Strong Authentication (Michal Sobiegraj)

Strong Authentication (2FA) Michał Sobiegraj, CISSP michal@sobiegraj.com

1. Access Control 2. Knowledge 3. Ownership 4. Characteristics 5. 2FA

1/5 Access Control

1 Access control 1. Identification – Who you say you are? 2. Authentication (1) – Prove it! 3. Authorisation (1 & 2 & ACL/Capability List) – OK, so here is what you can do. 4. Accountability (1 & 2 & Audit trail) – You are responsible for this!

1 Identification methods • User ID • Account number • PIN • Badge • Biometrics

1 Identifier characteristics • Unique to each user • Not relating to a job function • Standardised naming conventions

1 Authentication • Knowledge based – Something only you know • Ownership based – Something only you have • Characteristics based – Something only you are

1 Traditional means of identification and authentication • People knew each other in person – They used face recognition – Something only you are (biometrics) • Internet made it useless – More need for proving identity – Impossible to know people in person

1 Authentication Each single factor is fairly easy to compromise Lets use 2 factors!

1

1 Classic examples of 2FA ATM (Automated Teller Machine) – Something you have (card) – Something you know (PIN) Credit card and signature – Something you have (card) – Something you are (signature)

2/5 Knowledge (Something You Know)

2. Knowledge Password/PIN • Free • Easy to use – People got used to it and understand it • The weakest factor – Easily guessable/bruteforcable or complex • To complex ones get written down – One password everywhere or many to remember • If there is to many, they get written down

2. Knowledge Cognitive password • Series of random personal questions • Takes longer to authenticate • No need to remember a password • Fairly weak if based on personal information

2. Knowledge Passphrase • Longer to enter than a password • Less susceptible to brute forcing and guessing • Still sniff-able and susceptible to key logging

2. Knowledge SYK Pros/Cons • No need to carry anything • Susceptible to classic attacks – Key logging – Social engineering/shoulder surfing – Brute force/dictionary attacks – Sniffing and replay attacks – IT Staff abuse of privileges – Man in the middle attacks http://img.alibaba.com/photo/11475911/KeyShark_Hardware_Keylogger.jpg http://www.phuketgazette.com/newsimages/bull8282007-5914-4.jpg

2. Knowledge SYK Pros/Cons • No strong accountability – Easily shareable • Frequently written down in predictable places http://klaatu.anastrophe.com/wp-images/postit.jpg

3/5 Ownership (Something You Have)

3. Ownership PKI Certificate • Transfers trust – Make sure the signer is trustworthy! • Usually server authenticates to the user – Mutual authentication may cause significant administrative overhead • Something not only you have – Google: \"index of\" +ovpn – Courtesy Aleksander P.

3. Ownership One Time Password (OTP) list • Session based authentication • Valid only once – Usually only for a short period of time • Not reusable by design – Not susceptible to replay attacks • A paper list or an electronic generator

3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif

3. Ownership Asynchronous token (challenge – response) Usually requires user to retype the challenge into the token http://www.cc.com.pl/img/vasco/300photo.gif

3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif

3. Ownership Synchronous token • Generates a deterministic random-looking value every minute/button push • The value is cryptographically derived from: – The previous value – A shared secret known only to a token and to an authentication server v1 = f(seed, secret); v2 = f(v1, secret); etc. • The secret is unrecoverable from the token* * With today’s technology

3. Ownership Synchronous token • Time-based synchronisation – De-syncing in time if not used – Clock drift is corrected – Server accepts neighbouring values • Event-based synchronisation – Easily de-synced by issuing to many values ahead http://www.radiocomputerguy.com/images/paypal_token.gif http://admin.avisian.com/images/rsa1.gif http://en.wikipedia.org/wiki/Image:RSA-SecurID-Tokens.jpg http://www.comprosec.ch/fileadmin/images/rsa/securid/SD520_450x297_72dpi_crop.jpg

