This document discusses strong authentication methods that use two factors of identification. It describes traditional methods like ATM cards that use something you have (the card) and something you know (the PIN). Modern methods discussed include one-time passwords, smart cards, and out-of-band authentication using a mobile phone for an extra layer of security beyond just a password. The document analyzes the security and weaknesses of various knowledge-based and ownership-based authentication approaches.
The subject of passwords is important today since they protect all of your accounts, and are frequently attacked by crackers. In this presentation I examine the technology used to handle and protect passwords, and make recommendations for what the user can do to protect themselves online.
The document discusses advanced fraud detection challenges in the financial sector. Cybercrime is growing more sophisticated as attacks now come from smart hackers targeting high-value systems and users. Traditional defenses using signatures are ineffective against modern threats like spear phishing, coordinated hacker attacks, malware, and insider threats. The document argues a new approach is needed that can detect patterns across networked systems, privileged users, and applications to spot fraud early. It provides examples of how advanced detection techniques can identify attacks including botnets, man-in-the-browser, and compromised insider accounts.
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure (AdaCore)
Formal security analysis methods like the applied pi calculus and ProVerif tool can help analyze critical infrastructure systems by finding vulnerabilities. The speaker discusses past work analyzing e-passports, EMV cards, basic access control for passports, and contactless payments. Formal modeling of a European train control system found issues like messages could be replayed or delayed without detection. The conclusion emphasizes that formal methods help analysts thoroughly examine systems and have found issues missed by other analyses, especially for proprietary crypto.
Wireless Hotspot: The Hackers Playground (Jim Geovedi)
This document discusses security issues with publicly accessible wireless hotspot networks. It begins with an overview of how wireless hotspots work and then explores various ways hackers could exploit vulnerabilities, including using default or guessable credentials, tunneling to bypass restrictions, hijacking active sessions, and discovering private user information by guessing room numbers. It demonstrates tools and techniques a hacker could use to decrypt passwords, access administrative interfaces, and steal credit card details from poorly secured hotspot systems. The goal is to raise awareness of inherent security flaws in hotspot networks and promote safer mobile computing practices.
The document discusses improving security user interfaces (UIs) on web browsers. It proposes replacing the ubiquitous padlock icon with an identity indicator called "Larry" that clearly shows website identity using extended validation certificates. Larry is evaluated against five rules for good security UI ("MRRAB"): meaningful, relevant, robust, available, and brave. The document also considers other aspects of security UI and explores ideas like using social connections and past browsing history to help users identify legitimate websites. It aims to spark discussion on making security indicators more understandable and effective for users.
Authentication tokens are used to prove one's identity electronically. They can be hardware or software based, and use passwords, cryptographic keys, or biometric data to authenticate users. Time-synchronized one-time password tokens generate new passwords constantly, while algorithm-based tokens use complex math to generate unguessable one-time passwords. Connected tokens transmit authentication data automatically when connected, while disconnected tokens require manual entry of generated passwords. Smart cards are a type of disconnected token that store and process data using an embedded microchip, providing secure multi-factor authentication through passwords, cryptography, and potentially biometric data.
Learn about basic cybersecurity tips for protecting your computers, accounts and personal information. Topics include passwords and authentication, proactive defense against unwanted software and how to keep your devices current with security updates.
This document proposes adding fingerprint authentication to ATM security to address weaknesses in traditional PIN-based security. The objective is to provide biometric security through fingerprint scanning. Fingerprints provide highly accurate identification compared to traditional security methods. Advantages include ease of use, inability to forget or lose fingerprints, and standardization. Disadvantages include potential for misidentification, high cost, and difficulties for some users like those with injuries affecting fingerprints. The conclusion is that fingerprint security provides stability, reliability, and ease of use for ATM access.
This document provides an overview of authentication topics, including:
- Defining authentication and the three main electronic authentication factors: something you know, something you have, something you are.
- Discussing common authentication methods like usernames/passwords and their benefits and drawbacks.
- Covering other authentication methods such as one-time passwords, biometrics, digital certificates, and knowledge-based authentication.
- Identifying issues with initial credentialing and key concepts regarding the state of digital authentication.
This document provides an overview of authentication topics, including:
- Defining authentication and the three main electronic authentication factors: something you know, something you have, something you are.
- Discussing common authentication methods like usernames/passwords and their benefits and drawbacks.
- Explaining one-time password devices, biometric authentication, and digital certificates.
- Identifying issues with current authentication techniques and outlining key concepts regarding authentication.
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
https://www.slideshare.net/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
This document discusses user authentication and host-to-host authentication. It describes several methods of user authentication including passwords, one-time passwords, smart cards, and biometrics. It also discusses network-based authentication and cryptographic techniques for host-to-host authentication, noting that cryptographic authentication provides stronger authentication but requires solutions to issues like securing the key distribution center and protecting hosts' cryptographic keys.
The document summarizes a workshop on cryptography and ethical hacking. It discusses several modules that will be covered, including cryptography concepts, Windows password hacking, phishing and data security, SQL injection and webcam hacking, and batch programming and viruses. For the first module on cryptography concepts, the document provides an overview of topics like threats to electronic communications, cryptography principles, message digests, symmetric and asymmetric cryptography, practical cryptography implementation, the role of public authorities, and conclusions. Examples of cryptographic algorithms and standards like DES, RSA, and digital certificates are also outlined.
This document outlines tips and techniques used by penetration testers. It begins with an introduction explaining that penetration testing involves both standardized methodologies as well as improvisation. The document then provides several tips related to reconnaissance, scanning, networking, passwords, and reporting from penetration tests. Each tip is meant to help save time, enable hacks that otherwise wouldn't be possible, or better help clients understand security risks. Overall, the tips suggest using common tools and techniques creatively to find and exploit security vulnerabilities.
Johnathan Nightingale of Mozilla Corporation presents ideas for improving browser security user interfaces (UI). He argues that existing security UIs like padlocks are sparse, incomprehensible, and not carefully designed. He proposes five rules for good security UI: be meaningful, relevant, robust, available, and brave. As an example, he suggests replacing padlocks with "Larry", an identity indicator that clearly shows website identity and is based on standardized Extended Validation certificates. The presentation concludes by discussing additional aspects of security UI and soliciting further ideas and discussion.
Sergey Gordeychik gave a presentation on how to hack telecom networks and stay alive. He discussed that telecom networks have many perimeters including subscribers, partners, offices, and technology networks. He outlined specific attacks such as gaining unauthorized access to subscriber self-service portals or exploiting vulnerabilities in VoIP infrastructure. Gordeychik emphasized that telecom networks are complex with many third-party systems, exotic technologies, and administrative issues that can enable attacks if not properly secured. Forensics after an attack can also be very challenging in these large, dynamic networks.
F. Questier, Computer security, workshop for Lib@web international training program 'Management of Electronic Information and Digital Libraries', University of Antwerp, October 2015
Revisiting atm vulnerabilities for our fun and vendor’s (Olga Kochetova)
The document discusses vulnerabilities in ATM systems that can allow attackers to steal cash or users' financial information. It provides examples of past malware attacks on ATMs and describes technical methods attackers have used to gain unauthorized access and control of ATM components like card readers, cash dispensers, and PIN pads. The authors argue that current security measures are insufficient and that vendors prioritize profits over fixing issues. They call for implementing stronger authentication of ATM devices and transactions to help address ongoing threats.
The document discusses how to secure electronic passports. It outlines passport threats like forgery and look-alike fraud. It then summarizes available protection mechanisms under ICAO standards, including storing certificates and biometrics on chips. It analyzes security challenges for inspection terminals and accessing personal data. It concludes that while electronic passports improve forgery protection, look-alike fraud remains an issue without reliable biometrics, and contactless chips introduce privacy concerns.
Trends in electronic crimes and its impact on businesses like yours (MotherGuardians)
The USSS discusses its dual mission of presidential protection and investigating financial crimes such as counterfeiting, identity theft, and cyber crimes. It outlines current cyber crime trends like skimming devices, network intrusions, point of sale breaches, targeted malware, and data breaches. It then provides a case study of how a network intrusion investigation may proceed, from initial detection to identifying compromised systems and retrieving stolen data.
This document summarizes a talk given by Weston Hecker on his new open source anti-malware software called Skimbad. Hecker has over 11 years experience in security research and penetration testing. Skimbad aims to stop credit card data exfiltration by malware by generating fake credit card numbers that will make any batches of stolen numbers unusable. The software works by monitoring memory for credit card numbers and replacing real numbers with randomized fake numbers on the point-of-sale system before the data can be sent to a server by malware. Hecker believes this approach could be built into all point-of-sale systems to help prevent credit card data breaches.
Slides from Ben Whitaker's talk about new mobile ticketing approaches for public transport including mobile payments via credit card this month at the UK's ITS Passenger Information Interest Group's seminar on Options for Ticketing and Standards in Ticketing on the 27th May 2009 in London.
Highlights of new features in the UK's Rail Barcode Ticket standard, and a brief summary of the lower capital expenditure soft-rollout of visual barcode ticketing on paper and mobile versus the large up-front costs of smartcard. Finally a summary of selling tickets from the mobile phone, and the benefits it brings to the operator.
Challenges Building Secure Mobile Applications (Masabi)
This document discusses the challenges of building secure mobile applications. It covers why security is important for mobile, how to secure applications in an insecure mobile environment, and case studies of mobile security implementations. Some key points discussed include using HTTPS for end-to-end security, securing the key exchange process, ensuring strong entropy for keys, implementing message integrity checks, and supporting a wide range of mobile devices and networks.
This document discusses protecting customer confidential information and cybersecurity for small and medium-sized businesses. It outlines common data breaches, regulations around privacy, and strategies for securing data through technical controls and policies for people, including restricting access, encryption, training, and disposal of old data. The presentation emphasizes assessing risks and building security into daily operations, not as an extra task.
Token Authentication for Java Applications (Stormpath)
Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments?
This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
How to implement PassKeys in your application (Marian Marinov)
PassKeys are a relatively new way of authentication. This presentation aims to provide a bit of guidance on how you can implement them in your own application.
Similar to Strong Authentication (Michal Sobiegraj) (20)
The document discusses various security issues that can occur on web portals, including cross-site scripting (XSS) vulnerabilities that allow altering of content or stealing cookies, and cross-site request forgery (CSRF) attacks. It provides examples of how these attacks can be carried out, such as using XSS to change website branding or send a user's cookies to an attacker. The document recommends mitigation techniques like input filtering, consistency checks, and tying sessions to IP addresses to help prevent these types of attacks.
Slide 4, section 1: Access control
1. Identification
– Who do you say you are?
2. Authentication (1)
– Prove it!
3. Authorisation (1 & 2 & ACL/Capability List)
– OK, so here is what you can do.
4. Accountability (1 & 2 & Audit trail)
– You are responsible for this!
Slide 5, section 1: Identification methods
• User ID
• Account number
• PIN
• Badge
• Biometrics
Slide 6, section 1: Identifier characteristics
• Unique to each user
• Not relating to a job function
• Standardised naming conventions
Slide 7, section 1: Authentication
• Knowledge based
– Something only you know
• Ownership based
– Something only you have
• Characteristics based
– Something only you are
Slide 8, section 1: Traditional means of identification and authentication
• People knew each other in person
– They used face recognition
– Something only you are (biometrics)
• The Internet made it useless
– More need for proving identity
– Impossible to know people in person
Slide 9, section 1: Authentication
Each single factor is fairly easy to compromise.
Let's use 2 factors!
Slide 11, section 1: Classic examples of 2FA
ATM (Automated Teller Machine)
– Something you have (card)
– Something you know (PIN)
Credit card and signature
– Something you have (card)
– Something you are (signature)
Slide 13, section 2 (Knowledge): Password/PIN
• Free
• Easy to use
– People got used to it and understand it
• The weakest factor
– Either easily guessable/brute-forceable, or complex
• Too complex ones get written down
– One password everywhere, or many to remember
• If there are too many, they get written down
Slide 14, section 2 (Knowledge): Cognitive password
• Series of random personal questions
• Takes longer to authenticate
• No need to remember a password
• Fairly weak if based on personal information
Slide 15, section 2 (Knowledge): Passphrase
• Longer to enter than a password
• Less susceptible to brute forcing and guessing
• Still sniff-able and susceptible to key logging
Slide 16, section 2 (Knowledge): SYK (Something You Know) Pros/Cons
• No need to carry anything
• Susceptible to classic attacks
– Key logging
– Social engineering/shoulder surfing
– Brute force/dictionary attacks
– Sniffing and replay attacks
– IT Staff abuse of privileges
– Man in the middle attacks
17. 2. Knowledge
SYK Pros/Cons
• No strong accountability
– Easily shareable
• Frequently written down in predictable places
19. 3. Ownership
PKI Certificate
• Transfers trust
– Make sure the signer is trustworthy!
• Usually server authenticates to the user
– Mutual authentication may cause significant administrative overhead
• Something not only you have
– Google: "index of" +ovpn
– Courtesy Aleksander P.
20. 3. Ownership
One Time Password (OTP) list
• Session based authentication
• Valid only once
– Usually only for a short period of time
• Not reusable by design
– Not susceptible to replay attacks
• A paper list or an electronic generator
22. 3. Ownership
Asynchronous token
(challenge – response)
Usually requires the user to retype the challenge into the token
27. 3. Ownership
Synchronous token
• Generates a deterministic random-looking value every minute/button push
• The value is cryptographically derived from:
– The previous value
– A shared secret known only to the token and to the authentication server
v1 = f(seed, secret); v2 = f(v1, secret); etc.
• The secret is unrecoverable from the token*
* With today’s technology
28. 3. Ownership
Synchronous token
• Time-based synchronisation
– Drifts out of sync over time if not used
– Clock drift is corrected
– Server accepts neighbouring values
• Event-based synchronisation
– Easily de-synced by issuing too many values ahead
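The chained derivation v(n+1) = f(v(n), secret) and both synchronisation schemes, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the function f, a six-digit display of the chain value, a server look-ahead window of five events for the event-based token and one neighbouring minute for the time-based one; the seed and secret are constructed sample values. It also shows the one-time property from the OTP list slide: a value the server has already accepted is rejected when presented again.

```python
import hashlib
import hmac


def _next(secret: bytes, previous: bytes) -> bytes:
    # f(previous, secret): HMAC-SHA256 is a constructed choice for the slide's f.
    return hmac.new(secret, previous, hashlib.sha256).digest()


def _display(value: bytes, digits: int = 6) -> str:
    # The token shows the last `digits` decimal digits of the chain value.
    return str(int.from_bytes(value[-4:], "big") % 10 ** digits).zfill(digits)


class EventToken:
    """Event-based token: every button push advances the chain v(n+1) = f(v(n), secret)."""

    def __init__(self, seed: bytes, secret: bytes):
        self.state = seed      # v0
        self.secret = secret   # never leaves the token (or the server)

    def push(self) -> str:
        self.state = _next(self.secret, self.state)
        return _display(self.state)


class EventServer:
    """Holds the same seed and secret; accepts values up to `window` pushes ahead."""

    def __init__(self, seed: bytes, secret: bytes, window: int = 5):
        self.state = seed
        self.secret = secret
        self.window = window
        self.counter = 0       # how many pushes the server believes have happened

    def verify(self, code: str) -> bool:
        state = self.state
        for step in range(1, self.window + 1):
            state = _next(self.secret, state)
            if hmac.compare_digest(_display(state).encode(), code.encode()):
                # Resync to the accepted value; it and any skipped values are now
                # behind the server's position, so a sniffed code cannot be replayed.
                self.state, self.counter = state, self.counter + step
                return True
        return False           # more than `window` pushes ahead: the token is de-synced


def time_code(secret: bytes, clock: float, step: int = 60) -> str:
    """Time-based token: value derived from the shared secret and the current minute."""
    interval = int(clock // step)
    return _display(_next(secret, interval.to_bytes(8, "big")))


class TimeServer:
    """Accepts neighbouring intervals and learns the token's clock drift."""

    def __init__(self, secret: bytes, step: int = 60, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.drift = 0         # token clock offset in intervals, corrected on each success

    def verify(self, code: str, clock: float) -> bool:
        base = int(clock // self.step) + self.drift
        for offset in range(-self.window, self.window + 1):
            candidate = _display(_next(self.secret, (base + offset).to_bytes(8, "big")))
            if hmac.compare_digest(candidate.encode(), code.encode()):
                self.drift += offset   # remember the drift for the next check
                return True
        return False


if __name__ == "__main__":
    seed, secret = b"constructed-seed", b"constructed-shared-secret"
    token, server = EventToken(seed, secret), EventServer(seed, secret)
    code = token.push()
    print(server.verify(code), server.verify(code))   # True False (second use is a replay)
```

The window is the trade-off the slide describes: a wider window tolerates more unused button pushes, but also gives a guessed six-digit code more chances to land on an acceptable value, which is why the server must rate-limit failed attempts.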
29. 3. Ownership
Software tokens
• Java (J2ME) applets
• More convenient
• Easier to reverse engineer the secret out
30. 3. Ownership
Man in the Middle (MITM)
• None of the factors solve the MITM problem
• An insecure connection allows for credential disclosure
– SSL only authenticates the TCP link
37. 3. Ownership
Phishing case
• A customised attack
• A time-limited OTP is better but still not enough
38. 3. Ownership
Out of band channel
• E.g. mobile text messaging (SMS)
• Addresses the MITM problem
• Allows for mutual end-to-end authentication
• Convenient
46. 3. Ownership
Memory card
• Also called a swipe card or a magnetic stripe card
• Equipped with a magnetic stripe
• Interacts with a reader
• Stores authentication information
• Relatively inexpensive
• Fairly easy to duplicate
– Harder than a password, though
48. 3. Ownership
Smartcard
• Interacts through a reader
• Contains authentication information
– e.g. PKI certificate
• Is able to do crypto on-board
• Allows for continuous authentication
• Tamper resistance solves the duplication problem
50. 3. Ownership
Contactless Smartcard
• Contains an RF transceiver (RFID)
• Works in close proximity to a reader
– Up to 10cm (ISO 14443)
– Up to 50cm (ISO 15693)
• Quick and hands-free
• Contactless credit card
– No PIN required
– Small amounts $5-50
51. 3. Ownership
Potential issues with smartcards
• Privacy concerns
– Contactless smartcards make it possible to track individuals without their knowledge
• Easy to damage the chip
53. 3. Ownership
Form factor
• Feasibly small and convenient
• Attachable to something you usually have with you
– Key-dongles
– Wallet size cards
– Credit-card size tokens
– Phone applets or a phone itself
54. 3. Ownership
SYH Pros/Cons
• Not susceptible to classic attacks
– Key logging
– Shoulder surfing
– Brute force/dictionary attacks
– Sniffing and replay attacks
• Hinders social engineering attacks
• Impedes IT Staff abuse of privileges
• Stronger accountability
– Responsibility of the owner
– Although still not strong enough
58. 4. Characteristics
Static
Physiological characteristics of a human body
• Fingerprints
• Iris granularity
• Retina blood vessels
• Facial looks
• Hand geometry
59. 4. Characteristics
Dynamic
Behavioral characteristics of a human body
• Voice inflections
• Keyboard strokes
• Signature dynamics
63. 4. Characteristics
Fingerprint
static
• Characteristic points are marked on a print
• Positions are specified relative to other marks
64. 4. Characteristics
Fingerprint and palm print
static
• Compares the computed pattern with a stored one
• High accuracy
– Fairly simple for small sets of potential matches
• Good acceptance
• 5 – 7 seconds for reaction
65. 4. Characteristics
Fingerprint scanner types
• Static picture scanner
• Line scanners
– Scan is dynamic
– Harder to fool
67. 4. Characteristics
Hand geometry scan
static
• Measures hand features
– Length, width, thickness and contour of fingers
• Not very accurate
– Not good in large populations
• Hand shape is not as unique as a fingerprint
– Good in combination with another factor
• Well accepted
• Very fast reaction (3 – 5 seconds)
• Reader is quite large
68. 4. Characteristics
Diagram of a human eye
72. 4. Characteristics
Iris scan
static
• Compares iris texture with a reference
• Very high accuracy (IrisCode algorithm)
– No false match reported ever
– Iris texture remains stable over decades
• Good acceptance
– No need to touch anything
• Very fast reaction (1 – 2 seconds)
• Allows for continuous monitoring
– Distance from 10 cm to a few meters
– Needs cooperation
73. 4. Characteristics
Dynamic characteristics
• Measures confidence level
– Instead of the traditional pass/fail
• Allows for an explicitly defined individual risk appetite
– By changing accepted confidence level
74. 4. Characteristics
Voice pattern
dynamic
• Compares a speech sample with reference material
• Low accuracy
– Even lower with a background noise
• Well accepted
• Long response time (10 – 14 seconds)
75. 4. Characteristics
Facial recognition
dynamic
• Measures certain features of the face
– 14 of the 80 measurable features are selected
– Distance between eyes
– Shape of chin and jaw
– Length and width of the nose
– Shape of cheekbones and eye sockets
76. 4. Characteristics
Facial recognition
dynamic
• Good for authentication
– Accurate in controlled environment
– Could provide continuous authentication
– Less invasive than a retinal scan
• Not very good for identification
– Less accurate in moving crowd
– Not well accepted due to privacy reasons
77. 4. Characteristics
Signature dynamics
dynamic
• Records pen stroke dynamics
– Speed
– Direction
– Pressure
• Accurate
• Well accepted
• Way better than a static signature
– More features can be observed
– No physical leftovers
78. 4. Characteristics
Typing rhythm (keystroke dynamics)
dynamic
• Measures key dwell and flight times
• Well accepted
• Accurate
• Very easy to deploy
• Provides continuous authentication
– Helps to identify account sharing
• Temporal variations may render false negatives
– For a gazillion reasons
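Confidence-based decisions with an adjustable risk appetite (the "Dynamic characteristics" slide), applied to the dwell and flight times of this slide, as an added Python example that is not taken from the deck. The per-position reference profile, the Gaussian similarity score and the three typing samples (a genuine attempt, a slower attempt by the same user, an impostor) are all constructed for the illustration.

```python
import math
import statistics

# A typing sample is a list of (key, press_ms, release_ms) events; all samples are constructed.


def typing(keys: str, dwell_ms, flight_ms):
    """Builds an event list from per-key dwell (hold) and flight (gap to next key) times."""
    events, t = [], 0
    for key, dwell, flight in zip(keys, dwell_ms, flight_ms):
        events.append((key, t, t + dwell))
        t += dwell + flight
    return events


def features(events):
    """Dwell time = release - press; flight time = next press - this release."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def enrol(samples):
    """Reference profile: mean and spread of every dwell/flight position over several typings."""
    profile = {"dwell": [], "flight": []}
    for name, idx in (("dwell", 0), ("flight", 1)):
        for column in zip(*(features(s)[idx] for s in samples)):
            # Floor the spread at 1 ms so a perfectly consistent enrolment cannot divide by zero.
            profile[name].append((statistics.mean(column), max(statistics.pstdev(column), 1.0)))
    return profile


def confidence(profile, events) -> float:
    """Score in (0, 1]: 1.0 means the attempt matches the reference timing exactly."""
    dwell, flight = features(events)
    scores = []
    for observed, (mean, spread) in zip(dwell + flight, profile["dwell"] + profile["flight"]):
        z = abs(observed - mean) / spread
        scores.append(math.exp(-z * z / 2))   # Gaussian similarity, a constructed scoring choice
    return statistics.mean(scores)


def decide(profile, events, required_confidence: float) -> bool:
    """required_confidence is the risk appetite: raise it for sensitive actions."""
    return confidence(profile, events) >= required_confidence


KEYS = "secret"
# Constructed enrolment: the legitimate user holds keys for ~100 ms and pauses ~150 ms between them.
ENROLMENT = [
    typing(KEYS, [100, 110, 95, 105, 100, 98], [150, 160, 140, 155, 145, 150]),
    typing(KEYS, [104, 106, 99, 101, 102, 96], [148, 158, 144, 151, 149, 152]),
    typing(KEYS, [98, 112, 93, 107, 97, 100], [153, 162, 138, 157, 143, 148]),
]
GENUINE = typing(KEYS, [101, 109, 96, 104, 99, 97], [151, 159, 141, 154, 146, 149])
TIRED = typing(KEYS, [104, 113, 99, 108, 103, 100], [154, 164, 144, 158, 149, 153])  # same user, slower
IMPOSTOR = typing(KEYS, [60, 58, 62, 61, 59, 63], [300, 310, 290, 305, 295, 300])

if __name__ == "__main__":
    profile = enrol(ENROLMENT)
    for label, attempt in (("genuine", GENUINE), ("tired", TIRED), ("impostor", IMPOSTOR)):
        c = confidence(profile, attempt)
        print(f"{label:9s} confidence={c:.2f} "
              f"low-risk={decide(profile, attempt, 0.15)} high-risk={decide(profile, attempt, 0.5)}")
```

The "tired" sample is the temporal-variation case from the slide: the same person typing a few milliseconds slower scores well below the genuine attempt, so a high-risk threshold rejects it (a false negative) while a low-risk threshold still lets it through. Choosing the threshold per action, rather than one global pass/fail, is what the risk-appetite slide means.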
79. 4. Characteristics
SYA Pros/Cons
• Not easily transferable between humans
– Very good accountability (nothing to lose)
– Although one can lose their finger
• Immune to most of the classic attacks
– Key logging
– Shoulder surfing
– Brute force/dictionary attacks
• Hinders social engineering attacks
• Impedes IT Staff abuse of privileges
80. 4. Characteristics
SYA Pros/Cons
• May be used to track individuals (privacy concerns)
• The most intrusive factor
• Susceptible to sniffing and replay attacks
– Suitable for local authentication
82. What is 2FA again?
Combination of any 2 of the 3 available factors
83. And what’s not a 2FA?
• Finger scanner on your laptop
• Door pass at the premises
• Thumb-locked pendrive