Authentication and Auditing Part Deux
description
Transcript of Authentication and Auditing Part Deux
Authentication and AuditingPart Deux
EECS 710: Information and AssurancePresented By: Gabe WishnieInstructor: Professor Saiedian
November 30, 2006
2
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
3
Authorization 101 – A Recap• Most common form of verification is the
password• Common attacks include
– Social Engineering– Dictionary– Smart Dictionary (DNA System)– Brute Force– Replay– Offline Guessing– Many, many more
4
Authorization 101 – A Recap• Countermeasures
– Password complexity requirements– Password aging– Password Hashing, etc.
5
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
6
Web Authentication Case Study• Taking all the techniques we have learned,
we will design a secure Web authentication mechanism for a self registering system
• Covering the following parts:– Self registration form– Credential storage – Login form and password reset
7
Case Study – Registration Form• User selects a username, typically email
address is used for global uniqueness• User selects a password• First, what limits a passwords complexity?
– Password memorability study• The setup
– 300 students– 3 different groups (control, random, and pass
phrase)– Attempted to crack using common attacks
8
Case Study – Registration Form• Password memorability study results
9
Case Study – Registration Form• Summing up the password memorability
study– Confirmed Myths
• Users have trouble memorizing random passwords• Mnemonic passwords are harder to crack than
conventional– Disproved Myths
• Random passwords are harder to crack than mnemonic
• Mnemonic passwords are harder to remember than conventional
10
Case Study – Registration Form• So what does this mean for our
registration form?– Rather then just instruct users the complexity
requirements instruct them HOW to choose a good password. (The best balance between complexity and memorability is mnemonic).
– As expected password size does matter – at least 8
– Character variation matters – force both numbers, symbols, and characters
11
Case Study – Registration Form• What else can we do to help a user choose
a good password?– Improving password selection through the user
interface design– The typical Password Selection Mechanism
(PSM)
12
Case Study – Registration Form• The problem, current PSMs do not help the
user choose good passwords, they only allow them to
• Some myths– Users choose bad passwords because it is all
they can memorize– Users choose bad passwords because they do
not care about security• So why do users choose bad passwords?
– They just do not understand what makes a password strong vs. weak
13
Case Study – Registration Form• How do we help users choose good
passwords?– Feedback mechanisms
14
Case Study – Registration Form• Finally, we want to make sure people
cannot easily create bots to create thousands of accounts. How can this be accomplished?
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
• Most common type:
15
Case Study – Registration Form• Real World Examples:
- Can you spot the good/bad practices of the following registration forms?
- Google- Yahoo!- Windows Live
16
Case Study – Credential Storage• How should credentials be stored?
– Passwords should be salted and hashed• Password Salting
– Appending randomly generated bits to a password before hashing
– Used for one main reason – incase 2 people choose the same password the hash will still be different
17
Case Study – Credential Storage• Hashing Benefits
– Fast– Secure– Removes any indication of original password
length
18
Case Study – Login Form• Basic components:
– User name field– Password field– Forgot password/password reset mechanism
• When an invalid password or username is entered only show a generic message (Example)
• Lock the user’s account after x password attempts
• Require the user change their password after x amount of time
19
Case Study – Forgot/Reset Password• What is a secure way to allow a user to
recover/reset their password?– Recall passwords are hashed
• Common approach1. User is asked to select a security question2. User selects to reset their password3. Email is sent to the specified account with time
sensitive URL4. When visited the URL presents the user with their
password reset question5. User answers question and is allowed to reset
password
20
Case Study Summary• Urge users to use mnemonic passwords as
they are easily memorized and as secure as random passwords
• Use a feedback mechanism to indicate to the user when they have chose a strong password
• Provide clear instructions to guide the user to select secure passwords
• Use CAPTCHA to help reduce automated registrations (both visual and audio)
21
Case Study Summary• Salt and hash passwords for storage• Allow users to reset their passwords when
desired using a multi-step process• If invalid credentials are entered display a
generic message
22
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
23
Recent Techniques and Challenges• What comes to mind?
24
Recent Techniques and Challenges• ING DIRECT Image Key
– In addition to passwords users are asked to select an image from a set and enter a phrase
– Each time they log in they will be asked to enter the phrase
25
Recent Techniques and Challenges• InCard Technologies
– New password verification technique– Card is capable of generating one time
passwords that can validate an online purchase
26
Recent Techniques and Challenges• RSA Hosted SecurID
– Allow customers to pay to issue RSA tokens and allow the use of OTP (one-time passwords) on their site
– Largest user so far is E*Trade Financial
27
Recent Techniques and Challenges• OpenID – Single Sign On for the Web
– How it works• Site places login form on page, only contains single
field asking for OpenID identifier
• You are then redirected to your OpenID provider to enter whatever credentials necessary
• Once authenticated you are then sent back to the original site
• Also allows the account information to be exchanged
28
Recent Techniques and Challenges• Phishing
– Using social engineering to trick users into providing personal information
– Common method• Sending email that looks like it came from a business• Email asks users to verify their account information,
update their records, etc.• User clicks link on email and is really taken to
phishing site• User mistakenly enters their information
29
Recent Techniques and Challenges• Phishing Continued
30
Recent Techniques and Challenges• Phishing continued
– Presents an interesting problem for sites. – They now have to “authenticate” themselves
to users.– In other words, how do you prove to users that
it is really an authentic site they are on?
