LCN 06 Authentication (MEMORISE ONLY)


28 Terms

1

Authentication

  • A party (claimant) presents a principal’s identity and claims to be that principal.

  • Enables some party (verifier) to gain confidence that the claim is legitimate.

2

Authentication two distinct contexts

  • Entity authentication

  • Data origin authentication

3

Entity authentication

An identity presented by a remote party participating in a communication connection or a session

4

Data origin authentication

An identity is processed along with a data item. It is claimed that the data originated from the principal identified.

5

Identification vs Verification:

  • Identification is claiming and verification is proving.

6

Authentication 5 factors:

  1. Something you know

  2. Something you are

  3. Something you have

  4. Something you do

  5. Somewhere you are

7

Attacks on “Something you know”

  • Dictionary attacks

  • Inferring likely passwords/answers

  • Guessing

  • Exhaustive or brute-force attack

  • Rainbow tables

8

Rainbow Table

A precomputed table for reversing cryptographic hash functions

9

Password vulnerabilities:

  • Offline dictionary attack

  • Password guessing against single user

  • Workstation hijacking

  • Electronic monitoring

  • Specific account attack

  • Popular password attack

  • Exploiting user mistakes

  • Exploiting multiple password use

10

Attacks on passwords:

  • Social engineering (phishing, shoulder surfing, dumpster diving)

  • Capturing (keylogger, man-in-the-middle, and replay)

  • Resetting

11

Message Digest/Hash

A unique digital fingerprint (digest) created with a hash algorithm when a password is set.

12

Salt

A unique random value added to a password before hashing, to make the hash unique and minimise collisions.

13

Why are salted hashes important?

  • They prevent duplication of passwords from being visible in the password file.

  • More difficult to crack using offline dictionary attacks.

  • Becomes nearly impossible to know if a person with passwords on more than one platform has used the same password on all of them.

14

Password Defences

  • Password complexity

  • Credential Management

15

Password Complexity

  • Mix characters

  • Choose long/complex passwords

  • Avoid names/words

16

Credential Management

  • Change passwords regularly

  • Avoid using the same password for different applications

  • Do not disclose to others

  • Do not write it down

17

Password Selection strategies

  • User education

  • Computer generated passwords (Trouble memorising)

  • Reactive password checking (System runs own password cracker to find guessable passwords)

  • Complex password policy (User can pick password but system checks if strong or weak then rejects/accepts)

18

Standard biometrics:

  • Fingerprint

  • Hand geometry

  • Retina and iris

  • Face

  • Facial features

19

Advantages of Biometric authentication

  • Cannot be lost, forgotten, or shared, always available.

  • Difficult to be forged

20

Problems with biometrics

  • Some people find their use intrusive

  • Expensive

  • Sampling error

  • Single point of failure (If card doesn’t work, I can pull another, I can’t pull my finger)

  • Speed

  • Forgery

  • False Readings

21

Memory Cards

  • Can store but do not process data

  • Most common is magnetic stripe card

  • Can be used alone for physical access

  • Significantly greater security when combined with a password or PIN.

22

Drawbacks of Memory Cards:

  • Requires a special reader

  • Loss of token

  • User dissatisfaction

23

Most important category of smart token

  • Has the appearance of a credit card

  • Has an electronic interface

  • May use any of the smart token protocols

24

Smart Cards contain three memories:

  1. Read-only memory (ROM)

  2. Electrically erasable programmable ROM (EEPROM)

  3. Random access memory (RAM)

25

Something you do AKA:

Behavioral / Cognitive Biometrics

26

Example of Something you do:

Picture Gesture Authentication

27

Federated Identity Management

A union of separate identification and authentication systems. Authentication is performed in one place, and separate processes and systems determine that an already authenticated user is to be activated.

28

Single Sign On (SSO)

Lets a user log on once per session but access many different applications/systems.

SSO uses one set of credentials that give access to all applications at once.