Lesson 6: Implementing Identity and Access Management Controls

Question 1

access control system

Answer 1

An access control system is the set of technical controls that govern how subjects may interact with objects.

Question 2

Subjects

Answer 2

users, devices, or software processes, or anything else that can request and be granted access to a resource.

A subject is identified on a computer system by an account. An account consists of an identifier, credentials, and a profile.

Question 3

Objects

Answer 3

resources; these could be networks, servers, databases, files, and so on.

Question 4

Access Control List (ACL)

Answer 4

In computer security, the basis of access control is usually an Access Control List (ACL). This is a list of subjects and the rights or permissions they have been granted on the object.

Question 5

An Identity and Access Management (IAM) system is usually described in terms of four main processes:

Answer 5

• Identification—creating an account or ID that identifies the user, device, or process on the network.
• Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource.
• Authorization—determining what rights subjects should have on each resource, and enforcing those rights.
• Accounting—tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

IAM enables you to define the attributes that comprise an entity’s identity, such as its purpose, function, security clearance, and more. These attributes subsequently enable access management systems to make informed decisions about whether to grant or deny an entity access, and if granted, decide what the entity has authorization to do.

Question 6

Identification

Answer 6

associates a particular user (or software process) with an action performed on a network system.

Question 7

Authentication

Answer 7

proves that a user or process is who it claims to be; that is, that someone or something is not masquerading as a genuine user.

verifies that only the account holder is able to use the account, and that the system may only be used by account holders. Authentication is performed when the account holder supplies the appropriate credentials to the system. These are compared to the credentials stored on the system. If they match, the account is authenticated. One of the primary issues with authentication is unauthorized exposure or loss of the information being used to authenticate. If a user’s credential, such as a password, is exposed, it may be used in an unauthorized fashion before it can be changed.

Question 8

Identification and authentication are vital first steps in the access control process:

Answer 8

• To prove that a user is who he or she says he is. This is important because access should only be granted to valid users (authorization).
• To prove that a particular user performed an action (accounting). Conversely, a user should not be able to deny what he or she has done (non-repudiation).

Question 9

Security Identifier (SID)

Answer 9

An identifier must be unique. For example, in Windows® a subject may be represented by a username to system administrators and other users. The username is often recognizable by being some combination of the user’s first and last names or initials. However, the account is actually defined on the system by a Security Identifier (SID) string. If the user account was deleted and another account with the same name subsequently created, the new account would have a new SID and, therefore, not inherit any of the permissions of the old account.

Question 10

Credentials

Answer 10

Credentials means the information used to authenticate a subject when it tries to access the user account. This information could be a username and password or smart card and PIN code.

Question 11

profile

Answer 11

The profile is information stored about the subject. This could include name and contact details as well as group memberships.

Question 12

Issuance (or enrollment)

Answer 12

means processes by which a subject’s credentials are recorded, issued, and linked to the correct account, and by which the account profile is created and maintained.

Question 13

Some of the issues involved in issuance or enrollment are:

Answer 13

• Identity proofing—verifying that subjects are who they say they are at the time the account is created. Attackers may use impersonation to try to infiltrate a company without disclosing their real identity. Identity proofing means performing background and records checks at the time an account is created.

Note: Websites that allow users to self-register typically employ a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). A CAPTCHA is usually a graphic or audio of some distorted letters and digits. This prevents a software process (bot) from creating an account.

• Ensuring only valid accounts are created—for example, preventing the creation of dummy accounts or accounts for employees that are never actually hired. The identity issuance process must be secured against the possibility of insider threats (rogue administrative users). For example, a request to create an account should be subject to approval and oversight.
• Secure transmission of credentials—creating and sending an initial password securely. Again, the process needs protection against snooping and rogue administrative staff. Newly created accounts with simple or default passwords are an easily exploitable backdoor.
• Revoking the account if it is compromised or no longer in use.

Question 14

The difficulties of issuance or enrollment can be mitigated by two techniques:

Answer 14

• Password reset—automating the password reset process reduces the administration costs associated with users forgetting passwords but making the reset process secure can be problematic.
• Single sign-on—this means that all network resources and applications accept the same set of credentials, so the subject only needs to authenticate once per session. This requires application compatibility and is difficult to make secure or practical across third-party networks.

