NIST SP 800-171: Identification and Authentication


Questions and Answers

According to NIST SP 800-63-3, what does digital user authentication establish?

  • Encryption keys for user data
  • Confidence in user identities presented electronically (correct)
  • The security of the information system
  • Network protocols for user communication

NIST SP 800-171 requires that information systems must identify users, processes acting on behalf of users, or devices.

True (A)

According to the NIST SP 800-171, what type of authentication should be used for local and network access to privileged accounts?

  • Multifactor authentication (correct)
  • Password-only authentication
  • Single-factor authentication
  • Biometric authentication

According to NIST SP 800-171, password reuse should be allowed without restrictions for ease of use.

False (B)

Which of the following is NOT one of the four means of authenticating user identity?

Something the individual believes (D)

A smartcard is an example of something an individual ______.

possesses

Which of the following is an example of a static biometric?

Fingerprint (C)

Assurance Level refers to the potential damage that could result from a security breach.

False (B)

What does Assurance Level describe?

The degree of confidence in the vetting process (D)

According to FIPS 199, an authentication error with a limited effect on organizational operations represents what potential impact level?

Low (A)

An authentication error resulting in a serious adverse effect would be categorized as what level of potential impact?

Moderate (A)

Password-based authentication is rarely used as a line of defense against intruders.

False (B)

In password-based authentication, what does the user ID determine?

The user's authorization to access the system (C)

Match the password vulnerability to its description:

  • Offline dictionary attack = Trying a large list of possible passwords against a password file.
  • Specific account attack = Targeting a particular user's account with various password attempts.
  • Popular password attack = Using a list of commonly used passwords to gain unauthorized access.
  • Workstation hijacking = Gaining control of a user's computer to access their credentials.

In the original UNIX password scheme, more than 16 characters could be used for a password.

False (B)

In the original Unix password scheme, a 12-bit ______ was used to modify DES encryption.

salt

Which of the following is a stronger hash/salt scheme available for Unix?

MD5 (A)

Rainbow tables are used to pre-compute tables of salt values.

False (B)

What can counter rainbow table attacks?

Using a sufficiently large salt value (D)

What is the primary goal of password selection strategies?

To eliminate guessable passwords while allowing memorable ones (A)

Reactive password checking involves users being educated on using hard-to-guess passwords.

False (B)

What is the purpose of a Bloom filter in proactive password checking?

To check a desired password against a table of known passwords not to use (C)

Which type of card uses raised characters only, on the front?

Embossed (A)

Memory cards can process data internally.

False (B)

A common type of memory card is the ______ stripe card.

magnetic

What is a key characteristic of Smart Tokens?

They include an embedded microprocessor. (B)

What type of memory typically stores data that does not change during a smart card's life?

ROM (D)

Electronic Identity Cards (eIDs) can only be used for government services.

False (B)

When using an eID for online applications, how is access established?

By entering a 6-digit PIN known to the cardholder (B)

Which of the following is a biometric characteristic used for authentication?

Retinal pattern (D)

Flashcards

Digital User Authentication

Establishing confidence in user identities presented electronically to an information system.

Authentication

Verifying identities of users, processes, or devices before granting access.

Multifactor Authentication

Using multiple authentication methods to verify a user's identity.

Assurance Level

An organization's degree of certainty that a user has presented a credential referring to their identity.

Potential Impact

Three levels that define impact if breached: Low, Moderate, High

Low Potential Impact

An authentication error with a limited adverse effect on organizational operations.

Moderate Potential Impact

An authentication error with a serious adverse effect.

High Potential Impact

An authentication error with a severe or catastrophic adverse effect.

Password-Based Authentication

Line of defense where user provides name/login and password.

Offline Dictionary Attack

Dictionary attack conducted without accessing the system directly.

Password File Access Control

Countermeasure that denies access to encrypted passwords.

Password Selection Strategies

Strategy emphasizing user education for strong password selection.

Rule Enforcement

Specific conventions passwords must follow.