3. Ownership Software tokens • Java (J2ME) applets • More convenient • Easier to reverse engineer the secret out http://www.developer.com/img/2006/06/Marcia6.JPG

3. Ownership Man in the Middle (MITM) • None of the factors solve the MITM problem • Insecure connection allows for credentials disclosure – SSL allows only for a TCP link authentication

3. Ownership Phishing case

3. Ownership Phishing case • A customised attack • A time-limited OTP is better but still not enough

3. Ownership Out of band channel • E.g. mobile text messaging (SMS) • Adresses the MITM problem • Allows for mutual end-to-end authentication • Convenient

3. Ownership Out of band channel

3. Ownership Memory card • Also called a swipe card or a magnetic stripe card • Equipped with a magnetic stripe • Interacts with a reader • Stores authentication information • Relatively inexpensive • Fairly easy to duplicate – Harder then a password, though

http://www.cl.cam.ac.uk/~mkb23/atm-skim1.jpg

3. Ownership Smartcard • Interacts through a reader • Contains authentication information – e.g. PKI certificate • Is able to do crypto on-board • Allows for continous authentication • Tamper-proof  solves the duplication problem http://gallery.hd.org/_exhibits/money/_more2003/_more02/UK-bank-and-credit-cards-smartcard-smartcards-VISA-Mastercard-Nationwide-Barclaycard-Egg-cropped-JR.jpg

3. Ownership http://en.wikipedia.org/wiki/Image:Matkakortti_ja_kortinlukija.jpg

3. Ownership Contactless Smartcard • Contains an RF transciver (RFID) • Works in close proximity to a reader – Up to 10cm (ISO 14443) – Up to 50cm (ISO 15693) • Quick and hands-free • Contactless credit card – No PIN required – Small amounts $5-50

3. Ownership Potential issues with smartcards • Privacy concerns – Contactless smartcards make it possible to track individuals without their knowledge • Easy to damage the chip

3. Ownership iButton http://commons.wikimedia.org/wiki/Image:1-Wire_lock.jpg

3. Ownership Form factor • Feasibly small and convenient • Attachable to something you usually have with you – Key-dongles – Wallet size cards – Credit-card size tokens – Phone applets or a phone itself

3. Ownership SYH Pros/Cons • Not susceptible to classic attacks – Key logging – Shoulder surfing – Brute force/dictionary attacks – Sniffing and replay attacks • Hinders social engineering attacks • Impedes IT Staff abuse of privileges • Stronger accountability – Responsibility of the owner – Although still not strong enough

http://img.thedailywtf.com/Images/200612/rsakey.jpg

3. Ownership SYH Pros/Cons • Easily lost – Burden of revoking the token and getting a new one – Not much harm if combined with another factor

4/5 Characteristics (Something You Are)

4. Characteristics Static Physiological characteristics of a human body • Fingerprints • Iris granularity • Retina blood vessels • Facial looks • Hand geometry

4. Characteristics Dynamic Behavioral characteristics of a human body • Voice inflections • Keyboard strokes • Signature dynamics

4. Characteristics Biometrics selection criteria • Accuracy • Acceptability • Reaction time

4. Characteristics Crossover Error Rate User friendlieness Error Rate CER Security Accuracy False Acceptance Error Rate (Type II) False Rejection Error Rate (Type I)

4. Characteristics http://www.newenglandchapel.org/images/fingerprint.jpg

4. Characteristics Fingerprint static • Characteristic points are marked on a print • Positions are specified relatively to other marks http://shs.westport.k12.ct.us/forensics/04-fingerprints/fingerprint_parts.jpg

4. Characteristics Fingerprint and palm print static • Compares computed pattern with a stored one • High accuracy – Fairly simple for small sets of potential matches • Good acceptance • 5 – 7 seconds for reaction

4. Characteristics Fingerprint scanner types • Static picture scanner • Line scanners – Scan is dynamic – Harder to fool http://www.trustedreviews.com/images/article/inline/3331-6.jpg http://www.mrgadget.com.au/catalog/images/targus_defcon_authenticator_usb.jpg

