Chapter 3 - User Authentication

Question 1

User Authentication Simple Definition

Answer 1

The process of verifying an identity claimed by or for a system entity

Question 2

NIST Definition of User Authentication

Answer 2

The Process of establishing confidence in user identities presented electronically to an information system

Question 3

What is User Authentication considered?

Role in Security System

Answer 3

• Fundamental building block
• primary line of defense in computer security
• basis for most types of access control and accountability

Question 4

Two steps in the authentication process

Answer 4

1. Identification: Presenting an identifier to the system
2. Verification: confirm binding between the entity and the identifier

Question 5

Is FaceID identifier or verifier?

Answer 5

Verifier because it validates identity by comparing face to stored facial data.

Identifier is implicit!

Question 6

4 means of authenticating user identity and issues with each

Something the individual: _____

Answer 6

1. Something individual knows
   (Password, PIN, answer to security questions) - must be as secure as the password
   - Password guessing/stealing/forgetting
2. Something the individual possesses Token
   (Smartcard, electronic keycard, physical key)
   - theft/loss
3. Something the individual is
   (Static biometrics like fingerprint, retina or face)
   - false positives/negatives
   - user acceptance issues
   - inconvenience to set up
4. Something the individual does
   (dynamic biometrics like voice pattern, handwriting, or typing ryhythm)

Question 7

What is password-based authentication?

Answer 7

Method where a user provides a name/(loginID) and a password, which the system compares with a stored password for that login

userID
1. Authorized to enter system?
2. Which privileges?
3. Access control

Question 8

Password Vulnerabilities (8)

Eric, Please Offer Spectacular Passwords When Making Users

Answer 8

• Electronic monitoring
• Password guessing (against single user)
• Offline dictionary attacks
• Specific account attacks
• Popular password attacks
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use

Question 9

Popular Password Attack

Password Vulnerabilities

Answer 9

Attacker gains unauthorized access by guessing popular passwords

make policies against selection of commonly used passwords (prevent), scan ip address of authentication requests (detect)

Question 10

Password Guessing (against single user)

Password Vulnerabilities

Answer 10

Guessing against a specific user

min length, character set, training

Question 11

Electronic monitoring

Password Vulnerabilities

Answer 11

Malware that records every keystroke a user types

Question 12

Offline dictionary attack

Password Vulnerabilities

Answer 12

Attacker obtains database of hashed passwords and compares them against hash values of commonly used passwords

Access contols (prevent) intrustion detection (detect) rapid reissuance of passwords (respond)

Question 13

Specific Account Attacks

Password Vulnerabilities

Answer 13

Gathering personal information about a user to guess password

Accout lockout mechanisms

Question 14

Example of workstation hijacking

Password Vulnerabilities

Answer 14

Attacker accesses a logged-in workstation that was left unattended

Question 15

Example of Exploiting user mistakes

Password Vulnerabilities

Answer 15

User leaves password on a sticky note on desk

Question 16

Example of multiple passwords use

Password Vulnerabilities

Answer 16

Attacker gains access to one account and reuses the credentials to access the user’s email or banking accouts

salting helps prevent this!

Question 17

Online vs. Offline password attacks

Answer 17

Online: Requires interaction with a service or resource

Offline: Works with intercepted or stolen data (password files)

Question 18

Countermeasures (8)

Password Countermeasures

Answer 18

• Prevent unauthorized password files access
• Intrusion detection measures
• Rapid reissuance of compromised passwords
• Account lockout mechanisms
• Policies against using common passwords and using similar passwords on network devices
• Regular password reissuance
• Training in and enforcement of password policies
• Automatic workstation logout

Question 19

Account Lockout Mechanisms

Password Countermeasures

Answer 19

The account is locked after a given number of failed attempts

*Has a downside: Can be abused for denial of service attack

Question 20

Why are passwords the most common authentication technique despite all the vulnerabilities?

Answer 20

• tokens expensive and inconvenient to carry around
• biometrics depend on client side hardware and it requires specific software implemnation on both sides, usually one side reluctant

Question 21

Why should passwords NEVER be stored “in clear” ?

