Sec2_Task

hybridtek

Chapter_2_Identification_and_Authentication.pdf

Home >Computer Science homework help >Sec2_Task

2 I D E N T I F I C A T I O N A N D

A U T H E N T I C A T I O N

When you’re developing security measures, whether they’re specific mechanisms or

entire infrastructures, identification and authentication are key concepts. In short, iden-

tification makes a claim about what someone or some thing is, and authentication establishes whether this claim is true. You can see such processes taking place daily in a wide variety of ways.

One common example of an identification and authentication transaction is the use of payment cards that require a personal identifi cation number (PIN). When you swipe the magnetic strip on the card, you’re asserting that you’re the person indicated on the card. At this point, you’ve given your identification, but nothing more. When you’re prompted to enter the PIN associated with the card, you’re completing the authentication portion of the transaction, proving you’re the legiti mate cardholder.

Andress, Jason. Foundations of Information Security : A Straightforward Introduction, No Starch Press, Incorporated, 2019. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/snhu-ebooks/detail.action?docID=5965309. Created from snhu-ebooks on 2021-08-24 01:30:06.

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

24 Chapter 2

Some of the identification and authentication methods that we use daily are particularly fragile, meaning they depend largely on the honesty and diligence of those involved in the transaction. If you show your ID card to buy alcohol, for example, you’re asking people to trust that your ID is genuine and accurate; they can’t authenticate it unless they have access to the system that maintains the ID in question. We also depend on the com petence of the person or system performing the authentication; they must be capable not only of performing the act of authentication but also of detecting false or fraudulent activity.

You can use several methods for identification and authentication, from requiring simple usernames and passwords to implementing purposebuilt hardware tokens that serve to establish your identity in multiple ways. In this chapter, I’ll discuss several of these methods and explore their uses.

Identification Identification, as you just learned, is simply an assertion of who we are. This may include who we claim to be as people, who a system claims to be over the network, or who the originating party of an email claims to be. You’ll see some methods for determining identity and examine how trustworthy those methods are.

Who We Claim to Be Who we claim to be is a tenuous concept at best. We can identify ourselves by our full names, shortened versions of our names, nicknames, account numbers, usernames, ID cards, fingerprints, or DNA samples. Unfortunately, with a few exceptions, such methods of identification are not unique, and even some of the supposedly unique methods of identification, such as finger prints, can be duplicated.

Who we claim to be can, in many cases, be subject to change. For instance, women often change their last names upon getting married. In addition, we can generally change logical forms of identification—such as account numbers or usernames—easily. Even physical identifiers, such as height, weight, skin color, and eye color, can change. One of the most crucial factors to realize is that a claim of identity alone is not enough.

Identity Verification Identity verification is a step beyond identification, but it’s still a step short of authentication, which I’ll discuss in the next section. When you’re asked to show a driver’s license, Social Security card, birth certificate, or other similar form of identification, this is generally for identity verification, not authen tication. It’s the rough equivalent of someone claiming the identity John Smith; you asking if the person is indeed John Smith and being satisfied with an answer of “Sure, I am” from the person (plus a little paperwork).

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

Identification and Authentication 25

We can take the example a bit further and validate the form of identi fication (say, a passport) against a database holding an additional copy of the information that it contains, matching the photograph and physical specifications with the person standing in front of us. This may get us a bit closer to ensuring we’ve correctly identified the person, but it still doesn’t qualify as authentication; we may have validated the status of the ID itself, and we know that the person meets the general specifications of the person it was originally issued to, but we’ve taken no steps to prove that the person is really the right one. The more than we trend toward verification and away from authentication, the weaker our controls are.

Computer systems use identity verification, too. When you send an email, the identity you provide is taken to be true; the system rarely takes any additional steps to authenticate you. Such gaps in security contribute to the enormous amount of spam traffic, which Cisco’s Talos Intelligence Group estimated to have accounted for approximately 85 percent of all emails sent from mid2017 to mid2018.1

Falsifying Identification As I’ve discussed, methods of identification are subject to change. As such, they are also subject to falsification. Minors often use fake IDs to get into bars or nightclubs, while criminals and terrorists might use them for a vari ety of more nefarious tasks. You could use some methods of identification, such as birth certificates, to gain additional forms of identification, such as Social Security cards or driver’s licenses, thus strengthening a false identity.