Memory Card

Card that stores data but cannot process it, most common is magnetic stripe.

Smart Token

More advanced token with an embedded microprocessor.

Smart Card

Smart token resembling a credit card with an electronic interface.

Electronic Identity Card (eID)

Smart card used as a national identity card.

Password Authenticated Connection Establishment (PACE)

Ensures contactless RF chip in eID card is unreadable without explicit access control.

Biometric Authentication

Authenticating an individual based on unique physical characteristics

Remote User Authentication Threats

Eavesdropping, capturing passwords or replaying auth sequences.

Eavesdropping (Authentication Security)

Adversary attempts to learn the password through physical proximity.

Host Attacks (Authentication Security)

Attacks directed at user file on the host where credentials are kept.

Replay (Authentication Security)

Adversary repeats a captured user response.

Trojan Horse (Authentication Security)

App masquerading as authentic for credential capture.

Denial-of-Service (Authentication Security)

Overwhelming a user authentication service with attempts.

Study Notes

  • NIST SP 800-63-3 defines digital user authentication as establishing confidence in user identities presented electronically to an information system.

Identification and Authentication (NIST SP 800-171)

  • Basic security requirements include identifying users, processes, or devices.
  • Authentication verifies the identities of users, processes, or devices before granting access.
  • Derived security requirements include using multifactor authentication for local and network access.
  • Replay-resistant authentication mechanisms should be used for network access.
  • Prevent reuse of identifiers for a defined period.
  • Disable identifiers after a defined period of inactivity.
  • Enforce password complexity and character changes when new passwords are created.
  • Password reuse should be prohibited for a number of generations.
  • Use temporary passwords for system logons with immediate change to permanent passwords.
  • Store and transmit only cryptographically protected passwords.
  • Obscure feedback of authentication information.

NIST SP 800-63-3 E-Authentication Architectural Model

  • The model includes registration, credential issuance, and maintenance.
  • Key components are the Registration Authority (RA), Subscriber/Claimant, and Relying Party (RP).
  • The Credential Service Provider (CSP) issues tokens/credentials.
  • The process involves identity proofing, user registration, token/credential registration, and validation.

Means of Authenticating User Identity

  • Something the individual knows, like passwords, PINs, or answers to questions.
  • Something the individual possesses, such as a smartcard, electronic keycard, or physical key.
  • Something the individual is (static biometrics), like fingerprint, retina, or face.
  • Something the individual does (dynamic biometrics), like voice pattern, handwriting, or typing rhythm.

Multifactor Authentication

  • Multifactor authentication utilizes multiple authentication factors for increased security.
  • The client must pass authentication using multiple factors.

Risk Assessment for User Authentication

  • Assurance Level refers to the degree of certainty that a user has presented a credential that refers to their identity.
  • Potential Impact relates to the level of impact on organizations or individuals should a breach of security occur.
  • Areas of Risk need to be assessed and considered.

Assurance Level Details

  • Assurance Level describes the degree of certainty regarding a user's presented credential.
  • It reflects confidence in the vetting process for credential issuance, and confidence that the user of the credential is the correct individual.
  • There are four assurance levels: Level 1 (little to no confidence), Level 2 (some confidence), Level 3 (high confidence), and Level 4 (very high confidence).

Potential Impact

  • FIPS 199 defines three levels of potential impact on organizations/individuals if a security breach occurs.
  • Low impact means the authentication error has a limited adverse effect on organizational operations.
  • Moderate impact means the authentication error has a serious adverse effect.
  • High impact means the authentication error has a severe or catastrophic adverse effect.

Maximum Potential Impacts for Each Assurance Level

  • Inconvenience, distress, or damage to standing/reputation ranges from low to high across assurance levels.
  • Financial loss increases from low to high across assurance levels.
  • Harm to organization programs/interests ranges from none to high across assurance levels.
  • Unauthorized data release ranges from none to high across assurance levels.
  • Personal safety ranges from none to moderate/high across assurance levels.
  • Civil/criminal violations range from none to high across assurance levels.

