Unit 5 - Authentication Methods
8.4 Brute Force https://crackstation.net/hashing-security.htm
A brute-force attack tries every possible combination of characters up to a given length. These attacks are very computationally expensive, and are usually the least efficient in terms of hashes cracked per processor time, but they will always eventually find the password. Passwords should be long enough that searching through all possible character strings to find it will take too long to be worthwhile.
8.3 Dictionary attack https://crackstation.net/hashing-security.htm
A dictionary attack uses a file containing words, phrases, common passwords, and other strings that are likely to be used as a password. Each word in the file is hashed, and its hash is compared to the password hash. If they match, that word is the password. These dictionary files are constructed by extracting words from large bodies of text, and even from real databases of passwords. Further processing is often applied to dictionary files, such as replacing words with their "leet speak" equivalents ("hello" becomes "h3110"), to make them more effective.
9.1 Hash Chain https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture24.pdf
A hash chain is the successive application of a hash function to a piece of data. In computer security, a hash chain is a method to produce many one-time keys from a single key or password. Fundamental to the notion of a hash chain is a reduction function. A reduction function maps a hash to a character string that looks like a password. p1 −→ c1=H(p1) −→ p2=R(c1) −→ c2=H(p2) −→ p3=R(c2) −→ c3=H(p3) −→ p4=R(c3)
13. Articulate the process of Public Key Infrastructure (PKI) authentication.
A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users and computers to both securely exchange data over networks such as the Internet and verify the identity of the other party. A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI as they affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate. A typical PKI includes the following key elements: A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses permitted by the root A certificate database, which stores certificate requests and issues and revokes certificates A certificate store, which resides on a local computer as a place to store issued certificates and private keys
4.1 What are the advantages/disadvantages of passwords?
Advantages: 1) Performed in software (no extra expense for tokens or card readers) 2) Common (people are used to it) 3) They can be secure Disadvantages: 1) They need to be remembered 2) There are several attacks against password authentication 3) can be stolen. Keys must be on disk as well. Blacklisting attacks to lock out users. Susceptible to a dictionary attack. login spoofing. Monitor the traffic between the user and computer. Social engineering to obtain the passwd from users.
7. Construct hypothetical attacks that attempt to crack passwords through random, heuristic (systematic) or opportunistic (e.g., dumpster diving) means. Slide 12 https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture24.pdf
Attacks include: Playing on users & guess using weak or popular passwds. Dictionary Attacks: using a program to use a list of words. Brute Force: systematically try all combinations of a passwd. Rainbow Tables: Rainbow tables compute hashes for each word in a dictionary, store all of the hashes into a hash table, retrieve the hash of the password to be cracked, and do a comparison between each password hash and the real password hash Opportunistic: Shoulder surfing, tricking users into revealing their passwd. Social engineering. Brute force you have to gen a hash for every possible hash combo. If you saved brute force work you would get a rainbow table where you match hash in a table against a hash in a passwd file. Precomputed list of hashes and passwds. For every possible combination the rainbow table can be huge.
4. Provide examples that highlight the shortcomings of direct storage of << username, password >> pairs even if the password is encrypted.
DISADVANTAGE: Key loggers, passwd crackers, shoulder surfing, social engineering, guessing.
10. Provide examples of tokens and discuss their utilization. http://www.explainthatstuff.com/how-security-tokens-work.html
Example of "something you have". One-time passwords are used to achieve higher security than traditional static passwords. They're often generated by tokens. Unlike a conventional password, which is "something you know" and remember, your one-time password comes from "something you have" and keep, such as a text message, a security token, or a piece of paper.Usually you have to type the one-time password into the website or computer you're trying to access, though some security tokens use wireless technologies (such as RFID) or plug in to computers via USB sockets, automatically transfer a one-time password without your having to bother about it, and grant you access that way; a plug-in token like this is a bit like a computerized key that unlocks the door to your system and is sometimes called a dongle.