Identity theft based on falsified information is a major concern today; identity thieves stole an estimated $16.8 billion from US consumers in 2017.2 This type of attack is unfortunately common and easy to execute. Given a minimal amount of information—usually a name, address, and Social Security number are sufficient—it’s possible to impersonate some one just enough to be able to conduct a variety of transactions in their name, such as opening a line of credit. Such crimes occur because many activities lack authentication requirements. Although most people think identity verification is sufficient, verification is easy to circumvent by using falsified forms of identification.

Many of the same difficulties exist in computer systems and environ ments. For example, it’s entirely possible to send an email from a falsified email address. Spammers use this tactic on a regular basis. I’ll address such issues at greater length in Chapter 9.

Authentication In information security, authentication is the set of methods used to estab lish whether a claim of identity is true. Note that authentication does not decide what the party being authenticated is permitted to do; this is a sepa rate task, known as authorization. I’ll discuss authorization in Chapter 3.

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

26 Chapter 2

Factors There are several approaches to authentication: something you know, some thing you are, something you have, something you do, and where you are. These approaches are known as factors. When you’re attempting to authen ticate a claim of identity, you’ll want to use as many factors as possible. The more factors you use, the more positive your results will be.

Something you know, a common authentication factor, includes passwords or PINs. However, this factor is somewhat weak, because if the information the factor depends on is exposed, your authentication method may no longer be unique.

Something you are is a factor based on the relatively unique physical attri butes of an individual, often referred to as biometrics. Although biometrics can include simple attributes such as height, weight, hair color, or eye color, these aren’t usually distinctive enough to make very secure identifiers. Complex identifiers such as fingerprints, iris or retina patterns, or facial characteristics are more common. These are a bit stronger than, say, a password, because forging or stealing a copy of a physical identifier is somewhat more difficult, although not impossible. There is some question as to whether biometrics truly count as an authentication factor or whether they only constitute verifi cation. I’ll discuss this again later in this chapter, when I cover biometrics in greater depth.

Something you have is a factor generally based on a physical possession, although it can extend into some logical concepts. Common examples are automatic teller machine (ATM) cards, state or federally issued identity cards, or softwarebased security tokens, as shown in Figure 21.3 Some institutions, such as banks, have begun to use access to logical devices, such as cell phones or email accounts, as methods of authentication, as well.

This factor can vary in strength depending on the implementation. If you wanted to use a security token sent to a device that doesn’t belong to you, you’d need to steal the device to falsify the authentication method. On the other hand, if the security token was sent to an email address, it would be much easier to intercept, and you’d have a measure of considerably less strength.

Something you do, sometimes considered a variation of something you are, is a factor based on the actions or behaviors of an individual. This may include an analysis of the individual’s gait or handwriting or of the time delay between keystrokes as he or she types a passphrase. These factors

Figure 2-1: Sending a security token to a mobile phone is a common authentication method.

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

Identification and Authentication 27

present a strong method of authentication and are difficult to falsify. They do, however, have the potential to incorrectly reject legitimate users at a higher rate than some of the other factors.

Where you are is a geographically based authentication factor. This factor operates differently than the other factors, as it requires a person to be present in a specific location. For example, when changing an ATM PIN, most banks will require you to go into a branch, at which point you will also be required to present your identification and account number. If the bank allowed the PIN to be reset online, an attacker could change your PIN remotely and proceed to clean out your account. Although potentially less useful than some of the other factors, this factor is difficult to counter with out entirely subverting the system performing the authentication.

Multifactor Authentication Multifactor authentication uses one or more of the factors discussed in the preceding section. When you’re using only two factors, this practice is also sometimes called two-factor authentication.

Let’s return to the ATM example because it illustrates multifactor authentication well. In this case, you use something you know (your PIN) and something you have (your ATM card). Your ATM card serves as both a factor for authentication and a form of identification. Another example of multifactor authentication is writing checks. In this case, you’re using something you have (the checks themselves) and something you do (signing them). Here, the two factors involved in writing a check are rather weak, so you sometimes see a third factor—a fingerprint—used with them.

