Cybersecurity assignment
Chapter 6 Authenticating People
Chapter 6 Overview
The three authentication factors: what you know, you have, and you are
Passwords, password bias, and search space calculations
Cryptographic building blocks: random choice, one-way hash
Authentication devices: personal tokens and biometrics
Basic issues in authentication policy
Elements of Authentication
Authentication Factors
Something you know
Password or PIN
Something you have
Key or token
Something you are
Personal trait
Traditional parallel terms:
Something you know, are, have
Multi-factor Authentication
Using different factors in authentication
NOT two or three instances of the same factor
Two-factor authentication
ATM authentication: ATM card + PIN
Biometric laptop: Fingerprint + password
NOT: Password + PIN
Three-factor authentication
Biometric access card: fingerprint + card + PIN
NOT: fingerprint + PIN + password
Authentication Threats
Focus in this chapter
Trick the authentication system or access assets through the system
No “remote” attacks via Internet or LAN
Threats must have physical access to system
Range of threats
Weak threat – authentication is effective
Strong threat – authentication may work
Extreme threat – authentication not effective
Attacks on Authentication
Password Authentication
Each User ID is associated with a secret
User presents the secret when logging in
System checks the secret against the authentication database
Access granted if the secret matches
Risks
Shoulder surfing at the keyboard
Reading the password off of printer paper
Sniffing the password in transit or in RAM
Retrieving the authentication database
Password Hashing
One-Way Hash Functions
A Cryptographic Building Block function
We will see more building blocks later
Input:
An arbitrarily large amount of data, from a few bytes to terabytes – RAM or files or devices
Output:
A fixed-size result
Impractical to reverse
Minor change to input = big change to output
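Added example (not from the slides): a Python demonstration of the hash properties listed above, plus the way a password database uses them. The SHA-256 and PBKDF2 calls are Python standard-library functions; the sample password and the 200,000-iteration work factor are constructed for illustration. The point for the defender is that the database stores a salted, slow, one-way hash, so retrieving it (L48 above) does not hand over the passwords directly.

```python
import hashlib
import hmac
import os

# Constructed sample password for the demonstration (not a real credential).
SAMPLE_PASSWORD = "correct horse"


def digest_hex(data: bytes) -> str:
    """One-way hash: input of any size in, a fixed 32-byte (64 hex digit) SHA-256 digest out."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests, to show the avalanche effect:
    a one-character change in the input flips roughly half of the 256 output bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_password_record(password: str, iterations: int = 200_000) -> dict:
    """Build what the authentication database stores for one user: a random salt,
    the work factor, and the salted, iterated hash (PBKDF2-HMAC-SHA256).
    The password itself is never stored."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the presented secret and compare in constant time,
    so a mismatch does not leak how many leading bytes were right."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["hash"])


if __name__ == "__main__":
    small = digest_hex(b"a")
    large = digest_hex(b"a" * 10_000_000)        # ~10 MB of input, same output size
    print(len(small), len(large))                # 64 64
    h1, h2 = digest_hex(b"password"), digest_hex(b"Password")
    print(bits_changed(h1, h2), "of 256 bits differ")
    rec = make_password_record(SAMPLE_PASSWORD)
    print(verify_password(rec, SAMPLE_PASSWORD), verify_password(rec, "wrong"))
```

The salt makes two users with the same password hash differently, and the iteration count is what makes the off-line cracking rates discussed later in the chapter slower per guess.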
Sniffing Passwords
Goal: intercept the password before it is hashed
Keystroke loggers
In hardware: Devices that connect to a keyboard's USB cable
In software: Procedures that eavesdrop on keyboard input buffers
Password Guessing
DOD Password Guideline (1985) required a minimum 1 in a million chance of successful guessing.
This was designed to defeat interactive password guessing: A person or machine made numerous guesses
Some guessing succeeds based on social and personal knowledge of the targeted victim
Modern network-based guessing can try tens of thousands of alternatives very quickly.
Off-line Password Cracking
How Fast Is Off-line Cracking?
It depends on the size of the search space
i.e., how many legal – or likely – passwords?
Legal passwords are limited to specific sets of characters, typically from the ASCII set
Single-case letters only:
Two-letter passwords = 26^2
Three-letter passwords = 26^3
… etc.
Password with L letters = 26^L
Increasing the Search Space
Two options
Increase L – the length of passwords
Increase A – the range of letters and other characters in the password's alphabet
Also called the character set
Search space for fixed-length password = A^L
Search space for range of lengths from 1 to L
A summation of individual lengths
Reduces to algebra: (A^(L+1) – 1)/(A – 1)
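Added example (not from the slides): Python functions for the search-space calculations above, with a comparison across character sets. The cracking rate in the demonstration is an assumed figure for illustration only. One caveat worth knowing: the closed form (A^(L+1) – 1)/(A – 1) is the geometric series starting at length 0, so it also counts the empty password and is exactly one larger than the sum over lengths 1 to L; at realistic sizes the difference does not matter.

```python
from typing import Dict

# Character-set sizes used for the comparison below (printable ASCII is 95 symbols).
ALPHABETS: Dict[str, int] = {
    "lowercase": 26,
    "mixed case": 52,
    "alphanumeric": 62,
    "printable ASCII": 95,
}


def fixed_length_space(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` characters from `alphabet_size` symbols: A^L."""
    return alphabet_size ** length


def ranged_space(alphabet_size: int, max_length: int) -> int:
    """Passwords of every length from 1 to max_length, summed term by term."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def ranged_space_closed_form(alphabet_size: int, max_length: int) -> int:
    """The slide's algebraic reduction (A^(L+1) - 1)/(A - 1). It starts at length 0,
    so it counts the empty password too: always ranged_space() + 1."""
    return (alphabet_size ** (max_length + 1) - 1) // (alphabet_size - 1)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every password in the space at the given rate."""
    return space / guesses_per_second


def average_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen password: half the space on average."""
    return space / (2 * guesses_per_second)


if __name__ == "__main__":
    # Assumed rate for illustration only; real rates depend on the hash and hardware.
    rate = 1e9
    for name, a in ALPHABETS.items():
        for length in (6, 8, 12):
            s = ranged_space(a, length)
            days = average_seconds(s, rate) / 86400
            print(f"{name:16s} L<={length:2d}  space={s:.3e}  avg={days:.3g} days")
```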
Speed of Cracking
Varies with different hardware and assumptions
Best case: Cracking with a desktop computer
Bad case: Using custom hardware
Worst case: Using the limits of physics
Exploiting Password Bias
Attacker doesn't try every possible password
Restricts the search space to likely passwords
Morris worm successfully used this attack
Similar attack used by Anonymous and Lulz in 2011 to extract passwords from hashes
A dictionary attack
Uses a list of likely passwords as the password space
There are far fewer likely passwords than possible passwords
A Dictionary Attack
Dictionary Attacks Work
The attacks don't recover all passwords, but they recover enough to make them worthwhile
Exploit the likelihood that some users choose weak passwords
| Research or Incident | % Guessed |
|---|---|
| Morris worm, estimated success (1988) | ~50% |
| Klein's Study (1990) | 24.2% |
| Spafford's Study (1992) | 20% |
| CERT Incident 1998-03 | 25.6% |
| Cambridge study by Yan et al. (2000) | 35% |
| Lulz and Anonymous, estimated success (2011) | 30% |
Assessing Bias-based Attacks
Entropy in data indicates the likelihood that a particular message may appear
It considers the range of possible messages and the likelihood of each one
Randomly chosen characters have more entropy than readable text
Language enforces a bias in the choice of letter sequences
Estimated entropy in English text is 1 to 3 bits per character
Average Attack Space
An estimate of the likelihood that a trial-and-error attack will succeed against a community
We construct a dictionary of passwords that the community is likely to use
We estimate the likelihood that the community chooses those passwords
V = S / (2 × L)
V = # of trials for a 50% chance of success
S = size of the search space (dictionary)
L = likelihood that users choose from dictionary
An Example: Four-digit Luggage Lock
Assume that there are hundreds of these locks being used
25% of the owners pick a 4-digit date as the combination
1 out of 366, not 1 out of 10000
V = 366 / (2 × 0.25)
V = 732
50% chance of success requires 732 date trials, not 5000
Must try different locks at random!
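Added example (not from the slides) covering both the entropy discussion and the average attack space formula V = S / (2 × L). The functions use the slide's symbols; the luggage-lock figures (366 dates, 25% of owners) come from the slide, and the 1 to 3 bits per character estimate for English is used to show how much smaller the effective space of readable text is than A^L. The 8-character and 1.5-bit values in the demonstration are illustrative choices.

```python
import math
from typing import Iterable, Tuple


def average_attack_space(search_space: int, likelihood: float) -> float:
    """V = S / (2 * L): trials needed for a 50% chance of success when a fraction L
    of the community chooses from a dictionary of size S."""
    if not 0 < likelihood <= 1:
        raise ValueError("likelihood must be in (0, 1]")
    return search_space / (2 * likelihood)


def best_attack_space(dictionaries: Iterable[Tuple[int, float]]) -> float:
    """Several candidate dictionaries for one community (size, likelihood): the
    bias-based attack to worry about is the one with the smallest V."""
    return min(average_attack_space(s, l) for s, l in dictionaries)


def entropy_effective_space(bits_per_char: float, length: int) -> float:
    """Effective search space of text with the given entropy per character: 2^(bits*length)."""
    return 2.0 ** (bits_per_char * length)


def bits_of_entropy(space: float) -> float:
    """Express a search space as bits, the usual way to compare password policies."""
    return math.log2(space)


if __name__ == "__main__":
    # Four-digit luggage lock from the slide: uniform choice vs. 25% choosing a date.
    uniform = average_attack_space(10_000, 1.0)          # 5000 trials
    dates = average_attack_space(366, 0.25)              # 732 trials
    print(f"uniform: {uniform:.0f} trials, date dictionary: {dates:.0f} trials")
    print("best attack:", best_attack_space([(10_000, 1.0), (366, 0.25)]))
    # English-like 8-character password at ~1.5 bits/char vs. the full 26^8 space.
    print("effective bits:", bits_of_entropy(entropy_effective_space(1.5, 8)))
    print("full lowercase bits:", round(bits_of_entropy(26 ** 8), 1))
```

Note that V is an expectation over the community: the 732 figure only holds if the attacker tries different locks at random, as the slide says, rather than spending all 732 trials on one lock whose owner may not have used a date.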
Password Ping-Pong
| Attacks | Defenses |
|---|---|
| | Passwords |
| Steal the Password File | Password Hashing |
| Guessing | Guess Detection |
| Social Engineering | Help Desk Restrictions |
| Keystroke Sniffing | Memory Protection |
| Password Sharing | Password Tokens |
| Network Sniffing | One-Time Passwords |
| ?? | |
Authentication Tokens
Benefits
Hard to attack – use a stronger secret than you get in a typical password
Hard to forge – must hack the hardware
Hard to share – secret stored in hardware
Problems
Expensive – must buy hardware and/or special authentication software
Can be lost or stolen
Risk of hardware failure
Types of Tokens
Passive tokens – the most common
Stores an unchanging credential
Examples: Card keys for hotel rooms, magnetic stripes on credit cards
Active tokens – the most secure
Stores a secret that generates a different credential for each login
Examples: One-time password tokens, smartphone authentication apps
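Added example (not from the slides): an active token in Python, implemented as HOTP, the HMAC-based one-time password algorithm of RFC 4226, which is what many hardware tokens and smartphone apps use. The secret and counter live in the token; the verifier keeps the same secret and the last accepted counter, and accepts each credential once, so a sniffed code cannot be replayed. The test secret is the RFC 4226 test vector; the look-ahead window of 5 is an assumed policy value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side for one user: shared secret plus the next counter value we expect.
    A small look-ahead window tolerates presses that never reached the server."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1      # everything up to c is now spent
                return True
        return False


class Token:
    """The active token itself: same secret, its own counter, a new credential per press."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


if __name__ == "__main__":
    shared = b"12345678901234567890"            # RFC 4226 test secret
    token, server = Token(shared), TokenVerifier(shared)
    first = token.press()
    print(first, server.verify(first))         # accepted once
    print(server.verify(first))                # replay of a sniffed code: rejected
    print(server.verify(token.press()))        # next press: accepted
```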
Challenge Response Authentication
Another Crypto Building Block
Challenge response is a protocol
An exchange of data to yield a shared result
Four steps:
Bob says, “Authenticate me!”
Alice says, “The challenge is 56923”
Bob calculates the response and says, “The response is 17390.”
Alice checks Bob's response against what she expected, using the same calculation
Calculation relies on a shared secret
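Added example (not from the slides): the four-step exchange above as two Python objects, with Alice as the verifier and Bob as the claimant. The slide does not specify the calculation, so this example assumes HMAC-SHA256 over the challenge with the shared secret as key; the challenge is a random 16-byte value rather than the five-digit number in the slide. Alice discards each challenge after one check, which is what defeats replaying a sniffed response.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def compute_response(shared_secret: bytes, challenge: bytes) -> str:
    """The calculation both sides perform; assumed here to be HMAC-SHA256."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).hexdigest()


class Verifier:
    """Alice: issues fresh challenges and checks responses against her own calculation."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._outstanding: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        # Step 2: "The challenge is ..." (random, never reused)
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def check(self, response: str) -> bool:
        # Step 4: compare with what she expected, then retire the challenge.
        if self._outstanding is None:
            return False
        expected = compute_response(self._secret, self._outstanding)
        self._outstanding = None
        return hmac.compare_digest(expected, response)


class Claimant:
    """Bob: holds the same secret and answers whatever challenge he is given."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret

    def respond(self, challenge: bytes) -> str:
        # Step 3: "The response is ..."
        return compute_response(self._secret, challenge)


def run_exchange(alice: Verifier, bob: Claimant) -> bool:
    """Steps 1 to 4 in order; the secret itself never crosses the wire."""
    challenge = alice.issue_challenge()       # step 1 is Bob asking; step 2 is this
    return alice.check(bob.respond(challenge))


if __name__ == "__main__":
    shared = secrets.token_bytes(32)          # provisioned out of band, constructed here
    alice, bob = Verifier(shared), Claimant(shared)
    print("genuine Bob:", run_exchange(alice, bob))
    print("wrong secret:", run_exchange(alice, Claimant(secrets.token_bytes(32))))
```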
A Challenge Response Calculation
Photo: Courtesy of Dr. Richard Smith.
A One-time Password Token
Photo: Courtesy of Dr. Richard Smith.
Smartphones as Tokens
Lock/unlock adds an authentication factor
Unlock with memorized passcode
Separate authentication token
Smart watch or other Bluetooth device
Biometric: fingerprint, face, iris, …
Mobile authentication techniques
One-time password via SMS messaging (bad)
Smartphone one-time password software
NFC protocols for financial cards
Token Vulnerabilities
Clone or borrow credential
Borrowing is possible, but detectable
Cloning should be impractical
Sniffing and trial-and-error guessing
Both should be impractical
Denial of service
Token may be lost, damaged, or stolen
Retrieve from backup
Attacker could steal the authentication database – 2011 incident with SecurID
Biometric Authentication
Courtesy of Dr. Richard Smith
Elements of Biometric Authentication
Biometric Accuracy
Two types of errors
False acceptance – incorrectly detects a match between a credential and the database
False rejection – fails to detect a match between a credential and the database
False Acceptance Rate (FAR)
Likelihood of incorrectly authenticating someone as an authorized user
Average attack space = 1 / (2 × FAR)
False Rejection Rate (FRR) – denial of service
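Added example (not from the slides): computing FAR and FRR from matcher scores at a chosen threshold, and the resulting average attack space 1 / (2 × FAR). The genuine and impostor score lists are constructed for the demonstration and do not describe any real sensor; the point they show is the trade-off the slide names, where raising the threshold lowers FAR (fewer impostors accepted) while raising FRR (more legitimate users denied).

```python
from typing import List, Sequence, Tuple

# Constructed match scores (0..100) from a hypothetical matcher, not real data.
GENUINE_SCORES = [88, 92, 75, 95, 60, 83, 90, 78, 86, 94]    # enrolled user vs. self
IMPOSTOR_SCORES = [12, 30, 45, 22, 55, 18, 40, 65, 28, 35]   # enrolled user vs. others


def false_acceptance_rate(impostor_scores: Sequence[int], threshold: int) -> float:
    """FAR: fraction of impostor attempts whose score reaches the acceptance threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_rejection_rate(genuine_scores: Sequence[int], threshold: int) -> float:
    """FRR: fraction of genuine attempts that fall below the threshold (denial of service)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def average_attack_space(far: float) -> float:
    """Slide formula: trials for a 50% chance that a random impostor is accepted."""
    if far <= 0:
        return float("inf")          # no false acceptances observed in this sample
    return 1 / (2 * far)


def sweep(thresholds: Sequence[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold, to pick an operating point."""
    return [
        (t, false_acceptance_rate(IMPOSTOR_SCORES, t), false_rejection_rate(GENUINE_SCORES, t))
        for t in thresholds
    ]


if __name__ == "__main__":
    for t, far, frr in sweep([40, 50, 60, 70, 80]):
        print(f"threshold {t}: FAR={far:.2f} FRR={frr:.2f} attack space={average_attack_space(far)}")
```

A sample of ten scores cannot measure a FAR of one in a million; real evaluations need impostor attempts on that scale before the attack-space figure means anything.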
Biometric Vulnerabilities
Clone or borrow credential – often
Demonstrated many times with fingerprints, faces, voices, etc.
Sniff the credential and replay – often
Possible in networked and remote systems
Trial and error guessing – slight
Requires a team of attackers
Denial of service – possible
Retrieve from backup – possible
Authentication Requirements
Constructing a policy for an isolated computer
Answer these questions:
Is the computer used at home, at work, or both?
For each environment, are there threats?
For each threat, is it a weak or strong threat?
Weak threat: Might make an opportunistic attack on a vulnerable computer
Strong threat: Will spend time and effort on an attack, if unlikely to be detected and/or caught
Threats and Motivations
Weak Threat Environments
At home
Avoid opportunities for shoulder surfing
Do not write down passwords that are at risk of being stolen
Passwords should be hard to guess and easy to remember
At work – similar to home, except:
Passwords may be written down as long as the user keeps physical possession of the list
Authentication tokens may be used
Strong Threat Environment
Using passwords
System should track failed password guesses to try to detect guessing attacks
Protect against keyboard sniffers
Pick passwords that resist off-line attacks
The system should provide “secure attention”
Other options:
Passwords plus tokens (not for home use)
Passwords plus a locked smartphone
Passwords plus biometrics
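Added example (not from the slides): detection logic for the first item under "Using passwords" above, tracking failed guesses per account over a sliding time window. The log format and every line in it are constructed for the demonstration; the threshold of 3 failures in 5 minutes is an assumed policy value, and the function takes both as parameters so a different policy can be tried against the same log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed authentication log for the demonstration; not output of any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:06 LOGIN_OK   user=alice src=10.0.0.5
2024-03-01T09:05:10 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:20:15 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T09:21:00 LOGIN_OK   user=bob src=10.0.0.9
2024-03-01T08:00:00 LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T09:30:00 LOGIN_FAIL user=carol src=10.0.0.7
2024-03-01T11:00:00 LOGIN_FAIL user=carol src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(LOGIN_\w+)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse (timestamp, event, user, source) tuples and return them in time order;
    malformed lines are skipped rather than aborting the scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def detect_guessing(text: str, threshold: int = 3,
                    window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Flag accounts with at least `threshold` failed logins inside any `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    for ts, event, user, _src in parse_log(text):
        if event != "LOGIN_FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    print("default policy:", sorted(detect_guessing(SAMPLE_LOG)))
    print("2 in 20 minutes:", sorted(detect_guessing(SAMPLE_LOG, 2, timedelta(minutes=20))))
```

Carol's three failures are spread over three hours and look like a forgetful user; whether Bob's two failures fifteen minutes apart count depends entirely on the window chosen, which is the policy decision this chapter asks you to make for each threat environment.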
Password Selection and Handling
Password selection
Choose passwords according to the risk faced by the assets they protect
Pick strong passwords for valuable assets
Use different passwords to protect different types of assets (if you reuse passwords)
Password protection
Keep an electronic, password-protected list
Keep a paper list of less critical passwords
Lock up a list of essential passwords safely