520 likes | 531 Views
Authentication and Auditing Part Deux. EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006. Outline. Authentication Authentication 101 – A Recap Web Authentication Case Study Recent Techniques and Challenges Biometrics Auditing
E N D
Authentication and AuditingPart Deux EECS 710: Information and Assurance Presented By: Gabe Wishnie Instructor: Professor Saiedian November 30, 2006
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Authorization 101 – A Recap • Most common form of verification is the password • Common attacks include • Social Engineering • Dictionary • Smart Dictionary (DNA System) • Brute Force • Replay • Offline Guessing • Many, many more
Authorization 101 – A Recap • Countermeasures • Password complexity requirements • Password aging • Password Hashing, etc.
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Web Authentication Case Study • Taking all the techniques we have learned, we will design a secure Web authentication mechanism for a self registering system • Covering the following parts: • Self registration form • Credential storage • Login form and password reset
Case Study – Registration Form • User selects a username, typically email address is used for global uniqueness • User selects a password • First, what limits a passwords complexity? • Password memorability study • The setup • 300 students • 3 different groups (control, random, and pass phrase) • Attempted to crack using common attacks
Case Study – Registration Form • Password memorability study results
Case Study – Registration Form • Summing up the password memorability study • Confirmed Myths • Users have trouble memorizing random passwords • Mnemonic passwords are harder to crack than conventional • Disproved Myths • Random passwords are harder to crack than mnemonic • Mnemonic passwords are harder to remember than conventional
Case Study – Registration Form • So what does this mean for our registration form? • Rather then just instruct users the complexity requirements instruct them HOW to choose a good password. (The best balance between complexity and memorability is mnemonic). • As expected password size does matter – at least 8 • Character variation matters – force both numbers, symbols, and characters
Case Study – Registration Form • What else can we do to help a user choose a good password? • Improving password selection through the user interface design • The typical Password Selection Mechanism (PSM)
Case Study – Registration Form • The problem, current PSMs do not help the user choose good passwords, they only allow them to • Some myths • Users choose bad passwords because it is all they can memorize • Users choose bad passwords because they do not care about security • So why do users choose bad passwords? • They just do not understand what makes a password strong vs. weak
Case Study – Registration Form • How do we help users choose good passwords? • Feedback mechanisms
Case Study – Registration Form • Finally, we want to make sure people cannot easily create bots to create thousands of accounts. How can this be accomplished? • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) • Most common type:
Case Study – Registration Form • Real World Examples: • Can you spot the good/bad practices of the following registration forms? • Google • Yahoo! • Windows Live
Case Study – Credential Storage • How should credentials be stored? • Passwords should be salted and hashed • Password Salting • Appending randomly generated bits to a password before hashing • Used for one main reason – incase 2 people choose the same password the hash will still be different
Case Study – Credential Storage • Hashing Benefits • Fast • Secure • Removes any indication of original password length
Case Study – Login Form • Basic components: • User name field • Password field • Forgot password/password reset mechanism • When an invalid password or username is entered only show a generic message (Example) • Lock the user’s account after x password attempts • Require the user change their password after x amount of time
Case Study – Forgot/Reset Password • What is a secure way to allow a user to recover/reset their password? • Recall passwords are hashed • Common approach • User is asked to select a security question • User selects to reset their password • Email is sent to the specified account with time sensitive URL • When visited the URL presents the user with their password reset question • User answers question and is allowed to reset password
Case Study Summary • Urge users to use mnemonic passwords as they are easily memorized and as secure as random passwords • Use a feedback mechanism to indicate to the user when they have chose a strong password • Provide clear instructions to guide the user to select secure passwords • Use CAPTCHA to help reduce automated registrations (both visual and audio)
Case Study Summary • Salt and hash passwords for storage • Allow users to reset their passwords when desired using a multi-step process • If invalid credentials are entered display a generic message
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Recent Techniques and Challenges • What comes to mind?