4. Characteristics

4. Characteristics Hand geometry scan static • Measures hand features – Length, width, thickness and contour of fingers • Not very accurate – Not good in large populations • Hand shape is not as unique as a finger print – Good in combination with another factor • Well accepted • Very fast reaction (3 – 5 seconds) • Reader is quite large

4. Characteristics Diagram of a human eye http://en.wikipedia.org/wiki/Image:Human_eye_cross-sectional_view_grayscale.png

4. Characteristics http://research.unc.edu/endeavors/win2005/images/retina.jpg

4. Characteristics Retinal scan static • Compares blood vessels with a reference • Very high accuracy – Retinal pattern is entirely unique – Poor lighting can affect results • Susceptible to eye changes – Diabetes, Heart attacks – Cataract, Glaucoma – Pregnancy • Bad acceptance – Highly invasive – Not very user friendly • Fast reaction (4 – 7 seconds)

4. Characteristics http://en.wikipedia.org/wiki/Image:Humaniris.jpg

4. Characteristics Iris scan static • Compares retina texture with a reference • Very high accuracy (IrisCode algorithm) – No false match reported ever – Iris texture remain stable over decades • Good acceptance – No need to touch anything • Very fast reaction (1 – 2 seconds) • Allows for continuous monitoring – Distance from 10 cm to a few meters – Needs cooperation

4. Characteristics Dynamic characteristics • Measures confidence level – Instead of the traditional pass/fail • Allows for explicitly defined individual risk appetite – By changing accepted confidence level

4. Characteristics Voice pattern dynamic • Compares a speech sample with a reference material • Low accuracy – Even lower with a background noise • Well accepted • Long response time (10 – 14 seconds) http://en.wikipedia.org/wiki/Image:Human_voice_spectrogram.jpg

4. Characteristics Facial recognition dynamic • Measures certain features of the face – 14 of measurable 80 features are selected – Distance between eyes – Shape of chin and jaw – Length and width of the nose – Shape of cheek bones and eye sockets http://www.wpi.edu/News/Transformations/2002Spring/Images/recognition1.jpg

4. Characteristics Facial recognition dynamic • Good for authentication – Accurate in controlled environment – Could provide continuous authentication – Less invasive then retinal scan • Not very good for identification – Less accurate in moving crowd – Not well accepted due to privacy reasons

4. Characteristics Signature dynamics dynamic • Records pen stroke dynamics – Speed – Direction – Pressure • Accurate • Well accepted • Way better then a static signature – More features can be observed – No physical leftovers

4. Characteristics Typing rhythm (keystroke dynamics) dynamic • Measures key dwell- and flight time • Well accepted • Accurate • Very easy to deploy • Provides continuous authentication – Helps to identify account sharing • Temporal variations may render false negatives – Gazillion of reasons

4. Characteristics SYA Pros/Cons • Not easily transferable between humans – Very good accountability (nothing to lose) – Although one can lose their finger • Immune to most of the classic attacks – Key logging – Shoulder surfing – Brute force/dictionary attacks • Hinders social engineering attacks • Impedes IT Staff abuse of privileges

4. Characteristics SYA Pros/Cons • May be used to track individuals (privacy concerns) • The most intrusive factor • Susceptible to sniffing and replay attacks – Suitable for local authentication

5/5 2FA (Strong Authentication)

What is 2FA again? Combination of any 2 of the 3 available factors

And what’s not a 2FA? • Finger scanner on your laptop • Door pass at the premises • Thumb-locked pendrive http://www.turbogadgets.com/wp-content/uploads/2007/03/fingerprint-pendrive.jpg

http://blog.kievukraine.info/uploaded_images/2043-733282.jpg

Strong Authentication (Michal Sobiegraj)

1 comments

Notes on slide 1

3 Favorites & 1 Group