31
Current Techniques and Challenges• Phishing continued
– Yahoo! sign-in seal• Allows users to customize their login page• Stores image information in Flash shared object (a
cookie for Flash)
32
Recent Techniques and Challenges• Summary
– Recently there have been a lot of money invested in developing new authentication techniques
– Phishing causes the majority of issues– It is predicted that by the end of 2007 60-75% of
financial institutions will use something stronger than a password. However only 7% will go as far as to hand out hardware tokens
– By the end of 2007 half of today’s stronger authentication methods will not be strong enough anymore
– The password is not dead, it will merely be used as one phase of multiple phase authentication
33
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
34
Biometrics• As we learned last class, the main types of
biometric authentication is:– Fingerprints– Voices– Eyes– Faces– Keystrokes
35
Biometrics
36
Biometrics• The Electronic Passport
– One of the first major public implementations of biometrics
– Same as a regular passport except it contains a contactless chip in the back cover
– Chip stores same information as on the photo page but also includes a digital copy of the image
– The image can then be used for facial recognition at international borders
37
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
38
Auditing 101 – A Recap• Why audit?
– To trace access to sensitive or important information as well as access to the computers themselves
• Some terminology– Logging
• Recording events or statistics to provide information about system use and performance
– Auditing• Analyzing the log records to present the information
in a clear and understandable manner
39
Auditing 101 – A Recap• Two problems related to auditing
– What information to log?– Which of that information gather should be
audited?• What makes up an auditing system?
– Logger– Analyzer– Notifier
40
Auditing 101 – A Recap• The Logger
– Records the information– Can be binary, human-readable, or sent
directly to an analysis mechanism• The Analyzer
– Takes the log as input and analyzes it– Results of analysis may lead to data being
recorded or detection of a problem
41
Auditing 101 – A Recap• The Notifier
– Takes the results of the analysis– Informs the analyst and other entities of the
results– An action may then be taken by the notified
entities
42
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
43
Designing an Auditing System• Build to detect violations in the security
policy• Log meaningful information• Log sanitization
– Users must only be able to view information in the logs that they have access to
– 2 types of sanitizing logs:• User privacy• External viewing
44
Designing an Auditing System• Sanitizing for user privacy:
• Sanitizing for external viewing:
Logging System LogSanitizer Users
Logging System SanitizerLog Users
45
Designing an Auditing System• Two types of logs
– Application• Cannot connect• Configuration file not found
– System• Utilize both types of logs to get a complete
picture of what led up to a particular event
46
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
47
Auditing Mechanisms• Secure Systems
– Auditing is integrated with the system design and implementation
– Typically provides a language or interface to configure what is monitored
• Nonsecure Systems– Record a lesser level of activity– Auditing is typically only used for purposes of
accounting rather than security violations
48
Outline• Authentication
– Authentication 101 – A Recap– Web Authentication Case Study– Recent Techniques and Challenges– Biometrics
• Auditing– Auditing 101 – A Recap– Designing an Auditing System– Auditing Mechanisms– Audit Browsing
• Conclusion
49
Audit Browsing• Purpose is to present logs in a single tool
and indicate the associations between the disconnected log files
• Six Basic Browsing Techniques– Text Display– Hypertext Display– Relational database browsing– Replay– Graphing– Slicing
50
Conclusion• Passwords are here to stay• Passwords do not need to be weak to be able to
be memorized• Mnemonic passwords are as strong as random• The typical user interface can be improved to
allow users to choose stronger passwords • Auditing is important component of a system• Typically overlooked until needed but provides
valuable information when needed
51
Questions?
52
ReferencesBiometrics, Wikipedia, http://en.wikipedia.org/wiki/Biometrics
Bishop, 2004, Introduction to Computer Security, Addison-Wesley, Boston, MA
Chandra, A. and Calderon, T. 2005. Challenges and constraints to the diffusion of biometrics in information systems. Commun. ACM 48, 12 (Dec. 2005), 101-106. DOI= http://doi.acm.org/10.1145/1101779.1101784
Conlan, R. M. and Tarasewich, P. 2006. Improving interface designs to help users choose better passwords. In CHI '06 Extended Abstracts on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). CHI '06. ACM Press, New York, NY, 652-657. DOI= http://doi.acm.org/10.1145/1125451.1125585
RSA SecureID authentication, RSA Security, http://www.rsasecurity.com/
The U.S. Electronic Passport, U.S. Department of State, http://travel.state.gov/passport/eppt/eppt_2498.html
What is OpenID?, OpenID, http://openid.net/
Yan, J., Blackwell, A., and Grant, A. 2004. Password memorabillity and security: empirical results. Security & Privacy Magazine, IEEE. 2 (5). pp.25-31.