Authentication Methods


Questions and Answers

Which of the following is the most accurate description of Authentication?

  • The process of granting access to resources based on predefined rules.
  • The process of ensuring data integrity during transmission.
  • The process of verifying a claimed identity. (correct)
  • The process of monitoring access to resources.

What is the primary security risk associated with knowledge-based authentication factors such as passwords and PINs?

  • They can be captured through eavesdropping or captured by masquerading systems. (correct)
  • Once compromised, they cannot be easily revoked.
  • They require specialized hardware for implementation.
  • They are easily lost or forgotten by the user.

In the context of authentication factors, which of the following is an example of 'something the user has'?

  • A smart card. (correct)
  • A passphrase.
  • Personal data.
  • A biometric fingerprint.

Why is it crucial for an authentication system to prevent attackers from masquerading as legitimate users?

To maintain user accountability and prevent unauthorized actions. (A)

Which of the following is a key disadvantage of relying solely on knowledge-based authentication, such as passwords or PINs?

User accountability issues. (D)

What is a primary limitation of using magnetic stripe cards for authentication?

They are vulnerable to counterfeiting. (B)

Synchronized password generators, as part of one-shot password tokens, aim to address which security concern?

Preventing the reuse of compromised passwords. (B)

In challenge-response authentication systems, what is the primary role of the 'challenge'?

To generate a random stimulus that prevents replay attacks. (B)

Which of the following is a key advantage of multi-factor authentication?

It significantly increases the confidence that users are indeed authorized. (B)

What is the primary goal of implementing 'least privilege' access control?

To minimize the potential damage from insider threats or compromised accounts. (D)

In the context of access control, what is the role of the 'reference monitor'?

To enforce the security policies governing access requests. (D)

What is the key characteristic of Discretionary Access Control (DAC)?

Resource owners have the authority to grant access to their resources. (B)

What is the primary purpose of data loss prevention (DLP) mechanisms?

To prevent unauthorized access to and disclosure of sensitive information. (C)

Which of the following is a critical aspect of handling privileges to maintain security?

Regularly reviewing and revoking unnecessary privileges. (A)

What is the primary goal of Digital Rights Management (DRM)?

To enable content producers to control how their content is accessed and used. (D)

What does Kerckhoffs's principle state regarding the security of a cryptographic system?

The system should remain secure even if everything except the key is public. (C)

Which of the following is an example of a 'passive attack' in the context of network security?

Monitoring network traffic to gather information. (D)

What is the primary goal of a 'replay attack'?

To impersonate a legitimate user by resending captured data. (A)

What is the purpose of salting passwords before hashing them?

To make dictionary attacks more difficult. (B)

Which of the following best describes a 'rainbow table attack'?

A precomputed lookup table for reversing cryptographic hash functions. (C)

In cryptography, what is meant by the term 'data integrity'?

Data cannot be altered in an unauthorized manner. (D)

What is the key difference between symmetric and asymmetric encryption?

Symmetric encryption uses one key for both encryption and decryption; asymmetric encryption uses two distinct keys. (A)

What is the purpose of a 'digital signature'?

To verify the integrity and authenticity of a message. (A)

In the context of cryptographic hash functions, what does 'collision resistance' mean?

It is difficult to find two different inputs that produce the same hash value. (D)

What is a primary advantage of stream ciphers compared to block ciphers?

Lower computational overhead and suitability for real-time services. (C)

Which of the following describes the purpose of 'padding' in block cipher encryption?

To extend the plaintext message to a multiple of the block size. (B)

What is the purpose of a Message Authentication Code (MAC)?

To provide integrity and data origin authentication. (C)

What is a major challenge in using asymmetric (public-key) cryptography?

Computational complexity and slower encryption speeds. (D)

Which of the following is an important step in generating an RSA keypair?

Selecting an element that is coprime to the product of (each of the two large primes minus one). (B)

In RSA cryptography, what is the purpose of the private key?

To decrypt messages encrypted with the corresponding public key. (B)

What is one way to attempt to break RSA encryption?

Using a small modulus N to decrypt the ciphertext without the secret decryption key. (D)

What security goal is achieved by digital signatures?

They can provide data integrity, data origin authentication and non-repudiation. (C)

What challenge is presented by Shor's algorithm in the context of post-quantum cryptography?

Shor's algorithm can break many of the public-key cryptosystems used today. (B)

Which of the following describes the 'Data Link Layer' in the OSI model?

The technologies used to connect two machines across a network where the physical layer already exists. (A)

What is a key reason why 'Layer 2' is considered the weakest OSI layer?

LANs traditionally were under the administrative control of organizations. (B)

In the context of network security, what is the purpose of an Intrusion Detection System (IDS)?

To monitor network traffic for suspicious activity and generate alerts. (A)

Compared to Intrusion Detection Systems (IDS), how do Intrusion Prevention Systems (IPS) enhance network security?

An IPS blocks the attack, taking active blocking or isolation measures, when a threat is detected and is active. (A)

What is the primary function of the IPSec protocol?

A protocol suite for protecting IP communications, ensuring data security during transmission by providing encryption, authentication and integrity protection at the network layer. (D)

What are the two operation modes of IPSec?

The two operation modes of IPSec are Tunnel mode and Transport mode. (B)

What is the function of a 'Security Association' in IPSec?

It defines the security parameters (such as encryption algorithm, key and protocol mode) used by both communicating parties. (B)

What security functions are most relevant for Transport Layer Security?

Providing data encryption and data integrity. (D)

What is the primary purpose of a VPN?

A technology that establishes a secure connection through a public network (such as the internet). A VPN creates an encrypted tunnel between the user's device and the target network, ensuring that the data cannot be eavesdropped on or tampered with during transmission. (D)

Why does process and memory protection matter?

It is implemented by an operating system to ensure that processes operate in isolation. (D)

What security risk does ASLR mainly mitigate?

The risk mitigated by ASLR, the NX bit, and stack canaries. (D)

In the context of auditing and logging for security, what does 'comprehensive logging' refer to?

Logging relevant details such as timestamps, user IDs, IP addresses and event descriptions. Ensuring all critical systems, applications, and devices generate logs. (A)

Flashcards

Authentication

Verifies an entity's claimed identity; the "identity" must make sense to the "verifier", and authentication factors are used to prove the claim.

Authentication of Users

Proving to a system that users are who they claim to be, ensuring attackers can't impersonate legitimate users, and protecting users from masquerade attacks.

Authentication Factors

Knowledge-based (something you know), possession-based (something you have), and inherence-based (something you are).

Knowledge-based Authentication

Uses secret knowledge, like passwords or PINs, for authentication. Advantage: it's cheap. Disadvantage: it can be captured.

Graphical Password

Using images instead of text, graphical passwords require users to interact with images for authentication.

One-time Passwords

Passwords that are used only once. Prevents reuse if intercepted. Requires access to a device.

Password Cracking

Attempting all possible combinations or using dictionaries of common passwords to crack an account.

Synchronized Password Token

An authentication token that generates the same sequence of random passwords on the token and on the host system over time.

Challenge-Response Systems

One party presents a challenge and the other must provide a valid response using a shared secret key.

Biometrics

Automated methods of verifying or recognizing a person based on physical or behavioral characteristics.

Identification

Determine who is accessing the system.

Authentication

Verify or disprove a given identity.

Multi-Factor Authentication

Using two authentication factors for security.

Two-Factor Authentication

A physical device (card, token) along with a PIN or password to enhance security.

Access Control

A collection of mechanisms that work together to create a security architecture protecting the assets of an information system.

Access Control

Who is allowed to do what.

Personal Accountability

The goal of access control is personal accountability, ensuring actions can be traced to individuals.

Authorisation

Verifies whether an access request should be permitted or denied.

Accountability

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Information Owner

The individual responsible for the information, who decides who uses the system and how it is recovered.

Physical Access Control

Locks, security guards and badges used to control physical access.

Logical Access Control

Procedures relating to information and the knowledge needed to access it.

Loss of Data Confidentiality

Protection of data against access that is not authorised.

Loss of Data Integrity

Accuracy, completeness, and consistency.

Loss of Data Availability

Ensures business data is available for partners and end users.

Allocation of Privileges

Limiting the type of access assigned.

Mandatory Access Control

Centrally controlled policy to enforce security.

Discretionary Access Control (DAC)

Owner grants privileges to others.

Subjects

People/systems granted clearance.

Objects

Elements under protection.

Labels

Mechanism that binds objects to subjects.

Access Control Lists

A list attached to a system or resource.

The Least Privilege (Need-to-Know)

Ensuring only appropriate access is assigned.

Role-Based Access Control (RBAC)

Simplifies granting access by assigning users to groups with defined rights.

Informing User

Telling users the limitations of their access privileges and data.

Recording Privileges

Actions taken to record privileges.

Revoking Privileges

Withdrawing privileges: when and how?

Digital Rights Management (DRM)

Controls access to digital content, prevents digital copying, and enables external parties to enforce their policy.

Roots of Trust

Depend on the threat model; modules are either a hardware solution or a software solution.

Monitoring Accesses

The system records accesses.

Study Notes

Authentication

  • Authentication verifies an entity's claimed identity.
  • "Identity" must be relevant to the "verifier".
    • It can be a globally unique identifier (a real-world identity).
    • It may be a local identifier established through enrolment.
  • To validate their claim, the claimant has to provide authentication factors.

Authentication of Users

  • Whenever users exercise their privileges, they must prove to the system the identity they claim.
  • The system must guarantee that attackers cannot masquerade as legitimate users by manipulating identifiers.
  • Users need assurance the system prevents masquerade attacks.
  • The system needs to ensure users are communicating with authorized systems and that attackers are not responsible for actions performed.
  • The system must ensure the user's persona cannot later be used to impersonate them.

Authentication Factors

  • Main authentication factors: something the user knows, has, or is.

Something the User Knows

  • Knowledge-based authentication:
    • Password
    • PIN
    • Pass Phrase
    • Personal data
    • Word Association

Password/PIN

  • Knowledge-based authentication.
    • Cheap
    • Easily revoked
    • User acceptance is typically high.
    • Provides a high level of security.

Graphical Password

  • Users interact with images rather than text.

Password/PIN Disadvantages

  • Knowledge-based authentication
    • User accountability issues
    • Privilege is not controlled by the user once assigned
    • The user may be unaware of compromise
    • Demands remembering details
    • Susceptible to eavesdropping and illicit capture
    • Risk of capture by a masquerading system
    • Possible password leaks to untrustworthy entities

Password/PIN Alternatives

  • One-Time Passwords
    • The user proves secret knowledge or access to secret knowledge
    • User responses differ with each login attempt
    • Eavesdropped or captured passwords can't be reused
    • Techniques involve device access under "Something the user has"

Textual Password Cracking

  • Two methods for cracking textual passwords:
    • Brute force (trying all combinations)
    • Dictionary attacks (using common/likely passwords)

Password Cracking

  • The process involves determining the hash function and possible salt.
  • Requires deciding which cracking approach to use.
  • Dictionary attacks are often enough for cracking "any account".
  • Trying all possible combinations may be needed for "particular account" cracking.
  • Locating and acquiring cracking resources is necessary.

Graphical Password cracking

  • Involves pattern analysis on graphical unlock patterns
  • Brute force attack [389,112 possible patterns]
  • Pattern bias [start points and end points]
  • Smudge attack [oily residue]

Something the User Has

  • Authentication based on physical ownership:
    • Magnetic stripe card
    • One-shot password token
    • Smart cards

Magnetic Stripe Cards

  • One-shot password tokens:
    • Synchronized password generators
    • Challenge-response systems
  • Smart cards:
    • Stored data cards securely store data, preventing unauthorized copying or modification.
    • Cards have processing capability with an embedded computer chip and data storage.
  • Magnetic Stripe Card:
    • Used widely in banking systems.
    • Contain identification information that includes special printing/holograms.
    • Include written signatures and customer data recorded on a magnetic stripe.
    • Easy to counterfeit by copying data from one card to another.
    • Universally accepted and cheap to produce, but with limited security and functionality.

One-Shot Password Tokens

  • Synchronized password generators produce series of random passwords on both a token and host system.
    • Tokens include a clock.
    • Also feature an alphanumeric sequence generator.
  • Challenge-response tokens are also part of the "Something the user has" category.

Challenge Response Systems

  • Protocol wherein one party issues a challenge and the other provides a valid response.
  • User and system share a secret key

Summary: Something the User Has

  • Advantages:
    • Attackers require physical possession of the token.
    • Users cannot share tokens with each other.
    • Tokens can be combined with other methods, such as one-time passwords.
    • Users are aware if a token is lost.
    • The user must report token loss.
    • Illegal possession of a token is evidence of wrongdoing.
  • Disadvantages:
    • Cost of the token and checking mechanism

Administration of Tokens

  • Distribution
  • Recording
  • Lost token reporting
  • Replacement of expired tokens
  • Destruction

Something the User Is

  • Biometrics use automated methods to verify/recognize someone based on characteristics.
  • Methods are either physical or behavioral.

Basic Processes

  • Analog capture of the user's attribute
  • Development of a template of the user’s attribute via enrolment
  • Template comparison against a stored value when access is requested.
  • Decision on whether to grant access, based on the comparison.

Biometric Classification

  • Physiological: body measurements include fingerprint, face, iris, and retina recognition.
  • Behavioral: voice, signature recognition, keystroke/touch dynamics are measured.

Biometrics

  • Proves or disproves identity by fingerprint recognition.

Biometric Types

  • Authentication or Identification is determined by:
    • Voice recognition attempts to characterize a person's voice signature.
    • Signature recognition measures activities like signing on paper or digitizing tablets.
    • Gait analysis identifies individuals by the way they walk using accelerometers.
    • Behavior profiling aims to identify unique patterns of mobile service use
    • Keystroke dynamics utilize rhythm when typing on a keyboard.
    • Touch dynamics captures factors like touch duration via touchscreens.

Multi Factor Authentication

  • Combining 2-3 authentication factors increases confidence that systems are accessed by authorized users.

Two-Factor Authentication

  • Combines physical device and personal secret, like PIN or password, to enhance security.

Access Control

  • A collection of mechanisms working to create a security architecture of an information system.
  • A goal of access control is personal accountability, showing who performed a computer activity.

Authorisation

  • This process determines if a principal's access request for an object should be granted.
  • A reference monitor is the entity that enforces policy
  • Access Control Lists (ACL) defines the policy.
  • Setting the policy in the ACL is known as authorization.
  • Process finds correct rules for a given access request.

Accountability

  • Establishes the capability to trace actions uniquely to an entity, supporting key security goals.
  • Nonrepudiation, deterrence, fault isolation, intrusion detection/prevention, recovery, and legal action are supported.
  • Launched processes after events occur, such as regular/technical audits and incident-triggered investigations.

Information Owner

  • Has overall responsibility for data within an information system.
  • Decides who uses the system and system recovery.

Controlling Access

  • Two main methods:
    • Physical access control: uses locks, guards, and badges to control entry to physical areas.
    • Logical access control: Relies on validated identity through PINs, cards and biometrics related to information and knowledge.

Access Control Goals

  • Prevent attackers from gaining physical or logical access to a system.

Primary Security Concerns

  • CIA Triad:

Confidentiality

  • Protect data, including privacy and proprietary information from unauthorized access.

Integrity

  • Maintain accuracy, completeness, consistency, and validity of an organization's data.

Availability

  • Ensure business data for org., partners and end-users is available when required.

Access Control Procedures

  • Allocation of privileges: Limit the type of access granted.
  • Administration of privileges: Recording and revocation of privileges.
  • The need to monitor accesses and prevent unauthorized access.
  • Identification and authentication of users.

Allocation of Privileges and mandatory access control

  • Centrally controlled by a policy administrator for all users.
  • The system decides who can access information based on the relationship between :
    • Subjects: People/systems granted clearance.
    • Objects: system elements being protected.
    • Labels: mechanisms binding object to subjects.
  • Mandatory Access Control: access is decided by comparing the subject's security clearance with the object's security label, and this is enforced for all users.
  • All users have a security clearance and all files have a security classification.
  • System uses rules for user access to resources.

Discretionary Access Control (DAC)

  • Information owner grants privileges, giving subjects control over access.
  • Operating systems rely on DAC principles for access and operations.

Access Control Lists

  • A list of users granted access to a system and what access they have.
  • Privileges are typically: Read, Write, Update, Delete or Rename.

The Least Privilege (Need-to-Know)

  • Assurance of confidentiality is achieved by giving users only what is needed.
  • Authority to perform a transaction or access a resource is based on need.

Role-Based Access Control (RBAC)

  • Controls access by assigning users to groups with specific rights.
  • Suited for environments with high employee turnover and movements
  • Avoids any one user holding too much control.

Administration of Privileges

  • Procedures are used to hand over, inform users, record privileges, and revoke privileges.

Handing over Privileges

  • Identification of the recipient is needed, along with legitimacy: are they who they claim to be?
  • Security is paramount: there is a risk of secret leaks, such as passwords.

Informing Users

  • Inform users of use conditions, such as:
    • Access limitations.
    • Disclosure restrictions.
    • Handling unauthorized requests.
    • Disciplinary consequences for violations.
    • Actions during security incidents, Reporting procedures.

Recording Privileges

  • Mechanisms needed to record user access details, such as:
    • How access is recorded.
    • Associating access with users.
    • Identifying users with access to specific resources.
    • Securing records against disclosure.

Revoking Privileges

  • Mechanisms needed for privilege revocation without user cooperation.
    • The need to notify relevant parties about the withdrawal.
    • Processes for users to return privileges.
    • User verification of privilege withdrawal is needed
  • Physical access is harder to revoke than logical access.

Digital Rights Management (DRM)

  • From the entertainment sector to control games, videos, and music ("content").
  • Prevents content producers and distributors from facing losses because of copying of digital content
  • Controls how content is accessed/used on customer devices.
  • DRM imposes a third party's security policy on the system owner's device rather than protecting the owner.

Roots of Trust

  • Requires high tamper resistance.
  • Trusted platform modules (TPMs) offer hardware assurance.
  • Trusted execution environments (TEEs) use software enclaves, such as Intel SGX.
  • Attestation enables trustworthy platform setup information.
    • Direct Anonymous Attestation protects user privacy.
  • Remote attestation supports software security policies running remotely.

Monitoring Accesses

  • Defends against access control loopholes.
  • Provides evidence of security incidents.
  • Models normal behavior.

System Monitoring & Threats

Why monitor?

  • Legitimate users may bypass access control.
  • Protection against attackers is needed
  • Authentication could be vulnerable
  • Users granted limited authorization may abuse it

Security Practices

  • Model normal behaviour to collect evidence of security events.
  • Monitoring can also provide feedback on previous successful and unsuccessful logins.
  • Password experimentation and logins outside normal use are detected.

Aspects of Log Levels

  • High-level logging may fail because of defects in the software being logged.
  • Low-level logging impacts performance and produces a massive amount of audit data.

Accountability

  • Specifies which events will be logged.
  • Attackers could hide their traces if they gain access to the logs.
  • Tamper resistance: logs rely on physical means.
  • Privacy considerations can limit what is logged.

Data Levels

  • Filing system: clear text
  • Dedicated authentication server: clear text
  • Password + encryption
  • Hashing
  • Hash using a username and password

Adding Data

  • Instead use a "Store of Password".
  • Verify the password against what is stored in the actual file.

Password Security

  • An algorithm better than trial and error.
  • It is hard to find some string whose hash equals H(password).

Salting

  • Use a random piece of data (the salt) and hash it together with the password string.
  • Apply the hash a number of times.
  • Store the salt alongside the data that will be encrypted.

Aggressive Hacking

  • Obtain the salt value and rehash the data.

Hash Attack

  • Determine the alphabet used to find passwords.
  • 95-character standard keyboard; passwords may not exceed this limit.
  • Password policies may not apply.

Rainbow Tables

  • Trade-off between time and space.
  • Require more space for the tables and computation.

Dictionary Attacks

  • If the password is in a dictionary, select different languages.
  • To make up tailored lists, details of the subject can be used.

Lists could contain popular names, actors and people, special dates, and common pets.
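The Data Levels, Salting and Rainbow Tables notes above describe why a per-user random salt and repeated hashing matter. The following is an added example, not code from the original lesson: a small in-memory credential store (constructed, with made-up usernames and a constructed three-word list) that shows unsalted hashes of a shared password colliding and matching a precomputed table, while salted, iterated hashes do neither.

```python
"""Salted, iterated password storage versus plain hashing (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # "apply the hash a number of times": PBKDF2 iteration count
SALT_BYTES = 16        # random per-user salt, stored in the clear next to the digest


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt is mixed in and the hash is iterated."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(store: dict, username: str, password: str) -> dict:
    """Record (salt, iteration count, digest) for a user; the plaintext is never kept."""
    salt = os.urandom(SALT_BYTES)
    record = {"salt": salt, "iterations": ITERATIONS,
              "digest": hash_password(password, salt)}
    store[username] = record
    return record


def verify_password(store: dict, username: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Unknown user: still do one hash so response time does not reveal valid usernames.
        hash_password(candidate, b"\x00" * SALT_BYTES)
        return False
    digest = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def unsalted_sha256(password: str) -> str:
    """The plain 'Hashing' level from the Data Levels notes: no salt, one pass."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_lookup(stored_digests, wordlist) -> dict:
    """Rainbow-table idea in miniature: hash the word list once, then look up each digest."""
    table = {unsalted_sha256(word): word for word in wordlist}
    return {d: table[d] for d in stored_digests if d in table}


def demo() -> dict:
    """Constructed scenario: two users chose the same password."""
    store = {}
    store_password(store, "alice", "summer2024")
    store_password(store, "bob", "summer2024")
    # Same password, different salts: the stored digests differ and are not linkable.
    salted_collide = store["alice"]["digest"] == store["bob"]["digest"]
    # Plain hashing of the same password gives identical, globally precomputable digests.
    unsalted = {user: unsalted_sha256("summer2024") for user in ("alice", "bob")}
    unsalted_collide = unsalted["alice"] == unsalted["bob"]
    wordlist = ["password", "summer2024", "fluffy"]          # constructed word list
    hits = precomputed_lookup(unsalted.values(), wordlist)   # one table serves every user
    return {
        "verify_ok": verify_password(store, "alice", "summer2024"),
        "verify_wrong": verify_password(store, "alice", "Summer2024"),
        "verify_unknown": verify_password(store, "carol", "summer2024"),
        "unsalted_collide": unsalted_collide,   # True: linkable and table-searchable
        "salted_collide": salted_collide,       # False: salt defeats precomputation
        "unsalted_hits": len(hits),             # 1: the shared digest is in the table
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```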