Depending on the factors selected, you can assemble stronger or weaker multifactor authentication schemes particular to each situation. In some cases, although certain methods may be more difficult to defeat, they’re not practical to implement. For example, DNA makes for a strong method of authentication but isn’t practical in most situations. In Chapter 1, I said that your security should be proportional to what you’re protecting. You certainly could install iris scanners on every credit card terminal, but this would be expensive, impractical, and potentially upsetting to customers.

Mutual Authentication Mutual authentication is an authentication mechanism in which both par ties in a transaction authenticate each other. These parties are typically softwarebased. In the standard, oneway authentication process, the client authenticates to the server. In mutual authentication, not only does the client authenticate to the server, but the server authenticates to the client. Mutual authentication often relies on digital certificates, which I’ll discuss in Chapter 5. Briefly, both the client and the server would have a certificate to authenticate the other.

In cases where you don’t perform mutual authentication, you leave yourself open to impersonation attacks, often referred to as man-in-the- middle attacks. In a maninthemiddle attack, the attacker inserts himself between the client and the server. The attacker then impersonates the

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

28 Chapter 2

server to the client and the client to the server, as shown in Figure 22, by circumventing the normal pattern of traffic and then intercepting and for warding the traffic that would normally flow directly between the client and the server.

Client Server

Original connection

Attacker

Attacker’s connection

Figure 2-2: A man-in-the-middle attack

This is typically possible because the attacker needs to subvert or falsify authentication only from the client to the server. If you implement mutual authentication, this becomes a considerably more difficult attack because the attacker would have to falsify two different authentications.

You can also combine mutual authentication with multifactor authen tication, although the latter generally takes place only on the client side. Multifactor authentication from the server back to the client would be not only technically challenging but also impractical in most environments because it would involve some technical heavylifting on the client side, potentially on the part of the user. You’d likely lose a significant amount of productivity.

Common Identification and Authentication Methods I’ll conclude this discussion by exploring three common identification and authentication methods in detail: passwords, biometrics, and hardware tokens.

Passwords Passwords are familiar to most us who use computers regularly. When combined with a username, a password will generally allow you access to a computer system, an application, a phone, or a similar device. Although they’re only a single factor of authentication, passwords can represent a relatively high level of security when constructed and implemented properly.

People often describe certain passwords as being strong, but a better descriptive term might be complex. If you construct a password that uses lowercase letters only and is eight characters long, you can use a password cracking utility to crack it quickly, as discussed in Chapter 1. Adding char acter sets to the password makes it increasingly harder to figure out. If you

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

Identification and Authentication 29

use uppercase letters, lowercase letters, numbers, and symbols, you’ll end up with a password that is potentially more difficult to remember, such as $sU&qw!3, but much harder to crack.

In addition to constructing strong passwords, you also need to practice good password hygiene. Don’t write your password down and post it under your keyboard or on your monitor; doing so completely defeats the purpose of having a password in the first place. Applications called password managers exist to help us manage all the logins and passwords we have for different accounts, some as locally installed software and others as web or mobile device applications. There are many arguments for and against such tools; some people think keeping all of your passwords in one place is a bad idea, but when used carefully, they can help you maintain good password hygiene.

Another common problem is the manual synchronization of passwords— in short, using the same password everywhere. If you use the same password for your email, for your login at work, and for your online knitting discus sion forum, you’re putting the security of all the accounts in the hands of those system owners. If any one of them is compromised, all of your accounts become vulnerable; all an attacker needs to do to access the others is look up your account name on the internet to find your other accounts and log in using your default password. By the time the attacker gets into your email account, the game is over because an attacker can generally use it reset account credentials for any other accounts you have.

Biometrics Although some biometric identifiers may be more difficult to falsify than others, this is only because of the limitations of today’s technology. At some point in the future, we’ll need to develop more robust biometric characteris tics to measure or else stop using biometrics as an authentication mechanism.

Using Biometrics

Biometricsequipped devices are becoming increasingly common and inex pensive. You can find a wide selection of them for less than $20. It pays to research such devices carefully before you depend on them for security, as some of the cheaper versions are easy to bypass.

