MIS risk and security project
Security in Computing, Fifth Edition
Chapter 2: Toolbox: Authentication, Access Control, and Cryptography
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
1
1
Objectives for Chapter 2
Survey authentication mechanisms
List available access control implementation options
Explain the problems encryption is designed to solve
Understand the various categories of encryption tools as well as the strengths, weaknesses, and applications of each
Learn about certificates and certificate authorities
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
2
Authentication
The act of proving that a user is who she says she is
Determining who a person really is consists of two separate steps:
identification is stating an identity,
authentication is confirming the identity
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
3
Identification is asserting who a person is.
Authentication is proving that asserted identity
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
4
Identification vs. Authentication
Identities, (user-names) are public, and not protected.
bank account number is printed on checks
debit card account number is shown on your card
authentication should be reliable and is necessarily protected.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
5
Authentication Methods:
Something the user knows:
Passwords, PIN numbers, passphrases, a secret handshake
Something the user is:
biometrics, are based on a physical characteristic of the user
a fingerprint, the pattern of a person’s voice, or a fac
Something user has:
Identity badges, physical keys
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
6
Something You Know
Passwords
A user enters identification information
This identification can be available to the public or can be easy to guess because it does not provide the real protection.
The protection system then requests a password from the user.
If the password matches the one on file for the user, the user is authenticated and allowed access.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
7
password guessing steps
no password
the same as the user ID
is, or is derived from, the user’s name
on a common word list (for example, password, secret, private) plus common names and patterns (for example, qwerty, aaaaaa)
contained in a short college dictionary
contained in a complete English word list
contained in common non-English-language dictionaries
obtained by brute force, trying all possible combinations of alphabetic characters
obtained by brute force, trying all possible combinations from the full character set
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
8
Attacks on “something you know”:
Inferring likely passwords/answers
Guessing
Dictionary attacks
Defeating concealment
Exhaustive or brute-force attack
Rainbow tables
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
9
Distribution of Password Types
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
10
Alhough this data is from an old study, more recent studies have reaffirmed the results. The vast majority of passwords used on the Internet are extremely easy to crack.
10
Guessing Probable Passwords
Penetrators searching for passwords realize human characteristics and use them to their advantage
people prefer short passwords to long ones
Trying to guess 4 or 5 characters passwords takes only 475 seconds (about 8 minutes)
people tend to choose names or words they can remember
spelling checkers sometimes carry online dictionaries of the most common English words.
One contains a dictionary of 80,000 words. Trying all of these words as passwords takes only 80 seconds
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
11
Inferring Passwords Likely for a User
When selecting a password, users probably do not choose a word at random.
Passwords are usually something meaningful to People
personal passwords, such as the name of a spouse, child, other family member, or pet.
For any given person, the number of such possibilities is only a dozen or two.
Trying this many passwords by computer takes less than a second
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
12
Dictionary Attacks
Several network sites post dictionaries of phrases, science fiction character names, places, Chinese words, and other specialized lists.
These lists help site administrators identify users who have chosen weak passwords,
But the same dictionaries can also be used by attackers
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
13
Defeating Concealment
The operating system authenticates a user by asking for a name and password, which it then has to validate, most likely by comparing to a value stored in a table
Obtaining the table gives access to all accounts because it contains not just one but all user IDs and their corresponding passwords.
Solution: storing passwords not in their public form but in a concealed form
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
14
most systems lock out a user who fails a small number of successive login attempts.
This failure count prevents an attacker from attempting more than a few guesses.
however, that this lockout feature gives an attacker a way to prevent access by a legitimate user: simply enter enough incorrect passwords to cause the system to block the account.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
15
The interceptor can create a rainbow table, a list of the concealed forms of the common passwords,
Searching for matching entries in an intercepted password table, the intruder can learn that Jan’s password is 123456 and Mike’s is qwerty.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
16
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
17
Scrambled passwords have yet another vulnerability.
Pat and Roz both chose the same password.
Both copies will have the same concealed value, so someone who intercepts the table can learn that users Pat and Roz have the same password.
Knowing one means knowing both
some systems use an extra piece called the salt.
A salt is an extra data field different for each user, perhaps the date the account was created or a part of the user’s name.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
18
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
19
Password Storage
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
20
Plaintext
Concealed
Passwords should never be stored in plaintext but rather should always be concealed. We talk more about proper password storage later.
20
Exhaustive Attack/ brute force
the attacker tries all possible passwords
the number of possible passwords depends on the implementation of the particular computing system.