Password-Based Authentication

  • It is a widely used line of defense against intruders.
  • The user provides a name/login and a password.
  • The system compares the password to the one stored for the specified login.
  • The user ID determines the user's authorization and privileges in the system.

Password Vulnerabilities

  • Offline dictionary attack
  • Specific account attack
  • Popular password attack
  • Password guessing against single user
  • Workstation hijacking
  • Exploiting user mistakes
  • Exploiting multiple password use
  • Electronic monitoring

UNIX Password Scheme

  • The scheme involves loading a new password and verifying a password.
  • It uses a password file with User ID, Salt, and Hash code.
  • A slow hash function is applied.

UNIX Implementation

  • The original scheme used passwords of up to eight printable characters.
  • It employed a 12-bit salt to modify DES encryption into a one-way hash function.
  • A zero value was repeatedly encrypted 25 times.
  • The output was translated to an 11-character sequence.
  • This implementation is now regarded as inadequate.
  • However, it is still required for compatibility with existing account management software.

Improved Implementations

  • Stronger hash/salt schemes are available for Unix.
  • The recommended hash function is based on MD5.
  • The salt can be up to 48 bits, and password length is unlimited.
  • It produces a 128-bit hash.
  • It uses an inner loop with 1000 iterations to slow down the computation.
  • OpenBSD uses a hash algorithm based on the Blowfish block cipher, called bcrypt, regarded as the most secure of these schemes.
  • bcrypt uses a 128-bit salt to create a 192-bit hash value.

Password Cracking

  • Dictionary attacks use a dictionary of possible passwords.
  • Rainbow table attacks use tables of precomputed hash values, one table per possible salt value.
  • Password crackers exploit easily guessable passwords.
  • Shorter password lengths are easier to crack.
  • John the Ripper is an open-source password cracker (developed in 1996).
  • John the Ripper uses brute-force and dictionary techniques.

Modern Approaches

  • Complex password policy to force strong passwords.
  • Improved password-cracking techniques.
  • Increased processing capacity for password cracking.
  • Use of sophisticated algorithms to generate potential passwords.
  • Studying examples and structures of actual passwords in use.

Password File Access Control

  • It can block offline guessing attacks by denying access to the encrypted passwords.
  • The encrypted passwords are made available only to privileged users (shadow password file).
  • Vulnerabilities include weakness in the OS, accident with permissions, users with same password on other systems, access from backup media, and sniffing passwords.

Password Selection Strategies

  • User education regarding the importance of strong passwords.
  • Computer generated passwords (users often have trouble remembering them).
  • Reactive password checking (periodic system check).
  • Complex password policy (user selects password, system checks it, goal is memorability).

Proactive Password Checking

  • Rule enforcement (specific rules passwords must adhere to).
  • Password checker (compiles dictionary of passwords not to use).
  • Bloom filter is used to build a table based on hash values.
  • The desired password is checked against the table.

Types of Cards Used as Tokens

  • Embossed cards have raised characters only, such as old credit cards.
  • Magnetic stripe cards have a magnetic bar on the back, such as bank cards.
  • Memory cards have electronic memory inside, like prepaid phone cards.
  • Smart cards have electronic memory and a processor inside, like Biometric ID cards.
  • Smart cards are either contact cards, with electrical contacts exposed on the surface, or contactless cards, with a radio antenna embedded inside.

Memory Cards

  • Memory cards can store data but not process it.
  • The most common example is the magnetic stripe card.
  • They can include an internal electronic memory.
  • Usable alone for physical access (hotel room, ATM).
  • Provides significantly greater security when combined with a password/PIN.
  • Drawbacks include the requirement for a special reader, loss of token, and user dissatisfaction.

