DACS 2201 / 09-AUTHENTICATION

Learning Objectives

  • Describe the different types of authentication factors.
  • Explain the different attacks on authentication.
  • Describe the weaknesses of passwords.
  • Describe how to implement authentication security solutions.

Access Control and the AAA Framework

  • Access Control: This is the formal process of granting or denying approval to use specific resources.
  • Triple-A (AAA): This is a fundamental cybersecurity framework for controlling access to resources. It consists of:
    • Authentication: Validates the credentials of an entity (such as a user) to ensure it is genuine and not an imposter.
    • Authorization: Grants the user access to specific resources based on a defined set of permissions.
    • Accountability: Makes the user responsible for their actions by recording the actions taken.
  • Audit: A process used to verify what a user has specifically done within a system.

Authentication Factors and Attributes

Authentication is performed using one or more of the following factors:

  • Knowledge Factor: Something only you know. Examples include a password or a Personal Identification Number (PIN).
  • Possession Factor: Something you have that nobody else has. Examples include a bank card, an RFID card, or a cell phone.
  • Biometrics Factor: Something you are. This refers to unique biological characteristics such as fingerprints, facial expressions, or an iris scan.
Other Authentication Forms (Attributes)
  • Geographic Location: Somewhere you are. For example, authentication may only be granted if the user is physically present in the office.
  • Behavior/Activity: Something only you can do. Examples include a signature or keystroke dynamics (the unique timing and rhythm of a user's typing).
  • Other Person's Validation: Someone who knows you. An example would be an instructor validating a student's identity.
  • Genetic Characteristics/Exhibitions: Some may include characteristics you exhibit, such as hair color or genetic data.
Levels of Authentication
  • Single-factor authentication (SFA): Uses only one factor.
  • Two-factor authentication (2FA): Uses two unique factors.
  • Multi-factor authentication (MFA): Uses more than two factors.

Knowledge Factor: Password Strengths and Weaknesses

  • Passwords are the most common form of computer authentication based on the knowledge factor.
  • Weaknesses of Passwords (Human Memory Constraints):
    • Complexity vs. Recall: Effective passwords must be long and complex, making them difficult to remember.
    • Account Proliferation: The average internet user has approximately 207207 accounts. Using unique passwords for each strains human memory.
    • Credential Stuffing Attack: This occurs when users use the same password for multiple accounts. If an attacker discovers one password, they can easily access multiple separate accounts.
    • Password Policies: Many security policies mandate password expiry after a set period, forcing constant memorization of new strings. Some policies also prevent recycling or the reuse of old passwords.

Password Attacks

  • Password Guessing: An attacker manually attempts to guess passwords at the login prompt. This is mitigated by users choosing strong, unpredictable passwords.
  • Shoulder Surfing: An attacker watches an individual enter a security code on a keypad. Mitigation includes user caution or physical shields, such as those found on ATMs.
  • Brute Forcing: An attacker attempts every possible combination of characters. This is mitigated by locking accounts or disabling logins after a limited number of incorrect attempts (e.g., 55 attempts).
  • Password Spraying: An attacker selects one or a few very common passwords (such as password1password1 or 123456123456) and attempts to use them to log into several different user accounts. This is mitigated by using unpredictable passwords.
  • Password Dumps: An attacker steals stored passwords from a system or database. In 2009, over 3232 million user passwords were stolen and posted in cleartext.

Password Storage and Digest Protection

  • Systems mitigate the impact of password dumps by hashing passwords before storage.
  • Hash Function: A process that takes an input string (the message) and encrypts it to produce an output (the digest).
  • Digests: These are irreversible and cannot be decrypted. During login, the entered password is hashed, and access is granted only if the resulting digest matches the stored hash.
Attacks on Password Digests

Even with hashing, attackers can use dumped digest files to find passwords by hashing a list of potential passwords and comparing them to the dump:

  • Offline Brute Force Attack: Generates a password list by trying all possible character combinations.
  • Dictionary Attack: Uses a list generated from commonly used words found in a dictionary.
  • Password Collection Attack: Uses a list taken from previous cleartext password dumps.
  • Rainbow Table Attack: Uses a compressed, precomputed list of passwords organized in a specific sequence.

Password Security: Salting and Key Stretching

  • Salting: A technique where a random string (the salt) is generated and concatenated to the password before it is hashed.
  • Key Stretching: The use of specialized hashing algorithms designed to be intentionally slower. This causes minor delays for single users but significantly slows down attackers trying to generate billions of candidates.
    • Examples of key stretching algorithms: bcrypt, PBKDF2, and Argon2.
    • These are much slower than fast hash algorithms like MD5 and SHA.

