Authentication and AuditingPart Deux

EECS 710: Information and AssurancePresented By: Gabe WishnieInstructor: Professor Saiedian

November 30, 2006

2

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

3

Authorization 101 – A Recap• Most common form of verification is the

password• Common attacks include

– Social Engineering– Dictionary– Smart Dictionary (DNA System)– Brute Force– Replay– Offline Guessing– Many, many more

4

Authorization 101 – A Recap• Countermeasures

– Password complexity requirements– Password aging– Password Hashing, etc.

5

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

6

Web Authentication Case Study• Taking all the techniques we have learned,

we will design a secure Web authentication mechanism for a self registering system

• Covering the following parts:– Self registration form– Credential storage – Login form and password reset

7

Case Study – Registration Form• User selects a username, typically email

address is used for global uniqueness• User selects a password• First, what limits a passwords complexity?

– Password memorability study• The setup

– 300 students– 3 different groups (control, random, and pass

phrase)– Attempted to crack using common attacks

8

Case Study – Registration Form• Password memorability study results

9

Case Study – Registration Form• Summing up the password memorability

study– Confirmed Myths

• Users have trouble memorizing random passwords• Mnemonic passwords are harder to crack than

conventional– Disproved Myths

• Random passwords are harder to crack than mnemonic

• Mnemonic passwords are harder to remember than conventional

10

Case Study – Registration Form• So what does this mean for our

registration form?– Rather then just instruct users the complexity

requirements instruct them HOW to choose a good password. (The best balance between complexity and memorability is mnemonic).

– As expected password size does matter – at least 8

– Character variation matters – force both numbers, symbols, and characters

11

Case Study – Registration Form• What else can we do to help a user choose

a good password?– Improving password selection through the user

interface design– The typical Password Selection Mechanism

(PSM)

12

Case Study – Registration Form• The problem, current PSMs do not help the

user choose good passwords, they only allow them to

• Some myths– Users choose bad passwords because it is all

they can memorize– Users choose bad passwords because they do

not care about security• So why do users choose bad passwords?

– They just do not understand what makes a password strong vs. weak

13

Case Study – Registration Form• How do we help users choose good

passwords?– Feedback mechanisms

14

Case Study – Registration Form• Finally, we want to make sure people

cannot easily create bots to create thousands of accounts. How can this be accomplished?

• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)

• Most common type:

15

Case Study – Registration Form• Real World Examples:

- Can you spot the good/bad practices of the following registration forms?

- Google- Yahoo!- Windows Live

16

Case Study – Credential Storage• How should credentials be stored?

– Passwords should be salted and hashed• Password Salting

– Appending randomly generated bits to a password before hashing

– Used for one main reason – incase 2 people choose the same password the hash will still be different

17

Case Study – Credential Storage• Hashing Benefits

– Fast– Secure– Removes any indication of original password

length

18

Case Study – Login Form• Basic components:

– User name field– Password field– Forgot password/password reset mechanism

• When an invalid password or username is entered only show a generic message (Example)

• Lock the user’s account after x password attempts

• Require the user change their password after x amount of time

19

Case Study – Forgot/Reset Password• What is a secure way to allow a user to

recover/reset their password?– Recall passwords are hashed

• Common approach1. User is asked to select a security question2. User selects to reset their password3. Email is sent to the specified account with time

sensitive URL4. When visited the URL presents the user with their

password reset question5. User answers question and is allowed to reset

password

20

Case Study Summary• Urge users to use mnemonic passwords as

they are easily memorized and as secure as random passwords

• Use a feedback mechanism to indicate to the user when they have chose a strong password

• Provide clear instructions to guide the user to select secure passwords

• Use CAPTCHA to help reduce automated registrations (both visual and audio)

21

Case Study Summary• Salt and hash passwords for storage• Allow users to reset their passwords when

desired using a multi-step process• If invalid credentials are entered display a

generic message

22

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

23

Recent Techniques and Challenges• What comes to mind?

24

Recent Techniques and Challenges• ING DIRECT Image Key

– In addition to passwords users are asked to select an image from a set and enter a phrase

– Each time they log in they will be asked to enter the phrase

25

Recent Techniques and Challenges• InCard Technologies

– New password verification technique– Card is capable of generating one time

passwords that can validate an online purchase

26

Recent Techniques and Challenges• RSA Hosted SecurID

– Allow customers to pay to issue RSA tokens and allow the use of OTP (one-time passwords) on their site

– Largest user so far is E*Trade Financial

27

Recent Techniques and Challenges• OpenID – Single Sign On for the Web

– How it works• Site places login form on page, only contains single

field asking for OpenID identifier

• You are then redirected to your OpenID provider to enter whatever credentials necessary

• Once authenticated you are then sent back to the original site

• Also allows the account information to be exchanged

28

Recent Techniques and Challenges• Phishing

– Using social engineering to trick users into providing personal information

– Common method• Sending email that looks like it came from a business• Email asks users to verify their account information,

update their records, etc.• User clicks link on email and is really taken to

phishing site• User mistakenly enters their information

29

Recent Techniques and Challenges• Phishing Continued

30

Recent Techniques and Challenges• Phishing continued

– Presents an interesting problem for sites. – They now have to “authenticate” themselves

to users.– In other words, how do you prove to users that

it is really an authentic site they are on?