Question 15

There are many different technologies for defining credentials. They can be categorized as the following factors:

Answer 15

• Something you know, such as a password.
• Something you have, such as a smart card.
• Something you are, such as a fingerprint.
• Something you do, such as making a signature.
• Somewhere you are, such as using a mobile device with location services.

Question 16

something you know authentication

Answer 16

The typical something you know technology is the logon: this comprises a username and a password. The username is typically not a secret (though it should not be published openly), but the password must be known only to the account holder. A passphrase is a longer password comprising several words. This has the advantages of being more secure and easier to remember. A Personal Identification Number (PIN) is also something you know, though long PIN codes are hard to remember and short codes are too vulnerable for most authentication systems. If the number of attempts are not limited, it is simple for password cracking software to try to attempt every combination to brute force a 4-digit PIN.

often used for account reset mechanisms

Question 17

something you have authentication

Answer 17

There are numerous ways to authenticate a user based on something they have. Examples include a smart card, USB token, or key fob that contains a chip with authentication data, such as a digital certificate. Compared to something you know authentication, token-based systems are more costly because each user must be issued with the token and each terminal may need a reader device to process the token. The main concerns with cryptographic access control technologies are loss and theft of the devices. Token-based authentication is not always standards-based, so interoperability between products can be a problem. There are also risks from inadequate procedures, such as weak cryptographic key and certificate management.

Question 18

Something you are authentication

Answer 18

employing some sort of biometric recognition system. Many types of biometric information can be recorded, including fingerprint patterns, iris or retina recognition, or facial recognition. The chosen biometric information (the template) is scanned and recorded in a database. When the user wants to access a resource, he or she is re-scanned, and the scan is compared to the template. If the confirmation scan matches the template to within a defined degree of tolerance, access is granted. The main problems with biometric technology generally are:

• Users can find it intrusive and threatening to privacy.
• The technology can be discriminatory or inaccessible to those with disabilities.
• Setup and maintenance costs to provision biometric readers.
• Vulnerability to spoofing methods.

Question 19

Something you do authentication

Answer 19

refers to behavioral biometric recognition. Rather than scan some attribute of your body, a template is created by analyzing a behavior, such as typing or writing a signature. The variations in speed and pressure applied are supposed to uniquely verify each individual. In practice, however, these methods are subject to higher error rates and are much more troublesome for a subject to perform. Something you do authentication is more likely to be deployed as an intrusion detection or continuous authentication mechanism. For example, if a user successfully authenticates using a password and smart card, their use of the keyboard might be subsequently monitored. If this deviates from the baseline, the IDS would trigger an alert.

Question 20

something where you are authentication

Answer 20

Location-based authentication measures some statistic about where you are. This could be a geographic location, measured using a device’s location service and the GPS (Global Positioning System) and/or IPS (Indoor Positioning System), or it could be by IP address. The IP address could also be used to refer to a logical network segment or it could be linked to a geographic location using a geolocation service. Geolocation by IP address works by looking up a host’s IP address in a geolocation database, such as GeoIP (https://www.maxmind.com/en/geoip-demo), IPInfo (https://ipinfo.io), or DB-IP (https://www.db-ip.com), and retrieving the registrant’s country, region, city, name, and other information. The registrant is usually the ISP, so the information you receive will provide an approximate location of a host based on the ISP. If the ISP is one that serves a large or diverse geographical area, you will be less likely to pinpoint the location of the host.

Question 21

multifactor authentication (MFA)

Answer 21

An authentication product is considered strong if it combines the use of more than one type of something you know/have/are (multifactor). Single-factor authentication systems can quite easily be compromised: a password could be written down or shared, a smart card could be lost or stolen, and a biometric system could be subject to high error rates or spoofing.

Question 22

two-factor (2FA)

Answer 22

combines something like a smart card or biometric mechanism with something you know, such as a password or PIN. Three-factor authentication combines all three technologies, or incorporates an additional location-based factor. An example of this would be a smart card with integrated fingerprint reader. This means that to authenticate, the user must possess the card, the user’s fingerprint must match the template stored on the card, and the user must input a PIN or password.

Question 23

Mutual authentication

Answer 23

a security mechanism that requires that each party in a communication verifies each other’s identity. Before the client submits its credentials, it verifies the server’s credentials. Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server. Mutual authentication helps in avoiding Man-in-the-Middle and session hijacking attacks.

