Strong Authentication (Michal Sobiegraj)



  1. Strong Authentication (2FA) – Michał Sobiegraj, CISSP, michal@sobiegraj.com
  2. Agenda: 1. Access Control 2. Knowledge 3. Ownership 4. Characteristics 5. 2FA
  3. 1/5 Access Control
  4. 1. Access control
      1. Identification – Who do you say you are?
      2. Authentication (1) – Prove it!
      3. Authorisation (1 & 2 & ACL/Capability List) – OK, so here is what you can do.
      4. Accountability (1 & 2 & Audit trail) – You are responsible for this!
  5. 1. Identification methods
      • User ID
      • Account number
      • PIN
      • Badge
      • Biometrics
  6. 1. Identifier characteristics
      • Unique to each user
      • Not related to a job function
      • Standardised naming conventions
  7. 1. Authentication
      • Knowledge based – Something only you know
      • Ownership based – Something only you have
      • Characteristics based – Something only you are
  8. 1. Traditional means of identification and authentication
      • People knew each other in person
        – They used face recognition – Something only you are (biometrics)
      • The Internet made it useless
        – More need for proving identity
        – Impossible to know people in person
  9. 1. Authentication – Each single factor is fairly easy to compromise. Let's use 2 factors!
  10. 1. (image-only slide)
  11. 1. Classic examples of 2FA
      • ATM (Automated Teller Machine)
        – Something you have (card)
        – Something you know (PIN)
      • Credit card and signature
        – Something you have (card)
        – Something you are (signature)
  12. 2/5 Knowledge (Something You Know)
  13. 2. Knowledge – Password/PIN
      • Free
      • Easy to use – People got used to it and understand it
      • The weakest factor
        – Either easily guessable/brute-forceable or complex
        – Too complex ones get written down
      • One password everywhere or many to remember
        – If there are too many, they get written down
  14. 2. Knowledge – Cognitive password
      • Series of random personal questions
      • Takes longer to authenticate
      • No need to remember a password
      • Fairly weak if based on personal information
  15. 2. Knowledge – Passphrase
      • Longer to enter than a password
      • Less susceptible to brute forcing and guessing
      • Still sniffable and susceptible to key logging
  16. 2. Knowledge – SYK Pros/Cons
      • No need to carry anything
      • Susceptible to classic attacks
        – Key logging
        – Social engineering/shoulder surfing
        – Brute force/dictionary attacks
        – Sniffing and replay attacks
        – IT staff abuse of privileges
        – Man in the middle attacks
      Images: http://img.alibaba.com/photo/11475911/KeyShark_Hardware_Keylogger.jpg, http://www.phuketgazette.com/newsimages/bull8282007-5914-4.jpg
  17. 2. Knowledge – SYK Pros/Cons
      • No strong accountability – Easily shareable
      • Frequently written down in predictable places
      Image: http://klaatu.anastrophe.com/wp-images/postit.jpg
  18. 3/5 Ownership (Something You Have)
  19. 3. Ownership – PKI Certificate
      • Transfers trust – Make sure the signer is trustworthy!
      • Usually the server authenticates to the user
        – Mutual authentication may cause significant administrative overhead
      • Something not only you have
        – Google: "index of" +ovpn – Courtesy Aleksander P.
  20. 3. Ownership – One Time Password (OTP) list
      • Session based authentication
      • Valid only once – Usually only for a short period of time
      • Not reusable by design – Not susceptible to replay attacks
      • A paper list or an electronic generator
  21. 3. Ownership – Asynchronous token (challenge – response)
      Image: http://www.cc.com.pl/img/vasco/300photo.gif
  22. 3. Ownership – Asynchronous token (challenge – response)
      • Usually requires the user to retype the challenge into the token
  23–26. 3. Ownership – Asynchronous token (challenge – response): image-only slides (same image as slide 21)
  27. 3. Ownership – Synchronous token
      • Generates a deterministic, random-looking value every minute/button push
      • The value is cryptographically derived from:
        – The previous value
        – A shared secret known only to the token and to an authentication server
        v1 = f(seed, secret); v2 = f(v1, secret); etc.
      • The secret is unrecoverable from the token* (* with today's technology)
  28. 3. Ownership – Synchronous token
      • Time-based synchronisation
        – De-syncs in time if not used
        – Clock drift is corrected
        – Server accepts neighbouring values
      • Event-based synchronisation
        – Easily de-synced by issuing too many values ahead
      Images: http://www.radiocomputerguy.com/images/paypal_token.gif, http://admin.avisian.com/images/rsa1.gif, http://en.wikipedia.org/wiki/Image:RSA-SecurID-Tokens.jpg, http://www.comprosec.ch/fileadmin/images/rsa/securid/SD520_450x297_72dpi_crop.jpg
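As an added illustration (not from the slides), a minimal model of the chained derivation v1 = f(seed, secret), v2 = f(v1, secret) from slide 27 together with the event-based synchronisation of slide 28: the server looks ahead a fixed window of chain values, resyncs when the user skipped a few presses, and rejects once the token has run further ahead than the window. The choice of HMAC-SHA256 for f, the six-digit truncation, the seed, the secret and the window size are all constructed assumptions, not any vendor's token algorithm.

```python
import hmac
import hashlib

# Constructed model of the slide's chain v1 = f(seed, secret); v2 = f(v1, secret); ... with
# f = HMAC-SHA256 (illustrative, not any vendor's algorithm), shown as six decimal digits.

def next_value(previous: bytes, secret: bytes) -> bytes:
    """One chain step: f(previous, secret)."""
    return hmac.new(secret, previous, hashlib.sha256).digest()

def to_code(value: bytes) -> str:
    """The six digits the token display shows for a chain value."""
    return f"{int.from_bytes(value[:4], 'big') % 1_000_000:06d}"

class EventToken:
    """Event-based token: advances the chain by one step per button push."""
    def __init__(self, seed: bytes, secret: bytes):
        self.value, self.secret = seed, secret

    def press(self) -> str:
        self.value = next_value(self.value, self.secret)
        return to_code(self.value)

class EventServer:
    """Remembers the last accepted value and looks ahead `window` chain steps."""
    def __init__(self, seed: bytes, secret: bytes, window: int = 3):
        self.value, self.secret, self.window = seed, secret, window

    def verify(self, code: str) -> bool:
        candidate = self.value
        for _ in range(self.window):
            candidate = next_value(candidate, self.secret)
            if hmac.compare_digest(to_code(candidate), code):
                self.value = candidate  # resync onto the token's position; older codes die
                return True
        return False  # token was pushed more than `window` times ahead: de-synced

def demo() -> dict:
    """Accept, replay, resync inside the window, then de-sync beyond it."""
    seed, secret = b"constructed-seed", b"constructed-shared-secret"
    token, server = EventToken(seed, secret), EventServer(seed, secret, window=3)
    code = token.press()
    first = server.verify(code)              # in step: accepted
    replayed = server.verify(code)           # same code again: rejected, chain moved on
    token.press(); token.press()             # two unused presses
    resynced = server.verify(token.press())  # three ahead: inside the window, accepted
    for _ in range(3):
        token.press()                        # three more unused presses
    desynced = server.verify(token.press())  # four ahead: outside the window, rejected
    return {"first": first, "replayed": replayed, "resynced": resynced, "desynced": desynced}
```

The replay check is what slide 20 calls "not reusable by design": once the server has moved past a value, that value is never accepted again.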
  29. 3. Ownership – Software tokens
      • Java (J2ME) applets
      • More convenient
      • Easier to reverse engineer the secret out of
      Image: http://www.developer.com/img/2006/06/Marcia6.JPG
  30. 3. Ownership – Man in the Middle (MITM)
      • None of the factors solves the MITM problem
      • An insecure connection allows for credentials disclosure
        – SSL allows only for a TCP link authentication
  31–36. 3. Ownership – Phishing case: image-only slides
  37. 3. Ownership – Phishing case
      • A customised attack
      • A time-limited OTP is better, but still not enough
  38. 3. Ownership – Out of band channel
      • E.g. mobile text messaging (SMS)
      • Addresses the MITM problem
      • Allows for mutual end-to-end authentication
      • Convenient
  39–45. 3. Ownership – Out of band channel: image-only slides
  46. 3. Ownership – Memory card
      • Also called a swipe card or a magnetic stripe card
      • Equipped with a magnetic stripe
      • Interacts with a reader
      • Stores authentication information
      • Relatively inexpensive
      • Fairly easy to duplicate – Harder than a password, though
  47. Image: http://www.cl.cam.ac.uk/~mkb23/atm-skim1.jpg
  48. 3. Ownership – Smartcard
      • Interacts through a reader
      • Contains authentication information – e.g. PKI certificate
      • Is able to do crypto on-board
      • Allows for continuous authentication
      • Tamper-proof, which solves the duplication problem
      Image: http://gallery.hd.org/_exhibits/money/_more2003/_more02/UK-bank-and-credit-cards-smartcard-smartcards-VISA-Mastercard-Nationwide-Barclaycard-Egg-cropped-JR.jpg
  49. 3. Ownership – Image: http://en.wikipedia.org/wiki/Image:Matkakortti_ja_kortinlukija.jpg
  50. 3. Ownership – Contactless Smartcard
      • Contains an RF transceiver (RFID)
      • Works in close proximity to a reader
        – Up to 10 cm (ISO 14443)
        – Up to 50 cm (ISO 15693)
      • Quick and hands-free
      • Contactless credit card
        – No PIN required
        – Small amounts, $5–50
  51. 3. Ownership – Potential issues with smartcards
      • Privacy concerns – Contactless smartcards make it possible to track individuals without their knowledge
      • Easy to damage the chip
  52. 3. Ownership – iButton – Image: http://commons.wikimedia.org/wiki/Image:1-Wire_lock.jpg
  53. 3. Ownership – Form factor
      • Feasibly small and convenient
      • Attachable to something you usually have with you
        – Key dongles
        – Wallet-size cards
        – Credit-card-size tokens
        – Phone applets or the phone itself
  54. 3. Ownership – SYH Pros/Cons
      • Not susceptible to classic attacks
        – Key logging
        – Shoulder surfing
        – Brute force/dictionary attacks
        – Sniffing and replay attacks
      • Hinders social engineering attacks
      • Impedes IT staff abuse of privileges
      • Stronger accountability
        – Responsibility of the owner
        – Although still not strong enough
  55. Image: http://img.thedailywtf.com/Images/200612/rsakey.jpg
  56. 3. Ownership – SYH Pros/Cons
      • Easily lost
        – Burden of revoking the token and getting a new one
        – Not much harm if combined with another factor
  57. 4/5 Characteristics (Something You Are)
  58. 4. Characteristics – Static: physiological characteristics of a human body
      • Fingerprints
      • Iris granularity
      • Retina blood vessels
      • Facial looks
      • Hand geometry
  59. 4. Characteristics – Dynamic: behavioral characteristics of a human body
      • Voice inflections
      • Keyboard strokes
      • Signature dynamics
  60. 4. Characteristics – Biometrics selection criteria
      • Accuracy
      • Acceptability
      • Reaction time
  61. 4. Characteristics – Crossover Error Rate (chart: error rate plotted against a threshold running from user friendliness to security/accuracy; the False Acceptance Error Rate (Type II) and False Rejection Error Rate (Type I) curves cross at the CER)
  62. 4. Characteristics – Image: http://www.newenglandchapel.org/images/fingerprint.jpg
  63. 4. Characteristics – Fingerprint (static)
      • Characteristic points are marked on a print
      • Positions are specified relative to other marks
      Image: http://shs.westport.k12.ct.us/forensics/04-fingerprints/fingerprint_parts.jpg
  64. 4. Characteristics – Fingerprint and palm print (static)
      • Compares the computed pattern with a stored one
      • High accuracy – Fairly simple for small sets of potential matches
      • Good acceptance
      • 5–7 seconds reaction time
  65. 4. Characteristics – Fingerprint scanner types
      • Static picture scanner
      • Line scanners
        – Scan is dynamic
        – Harder to fool
      Images: http://www.trustedreviews.com/images/article/inline/3331-6.jpg, http://www.mrgadget.com.au/catalog/images/targus_defcon_authenticator_usb.jpg
  66. 4. Characteristics (image-only slide)
  67. 4. Characteristics – Hand geometry scan (static)
      • Measures hand features – Length, width, thickness and contour of fingers
      • Not very accurate – Not good in large populations
      • Hand shape is not as unique as a fingerprint – Good in combination with another factor
      • Well accepted
      • Very fast reaction (3–5 seconds)
      • Reader is quite large
  68. 4. Characteristics – Diagram of a human eye: http://en.wikipedia.org/wiki/Image:Human_eye_cross-sectional_view_grayscale.png
  69. 4. Characteristics – Image: http://research.unc.edu/endeavors/win2005/images/retina.jpg
  70. 4. Characteristics – Retinal scan (static)
      • Compares blood vessels with a reference
      • Very high accuracy
        – Retinal pattern is entirely unique
        – Poor lighting can affect results
      • Susceptible to eye changes
        – Diabetes, heart attacks
        – Cataract, glaucoma
        – Pregnancy
      • Bad acceptance
        – Highly invasive
        – Not very user friendly
      • Fast reaction (4–7 seconds)
  71. 4. Characteristics – Image: http://en.wikipedia.org/wiki/Image:Humaniris.jpg
  72. 4. Characteristics – Iris scan (static)
      • Compares retina texture with a reference
      • Very high accuracy (IrisCode algorithm)
        – No false match reported ever
        – Iris texture remains stable over decades
      • Good acceptance – No need to touch anything
      • Very fast reaction (1–2 seconds)
      • Allows for continuous monitoring
        – Distance from 10 cm to a few metres
        – Needs cooperation
  73. 4. Characteristics – Dynamic characteristics
      • Measures a confidence level – Instead of the traditional pass/fail
      • Allows for an explicitly defined individual risk appetite – By changing the accepted confidence level
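An added illustration (not from the slides) of the Crossover Error Rate chart on slide 61 and of the confidence-level idea on slide 73: given matcher scores for a genuine user and for impostors, the code computes the False Acceptance and False Rejection rates at each threshold, finds the threshold where they cross, and derives a threshold from a stated maximum tolerated FAR. The score lists, the 0.0 to 1.0 score scale and the function names are constructed assumptions, not data from any biometric sensor.

```python
# Constructed matcher scores (higher = more confident the sample matches the enrolled
# template). These are illustrative numbers, not measurements from a real sensor.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.90, 0.72, 0.87, 0.93, 0.81]   # enrolled user
IMPOSTOR = [0.35, 0.62, 0.48, 0.71, 0.55, 0.40, 0.66, 0.52, 0.74, 0.44]  # other people


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False Acceptance Rate (Type II error): impostor scores at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine=GENUINE) -> float:
    """False Rejection Rate (Type I error): genuine scores below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR) -> float:
    """Threshold at which FAR and FRR are closest: the CER point on the chart."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))


def threshold_for_risk_appetite(max_far: float, genuine=GENUINE, impostor=IMPOSTOR) -> float:
    """Lowest (most user-friendly) threshold whose FAR stays within the tolerated level.

    Demanding more confidence moves the operating point toward the 'security' end of
    the chart at the price of more false rejections; demanding less does the reverse."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(t, impostor) <= max_far:
            return t
    raise ValueError("no threshold meets the requested FAR")


def decide(score: float, threshold: float) -> bool:
    """Collapse a confidence score into the traditional pass/fail at the chosen threshold."""
    return score >= threshold
```

With these scores the curves cross at 0.74 (FAR = FRR = 0.1); insisting on zero false acceptances pushes the threshold to 0.79 and rejects one genuine attempt in ten.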
  74. 4. Characteristics – Voice pattern (dynamic)
      • Compares a speech sample with reference material
      • Low accuracy – Even lower with background noise
      • Well accepted
      • Long response time (10–14 seconds)
      Image: http://en.wikipedia.org/wiki/Image:Human_voice_spectrogram.jpg
  75. 4. Characteristics – Facial recognition (dynamic)
      • Measures certain features of the face – 14 of the 80 measurable features are selected
        – Distance between eyes
        – Shape of chin and jaw
        – Length and width of the nose
        – Shape of cheek bones and eye sockets
      Image: http://www.wpi.edu/News/Transformations/2002Spring/Images/recognition1.jpg
  76. 4. Characteristics – Facial recognition (dynamic)
      • Good for authentication
        – Accurate in a controlled environment
        – Could provide continuous authentication
        – Less invasive than a retinal scan
      • Not very good for identification
        – Less accurate in a moving crowd
        – Not well accepted due to privacy reasons
  77. 4. Characteristics – Signature dynamics (dynamic)
      • Records pen stroke dynamics
        – Speed
        – Direction
        – Pressure
      • Accurate
      • Well accepted
      • Way better than a static signature
        – More features can be observed
        – No physical leftovers
  78. 4. Characteristics – Typing rhythm (keystroke dynamics) (dynamic)
      • Measures key dwell and flight time
      • Well accepted
      • Accurate
      • Very easy to deploy
      • Provides continuous authentication – Helps to identify account sharing
      • Temporal variations may render false negatives – A gazillion reasons
  79. 4. Characteristics – SYA Pros/Cons
      • Not easily transferable between humans
        – Very good accountability (nothing to lose)
        – Although one can lose their finger
      • Immune to most of the classic attacks
        – Key logging
        – Shoulder surfing
        – Brute force/dictionary attacks
      • Hinders social engineering attacks
      • Impedes IT staff abuse of privileges
  80. 4. Characteristics – SYA Pros/Cons
      • May be used to track individuals (privacy concerns)
      • The most intrusive factor
      • Susceptible to sniffing and replay attacks – Suitable for local authentication
  81. 5/5 2FA (Strong Authentication)
  82. What is 2FA again? A combination of any 2 of the 3 available factors
  83. And what's not 2FA?
      • Finger scanner on your laptop
      • Door pass at the premises
      • Thumb-locked pendrive
      Image: http://www.turbogadgets.com/wp-content/uploads/2007/03/fingerprint-pendrive.jpg
  84. Image: http://blog.kievukraine.info/uploaded_images/2043-733282.jpg
