Module 12: Authentication
Biometric Disadvantages:
- cost of hardware scanning devices
- readers have some amount of error
- reject authorized users
- accept unauthorized users
- biometric systems can be "tricked"
Two specialized devices provide authentication based on something you have:
- smart cards
- windowed tokens
3 Basic steps in a rule attack
1. A small sample of the stolen password plaintext file is obtained.
2. Statistical analysis is performed on the sample to determine the length and character sets of the passwords.
3. A series of masks is generated that will be most successful in cracking the highest percentage of passwords.
facial recognition
A biometric authentication that views the user's face and is becoming increasingly popular on smartphones.
password keys
A hardware-based device to store passwords.
time-based one-time password (TOTP)
A one-time password that changes after a set period of time.
HMAC-based one-time password (HOTP)
A one-time password that changes when a specific event occurs.
key stretching
A password hashing algorithm that requires significantly more time than standard hashing algorithms to create the digest.
- This limits the ability of an attacker to crack passwords, because it requires significantly more time to create each candidate digest, thus slowing down the entire cracking process.
- Two popular key stretching password hash algorithms are bcrypt and PBKDF2.
gait
A person's manner of walking that can be used as a physiological biometric identifier.
fingerprint
A physiological biometric identifier that has become the most common type of authentication.
voice
A physiological biometric identifier.
skimming
A process in which a threat actor attaches a small device that fits inside a card reader to capture information from the magnetic stripe of the card.
phone call
A process to use a smartphone to verify a user's login attempt.
salt
A random string added to a hash algorithm for enhanced security. Salts make dictionary attacks and brute force attacks for cracking large numbers of passwords much more difficult and limit the impact of rainbow tables. Another benefit of a salt is that two users choosing the same password does not help the attacker. Without salts, an attacker who can crack User #1's password would also immediately know User #2's password without performing any computations. By adding salts, however, each password digest is different.
Rule Attack
A rule attack conducts a statistical analysis on the stolen passwords. The results of this analysis are then used to create a mask of the format of the candidate password.
- Not intended to crack every password, but instead gives the highest probability of breaking the largest number of passwords.
password
A secret combination of letters, numbers, and/or characters that only the user should have knowledge of.
Windowed token
A small device with a window display. A windowed token does not display a value that never changes (static code); instead, the value dynamically changes. This value is a one-time password (OTP), which is an authentication code that can be used only once or for a limited period of time.
- Two types of OTPs: TOTP, HOTP.
static code
A value that never changes.
Security Assertion Markup Language (SAML)
An Extensible Markup Language (XML) standard that allows secure web domains to exchange user authentication and authorization data. This allows a user's login credentials to be stored with a single identity provider instead of being stored on each web service provider's server. SAML is used extensively for online e-commerce business-to-business (B2B) and business-to-consumer (B2C) transactions. The steps of a SAML transaction are as follows:
1. The user attempts to reach a website of a service provider that requires a username and password.
2. The service provider generates a SAML authentication request that is then encoded and embedded into a URL.
3. The service provider sends a redirect URL to the user's browser that includes the encoded SAML authentication request, which is then sent to the identity provider.
4. The identity provider decodes the SAML request and extracts the embedded URL. The identity provider then attempts to authenticate the user either by asking for login credentials or by checking for valid session cookies.
5. The identity provider generates a SAML response that contains the authenticated user's username, which is then digitally signed using asymmetric cryptography.
6. The identity provider encodes the SAML response and returns that information to the user's browser.
7. Within the SAML response, there is a mechanism so that the user's browser can forward that information back to the service provider, either by displaying a form that requires the user to click a Submit button or by automatically sending it to the service provider.
8. The service provider verifies the SAML response by using the identity provider's public key. If the response is successfully verified, the user is logged in.
- SAML works with multiple protocols, including Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and File Transfer Protocol (FTP).
offline brute force attack
An attack in which a stolen digest file is loaded onto a computer to be cracked using password cracking software to create candidate digests of every possible combination. The candidates are matched against those in the stolen digest file to find a match.
