Authentication and Auditing Part Deux
EECS 710: Information and Assurance
Presented By: Gabe Wishnie
Instructor: Professor Saiedian
November 30, 2006
Outline
• Authentication
  – Authentication 101 – A Recap
  – Web Authentication Case Study
  – Recent Techniques and Challenges
  – Biometrics
• Auditing
  – Auditing 101 – A Recap
  – Designing an Auditing System
  – Auditing Mechanisms
  – Audit Browsing
• Conclusion
Authentication 101 – A Recap
• Most common form of verification is the password
• Common attacks include
  – Social Engineering
  – Dictionary
  – Smart Dictionary (DNA System)
  – Brute Force
  – Replay
  – Offline Guessing
  – Many, many more
Authentication 101 – A Recap
• Countermeasures
  – Password complexity requirements
  – Password aging
  – Password hashing, etc.
Web Authentication Case Study
• Taking all the techniques we have learned, we will design a secure Web authentication mechanism for a self-registering system
• Covering the following parts:
  – Self-registration form
  – Credential storage
  – Login form and password reset
Case Study – Registration Form
• User selects a username; typically an email address is used for global uniqueness
• User selects a password
• First, what limits a password's complexity?
  – Password memorability study
• The setup
  – 300 students
  – 3 different groups (control, random, and passphrase)
  – Attempted to crack using common attacks
Case Study – Registration Form
• Password memorability study results
Case Study – Registration Form
• Summing up the password memorability study
  – Confirmed myths
    • Users have trouble memorizing random passwords
    • Mnemonic passwords are harder to crack than conventional
  – Disproved myths
    • Random passwords are harder to crack than mnemonic
    • Mnemonic passwords are harder to remember than conventional
Case Study – Registration Form
• So what does this mean for our registration form?
  – Rather than just telling users the complexity requirements, instruct them HOW to choose a good password (the best balance between complexity and memorability is mnemonic)
  – As expected, password size does matter – at least 8 characters
  – Character variation matters – require numbers, symbols, and letters
Case Study – Registration Form
• What else can we do to help a user choose a good password?
  – Improving password selection through the user interface design
  – The typical Password Selection Mechanism (PSM)
Case Study – Registration Form
• The problem: current PSMs do not help the user choose good passwords, they only allow them to
• Some myths
  – Users choose bad passwords because it is all they can memorize
  – Users choose bad passwords because they do not care about security
• So why do users choose bad passwords?
  – They just do not understand what makes a password strong vs. weak
Case Study – Registration Form
• How do we help users choose good passwords?
  – Feedback mechanisms
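An added example (not from the slides) of a registration-form feedback mechanism that applies the rules the case study settles on (at least 8 characters; letters, numbers and symbols) and shows the mnemonic method the slides recommend instructing users in; the hint texts and the sentence-to-mnemonic rule are assumptions.

```python
import string

# Added example (not from the slides): a feedback mechanism for the registration
# form. It applies the rules the case study settles on (at least 8 characters and
# a mix of letters, numbers and symbols), tells the user what is still missing,
# and shows the mnemonic method the slides recommend instructing users in.
# The hint texts and the sentence-to-mnemonic rule are assumptions.

MIN_LENGTH = 8


def password_feedback(password: str) -> list:
    """Return the unmet requirements as user-facing hints; empty means acceptable."""
    hints = []
    if len(password) < MIN_LENGTH:
        hints.append("length: use at least %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        hints.append("letters: add at least one letter")
    if not any(c.isdigit() for c in password):
        hints.append("numbers: add at least one number")
    if not any(c in string.punctuation for c in password):
        hints.append("symbols: add at least one symbol such as ! or #")
    return hints


def strength_score(password: str) -> int:
    """0-4, one point per satisfied rule, for a strength bar next to the field."""
    return 4 - len(password_feedback(password))


def mnemonic_from_sentence(sentence: str) -> str:
    """Turn a memorable sentence into a mnemonic password: the first character of
    each word, keeping digits as they are and any punctuation attached to a word,
    so the numbers and symbols in the sentence survive into the password."""
    pieces = []
    for word in sentence.split():
        pieces.append(word[0])
        pieces.extend(c for c in word[1:] if c in string.punctuation)
    return "".join(pieces)


if __name__ == "__main__":
    sentence = "My 2 cats hate Mondays, so I drink coffee!"
    for candidate in ("password", mnemonic_from_sentence(sentence)):
        print(candidate, strength_score(candidate), password_feedback(candidate))
```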
Case Study – Registration Form
• Finally, we want to make sure people cannot easily create bots to create thousands of accounts. How can this be accomplished?
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
• Most common type:
Case Study – Registration Form
• Real world examples:
  – Can you spot the good/bad practices of the following registration forms?
    • Google
    • Yahoo!
    • Windows Live
Case Study – Credential Storage
• How should credentials be stored?
  – Passwords should be salted and hashed
• Password salting
  – Appending randomly generated bits to a password before hashing
  – Used for one main reason – in case 2 people choose the same password, the hash will still be different
Case Study – Credential Storage
• Hashing benefits
  – Fast
  – Secure
  – Removes any indication of original password length
Case Study – Login Form
• Basic components:
  – User name field
  – Password field
  – Forgot password/password reset mechanism
• When an invalid password or username is entered, only show a generic message (example)
• Lock the user's account after x password attempts
• Require the user to change their password after x amount of time
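An added example (not from the slides) covering both the credential-storage slides and the login-form rules above: a random salt per user so identical passwords hash differently, one generic message for every failure, and a lockout after a fixed number of attempts. PBKDF2-HMAC-SHA256, its iteration count and the attempt limit stand in for details the slides leave unspecified.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example (not from the slides): the credential-storage and login-form rules
# of the case study in one place. Each user gets a fresh random salt, so two users
# with the same password store different hashes; the login path returns the same
# generic message for an unknown username, a wrong password and a locked account,
# and locks the account after MAX_ATTEMPTS failures. PBKDF2-HMAC-SHA256 and the
# iteration count stand in for the unspecified hash on the slides (assumptions).

MAX_ATTEMPTS = 5
ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash: the random salt is mixed in before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class CredentialStore:
    def __init__(self):
        self._accounts = {}
        self._dummy_salt = os.urandom(16)  # equalizes work done for unknown users

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # 128 random bits, unique per account
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def stored_digest(self, username: str) -> bytes:
        return self._accounts[username].digest

    def is_locked(self, username: str) -> bool:
        return self._accounts[username].locked

    def login(self, username: str, password: str):
        """Return (success, message); the message never says which part was wrong."""
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, self._dummy_salt)  # same timing as a real check
            return False, GENERIC_ERROR
        if acct.locked:
            return False, GENERIC_ERROR
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failures = 0
            return True, "Login successful."
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked = True  # stays locked until an administrator or a reset clears it
        return False, GENERIC_ERROR
```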
Case Study – Forgot/Reset Password
• What is a secure way to allow a user to recover/reset their password?
  – Recall passwords are hashed
• Common approach
  1. User is asked to select a security question
  2. User selects to reset their password
  3. Email is sent to the specified account with a time-sensitive URL
  4. When visited, the URL presents the user with their password reset question
  5. User answers the question and is allowed to reset their password
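The five-step reset flow above as one added example (not the slides' own code); the 15-minute token lifetime, single-use tokens, the hashed security answer, the URL shape and the injectable clock are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example (not from the slides): the five-step reset flow as one class.
# Passwords are never recoverable (they are hashed), so the flow proves control of
# the email account plus knowledge of the security answer before allowing a reset.
# The 15-minute token lifetime, single-use tokens, the hashed answer, the URL and
# the injectable clock are assumptions added for this example.

TOKEN_LIFETIME = 15 * 60  # seconds the emailed URL stays valid


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalize so "Rex" and " rex " match, then hash like a password.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


class PasswordReset:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._questions = {}      # username -> (question, salt, answer digest)
        self._tokens = {}         # token -> (username, expiry time)
        self.new_passwords = {}   # username -> new password; stands in for the credential store

    def set_question(self, username, question, answer):
        """Step 1: at registration the user selects a security question and answer."""
        salt = os.urandom(16)
        self._questions[username] = (question, salt, _hash_answer(answer, salt))

    def request_reset(self, username):
        """Steps 2-3: the user asks for a reset; a time-sensitive URL is emailed."""
        token = secrets.token_urlsafe(32)  # 256 unguessable bits
        self._tokens[token] = (username, self._clock() + TOKEN_LIFETIME)
        return "https://example.invalid/reset?token=" + token  # constructed URL

    def _valid_user(self, token):
        entry = self._tokens.get(token)
        if entry is None or self._clock() > entry[1]:
            self._tokens.pop(token, None)  # expired: discard so it cannot be retried
            return None
        return entry[0]

    def question_for(self, token):
        """Step 4: visiting the URL shows the reset question while the token is valid."""
        user = self._valid_user(token)
        return None if user is None else self._questions[user][0]

    def reset(self, token, answer, new_password) -> bool:
        """Step 5: a correct answer allows the reset; the token is consumed either way."""
        user = self._valid_user(token)
        if user is None:
            return False
        del self._tokens[token]  # one attempt per emailed link limits answer guessing
        _, salt, digest = self._questions[user]
        if not hmac.compare_digest(digest, _hash_answer(answer, salt)):
            return False
        self.new_passwords[user] = new_password
        return True
```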
Case Study Summary
• Urge users to use mnemonic passwords, as they are easily memorized and as secure as random passwords
• Use a feedback mechanism to indicate to the user when they have chosen a strong password
• Provide clear instructions to guide the user to select secure passwords
• Use CAPTCHA to help reduce automated registrations (both visual and audio)
Case Study Summary
• Salt and hash passwords for storage
• Allow users to reset their passwords when desired using a multi-step process
• If invalid credentials are entered, display a generic message
Recent Techniques and Challenges
• What comes to mind?
Recent Techniques and Challenges
• ING DIRECT Image Key
  – In addition to passwords, users are asked to select an image from a set and enter a phrase
  – Each time they log in they will be asked to enter the phrase
Recent Techniques and Challenges
• InCard Technologies
  – New password verification technique
  – Card is capable of generating one-time passwords that can validate an online purchase
Recent Techniques and Challenges
• RSA Hosted SecurID
  – Allows customers to pay to issue RSA tokens and allow the use of OTP (one-time passwords) on their site
  – Largest user so far is E*Trade Financial
Recent Techniques and Challenges
• OpenID – Single Sign-On for the Web
  – How it works
    • Site places a login form on the page that contains only a single field asking for the OpenID identifier
    • You are then redirected to your OpenID provider to enter whatever credentials are necessary
    • Once authenticated, you are sent back to the original site
    • Also allows account information to be exchanged
Recent Techniques and Challenges
• Phishing
  – Using social engineering to trick users into providing personal information
  – Common method
    • Sending email that looks like it came from a business
    • Email asks users to verify their account information, update their records, etc.
    • User clicks the link in the email and is really taken to a phishing site
    • User mistakenly enters their information
Recent Techniques and Challenges
• Phishing continued
  – Presents an interesting problem for sites
  – They now have to "authenticate" themselves to users
  – In other words, how do you prove to users that it is really an authentic site they are on?
Recent Techniques and Challenges
• Phishing continued
  – Yahoo! sign-in seal
    • Allows users to customize their login page
    • Stores image information in a Flash shared object (a cookie for Flash)
Recent Techniques and Challenges
• Summary
  – Recently a lot of money has been invested in developing new authentication techniques
  – Phishing causes the majority of issues
  – It is predicted that by the end of 2007, 60-75% of financial institutions will use something stronger than a password. However, only 7% will go as far as to hand out hardware tokens
  – By the end of 2007, half of today's stronger authentication methods will not be strong enough anymore
  – The password is not dead; it will merely be used as one phase of multi-phase authentication
Biometrics
• As we learned last class, the main types of biometric authentication are:
  – Fingerprints
  – Voices
  – Eyes
  – Faces
  – Keystrokes
Biometrics
• The Electronic Passport
  – One of the first major public implementations of biometrics
  – Same as a regular passport except it contains a contactless chip in the back cover
  – Chip stores the same information as on the photo page but also includes a digital copy of the image
  – The image can then be used for facial recognition at international borders
Auditing 101 – A Recap
• Why audit?
  – To trace access to sensitive or important information as well as access to the computers themselves
• Some terminology
  – Logging
    • Recording events or statistics to provide information about system use and performance
  – Auditing
    • Analyzing the log records to present the information in a clear and understandable manner
Auditing 101 – A Recap
• Two problems related to auditing
  – What information to log?
  – Which of the information gathered should be audited?
• What makes up an auditing system?
  – Logger
  – Analyzer
  – Notifier
Auditing 101 – A Recap
• The Logger
  – Records the information
  – Can be binary, human-readable, or sent directly to an analysis mechanism
• The Analyzer
  – Takes the log as input and analyzes it
  – Results of analysis may lead to data being recorded or detection of a problem
Auditing 101 – A Recap
• The Notifier
  – Takes the results of the analysis
  – Informs the analyst and other entities of the results
  – An action may then be taken by the notified entities
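The three components of the recap (logger, analyzer, notifier) wired together over constructed login records, as an added example that is not from the slides; the human-readable line format, the failure threshold and the alert wording are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Added example (not from the slides): the logger, analyzer and notifier of the
# recap wired together over a few constructed login records. The human-readable
# line format, the failure threshold and the alert wording are assumptions.

FAILURE_THRESHOLD = 5


@dataclass(frozen=True)
class Event:
    time: int      # constructed epoch seconds
    source: str
    user: str
    kind: str      # "login-failure" or "login-success"


class Logger:
    """Records events; here as human-readable lines, one per record."""
    def __init__(self):
        self.lines = []

    def log(self, ev: Event) -> None:
        self.lines.append(f"{ev.time} {ev.source} {ev.user} {ev.kind}")


class Analyzer:
    """Takes the log as input and reports (source, user) pairs with too many failures."""
    def analyze(self, lines) -> list:
        failures = Counter()
        for line in lines:
            _, source, user, kind = line.split(" ", 3)
            if kind == "login-failure":
                failures[(source, user)] += 1
        return [(s, u, n) for (s, u), n in sorted(failures.items()) if n >= FAILURE_THRESHOLD]


class Notifier:
    """Informs the analyst; this one collects alerts where a real one would page or mail."""
    def __init__(self):
        self.alerts = []

    def notify(self, findings) -> list:
        for source, user, n in findings:
            self.alerts.append(f"ALERT: {n} failed logins for {user} from {source}")
        return self.alerts


def run_audit(events) -> list:
    """Logger -> Analyzer -> Notifier; returns the alerts raised."""
    logger, analyzer, notifier = Logger(), Analyzer(), Notifier()
    for ev in events:
        logger.log(ev)
    return notifier.notify(analyzer.analyze(logger.lines))


# Constructed sample: six failures for alice from one address, two for bob.
SAMPLE_EVENTS = (
    [Event(1_000 + i, "192.0.2.10", "alice", "login-failure") for i in range(6)]
    + [Event(1_010, "192.0.2.20", "bob", "login-failure"),
       Event(1_011, "192.0.2.20", "bob", "login-failure"),
       Event(1_012, "192.0.2.20", "bob", "login-success")]
)
```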
Designing an Auditing System
• Build to detect violations of the security policy
• Log meaningful information
• Log sanitization
  – Users must only be able to view information in the logs that they have access to
  – 2 types of sanitizing logs:
    • User privacy
    • External viewing
Designing an Auditing System
• Sanitizing for user privacy (the sanitizer runs before the log is written, so the stored log never holds the private data):
  Logging System → Sanitizer → Log → Users
• Sanitizing for external viewing (the log is stored unsanitized and sanitized only when viewed):
  Logging System → Log → Sanitizer → Users
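The two sanitizer placements above as an added example (not the slides' own code): one log sanitizes before storing, the other stores raw and sanitizes on the way out to an external reader; the record format and the keyed pseudonym are assumptions.

```python
import hashlib
import re

# Added example (not from the slides): the two sanitizer placements of the slide.
# For user privacy the sanitizer sits between the logging system and the log, so
# the stored log never holds the real identity; for external viewing the log is
# stored raw and sanitized only on the way out to an external reader. The line
# format and the keyed pseudonym are assumptions.

USER_FIELD = re.compile(r"user=(\S+)")


def sanitize(line: str, key: bytes) -> str:
    """Replace user=<name> with a keyed pseudonym; the same name always maps to the
    same pseudonym, so an analyst can still correlate one user's records."""
    def pseudonym(match):
        digest = hashlib.sha256(key + match.group(1).encode()).hexdigest()
        return "user=" + digest[:12]
    return USER_FIELD.sub(pseudonym, line)


class PrivacyLog:
    """Logging System -> Sanitizer -> Log -> Users"""
    def __init__(self, key: bytes):
        self._key = key
        self._stored = []

    def write(self, line: str) -> None:
        self._stored.append(sanitize(line, self._key))  # identity never reaches the log

    def read(self) -> list:
        return list(self._stored)  # even internal readers see only pseudonyms


class ExternalViewLog:
    """Logging System -> Log -> Sanitizer -> Users"""
    def __init__(self, key: bytes):
        self._key = key
        self._stored = []

    def write(self, line: str) -> None:
        self._stored.append(line)  # raw record kept for internal investigation

    def read(self, external: bool) -> list:
        if external:
            return [sanitize(line, self._key) for line in self._stored]
        return list(self._stored)


# Constructed sample records and key.
SAMPLE_LINES = ["1000 user=alice action=read file=/payroll/q3.xls",
                "1001 user=alice action=write file=/payroll/q3.xls",
                "1002 user=bob action=read file=/public/readme.txt"]
SAMPLE_KEY = b"example-only-key"
```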
Designing an Auditing System
• Two types of logs
  – Application
    • Cannot connect
    • Configuration file not found
  – System
• Utilize both types of logs to get a complete picture of what led up to a particular event
Auditing Mechanisms
• Secure systems
  – Auditing is integrated with the system design and implementation
  – Typically provides a language or interface to configure what is monitored
• Nonsecure systems
  – Record a lesser level of activity
  – Auditing is typically used only for purposes of accounting rather than detecting security violations
Audit Browsing
• Purpose is to present logs in a single tool and indicate the associations between the disconnected log files
• Six basic browsing techniques
  – Text display
  – Hypertext display
  – Relational database browsing
  – Replay
  – Graphing
  – Slicing
Conclusion
• Passwords are here to stay
• Passwords do not need to be weak to be memorable
• Mnemonic passwords are as strong as random
• The typical user interface can be improved to allow users to choose stronger passwords
• Auditing is an important component of a system
• Typically overlooked until needed, but provides valuable information when needed
Questions?
References
Biometrics, Wikipedia, http://en.wikipedia.org/wiki/Biometrics
Bishop, M. 2004. Introduction to Computer Security. Addison-Wesley, Boston, MA.
Chandra, A. and Calderon, T. 2005. Challenges and constraints to the diffusion of biometrics in information systems. Commun. ACM 48, 12 (Dec. 2005), 101-106. DOI: http://doi.acm.org/10.1145/1101779.1101784
Conlan, R. M. and Tarasewich, P. 2006. Improving interface designs to help users choose better passwords. In CHI '06 Extended Abstracts on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). ACM Press, New York, NY, 652-657. DOI: http://doi.acm.org/10.1145/1125451.1125585
RSA SecurID authentication, RSA Security, http://www.rsasecurity.com/
The U.S. Electronic Passport, U.S. Department of State, http://travel.state.gov/passport/eppt/eppt_2498.html
What is OpenID?, OpenID, http://openid.net/
Yan, J., Blackwell, A., and Grant, A. 2004. Password memorability and security: empirical results. IEEE Security & Privacy 2(5), 25-31.