Transcript

  • 1. Strong Authentication (2FA) Michał Sobiegraj, CISSP michal@sobiegraj.com
  • 2. 1. Access Control 2. Knowledge 3. Ownership 4. Characteristics 5. 2FA
  • 3. 1/5 Access Control
  • 4. 1 Access control 1. Identification – Who do you say you are? 2. Authentication (1) – Prove it! 3. Authorisation (1 & 2 & ACL/Capability List) – OK, so here is what you can do. 4. Accountability (1 & 2 & Audit trail) – You are responsible for this!
  • 5. 1 Identification methods • User ID • Account number • PIN • Badge • Biometrics
  • 6. 1 Identifier characteristics • Unique to each user • Not relating to a job function • Standardised naming conventions
  • 7. 1 Authentication • Knowledge based – Something only you know • Ownership based – Something only you have • Characteristics based – Something only you are
  • 8. 1 Traditional means of identification and authentication • People knew each other in person – They used face recognition – Something only you are (biometrics) • Internet made it useless – More need for proving identity – Impossible to know people in person
  • 9. 1 Authentication Each single factor is fairly easy to compromise. Let's use 2 factors!
  • 10. 1
  • 11. 1 Classic examples of 2FA ATM (Automated Teller Machine) – Something you have (card) – Something you know (PIN) Credit card and signature – Something you have (card) – Something you are (signature)
  • 12. 2/5 Knowledge (Something You Know)
  • 13. 2. Knowledge Password/PIN • Free • Easy to use – People got used to it and understand it • The weakest factor – Easily guessable/brute-forceable, or complex • Too complex ones get written down – One password everywhere or many to remember • If there are too many, they get written down
  • 14. 2. Knowledge Cognitive password • Series of random personal questions • Takes longer to authenticate • No need to remember a password • Fairly weak if based on personal information
  • 15. 2. Knowledge Passphrase • Longer to enter than a password • Less susceptible to brute forcing and guessing • Still sniff-able and susceptible to key logging
  • 16. 2. Knowledge SYK Pros/Cons • No need to carry anything • Susceptible to classic attacks – Key logging – Social engineering/shoulder surfing – Brute force/dictionary attacks – Sniffing and replay attacks – IT Staff abuse of privileges – Man in the middle attacks http://img.alibaba.com/photo/11475911/KeyShark_Hardware_Keylogger.jpg http://www.phuketgazette.com/newsimages/bull8282007-5914-4.jpg
  • 17. 2. Knowledge SYK Pros/Cons • No strong accountability – Easily shareable • Frequently written down in predictable places http://klaatu.anastrophe.com/wp-images/postit.jpg
  • 18. 3/5 Ownership (Something You Have)
  • 19. 3. Ownership PKI Certificate • Transfers trust – Make sure the signer is trustworthy! • Usually server authenticates to the user – Mutual authentication may cause significant administrative overhead • Something not only you have – Google: "index of" +ovpn – Courtesy Aleksander P.
  • 20. 3. Ownership One Time Password (OTP) list • Session based authentication • Valid only once – Usually only for a short period of time • Not reusable by design – Not susceptible to replay attacks • A paper list or an electronic generator
  • 21–26. 3. Ownership Asynchronous token (challenge – response) Usually requires user to retype the challenge into the token http://www.cc.com.pl/img/vasco/300photo.gif
  • 27. 3. Ownership Synchronous token • Generates a deterministic random-looking value every minute/button push • The value is cryptographically derived from: – The previous value – A shared secret known only to a token and to an authentication server v1 = f(seed, secret); v2 = f(v1, secret); etc. • The secret is unrecoverable from the token* * With today’s technology
  • 28. 3. Ownership Synchronous token • Time-based synchronisation – De-syncing in time if not used – Clock drift is corrected – Server accepts neighbouring values • Event-based synchronisation – Easily de-synced by issuing too many values ahead http://www.radiocomputerguy.com/images/paypal_token.gif http://admin.avisian.com/images/rsa1.gif http://en.wikipedia.org/wiki/Image:RSA-SecurID-Tokens.jpg http://www.comprosec.ch/fileadmin/images/rsa/securid/SD520_450x297_72dpi_crop.jpg
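The challenge–response exchange of slides 21–26 and the chained value scheme v1 = f(seed, secret), v2 = f(v1, secret) of slides 27–28, worked through as an added Python example; this is not code from the presentation or from any token vendor. HMAC-SHA256 as the function f, the six-digit display code, the five-value acceptance window, the one-minute drift allowance and the constructed seed, secret and epoch are all assumptions of the example; the slides do not specify them.

```python
import hashlib
import hmac
import secrets

# Constructed material for the demo; a real token and server share these at enrolment.
SEED = b"constructed-seed"
SECRET = b"constructed-shared-secret"
EPOCH = 1_700_000_000   # constructed deployment time; time-based chain index = minutes since EPOCH
DIGITS = 6              # length of the code shown on the token (assumption)


def f(prev: bytes, secret: bytes) -> bytes:
    """One chain step v_{n+1} = f(v_n, secret). HMAC-SHA256 is this example's choice of f;
    the slide only says the value is cryptographically derived from the previous one."""
    return hmac.new(secret, prev, hashlib.sha256).digest()


def chain_value(n: int) -> bytes:
    """v_n, reached by stepping n times from v_0 = SEED."""
    v = SEED
    for _ in range(n):
        v = f(v, SECRET)
    return v


def to_code(v: bytes) -> str:
    """Truncate a chain value to a DIGITS-long decimal code for the token display."""
    return f"{int.from_bytes(v[:4], 'big') % 10 ** DIGITS:0{DIGITS}d}"


def codes_match(a: str, b: str) -> bool:
    """Constant-time comparison so verification time does not leak matching prefixes."""
    return hmac.compare_digest(a.encode(), b.encode())


# --- Asynchronous token (slides 21-26): server issues a challenge, token answers it ---

def challenge_response(challenge: str) -> str:
    """What the token shows after the user retypes the server's challenge into it."""
    return to_code(hmac.new(SECRET, challenge.encode(), hashlib.sha256).digest())


class ChallengeServer:
    def __init__(self):
        self.outstanding = set()         # challenges issued and not yet answered

    def challenge(self) -> str:
        c = f"{secrets.randbelow(10 ** 8):08d}"   # short enough to retype by hand
        self.outstanding.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.outstanding:
            return False                 # never issued, or already used: a replay
        self.outstanding.discard(challenge)
        return codes_match(response, challenge_response(challenge))


# --- Synchronous token, event-based (slide 28): each button push advances the chain ---

class EventToken:
    def __init__(self):
        self.counter = 0

    def press(self) -> str:
        self.counter += 1
        return to_code(chain_value(self.counter))


class EventServer:
    def __init__(self, window: int = 5):
        self.window = window             # how many values ahead the server will look
        self.last = 0                    # chain index of the last accepted value

    def verify(self, code: str) -> bool:
        for n in range(self.last + 1, self.last + 1 + self.window):
            if codes_match(code, to_code(chain_value(n))):
                self.last = n            # resynchronise; n and everything before it is spent
                return True
        return False                     # more than `window` pushes ahead: token is de-synced


# --- Synchronous token, time-based (slide 28): the chain index is the current minute ---

class TimeToken:
    def value(self, now: int) -> str:
        return to_code(chain_value((now - EPOCH) // 60))


class TimeServer:
    def __init__(self, drift: int = 1):
        self.drift = drift               # neighbouring minutes accepted to absorb clock drift
        self.last_step = 0               # latest minute already used, to stop replays

    def verify(self, code: str, now: int) -> bool:
        step = (now - EPOCH) // 60
        for s in range(step - self.drift, step + self.drift + 1):
            if s <= self.last_step:
                continue                 # that minute was already used (or is older): replay
            if codes_match(code, to_code(chain_value(s))):
                self.last_step = s       # step - s is the drift the server just corrected for
                return True
        return False
```

Run against the event-based token, the server accepts a code that is a few pushes ahead and resynchronises to it, refuses the same code a second time, and refuses a code that is more than `window` pushes ahead, which is the de-sync failure mode slide 28 describes. The time-based server accepts the neighbouring minute when its clock is 70 seconds ahead of the token's, but not a code from three minutes earlier, and never the same minute twice.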
  • 29. 3. Ownership Software tokens • Java (J2ME) applets • More convenient • Easier to reverse engineer the secret out http://www.developer.com/img/2006/06/Marcia6.JPG
  • 30. 3. Ownership Man in the Middle (MITM) • None of the factors solve the MITM problem • Insecure connection allows for credentials disclosure – SSL allows only for a TCP link authentication
  • 31–36. 3. Ownership Phishing case
  • 37. 3. Ownership Phishing case • A customised attack • A time-limited OTP is better but still not enough
  • 38. 3. Ownership Out of band channel • E.g. mobile text messaging (SMS) • Addresses the MITM problem • Allows for mutual end-to-end authentication • Convenient
  • 39–45. 3. Ownership Out of band channel
  • 46. 3. Ownership Memory card • Also called a swipe card or a magnetic stripe card • Equipped with a magnetic stripe • Interacts with a reader • Stores authentication information • Relatively inexpensive • Fairly easy to duplicate – Harder than a password, though
  • 47. http://www.cl.cam.ac.uk/~mkb23/atm-skim1.jpg
  • 48. 3. Ownership Smartcard • Interacts through a reader • Contains authentication information – e.g. PKI certificate • Is able to do crypto on-board • Allows for continuous authentication • Tamper-proof – solves the duplication problem http://gallery.hd.org/_exhibits/money/_more2003/_more02/UK-bank-and-credit-cards-smartcard-smartcards-VISA-Mastercard-Nationwide-Barclaycard-Egg-cropped-JR.jpg
  • 49. 3. Ownership http://en.wikipedia.org/wiki/Image:Matkakortti_ja_kortinlukija.jpg
  • 50. 3. Ownership Contactless Smartcard • Contains an RF transceiver (RFID) • Works in close proximity to a reader – Up to 10cm (ISO 14443) – Up to 50cm (ISO 15693) • Quick and hands-free • Contactless credit card – No PIN required – Small amounts $5-50
  • 51. 3. Ownership Potential issues with smartcards • Privacy concerns – Contactless smartcards make it possible to track individuals without their knowledge • Easy to damage the chip
  • 52. 3. Ownership iButton http://commons.wikimedia.org/wiki/Image:1-Wire_lock.jpg
  • 53. 3. Ownership Form factor • Feasibly small and convenient • Attachable to something you usually have with you – Key-dongles – Wallet size cards – Credit-card size tokens – Phone applets or a phone itself
  • 54. 3. Ownership SYH Pros/Cons • Not susceptible to classic attacks – Key logging – Shoulder surfing – Brute force/dictionary attacks – Sniffing and replay attacks • Hinders social engineering attacks • Impedes IT Staff abuse of privileges • Stronger accountability – Responsibility of the owner – Although still not strong enough
  • 55. http://img.thedailywtf.com/Images/200612/rsakey.jpg
  • 56. 3. Ownership SYH Pros/Cons • Easily lost – Burden of revoking the token and getting a new one – Not much harm if combined with another factor
  • 57. 4/5 Characteristics (Something You Are)
  • 58. 4. Characteristics Static Physiological characteristics of a human body • Fingerprints • Iris granularity • Retina blood vessels • Facial looks • Hand geometry
  • 59. 4. Characteristics Dynamic Behavioral characteristics of a human body • Voice inflections • Keyboard strokes • Signature dynamics
  • 60. 4. Characteristics Biometrics selection criteria • Accuracy • Acceptability • Reaction time
  • 61. 4. Characteristics Crossover Error Rate (chart: Error Rate against the threshold setting, from User friendliness on one side to Security/Accuracy on the other; curves False Acceptance Error Rate (Type II) and False Rejection Error Rate (Type I); CER marks the point where they cross)
  • 62. 4. Characteristics http://www.newenglandchapel.org/images/fingerprint.jpg
  • 63. 4. Characteristics Fingerprint static • Characteristic points are marked on a print • Positions are specified relatively to other marks http://shs.westport.k12.ct.us/forensics/04-fingerprints/fingerprint_parts.jpg
  • 64. 4. Characteristics Fingerprint and palm print static • Compares computed pattern with a stored one • High accuracy – Fairly simple for small sets of potential matches • Good acceptance • 5 – 7 seconds for reaction
  • 65. 4. Characteristics Fingerprint scanner types • Static picture scanner • Line scanners – Scan is dynamic – Harder to fool http://www.trustedreviews.com/images/article/inline/3331-6.jpg http://www.mrgadget.com.au/catalog/images/targus_defcon_authenticator_usb.jpg
  • 66. 4. Characteristics
  • 67. 4. Characteristics Hand geometry scan static • Measures hand features – Length, width, thickness and contour of fingers • Not very accurate – Not good in large populations • Hand shape is not as unique as a fingerprint – Good in combination with another factor • Well accepted • Very fast reaction (3 – 5 seconds) • Reader is quite large
  • 68. 4. Characteristics Diagram of a human eye http://en.wikipedia.org/wiki/Image:Human_eye_cross-sectional_view_grayscale.png
  • 69. 4. Characteristics http://research.unc.edu/endeavors/win2005/images/retina.jpg
  • 70. 4. Characteristics Retinal scan static • Compares blood vessels with a reference • Very high accuracy – Retinal pattern is entirely unique – Poor lighting can affect results • Susceptible to eye changes – Diabetes, Heart attacks – Cataract, Glaucoma – Pregnancy • Bad acceptance – Highly invasive – Not very user friendly • Fast reaction (4 – 7 seconds)
  • 71. 4. Characteristics http://en.wikipedia.org/wiki/Image:Humaniris.jpg
  • 72. 4. Characteristics Iris scan static • Compares retina texture with a reference • Very high accuracy (IrisCode algorithm) – No false match reported ever – Iris texture remains stable over decades • Good acceptance – No need to touch anything • Very fast reaction (1 – 2 seconds) • Allows for continuous monitoring – Distance from 10 cm to a few meters – Needs cooperation
  • 73. 4. Characteristics Dynamic characteristics • Measures confidence level – Instead of the traditional pass/fail • Allows for explicitly defined individual risk appetite – By changing accepted confidence level
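The crossover error rate chart of slide 61 and the adjustable confidence level of slide 73, worked through as an added Python example; it is not code from the presentation. The ten genuine and ten impostor matching scores are constructed for the demo, and the acceptance rule "score at or above the threshold" is this example's assumption about how the confidence level is applied.

```python
# Constructed matching scores (0 = no similarity, 1 = perfect match) for ten genuine
# attempts and ten impostor attempts; a real evaluation would have thousands of each.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR = [0.12, 0.20, 0.28, 0.35, 0.41, 0.48, 0.53, 0.58, 0.64, 0.69]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a sample is accepted iff its score >= threshold.
    FAR (Type II error): impostors accepted. FRR (Type I error): genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def candidate_thresholds(genuine, impostor):
    """Every observed score is a possible cut-off; nothing changes between them."""
    return sorted(set(genuine) | set(impostor))


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the thresholds and return (threshold, CER), the point where FAR and FRR
    are closest; the CER is the single number used to compare biometric systems."""
    best_t, best_rate, best_gap = None, None, float("inf")
    for t in candidate_thresholds(genuine, impostor):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_rate, best_gap = t, max(far, frr), gap
    return best_t, best_rate


def threshold_for_risk_appetite(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Slide 73: the risk appetite is set by choosing the accepted confidence level.
    Return (threshold, FAR, FRR) for the lowest threshold whose FAR stays within
    max_far, i.e. the most user-friendly setting that still meets the security target;
    None if no threshold achieves it."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in candidate_thresholds(GENUINE, IMPOSTOR):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    print("crossover (threshold, CER):", crossover())
    print("operating point for FAR <= 10%:", threshold_for_risk_appetite(0.1))
```

Sweeping the threshold upwards, towards the Security/Accuracy end of the slide 61 chart, drives the false acceptance rate down and the false rejection rate up; sweeping it downwards does the reverse. With these scores the two curves meet at a threshold of 0.64, so the CER is 20 %, and an organisation whose risk appetite allows at most 10 % false acceptances would run at 0.66 and accept that 20 % of genuine attempts get rejected.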
  • 74. 4. Characteristics Voice pattern dynamic • Compares a speech sample with a reference material • Low accuracy – Even lower with a background noise • Well accepted • Long response time (10 – 14 seconds) http://en.wikipedia.org/wiki/Image:Human_voice_spectrogram.jpg
  • 75. 4. Characteristics Facial recognition dynamic • Measures certain features of the face – 14 of measurable 80 features are selected – Distance between eyes – Shape of chin and jaw – Length and width of the nose – Shape of cheek bones and eye sockets http://www.wpi.edu/News/Transformations/2002Spring/Images/recognition1.jpg
  • 76. 4. Characteristics Facial recognition dynamic • Good for authentication – Accurate in controlled environment – Could provide continuous authentication – Less invasive than retinal scan • Not very good for identification – Less accurate in moving crowd – Not well accepted due to privacy reasons
  • 77. 4. Characteristics Signature dynamics dynamic • Records pen stroke dynamics – Speed – Direction – Pressure • Accurate • Well accepted • Way better than a static signature – More features can be observed – No physical leftovers
  • 78. 4. Characteristics Typing rhythm (keystroke dynamics) dynamic • Measures key dwell- and flight time • Well accepted • Accurate • Very easy to deploy • Provides continuous authentication – Helps to identify account sharing • Temporal variations may render false negatives – Gazillion of reasons
  • 79. 4. Characteristics SYA Pros/Cons • Not easily transferable between humans – Very good accountability (nothing to lose) – Although one can lose their finger • Immune to most of the classic attacks – Key logging – Shoulder surfing – Brute force/dictionary attacks • Hinders social engineering attacks • Impedes IT Staff abuse of privileges
  • 80. 4. Characteristics SYA Pros/Cons • May be used to track individuals (privacy concerns) • The most intrusive factor • Susceptible to sniffing and replay attacks – Suitable for local authentication
  • 81. 5/5 2FA (Strong Authentication)
  • 82. What is 2FA again? Combination of any 2 of the 3 available factors
  • 83. And what’s not a 2FA? • Finger scanner on your laptop • Door pass at the premises • Thumb-locked pendrive http://www.turbogadgets.com/wp-content/uploads/2007/03/fingerprint-pendrive.jpg
  • 84. http://blog.kievukraine.info/uploaded_images/2043-733282.jpg