- The slowest yet most thorough attack that is used against passwords.
pass the hash
An attack in which the attacker steals the digest of a password, sends that hash to the remote system to be authenticated, and then pretends to be the user.
OAuth (Open Authorization)
An open source federation framework.
- OAuth 2.0 is a framework to support the development of authorization protocols.
Something you exhibit
Authentication based on a genetically determined characteristic. Ex. Peyton's red hair.
Something you can do
Authentication based on actions that the user can uniquely perform. Ex. Paul's signature.
someone you know
Authentication based on being validated by another person. Ex. Trey knows Kyle.
Something you have
Authentication based on the approved user having a specific item in their possession. Ex. a key.
Somewhere you are
Authentication based on where the user is located. Ex. a restricted military base.
Password Security:
Because passwords are so widely used—and attacked—much attention is focused on securing passwords. This includes protecting password digest files and helping users manage their passwords.
Something you do
Behavioral biometrics: based on actions that the user is uniquely qualified to perform, or something you do.
- Keystroke dynamics: recognizes a user's unique typing rhythm.
Hardware Security Module (HSM)
Comprehensive cryptographic hardware modules can also facilitate password management. A hardware security module (HSM) is a removable external cryptographic device. An HSM can be a USB device, an expansion card, a device that connects directly to a computer through a port, or a secure network server.
- Ex. MicroSD HSM.
Common sequence of password attack tools
1. Custom wordlist - download a stolen password collection.
2. Custom wordlist using rule attack - Dictionary attack - generate password statistics using a rule attack to create specialized masks.
3. Dictionary attack using rules - conduct a refined dictionary attack using results from a rule attack.
4. Updated custom wordlist using rules - input any cracked passwords from previous steps to create more refined rules.
5. Hybrid attack - perform a focused dictionary attack with a mask attack.
6. Mask attack - conduct a mask attack on harder passwords that have not already been cracked.
7. Brute force attack - last-resort effort on any remaining passwords.
Disadvantages of using a smartphone:
Despite its convenience and ability to reach a wide range of users, using a smartphone for authentication is not considered to be a secure option. An OTP received through an SMS text message can be "phished" (when a user is tricked into providing it to an attacker through a phishing attack), SMS text messages can be intercepted, and a malware infection on the phone can target the authentication app.
Authentication Services
Different services can be used to provide authentication. These include RADIUS, Kerberos, Terminal Access Control Access Control Systems, directory services, Security Assertion Markup Language, and authentication framework protocols.
vein
One of the "tubes" that form part of the blood circulation system in the human body that carries oxygen-depleted blood back toward the heart.
authentication
Proving that a user is genuine and not an imposter.
Protecting Password Digests
- Salts
- Key stretching
Secure Authentication Technologies:
- Single sign-on
- Authentication services
Federation
Single sign-on for networks owned by different organizations, also called federated identity management (FIM).
password cracker
Software designed to break passwords through matching hashes. Password crackers create known digests (candidates) and then compare them against the stolen digests.
Two types of fingerprint scanners:
- Static fingerprint scanner: requires the user to place the entire thumb or finger on a small oval window on the scanner. The scanner takes an optical "picture" of the fingerprint and compares it with the fingerprint image on file.
- Dynamic fingerprint scanner: has a small slit or opening
MS-CHAP
The Microsoft version of CHAP.
efficacy rate
The benefit achieved by a biometric identifier. While biometrics can aid in authentication, some experts question the sacrifice of user privacy.
crossover error rate (CER)
The biometric error rate in which the FAR and FRR are equal over the size of the population.
TACACS+
The current version of the Terminal Access Control Access Control System (TACACS) authentication service.
- An authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server.
- Encrypted communication.
false acceptance rate (FAR)
The frequency at which imposters are accepted as genuine when using biometric authentication.
