User authentication

8 minute read

Updated:

7. User authentication

Objectives

  • For you to recognize the main approaches that exist for user authentication
  • For you to understand the theoretical and practical levels of security achievable with passwords
  • For you to appreciate the benefits and limitations of security tokens and biometrics

Basis for Authentication

  • Authentication: As a system, specific individuals get granted access to that system. Can they prove their identity to that system to have access?
    • Diff users will have diff level of permission
  • Something you know: bit of secret information - PIN, password, passphrase
  • Something you have: physical security token -key, smartcard
  • Something you are: some properties of you that are diff from other people - Biometric measurement
  • Ur ability to keep that bit of information and not guessable by anyone else. And if it is short, 4 digits, there are only limited number of possibilities. && Your ability hold of that token to not lose it – have a copy?

How many passwords?

  • Most prevalent is the password
  • Password - Sth that you must type on a std keyboard
  • Solution
    • N unique characters that can be typed
      • N~~ 95for UK keyboard
    • Length = 8, so NL possibilities. 958 password possibilities
    • 6.6 quintillion!
  • The longer ur password is, more secure it is, but it is possible to brute force.
  • Password sounds like a good approach, yet they are not in practice a good authentication device coz its used by humans and we don’t wanna remember all these strings. So we only have a limited space. (~8digits)

Cases where passwords were revealed

  • 2005: GNER Control Center
    • Can get pretty extreme – need to have this password
    • He was on a train from Leeds to London. GNER produced the LiveWire – inflight magazine
    • And he picked it up and read it, and he came across that GNER was opening a control center in York. And he came across a pic that has username and pw written down. Password = TRAIN!! Wtf
    • And its written on a white board – anyone could see it. And it was in a magazine that could be read by users
  • 2014: Winter Floods
    • Top right of the white board they could see the username and pw
  • 2015: Waterloo Station
    • BBC – but they had password written down on the top of the monitor - Password3
  • 2016: Labour Leadership Contest
    • When you zoom in the white board – you could see username and pw with client ID and in a white board
  • 2018: Trump Administration
    • White house staff wrote a password and address in a white house stationary and left it at the bus stop
  • In theory, password, when long enough, is a reasonable authentication device. BUT the problem is people write it down and publish photo on the internet.

Conclusions

  • Problem is people want the pw to be easy to remember – we have a very small region of ‘password space’
  • Phases that are meaningful to them – e.g. bday
  • If you chose sth that it’s not easy, ull write it down! Likely. This is further compounded coz other people can see the pwd

Other Risks

  • Factory defaults – where a piece of hardware or software ships w default pwd – when you set it up, ull delete the account or change it. But it isn’t usually done! you have access with high privelege
    • PDP and mapd - out of the box – id:field, pwd:service .So they can come to ur business and reset. But it was common for people to use this default account. So, if you knew about this, ull have a high privilege access.

  • Shoulder surfing’ – walking past, looking over someone’s password

  • Social engineering – active persuasion by sounding convincing.

  • Keystroke loggers / Trojans – follows whatever you are typing, and steal the credentials/ data

  • Live brute-forcing- systematically tryna logging in by brute forcing. Solution - Limit the number of attempts and lock you out. But it could be used maliciously to lock you out. And with admin account, you don’t wanna mistype it and force you out as an admin!!

  • Cracking of stolen hashes -

  • Information leakage in system logs – could record fail login attempt. For this id and pw used will be recorded as fail - gives idea of what’s right and make it guessable. It could log mistyped pw too

Social Engineering

  • Is done on a large scale using phishing and more targeted to a specific individual
    • U get a phone call – and you know there’s TOM in IT, and you have a CRM server. So you think yh maybe. Much more likely to fool non-technicals who doesn’t know that they’d never ask for pw
  • It could be an info can be found out in the back of office, looking for thrown out documents which could make you sound like a plausible insider
  • Active persuasion – by sounding convincing.