You can use biometric systems in two ways. You can use them to verify the identity claim someone has put forth, as discussed earlier, or you can reverse the process and use biometrics as a method of identification. This process is commonly used by law enforcement agencies to identify the owner of fingerprints left on various objects. It can be a timeconsuming effort, considering the sheer size of the fingerprint libraries held by such organizations. To use a biometric system in either manner, you need to put the user through some sort of enrollment process. Enrollment involves recording the user’s chosen biometric characteristic—for instance, making a copy of a fingerprint—and saving it in a system. Processing the character istic may also include noting elements that appear at certain parts of the image, known as minutiae (Figure 23).

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

30 Chapter 2

Figure 2-3: Biometric minutiae

You can use the minutiae later to match the characteristic to the user.

Characteristics of Biometric Factors

Biometric factors are defined by seven characteristics: universality, uniqueness, permanence, collectability, performance, acceptability, and circumvention.4

Universality means you should be able to find your chosen biometric characteristic in the majority of people you expect to enroll in the system. For instance, although you might be able to use a scar as an identifier, you can’t guarantee that everyone will have a scar. Even if you choose a common characteristic, such as a fingerprint, you should take into account the fact that some people may not have an index finger on their right hand and be prepared to compensate for this.

Uniqueness is a measure of how unique a characteristic is among indi viduals. For example, if you choose to use height or weight as a biometric identifier, you’d stand a good chance of finding several people in any given group who have the same height or weight. You should try to select char acteristics with a high degree of uniqueness, such as DNA or iris patterns, but even these could be duplicated, whether intentionally or otherwise. For example, identical twins have the same DNA, and an attacker could repli cate a fingerprint.

Permanence tests how well a characteristic resists change over time and with advancing age. If you choose a factor that can easily vary, such as height, weight, or hand geometry, you’ll eventually find yourself unable to authenti cate a legitimate user. It’s better to use factors such as fingerprints, which are unlikely to change without deliberate action.

Collectability measures how easy it is to acquire a characteristic. Most com monly used biometrics, such as fingerprints, are relatively easy to acquire, which is one reason they are common. On the other hand, a DNA sample is more difficult to acquire because the user must provide a genetic sample to enroll and to authenticate again later.

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

Identification and Authentication 31

Performance measures how well a given system functions based on factors such as speed, accuracy, and error rate. I’ll discuss the performance of bio metric systems at greater length later in this section.

Acceptability is a measure of how acceptable the characteristic is to the users of the system. In general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user.5 Systems that require users to remove their clothes, touch devices that have been repeat edly used by others, or provide tissue or bodily fluids are unlikely to have a high degree of acceptability.

Circumvention describes how easy it is to trick a system by using a falsified biometric identifier. The classic example of a circumvention attack against the fingerprint as a biometric identifier is the “gummy finger.” In this type of attack, a fingerprint is lifted from a surface and used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin. Some biometric systems have secondary features specifically designed to defeat such attacks by measuring skin temperature, pulse, or pupillary response.

Measuring Performance

There are many ways to measure the performance of a biometric system, but a few primary metrics are particularly important. The false acceptance rate (FAR) and false rejection rate (FRR) are two of these.6 FAR measures how often you accept a user who should be rejected. This is also called a false positive. FRR measures how often we reject a legitimate user and is some times called a false negative.

You want to avoid both of these situations in excess. You should aim for a balance between the two error types, referred to as an equal error rate (EER). If you plot both the FAR and the FRR on a graph, as I’ve done in Figure 24, the EER marks the point where the two lines intersect. We sometimes use EER as a measure of the accuracy of biometric systems.

Threshold

Pe rc

en t o

f F A

R an

d FR

FAR FRR

ERR

Figure 2-4: The equal error rate is the intersection of the false acceptance rate and false rejection rate.

