User Authentication Methods

Questions and Answers

According to RFC 4949, what is the primary function of user authentication?

  • Granting access to system resources.
  • Auditing user activity within a system.
  • Encrypting user data for secure storage.
  • Verifying an identity claimed by a system entity. (correct)

Which of the following is a fundamental building block and primary line of defense in the authentication process?

  • Data encryption.
  • Authentication. (correct)
  • User identification.
  • Access control lists.

Which of the following authentication methods falls under the category of 'something the individual is'?

  • Smartcard
  • Fingerprint (correct)
  • PIN
  • Password

Which of these is an example of 'something the individual possesses' for authentication?

Answer: Smartcard.

What is the initial step in the authentication process?

Answer: Identification step.

In the context of user authentication, what is the purpose of the 'verification step'?

Answer: To present or generate authentication information that confirms the binding between the entity and the identifier.

According to the NIST SP 800-63-2 E-Authentication Architectural Model, what role does the 'Relying Party (RP)' play?

Answer: Requests authentication from the subscriber.

Which of the following is a primary function of the user ID in password authentication?

Answer: Determining the user's privileges.

Which of the following is a common vulnerability associated with password authentication?

Answer: Offline dictionary attack.

What is the purpose of 'salt' in the context of storing passwords?

Answer: To add randomness to the password hashing process.

In the UNIX password scheme, what is the purpose of the 'slow hash function'?

Answer: To increase the time it takes to crack the password.

Which of the following algorithms is used by OpenBSD for password hashing?

Answer: Bcrypt.

What is the main advantage of using a complex password policy?

Answer: It forces users to pick stronger passwords.

What is the primary goal of a 'reactive password checking' system?

Answer: To periodically run password crackers to find guessable passwords.

What is the main purpose of a Bloom filter in proactive password checking?

Answer: To build a table based on a dictionary of passwords and check desired passwords against this table.

Which of the following is a primary characteristic of memory cards?

Answer: They can store data but do not process it.

Which of the following is a key characteristic of smart cards?

Answer: They include an embedded microprocessor.

What is the purpose of the PACE protocol in electronic identity cards (eID)?

Answer: To ensure that the contactless RF chip in the eID card cannot be read without explicit access control.

In the context of biometric authentication, what does the term 'enrollment' refer to?

Answer: The process of capturing and storing a user's biometric data.

What is a 'rainbow table attack' in the context of password security?

Answer: A pre-computed table used to crack password hashes.

What is the significance of 'equal error rate' in biometric authentication systems?

Answer: The point where the false match rate equals the false non-match rate.

Which of the following password selection strategies is the MOST effective in preventing users from choosing easily guessable passwords?

Answer: A combination of user education, proactive password checking, and complex password policy.

What is the primary advantage of using biometric authentication over traditional password-based systems?

Answer: Biometric characteristics are unique and harder to steal or guess.

What is the main purpose of the 'verification step' in the context of user biometrics?

Answer: To compare the presented biometric data against a stored template to confirm the user's identity.

In the context of remote authentication, what is a 'challenge-response protocol' primarily designed to mitigate?

Answer: Eavesdropping and replay attacks.

Which of the following is the most significant risk associated with storing password hashes without salting?

Answer: Susceptibility to rainbow table attacks.

What is the primary security benefit of using a 'one-time password' (OTP) in a token-based authentication system?

Answer: It prevents replay attacks because the password is only valid for a single use.

In the context of password security, what is the function of 'password stretching'?

Answer: Increasing the computation time required to generate password hashes.

Which of the following is a critical security consideration when implementing biometric authentication in a remote setting?

Answer: Encrypting the biometric data during transmission to prevent interception and replay attacks.

How does the use of 'multi-factor authentication' typically enhance the security of user authentication?

Answer: By requiring users to authenticate with multiple independent factors, making it harder for an attacker to compromise all factors.

Consider a biometric system with a high false match rate. In which application scenario would this system be MOST inappropriate?

Answer: A high-security government facility requiring stringent access control.

Imagine an attacker has successfully gained access to a system's password database, which contains salted and hashed passwords. Which strategy would provide the LEAST benefit in mitigating the attacker's ability to crack the passwords?

Answer: Switching to a more computationally efficient hashing algorithm.

A system administrator discovers that an employee has written their password on a sticky note attached to their monitor. Which of the following security measures would BEST address this specific vulnerability?

Answer: Conducting security awareness training to educate employees about password security risks.

How does salting passwords protect against attackers who have obtained a database of password hashes?

Answer: It makes rainbow table attacks ineffective.

What is the purpose of using multiple hash functions in Bloom filters for proactive password checking?

Answer: To decrease the probability of false positives.

A company decides to implement a biometric system for employee access. Which factor should have the highest priority when selecting a specific biometric method?

Answer: The accuracy and reliability of the biometric method.

How can a 'Denial of Service' attack specifically target a user authentication service?

Answer: By flooding the service with numerous authentication requests.

Which statement correctly describes the relationship between 'false match rate' and 'false non-match rate' in a biometric system, and their impact on security?

Answer: Decreasing the 'false match rate' improves security, while decreasing the 'false non-match rate' increases convenience.

Which type of authentication is inherently the LEAST secure against replay attacks if not properly implemented?

Answer: Static password authentication.

A web application uses only client-side JavaScript to validate a user's inputted password. Why is this PRACTICE extremely dangerous?

Answer: Client-side validation can be easily bypassed, and the server must perform its own independent validation.

A company is implementing a password policy that requires users to change their passwords every 90 days. What potential negative consequence should the security team consider?

Answer: It increases the likelihood of users choosing weaker passwords.

Flashcards

User Authentication

Verifying an identity claimed by or for a system entity.

Identification step

Presenting an identifier to the security system.

Verification step

Presenting or generating authentication information that confirms the binding between the entity and the identifier.

Authentication by knowledge

Information only the individual knows, like a password or PIN.

Authentication by possession

Physical items that the individual possesses, like a smartcard or physical key.

Authentication by Static Biometrics

Relies on unique, unchanging physiological characteristics like fingerprints, retina, or face.

Authentication by Dynamic Biometrics

Authentication that uses behavioral characteristics like voice pattern, handwriting, or typing rhythm.

Password Authentication

A widely used line of defense against intruders, requiring a username and password.

Dictionary Attacks

Attacks that try to guess a password using a list of common words.

Rainbow Table Attacks

Pre-computed tables of hash values for all salts, used to crack passwords.

John the Ripper

Open-source password cracker that uses both brute-force and dictionary techniques.

Complex Password Policy

Forcing users to pick stronger passwords to improve security.

Password File Access Control

Blocking offline guessing attacks by restricting access to the stored (hashed) passwords, for example by keeping them in a shadow password file.

User Education (passwords)

Involves educating users on the importance of strong passwords and providing guidelines.

Computer Generated Passwords

Generating passwords automatically, though users may find them hard to remember.

Reactive Password Checking

The system periodically runs its own password cracker to find guessable passwords.

Proactive Password Checking

Allows users to select their own password, but checks if it meets certain complexity criteria.

Password Cracker (proactive checking)

Compiling a large dictionary of passwords not to use, based on common or easily guessable terms, and rejecting any candidate found in it.

Bloom Filter

A hash-based table built from a dictionary of unacceptable passwords; a desired password is checked against this table and rejected if it appears to be in the dictionary.

Token-Based Authentication

Authentication by something the individual possesses, using memory cards, smart cards, or electronic identity cards.

Memory cards

Can store data but cannot process data. Common example is the magnetic stripe card.

Smart Tokens

Possesses an embedded microprocessor and can perform computations.

Smart Cards

Has the appearance of a credit card and includes an electronic interface.

Electronic Identity Cards (eID)

The use of a smart card as a national identity card for citizens.

Password Authenticated Connection Establishment (PACE)

Ensures that the contactless RF chip in the eID card cannot be read without explicit access control.

Biometric Authentication

Authenticating an individual based on unique physical characteristics, involving pattern recognition.

Remote User Authentication

Authentication that occurs over a network, the Internet, or a communications link.

Eavesdropping (attack)

Occurs when an adversary attempts to learn a password by observing the user.

Denial-of-Service

Attempting to disable a user authentication service by flooding it with numerous authentication attempts.

Trojan Horse (authentication)

An application or physical device masquerades as an authentic application or device in order to capture a user's password, passcode, or biometric.

Replay Attack

Adversary repeats a previously captured user response to gain unauthorized access.

Study Notes

User Authentication

  • RFC 4949 defines user authentication as the process of verifying an identity claimed by or for a system entity.
  • It is a fundamental building block and the primary line of defense.
  • It is the basis for access control and user accountability.

Authentication Process

  • It involves an identification step and a verification step.
  • The identification step presents an identifier to the security system.
  • The verification step presents or generates authentication information confirming the binding between the entity and the identifier.

Means of Authenticating User Identity

  • Something the individual knows, such as a Password, PIN, or answers to prearranged questions.
  • Something the individual possesses (token), such as a smartcard, electronic keycard, or physical key.
  • Something the individual is (static biometrics), such as a fingerprint, retina, or face.
  • Something the individual does (dynamic biometrics), such as a voice pattern, handwriting, or typing rhythm.

Password Authentication

  • Widely used line of defense against intruders.
  • The user provides a name/login and password.
  • The system compares the provided password with the one stored for that specified login.
  • The user ID determines authorization to access the system, the user's privileges, and discretionary access control.

Password Vulnerabilities

  • Offline dictionary attacks.
  • Password guessing against a single user.
  • Workstation hijacking.
  • Electronic monitoring.
  • Specific account attacks.
  • Popular password attacks.
  • Exploiting user mistakes.
  • Exploiting multiple password use.

UNIX Password Scheme

  • When loading a new password, a salt is combined with the password and fed into a slow hash function.
  • The output is stored in the password file along with the user ID and salt.
  • To verify a password, the system looks up the user ID, salt, and hash code in the password file, combines the provided password with the salt, applies the same slow hash function, and compares the result with the stored hash code.
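The load-and-verify scheme above, written out as an added example (this is not code from the page or from any UNIX crypt(3) implementation). PBKDF2-HMAC-SHA256 from Python's standard library stands in for the DES-based, MD5-based and Bcrypt slow hashes the notes describe; the record layout `user:$pbkdf2-sha256$iterations$salt$hash`, the iteration count and the user names and passwords are this example's own constructed choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter: how many times the slow hash iterates. Raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16  # 128-bit salt, the size the notes give for Bcrypt


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salt + password -> slow one-way hash.

    PBKDF2-HMAC-SHA256 plays the role of the 25x DES / 1000x MD5 / Bcrypt loop.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(user_id: str, password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """'Loading a new password': pick a fresh random salt, hash, and store
    user ID, scheme, iteration count, salt and hash together in one line."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = slow_hash(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"{user_id}:$pbkdf2-sha256${iterations}${b64(salt)}${b64(digest)}"


def verify(record: str, user_id: str, password: str) -> bool:
    """'Verifying a password': read the salt and hash back out of the stored
    record, rehash the supplied password with that salt, compare in constant time."""
    stored_user, field = record.split(":", 1)
    if stored_user != user_id:
        return False
    try:
        _, scheme, iters, salt_b64, digest_b64 = field.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    stored = base64.b64decode(digest_b64)
    candidate = slow_hash(password, salt, int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, stored)


def salt_defeats_precomputation(password: str, iterations: int = 1000) -> bool:
    """Same password, two different salts -> two unrelated hashes, so a table
    precomputed for one salt says nothing about the other."""
    h1 = slow_hash(password, b"\x00" * SALT_BYTES, iterations)
    h2 = slow_hash(password, b"\x01" * SALT_BYTES, iterations)
    return h1 != h2


if __name__ == "__main__":
    # Constructed sample data; a low iteration count keeps the demo fast.
    record = make_record("alice", "correct horse battery", iterations=10_000)
    print(record)
    print("right password:", verify(record, "alice", "correct horse battery"))
    print("wrong password:", verify(record, "alice", "Correct horse battery"))
    print("salt changes hash:", salt_defeats_precomputation("correct horse battery"))
```

Storing the iteration count in the record is what lets an administrator raise the cost later without breaking existing logins: old records verify with their old count and are rehashed on the next successful login.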

UNIX Implementation

  • The original scheme allowed passwords of up to eight printable characters.
  • A 12-bit salt modifies the DES encryption, turning it into a one-way hash function.
  • A zero value is repeatedly encrypted 25 times, and the output is translated into an 11-character sequence.
  • The original scheme is now regarded as inadequate, but it is still required for compatibility with existing systems.

Improved Implementations

  • One recommended improvement bases the hash function on MD5 with a salt of up to 48 bits.
  • In this improved implementation the password length is unlimited and the output is a 128-bit hash.
  • An inner loop of 1000 iterations is used to slow the computation down.
  • OpenBSD uses a hash algorithm based on the Blowfish block cipher, called Bcrypt.
  • Bcrypt is regarded as the most secure version of the Unix hash/salt scheme.
  • It uses a 128-bit salt to create a 192-bit hash value.

Password Cracking

  • Dictionary attacks involve developing a large dictionary of possible passwords and trying each one against the password file.
  • Each password must be hashed using each salt value and then compared to stored hash values.
  • Rainbow table attacks pre-compute tables of hash values for all salts, producing a very large table of hash values.
  • This can be countered by using a sufficiently large salt value and a sufficiently large hash length.
  • Password crackers exploit the fact that people choose easily guessable passwords.
  • Shorter passwords are also easier to crack.
  • John the Ripper is an open-source password cracker first released in 1996.
  • It combines brute-force and dictionary techniques.

Modern Approaches to Passwords

  • A complex password policy should force users to pick stronger passwords.
  • Password-cracking techniques have also improved drastically, driven by increased processing capacity, the use of sophisticated algorithms, and the study of actual passwords in use.

Password File Access Control

  • Offline guessing attacks can be prevented by denying access to the encrypted (hashed) passwords, for example by keeping them in a shadow password file.
  • Weaknesses in the OS, accidents related to permissions, users having multiple accounts, and access through backup media or network traffic may still expose the password file.

Password Selection Strategies

  • User education promotes the use of hard-to-guess passwords and provides guidelines for selecting strong ones.
  • Computer-generated passwords are hard for users to remember.
  • Reactive password checking: the system periodically runs its own password cracker to find guessable passwords.
  • Complex password policy (proactive checking): the user is allowed to select their own password, but the system checks it and rejects it if it is too guessable.

Proactive Password Checking

  • An effective proactive checker rejects any candidate password that appears on a list of unacceptable words. Approaches include:
  • Password cracker: compile a large dictionary of passwords not to use.
  • Rule enforcement: apply multiple rules that passwords must adhere to.
  • Bloom filter: build a hash-based table from the dictionary and check each desired password against it.
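An added example (not code from the page) that combines the rule-enforcement and Bloom-filter approaches listed above into one proactive checker. The k hash functions are derived from SHA-256 with an index prefix, the word list is constructed, and `expected_false_positive_rate` is the standard estimate P = (1 - e^(-kD/N))^k for k hash functions, D dictionary words and N bits, which is why adding hash functions only helps while the table stays large relative to the dictionary.

```python
import hashlib
import math
from typing import Iterable, List


class BloomFilter:
    """Bit array of N bits plus k hash functions H_1..H_k, each mapping a word
    to a bit position. Adding sets k bits; a lookup that finds all k bits set
    *might* be in the set (false positives possible, false negatives impossible)."""

    def __init__(self, n_bits: int, k: int):
        self.n_bits = n_bits
        self.k = k
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, word: str) -> List[int]:
        # k "independent" hash functions derived from SHA-256 with a 2-byte index prefix.
        out = []
        data = word.encode("utf-8")
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + data).digest()
            out.append(int.from_bytes(digest[:8], "big") % self.n_bits)
        return out

    def add(self, word: str) -> None:
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, word: str) -> bool:
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(word))


def expected_false_positive_rate(k: int, d: int, n: int) -> float:
    """P ~= (1 - e^{-kD/N})^k for k hash functions, D words, N bits."""
    return (1.0 - math.exp(-k * d / n)) ** k


def build_filter(dictionary: Iterable[str], bits_per_word: int = 64, k: int = 4) -> BloomFilter:
    """Size the table from the dictionary: 64 bits per word with k=4 keeps P near 1e-5."""
    words = [w.lower() for w in dictionary]
    bf = BloomFilter(max(len(words), 1) * bits_per_word, k)
    for w in words:
        bf.add(w)
    return bf


def check_password(candidate: str, forbidden: BloomFilter, min_len: int = 8) -> str:
    """Proactive check: rule enforcement first, then the dictionary table.
    Returns 'ok' or the reason for rejection."""
    if len(candidate) < min_len:
        return "too short"
    if forbidden.might_contain(candidate.lower()):
        return "in dictionary"
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 3:
        return "needs at least 3 character classes"
    return "ok"


if __name__ == "__main__":
    # Constructed list of words a checker should reject; a deployment loads a large dictionary.
    forbidden = build_filter(["password", "letmein", "qwerty", "dragon", "baseball", "football"])
    for pw in ["dragon", "PASSWORD", "baseball1", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw, forbidden)}")
    print("estimated false-positive rate for k=4, D=6, N=384:",
          round(expected_false_positive_rate(4, 6, 384), 6))
```

A false positive here only means a usable password is rejected, which is an acceptable trade for a table that fits in memory even when the dictionary has millions of entries; the filter can never let a dictionary word through.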

Token-Based Authentication

  • Used with memory cards, smart cards, and electronic identity cards.

Types of Cards

  • Embossed cards: raised characters only, on the front; typically used on old credit cards.
  • Magnetic stripe cards: a magnetic bar on the back, with characters on the front.
  • Memory cards: electronic memory inside; could be used for a prepaid phone card.
  • Smart contact cards: electronic memory and processor inside, with electrical contacts exposed on the surface.
  • Smart contactless cards: a radio antenna embedded inside.

Memory Cards

  • They can store but not process data.
  • The most common is the magnetic stripe card.
  • They can include internal electronic memory, and can be used alone for physical access, such as hotel rooms.
  • They provide significantly greater security when combined with a password or PIN, as at an ATM.
  • Drawbacks include the need for a special reader, loss of the token, and user dissatisfaction when used for computer access.

Smart Tokens Physical Characteristics

  • Include an embedded microprocessor.
  • A smart token can look like a bank card, a calculator, a key, or another small portable object.
  • The interface can be manual (a keypad and display) or electronic (the token communicates with a compatible reader/writer).

Smart Tokens Authentication

  • Static Authentication
  • Dynamic password generator
  • Challenge-response

Smart Cards

  • The most important category of smart token; it has the appearance of a credit card and includes an electronic interface.
  • Includes an entire microprocessor, with an I/O port.
  • Contains read-only memory (ROM), electrically erasable programmable ROM (EEPROM), and RAM.

Smart Card Activation

  • Activated through an ATR (answer to reset), followed by a protocol called PTS (protocol type selection).

Electronic Identity Cards (eID)

  • Serves as a national identity card, fills the role of similar cards such as a driver's license, and gives access to commercial services.
  • Provides stronger proof of identity and a wider variety of applications.
  • Is a smart card that has been verified by the national government as valid and authentic.
  • A key example is the German card, which carries printed, human-readable data such as name and date of birth.

Password Authenticated Connection Establishment (PACE)

  • Ensures that the contactless RF chip cannot be read without explicit access control.
  • Online applications gain access with a 6-digit PIN known only to the cardholder.
  • Offline applications use the MRZ (machine readable zone) code on the back of the card, or the 6-digit card access number (CAN) on the front.

Electronic Functions and Data for eID Cards

  • ePass: reserved for government use, with biometric functions.
  • eID: stores identity records; access requires cardholder permission.
  • eSign: certificates for electronic signatures.

Biometric Authentication

  • Attempts to authenticate individuals based on unique physical characteristics, using pattern recognition.
  • It is technically more complex and more expensive than passwords or tokens.
  • Physical characteristics used include the iris, fingerprints, hand geometry, and voice.

Biometric Profiles

  • Biometric matching produces a score; genuine users and imposters each have a profile (distribution) of matching scores, and a decision threshold is set between the two profiles. Where the profiles overlap, some imposters score above the threshold (false matches) and some genuine users score below it (false non-matches).

High Security Applications

  • A high security application may require a very low false match rate.

Forensic Applications

  • Forensic applications require a low false non-match rate.
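The profiles, thresholds and error rates described in the three sections above, computed over constructed matching scores as an added example (not code from the page). The genuine and imposter score lists are made up for illustration and deliberately overlap; the functions find the equal error rate and then show how a high-security setting (cap the false match rate) and a forensic setting (cap the false non-match rate) pull the threshold in opposite directions.

```python
from typing import List, Tuple

# Constructed matching scores (0-100). In a real system these come from comparing
# presented samples against stored templates: "genuine" = same person, "imposter" = different.
GENUINE_SCORES = [70, 75, 80, 85, 90, 92, 95, 97, 98, 99]
IMPOSTER_SCORES = [10, 20, 30, 40, 50, 60, 72, 78, 82, 88]


def false_match_rate(imposter: List[int], threshold: int) -> float:
    """FMR(t): fraction of imposter attempts scoring at or above t (wrongly accepted)."""
    return sum(1 for s in imposter if s >= threshold) / len(imposter)


def false_nonmatch_rate(genuine: List[int], threshold: int) -> float:
    """FNMR(t): fraction of genuine attempts scoring below t (wrongly rejected)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: List[int], imposter: List[int]) -> Tuple[int, float]:
    """Sweep the decision threshold; return (t, rate) where FMR and FNMR are closest.
    The lowest such t wins ties."""
    best_t, best_gap = 0, float("inf")
    for t in range(0, 101):
        gap = abs(false_match_rate(imposter, t) - false_nonmatch_rate(genuine, t))
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, false_match_rate(imposter, best_t)


def threshold_for_max_fmr(imposter: List[int], max_fmr: float) -> int:
    """High-security setting: the lowest threshold whose FMR does not exceed max_fmr.
    Raising t this far costs convenience (more genuine users rejected)."""
    for t in range(0, 101):
        if false_match_rate(imposter, t) <= max_fmr:
            return t
    return 101  # nothing accepted


def threshold_for_max_fnmr(genuine: List[int], max_fnmr: float) -> int:
    """Forensic setting: the highest threshold whose FNMR does not exceed max_fnmr.
    Lowering t this far costs security (more imposters accepted), acceptable when a
    human reviews the candidate matches afterwards."""
    for t in range(100, -1, -1):
        if false_nonmatch_rate(genuine, t) <= max_fnmr:
            return t
    return 0


if __name__ == "__main__":
    t_eer, eer = equal_error_rate(GENUINE_SCORES, IMPOSTER_SCORES)
    print(f"EER {eer:.2f} at threshold {t_eer}")
    t_hi = threshold_for_max_fmr(IMPOSTER_SCORES, 0.0)
    print(f"high security: t={t_hi}, FMR={false_match_rate(IMPOSTER_SCORES, t_hi):.2f}, "
          f"FNMR={false_nonmatch_rate(GENUINE_SCORES, t_hi):.2f}")
    t_fo = threshold_for_max_fnmr(GENUINE_SCORES, 0.0)
    print(f"forensic: t={t_fo}, FMR={false_match_rate(IMPOSTER_SCORES, t_fo):.2f}, "
          f"FNMR={false_nonmatch_rate(GENUINE_SCORES, t_fo):.2f}")
```

With these scores the two profiles overlap between 70 and 88, so no single threshold drives both error rates to zero; the operator has to pick which error is cheaper for the application, which is exactly the choice the two sections above describe.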

Remote User Authentication

  • Authentication over the Internet, a network, or a communications link is more complex.
  • It adds security threats: eavesdropping, capturing passwords, and replaying an authentication sequence.
  • It generally relies on some form of challenge-response protocol.
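A password-based challenge-response exchange of the kind the list above refers to, written as an added example (not code from the page). The host sends a fresh random nonce r, the claimant answers with a keyed hash of r and its password derivative f(P'), and the host compares against the same computation over its stored f(P). HMAC-SHA256 stands in for the h(r, f(P')) of the text, a plain SHA-256 stands in for f(P) to keep the demo short, and the one-outstanding-nonce bookkeeping is this example's own design; user names and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict


def password_verifier(password: str) -> bytes:
    """f(P): what the host stores instead of the password. One hash call for the demo;
    a deployment would use a slow salted hash as in the password notes."""
    return hashlib.sha256(b"cr-verifier|" + password.encode("utf-8")).digest()


def compute_response(verifier: bytes, user_id: str, nonce: bytes) -> bytes:
    """h(r, f(P')): HMAC-SHA256 keyed with the password verifier over the user ID and
    the random challenge r. Without r it would be a static token, replayable forever."""
    return hmac.new(verifier, user_id.encode("utf-8") + b"|" + nonce, hashlib.sha256).digest()


class Host:
    """Verifier side: issues a fresh random challenge and checks the reply."""

    def __init__(self) -> None:
        self.verifiers: Dict[str, bytes] = {}
        self.pending: Dict[str, bytes] = {}  # one outstanding challenge per user

    def enroll(self, user_id: str, password: str) -> None:
        self.verifiers[user_id] = password_verifier(password)

    def issue_challenge(self, user_id: str) -> bytes:
        nonce = os.urandom(16)  # 128 random bits: never repeats in practice
        self.pending[user_id] = nonce
        return nonce

    def check_response(self, user_id: str, response: bytes) -> bool:
        # The challenge is consumed whether or not the answer is right, so an
        # eavesdropped response is useless against the next challenge and an attacker
        # cannot make many guesses against the same nonce.
        nonce = self.pending.pop(user_id, None)
        verifier = self.verifiers.get(user_id)
        if nonce is None or verifier is None:
            return False
        expected = compute_response(verifier, user_id, nonce)
        return hmac.compare_digest(expected, response)


class Client:
    """Claimant side: never sends the password, only h(r, f(P'))."""

    def __init__(self, user_id: str, password: str) -> None:
        self.user_id = user_id
        self.verifier = password_verifier(password)

    def respond(self, nonce: bytes) -> bytes:
        return compute_response(self.verifier, self.user_id, nonce)


def run_exchange(host: Host, client: Client) -> bool:
    """Full protocol run: host -> r; client -> h(r, f(P')); host compares."""
    nonce = host.issue_challenge(client.user_id)
    return host.check_response(client.user_id, client.respond(nonce))


def replay_attack(host: Host, user_id: str, captured_response: bytes) -> bool:
    """Eavesdropper who recorded an earlier response tries it against a fresh challenge."""
    host.issue_challenge(user_id)
    return host.check_response(user_id, captured_response)


if __name__ == "__main__":
    # Constructed users and passwords.
    host = Host()
    host.enroll("alice", "correct horse battery staple")
    alice = Client("alice", "correct horse battery staple")
    mallory = Client("alice", "guess")  # wrong password for alice's account

    print("legitimate login:", run_exchange(host, alice))
    print("wrong password:", run_exchange(host, mallory))

    nonce = host.issue_challenge("alice")
    captured = alice.respond(nonce)  # what an eavesdropper on the link sees
    print("original response accepted:", host.check_response("alice", captured))
    print("same response replayed:", replay_attack(host, "alice", captured))
```

The eavesdropper still learns h(r, f(P')) for a known r, so this protects the password on the wire but not against offline guessing of weak passwords; that is why the verifier f(P) should be a slow hash and why the same scheme is usually layered under TLS.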

Authentication and Security Issues

  • Include denial of service, eavesdropping, Trojan horses, client attacks, host attacks, and replay.