KeySweeper

  • Devious example coz its designed to look like a phone charger
  • And when it connects, it has a battery, so even if you plug it out it’ll work.
  • It sniffs keystrokes and logs them in this device, and you can steal id and pw, and send credentials via SMS
  • E.g. – looks like an apple USB cable – but inside is built electronic firmware that allows you to steal info

Cracking Stolen Hashes

  • Biggest problem of them all
  • When pw is stored, it should store as hashes. But the hashes can get stolen. And they get stolen and often offered for sale- like in LinkedIn.
  • Price halved – bc once the announcement is out, people will change it So limited window opportunity when it has high value – so attempt to sell it.
  • In hash form, some processing is required to recover what the pw are. So how does it work?- UNIX

UNIX-style Passwords

  • Traditionally, not anymore, the idea was to use DES cipher – and essentially encrypt a string repeatedly using a variant DES, and treating pw as a key. And output was stored as a hash.
  • We dont just store the hash, we compute the hash on pw+ salt (random)
    • coz if we only store hash, it’ll be crackable for attackers to have a lookup table and pre compute possible hashes, and match it up.
  • The success depends on the size of the lookup table, but it can be successful.
  • Way to make it a bt harder is to introduce randomness- same pw doesn’t always produce same hash. So even if the user uses same pw, it would be a diff hash.
    • 12 bits of salt – 2^12 possible hash for individually pw– the size for ur lookup table is way bigger now
    • If the size is bigger, its impractical to keep the lookup or store it on a disk
  • why we use salt
    • The hash = salt+ hash = aavFyamradh aa is our hash
    • And if you change the salt hash changes completely
    • But the limitation is it only took the first 8 characters – so kangaroo and kangaroos made same hash!!

Cracking Stolen UNIX Hashes

  • Assume ur not brute forcing and you stole the hash and you wanna crack the hash. you can’t invert it in a simple way, but you gotta generate all pw, hash it and see if it matches up
  • But people don’t choose word from a word list – common technique you use to vary the dictionary words - is to change o to 0, add numbers in front, etc
  • For every word, you generate the variation, and you compute the hash for each variation
  • image
  • Simple but remarkably successful – 20-35% of pw can be cracked !!! wtf
    • Bigger the wordlist, longer it takes but more possibilities to crack

Physical Tokens &2FA

  • Password is not the only option – we use physical tokens too
  • Pws are flawed – so combining with a second authentication to have two-factor authentication
  • E.g. mobile phone, smartcard, YubiKey
    • YubiKey – when you plug it in ur computer, when you touch the button, it generates OTP – whenever you get a prompt to input a pwd, and you touch it and it inputs it
    • Authenticator app on ur phone also generates PIN that are only valid for short – and with conjunction with ur pw – not as good as yubikey but still
  • Supply OTP with normal pw you have for ur system

Biometrics

  • Good for user coz there’s nothing to lose and forget – most convenient
  • But can be expensive to implement
  • Choosing the right traits
    • Voice – can be faked, affected by mood and age, cold
    • Fingerprints – widely used
    • Facial geometry
    • Eyes – retinal blood vessels or iris texture

Some Examples

  • Windows Hello– face recognition
    • Near IR images – to prevent holding a photo of someone
    • And samples texture around the landmark points
    • Has a depth sensor built in
  • Apples touchID and faceID
    • But can create a realistic finger model to scan it
  • Not an authentication used as a security aids necessarily

Iris Codes

  • Indian gov was using this – you look at the iris and there’s a pattern that’s unique to u, and you do that into binary 256 byte of data – iris code
  • 2 code that computes from same iris – 90% match
  • Microsoft’s Lumia uses this

The Revocation Problem

  • Real problem is what if you have biometrics stored in a server somewhere and this gets stolen?
  • Password is revocable. If it gets hacked, get a new one. But you cant have new eyes!! Eyeballs transplant lol
  • So, combine biometric factor and revocable factor, and hash it all together and store this
    • If stolen, revoke the hash and change the hash and update it.

Summary

  • Seen that, although the space of possible passwords is typically quite large, passwords are often poorly chosen / written down by users
  • Discussed a range of other password-related risks
  • Considered how easy it is to crack stolen password hashes
  • Noted that 2FA strengthens password authentication by combining it with a physical token
  • Examined some popular biometric techniques

Leave a comment