Mutual authentication can be configured on the basis of a password-like mechanism where a shared secret is configured on both server and client. Distributing the shared secret and keeping it secure is a significant challenge, however. Most mutual authentication mechanisms rely on digital certificates and Public Key Infrastructure (PKI).

Question 24

LAN Manager (LM or LANMAN)

Answer 24

Most computer networks depend on “something you know” authentication, using the familiar method of a user account protected by a password. There are many different ways of implementing account authentication on different computer systems and networks. LAN Manager (LM or LANMAN) was an NOS developed by Microsoft® and 3Com. Microsoft used the authentication protocol from LM for Windows 9x networking. LM is a challenge/response authentication protocol. This means that the user’s password is not sent to the server in plaintext.

1. When the server receives a logon request, it generates a random value called the challenge (or nonce) and sends it to the client.
2. Both client and server encrypt the challenge using the hash of the user’s password as a key.
3. The client sends this response back to the server.
4. The server compares the response with its version and if they match, authenticates the client.

Question 25

Passwords are stored using the 56-bit DES cryptographic function. This is not actually a true hash like that produced by MD5 or SHA but is intended to have the same sort of effect; the password is used as the secret key. In theory, this should make password storage secure, but the LM hash process is unsecure for the following reasons:

Answer 25

• Alphabetic characters use the limited ASCII character set and are converted to upper case, reducing complexity.
• Maximum password length is 14 characters. Long passwords (over seven characters) are split into two and encrypted separately; this means passwords that are seven characters or less are easy to identify and makes each part of a longer password more vulnerable to brute force attacks.
• The password is not “salted” with a random value, making the ciphertext vulnerable to rainbow table attacks.

Question 26

NTLM authentication

Answer 26

In Windows NT, the updated NTLM authentication mechanism fixed some of the problems in LM:

• The password is Unicode and mixed case and can be up to 127 characters long.
• The 128-bit MD4 hash function is used in place of DES.

A substantially revised version of the protocol appeared in Windows NT4 SP4. While the basic process is the same, the responses are calculated differently to defeat known attacks against NTLM. An NTLMv2 response is an HMAC-MD5 hash (128-bit) of the username and authentication target (domain name or server name) plus the server challenge, a timestamp, and a client challenge. The MD4 password hash (as per NTLMv1) is used as the key for the HMAC-MD5 function. NTLMv2 also defines other types of responses that can be used in specific circumstances:

• LMv2—provides pass-through authentication where the target server does not support NTLM but leverages the authentication service of a domain controller that does. LMv2 provides a mini-NTLMv2 response that is the same size as an LM response.
• NTLMv2 Session—provides stronger session key generation for digital signing and sealing applications (see the Kerberos Authentication section for a discussion of the use of session keys).
• Anonymous—access for services that do not require user authentication, such as web servers.

Question 27

LM/NTLM vulnerabilities

Answer 27

The flaws in LM and NTLMv1 would normally be considered a historical curiosity as these mechanisms are obsolete, but one of the reasons that Windows password databases can be vulnerable to “cracking” is that they can store LM hash versions of a password for compatibility with legacy versions of Windows (pre Windows 2000). LM responses can also be accepted during logon (by default, the client sends both LM and NTLM responses) and, therefore, captured by a network sniffer.

Question 28

Kerberos

Answer 28

a network authentication protocol developed by the Massachusetts Institute of Technology (MIT) in the 1980s. The idea behind Kerberos is that it provides a single sign-on. This means that once authenticated, a user is trusted by the system and does not need to re-authenticate to access different resources. The Kerberos authentication method was selected by Microsoft as the default logon provider for Windows 2000 and later. Based on the Kerberos 5.0 open standard, it provides authentication to Active Directory, as well as compatibility with other, non-Windows, operating systems.

Kerberos was named after the three-headed guard dog of Hades (Cerberus) because it consists of three parts. Clients request services from a server, which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for their identity. There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.

Question 29

Authentication Service Of Kerberos

Answer 29

The Authentication Service is responsible for authenticating user logon requests. More generally, users and services can be authenticated; these are collectively referred to as principals. For example, when you sit at a Windows domain workstation and log on to the domain (Kerberos documentation refers to realms rather than domains, which is Microsoft’s terminology), the first step of logon is to authenticate with a Key Distribution Center (KDC) server (implemented as a domain controller).