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

32 Chapter 2

Flaws in Biometric Systems

Biometric systems are prone to several common issues. As I mentioned when discussing circumvention, it’s easy to forge some biometric identifiers. Moreover, once they’re forged, it’s hard to reenroll a user in the system. For example, if you enroll a user with both index fingers and those fingerprints get compromised, you could remove these from the system and enroll two of their other fingers. However, if you’ve already enrolled all of their fingers in the system, you’d have no means of reenrolling them using fingers at all. Depending on the system in question, you may be able to select a different set of minutiae for the same identifier, but this avoids the point of the discussion, which is that biometric identifiers are finite. This issue became tangible in 2015, when an attacker hacked the US Office of Personnel Management and stole the fingerprint records of 5.6 million federal employees holding security clearances.7

You also face possible privacy issues in the use of biometrics. When you’re enrolled in a biometric system, you’re essentially giving away a copy of the identifier, whether it’s a fingerprint, iris pattern, or DNA sample. Once such an item has been entered into a computer system, you have little, if any, control over what happens to it. We can hope that once you’re no longer associated with the institution in question, the institution would destroy such materials, but you have no way to guarantee this. Particularly in the case of DNA sampling, the repercussions of surrendering genetic material could affect you for the rest of your life.

Hardware Tokens A standard hardware token (Figure 25) is a small device, typically in the general form factor (size and shape) of a credit card or keychain fob.8 The simplest hardware tokens look identical to universal serial bus (USB) flash drives and contain a certificate or unique identifier. They’re often called dongles. More complex hardware tokens incorporate liquidcrystal displays (LCDs), keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.

Figure 2-5: A hardware token

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

Identification and Authentication 33

Many hardware tokens contain an internal clock that generates a code based on the device’s unique identifier, an input PIN or password, and other potential factors. Usually, the code is output to a display on the token and changes on a regular basis, often every 30 seconds. The infrastructure used to keep track of these tokens can predict what the proper output will be at any given time in order to authenticate the user.

The simplest kind of hardware token represents only the something you have factor and is thus susceptible to theft and potential use by a knowledge able criminal. Although these devices represent an increased level of security for the user’s accounts and aren’t generally useful without the associated account credentials, you do need to remember to safeguard them.

More sophisticated hardware tokens could represent the something you know or something you are factors, as well. They might require a PIN or fingerprint, which enhances the security of the device considerably; in addi tion to getting the hardware token, an attacker would need to either subvert the infrastructure that uses the device or extract the something you know or something you are factor from the legitimate owner of the device.

Summary Identification is an assertion of the identity of some party, whether it be a person, process, system, or other entity. Identification is only a claim of identity; it doesn’t say anything about any privileges that might be associ ated with the identity.

Authentication is the process used to validate whether the claim of identity is correct. It’s different than verification, which is a much weaker way of testing someone’s identity.

When you perform authentication, you can use several factors. The main factors are something you know, something you are, something you have, something you do, and where you are. An authentication mechanism that includes more than one factor is known as multifactor authentication. Using multiple factors gives you a much stronger authentication mechanism than you might otherwise have.

The common set of tools used for authentication includes passwords, tokens, and biometric identifiers. Each of these has its own set of unique challenges that you will need to deal with when you are implementing them as part of your set of security controls.

In the next chapter, I’ll discuss the steps that take place after identifica tion and authentication: authorization and access control.

Exercises 1. What is the difference between verification and authentication of an

identity?

2. How do you measure the rate at which you fail to authenticate legiti mate users in a biometric system?

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .

34 Chapter 2

3. What do you call the process in which the client authenticates to the server and the server authenticates to the client?

4. A key would be described as which type of authentication factor?

5. What biometric factor describes how well a characteristic resists change over time?

6. If you’re using an identity card as the basis for your authentication scheme, what steps might you add to the process to allow you to move to multifactor authentication?

7. If you’re using an eightcharacter password that contains only lowercase characters, would increasing the length to ten characters represent any significant increase in strength? Why or why not?

8. Name three reasons why an identity card alone might not make an ideal method of authentication.

9. What factors might you use when implementing a multifactor authenti cation scheme for users who are logging onto workstations that are in a secure environment and are used by more than one person?

10. If you’re developing a multifactor authentication system for an environ ment where you might find largerthanaverage numbers of disabled or injured users, such as a hospital, which authentication factors might you want to use or avoid? Why?

C o p yr

ig h t ©

2 0 1 9 . N

o S

ta rc

h P

re ss

, In

co rp

o ra

te d . A

ll ri g h ts

r e se

rv e d .