CYBR171 - User Authentication
What are the 5 main vulnerabilities of biometrics?
- A biometric is a password for life. If your biometric is compromised, you cannot change it. - Biometrics are left around for others to copy, e.g. fingerprints on surfaces, photographs of us, recordings of our voice. A 3D print or a photo can be used to replay the biometric, and the sensor may not be able to tell a live biometric from a copy. - The enrolment process may be attacked. Templates could be changed in the database to match the attacker rather than the victim. - Biometrics are not a "yes" or "no"; matching produces a similarity score that is compared with a threshold, so they suffer from false positives and false negatives. An attacker who looks similar enough may be accepted by accident. - Some biometrics change over time. With age or after an injury, you might no longer be verified as you.
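The "biometrics are a score, not a yes/no" point is easiest to see with numbers. The example below is added for these notes and is not part of the course material: the score lists are constructed (not real biometric data), and the matcher is reduced to a threshold comparison. It computes the false accept rate (FAR, impostors let in) and false reject rate (FRR, genuine users refused) for a chosen threshold, and sweeps thresholds to find the equal error rate, showing how moving the threshold trades one error for the other and how a "look-alike" impostor with a high score slips through.

```python
# Constructed sample similarity scores between a probe and the enrolled
# template (1.0 = identical). Not real biometric data.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.86, 0.93, 0.72, 0.89, 0.84, 0.97]   # right person
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.67, 0.30, 0.49, 0.75, 0.18]  # wrong person


def decide(score: float, threshold: float) -> bool:
    """The matcher only produces a score; the yes/no comes from the threshold."""
    return score >= threshold


def error_rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at this threshold.

    FAR: fraction of impostor attempts accepted (false positives).
    FRR: fraction of genuine attempts rejected (false negatives).
    """
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a candidate threshold and return
    (threshold, EER) where FAR and FRR are closest to each other."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("equal error rate at threshold %.2f: %.0%%" % equal_error_rate())
```

Raising the threshold from 0.7 to 0.8 removes the accepted look-alike (the impostor scoring 0.75) but starts rejecting two genuine users; there is no setting with both errors at zero, which is why a biometric is normally paired with another factor.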
What are the 4 main vulnerabilities of using SMS-based authentication?
- The attacker could steal your phone. They log in as you on the target website and the SMS is delivered to the phone in their possession. - The attacker could install a virus or remote-control program on your phone, which lets them read the one-time code sent by SMS. - The attacker could compromise the local cell tower, allowing them to intercept SMS messages. - The attacker could use social engineering against the carrier to have a new SIM with your phone number issued to them (SIM swapping). They now receive any SMS messages intended for you.
What are the 3 types of connectivity?
- Disconnected: The token displays the password on its own screen and the user types it in, e.g. RSA SecurID. - Contact: The token must make physical contact to be used, e.g. plugged into a USB port or audio jack, or inserted into a reader. - Contactless: The token communicates without physical contact, e.g. radio (NFC), Bluetooth, or visual (a QR code shown to a camera).
What are the 3 types of password types?
- Fixed: The token holds a fixed password that is the same every time it is used. - Dynamic: The token produces a one-time password that changes with time or with a counter. - Challenge-Response: The verifier sends a challenge, and only a token holding the correct secret can compute the correct response. Because the challenge differs every time, so does the response, so a captured response cannot be replayed.
What are the 3 types of token vulnerabilities?
- Loss and Theft: Once an attacker has your token, they can deny you service and authenticate as you. - Predicting the One-Time Password: The attacker obtains the secret seed, or the algorithm is poorly implemented, or they discover the value of the counter. For a time-based token, they may also manipulate the clock. - Forced Downgrade: The attacker prevents the token from communicating with the verifier or the systems it relies upon, so you have to fall back to a weaker second method of authentication that the attacker can more easily defeat.
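The dynamic and challenge-response password types above, together with the "predict the one-time password" vulnerability, are shown below in working code. This is an added example for these notes, not course-provided code: it implements HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, clock-based) with Python's standard library, a verifier that keeps the counter and refuses to accept a code twice, and an HMAC-based challenge-response exchange. The secret `b"12345678901234567890"` is the RFC test-vector seed; the window sizes and the `HotpVerifier` / `respond` names are this example's own choices.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 test-vector seed; a real token gets a random seed at enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
    Anyone who knows the seed and the counter can compute the next code: that is the
    'predict the one-time password' vulnerability."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch.
    The clock is the counter, so a manipulated clock is a manipulated counter."""
    return hotp(secret, now // step, digits)


class HotpVerifier:
    """Verifier-side state for a counter-based (event) token."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0        # next counter value we expect from this token
        self.window = window    # look-ahead so a token pressed out of band can resync

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # move past it: the same code is never accepted twice
                return True
        return False


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current period plus `skew` periods either side for clock drift.
    `now` must come from the verifier's own trusted clock, never from the client."""
    period = now // step
    return any(hmac.compare_digest(hotp(secret, t), code)
               for t in range(period - skew, period + skew + 1))


def issue_challenge() -> bytes:
    """Challenge-response: a fresh random nonce per login, so every response differs."""
    return secrets.token_bytes(16)


def respond(secret: bytes, challenge: bytes) -> bytes:
    """What the token computes from the verifier's challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(secret, challenge), response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))          # RFC 4226 vector: 755224
    print("TOTP at t=59s :", totp(SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
    v = HotpVerifier(SECRET)
    code = hotp(SECRET, 3)
    print("first use accepted:", v.verify(code), "replay accepted:", v.verify(code))
    c = issue_challenge()
    print("challenge-response ok:", verify_response(SECRET, c, respond(SECRET, c)))
```

Note the contrast with a fixed password: a fixed password or a sniffed TOTP code can be replayed inside its validity window, while a challenge-response answer is bound to one nonce and is useless to an eavesdropper.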
What are the 3 main ways to classify (software) tokens?
- Password type - Connectivity - Vulnerabilities
What are the 3 main ways to classify hardware tokens?
- Password type - Connectivity - Vulnerabilities
What are the 4 security (hardware) tokens?
- Physical key: the cuts along the key lift the pins in the lock cylinder to the shear line so the cylinder can turn. - Magnetic stripe card: when swiped or inserted, the stripe is read by an electronic door lock or scanner. - Smart card: has a processor and runs code (e.g. Java Card applets). It communicates with the verifier by radio antenna or when inserted into a reader. - RSA SecurID: contains a processor like a smart card and produces a one-time password. The user reads the password off the screen and types it in for the verifier to check.
What are the 4 ways to authenticate a user?
- Something the individual knows, e.g. passwords, PINs, specific information - Something the individual possesses, e.g. keycards, smart cards, physical keys (a token) - Something the individual is, e.g. recognition by fingerprint, retina, face (static biometrics) - Something the individual does, e.g. recognition by voice pattern, handwriting, typing rhythm (dynamic biometrics)
What are the 4 basic techniques to eliminate guessable passwords?
- User education: Users can be told the importance of using hard-to-guess passwords and given guidelines for selecting strong passwords. However, there is a good chance that users will ignore these guidelines. - Computer-generated passwords: If these passwords are too random, they are difficult for a user to remember, so they get written down. - Reactive password checking: The system periodically runs its own password cracker to find guessable passwords, cancels any password that is guessed and notifies the user. This is resource intensive if the job is done right. Also, a determined opponent who has stolen the password file can devote full CPU time to the task for hours or even days, so an effective reactive password checker is at a distinct disadvantage. Furthermore, any existing weak password remains vulnerable until the reactive checker finds it. - Complex password policy (proactive password checking): A user is allowed to select their own password, but at the time of selection the system checks whether the password is allowable and rejects it if not, e.g. because it matches a pattern for a weak password, is a dictionary word, or has been used before.
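A proactive checker of the kind described in the last point, written as an added example for these notes (not course code). It rejects a candidate password at selection time if it is too short, is a dictionary word once common disguises (case, trailing digits and punctuation, "l33t" substitutions) are undone, contains the username, has runs of repeated characters or keyboard/alphabet sequences, or matches a previous password. The wordlist is a tiny constructed stand-in for a cracker's dictionary, and the 12-character minimum, the substitution table and the PBKDF2 history store are this example's own choices; a real deployment would load a large wordlist and use whatever slow hash the system already uses for password storage.

```python
import hashlib
import re

# Constructed stand-in for a cracker's wordlist; a real checker loads a large one.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon",
              "qwerty", "football", "summer"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]
# Common substitutions users apply to a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
MIN_LENGTH = 12
HISTORY_ITERATIONS = 100_000   # example value; match the system's storage KDF


def normalise(pw: str) -> str:
    """Undo the usual disguises: case, leading/trailing digits or punctuation
    ('Summer2024!'), and l33t substitutions ('P@ssw0rd')."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return core.translate(LEET)


def has_sequence(pw: str, n: int = 4) -> bool:
    """True if pw contains n consecutive keys, letters or digits in either direction."""
    low = pw.lower()
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):
            if any(run[i:i + n] in low for i in range(len(run) - n + 1)):
                return True
    return False


def history_entry(pw: str, salt: bytes) -> tuple:
    """What the history store keeps: a salted, slow hash, never the password itself."""
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, HISTORY_ITERATIONS)


def check_password(candidate: str, username: str = "", history=()) -> list:
    """Return the reasons the password is rejected; an empty list means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in DICTIONARY or normalise(candidate) in DICTIONARY:
        reasons.append("dictionary word (after undoing common substitutions)")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")
    if re.search(r"(.)\1\1", candidate):
        reasons.append("three or more repeated characters")
    if has_sequence(candidate):
        reasons.append("keyboard or alphabetic sequence")
    for salt, digest in history:
        if history_entry(candidate, salt)[1] == digest:
            reasons.append("used before")
            break
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "qwerty1234", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, username="alice") or "accepted")
```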
Why is storing hashed passwords not secure enough?
If passwords are stored as a plain, unsalted hash, an attacker who obtains the file does not need to attack each password: "rainbow tables" (precomputed tables mapping hashes of common passwords back to the passwords) already list what the hash of each common password is, so any user whose password appears in such a table is cracked by a lookup. Because the same password always produces the same hash, one lookup also reveals every user who shares that password. The fix is a per-user random salt combined with a deliberately slow hash, so precomputation does not pay off.
What is a popular password attack?
A variation of the specific account attack (often called password spraying): the attacker takes a popular password and tries it against a wide range of user IDs. Users tend to choose passwords that are easy to remember; unfortunately, that also makes them easy to guess.
How does one exploit multiple password use?
Attacks become much more effective or damaging if different network devices share the same or a similar password for a given user: one compromised password then opens all of them. Countermeasures include a policy that forbids the same or similar passwords on particular network devices.
What are the countermeasures to an offline dictionary attack?
Countermeasures include controls to prevent unauthorised access to the password file, measures to detect a compromise, and rapid reissuance of passwords should the password file be compromised.
What are the countermeasures for a popular password attack?
Countermeasures include policies that stop users selecting common passwords, and scanning the IP addresses of authentication requests for submission patterns (many different accounts tried from one source, with only a few attempts each).
What is authentication?
How one proves that they are who they say they are, e.g. when you claim to be Jane Doe by logging into a computer system as "jdoe", it is most likely going to ask you for a password. You have claimed to be that person by entering the name into the username field, but now you have to prove that you really are that person. Most systems use a password for this, i.e. a secret shared between you and the system. Other ways are presenting something you have, e.g. a driver's licence, an RSA SecurID token or a smart card, or something you are, e.g. a fingerprint or retina scan.
What is electronic monitoring?
If a password is sent across a network to log on to a remote system, it is vulnerable to eavesdropping. Simply encrypting the password does not fix this, because the encrypted password is, in effect, the password: an adversary can capture it and replay it without ever decrypting it.
How does one exploit user mistakes?
If the system assigns a password, the user is more likely to write it down because it is difficult to remember, which creates the potential for an adversary to read the written password. A user may also intentionally share a password, for example to let a colleague access their files. Attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. Many computer systems ship with preconfigured passwords for system administrators; unless these are changed, they are easily guessed. Countermeasures include user training, changing default passwords, techniques to create more memorable passwords, and simpler passwords combined with another authentication mechanism.
What are the differences between classifications of hardware and software tokens?
Most are the same, except that software tokens have one more vulnerability: the attacker installs a virus on the device running the token software. They can then eavesdrop on, and control, what the software does, so you can no longer trust your token.
What are the differences between static biometrics and dynamic biometrics?
Static: - requires capturing a single sensor reading, e.g. a photo or hand geometry - compares that reading with a stored template. Dynamic: - requires capturing multiple sensor readings over time, e.g. voice or gait - compares the pattern across readings with a stored template.
What is an offline dictionary attack?
The attacker obtains the system password file or database containing the passwords and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination.
What is a specific account attack?
The attacker targets a specific account and submits password guesses until the correct password is discovered.
What is workstation hijacking?
The attacker waits until a logged-in workstation is left unattended and then uses the open session.
What is identification?
The claim that you are somebody, e.g. when you speak to someone you don't know and they ask who they're speaking to. When you say "I'm Jason", you have identified yourself. In the information security world, this is analogous to entering a username.
What are the countermeasures for workstation hijacking?
The standard countermeasure is automatically logging out (or locking) the workstation after a period of inactivity.
What are the countermeasures for a specific account attack?
The standard countermeasure is an account lockout mechanism, which locks access to the account after a number of failed login attempts. Typical practice is to allow no more than five attempts. Note that lockout can itself be abused: an attacker who deliberately fails five logins against a victim's account denies that user service.
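The two online-guessing countermeasures in these notes, per-account lockout for the specific account attack and per-source submission-pattern scanning for the popular password (spraying) attack, can be run over the same authentication log. The monitor below is an added example for these notes, not course code; the log lines, the five-failure lockout, and the "four distinct accounts from one IP within ten minutes" spraying rule are constructed values chosen so the sample triggers each rule. Note how the sprayer never trips the lockout (one failure per account) and is only caught by the per-IP view.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:02 ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:03 ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:04 ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:05 ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:06 ip=198.51.100.7 user=alice result=FAIL
2024-03-01T10:01:00 ip=203.0.113.9 user=bob result=FAIL
2024-03-01T10:01:01 ip=203.0.113.9 user=carol result=FAIL
2024-03-01T10:01:02 ip=203.0.113.9 user=dave result=FAIL
2024-03-01T10:01:03 ip=203.0.113.9 user=erin result=FAIL
2024-03-01T10:02:00 ip=192.0.2.44 user=frank result=FAIL
2024-03-01T10:02:10 ip=192.0.2.44 user=frank result=OK
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

MAX_FAILURES = 5                        # "no more than five access attempts"
LOCKOUT_WINDOW = timedelta(minutes=15)
SPRAY_MIN_USERS = 4                     # example threshold for distinct targets per source
SPRAY_WINDOW = timedelta(minutes=10)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked = {}                    # user -> time the lockout began
        self.targets = defaultdict(list)    # ip -> (timestamp, user) of recent failures
        self.sprayers = set()               # ips that failed against many accounts

    def observe(self, ev: dict) -> None:
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["result"] == "OK":
            self.failures[user].clear()     # success resets the per-account counter
            return
        # Specific account attack: many failures against one account.
        recent = [t for t in self.failures[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked.setdefault(user, ts)
        # Popular password attack: one source, few failures each, many accounts.
        hits = [(t, u) for t, u in self.targets[ip] if ts - t <= SPRAY_WINDOW] + [(ts, user)]
        self.targets[ip] = hits
        if len({u for _, u in hits}) >= SPRAY_MIN_USERS:
            self.sprayers.add(ip)

    def is_locked(self, user: str) -> bool:
        return user in self.locked


def analyse(log_text: str) -> LoginMonitor:
    mon = LoginMonitor()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            mon.observe(ev)
    return mon


if __name__ == "__main__":
    m = analyse(SAMPLE_LOG)
    print("locked accounts:", m.locked)
    print("spraying sources:", m.sprayers)
```

In a real system the lockout would also be enforced at login time, and the locked user needs an unlock path, since an attacker can trigger the lockout on purpose to deny them service.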
What are biometrics?
They authenticate an individual based on unique physical characteristics and pattern recognition. They are technically complex and expensive compared with passwords and tokens. They can provide both verification (is this person who they claim to be?) and identification (who, out of everyone enrolled, is this person?).
What is authorisation?
What takes place after a person has been both identified and authenticated; it is the step that determines what that person is then allowed to do on the system. E.g. someone shows up at your house wanting to be let inside. After they have identified and authenticated themselves, you see they are someone you do not know well, so the authorisation decision would not include access to the inside of the house.
Why is encrypting user passwords and storing them in a database not secure enough?
When the user logs in, you decrypt the stored password and compare it with what they typed; if it matches, you let them in. The problem is that encryption is reversible: insiders, or attackers who steal the key along with the database, can decrypt every stored password. Also, because the same key encrypts every password, users who chose the same password get the same ciphertext, which reveals which accounts share a password. Storing a salted, slow hash avoids both problems: there is nothing to decrypt, and equal passwords produce different stored values.
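Both storage weaknesses in these notes, precomputed lookup against an unsalted hash and identical stored values for identical passwords, are shown below against a salted, slow hash. This is an added example for these notes, not course code. The wordlist and the leaked "database" are constructed; PBKDF2-HMAC-SHA256 from Python's standard library is used because it is always available (scrypt or Argon2 would be the usual choice today), and the iteration count and record format (`pbkdf2_sha256$iterations$salt$hash`) are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed list of popular passwords the attacker precomputes hashes for;
# a real table covers millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]

ITERATIONS = 200_000   # example cost; tune to ~100 ms on the authentication server


def unsalted_hash(pw: str) -> str:
    """The insecure scheme: one deterministic hash per password, no salt."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> password once; this is what a rainbow table amortises."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """stored: username -> hex digest from a leaked database.
    Every hit is a pure lookup, and identical digests are cracked together."""
    return {user: table[h] for user, h in stored.items() if h in table}


def make_record(pw: str) -> str:
    """Secure storage: per-user random salt plus a slow KDF."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and parameters; nothing is ever decrypted."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed leaked database using the insecure scheme.
    leaked = {"alice": unsalted_hash("hunter2"),
              "bob": unsalted_hash("hunter2"),
              "carol": unsalted_hash("correct horse battery staple")}
    print("cracked by lookup:", crack_unsalted(leaked, build_lookup_table(WORDLIST)))
    print("alice and bob share a digest:", leaked["alice"] == leaked["bob"])
    r1, r2 = make_record("hunter2"), make_record("hunter2")
    print("same password, different records:", r1 != r2)
    print("verify correct:", verify_record(r1, "hunter2"),
          "verify wrong:", verify_record(r1, "Hunter2"))
```

The salt does not make a single password harder to guess; it makes the precomputed table useless, because the attacker would need a separate table per salt, and it hides which users share a password. The slow KDF is what makes per-user guessing expensive.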