1. The client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user’s password hash as the key.

Note: The password hash itself is not transmitted over the network.

2. If the user is found in the database and the request is valid (the user’s password hash matches the one in the Active Directory database and the time matches to within five minutes of the server time), the AS responds with:

• Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC’s secret key.
• TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user’s shared secret (the logon password, for instance).

The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources.

Note: The TGT (or user ticket) is time-stamped (under Windows, they have a default maximum age of 10 hours). This means that workstations and servers on the network must be synchronized (to within five minutes) or a ticket will be rejected. This helps to prevent replay attacks.

Presuming the user entered the correct password, the client can decrypt the TGS session key but not the TGT. This establishes that the client and KDC know the same shared secret and that the client cannot interfere with the TGT.

To access resources within the domain, the client requests a Service Ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the Ticket Granting Service (TGS).

3. The client sends the TGS a copy of its TGT and the name of the application server it wishes to access plus an authenticator, consisting of a time-stamped client ID encrypted using the TGS session key.

The TGS should be able to decrypt both messages using the KDC’s secret key for the first, and the TGS session key for the second. This confirms that the request is genuine. It also checks that the ticket has not expired and has not been used before (replay attack).

4. The TGS service responds with:

• Service session key—for use between the client and the application server. This is encrypted with the TGS session key.
• Service ticket—containing information about the user, such as a timestamp, system IP address, Security Identifier (SID) and the SIDs of groups to which he or she belongs, and the service session key. This is encrypted using the application server’s secret key.

5. The client forwards the service ticket, which it cannot decrypt, to the application server and adds another time-stamped authenticator, which is encrypted using the service session key.
6. The application server decrypts the service ticket to obtain the service session key using its secret key, confirming that the client has sent it an untampered message. It then decrypts the authenticator using the service session key.
7. Optionally, the application server responds to the client with the timestamp used in the authenticator, which is encrypted by using the service session key. The client decrypts the timestamp and verifies that it matches the value already sent and concludes that the application server is trustworthy.

This means that the server is authenticated to the client (referred to as mutual authentication). This prevents a Man-in-the-Middle attack where a malicious user could intercept communications between the client and server.

8. The server now responds to client requests (assuming they conform to the server’s access control list).

One of the noted drawbacks of Kerberos is that the KDC represents a single point-of-failure for the network. In practice, backup KDC servers can be implemented (for example, Active Directory supports multiple domain controllers, each of which will be running the KDC service).

Kerberos can be implemented with several different algorithms: DES (56-bit), RC4 (128-bit), or AES (128-bit or better) for session encryption and the MD5 or SHA-1 hash functions. AES is supported under Kerberos v5, but in terms of Microsoft networking, only versions Windows Server 2008/Windows Vista and later support it. A suitable algorithm is negotiated between the client and the KDC.

Question 30

Password Authentication Protocol (PAP)

Answer 30

The Password Authentication Protocol (PAP) is an unsophisticated authentication method developed as part of the TCP/IP Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. It relies on clear text password exchange and is, therefore, obsolete for the purposes of any sort of secure connection.

Question 31

Challenge Handshake Authentication Protocol (CHAP)

Answer 31

developed as part of PPP as a means of authenticating users over a remote link. It is defined in http://www.ietf.org/rfc/rfc1994.txt. CHAP relies on an encrypted challenge in a system called a three-way handshake.

1. Challenge—the server challenges the client, sending a randomly generated challenge message.
2. Response—the client responds with a hash calculated from the server challenge message and client password (or other shared secret).
3. Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.

The handshake is repeated with a different challenge message periodically during the connection (though transparent to the user). This guards against replay attacks, where a previous session could be captured and reused to gain access. CHAP typically provides one-way authentication only. Cisco’s implementation of CHAP, for example, allows for mutual authentication by having both called and calling routers challenge one another. This only works between two Cisco routers, however.

Question 32

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Answer 32

Microsoft’s first implementation of CHAP, supported by older clients, such as Windows 95. An enhanced version (MS-CHAPv2) was developed for Windows 2000 and later. MS-CHAPv2 also supports mutual authentication. Because of the way it uses vulnerable NT hashes, MS-CHAP should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted.