Smart Tokens

  • Physical characteristics include an embedded microprocessor.
  • A smart token can resemble a bank card, calculator, keys, or small portable object.
  • Manual interfaces include a keypad and display for human/token interaction.
  • Electronic interfaces require a compatible reader/writer.
  • Authentication protocols: static, dynamic password generator, or challenge-response.

Smart Cards

  • They are the most important category of smart token.
  • They have the appearance of a credit card.
  • They contain an entire microprocessor, including a processor, memory, and I/O ports.
  • They have an electronic interface.
  • They may use any of the smart token protocols.

Smart Card Memory

  • Read-only memory (ROM): stores data that does not change during the card's life.
  • Electrically erasable programmable ROM (EEPROM): holds application data and programs.
  • Random access memory (RAM): holds temporary data generated when applications are executed.

Electronic Identity Cards (eID)

  • Smart card as a national identity card for citizens.
  • Serves the same purposes as national ID cards, driver's licenses, for access to government and commercial services.
  • Provides stronger proof of identity and can be used in a wider variety of applications.
  • A smart card verified by the national government as valid and authentic.

Electronic Functions and Data for eID Cards

  • The most advanced deployment is the German card, the neuer Personalausweis.
  • Data printed on its surface includes personal data, the document number, the card access number (CAN), and the machine readable zone (MRZ).
  • ePass authorizes offline inspection systems to read the data.
  • eID allows online applications to read the data or access functions as authorized.
  • eSign allows a certification authority to install the signature certificate online.
  • Citizens create electronic signatures with the eSign PIN.

Password Authenticated Connection Establishment (PACE)

  • It ensures the contactless RF chip is not read without explicit access control.
  • Established by the user entering the 6-digit PIN.
  • For offline applications, either the MRZ printed on the card or the six-digit card access number (CAN) printed on the front is used.

Biometric Authentication

  • Attempts to authenticate an individual based on unique physical characteristics.
  • Based on pattern recognition.
  • Technically complex and expensive compared to passwords/tokens.
  • Physical characteristics include facial characteristics, fingerprints, hand geometry, retinal pattern, iris, signature, and voice.

Generic Biometric System Enrollment

  • Enrollment creates an association between a user and the user's biometric characteristics.
  • User authentication can be done by verifying a claimed user's identity or by identifying an unknown user.

Profiles of a Biometric Characteristic

  • Comparison between presented feature and a reference feature is reduced to a single numeric value.
  • If the input value (s) is greater than a preassigned threshold (t), a match is declared.

Remote User Authentication

  • Authentication is more complex over a network/Internet.
  • Additional security threats include eavesdropping, capturing passwords, and replaying authentication sequences.
  • Typically relies on a challenge-response protocol to counter threats.

Potential Attacks, Susceptible Authenticators, and Typical Defenses

  • Client attacks (guessing, brute force) and host attacks.
  • Replay with password or token.
  • Trojan Horse installation.
  • Denial of Service flood attack.

Authentication Security Issues

  • Eavesdropping: adversary attempts to learn the password via physical proximity.
  • Host attacks: directed at the user file at the host where passwords are stored.
  • Replay: adversary repeats a previously captured user response.
  • Client attacks: adversary attempts to achieve user authentication without direct access to the remote host.
  • Trojan horse: masquerades as a legitimate application to capture credentials.
  • Denial-of-service: attempts to disable the authentication service by flooding it with requests.

Key summary points

  • Digital user authentication principles
  • A model for digital user authentication
  • Means of authentication
  • Risk assessment for user authentication
  • Password-based authentication
  • The vulnerability of passwords
  • The use of hashed passwords
  • Password cracking of user-chosen passwords
  • Password file access control
  • Password selection strategies
  • Token-based authentication
  • Memory cards
  • Smart cards
  • Electronic identity cards
  • Biometric authentication
  • Physical characteristics used in biometric applications
  • Operation of a biometric authentication system
  • Biometric accuracy
  • Remote user authentication
  • Password protocol
  • Token protocol
  • Static biometric protocol
  • Dynamic biometric protocol
  • Security issues for user authentication
