Strong Authentication
        (2FA)

        Michał Sobiegraj, CISSP
            michal@sobiegraj.com
1. Access Control
2. Knowledge
3. Ownership
4. Characteristics
5. 2FA
1/5

  Access Control

                Access control
    1. Identification
      – Who do you say you are?
    2. Authentication (1)
      – Prove it!
    3. Authorisation (1 & 2 & ACL/Capability List)
      – OK, so here is what you can do.
    4. Accountability (1 & 2 & Audit trail)
      – You are responsible for this!

    Identification methods

        •   User ID
        •   Account number
        •   PIN
        •   Badge
        •   Biometrics

    Identifier characteristics


    • Unique to each user
    • Not relating to a job function
    • Standardised naming conventions

       Authentication

    • Knowledge based
      – Something only you know
    • Ownership based
      – Something only you have
    • Characteristics based
      – Something only you are
    Traditional means of identification
            and authentication

     • People knew each other in person
       – They used face recognition
       – Something only you are (biometrics)
     • The Internet made that useless
       – Greater need to prove identity
       – Impossible to know everyone in person

          Authentication


    Each single factor is fairly
      easy to compromise

       Let's use two factors!

    Classic examples of 2FA

    ATM (Automated Teller Machine)
    – Something you have (card)
    – Something you know (PIN)



    Credit card and signature
    – Something you have (card)
    – Something you are (signature)
2/5
      Knowledge
 (Something You Know)

                     Password/PIN
  • Free
  • Easy to use
      – People are used to it and understand it
  • The weakest factor
      – Either easily guessable/brute-forceable, or complex
         • Complex ones get written down
      – Either one password everywhere, or many to remember
         • If there are too many, they get written down

               Cognitive password


    •   Series of random personal questions
    •   Takes longer to authenticate
    •   No need to remember a password
    •   Fairly weak if based on personal information

                   Passphrase


  • Longer to enter than a password
  • Less susceptible to brute forcing and guessing
  • Still sniff-able and susceptible to key logging

                SYK Pros/Cons
  • No need to carry anything
  • Susceptible to classic attacks
     – Key logging
     – Social engineering/shoulder surfing
     – Brute force/dictionary attacks
     – Sniffing and replay attacks
     – IT Staff abuse of privileges
     – Man in the middle attacks

                          http://img.alibaba.com/photo/11475911/KeyShark_Hardware_Keylogger.jpg
                                 http://www.phuketgazette.com/newsimages/bull8282007-5914-4.jpg

                SYK Pros/Cons
  • No strong accountability
     – Easily shareable
  • Frequently written down
    in predictable places




                               http://klaatu.anastrophe.com/wp-images/postit.jpg
3/5
      Ownership
  (Something You Have)

                   PKI Certificate
       • Transfers trust
           – Make sure the signer (the CA) is trustworthy!
       • Usually the server authenticates to the user
           – Mutual (client-certificate) authentication may cause
             significant administrative overhead
       • Something not only you have
           – Google: "index of" +ovpn (finds OpenVPN configs, often
             bundled with private keys, on open web directories)
           – Courtesy Aleksander P.


       One Time Password (OTP) list

        • Session-based authentication
        • Valid only once
           – Usually also only for a short period of time
        • Not reusable by design
           – Not susceptible to replay attacks
        • A paper list or an electronic generator
                       Asynchronous token
                          (challenge – response)

           Usually requires the user to
            retype the server's challenge
               into the token and send back
               the token's response

            http://www.cc.com.pl/img/vasco/300photo.gif

               Synchronous token
    • Generates a deterministic, random-looking
      value every minute / button push
    • The value is cryptographically derived from:
       – A moving factor: the previous value, or (in OATH
         HOTP/TOTP) an event counter or time step
       – A shared secret known only to the token and to
         the authentication server
       v1 = f(seed, secret); v2 = f(v1, secret); etc.
    • The secret is unrecoverable from the
      token*

                          * With today's technology

               Synchronous token
      • Time-based synchronisation
          – Drifts out of sync over time if the token is not used
          – Clock drift is corrected by the server
          – Server accepts neighbouring values
      • Event-based synchronisation
          – Easily de-synced by generating too many values
            ahead (beyond the server's look-ahead window)

                                                  http://www.radiocomputerguy.com/images/paypal_token.gif
                                                                     http://admin.avisian.com/images/rsa1.gif
                                                    http://en.wikipedia.org/wiki/Image:RSA-SecurID-Tokens.jpg
                       http://www.comprosec.ch/fileadmin/images/rsa/securid/SD520_450x297_72dpi_crop.jpg

               Software tokens


      • Java (J2ME) MIDlets on the phone
      • More convenient
      • Easier to reverse-engineer
        the secret out of




                           http://www.developer.com/img/2006/06/Marcia6.JPG

          Man in the Middle (MITM)
  • None of the factors solves the MITM problem
  • An insecure connection allows for credential
    disclosure
      – SSL/TLS only authenticates the transport link (the server
        the client connected to), not the transaction the user intended

               Phishing case

          • A customised attack
          • A time-limited OTP is better but still
            not enough

               Out of band channel


     •   E.g. mobile text messaging (SMS)
     •   Addresses the MITM problem
     •   Allows for mutual end-to-end authentication
     •   Convenient
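The relay attack that the phishing and MITM slides describe, and why an out-of-band SMS addresses it, as an added Python simulation that is not part of the original presentation. It contrasts a time-limited code sent on its own with a code bound to the transaction whose details are stated in the SMS; that binding is the design the slides imply with "mutual end-to-end authentication" but do not spell out, so it is an assumption here, as are the bank, the key and the messages, which are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by the bank and the customer's SMS channel; not a real secret.
BANK_SECRET = b"demo-bank-secret"


def plain_code(secret: bytes, time_step: int) -> str:
    """Time-limited OTP: depends only on the secret and the time step, not on what is approved."""
    return hmac.new(secret, time_step.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


def transaction_code(secret: bytes, txid: bytes, payee: str, amount: int) -> str:
    """OTP bound to one transaction: a different payee, amount or id gives a different code."""
    msg = txid + f"|{payee}|{amount}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Server side. bound=False texts a bare code; bound=True also states what the code
    approves, so the out-of-band channel authenticates the transaction to the customer."""

    def __init__(self, secret: bytes, bound: bool, time_step: int = 1000):
        self.secret, self.bound, self.time_step = secret, bound, time_step
        self.pending = {}       # txid -> (payee, amount)
        self.executed = []

    def request_transfer(self, payee: str, amount: int):
        txid = secrets.token_bytes(8)
        self.pending[txid] = (payee, amount)
        if self.bound:
            code = transaction_code(self.secret, txid, payee, amount)
            sms = f"Transfer {amount} to {payee}. Code: {code}"
        else:
            sms = f"Code: {plain_code(self.secret, self.time_step)}"
        return txid, sms        # the SMS goes to the customer's phone, not through the web session

    def confirm(self, txid: bytes, code: str) -> bool:
        payee, amount = self.pending.pop(txid)          # each transaction is confirmed at most once
        expected = (transaction_code(self.secret, txid, payee, amount) if self.bound
                    else plain_code(self.secret, self.time_step))
        if not hmac.compare_digest(expected, code):
            return False
        self.executed.append((payee, amount))
        return True


def customer_types_code(sms: str, intended_payee: str, intended_amount: int):
    """An attentive customer enters the code only if the SMS matches what they meant to do.
    A bare code gives them nothing to check against."""
    text, _, code = sms.rpartition("Code: ")
    if text and f"Transfer {intended_amount} to {intended_payee}." not in text:
        return None             # the out-of-band message exposed the substitution
    return code


def relay_attack(bound: bool) -> bool:
    """Real-time phishing proxy swaps the payee; True if the attacker's transfer executes."""
    bank = Bank(BANK_SECRET, bound)
    txid, sms = bank.request_transfer("Mallory", 5000)   # proxy submits its own transaction
    code = customer_types_code(sms, "Alice", 100)        # customer wanted to pay Alice 100
    return code is not None and bank.confirm(txid, code) and ("Mallory", 5000) in bank.executed


def stolen_code_attack(bound: bool) -> bool:
    """Proxy forwards the genuine request (so the SMS reads correctly), captures the typed
    code and replays it against its own pending transaction in the same time step."""
    bank = Bank(BANK_SECRET, bound)
    _, sms = bank.request_transfer("Alice", 100)
    attacker_txid, _ = bank.request_transfer("Mallory", 5000)   # its SMS assumed ignored
    code = customer_types_code(sms, "Alice", 100)
    return bank.confirm(attacker_txid, code) and ("Mallory", 5000) in bank.executed


if __name__ == "__main__":
    for bound in (False, True):
        print(f"bound={bound}: relay {relay_attack(bound)}, stolen code {stolen_code_attack(bound)}")
```

With the bare code both attacks go through, which is the slide's "better but still not enough"; with the bound code the substituted transaction is visible in the SMS and a captured code is useless for any other transaction, which is what the out-of-band channel buys.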

                    Memory card
        • Also called a swipe card or a magnetic
          stripe card
        • Equipped with a magnetic stripe
        • Interacts with a reader
        • Stores authentication information (statically, readable by any reader)
        • Relatively inexpensive
        • Fairly easy to duplicate (skimming)
            – Harder than a password, though
http://www.cl.cam.ac.uk/~mkb23/atm-skim1.jpg

                                                            Smartcard
                         • Interacts through a reader
                         • Contains authentication information
                                 – e.g. a PKI certificate and its private key
                         • Is able to do crypto on-board
                                 – The private key never leaves the card
                         • Allows for continuous authentication
                         • Tamper-resistant, which solves the duplication
                           problem


http://gallery.hd.org/_exhibits/money/_more2003/_more02/UK-bank-and-credit-cards-smartcard-smartcards-VISA-Mastercard-Nationwide-Barclaycard-Egg-cropped-JR.jpg




               http://en.wikipedia.org/wiki/Image:Matkakortti_ja_kortinlukija.jpg

                Contactless Smartcard

          • Contains an RF transceiver (RFID)
          • Works in close proximity to a reader
               – Up to 10 cm (ISO/IEC 14443 proximity cards)
               – Up to about 50 cm in practice (ISO/IEC 15693 vicinity cards)
          • Quick and hands-free
          • Contactless credit card
               – No PIN required
               – Small amounts, $5-50


     Potential issues with smartcards

          • Privacy concerns
               – Contactless smartcards make it
                 possible to track individuals without
                 their knowledge


          • Easy to damage the chip


                                                 iButton




               http://commons.wikimedia.org/wiki/Image:1-Wire_lock.jpg

                    Form factor
           • Small enough to be convenient
           • Attachable to something you
             usually have with you
               – Key dongles
               – Wallet-size cards
               – Credit-card-size tokens
               – Phone applications or the phone itself

                    SYH Pros/Cons
          • Not susceptible to classic attacks
               –   Key logging
               –   Shoulder surfing
               –   Brute force/dictionary attacks
               –   Sniffing and replay attacks
          • Hinders social engineering attacks
          • Impedes IT Staff abuse of privileges
          • Stronger accountability
               – Responsibility of the owner
               – Although still not strong enough
http://img.thedailywtf.com/Images/200612/rsakey.jpg

                   SYH Pros/Cons

               • Easily lost
                  – Burden of revoking the token and
                    getting a new one
                  – Not much harm if combined with
                    another factor
4/5
  Characteristics
  (Something You Are)


                             Static
     Physiological characteristics of a human body


                     •   Fingerprints
                     •   Iris granularity
                     •   Retina blood vessels
                     •   Facial looks
                     •   Hand geometry


                       Dynamic
       Behavioral characteristics of a human body



                     • Voice inflections
                     • Keyboard strokes
                     • Signature dynamics


          Biometrics selection criteria

                     • Accuracy
                     • Acceptability
                     • Reaction time

                            Crossover Error Rate

    [Chart: Error Rate (vertical axis) against Accuracy, i.e. the match
     threshold (horizontal axis). The False Acceptance Error Rate (Type II)
     falls and the False Rejection Error Rate (Type I) rises as the
     threshold is tightened; the point where the two curves cross is the
     CER. Loosening the threshold favours user friendliness, tightening
     it favours security.]




                     http://www.newenglandchapel.org/images/fingerprint.jpg
                                       Fingerprint
                                                    static

   • Characteristic points (minutiae) are marked on a print
   • Their positions are specified relative to the other
     marks




              http://shs.westport.k12.ct.us/forensics/04-fingerprints/fingerprint_parts.jpg
              Fingerprint and palm print
                              static



   • Compares computed pattern with a stored
     one
   • High accuracy
       – Fairly simple for small sets of potential matches
   • Good acceptance
   • 5 – 7 seconds for reaction

             Fingerprint scanner types
         • Static (area) scanner
             – Takes one picture of the whole fingertip at rest

         • Swipe (line) scanners
             – The finger is drawn across a sensor strip, so the scan is dynamic
             – Harder to fool

                                     http://www.trustedreviews.com/images/article/inline/3331-6.jpg
                     http://www.mrgadget.com.au/catalog/images/targus_defcon_authenticator_usb.jpg
                     Hand geometry scan
                                 static

      • Measures hand features
          – Length, width, thickness and contour of fingers
      • Not very accurate
          – Not good in large populations
              • Hand shape is not as unique as a fingerprint
          – Good in combination with another factor
      • Well accepted
      • Very fast reaction (3 – 5 seconds)
      • Reader is quite large

              Diagram of a human eye




              http://en.wikipedia.org/wiki/Image:Human_eye_cross-sectional_view_grayscale.png




                     http://research.unc.edu/endeavors/win2005/images/retina.jpg
                         Retinal scan
                                static
         • Compares the blood-vessel pattern with a reference
         • Very high accuracy
             – The retinal pattern is entirely unique
             – Poor lighting can affect results
         • Susceptible to changes in the eye
             – Diabetes, heart attacks
             – Cataract, glaucoma
             – Pregnancy
         • Poor acceptance
             – Perceived as highly invasive
             – Not very user friendly
         • Fast reaction (4 – 7 seconds)




                     http://en.wikipedia.org/wiki/Image:Humaniris.jpg
                            Iris scan
                                static

         • Compares the iris texture with a reference
         • Very high accuracy (IrisCode algorithm)
             – No false match ever reported
             – Iris texture remains stable over decades
         • Good acceptance
             – No need to touch anything
         • Very fast reaction (1 – 2 seconds)
         • Allows for continuous monitoring
             – Distance from 10 cm to a few metres
             – Needs cooperation

         Dynamic characteristics

      • Measures a confidence level (match score)
          – Instead of the traditional pass/fail
      • Allows for an explicitly defined individual risk
        appetite
          – By changing the accepted confidence level (the match threshold)
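The Crossover Error Rate chart and the confidence-level idea above, made concrete as an added Python example that is not part of the original slides: the match threshold is swept over constructed match scores, FAR and FRR are computed at each setting, the CER is where they meet, and a risk appetite is expressed as the largest FAR one accepts, which fixes the threshold and the FRR the users pay. The scores and the 0..100 scale are made up for illustration.

```python
# Constructed match scores (0..100) from a hypothetical matcher: higher means "more like the
# enrolled template". Ten attempts by the enrolled person and ten by other people.
GENUINE = [92, 88, 85, 81, 79, 76, 72, 66, 61, 55]
IMPOSTOR = [58, 52, 49, 45, 41, 38, 33, 30, 25, 20]


def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR):
    """A sample is accepted iff score >= threshold.
    FAR (Type II): fraction of impostor attempts accepted.
    FRR (Type I): fraction of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold; where FAR and FRR meet is the Crossover Error Rate.
    Returns (threshold, FAR, FRR); a lower CER means a better biometric."""
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    best = min(range(0, 101), key=gap)      # first threshold with the smallest gap
    far, frr = error_rates(best, genuine, impostor)
    return best, far, frr


def threshold_for_risk_appetite(max_far: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Pick the most user-friendly (lowest) threshold whose FAR stays within the accepted
    level; returns (threshold, FRR the users will pay for it)."""
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return 101, 1.0     # only reachable for a negative limit: nothing would be accepted


if __name__ == "__main__":
    print("CER (threshold, FAR, FRR):", crossover())
    for limit in (0.2, 0.1, 0.0):
        print(f"max FAR {limit}: (threshold, FRR) =", threshold_for_risk_appetite(limit))
```

Moving the threshold up from the crossover point trades false rejections for fewer false acceptances, which is the "security" end of the chart; moving it down is the "user friendliness" end. Real matchers produce score distributions that overlap far more than these ten samples each, so the CER is rarely this low.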
                                              Voice pattern
                                                          dynamic



                     • Compares a speech sample with
                       reference material
                     • Low accuracy
                            – Even lower with background noise
                     • Well accepted
                     • Long response time (10 – 14 seconds)


http://en.wikipedia.org/wiki/Image:Human_voice_spectrogram.jpg
                     Facial recognition
                                 dynamic

 • Measures certain features of
   the face
     – 14 of about 80 measurable features
       are selected, e.g.:
     – Distance between the eyes
     – Shape of chin and jaw
     – Length and width of the nose
     – Shape of cheekbones and eye
       sockets

                        http://www.wpi.edu/News/Transformations/2002Spring/Images/recognition1.jpg
                     Facial recognition
                            dynamic


         • Good for authentication (one-to-one match)
             – Accurate in a controlled environment
             – Could provide continuous authentication
             – Less invasive than a retinal scan
         • Not very good for identification (one-to-many search)
             – Less accurate in a moving crowd
             – Not well accepted for privacy reasons
                     Signature dynamics
                              dynamic

            • Records pen-stroke dynamics
                – Speed
                – Direction
                – Pressure
            • Accurate
            • Well accepted
            • Far better than a static signature
                – More features can be observed
                – No physical leftovers to copy
      Typing rhythm (keystroke dynamics)
                              dynamic

      •   Measures key dwell time and flight time
      •   Well accepted
      •   Accurate
      •   Very easy to deploy (no extra hardware)
      •   Provides continuous authentication
          – Helps to detect account sharing
      • Temporary variations may cause false rejections
          – For countless reasons

                     SYA Pros/Cons
       • Not easily transferable between humans
           – Very good accountability (nothing to lose)
           – Although one can lose their finger
       • Immune to most of the classic attacks
           – Key logging
           – Shoulder surfing
           – Brute force/dictionary attacks
       • Hinders social engineering attacks
       • Impedes IT Staff abuse of privileges

                     SYA Pros/Cons

       • May be used to track individuals (privacy
         concerns)
       • The most intrusive factor
       • Susceptible to sniffing and replay attacks
           – A captured sample or template can be replayed and,
             unlike a password, cannot be changed
           – Hence best suited to local authentication
5/5
         2FA
 (Strong Authentication)
What is 2FA again?


Combination of any
2 of the 3 available
       factors
And what is not 2FA?

               • Fingerprint scanner on your laptop
               • Door pass at the premises
               • Thumbprint-locked pen drive
                 (each of these is a single factor used on its own)




http://www.turbogadgets.com/wp-content/uploads/2007/03/fingerprint-pendrive.jpg
http://blog.kievukraine.info/uploaded_images/2043-733282.jpg

Weitere ähnliche Inhalte

Ähnlich wie Strong Authentication (Michal Sobiegraj)

Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
Nicholas Davis
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
Nicholas Davis
 
Cryptographic authentication
Cryptographic authenticationCryptographic authentication
Cryptographic authentication
nirmal08
 
Workshop on 03 11-2012
Workshop on 03 11-2012Workshop on 03 11-2012
Workshop on 03 11-2012
Gaurav Gautam
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
amiable_indian
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
Positive Hack Days
 

Ähnlich wie Strong Authentication (Michal Sobiegraj) (20)

Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
 
Web Security
Web SecurityWeb Security
Web Security
 
More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)More Issues on Digital Identity (24Feb2023)
More Issues on Digital Identity (24Feb2023)
 
Cryptographic authentication
Cryptographic authenticationCryptographic authentication
Cryptographic authentication
 
Beyond Security Theater -- With a CTF
Beyond Security Theater -- With a CTFBeyond Security Theater -- With a CTF
Beyond Security Theater -- With a CTF
 
Workshop on 03 11-2012
Workshop on 03 11-2012Workshop on 03 11-2012
Workshop on 03 11-2012
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Beyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UIBeyond The Padlock: New Ideas in Browser Security UI
Beyond The Padlock: New Ideas in Browser Security UI
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’s
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
 
Trends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yoursTrends in electronic crimes and its impact on businesses like yours
Trends in electronic crimes and its impact on businesses like yours
 
DEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malwareDEF CON 23 - Weston Hecker - goodbye memory scraping malware
DEF CON 23 - Weston Hecker - goodbye memory scraping malware
 
Masabi Rail Ticketing ITS
Masabi   Rail Ticketing ITSMasabi   Rail Ticketing ITS
Masabi Rail Ticketing ITS
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
 
Protecting Customer Confidential Information
Protecting Customer Confidential InformationProtecting Customer Confidential Information
Protecting Customer Confidential Information
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
5 ways
5 ways5 ways
5 ways
 

Mehr von msobiegraj

Mehr von msobiegraj (12)

[ISSA] Zagrożenia na 2008 rok
[ISSA] Zagrożenia na 2008 rok[ISSA] Zagrożenia na 2008 rok
[ISSA] Zagrożenia na 2008 rok
 
[ISSA] IDS
[ISSA] IDS[ISSA] IDS
[ISSA] IDS
 
[ISSA] Web Appication Firewall
[ISSA] Web Appication Firewall[ISSA] Web Appication Firewall
[ISSA] Web Appication Firewall
 
[ISSA] Incident Responce
[ISSA] Incident Responce[ISSA] Incident Responce
[ISSA] Incident Responce
 
2FA w bankowosci (Bartosz Nowak)
2FA w bankowosci (Bartosz Nowak)2FA w bankowosci (Bartosz Nowak)
2FA w bankowosci (Bartosz Nowak)
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
 
ISSA Wroclaw -- Aktywacja
ISSA Wroclaw -- AktywacjaISSA Wroclaw -- Aktywacja
ISSA Wroclaw -- Aktywacja
 
Web Application Firewall -- potrzeba,rozwiązania, kryteria ewaluacji
Web Application Firewall -- potrzeba,rozwiązania, kryteria ewaluacjiWeb Application Firewall -- potrzeba,rozwiązania, kryteria ewaluacji
Web Application Firewall -- potrzeba,rozwiązania, kryteria ewaluacji
 
Drobne błędy w portalach WWW -- prawdziwe studium przypadku
Drobne błędy w portalach WWW -- prawdziwe studium przypadkuDrobne błędy w portalach WWW -- prawdziwe studium przypadku
Drobne błędy w portalach WWW -- prawdziwe studium przypadku
 
Technology Risk Management of Web Applications — A Case Study
Technology Risk Management of Web Applications — A Case StudyTechnology Risk Management of Web Applications — A Case Study
Technology Risk Management of Web Applications — A Case Study
 
Jak maszyny rozpoznają ludzi? Odwrotny test Turinga i jego skutki uboczne
Jak maszyny rozpoznają ludzi? Odwrotny test Turinga i jego skutki uboczneJak maszyny rozpoznają ludzi? Odwrotny test Turinga i jego skutki uboczne
Jak maszyny rozpoznają ludzi? Odwrotny test Turinga i jego skutki uboczne
 
Reputacja jako aktywa. Zagrożenia, przewidywanie strat i zarządzanie ryzykiem
Reputacja jako aktywa. Zagrożenia, przewidywanie strat i zarządzanie ryzykiemReputacja jako aktywa. Zagrożenia, przewidywanie strat i zarządzanie ryzykiem
Reputacja jako aktywa. Zagrożenia, przewidywanie strat i zarządzanie ryzykiem
 

Strong Authentication (Michal Sobiegraj)

  • 1. Strong Authentication (2FA) Michał Sobiegraj, CISSP michal@sobiegraj.com
  • 2. 1. Access Control 2. Knowledge 3. Ownership 4. Characteristics 5. 2FA
  • 3. 1/5 Access Control
  • 4. 1 Access control 1. Identification – Who you say you are? 2. Authentication (1) – Prove it! 3. Authorisation (1 & 2 & ACL/Capability List) – OK, so here is what you can do. 4. Accountability (1 & 2 & Audit trail) – You are responsible for this!
  • 5. 1 Identification methods • User ID • Account number • PIN • Badge • Biometrics
  • 6. 1 Identifier characteristics • Unique to each user • Not relating to a job function • Standardised naming conventions
  • 7. 1 Authentication • Knowledge based – Something only you know • Ownership based – Something only you have • Characteristics based – Something only you are
  • 8. 1 Traditional means of identification and authentication • People knew each other in person – They used face recognition – Something only you are (biometrics) • Internet made it useless – More need for proving identity – Impossible to know people in person
  • 9. 1 Authentication Each single factor is fairly easy to compromise Lets use 2 factors!
  • 10. 1
  • 11. 1 Classic examples of 2FA ATM (Automated Teller Machine) – Something you have (card) – Something you know (PIN) Credit card and signature – Something you have (card) – Something you are (signature)
  • 12. 2/5 Knowledge (Something You Know)
  • 13. 2. Knowledge Password/PIN • Free • Easy to use – People got used to it and understand it • The weakest factor – Easily guessable/bruteforcable or complex • To complex ones get written down – One password everywhere or many to remember • If there is to many, they get written down
  • 14. 2. Knowledge Cognitive password • Series of random personal questions • Takes longer to authenticate • No need to remember a password • Fairly weak if based on personal information
  • 15. 2. Knowledge Passphrase • Longer to enter than a password • Less susceptible to brute forcing and guessing • Still sniff-able and susceptible to key logging
  • 16. 2. Knowledge SYK Pros/Cons • No need to carry anything • Susceptible to classic attacks – Key logging – Social engineering/shoulder surfing – Brute force/dictionary attacks – Sniffing and replay attacks – IT Staff abuse of privileges – Man in the middle attacks http://img.alibaba.com/photo/11475911/KeyShark_Hardware_Keylogger.jpg http://www.phuketgazette.com/newsimages/bull8282007-5914-4.jpg
  • 17. 2. Knowledge SYK Pros/Cons • No strong accountability – Easily shareable • Frequently written down in predictable places http://klaatu.anastrophe.com/wp-images/postit.jpg
  • 18. 3/5 Ownership (Something You Have)
  • 19. 3. Ownership PKI Certificate • Transfers trust – Make sure the signer is trustworthy! • Usually server authenticates to the user – Mutual authentication may cause significant administrative overhead • Something not only you have – Google: quot;index ofquot; +ovpn – Courtesy Aleksander P.
  • 20. 3. Ownership One Time Password (OTP) list • Session based authentication • Valid only once – Usually only for a short period of time • Not reusable by design – Not susceptible to replay attacks • A paper list or an electronic generator
  • 21. 3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif
  • 22. 3. Ownership Asynchronous token (challenge – response) Usually requires user to retype the challenge into the token http://www.cc.com.pl/img/vasco/300photo.gif
  • 23. 3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif
  • 24. 3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif
  • 25. 3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif
  • 26. 3. Ownership Asynchronous token (challenge – response) http://www.cc.com.pl/img/vasco/300photo.gif
  • 27. 3. Ownership Synchronous token • Generates a deterministic random-looking value every minute/button push • The value is cryptographically derived from: – The previous value – A shared secret known only to a token and to an authentication server v1 = f(seed, secret); v2 = f(v1, secret); etc. • The secret is unrecoverable from the token* * With today’s technology
  • 28. 3. Ownership Synchronous token • Time-based synchronisation – De-syncing in time if not used – Clock drift is corrected – Server accepts neighbouring values • Event-based synchronisation – Easily de-synced by issuing to many values ahead http://www.radiocomputerguy.com/images/paypal_token.gif http://admin.avisian.com/images/rsa1.gif http://en.wikipedia.org/wiki/Image:RSA-SecurID-Tokens.jpg http://www.comprosec.ch/fileadmin/images/rsa/securid/SD520_450x297_72dpi_crop.jpg
  • 29. 3. Ownership Software tokens • Java (J2ME) applets • More convenient • Easier to reverse engineer the secret out http://www.developer.com/img/2006/06/Marcia6.JPG
  • 30. 3. Ownership Man in the Middle (MITM) • None of the factors solve the MITM problem • Insecure connection allows for credentials disclosure – SSL allows only for a TCP link authentication
  • 31. 3. Ownership Phishing case
  • 32. 3. Ownership Phishing case
  • 33. 3. Ownership Phishing case
  • 34. 3. Ownership Phishing case
  • 35. 3. Ownership Phishing case
  • 36. 3. Ownership Phishing case
  • 37. 3. Ownership Phishing case • A customised attack • A time-limited OTP is better but still not enough
  • 38. 3. Ownership Out of band channel • E.g. mobile text messaging (SMS) • Adresses the MITM problem • Allows for mutual end-to-end authentication • Convenient
  • 39. 3. Ownership Out of band channel
  • 40. 3. Ownership Out of band channel
  • 41. 3. Ownership Out of band channel
  • 42. 3. Ownership Out of band channel
  • 43. 3. Ownership Out of band channel
  • 44. 3. Ownership Out of band channel
  • 45. 3. Ownership Out of band channel
  • 46. 3. Ownership Memory card • Also called a swipe card or a magnetic stripe card • Equipped with a magnetic stripe • Interacts with a reader • Stores authentication information • Relatively inexpensive • Fairly easy to duplicate – Harder then a password, though
  • 48. 3. Ownership Smartcard • Interacts through a reader • Contains authentication information – e.g. PKI certificate • Is able to do crypto on-board • Allows for continous authentication • Tamper-proof  solves the duplication problem http://gallery.hd.org/_exhibits/money/_more2003/_more02/UK-bank-and-credit-cards-smartcard-smartcards-VISA-Mastercard-Nationwide-Barclaycard-Egg-cropped-JR.jpg
  • 49. 3. Ownership http://en.wikipedia.org/wiki/Image:Matkakortti_ja_kortinlukija.jpg
  • 50. 3. Ownership Contactless Smartcard • Contains an RF transciver (RFID) • Works in close proximity to a reader – Up to 10cm (ISO 14443) – Up to 50cm (ISO 15693) • Quick and hands-free • Contactless credit card – No PIN required – Small amounts $5-50
  • 51. 3. Ownership Potential issues with smartcards • Privacy concerns – Contactless smartcards make it possible to track individuals without their knowledge • Easy to damage the chip
  • 52. 3. Ownership iButton http://commons.wikimedia.org/wiki/Image:1-Wire_lock.jpg
  • 53. 3. Ownership Form factor
    • Feasibly small and convenient
    • Attachable to something you usually have with you
      – Key-dongles
      – Wallet size cards
      – Credit-card size tokens
      – Phone applets or a phone itself
  • 54. 3. Ownership SYH Pros/Cons
    • Not susceptible to classic attacks
      – Key logging
      – Shoulder surfing
      – Brute force/dictionary attacks
      – Sniffing and replay attacks
    • Hinders social engineering attacks
    • Impedes IT Staff abuse of privileges
    • Stronger accountability
      – Responsibility of the owner
      – Although still not strong enough
  • 56. 3. Ownership SYH Pros/Cons
    • Easily lost
      – Burden of revoking the token and getting a new one
      – Not much harm if combined with another factor
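Why a token with on-board crypto resists sniffing and replay (slide 54) is easiest to see in a challenge-response exchange. The simulation below is an added example, not code from the slides: it uses a shared HMAC key instead of a PKI certificate (an assumption to keep it short), and the server accepts each challenge only once, so a captured response is useless a second time or against a new challenge.

```python
import hmac
import hashlib
import secrets


class Token:
    """Simulated ownership token: the key never leaves the device, only responses do."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # On-board crypto: HMAC over the server's challenge (HMAC stands in for a certificate here)
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Verifier that issues fresh nonces and consumes each one on first use."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Unknown, stale or already-consumed challenge: reject before any crypto
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)  # one answer per challenge, so replay fails
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Returns (first attempt, replay of same response, sniffed response against a new challenge)."""
    key = secrets.token_bytes(32)  # constructed: provisioned into the token at issuance
    token, server = Token(key), Server(key)
    c1 = server.challenge()
    r1 = token.respond(c1)
    first = server.verify(c1, r1)   # True: fresh challenge, correct response
    replay = server.verify(c1, r1)  # False: challenge already consumed
    c2 = server.challenge()
    stale = server.verify(c2, r1)   # False: response is bound to c1, not c2
    return first, replay, stale
```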
  • 57. 4/5 Characteristics (Something You Are)
  • 58. 4. Characteristics Static Physiological characteristics of a human body
    • Fingerprints
    • Iris granularity
    • Retina blood vessels
    • Facial looks
    • Hand geometry
  • 59. 4. Characteristics Dynamic Behavioral characteristics of a human body
    • Voice inflections
    • Keyboard strokes
    • Signature dynamics
  • 60. 4. Characteristics Biometrics selection criteria
    • Accuracy
    • Acceptability
    • Reaction time
  • 61. 4. Characteristics Crossover Error Rate
    (chart) Error rate plotted against the acceptance threshold, from user friendliness at one end to security/accuracy at the other; the False Acceptance Error Rate (Type II) and False Rejection Error Rate (Type I) curves cross at the CER
  • 62. 4. Characteristics http://www.newenglandchapel.org/images/fingerprint.jpg
  • 63. 4. Characteristics Fingerprint static
    • Characteristic points are marked on a print
    • Positions are specified relative to other marks
    http://shs.westport.k12.ct.us/forensics/04-fingerprints/fingerprint_parts.jpg
  • 64. 4. Characteristics Fingerprint and palm print static
    • Compares computed pattern with a stored one
    • High accuracy
      – Fairly simple for small sets of potential matches
    • Good acceptance
    • 5 – 7 seconds for reaction
  • 65. 4. Characteristics Fingerprint scanner types
    • Static picture scanner
    • Line scanners
      – Scan is dynamic
      – Harder to fool
    http://www.trustedreviews.com/images/article/inline/3331-6.jpg
    http://www.mrgadget.com.au/catalog/images/targus_defcon_authenticator_usb.jpg
  • 67. 4. Characteristics Hand geometry scan static
    • Measures hand features
      – Length, width, thickness and contour of fingers
    • Not very accurate
      – Not good in large populations
    • Hand shape is not as unique as a fingerprint
      – Good in combination with another factor
    • Well accepted
    • Very fast reaction (3 – 5 seconds)
    • Reader is quite large
  • 68. 4. Characteristics Diagram of a human eye http://en.wikipedia.org/wiki/Image:Human_eye_cross-sectional_view_grayscale.png
  • 69. 4. Characteristics http://research.unc.edu/endeavors/win2005/images/retina.jpg
  • 70. 4. Characteristics Retinal scan static
    • Compares blood vessels with a reference
    • Very high accuracy
      – Retinal pattern is entirely unique
      – Poor lighting can affect results
    • Susceptible to eye changes
      – Diabetes, Heart attacks
      – Cataract, Glaucoma
      – Pregnancy
    • Bad acceptance
      – Highly invasive
      – Not very user friendly
    • Fast reaction (4 – 7 seconds)
  • 71. 4. Characteristics http://en.wikipedia.org/wiki/Image:Humaniris.jpg
  • 72. 4. Characteristics Iris scan static
    • Compares iris texture with a reference
    • Very high accuracy (IrisCode algorithm)
      – No false match reported ever
      – Iris texture remains stable over decades
    • Good acceptance
      – No need to touch anything
    • Very fast reaction (1 – 2 seconds)
    • Allows for continuous monitoring
      – Distance from 10 cm to a few meters
      – Needs cooperation
  • 73. 4. Characteristics Dynamic characteristics
    • Measures confidence level
      – Instead of the traditional pass/fail
    • Allows for explicitly defined individual risk appetite
      – By changing accepted confidence level
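The CER chart on slide 61 and the "accepted confidence level" on slide 73 are two views of the same threshold sweep. The added example below (not from the slides) uses constructed genuine and impostor match scores to compute the False Acceptance Rate (Type II) and False Rejection Rate (Type I) at every threshold, locate the crossover, and pick the threshold that meets a chosen maximum FAR, i.e. an explicit risk appetite.

```python
# Constructed match scores (higher = more similar to the enrolled template); not real biometric data.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.72, 0.66, 0.60]
IMPOSTOR = [0.20, 0.28, 0.33, 0.38, 0.45, 0.50, 0.55, 0.62, 0.70, 0.77]


def far(impostor, threshold):
    """False Acceptance Rate (Type II error): impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate (Type I error): genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine, impostor, steps=1000):
    """Yield (threshold, FAR, FRR) for thresholds 0..1; low thresholds favour user friendliness,
    high thresholds favour security."""
    for i in range(steps + 1):
        t = i / steps
        yield t, far(impostor, t), frr(genuine, t)


def crossover(genuine, impostor, steps=1000):
    """Return (threshold, rate) at the Crossover Error Rate, where FAR and FRR are closest."""
    best = None
    for t, a, r in sweep(genuine, impostor, steps):
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_risk_appetite(genuine, impostor, max_far, steps=1000):
    """Lowest threshold whose FAR does not exceed max_far; returns (threshold, FRR paid for it).
    Tightening max_far buys security at the cost of more rejected genuine users."""
    for t, a, r in sweep(genuine, impostor, steps):
        if a <= max_far:
            return t, r
    return 1.0, 1.0  # unreachable for sane data: FAR is 0 once threshold exceeds every impostor score
```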
  • 74. 4. Characteristics Voice pattern dynamic
    • Compares a speech sample with a reference material
    • Low accuracy
      – Even lower with background noise
    • Well accepted
    • Long response time (10 – 14 seconds)
    http://en.wikipedia.org/wiki/Image:Human_voice_spectrogram.jpg
  • 75. 4. Characteristics Facial recognition dynamic
    • Measures certain features of the face
      – 14 of the 80 measurable features are selected
      – Distance between eyes
      – Shape of chin and jaw
      – Length and width of the nose
      – Shape of cheek bones and eye sockets
    http://www.wpi.edu/News/Transformations/2002Spring/Images/recognition1.jpg
  • 76. 4. Characteristics Facial recognition dynamic
    • Good for authentication
      – Accurate in a controlled environment
      – Could provide continuous authentication
      – Less invasive than a retinal scan
    • Not very good for identification
      – Less accurate in a moving crowd
      – Not well accepted due to privacy reasons
  • 77. 4. Characteristics Signature dynamics dynamic
    • Records pen stroke dynamics
      – Speed
      – Direction
      – Pressure
    • Accurate
    • Well accepted
    • Way better than a static signature
      – More features can be observed
      – No physical leftovers
  • 78. 4. Characteristics Typing rhythm (keystroke dynamics) dynamic
    • Measures key dwell and flight times
    • Well accepted
    • Accurate
    • Very easy to deploy
    • Provides continuous authentication
      – Helps to identify account sharing
    • Temporal variations may render false negatives
      – A gazillion reasons
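What "dwell and flight time" on slide 78 actually measures, as an added example that is not from the slides: dwell is how long a key is held, flight is the gap between releasing one key and pressing the next. The code enrolls a template from constructed key-event logs, scores a new sample as a confidence level rather than pass/fail, and lets the accepted confidence be set as a parameter; the feature set and the 3-sigma scaling are assumptions, not the slides' method.

```python
from statistics import mean, pstdev

# Constructed key-event logs for typing "pass": (key, press_ms, release_ms). Not real data.
ENROLL = [
    [("p", 0, 95), ("a", 140, 230), ("s", 290, 380), ("s", 420, 510)],
    [("p", 0, 105), ("a", 150, 245), ("s", 300, 395), ("s", 440, 530)],
    [("p", 0, 90), ("a", 135, 225), ("s", 280, 370), ("s", 415, 500)],
]
GENUINE_PROBE = [("p", 0, 96), ("a", 142, 232), ("s", 290, 382), ("s", 424, 512)]
IMPOSTOR_PROBE = [("p", 0, 150), ("a", 260, 380), ("s", 500, 620), ("s", 760, 880)]


def features(events):
    """Dwell times (release - press per key) followed by flight times (next press - this release)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template: per-feature (mean, std dev). Std dev is floored at 1 ms so a feature that was
    identical in every enrolment sample cannot divide by zero or dominate the score."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in columns]


def confidence(template, events):
    """Confidence in [0, 1] that the sample came from the enrolled typist: 1 minus the mean
    normalised deviation, where an average deviation of 3 sigma maps to zero confidence."""
    z = [abs(x - m) / sd for x, (m, sd) in zip(features(events), template)]
    return max(0.0, 1.0 - mean(z) / 3.0)


def accept(template, events, min_confidence):
    """Pass/fail is derived from the confidence level, so min_confidence expresses risk appetite."""
    return confidence(template, events) >= min_confidence
```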
  • 79. 4. Characteristics SYA Pros/Cons
    • Not easily transferable between humans
      – Very good accountability (nothing to lose)
      – Although one can lose their finger
    • Immune to most of the classic attacks
      – Key logging
      – Shoulder surfing
      – Brute force/dictionary attacks
    • Hinders social engineering attacks
    • Impedes IT Staff abuse of privileges
  • 80. 4. Characteristics SYA Pros/Cons
    • May be used to track individuals (privacy concerns)
    • The most intrusive factor
    • Susceptible to sniffing and replay attacks
      – Suitable for local authentication
  • 81. 5/5 2FA (Strong Authentication)
  • 82. What is 2FA again? Combination of any 2 of the 3 available factors
  • 83. And what’s not a 2FA?
    • Finger scanner on your laptop
    • Door pass at the premises
    • Thumb-locked pendrive
    http://www.turbogadgets.com/wp-content/uploads/2007/03/fingerprint-pendrive.jpg