ISM W31 Flashcards
(24 cards)
Technical definition of Authentication:
“the act of confirming the truth of an attribute of a single piece of data claimed true by an entity”
Types of Authentication (according to the entity type) (5):
- User authentication
- Message authentication
- Device / Server authentication
- Humanness authentication (CAPTCHA)
- Physical object authentication (1/2-D barcodes, RFID chips, security hologram labels, watermarks, …)
3 main (traditional) authentication factors + 2 others:
Traditional: knowledge-based (“what you know”), possession-based (“what you have”) and inherence-based (“who you are”)
Other: context-based (“where you are”) and risk-based (“how risky you are”)
What is Multi-factor authentication (MFA):
Using two or more authentication factors together
Who prescribes two-factor authentication (2FA) for online payments (with a few exceptions)?
The EU PSD2 (European Payment Services Directive 2)
What's the most common way MFA is utilised?
Most often by combining passwords and a smartphone-based factor (SMS message or an authenticator mobile app).
Most widely used example of knowledge-based user authentication?
Passwords
How are passwords stored? (user side)
- In your brain
- On a piece of paper
- On your device (e.g., mobile phone)
- On a USB key
- In a password manager (such as LastPass)
- Calculated from something you know
(What is stored may not be the password itself, but just a hint).
How are passwords stored (on the server side):
- In clear (should never happen, but …): password
- Processed by a cryptographic hash function: H(password)
- Hashed with a random number (called a salt): H(password || salt)
- Stored using advanced key stretching (password strengthening) methods, e.g., H^n(password || salt), where n is large.
- Honeytokens (fake passwords) may be used.
Why is hashing used when storing passwords on the server side?
To avoid password leakage if the server is hacked.
Why is salting used on top of hashing when storing passwords on the server side?
(Fact: salt is random but stored in clear at server side)
- For resisting rainbow table (a pre-calculated table of possible passwords and their hash values) attacks
- Play a role similar to a cryptographic nonce
What is a password (narrowly speaking vs broadly speaking):
Narrowly speaking:
- A secret textual string you present for accessing some protected resource(s).
Broadly speaking:
- 1st authentication factor
“What you know” = “What you (have to) remember”
Give some examples of types of passwords:
- PIN (Personal Identification Number)
- Textual passwords (digits + letters + special chars)
- Graphical passwords (graphical elements)
What is the security-usability dilemma?
- Stronger passwords are more secure but harder for humans to manage (= less usable).
- Weaker passwords are easier for humans to manage (more usable) but also easier to crack.
- Strong passwords for humans ≠ strong passwords for automated password crackers.
⇒ Users have a tendency to choose usability over security: using easy-to-manage passwords.
(This password behaviour of users has not changed much since the 1970s!)
What is a password CHECKER and how could it solve the security-usability dilemma?
BASICALLY HELPS PPL REMEMBER NOT TO BE IDIOTS AND MAKE A PASSWORD THAT ISN'T SHIT
A password checker evaluates the strength of a given password and warns the user about its weakness.
- PROACTIVE password checkers work at the client side when the user is entering his/her password.
- REACTIVE password checkers work at the server side after users set their passwords (by scanning all passwords of all users).
(Both proactive and reactive password checkers are based on one or more PASSWORD METERS THAT ESTIMATE THE SECURITY STRENGTH of a given password.)
What is a password MANAGER and how could it solve the security-usability dilemma?
A password manager is a software/hardware tool managing credentials of multiple accounts of the user.
- Local password managers run from a local computer (could be a smart phone) and store the data locally.
- Web-based password managers run from the Web or the cloud and store the data remotely in a remote web site.
- Cloud-based password managers run from local computer or the Web and store the data remotely in a cloud.
- Three layers of managers: password managers, users, and organisations
BASICALLY HELPS IDIOTS REMEMBER LOTS OF DIFFERENT PASSWORDS SO THEY CAN USE ONES THAT ARE HARDER TO CRACK AND LOTS OF DIFFERENT ONES FOR DIFFERENT SITES INSTEAD OF USING THE SAME ONE FOR EVERYTHING…
What is the official password GUIDANCE? What are password POLICIES and how could they solve the security-usability dilemma?
Solve the security-usability dilemma by implementing SOME OF THE BELOW as password policies and IT regulations.
ADVICE FROM THE NATIONAL CYBER SECURITY CENTRE:
- BLACKLIST MOST COMMON PW CHOICES
- MONITOR FAILED LOG IN ATTEMPTS AND TRAIN USERS TO REPORT SUS ACTIVITY
- PRIORITISE ADMINISTRATOR AND REMOTE USER ACCOUNTS
- DONT STORE PASSWORDS IN PLAIN TEXT FORMAT
- USE ACCOUNT MANAGEMENT, THROTTLING AND MONITORING TO HELP PREVENT BRUTE FORCE ATTACKS
HELP USERS COPE WITH OVERLOAD:
- only use PW when really needed
- use technical solutions to reduce burden
- allow users to securely store PW
- only request a PW change when compromise is suspected
- allow users to reset their password easily, quickly and cheaply
HELP USERS GENERATE APPROPRIATE PASSWORDS:
- put technical defences in place so simpler passwords can be used
- steer users away from predictable PW and ban the most common ones
- encourage users to never re-use passwords between work and home
- train staff to help users avoid creating easy-to-guess PW
- be aware of limitations of PW strength meters
How are passwords cracked?