Something You Are
This type of authentication, something you are, involves physiological biometrics and cognitive biometrics.
card cloning
Unauthorized duplication of smart cards.
multifactor authentication (MFA)
Using more than one type of authentication credential.
single sign-on (SSO)
Using one authentication credential to access multiple accounts or applications.
- SSO holds the promise of reducing the number of usernames and passwords that users must memorize (potentially, to just one).
knowledge-based authentication
Using perception, thought processes, and understanding for a biometric identifier. AKA cognitive biometrics.
- One of the most common methods used in Picture Password was using a photo of a person and triple tapping on the face, with the most common face tap being the eyes, followed by the nose and jaw.
Smartphones
Whereas smart cards and windowed tokens are specialized devices, using a smartphone for authentication is considered a more practical approach. Because smartphones are ubiquitous and carried by users virtually everywhere, they can be used for authentication by a wide range of users without the need for an additional device. Once users enter their username and password on the endpoint, their smartphone (something they have) is then used for the second authentication factor. Authentication through using a smartphone can be accomplished by the following:
- Phone call. An automated phone call to the user's smartphone asks if the user has requested to log in and, if so, to press a digit on the keypad for approval, or to decline if the user has not just tried to log in.
- SMS text message. Another option is for the user to receive an OTP in an SMS text message. The user must then manually enter the OTP.
- Authentication app. An authentication app can be installed on the smartphone to authenticate the user. When the app is first installed, the user goes through a verification process. Whenever a user attempts to log in to an account by entering a username and password, a message is displayed on a specified phone (called a push notification) through the authentication app that asks the user to approve or deny the request.
directory service
A database stored on the network itself that contains information about users and network devices. It holds information such as the user's name, telephone extension, email address, and login name; it also keeps track of all the resources on the network and a user's privileges to those resources, and grants or denies access based on the directory service information.
Something you know
Knowledge that only authorized people know. Ex. a password.
Elements that prove authenticity
Somewhere you are, something you are, something you have, someone you know, something you exhibit, something you can do, or something you know.
Even when users attempt to create stronger passwords, they generally follow these predictable patterns:
• Appending - When users combine letters, numbers, and punctuation (character sets), they do it in a pattern. Most often they only add a number after letters (caitlin1 or cheer99).
• Replacing - Users also use replacements in predictable patterns. Generally, a zero is used instead of the letter o, the digit 1 for the letter i, or a dollar sign for an s (be$tfriend).
smart card
A card that contains information used as part of the authentication process. Smart cards used for authentication generally require that the card be inserted into a card reader that is connected to the computer, although some cards are contactless cards that only require the card to be in close proximity to the reader.
- Has many disadvantages.
dictionary attack
A dictionary attack begins with the attacker creating digests of common dictionary words as candidates and then comparing them against those in a stolen digest file. Dictionary attacks are successful because users often create passwords from simple dictionary words.
- Pre-image attack: a dictionary attack that uses a set of dictionary words and compares it with the stolen digests. One known digest (dictionary word) is compared to an unknown digest (stolen digest).
- A birthday attack is slightly different, in that the search is for any two digests that are the same.
- A password attack that is a combination of a dictionary attack and a mask attack is called a hybrid attack.
OpenID
A federation technology that provides user authentication information.
- An authentication protocol that can be used in OAuth 2.0 as a standard means to obtain user identity.
Extensible Authentication Protocol (EAP)
A framework for transporting authentication protocols that defines the format of the messages. EAP essentially defines the format of the messages and uses four types of packets: request, response, success, and failure. Request packets are issued by the authenticator and ask for a response packet from the supplicant. Any number of request-response exchanges may be used to complete the authentication. If the authentication is successful, a success packet is sent to the supplicant; if not, a failure packet is sent.
token key
A hardware device inserted into a computer port that contains all the necessary cryptographic information to authenticate the user. AKA security key.
- Security keys do not transmit OTPs that can be intercepted or phished, and are considered easier to use.
