prefix (10 percent).
A password attack program also makes common substitutions with letters in the dictionary words, such as $ for s, @ for a, 3 for E, etc. Finally, it uses a variation of attachments, such as:
- Two-digit combinations
- Dates from 1900 to present
- Three-digit combinations
- Single symbols (#, $, %)
- Single digit plus single symbol
- Two-symbol combinations
Understanding how a password attack program attempts to break a password can lead to the following general observations regarding creating passwords:
- Do not use passwords that consist of dictionary words or phonetic words
- Do not repeat (xxx) or use sequences (abc, 123, qwerty).
- Do not use birthdays, family member names, pet names, addresses, or any personal information
- Do not use short passwords. A strong password should be a minimum of 15 characters in length.
One way to make passwords stronger is to use nonkeyboard characters, or special characters that do not appear on the keyboard, thus extending the number of possible keys beyond 95. These characters are created by holding down the ALT key while simultaneously typing a number on the numeric keypad (but not the numbers across the top of the keyboard).
p. 487-488
-CREDENTIAL MANAGEMENT-
Equally important to creating good passwords is to properly manage password credentials. For an organization, one important defense against password cracking is to prevent attackers from capturing the password digest files. There are several defenses against the theft of these files:
- Do not leave a computer running unattended, even if it is in a locked office. All screensavers should be set to resume only when a password is entered.
- Do not set a computer to boot from an optical drive or USB flash drive.
- Password-protect the ROM BIOS
- Physically lock the computer case so that it cannot be opened
Good credential management also includes the following:
- Change passwords frequently
- Do not reuse old passwords
- Never write a password down
- Have a unique password for each account
- If it is necessary for a user to access another user’s account, a temporary password should be set up and then immediately changed
- Do not allow a computer to automatically sign into an account or record a password so that a login is not necessary
- Do not enter passwords on public access computers or other individuals’ computers that could be infected
- Do not enter a password while using an unencrypted wireless network
A secure solution to credential management is to rely on technology rather than human memory to store and manage passwords.
A better solution is PASSWORD MANAGEMENT APPLICATIONS. These programs let a user create and store multiple strong passwords in a single user “vault” file that is protected by one strong master password.
p. 490
-PASSWORD HASHING ALGORITHMS-
The first is known as the LM (LAN Manager) HASH. The LAN MANAGER HASH is not actually a hash, because a hash is a mathematical function used to fingerprint the data. The LM HASH instead uses a CRYPTOGRAPHIC ONE-WAY FUNCTION (OWF): instead of encrypting the password with another key, the password itself is the key.
LM HASH is not case sensitive.
LM HASH splits all passwords into two 7-character parts.
Microsoft later introduced the NTLM (NEW TECHNOLOGY LAN MANAGER) HASH. The NTLM hash does not limit stored passwords to two 7-character parts. It is case sensitive and has a larger character set of 65,535 characters. The current version is NTLMv2 and uses the Hashed Message Authentication Code (HMAC) with MD5.
The fast speed of general-purpose hash algorithms works in an attacker’s favor.
A more secure approach for creating password digests is to use a specialized password hash algorithm that is intentionally designed to be slower. This is called KEY STRETCHING.
Two popular key stretching password hash algorithms are BCRYPT and PBKDF2. These can be configured to require more time to create a digest. A network administrator can specify the number of iterations (rounds), which sets how “expensive” (in terms of computer time and/or resources) the password hash function will be.
p.491
-SALTS-
In order to increase the strength of hashed passwords, a salt also can be used. A SALT consists of a random string that is used in hash algorithms. Passwords can be protected by adding a random string to the user’s cleartext password before it is hashed.
Salts make dictionary attacks and brute force attacks for cracking large numbers of passwords much slower (although they do not benefit cracking just one password), and also limit the impact of rainbow tables.