Password Strength Metrics

  • Entropy: A measure of the strength of a password.
  • Length: The most critical factor in password strength. The number of possible passwords is a function of the character set size (SS) and the password length (LL), represented by the formula:     P=(S)LP = (S)^L
Character Set Analysis (9595 Keyboard Keys)
Password LengthNumber of Possible PasswordsAverage Attempts to Break
229,0259,0254,5134,513
33857,375857,375428,688428,688
4481,450,62581,450,62540,725,31340,725,313
557,737,809,3757,737,809,3753,868,904,6883,868,904,688
66735,091,890,625735,091,890,625367,545,945,313367,545,945,313

Password Management Technologies

Experts recommend modern management technologies rather than human memory:

  • Password Managers: Separate secure repositories for storing passwords.
  • Password Generators: Browser extensions that generate and store unique passwords automatically.
  • Online Password Managers (Online Vaults): Centralized repositories that store passwords online.
  • Password Management Applications: Portable apps that store repositories on the disk, reducing the risk of an online vault hack.
  • Password Keys: Secure hardware-based solutions, such as the YubiKey, used to store passwords.

Possession Factor Details

Possession factors are often paired with knowledge factors to create 2FA.

  • Smart Cards: Cards programmed with user information. They require a card reader and are vulnerable to Card Skimming (the use of small devices to clone information from magnetic strips).
  • Windowed Tokens (Key Fobs): These devices use an algorithm to generate a one-time password (OTP), usually valid for 3030 to 6060 seconds. The authentication server must use the same algorithm for a match.
  • Smartphones: Use is highly convenient. Authentication methods include:
    • Phone calls requiring the user to press a number to accept login.
    • SMS messages containing an OTP.
    • Dedicated authentication apps using push notifications or OTP generation.
  • Security Keys: Small USB devices with a pair of public/private keys burned into the hardware to authenticate users.

Biometrics Factors

Physiological Biometrics

Uses unique physical characteristics for identification:

  • Retinal Scan: Maps unique patterns of the retina using low-energy infrared light (IR).
  • Fingerprint Scan: Captures images of ridges and valleys in a fingerprint.
  • Voice Recognition: Identifies unique vocal characteristics via a microphone.
  • Iris Scan: Identifies unique iris features using a standard webcam.
  • Facial Recognition: Maps landmarks on the face known as nodal points.
Physiological Biometrics Disadvantages
  • Cost of additional scanning hardware.
  • False Negative: When an imposter is accepted as genuine.
  • False Positive: When a legitimate user is rejected.
  • Deception: Scans can be "tricked" (e.g., using a fingerprint lifted from a glass).
  • Privacy: Users cannot change their biometric data if a breach occurs.
Cognitive Biometrics

Also known as knowledge-based authentication, this acquires bio-signals based on responses to external stimuli or user life experiences.

  • Picture Password (Windows): A user selects a photo and draws specific lines, circles, or taps points of interest. These gestures must be reproduced to authenticate.

Questions & Discussion

Question: Which of the following is an example of two-factor authentication?

  • A user must enter a username and a password to login. (Incorrect: Single factor - Knowledge only).
  • A user must use a physical key and an RFID card to unlock a door. (Incorrect: Single factor - Possession only, though using two items).
  • A user must swipe his credit card and enter a PIN to access services on an ATM. (Correct: This uses Possession of the card and Knowledge of the PIN).
  • A user must provide a fingerprint scan and have his eye scanned to unlock the data center door. (Incorrect: Single factor - Biometrics only).
  • A user must provide an OTP sent to his phone and a code sent to his key fob (windowed token) to login. (Incorrect: Single factor - Possession only).

Secure Authentication Technologies and Protocols

  • Single Sign-On (SSO): Uses one credential to access multiple applications (e.g., Google login accessing Gmail, YouTube, and Drive). This minimizes the number of passwords a user must remember.
  • Remote Authentication Dial In User Service (RADIUS): A centralized server-based system.
    1. User sends credentials to a RADIUS client (e.g., a wireless Access Point or AP).
    2. The client sends credentials and connection parameters to the RADIUS server.
    3. The RADIUS server compares data against user profiles in a central database.
    4. The server sends an authentication acknowledgement (accept or reject) along with authorization details.
    5. If enabled, the action is logged in an accounting database.
    6. Approval is sent to the user device (laptop).
  • Terminal Access Control Access Control System+ (TACACS+): A system very similar to RADIUS.
  • Kerberos: Uses encryption and authentication specifically for local network service access.
  • Directory Service: A network database containing info about users and devices.
  • Security Assertion Markup Language (SAML): An XML standard for exchanging authentication/authorization data between web domains. This allows credentials to be stored with a single Identity Provider rather than every individual Web Service Provider.
    • Example: Using a Google, Facebook, or Microsoft account to log into a third-party website.