Question 33

password attack

Answer 33

An online password attack is where the adversary directly interacts with the authentication service—a web login form or VPN gateway, for instance. The attacker will submit passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline.

Note: Be aware of horizontal brute force attacks, also referred to as password spraying. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.

An online password attack can show up in audit logs as repeatedly failed logons and then a successful logon, or as several successful logon attempts at unusual times or locations. Apart from ensuring the use of strong passwords by users, online password attacks can be mitigated by restricting the number or rate of logon attempts, and by shunning logon attempts from known bad IP addresses.

Note: Note that restricting logons can be turned into a vulnerability as it exposes you to Denial of Service attacks. The attacker keeps trying to authenticate, locking out valid users.

Question 34

Password cracker

Answer 34

Password cracker software works on the basis of exploiting known vulnerabilities in password transmission and storage algorithms (LM and NTLM hashes, for instance). They can perform brute force attacks and use precompiled dictionaries and rainbow tables to break naïvely chosen passwords. A password cracker can work on a database of hashed passwords. This can also be referred to as an offline attack, as once the password database has been obtained, the cracker does not interact with the authentication system to perform the cracking.

Question 35

The following locations are used to store passwords:

Answer 35

• %SystemRoot%\System32\config\SAM—local users and passwords are stored as part of the Registry (Security Account Manager) on Windows machines.
• %SystemRoot%\NTDS\NTDS.DIT—domain users and passwords are stored in the Active Directory database on domain controllers.
• On Linux, user account details and encrypted passwords are stored in /etc/passwd, but this file is universally accessible. Consequently, passwords are moved to /etc/ shadow, which is only readable by the root user.

Also, be aware that there are databases of username and password/password hash combinations for multiple accounts stored across the Internet. These details derive from successful hacks of various companies’ systems. These databases can be searched using a site such as https://haveibeenpwned.com.

If the attacker cannot obtain a database of passwords, a packet sniffer might be used to obtain the client response to a server challenge in a protocol such as NTLM or CHAP/MS-CHAP. While these protocols avoid sending the hash of the password directly, the response is derived from the password hash in some way. Password crackers can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it.

Question 36

Some well-known password cracking tools include:

Answer 36

• John the Ripper—multi-platform password hash cracker.
• THC Hydra—often used against remote authentication (protocols such as Telnet, FTP, HTTPS, SMB, and so on).
• Aircrack—sniffs and decrypts WEP and WPA wireless traffic.
• L0phtcrack—one of the best-known Windows password recovery tools. There is also an open source version (ophcrack).
• Cain and Abel—Windows password recovery with password sniffing utility.

Question 37

brute force attack

Answer 37

A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. The key space is determined by the number of bits used (the length of the key). In theory, the longer the key, the more difficult it is to compute each value, let alone check whether the plaintext it produces is a valid password. Brute force attacks are heavily constrained by time and computing resources, and are therefore most effective at cracking short passwords. However, brute force attacks that are distributed across multiple hardware components, like a cluster of high-end graphics cards, can be successful at cracking longer passwords.

Question 38

dictionary attack

Answer 38

A dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password. Rather than attempting to compute every possible value, the software enumerates values in the dictionary.

Question 39

Rainbow table attacks

Answer 39

Rainbow table attacks refine the dictionary approach. The technique was developed by Phillipe Oechsli and used in his Ophcrack Windows password cracker. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. Not all possible hash values are stored, as this would require too much memory. Values are computed in chains and only the first and last values need to be stored. The hash value of a stored password can then be looked up in the table and the corresponding plaintext discovered.

Hash functions can be made more secure by adding salt. Salt is a random value added to the plaintext. This helps to slow down rainbow table attacks against a hashed password database, as the table cannot be created in advance and must be recreated for each combination of password and salt value. Rainbow tables are also impractical when trying to discover long passwords (over about 14 characters). UNIX® and Linux® password storage mechanisms use salt, but Windows does not. Consequently, in a Windows environment it is even more important to enforce password policies, such as selecting a strong password and changing it periodically.

Question 40

hybrid password attack

Answer 40

A hybrid password attack uses a combination of dictionary and brute force attacks. It is principally targeted against naively strong passwords, such as james1. The password cracking algorithm tests dictionary words and names in combination with several numeric prefixes and/or suffixes. Other types of algorithms can be applied, based on what hackers know about how users behave when forced to select complex passwords that they don’t really want to make hard to remember. Other examples might include substituting “s” with “5” or “o” with “0”.