Password Countermeasures

Answer 21

• Sysadmin could access all user’ passwords
• Intruder would get a very valuable asset

BTW: Never email password!!

Question 22

What are hashed and salted passwords?

Password Countermeasures

Answer 22

Passwords are transformed using a hash function

with a salt value, or random value added to each password before hashing to make attacks harder

Salt values are stored in the password value in clear

Question 23

How is password verified with salting and hashing?

Password Countermeasures

Answer 23

1. User enters password
2. Retrieve user’s salt value from password file
3. Combine them, and pass through hash function
4. Compare newly computed hash with stored hash

Question 24

Why is salting important in password storage? (2)

Password Countermeasures

Answer 24

1. It prevents duplicate passwords from being visible in the password file, increasing the difficulty of offline dictionary attacks (attacker has to add all possible salts to commonly used passwords, will take forever)
2. Becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password

(salt of b bits increases number of possible passwords by a factor of 2^b)

Salt ensures that each password has a unique hash

Question 25

Whys is it a "slow" hash function in salt & hashing? | *Password Countermeasures*

Answer 25

This delay makes it computationally expensive for attackers to execute brute-force attacks

Question 26

Old salting vs new salting | *Password Countermeasures*

Answer 26

* 12-bit salt using DES encryption into a one-way hash function (based on MD5, which is not SHA512) * 48-bit+ salt using Bcyrpt hash algorithm (*Blowfish block cipher)*

Question 27

Shadow password file | *Password Countermeasures*

Answer 27

Separate file from the user IDs where the hashed passwords are kept

Question 28

User Education | Password Countermeasures

Answer 28

Users told importance of using hard to guess passwords, provided with guidelines

Question 29

Computer generated passwords | Password Countermeasures

Answer 29

Hard to guess for attackers but users have trouble remembering them | Could use password managers

Question 30

Reactive password checking | *Password Countermeasures*

Answer 30

System periodically runs its own password cracker to find guessable passwords ## Footnote cancel those guessed and notify user

Question 31

Proactive password checking | definition and 2 examples

Answer 31

User checks if user selected password is allowable at time of selection and if not rejects it 1. Rule enforcement (basic16 > comprehensive8) 2. Password checker (compile dictionary of "bad passwords") | *Goal: Eliminate guessable passwords while allowing memorable passwords*

Question 32

What is the problem with traditional UNIX password scheme? What is the recommended hash instead?

Answer 32

It uses DES cipher which is insecure, but this scheme is still required with many accout management softwares for compatibility reasons MD5 with 48 bit salt and 128 bit hash value that uses an inner loop with 1000 iterations to slow it down (longer to crack)

Question 33

Most secure Unix hash/salt scheme

Answer 33

developed for OpenBSD, the "Bcrypt" hash function. 55 character max for password, 128 bit salt, outputs to 192 bit hash value. *Can configure a cost variable to increase hash time more*

Question 34

Methods for proactive password checking | *Password Countermeasures*

Answer 34

* Specific rules * Password cracker (large dictionary of passwords not to use + variations) * Neural networks-based evaluation * Password invalidation based on public data breaches

Question 35

Dictionary Attack | *Password Cracking*

Answer 35

Attacker obtains password file, develops a *dictionary* of possible passwords, then hashes each possible password (with the salt value) and then compares to stored hash values in the password file | *each password hashed with EVERY salt... takes awhile*

Question 36

Rainbow table attacks | *Password Cracking*

Answer 36

Attacker precomputes hashes from possible passwords (assuming a hash function) and creates a *mammoth* table that maps passwords (rainbow table) to hash values (in password file) | Large salt makes it too difficult. ## Footnote *If attacker can match a hash in their table to hash stored in password file, they have cracked the password*

Question 37

Why is rainbow table attack more efficient than dictionary? | *Password Cracking*

Answer 37

Instead of computing the hash for each password guess in real-time, it compares to stored hashes in rainbow table | Rainbow tables can be resused if no salt was uses! ## Footnote **trade off space for time** 1.4 gb of data was shown to crack 99.9% of all alphanumeric windows passwords

