1 / 52

Authentication and Auditing Part Deux

Authentication and Auditing Part Deux. EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006. Outline. Authentication Authentication 101 – A Recap Web Authentication Case Study Recent Techniques and Challenges Biometrics Auditing

rfedele
Download Presentation

Authentication and Auditing Part Deux

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authentication and AuditingPart Deux EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006

  2. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  3. Authorization 101 – A Recap • Most common form of verification is the password • Common attacks include • Social Engineering • Dictionary • Smart Dictionary (DNA System) • Brute Force • Replay • Offline Guessing • Many, many more

  4. Authorization 101 – A Recap • Countermeasures • Password complexity requirements • Password aging • Password Hashing, etc.

  5. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  6. Web Authentication Case Study • Taking all the techniques we have learned, we will design a secure Web authentication mechanism for a self registering system • Covering the following parts: • Self registration form • Credential storage • Login form and password reset

  7. Case Study – Registration Form • User selects a username, typically email address is used for global uniqueness • User selects a password • First, what limits a passwords complexity? • Password memorability study • The setup • 300 students • 3 different groups (control, random, and pass phrase) • Attempted to crack using common attacks

  8. Case Study – Registration Form • Password memorability study results

  9. Case Study – Registration Form • Summing up the password memorability study • Confirmed Myths • Users have trouble memorizing random passwords • Mnemonic passwords are harder to crack than conventional • Disproved Myths • Random passwords are harder to crack than mnemonic • Mnemonic passwords are harder to remember than conventional

  10. Case Study – Registration Form • So what does this mean for our registration form? • Rather then just instruct users the complexity requirements instruct them HOW to choose a good password. (The best balance between complexity and memorability is mnemonic). • As expected password size does matter – at least 8 • Character variation matters – force both numbers, symbols, and characters

  11. Case Study – Registration Form • What else can we do to help a user choose a good password? • Improving password selection through the user interface design • The typical Password Selection Mechanism (PSM)

  12. Case Study – Registration Form • The problem, current PSMs do not help the user choose good passwords, they only allow them to • Some myths • Users choose bad passwords because it is all they can memorize • Users choose bad passwords because they do not care about security • So why do users choose bad passwords? • They just do not understand what makes a password strong vs. weak

  13. Case Study – Registration Form • How do we help users choose good passwords? • Feedback mechanisms

  14. Case Study – Registration Form • Finally, we want to make sure people cannot easily create bots to create thousands of accounts. How can this be accomplished? • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) • Most common type:

  15. Case Study – Registration Form • Real World Examples: • Can you spot the good/bad practices of the following registration forms? • Google • Yahoo! • Windows Live

  16. Case Study – Credential Storage • How should credentials be stored? • Passwords should be salted and hashed • Password Salting • Appending randomly generated bits to a password before hashing • Used for one main reason – incase 2 people choose the same password the hash will still be different

  17. Case Study – Credential Storage • Hashing Benefits • Fast • Secure • Removes any indication of original password length

  18. Case Study – Login Form • Basic components: • User name field • Password field • Forgot password/password reset mechanism • When an invalid password or username is entered only show a generic message (Example) • Lock the user’s account after x password attempts • Require the user change their password after x amount of time

  19. Case Study – Forgot/Reset Password • What is a secure way to allow a user to recover/reset their password? • Recall passwords are hashed • Common approach • User is asked to select a security question • User selects to reset their password • Email is sent to the specified account with time sensitive URL • When visited the URL presents the user with their password reset question • User answers question and is allowed to reset password

  20. Case Study Summary • Urge users to use mnemonic passwords as they are easily memorized and as secure as random passwords • Use a feedback mechanism to indicate to the user when they have chose a strong password • Provide clear instructions to guide the user to select secure passwords • Use CAPTCHA to help reduce automated registrations (both visual and audio)

  21. Case Study Summary • Salt and hash passwords for storage • Allow users to reset their passwords when desired using a multi-step process • If invalid credentials are entered display a generic message

  22. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  23. Recent Techniques and Challenges • What comes to mind?