31

Current Techniques and Challenges• Phishing continued

– Yahoo! sign-in seal• Allows users to customize their login page• Stores image information in Flash shared object (a

cookie for Flash)

32

Recent Techniques and Challenges• Summary

– Recently there have been a lot of money invested in developing new authentication techniques

– Phishing causes the majority of issues– It is predicted that by the end of 2007 60-75% of

financial institutions will use something stronger than a password. However only 7% will go as far as to hand out hardware tokens

– By the end of 2007 half of today’s stronger authentication methods will not be strong enough anymore

– The password is not dead, it will merely be used as one phase of multiple phase authentication

33

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

34

Biometrics• As we learned last class, the main types of

biometric authentication is:– Fingerprints– Voices– Eyes– Faces– Keystrokes

35

Biometrics

36

Biometrics• The Electronic Passport

– One of the first major public implementations of biometrics

– Same as a regular passport except it contains a contactless chip in the back cover

– Chip stores same information as on the photo page but also includes a digital copy of the image

– The image can then be used for facial recognition at international borders

37

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

38

Auditing 101 – A Recap• Why audit?

– To trace access to sensitive or important information as well as access to the computers themselves

• Some terminology– Logging

• Recording events or statistics to provide information about system use and performance

– Auditing• Analyzing the log records to present the information

in a clear and understandable manner

39

Auditing 101 – A Recap• Two problems related to auditing

– What information to log?– Which of that information gather should be

audited?• What makes up an auditing system?

– Logger– Analyzer– Notifier

40

Auditing 101 – A Recap• The Logger

– Records the information– Can be binary, human-readable, or sent

directly to an analysis mechanism• The Analyzer

– Takes the log as input and analyzes it– Results of analysis may lead to data being

recorded or detection of a problem

41

Auditing 101 – A Recap• The Notifier

– Takes the results of the analysis– Informs the analyst and other entities of the

results– An action may then be taken by the notified

entities

42

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

43

Designing an Auditing System• Build to detect violations in the security

policy• Log meaningful information• Log sanitization

– Users must only be able to view information in the logs that they have access to

– 2 types of sanitizing logs:• User privacy• External viewing

44

Designing an Auditing System• Sanitizing for user privacy:

• Sanitizing for external viewing:

Logging System LogSanitizer Users

Logging System SanitizerLog Users

45

Designing an Auditing System• Two types of logs

– Application• Cannot connect• Configuration file not found

– System• Utilize both types of logs to get a complete

picture of what led up to a particular event

46

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

47

Auditing Mechanisms• Secure Systems

– Auditing is integrated with the system design and implementation

– Typically provides a language or interface to configure what is monitored

• Nonsecure Systems– Record a lesser level of activity– Auditing is typically only used for purposes of

accounting rather than security violations

48

Outline• Authentication

– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics

• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing

• Conclusion

49

Audit Browsing• Purpose is to present logs in a single tool

and indicate the associations between the disconnected log files

• Six Basic Browsing Techniques– Text Display– Hypertext Display– Relational database browsing– Replay– Graphing– Slicing

50

Conclusion• Passwords are here to stay• Passwords do not need to be weak to be able to

be memorized• Mnemonic passwords are as strong as random• The typical user interface can be improved to

allow users to choose stronger passwords • Auditing is important component of a system• Typically overlooked until needed but provides

valuable information when needed

51

Questions?

52

ReferencesBiometrics, Wikipedia, http://en.wikipedia.org/wiki/Biometrics

Bishop, 2004, Introduction to Computer Security, Addison-Wesley, Boston, MA

Chandra, A. and Calderon, T. 2005. Challenges and constraints to the diffusion of biometrics in information systems. Commun. ACM 48, 12 (Dec. 2005), 101-106. DOI= http://doi.acm.org/10.1145/1101779.1101784

Conlan, R. M. and Tarasewich, P. 2006. Improving interface designs to help users choose better passwords. In CHI '06 Extended Abstracts on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). CHI '06. ACM Press, New York, NY, 652-657. DOI= http://doi.acm.org/10.1145/1125451.1125585

RSA SecureID authentication, RSA Security, http://www.rsasecurity.com/

The U.S. Electronic Passport, U.S. Department of State, http://travel.state.gov/passport/eppt/eppt_2498.html

What is OpenID?, OpenID, http://openid.net/

Yan, J., Blackwell, A., and Grant, A. 2004. Password memorabillity and security: empirical results. Security & Privacy Magazine, IEEE. 2 (5). pp.25-31.