Question 38

How does an attacker get a password file? (5) | sniff some ass, booty back

Answer 38

1. Exploit software vulnerability in OS to bypass access control system (at least for long enough to steal that file!) 2. Accident of protection rendering password file readable 3. Find copy on backup/archival disk ***physical security weakness*** 4. Boot disk from another operating system 5. Sniffing network traffic

Question 39

Password Cracking using AI (Example) | *Password Cracking*

Answer 39

PassGAN: Generative adversarial networks generate password guesses after learning distribution of passwords by processing the spoils of previous real-world breaches

Question 40

What was the password cracking method used in T6? | *Password Cracking*

Answer 40

John the Ripper ## Footnote Popular open source password cracker that combines brute-force and dictionary techniques

Question 41

Alarming Password Statistics

Answer 41

* 9.8% of users have the password "password" "123456" or "12345678" * 91% of users have a password from teh top 1000 passwords

Question 42

What is multi-factor authentication (MFA)? | *MFA*

Answer 42

Authentication that uses two or more methods EX 1. Something the user knows (password) 2. Something the user has (dynamic PIN or device-generated code) | *SMS are not good for security*

Question 43

MFA can be good, but... | *MFA*

Answer 43

Must consider the security of the channel used for 2nd step of verification: 1. IN band: single device use to input both factors 2. OUT band: on multiple devices

Question 44

What is a passkey?

Answer 44

A replacement for traditional passwords that uses public-key cryptography, storing the key on local devices and resisting phishing attacks | *Goal to completely replace traditional username and passwords*

Question 45

Benefits of passkeys

Answer 45

Stored locally, reducing server-side breach impact Better usability compared to traditional passwords | *Can also use biometric verification*

Question 46

How do passkeys resist phishing attacks?

Answer 46

Phishers don't have access to the private key securely stored locally on device

Question 47

What are memory cards and smartcards in token-based authentication? | *Token Based Authentication*

Answer 47

Memory cards: Store data but do not process it (magnetic stripe cards) Smartcards: Include embedded microprocessors (*does your card have a "chip"?)*

Question 48

Memory Card Drawbacks (4) | *Token-Based Authentication*

Answer 48

* Requires special reader * Loss or theft * Information often stored in clear * Good for ATM but inconvenient for personal computer | *Does hotel properly reprogram lock at each room change?* ## Footnote Do MUCH better with pin

Question 49

2 types of smart card electronic interfaces

Answer 49

1. **contact**: insert card into reader (conductive plate, gold) 2. **contactless**: radio frequencies to connect from inches away (card chip often powered by electromagnetic signal from reader!)

Question 50

Authentication Protocols for Smartcards | *Token-Based Authentication*

Answer 50

1. **Static**: user authenticates himself to token, then token authenticates user to computer (similar to memory card) 2. **dynamic password generator** (token generates unique password periodically, password entered into computer) 3. **challenge-response** (computer generates challenge, smart token generates response) ex - token encrypts a challenge string with token's private key

Question 51

Components of smart card

Answer 51

* microprocessor (can have coprocessor dedicated to cryptography to speed it up) * memory (ROM, EEROM, RAM * I/O ports (wireless or through electrical contacts with insert reader)

Question 52

What is remote user authentication | *Remote User Authentication*

Answer 52

verifying user identity over a network, requiring protocols to defend against threats eavesdropping, replay attacks, and password interception | *Generally rely on challenge-response protocol*

Question 53

Password protocol in remote authentication

Answer 53

instead of transmitting just hash of password, transmit (from user endpoint to system) function where hashed password is **one** of the arguments ## Footnote 1. use random number as one of arguments 2. prevents replay attack because adversary can't resend the content in data packet, it won't contain the hashed password and the random number ensures that each remote authentication attempt is singular

Question 54

What is a replay attack

Answer 54

when an attacker captures a valid authentication message and reuses it to gain unauthorized access

Question 55

Attacks on user authentication (6)

Answer 55

1. client attacks 2. host attacks 3. eavesdropping/theft/copying 4.replay attacks 5.trojan horse 6.denial of service