For example, if passwords are words consisting of the 26 characters A–Z and can be of any length from 1 to 8 characters, there are
261 passwords of 1 character, 262 passwords of 2 characters, and 268 passwords of 8 characters.
Therefore, the system as a whole has five million million possible passwords
With a rate of checking one password per millisecond, it would take on the order of 150 years to test all eight-letter passwords
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
21
intruder knows a password has to be remembered, people tend to pick simple passwords;
therefore, the intruder should try short combinations of characters before trying longer ones.
building a rainbow table of the common passwords, which reduces the attack effort to a simple table lookup
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
22
Good Passwords
2Brn2Bti? PayTaxesApril15th?
Long,
chosen from a large set of characters,
they do not appear in a dictionary.
Adding digits
uppercase and lowercase letters
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
23
Biometrics: Something You Are
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
24
Handprints and fingerprints are two among many examples of biometrics.
24
Biometrics are biological properties, based on some physical characteristic of the human body:
fingerprint
hand geometry (shape and size of fingers)
retina and iris (parts of the eye)
voice
handwriting, signature, hand motion
typing characteristics
blood vessels in the finger or hand
face
facial features, such as nose shape or eye spacing
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
25
Authentication with biometrics has advantages over passwords because a biometric cannot be lost, stolen, forgotten, or shared and is always available
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
26
Problems with Biometrics
Disturbing: cultures, offensive
Expensive
Single point of failure:
example- retail application uses a biometric recognition is linked to a payment scheme: “If a credit card fails to register, customer can always pull out a second card, but if a fingerprint is not recognized, a customer has only that one finger
sore ,irritation fingers
Sampling error:
Variation reduces accuracy : face is tilted, if you press one side of a finger more than another, or if your voice is affected by a sinus infection.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
27
Recent advances in smartphones have begun to make biometrics cheaper and easier to use. Biometrics are still inadequate for extremely sensitive applications, but their convenience makes them a great alternative to weak passwords.
27
False readings:
False positive: incorrectly confirming an identity.
False negative: incorrectly denying an identity
Biometric matches are not exact; the issue is whether the rate of false positives and false negatives is acceptable.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
28
How it works
Biometrics are reliable for authentication but are much less reliable for identification.
All biometric readers operate in two phases.
First, a user registers with the reader, during which time a characteristic of the user (for example, the geometry of the hand) is captured and reduced to a set of data points.
During registration, the user may be asked to present the hand several times so that the registration software can adjust for variations, such as how the hand is positioned.
Registration produces a pattern, called a template, of the data points particular to a specific user.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
29
In the second phase the user later seeks authentication from the system, during which time the system re-measures the hand and compares the new measurements with the stored template.
If the new measurement is close enough to the template, the system accepts the authentication; otherwise, the system rejects it.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
30
Biometric authentication means a subject matches a template closely enough.
“Close” is a system parameter that can be tuned.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
31
Authentication Based on Tokens: Something You Have
you have a physical object in your possession
key.
badges
identity cards
credit cards
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
32
Active and Passive Tokens
passive tokens do nothing
key is an example of a passive token in that the contents of the token never change
active token can have some interaction with its surroundings.
For example, some public transportation systems use cards with a magnetic strip.
When you insert the card into a reader, the machine reads the current balance, subtracts the price of the trip and rewrites a new balance for the next use.
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
33
Static and Dynamic Tokens
static token remains fixed. Keys, identity cards
most useful for onsite authentication
Skimming is the use of a device to copy authentication data secretly and transmit it to an attacker
ATMs
dynamic token overcome copying of physical tokens or passwords
essentially a device that generates an unpredictable value
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
34
Tokens: Something You Have
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
35
An RSA SecurID with a code that changes every 60 seconds. Physical possession of the token should be necessary for successful authentication.
35
One character 0%
Two characters 2%
Three characters 14%
Four characters, all letters
14%
Five letters, all same case
22%
Six letters, lowercase
19%
Words in dictionaries or lists of names
15%
Other good passwords
14%
One character
0%
Two characters
2%
Three characters
14%
Four characters,
all letters
14%
Five letters,
all same case
22%
Six letters,
lowercase
19%
Words in
dictionaries or
lists of names
15%
Other good
passwords
14%
Time-Based Token Authentication
PASSCODE PIN TOKENCODE=
Login: mcollings
2468159759Passcode:
+
Clock synchronized to UCT
Unique seed
Token code: Changes every
60 seconds
Time-Based Token Authentication
PASSCODEPINTOKENCODE
=
Login:mcollings
2468159759Passcode:
+
Clock
synchronized to
UCT
Unique seed
Token code:
Changes every
60 seconds