Identity Proofing
Identity proofing, also known as ID proofing, is the process of verifying that a person is who he or she claims to be. ID proofing is a common practice across industries, including such common tasks as renewing a driver's license, securing new employment, or opening a bank account. Identity proofing, including both in-person and remote ID proofing, is critically important as the first step for the secure electronic exchange of health information. Identity proofing starts with the idea that before you give someone a password or create an online account in their name you have to verify that they really are who they say they are. This moment of first contact is a huge weak spot in the way online consumer authentification is done today by many online retailers and financial services firms.
Out-of-band
If a login attempt has failed multiple times and the system locks the account as a precautionary measure, it may allow you to retry but only after it has gone outside of the channel that has failed. ANYTHING NOT USING THE SAME CHANNEL OF IDENTIFICATION IS OUT-OF-BAND
6. Discuss the utilization of "salt" to provide additional security for password storage (e.g., how is it used and what additional security is provided). http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right http://goodmath.scientopia.org/2013/03/02/passwords-hashing-and-salt/
In cryptography, a salt is random data, evenly distributed, high entropy value, that is used as an additional input to a one-way function that hashes a password or passphrase.[1] The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks. A new salt is randomly generated for each password. If each user has a different salt, then even if you've got terrible passwords, a thief needs to do a lot of work to try to break your system.
2.3 Something you Are
Including physical characteristics, such as fingerprints, retina, personal trait
9.3 Lookup Table
Lookup tables are an extremely effective method for cracking many hashes of the same type very quickly. The general idea is to pre-compute the hashes of the passwords in a password dictionary and store them, and their corresponding password, in a lookup table data structure. A good implementation of a lookup table can process hundreds of hash lookups per second, even when they contain many billions of hashes.
5 Hashes. Slide 10
Not reversible No indication of passwd len, or content. Similar hashes look completely different. Admin doesn't know. DISADVANTAGE: Key loggers, shoulder surfing, social engineering, guessing.
14. Summarize the concept of a Single Sign-On System and discuss the advantages and disadvantages of this type of system.
One password for many apps - use google login for facebook, etc. I believe people would be more likely to use passwords that are hard to crack as they only have to remember 1 or 2.
3.3 Passwords & storage
Passwords stored in an encrypted file. Passwords are hashed H(passwd) = D1 Store {username, D1) in passwd file. Prompt/Decrypt: Prompt: H(passwdAttempt) = D2 D1 = D2?
11. Compare and contrast physiological and behavioral (modality) biometrics and provide examples of each.
Physiological characteristics are related to the shape of the body. Examples include, but are not limited to fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odor/scent. Behavioral characteristics are related to the pattern of behavior of a person, including but not limited to typing rhythm, gait, and voice.[note 2] Some researchers have coined the term behaviometrics to describe the latter class of biometrics.[4]
9.4 Rainbow Table http://learncryptography.com/rainbow-tables/
Rainbow Table Attack is an attack that makes use of something called a pre-computed rainbow table. A rainbow table is a table that contains a hash function's inputs and corresponding outputs. A rainbow table makes brute forcing a password hash much easier, by removing the most computationally complicated part of a brute force - performing the hash function itself. With all of the values already computed, it's simplified to just a simple search-and-compare operation on the table. Md5 Rainbow Table With rainbow tables, you are comparing a table of known inputs and outputs to a bunch of unknown outputs. If there's a match, you know for certain that the hash function returns that output for it's corresponding input in the table. A large portion of the security of the hash (the fact that the hash function is not an instant operation, and requires some amount of computational power, and therefore time, to perform) is bypassed with rainbow tables, meaning that if you're lucky, you'll find some matches. However, rainbow tables do have their disadvantages. If the hash you're trying to break is not in your table, you're not going to find the result, period. You're limited to the table that you use, and how that table is created is another challenge entirely. Because rainbow tables have to be made by someone, at some point someone had to generate all of the hashes in the table - likely a very expensive operation for larger, more useful tables. Rainbow tables are also limited by their size - for the speed you gain by not having to compute each hash, you now have to store a significant amount of data - often more than a hard-drive's worth. For a short period of time, rainbow tables were actually an effective way of cracking passwords. With a big enough table (and a big enough database of potential hashes) the chances of finding some matches were quite likely - mainly because of the hash algorithm used (in it's peak, MD5) and also because of common hashes that circulated the web (such as the hash of very common passwords). However, as the popularity of less secure hashing algorithms fell, and as password salting became a more common practice, rainbow tables have fallen out of common use.