- INTERCEPTION (while transmitted over a network)
- BRUTE FORCE (automated guessing)
- SEARCHING (IT infrastructure searched for electronically stored password info)
- STEALING PASSWORDS (handwritten etc.)
- MANUAL GUESSING (date of birth, name etc.)
- SOCIAL ENGINEERING (ppl tricked lol)
- SHOULDER SURFING (looking over ur shoulder at the ATM lol)
- KEY LOGGING (installed key logger intercepts passwords as they are typed)
Examples of fallback/recovery/emergency authentication?
What you know = What you (must) remember
- Password reset is necessary from time to time!
POSSIBLE METHODS
- Password reset via email
- Secret questions and answers
- Physical authentication
Authentication vs Identification
(WHAT'S THE DIFFERENCE, AS THEY OFTEN GET MIXED UP)
AUTHENTICATION
- An entity makes an EXPLICIT claim.
- A verifier checks if the claim is LEGITIMATE.
- An identity is often used to facilitate the authentication process. ⇒ authentication = verification of a CLAIMED identity
- Identifiers (IDs) are needed to manage identities.
- The claimant normally needs to provide some PROOF to allow the authentication check. ⇒ claimant = prover
IDENTIFICATION
- NOBODY makes a claim explicitly.
- An entity is present with an UNKNOWN identity.
- An identifier tries to UNCOVER the present entity’s identity.
What is user authentication about?
- The claimant is a (human) user.
- The verifier is normally a computer (at least in our context), but it can also be another (human) user.
- The user authentication process must be properly managed (identities, verifiers, configurations, etc.).
Examples of possession based “what you have” user authentication factor + pros and cons as replacement of passwords “what you know”?
EXAMPLES
- Different types of hardware tokens:
  - Secret paper
  - Electronic cards (+ card reader): smart cards, contact-less cards, RFID tags, NFC tags, …
  - Connected security tokens: USB-based, optical-channel-based, …
  - Disconnected security tokens: one-time password generators, transaction signers, …
  - Mobile phones
- Software versions of all the above (as mobile apps)
PROS
- Some hardware tokens are relatively cheap and simple to deploy (for both users and organisations).
- Most hardware tokens are widely used in many sectors, so WELL TESTED.
- Most hardware tokens are EASY TO USE for non-expert users.
- Some solutions use existing hardware tokens that are needed for multiple purposes (e.g., KentOne cards and mobile phones owned by users already).
CONS
- Usability issues:
  - You need to BRING it PHYSICALLY with you!
  - Unavoidable COSTS for users and organisations (material, training, repair/replacement, etc.)
  - LOSS AND THEFT
  - PIN AS BACKUP = Security reduced to the first authentication factor (“what you know”)!
- Insecure implementations:
  - SECURITY VULNERABILITIES in hardware tokens (including zero-day ones), side channel attacks, clone attacks, insecure user behaviours, …
Examples of inherence-based “who you are” user authentication factor + pros and cons as replacement of passwords “what you know”?
EXAMPLES
PHYSICAL BIOMETRICS
- Fingerprint, palm, hand geometry, iris, retina, …
BEHAVIOURAL BIOMETRICS
- Handwriting, signature, speech, gait, mouse/keystroke dynamics, …
CHEMICAL/BIOLOGICAL BIOMETRICS
- Perspiration, skin luminescence, DNA, body odour, …
PROS
- INTRINSIC FEATURES OF HUMAN USERS, so no need to create one.
- Intrinsic features of human users, so CANNOT BE (EASILY) FORGOTTEN OR LOST.
- May be MORE SECURE than non-biometric systems? (May be more difficult to steal/forge?)
- Accurate enough for some biometric modalities and applications (e.g., iris, fingerprint, face)
- Human identification is POSSIBLE WITHOUT A GIVEN ID
CONS
- PRIVACY concerns: misuse of biometric features (private/anonymous biometrics may mitigate this problem).
- SAFETY concerns (Example: in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal the car).
- LIMITED SECURITY (3D printed head bypasses facial recognition security)
- Many systems are LESS SECURE THAN STRONG PASSWORDS!
- Biometrics do not always work! ⇒ ANOTHER FACTOR NEEDED AS BACKUP = Security usually reduced to the first authentication factor (“what you know”)!
- CanNOT be EASILY changed or REPLACED (you have only one face, two eyes, ten fingers).
Inherence-based “who you are”: 2 PHASES AND 2 MODES?
TWO PHASES:
- ENROLLMENT: capturing biometric features and adding them to the database as a template.
- VERIFICATION/IDENTIFICATION: matching an input live template against one or all enrolled templates.
TWO MODES:
- VERIFICATION (Authentication) – 1:1 MATCHING: checking if a live template matches the enrolled template corresponding to a given ID.
- IDENTIFICATION – 1:N MATCHING: checking if a live template matches any of the enrolled templates in the database.