Flashcard set for chapter 3- User Authentication (CIS 4378- Computer and Network Security)
Basic requirements for Authentication
Identify users, processes, or devices
Verify identities before granting access
Derived Requirements for Authentication
Use multifactor authentication (MFA) for local & network access
Use replay-resistant mechanisms for all accounts
Four Means of Authenticating User Identity
Something the individual knows
Something the individual possesses (token)
Something the individual is (static biometrics)
Something the individual does (dynamic biometrics)
Password-Based Authentication
Widely used line of defense against intruders; user provides name/login and password
User ID
Determines that the user is authorized to access the system
Determines the user’s privileges
Is used in discretionary access control
Offline dictionary attack
Attacker tries a list of likely passwords on stolen password hashes.
Specific account attack
Targeting one user with tailored guesses (e.g., using personal info).
Popular password attack
Trying commonly used passwords like 123456 or password.
Password guessing (single user)
Brute-force guessing of one account’s password
Workstation Hijacking
Stealing credentials from an unattended or unlocked device
User mistakes
Weak, simple, or predictable passwords chosen by users
Multiple password use
Reusing passwords across accounts increases risk
Electronic monitoring
Keylogging or capturing passwords over the network
Dictionary attacks
Develop a large dictionary of possible passwords and try each against the password file
Each password must be hashed using each available salt value and then compared with stored hash values
Rainbow table attacks
Pre-compute tables of hash values for all salts
A mammoth table of hash values
Can be countered by using a sufficiently large salt value and a sufficiently large hash length
True
T or F: Password crackers exploit the fact that people choose easily guessable passwords
Users have trouble remembering them
One criticism of computer generated passwords is that….
Reactive password checking
System periodically runs its own password cracker to find guessable passwords
Complex password policy
User is allowed to select their own password, however the system checks to see if the password is allowable, and if not, rejects it
Rule enforcement
Specific rules that passwords must adhere to
Password checker
Compile a large dictionary of passwords not to use
Bloom filter
Used to build a table based on hash values
Embossed cards
Raised characters only, on front
Magnetic stripe
Magnetic bar on back, characters on front
Memory card
Electronic memory inside (e.g. prepaid phone card)
Smart
Biometric ID cards and credit cards are examples of what kind of card
Memory Cards
Can store but do not process data
The most common is the magnetic stripe card
Can include an internal electronic memory
Can be used alone for physical access (e.g. Hotel room, Gift card)
Provides significantly greater security when combined with a password or PIN
Requires special reader
Loss of token
User dissatisfaction
3 drawbacks of memory cards
Smart token
Physical characteristics:
Include an embedded microprocessor
Can look like calculators, keys, small portable objects
User interface:
Manual interfaces include a keypad and display for human/token interaction
Electronic interface
A smart card or other token requires an electronic interface to communicate with a compatible reader/writer
Contact and contactless interfaces
Authentication protocol for smart token
Static
Dynamic password generator
Challenge-response
Smart card
Most important category of smart token
Read-only memory (ROM), electrically erasable programmable ROM (EEPROM), random access memory (RAM)
3 types of memory typically included in smart cards
True
T or F: Smart cards contain an entire microprocessor
False; smart cards may use any of the smart token protocols
T or F: Smart cards can only use specific smart token protocols
Random access memory (RAM)
Holds temporary data generated when applications are executed
Electrically erasable programmable ROM (EEPROM)
Holds application data and programs
Read-only memory (ROM)
Stores data that does not change during the card’s life
Electronic Identity Cards (eID)
Use of a smart card as a national identity card for citizens; a smart card that has been verified by the national government as valid and authentic
Most advanced deployment of an eID
German card neuer Personalausweis is an example of….
Password Authenticated Connection Establishment (PACE)
Ensures that the contactless RF chip in the eID card cannot be read without explicit access control
For online applications, access is established by the user entering the six-digit PIN (which should be known only to the holder of the card)
For offline applications, either the MRZ printed on the back of the card or the six-digit card access number (CAN) printed on the front is used
One-time password (OTP) device
Has a secret key to generate a password
User enters the password and the system validates the value entered
Uses a block cipher/hash function to combine secret key and time or nonce value to create password
Has a tamper-resistant module for secure storage of the secret key
This describes what kind of hardware authentication token
Time-based one-time password (TOTP)
Uses HMAC with a hash function
Used in many hardware tokens and by many mobile authenticator apps
Password is computed from the current Unix format time value
This describes what kind of hardware authentication token
Single factor authentication
Provides authentication service with just one factor
Multifactor authentication
Provides authentication service after a local authentication step
Hardware authentication tokens
Uses a user agent as an intermediary between authenticator and authenticating service
Authentication code via message
One of the simplest authentication approaches
Used for banking, government service access, etc.
No need to have any additional app on the phone
Disadvantages of authentication using a mobile phone
Requires mobile coverage to receive SMS
When mobile phone is lost or stolen, user will lose access or an attacker might gain access
Attackers might use a SIM swap attack
Attacker might also intercept messages using either a fake mobile tower or an attack on the SS7 signaling protocol
Mobile authentication apps
Implements a one-time password generator
Implements the “Time-based one-time password (TOTP)” algorithm
Does not require a network connection
Can be used with multiple accounts
More secure than authentication code
Biometric authentication
Attempts to authenticate an individual based on unique physical characteristics (fingerprint, face ID, retinal pattern, etc.)
Based on pattern recognition
Is technically complex and expensive when compared to passwords and tokens
Remote user authentication
Authentication over a network, the Internet, or a communications link is more complex
Generally relies on some form of challenge-response protocol to counter threats
Client attacks
Fake user login attempt (no host access)
Host attacks
Stealing stored passwords / tokens / biometrics
Eavesdropping
Observing user to capture credentials
Replay
Reusing previously captured login response
Trojan horse
Fake app/device capturing credentials
Denial-of-Service (DoS)
Flooding system to block valid logins