Question 41

key stretching

Answer 41

Another technique to make the key generated from a user password stronger is by—basically—playing around with it lots of times. This is referred to as key stretching. The initial key may be put through thousands of rounds of hashing. This might not be difficult for the attacker to replicate so it doesn’t actually make the key stronger, but it slows the attack down as the attacker has to do all this extra processing for each possible key value.

Question 42

Key stretching can be performed by using a particular software library to hash and save passwords when they are created. Two such libraries are:

Answer 42

• bcrypt—an extension of the crypt UNIX library for generating hashes from passwords. It uses the Blowfish cipher to perform multiple rounds of hashing.
• Password-Based Key Derivation Function 2 (PBKDF2)—part of RSA security’s public key cryptography standards (PKCS#5).

Question 43

Pass-the-Hash (PtH) attacks

Answer 43

If an attacker can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols such as CIFS. Such attacks are called Pass-the-Hash (PtH) attacks. One opportunity for widening access to a Windows domain network using pass-the-hash is for the local administrator account on a domain PC to be compromised so that the adversary can run malware with local admin privileges. The malware then scans system memory for cached password hashes being processed by the Local Security Authority Subsystem Service (lsass.exe). The adversary will hope to obtain the credentials of a domain administrator logging on locally or remotely and then replay the domain administrator hash to obtain wider privileges across the network.

Related to PtH, the secret keys used to secure AD Kerberos tickets are derived from NT hashes rather than randomly generated; therefore, care must be taken to protect the hashes from credential dumping or the system becomes vulnerable to ticket-forging attacks, referred to as a “golden ticket” attack (https://www.youtube.com/watch?v=lJQn06QLwEw).

The principal defense against these types of attacks is to strongly restrict the workstations that will accept logon (interactive or remote) from an account with domain administrative privileges. Domain administrators should only be allowed to log on to especially hardened workstations, and such workstations must be protected against physical and network access by any other type of account or process.

Question 44

token

Answer 44

There are various ways to authenticate a user based on something they have or a token. Typically, this might be a smart card, USB token, or key fob that contains a chip with authentication data, such as a digital certificate. A smart card is a credit card-sized device with an integrated chip and data interface. The card must be presented to a card reader before the user can be authenticated.

Question 45

contact-based

Answer 45

A smart card is either contact-based, meaning that it must be physically inserted into a reader, or contactless, meaning that data is transferred using a tiny antenna embedded in the card. A contactless smart card can also be referred to as a proximity card. The ISO have published various ID card standards to promote interoperability, including ones for smart cards (ISO 7816 for contact and ISO 14443 for contactless types).

Note: ISO 14443 refers to Proximity Integrated Circuit Cards (PICC). Be aware that proximity card might be used to specifically mean an ISO 14443 compliant smart card.

The card reader or scanner can either be built into a computer or connected as a USB peripheral device. A software interface is then required to read (and possibly write) data from the card. The software should comply with the PKCS#11 API standard. The latest generation of cards can generate their own keys, which is more secure than programming the card through software. When the card is read, the card software usually prompts the user for a PIN or password, which mitigates the risk of the card being lost or stolen.

As well as being used for computer and network logons, smart cards and proximity cards can be used as a physical access control to gain access to building premises via secure gateways.

If the smart card format is unsuitable, an authentication token can also be stored on a special USB drive. A USB-based token can be plugged into a normal USB port.

Question 46

IEEE 802.1X Port-based Network Access Control framework

Answer 46

Smart cards and other token-based systems are often configured to work with the IEEE 802.1X Port-based Network Access Control framework. 802.1X establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP). EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.

Question 47

One-time Password (OTP)

Answer 47

one that is generated automatically (rather than being selected by a user) and used only once. Consequently, it is not vulnerable to password guessing or sniffing attacks. An OTP is generated using some sort of hash function on a secret value plus a synchronization value (seed), such as a timestamp or counter. Other options are to base a new password on the value of an old password or use a random challenge value (nonce) generated by the server. OTP tokens may be implemented in hardware or in software. Many tokens exist in the form of mobile device applications.

