Identity and Authentication Flashcards
Introduction to Identity and Authentication
The most basic security operation
- Information access
- Permissions for different operations
It’s also surprisingly subtle
- Approaches
- Users and computers
- The trade-off between security and usability
- Attacks we need to consider
Notes on Identifying users
Relates to several concepts
- Claiming an identity (identification)
- Verifying that claim (authentication)
- Assigning permissions to the verified identity (authorisation)
Different Identities
- Depends on how we want to operate.
- As an individual, as a person fulfilling a role, …
- As a proxy for someone else
Notes on Identifying computers
Increasingly at least as important as identifying users, if not more so.
- What is the right meaning of “identity” for a computer?
Also different roles.
- As a service provider: computer convinces user (or user agent) it is who it says it is.
- As an agent: computer operates on behalf of a user.
- As a server: computer only deals with the other computers it expects.
Name three methods of authentication?
- Passwords
- Multi-factor authentication (example: 2FA)
- Biometrics
What are the benefits and drawbacks of Passwords?
Benefits:
- “Something you know” (and, ideally, only you know)
- The more complex (higher-entropy) the password, the harder it is to crack.
Drawbacks:
- Might forget the password
* Subject to the limitations of human memory
- Needs to be unpredictable
* Weaker passwords are easier to crack, because computers are very good at trying lots of combinations quickly.
- Replay: if an attacker obtains the password once, they can simply replay it against the service they want to attack. Possession of the password is sufficient to authenticate.
- Re-use: people often use the same password on multiple services. Passwords are hard to remember, and the more secure they are, the harder they are to remember.
What is meant by Entropy in relation to passwords?
Meaning: A measure of how unpredictable a password is, and therefore how many guesses an attacker would need to find it. A password chosen uniformly from N equally likely possibilities has log2(N) bits of entropy; each extra bit doubles the attacker’s work.
Key-Note: High entropy means a password drawn from a larger, more random space, which is harder to break.
Note: High entropy = high disorder, a high level of randomness, a high level of unpredictability. Entropy is a property of how the password was chosen, not of how complicated it looks.
Name three methods for generating passwords?
- Leetspeak:
* Replacing letters with look-alike digits or symbols (e.g. “a” → “4”, “e” → “3”, “s” → “5”) to spell a modified word.
* Classic example of security through obscurity: the substitutions are public and password-cracking tools apply them as standard rules, so a leetspeak word is barely harder to guess than the original word.
- Random passwords:
* Choose each of the n characters uniformly at random, using a cryptographically secure generator.
* Each character tells an attacker nothing about the others; this lack of information gain is what provides the security.
* Still need a long password, which is hard to memorize.
- Words:
* Password made up of several random words drawn from a large list (a passphrase); easier to remember than a random string of the same entropy.
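The three generation methods above, with the entropy each one actually gives an attacker, as an added example that is not part of the original notes. The word list, the leetspeak substitution table and the dictionary-size and rule-count figures used for the comparison are constructed assumptions for the example; the point the numbers make is that leetspeak changes how a word looks but not how it was chosen, while random characters or random words from a large list are secured by the size of the space they were drawn from.

```python
import math
import secrets
import string

# Constructed word list for the example; a real passphrase generator would use a
# list of a few thousand words (a diceware-style list) so each word adds ~12 bits.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit",
            "velvet", "quartz", "lantern"]

# Assumed leetspeak table for the example (one of many in common use).
LEET_TABLE = str.maketrans("aeiost", "43105+")

# Letters, digits and punctuation: 52 + 10 + 32 = 94 characters.
ALPHANUM_SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` parts, each drawn uniformly
    from `choices` possibilities: log2(choices ** length)."""
    return length * math.log2(choices)


def leetspeak(word: str) -> str:
    """Leetspeak substitution. The attacker still guesses from the dictionary
    and then applies the same public substitution rules, so almost no entropy
    is added over the plain word."""
    return word.translate(LEET_TABLE)


def leetspeak_entropy_bits(dictionary_size: int, rule_variants: int) -> float:
    """Attacker's view of a leetspeak password: one dictionary word times the
    handful of substitution variants a cracking tool tries for each word."""
    return math.log2(dictionary_size * rule_variants)


def random_password(length: int, alphabet: str = ALPHANUM_SYMBOLS) -> str:
    """Random password of length n. `secrets` uses the OS CSPRNG; never use
    `random.choice` for secrets, since its state is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """Passphrase of n words drawn uniformly (with replacement) from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_methods() -> dict:
    """Entropy in bits each method yields for typical (assumed) parameters."""
    return {
        # "p455w0rd"-style: 100k-word dictionary, ~16 substitution variants per word
        "leetspeak_word": leetspeak_entropy_bits(100_000, 16),
        "random_8_chars": entropy_bits(len(ALPHANUM_SYMBOLS), 8),
        "random_12_chars": entropy_bits(len(ALPHANUM_SYMBOLS), 12),
        "4_words_of_7776": entropy_bits(7776, 4),
        f"4_words_of_{len(WORDLIST)}": entropy_bits(len(WORDLIST), 4),
    }


if __name__ == "__main__":
    print(leetspeak("password"))
    print(random_password(12))
    print(random_passphrase(4))
    for method, bits in compare_methods().items():
        print(f"{method:18s} {bits:6.1f} bits")
```

Four words from the tiny constructed list give only 12 bits, which is why a real passphrase needs a list of thousands of words: the entropy comes from the list size and the word count, not from the words themselves.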
How can we crack a password?
- Brute Force Attack
* Try every possible combination until the password is found; the work grows exponentially with password length and alphabet size.
- Key Loggers
* A form of malware that logs all the keys that a user enters.
* Doesn’t matter how complicated the password is if we can capture its plaintext.
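A brute-force attack against a hashed password, as an added example that is not part of the original notes. The target (an unsalted SHA-256 of the 4-letter password “hush”) and the attacker’s guess rate are constructed assumptions for the example; the code enumerates every candidate shortest-first and reports how many guesses were needed, and then shows how the search space grows with length and alphabet size.

```python
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 hex digest, standing in for a leaked password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed target for the example: the hash of a 4-letter lowercase password.
TARGET_HASH = sha256_hex("hush")


def brute_force(target_hash: str, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Try every candidate of length 1..max_len, shortest first.
    Returns (password, guesses) when the hash matches, or (None, guesses)
    once the whole space has been exhausted."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly this length: alphabet_size ** length.
    Each extra character multiplies the attacker's work by alphabet_size."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at a given guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    found, n = brute_force(TARGET_HASH)
    print(f"recovered {found!r} after {n} guesses")
    # Assumed guess rate for the example: GPU hardware hashing unsalted SHA-256.
    rate = 1e10
    for length in (4, 8, 12):
        secs = seconds_to_exhaust(94, length, rate)
        print(f"94-char alphabet, length {length}: {secs:.3g} s ({secs / (86400 * 365):.3g} years)")
```

The 4-letter password falls in a fraction of a second; a 12-character password over the full 94-character alphabet takes the same attacker far longer than a lifetime. A slow, salted password hash (rather than plain SHA-256) raises the cost of every guess and is the usual defence on the server side, but it cannot rescue a password whose space is small to begin with, and it does nothing against a keylogger that captures the plaintext.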
What is meant by Multi-Factor Authentication (MFA)?
Meaning: A method that requires more than one independent factor to authenticate a user.
Note: Compared with passwords, where a single successful attack is enough, MFA increases the attacker’s work by adding multiple factors.
- Several things needed in order to authenticate
- Require more attacks to be successful
- Make the factors independent: compromising one doesn’t leak information about the others
- Feedback to the user when one factor is used (so an unexpected prompt or code is itself a warning)
Example: 2FA
- Requires two factors to authenticate a user
- The attacker needs two attack vectors (or the user two instances of carelessness); that raises the cost, but doesn’t mean it can’t happen.
What are the factors in a MFA
Physical (something you have):
- A hardware token such as a swipe card, contactless (NFC) card, USB dongle, etc.
Digital/Mental (something you know):
- Password
- PIN
- Memorable date
- Some letters from a memorable word.
Example:
- Supply username and password
- Supply second factor
- Phone call, code from text message, hardware dongle, etc.
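The two-step flow above (username and password, then a second factor), as an added example that is not part of the original notes. The notes list a phone call, text-message code or hardware dongle as the second factor; this example assumes instead a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) generated by a device holding its own random secret, which is how most authenticator apps and many dongles work. The user record, its password, salt and TOTP secret are constructed for the example (the secret is the RFC 6238 test-vector key so the codes are reproducible).

```python
import hashlib
import hmac
import struct
import time


# --- Factor 1: something you know (password, stored as a salted slow hash) ---

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count makes each offline guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# --- Factor 2: something you have (a device holding an independent random secret) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step, digits)


# Constructed user record for the example. The TOTP secret is generated
# separately from the password (in practice with secrets.token_bytes(20)), so
# learning one factor reveals nothing about the other.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector key, for reproducibility only
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct-horse", SALT),
        "totp_secret": TOTP_SECRET,
    },
}


def authenticate(username: str, password: str, code: str, now=None) -> bool:
    """Step 1: check the password. Step 2: check the one-time code.
    Both are evaluated before answering, so a failure does not reveal which
    factor was wrong, and comparisons are constant-time."""
    if now is None:
        now = time.time()
    user = USERS.get(username)
    if user is None:
        # A production service would hash a dummy password here so that
        # response time does not reveal whether the username exists.
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current 30-second step and one step either side for clock drift.
    step = int(now) // 30
    code_ok = any(
        hmac.compare_digest(hotp(user["totp_secret"], step + drift), code)
        for drift in (-1, 0, 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    print("device shows:", totp(TOTP_SECRET, now))
    print("login ok:", authenticate("alice", "correct-horse", totp(TOTP_SECRET, now), now))
    print("wrong password:", authenticate("alice", "guess", totp(TOTP_SECRET, now), now))
```

A captured password alone fails step 2, and a captured code is only useful within its 30-second window, which bounds the replay problem described for passwords above; deployed services also refuse to accept the same code twice. Note that the two secrets never touch each other: the password hash and the TOTP secret are separate random values, which is what makes the factors independent.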
What is the main negative of MFA?
Possibly having too many factors:
- More is not always better
- Too many factors hurts usability, and that in turn opens a security hole: once people hit the limits of what they can remember or carry, they work around the controls (for example by writing secrets down).
Note: Policies need to be aware of this.
- If you mandate that people can’t write things down, don’t ask them to use things they can’t remember.
- If you need a second factor, make sure there are options (a backup factor or recovery path), or accept that people will get locked out.
What is meant by biometric in relation to security?
Meaning: a method for identification and authentication that uses physical traits of the person to verify their identity.
Note: “Something you are” (as opposed to something you know or something you have)
- Since you always bring yourself, using something that’s intrinsic to you is attractive.
- Harder to fake than a password, and can’t be forgotten.
Example: Fingerprints and faces
- Fingerprints and faces are assumed to be unique enough to tell individuals apart.
Vulnerabilities:
- Both approaches are based on an image (a measurement) of the person, not on the person themselves directly.
- What is stored and compared is an encoded representation of a core personal attribute, and unlike a password it cannot be changed if it leaks.
Attacks:
- Once the encoding has been obtained, it can be leveraged (replayed, or used to reconstruct a matching input).
- Lookalikes, fake fingerprints
- Compromise the camera or sensor and feed it a stored image
- Hold the camera to the person’s face/finger (coercion, or a sleeping or unconscious person).
Note: Remember we’re working with an image of a physical attribute, not the attribute itself.
Notes on Identity and Authentication
Can we do without any computer-based authentication?
Perhaps if having physical access to the computer is enough.
- The security is all done outside the digital realm
- Air-gapped machine (no remote access)
- Inside a secure facility such as a SCIF.
Summary of Identity and Authentication.
Authentication is a great example of a sociotechnical problem
- Technological solutions are embedded in a human social system and face human constraints
- This limits how complex the methods can be
Multiple factors can help – but only if designed with this in mind
- The factors must require independent attacks, and the design must protect against subtle attacks like replay and hazards like re-use.