  24. Recent Techniques and Challenges • ING DIRECT Image Key • In addition to passwords users are asked to select an image from a set and enter a phrase • Each time they log in they will be asked to enter the phrase

  25. Recent Techniques and Challenges • InCard Technologies • New password verification technique • Card is capable of generating one time passwords that can validate an online purchase

  26. Recent Techniques and Challenges • RSA Hosted SecurID • Allow customers to pay to issue RSA tokens and allow the use of OTP (one-time passwords) on their site • Largest user so far is E*Trade Financial

  27. Recent Techniques and Challenges • OpenID – Single Sign On for the Web • How it works • Site places login form on page, only contains single field asking for OpenID identifier • You are then redirected to your OpenID provider to enter whatever credentials necessary • Once authenticated you are then sent back to the original site • Also allows the account information to be exchanged

  28. Recent Techniques and Challenges • Phishing • Using social engineering to trick users into providing personal information • Common method • Sending email that looks like it came from a business • Email asks users to verify their account information, update their records, etc. • User clicks link on email and is really taken to phishing site • User mistakenly enters their information

  29. Recent Techniques and Challenges • Phishing Continued

  30. Recent Techniques and Challenges • Phishing continued • Presents an interesting problem for sites. • They now have to “authenticate” themselves to users. • In other words, how do you prove to users that it is really an authentic site they are on?

  31. Current Techniques and Challenges • Phishing continued • Yahoo! sign-in seal • Allows users to customize their login page • Stores image information in Flash shared object (a cookie for Flash)

  32. Recent Techniques and Challenges • Summary • Recently there have been a lot of money invested in developing new authentication techniques • Phishing causes the majority of issues • It is predicted that by the end of 2007 60-75% of financial institutions will use something stronger than a password. However only 7% will go as far as to hand out hardware tokens • By the end of 2007 half of today’s stronger authentication methods will not be strong enough anymore • The password is not dead, it will merely be used as one phase of multiple phase authentication

  33. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  34. Biometrics • As we learned last class, the main types of biometric authentication is: • Fingerprints • Voices • Eyes • Faces • Keystrokes

  35. Biometrics

  36. Biometrics • The Electronic Passport • One of the first major public implementations of biometrics • Same as a regular passport except it contains a contactless chip in the back cover • Chip stores same information as on the photo page but also includes a digital copy of the image • The image can then be used for facial recognition at international borders

  37. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  38. Auditing 101 – A Recap • Why audit? • To trace access to sensitive or important information as well as access to the computers themselves • Some terminology • Logging • Recording events or statistics to provide information about system use and performance • Auditing • Analyzing the log records to present the information in a clear and understandable manner

  39. Auditing 101 – A Recap • Two problems related to auditing • What information to log? • Which of that information gather should be audited? • What makes up an auditing system? • Logger • Analyzer • Notifier

  40. Auditing 101 – A Recap • The Logger • Records the information • Can be binary, human-readable, or sent directly to an analysis mechanism • The Analyzer • Takes the log as input and analyzes it • Results of analysis may lead to data being recorded or detection of a problem

  41. Auditing 101 – A Recap • The Notifier • Takes the results of the analysis • Informs the analyst and other entities of the results • An action may then be taken by the notified entities

  42. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  43. Designing an Auditing System • Build to detect violations in the security policy • Log meaningful information • Log sanitization • Users must only be able to view information in the logs that they have access to • 2 types of sanitizing logs: • User privacy • External viewing

  44. Designing an Auditing System • Sanitizing for user privacy: • Sanitizing for external viewing: Logging System Sanitizer Log Users Logging System Log Sanitizer Users

  45. Designing an Auditing System • Two types of logs • Application • Cannot connect • Configuration file not found • System • Utilize both types of logs to get a complete picture of what led up to a particular event

  46. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  47. Auditing Mechanisms • Secure Systems • Auditing is integrated with the system design and implementation • Typically provides a language or interface to configure what is monitored • Nonsecure Systems • Record a lesser level of activity • Auditing is typically only used for purposes of accounting rather than security violations

  48. Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion

  49. Audit Browsing • Purpose is to present logs in a single tool and indicate the associations between the disconnected log files • Six Basic Browsing Techniques • Text Display • Hypertext Display • Relational database browsing • Replay • Graphing • Slicing

  50. Conclusion • Passwords are here to stay • Passwords do not need to be weak to be able to be memorized • Mnemonic passwords are as strong as random • The typical user interface can be improved to allow users to choose stronger passwords • Auditing is important component of a system • Typically overlooked until needed but provides valuable information when needed

More Related