A hardware token type of device is typified by the SecurID token from RSA. The device generates a passcode based on the current time and a secret key coded into the device. An internal clock is used to keep time and must be kept precisely synchronized to the time on the authentication server. The code is entered along with a PIN or password known only to the user, to protect the system against loss of the device itself.

There are also 2-step verification mechanisms. These generate a software token on a server and send it to a resource that is assumed to be safely controlled by the user, such as a smartphone or email account. Note that this is not strictly a something you have authentication factor. Anyone intercepting the code within the timeframe could enter it as something you know without ever possessing or looking at the device itself.

Question 48

Initiative for Open Authentication (OATH)

Answer 48

The Initiative for Open Authentication (OATH) is an industry body comprising mostly the big PKI providers, such as Verisign and Entrust, established with the aim of developing an open, strong authentication framework. Open means a system that any enterprise can link into to perform authentication of users and devices across different networks. Strong means that the system is based not just on passwords but on 2- or 3-factor authentication or on 2-step verification. OATH has developed two algorithms for implementing One-time Passwords (OTPs) on the web.

Question 49

HMAC-based One-time Password Algorithm (HOTP)

Answer 49

n algorithm for token-based authentication. HOTP is defined by http://tools.ietf.org/html/rfc4226. The authentication server and client token are configured with the same shared secret. This should be an 8-byte value generated by a cryptographically strong random number generator. The token could be a fob-type device or implemented as a smartphone app. The shared secret can be transmitted to the smartphone app as a QR code image acquirable by the phone’s camera so that the user doesn’t have to type anything. Obviously, it is important that no other device is able to acquire the shared secret. The shared secret is combined with a counter to create a one-time password when the user wants to authenticate. The device and server both compute the hash and derive an HOTP value that is 6-8 digits long. This is the value that the user must enter to authenticate with the server. The counter is incremented by one.

Note: The server will be configured with a counter window to cope with the circumstance that the device and server counters move out of sync. This could happen if the user generates an OTP but does not use it, for instance.

Question 50

Note: The server will be configured with a counter window to cope with the circumstance that the device and server counters move out of sync. This could happen if the user generates an OTP but does not use it, for instance.

Answer 50

a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might be able to obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device’s and server’s local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance). For this to work, the client device and server must be closely time-synchronized. TOTP is defined by http://tools.ietf.org/html/rfc6238. One well-known implementation of HOTP and TOTP is Google Authenticator™.

Question 51

biometric authentication

Answer 51

The first step in setting up biometric authentication is enrollment. The chosen biometric information is scanned by a biometric reader and converted to binary information. There are various ways of deploying biometric readers. Most can be installed as a USB peripheral device. Some types (fingerprint readers) can be incorporated on a laptop or mouse chassis. Others are designed to work with physical access control systems.

There are generally two steps in the scanning process:

• A sensor module acquires the biometric sample from the target.
• A feature extraction module records the significant information from the sample (features that uniquely identify the target).

The biometric template is recorded in a database stored on the authentication server. When the user wants to access a resource, he or she is re-scanned, and the scan is compared to the template. If they match to within a defined degree of tolerance, access is granted. Security of the template and storage mechanism is a key problem for biometric technologies.

• It should not be possible to use the template to reconstruct the sample.
• The template should be tamper-proof (or at least tamper-evident).
• Unauthorized templates should not be injected.

Standard encryption products cannot be used, as there needs to be a degree of fuzzy pattern matching between the template and the confirmation scan. Vendors have developed proprietary biometric cryptosystems to address security.

A corollary of the development of biometric cryptosystems is to use biometric information as the key when encrypting other data. This solves the template storage problem and the problem of secure key distribution (the person is the key) but not the one of pattern matching (that is, will the same biometric sample always produce the same key and if not, how would encrypted data be recovered?)

Another problem is that of dealing with templates that have been compromised; that is, how can the genuine user be re-enrolled with a new template (revocability)? One possible solution is to employ steganography to digitally watermark each enrollment scan. Another is to “salt” each scan with a random value or a password.

Question 52

biometric factors - physical

Answer 52

fingerprint, eye, and facial recognition

Question 53

biometric factors - behavioral

Answer 53

voice, signature, and typing pattern matching

Question 54

Key metrics and considerations used to evaluate different technologies include the following:

Answer 54

• False negatives (where a legitimate user is not recognized); referred to as the False Rejection Rate (FRR) or Type I error.
• False positives (where an interloper is accepted); referred to as the False Acceptance Rate (FAR) or Type II error.