- One feature of token/security keys is attestation.
MicroSD HSM
A hardware security module in a small consumer-oriented form factor.
attestation
A key pair that is "burned" into a security key during manufacturing and is specific to a device model that can verify authentication.
retina
A layer at the back (posterior) portion of the eyeball that contains cells sensitive to light and can be used for biometric authentication. The network of blood vessels in the retina is so complex that even identical twins do not share a similar pattern. Even though retinal patterns may be altered in cases of diabetes, glaucoma, or retinal degenerative disorders, the retina generally remains unchanged through a person's lifetime.
password vault
A secure repository in which users can store their passwords. 3 basic types of password vaults/managers:
• Password generators. These are web browser extensions that generate passwords. The user enters a master password and the password generator creates a password based on the master password and the website's URL "on the fly." The disadvantage of password generators is that the browser extension must be installed on each computer and web browser.
• Online vaults. An online vault also uses a web browser extension, but instead of creating the user's password each time, it retrieves the password from a central online repository. The disadvantage is that online sites storing the passwords are vulnerable to attackers.
• Password management applications. A password management application is a program installed on a computer through which the user can create and store multiple strong passwords in a single user "vault" file that is protected by one strong master password. Users can retrieve individual passwords as needed by opening the user file, freeing the user from the need to memorize multiple passwords. The disadvantage is that the program must be carried with the user or installed on multiple computers.
authentication app
A smartphone application that can be used to verify a user's login attempt.
iris
A thin circular structure in the eye that can be used for authentication.
Challenge-Handshake Authentication Protocol (CHAP)
A weak authentication framework protocol that has been replaced by more secure versions.
Password Authentication Protocol (PAP)
A weak version of Extensible Authentication Protocol (EAP).
brute force attack
An attack in which every possible combination of letters, numbers, and characters is combined to attempt to determine the user's password. The attack is not done in a random fashion but instead uses a meticulous approach to create the passwords.
online brute force attack
An attack in which the same account is continuously attacked by entering different passwords. However, an online brute force attack is rarely used by attackers because it is impractical. Even at two or three tries per second, it could take thousands of years to guess the right password.
password spraying
An attack that uses one or a small number of commonly used passwords when trying to log in to several different user accounts. Because this targeted guess is spread across many accounts, instead of attempting multiple password variations on a single account, it is much less likely to raise any alarms or lock out the user account from too many failed password attempts.
Kerberos
An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.
- Kerberos uses encryption and authentication for security. Kerberos will function under Windows, macOS, and Linux.
- The user is provided a ticket that is issued by the Kerberos authentication server, much as a driver's license is issued by the DMV. This ticket contains information linking it to the user. The user presents this ticket to the network for a service. The service then examines the ticket to verify the identity of the user. If the user is verified, he is then accepted.
RADIUS (Remote Authentication Dial-In User Service)
An industry standard authentication service with widespread support across nearly all vendors of networking equipment.
- The RADIUS server authenticates and authorizes the RADIUS client request and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers.
- The strength of RADIUS is that messages are never sent directly between the wireless device and the RADIUS server. This prevents an attacker from penetrating the RADIUS server and compromising security.
- RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share. Doing so increases security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it is easier to track usage for billing and for keeping network statistics.
Something you are
Authentication factor that relies on a biological physical characteristic (fingerprint, face, eye, palm).
Rainbow tables
Large pregenerated data sets of encrypted passwords used in password attacks. A rainbow table is a compressed representation of passwords that are related and organized in a sequence (called a chain). Although generating a rainbow table requires a significant amount of time, once it is created, it has three significant advantages over other password attack methods:
1. A rainbow table can be used repeatedly for attacks on other passwords.
2. Rainbow tables are much faster than dictionary attacks.
3. The amount of memory needed on the attacking machine is greatly reduced.
false rejection rate (FRR)
The frequency that legitimate users are rejected when using biometric authentication.