Salts should be random for each user password. This requires that both the salt, which is added to the user’s cleartext password when it is entered upon login, and the stored password digest be protected.
p. 491-492
-WHAT YOU HAVE: TOKENS, CARDS, AND CELL PHONES-
Another type of authentication credential is based on the approved user having a specific item in his possession. Because the user is using more than one type of authentication credential (both what a user knows, the password, and what the user has), this type of authentication credential is called MULTIFACTOR AUTHENTICATION. (Using just one type of authentication is called SINGLE-FACTOR AUTHENTICATION.)
p. 492
-TOKENS-
A TOKEN is typically a small device (usually one that can be affixed to a keychain) with a window display. Tokens can be used to create a ONE-TIME PASSWORD (OTP), an authentication code that can be used only once or for a limited period of time.
There are two types of OTPs. A TIME-BASED ONE-TIME PASSWORD (TOTP) changes after a set time period. An attacker who steals the code would have to use it within the token’s time limit.
Instead of changing after a set number of seconds, an HMAC-BASED ONE-TIME PASSWORD (HOTP) is “event-driven” and changes when a specific event occurs, such as when a user enters a personal identification number (PIN) on the token’s keypad, which triggers the token to create a random code.
Tokens have several advantages over passwords. First, standard passwords are static: they do not change unless the user is forced to create a new password. Second, a user might not know if an attacker has stolen her password, and confidential information could be accessed without the user knowing it was taking place.
Intel recently introduced Intel Identity Protection Technology (IPT) that functions on Intel ultrabook mobile devices.
p. 493-494
-CARDS-
A SMART CARD contains an INTEGRATED CIRCUIT CHIP that can hold information, which then can be used as part of the authentication process.
A COMMON ACCESS CARD (CAC) is a U.S. Department of Defense (DoD) smart card that is used for identification of active-duty and reserve military personnel along with civilian employees and special contractors. The smart card standard covering all U.S. government employees is the PERSONAL IDENTITY VERIFICATION (PIV) standard.
p. 494
-CELL PHONES-
Tokens and cards are increasingly being replaced today with cell phones. A code can be sent to a user’s cell phone through an app on the device or as a text message when using TOTP. Cell phones also allow a user to send a request via the phone to receive an HOTP authorization code.
p. 494
-STANDARD BIOMETRICS-
STANDARD BIOMETRICS uses a person’s unique physical characteristics for authentication (what he is). Standard biometrics can use fingerprints or other unique characteristics of a person’s face, hands, or eyes (irises and retinas) to authenticate a user. Fingerprint scanners have become the most common type of standard biometric device. A second method creates a template from selected locations on the finger.
There are two basic types of fingerprint scanners. A STATIC SCANNER requires the user to place the entire thumb or finger on a small oval window on the scanner. The other type of scanner is known as a DYNAMIC FINGERPRINT SCANNER. A dynamic fingerprint scanner has a small slit or opening.
Dynamic fingerprint scanners work on the same principle as stud finders that carpenters use to locate wood studs behind drywall. This is known as capacitive technology.
Standard biometrics has two disadvantages. The first is the cost. The second disadvantage is that biometric readers are not always foolproof and can reject authorized users while accepting unauthorized users. These errors are mainly due to the many facial or hand characteristics that must be scanned and then compared.
p. 495-496
-COGNITIVE BIOMETRICS-
COGNITIVE BIOMETRICS is related to the perception, thought process, and understanding of the user. Cognitive biometrics is considered to be much easier for the user to remember because it is based on the user’s life experiences.
One type of cognitive biometrics is picture gesture authentication (PGA) for touch-enabled devices. Users select a picture to use, on which there should be at least 10 “points of interest” that could serve as “landmarks” or places to touch; the user then touches, connects, or highlights any parts of the picture, and these gestures are recorded.
Picture passwords can still be vulnerable to attacks. An attacker who is shoulder surfing may be able to see a user’s gestures, or finger smudges left on the screen may provide enough clues for an attacker to replicate the actions. The most common face tap is the eyes, followed by nose and jaw.
A similar example of cognitive biometrics requires the user to identify specific faces. They are taken through a “familiarization process”.
Another example of cognitive biometrics based on a life experience that the user remembers begins with the user selecting one of several “memorable events” in her lifetime, such as taking a special vacation, celebrating a personal achievement, or attending a specific family dinner. Then the user is asked specific questions about that memorable event, such as what type of food was served.