9.4 Rainbow Table http://en.wikipedia.org/wiki/Rainbow_table
Rainbow tables are a time-memory trade-off technique. They are like lookup tables, except that they sacrifice hash cracking speed to make the lookup tables smaller. Because they are smaller, the solutions to more hashes can be stored in the same amount of space, making them more effective. Rainbow tables that can crack any md5 hash of a password up to 8 characters long exist. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. It is a practical example of a space/time trade-off, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack infeasible.
9.2 Determine Hash or determine all & store and later look up. Calculate all hash values ahead of time. Slide 26
SALT provides a challenge, Which hash function to use need space to store all
9.3. Compromise between space and time. Slide 28
Store a partial hash and values. Save on space vs. calculating everything. Speed lookup as we only need a partial match. Store less data vs. full list fewer computations to find a match.
2.2 Something you Have
Such as a key, CAC, RSA token,
2.1 Something you Know
Such as a password, pin, challenge question
2.4 User Name/Password Authentication
The combination of a user name and password is one of the most basic authentication schemes. SOMETHING YOU KNOW, MOST COMMON. Password. Authenticate through username and password.
8. Describe what is meant by "password space". Discuss the relationship between password space and password security. Slide 21
The number of passwords available given the range of characters used along with password length. Password length and alphabet size are factors in computing the maximum password space requirements. The set of passwords of a given length and a given character set. The general formula for the size of password space is: (size of the char set) * len
1. 1. Define "identity" and "authenticator". Compare and contrast the two and explain their importance to information assurance.
The process by which the system determines whether the user is who he or she claims to be and whether to allow the user access to systems and networks. Individuals transact with government according to various roles
5.1 Hash and passwords https://crackstation.net/hashing-security.htm
The user creates an account. Their password is hashed and stored in the database. At no point is the plain-text (unencrypted) password ever written to the hard drive. When the user attempts to login, the hash of the password they entered is checked against the hash of their real password (retrieved from the database). If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials. Steps 3 and 4 repeat everytime someone tries to login to their account.
2.4 Modality
Things you are as well as things you do. Way to describe the categories of authentication.
Knowledge-base Authentication (KBA)
This approach uses questions such as "What is your mother's maiden name?", "What is your favorite color?", or "What was your high school mascot?" to establish who you are before you login to a system. REFER TO AS "SECRET QUESTIONS"
8.2 How does a "Brute force" attack work?
This attack, all strings of specified lengths and character set are tried as potential passwords. The only impediment to this attack is TIME. H (ValidPasswd) = D1 H (RandomGuess) = D2
3. Define multi-factor authentication and discuss its utilization in binding identities.
Using 2 or more from above. Helps deliver identity assurance, verifies or identifies a user. It means you have to pass distinctly different types of security check to get access to a computer system.
3.2 Three-factor authentication
Using all 3 from above.
9.. Describe how techniques such as APR1 and account lockout after failed access attempts reduce the vulnerability to specific types of attacks. Identify the types of attacks against which these techniques are most effective. Slide 18
apr1 is MD5 but slowed down a thousand times. Slows down the attack . Value is hasked 1000 times and that value is stored. Significantly increases the number of attempts needed to crack a passwd. apr1 is MD5 but slowed down a thousand times.
12. Describe how, when authenticating over a network, a "challenge and response" protocol can provide more confidence in the authentication.
one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. The simplest example of a challenge-response protocol is password authentication, where the challenge is asking for the password and the valid response is the correct password.