False negatives cause inconvenience to users, but false positives can lead to security breaches, and so is usually considered the most important metric.

• Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology.
• Errors are reduced over time by tuning the system. This is typically accomplished by adjusting the sensitivity of the system until CER is reached.
• Throughput (speed)—this refers to the time required to create a template for each user and the time required to authenticate. This is a major consideration for high traffic access points, such as airports or railway stations.

Question 55

Fingerprint recognition

Answer 55

most widely implemented biometric technology. A fingerprint is a unique pattern and thus lends itself to authentication. The technology required for scanning and recording fingerprints is relatively inexpensive and the process quite straightforward. Scanning devices are easy to implement, with scanners incorporated on laptop chassis, mice, keyboards, smartphones, and so on. The technology is also simple to use and non-intrusive, though it does carry some stigma from association with criminality. Reader and finger also need to be kept clean and dry.

The main problem with fingerprint scanners is that it is possible to obtain a copy of a user’s fingerprint and create a mold of it that will fool the scanner

A similar option is hand- or palmprint recognition, but this is considered less reliable and obviously requires bulkier devices.

Question 56

There are two types of biometric recognition based on features of the eye:

Answer 56

• Retinal scan—an infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is, therefore, one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.
• Iris scan—this matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance), and a lot quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone’s eye.

Question 57

facial recognition

Answer 57

Where fingerprint and eye recognition focus on one particular feature, facial recognition records multiple indicators about the size and shape of the face, like the distance between each eye, or the width and length of the nose. The initial pattern needs to be recorded under optimum lighting conditions; depending on the technology, this can be a lengthy process. Again, this technology is very much associated with law enforcement, and is the most likely to make users uncomfortable about the personal privacy issues. Facial recognition suffers from relatively high false acceptance and rejection rates and can be vulnerable to spoofing. Much of the technology development is in surveillance, rather than for authentication, though it is becoming a popular method for use with smartphones.

Question 58

Behavioral technologies

Answer 58

Behavioral technologies (sometimes classified as Something you do) are often cheap to implement but tend to produce more errors than scans based on physical characteristics. They can also be discriminatory against those with disabilities:

• Voice recognition—this is relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. Voice is also subject to impersonation.
• Signature recognition—everyone knows that signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).
• Typing—this matches the speed and pattern of a user’s input of a passphrase.

Question 59

Common Access Card (CAC) & Personal Identification Verification (PIV) Access Cards

Answer 59

Identification is the problem of issuing authentication credentials to the correct person and of ensuring that the authorized person is using the credentials. In a password-based system, you must trust that the password is known only to the authorized person. In a token-based system, you must ensure that the token can only be used by the authorized person. In the US, the Homeland Security Presidential Directive 12 (HSPD-12) mandated that access to Federal property must be controlled by a secure identification and authentication mechanism (as defined in the FIPS-201 standard). As a result, two identity cards have been introduced:

Common Access Card (CAC)—issued to military personnel, civilian employees, and contractors to gain access to Department of Defense (DoD) facilities and systems.

These cards allow the user to authenticate using a token (the card is a smart card) and passcode but the card also contains Personally Identifiable Information, including a photograph of the holder.

Other identity documents produced include the First Responder Access Credential (FRAC)—for emergency services personnel to gain access to federal buildings during an emergency—and the ePassport (a passport with an embedded smart card).

Question 60

Follow these guidelines when implementing IAM:

Answer 60

• Ensure robust procedures for creating accounts that identify network subjects (users and computers) and issue credentials to those subjects securely.
• Determine which authentication factors and technology provide the best security, given any limitations imposed by existing infrastructure and budget.
• Understand some of the risks in relying on password-based authentication.
• Consider implementing certificate-based or hardware token-based authentication methods in a multifactor scheme to mitigate issues associated with passwords and biometrics.
• Recognize the strengths and weaknesses of each type of biometric device and how they can mitigate risks when implemented as single-factor or multifactor authentication technology.
• Consider that using PIV or CACs may be mandatory if you work with or for the U.S. federal government.