Recent Techniques and Challenges • ING DIRECT Image Key • In addition to passwords users are asked to select an image from a set and enter a phrase • Each time they log in they will be asked to enter the phrase
Recent Techniques and Challenges • InCard Technologies • New password verification technique • Card is capable of generating one time passwords that can validate an online purchase
Recent Techniques and Challenges • RSA Hosted SecurID • Allow customers to pay to issue RSA tokens and allow the use of OTP (one-time passwords) on their site • Largest user so far is E*Trade Financial
Recent Techniques and Challenges • OpenID – Single Sign On for the Web • How it works • Site places login form on page, only contains single field asking for OpenID identifier • You are then redirected to your OpenID provider to enter whatever credentials necessary • Once authenticated you are then sent back to the original site • Also allows the account information to be exchanged
Recent Techniques and Challenges • Phishing • Using social engineering to trick users into providing personal information • Common method • Sending email that looks like it came from a business • Email asks users to verify their account information, update their records, etc. • User clicks link on email and is really taken to phishing site • User mistakenly enters their information
Recent Techniques and Challenges • Phishing Continued
Recent Techniques and Challenges • Phishing continued • Presents an interesting problem for sites. • They now have to “authenticate” themselves to users. • In other words, how do you prove to users that it is really an authentic site they are on?
Current Techniques and Challenges • Phishing continued • Yahoo! sign-in seal • Allows users to customize their login page • Stores image information in Flash shared object (a cookie for Flash)
Recent Techniques and Challenges • Summary • Recently there have been a lot of money invested in developing new authentication techniques • Phishing causes the majority of issues • It is predicted that by the end of 2007 60-75% of financial institutions will use something stronger than a password. However only 7% will go as far as to hand out hardware tokens • By the end of 2007 half of today’s stronger authentication methods will not be strong enough anymore • The password is not dead, it will merely be used as one phase of multiple phase authentication
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Biometrics • As we learned last class, the main types of biometric authentication is: • Fingerprints • Voices • Eyes • Faces • Keystrokes
Biometrics • The Electronic Passport • One of the first major public implementations of biometrics • Same as a regular passport except it contains a contactless chip in the back cover • Chip stores same information as on the photo page but also includes a digital copy of the image • The image can then be used for facial recognition at international borders
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Auditing 101 – A Recap • Why audit? • To trace access to sensitive or important information as well as access to the computers themselves • Some terminology • Logging • Recording events or statistics to provide information about system use and performance • Auditing • Analyzing the log records to present the information in a clear and understandable manner
Auditing 101 – A Recap • Two problems related to auditing • What information to log? • Which of that information gather should be audited? • What makes up an auditing system? • Logger • Analyzer • Notifier
Auditing 101 – A Recap • The Logger • Records the information • Can be binary, human-readable, or sent directly to an analysis mechanism • The Analyzer • Takes the log as input and analyzes it • Results of analysis may lead to data being recorded or detection of a problem
Auditing 101 – A Recap • The Notifier • Takes the results of the analysis • Informs the analyst and other entities of the results • An action may then be taken by the notified entities
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Designing an Auditing System • Build to detect violations in the security policy • Log meaningful information • Log sanitization • Users must only be able to view information in the logs that they have access to • 2 types of sanitizing logs: • User privacy • External viewing
Designing an Auditing System • Sanitizing for user privacy: • Sanitizing for external viewing: Logging System Sanitizer Log Users Logging System Log Sanitizer Users
Designing an Auditing System • Two types of logs • Application • Cannot connect • Configuration file not found • System • Utilize both types of logs to get a complete picture of what led up to a particular event
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Auditing Mechanisms • Secure Systems • Auditing is integrated with the system design and implementation • Typically provides a language or interface to configure what is monitored • Nonsecure Systems • Record a lesser level of activity • Auditing is typically only used for purposes of accounting rather than security violations
Outline • Authentication • Authentication 101 – A Recap • Web Authentication Case Study • Recent Techniques and Challenges • Biometrics • Auditing • Auditing 101 – A Recap • Designing an Auditing System • Auditing Mechanisms • Audit Browsing • Conclusion
Audit Browsing • Purpose is to present logs in a single tool and indicate the associations between the disconnected log files • Six Basic Browsing Techniques • Text Display • Hypertext Display • Relational database browsing • Replay • Graphing • Slicing
Conclusion • Passwords are here to stay • Passwords do not need to be weak to be able to be memorized • Mnemonic passwords are as strong as random • The typical user interface can be improved to allow users to choose stronger passwords • Auditing is important component of a system • Typically overlooked until needed but provides valuable information when needed