Cognitive biometrics is considered much easier for the end user and may provide a higher degree of protection. It is predicted that cognitive biometrics could become a key element in authentication in the future.
p. 496-497
-WHAT YOU DO: BEHAVIORAL BIOMETRICS-
Another type of authentication is based on actions that the user is uniquely qualified to perform. This is sometimes called BEHAVIORAL BIOMETRICS.
p. 497
-KEYSTROKE DYNAMICS-
One type of behavioral biometrics is KEYSTROKE DYNAMICS, which attempts to recognize a user’s unique typing rhythm. All users type at a different pace.
Keystroke dynamics uses two unique typing variables. The first is known as DWELL TIME, which is the time it takes for a key to be pressed and then released. The second characteristic is FLIGHT TIME, or the time between keystrokes (both “down” when the key is pressed and “up” when the key is released are measured).
Keystroke dynamics holds a great deal of potential. Because it requires no specialized hardware, and because the user does not have to take any additional steps beyond entering a username and password, some security experts predict that keystroke dynamics will become widespread in the near future.
p. 498-499
-VOICE RECOGNITION-
Voice recognition is not to be confused with speech recognition, which accepts spoken words for input as if they had been typed on the keyboard.
One of the concerns regarding voice recognition is that an attacker could record the user’s voice and then create a recording to use for authentication.
The PHONETIC CADENCE, or speaking two words together in a way that one word “bleeds” into the next word, becomes part of each user’s speech pattern.
To protect against voice biometric attacks, identification phrases can be selected that would rarely (if ever) come up in normal speech, or random phrases can be displayed for the user to repeat.
p. 499
-WHERE YOU ARE: GEOLOCATION-
A final type of authentication can be based on where the user is located. Known as geolocation, it is the identification of the location of a person or object using technology. Although geolocation may not uniquely identify the user, it can indicate if an attacker is trying to perform a malicious action from a location different from the normal location of the user.
In addition to geolocation, the time of day, Internet service provider, and basic PC configuration also can be used to determine if the user is authentic.
p. 499
-SINGLE SIGN-ON-
This is the idea behind IDENTITY MANAGEMENT, which is using a single authentication credential that is shared across multiple networks. When those networks are owned by different organizations, it is called FEDERATED IDENTITY MANAGEMENT (FIM), or just FEDERATION. One application of FIM is called SINGLE SIGN-ON (SSO), or using one authentication credential to access multiple accounts or applications. SSO holds the promise of reducing the number of usernames and passwords that users must memorize (potentially, to just one).
p. 500
-MICROSOFT ACCOUNT-
Microsoft Account is similar to Windows Live ID and serves as the authentication system for different Microsoft products.
The use of “global” and “local” cookies is the basis of Microsoft Account.
p. 500-501
-OPENID-
Unlike Microsoft Account, which is proprietary and has centralized authentication, OpenID is a decentralized open-source FIM that does not require specific software to be installed on the desktop. OpenID is a Uniform Resource Locator (URL)-based identity system.
OpenID does have some security weaknesses. One weakness is that OpenID depends on the URL identifier routing to the correct server, which depends on a domain name server (DNS) that may have its own security weaknesses. In its current format, OpenID is generally not considered strong enough for most banking and e-commerce websites. However, OpenID is considered suitable for other less secure sites.
A technology to avoid using multiple passwords is an open-source service similar to OpenID called OPEN AUTHORIZATION (OAuth). OAuth permits users to share resources stored on one site with a second site without forwarding their authentication credentials to the other site.
OAuth relies upon token credentials.
p. 501-502
-ACCOUNT MANAGEMENT-
A preferred approach is to assign privileges by group. In a Microsoft Windows environment, there are two categories of group password settings. The first category is called PASSWORD POLICY SETTINGS and is configured by using Group Policy at the domain level.
The second category is the Account Lockout Policy, which is an Active Directory Domain Services (AD DS) security feature. The lockout prevents a login after a set number of failed login attempts within a specified period and also can specify the length of time that the lockout is in force.
Also, care must be taken with TRANSITIVE TRUST. Transitive trust is a two-way relationship that is automatically created between parent and child domains in a Microsoft Active Directory Forest.
Study table 12-4 p.503
Table 12-5 p. 504
p.503-504