Lecture 7 Authentication PDF

Document Details

Uploaded by RockStarLake1865

King Saud University

Dr. Alia Alabdulkarim

Tags

web application security authentication security access control

Summary

This lecture covers authentication, a fundamental concept in web application security and access control. It explores different forms of authentication, such as usernames and passwords, and discusses potential security threats and solutions.

Full Transcript

AUTHENTICATION
Prepared by: Dr. Alia Alabdulkarim

Access Control Overview
In many web applications it is important that only certain users be permitted to access protected resources (assets). Enforcing this kind of control means that you need a strong access control system. Access control is a mechanism that regulates access to (1) data or (2) functionality by determining whether a subject is permitted to perform an operation on a target object.
Subject: something or someone that is doing the action.
Object: something or someone that is receiving the action.

Access Control Overview
Two related processes: authentication and authorization.
Authentication is essentially proving that you are who you claim to be: username (identity) and password (authentication factor).
Authorization is the process of determining whether the validated identity has the rights to do what they want to do: permissions.

Access Control Overview (diagram slide)

Access control process (diagram slide)

Authentication Fundamentals
The process involves two steps: identification and authentication (confirmation).
If an application doesn't perform proper authentication, then anyone with my username could impersonate me.
Without authentication, we can't perform authorization. You can have authentication without authorization, but not vice versa: because authorization looks up permissions based on a confirmed identity, it must follow authentication.
A well-designed access control mechanism will first perform authentication and then perform authorization whenever access is requested to any protected resource.

Proving Your Identity: Something You Know
Three classes of authentication factor; the first is something you know: passwords, PINs, passphrases, ...
Something that you know can become something you just forgot. If you write it down, then other people might find it. If you select something easy to remember, it is easy to guess.
There must be some mechanism for resetting the password, because passwords will get forgotten and compromised.
Proving Your Identity: Something You Have
Digital certificate, smart card, ... Example in a web application?
This form of human authentication removes the problem of forgetting something; instead, some object now must be with you any time you want to be authenticated.
Such an object might be stolen, and then it becomes something the attacker has.

Proving Your Identity: Something You Are
Fingerprint, hand geometry, topography of your face, ... Authentication is based on something intrinsic to the principal being authenticated: voice print, keystroke timing, DNA, signature, retinal scan.
It is much harder to lose a fingerprint than a wallet. Unfortunately, biometric sensors are fairly expensive.

Two-Factor and Three-Factor Authentication
Two-factor (2FA): using factors from two of the three categories.
Three-factor (3FA): using factors from each category.
Two-step validation (2SV): using factors from one category. Using multiple factors from the same class doesn't increase the number of factors.

Web Application Authentication
Usernames and passwords are the standard for authenticating users to web applications. A second factor such as a hardware or software security token may be used to increase the security of the authentication process. The use of biometrics is almost unheard of for a web application.

Password-Based Authentication Systems
A number of different username and password systems exist for web apps:
Built-in HTTP authentication
Single Sign-On (SSO) authentication
Custom authentication systems (reading assignment: read pages 67-69)

Built-in HTTP Authentication
The HTTP protocol specification supports two forms of authentication:
Basic access authentication: doesn't use encryption. It uses base64 encoding, which is easily decoded.
Digest access authentication: uses MD5 hashing and is vulnerable to man-in-the-middle (MITM) attacks.
Both of them have significant weaknesses and they're not recommended for use under any circumstances.
Single Sign-On Authentication
Allows a user to log in to a single interface and gain access to multiple independently secured systems.
Intranets (commonly found)
Internet SSO

Single Sign-On Authentication Example: Microsoft's Live ID
When you log on using a Microsoft Live ID account you gain access to Windows Live Hotmail, Windows Live Messenger, Office Live, Xbox Live and more.
Allows for third-party integration: developers can use the Windows Live ID Web Authentication SDK to leverage the Live ID authentication system in their sites.

Single Sign-On Authentication Example: Google Accounts (Internet SSO)
When you log on using a Google account you gain access to Gmail, Drive, YouTube and more.
Are third-party web applications supported?

Single Sign-On Authentication Example: Facebook Connect
The Connect API allows third-party developers to leverage the authentication system, in addition to being able to connect with other users as they would on Facebook.
Examples of sites using Facebook Connect: CNN, Vimeo, Huffington Post.

Single Sign-On Authentication: Pros and Cons
Pros: reduces the number of credentials that must be remembered by users.
Cons: single point of failure; if one is compromised, many websites are compromised too.

Custom Authentication (Reading Assignment)
The most common form of authentication: developers code their own application logic to process credentials.
Validating credentials: the user input (username and password) is compared with the correct one (next slide).

Validating Credentials
There are several ways, depending on the location of the comparison logic and how the passwords are stored in the back-end system:
1. Comparison logic in the application with plaintext passwords
2. Comparison logic in the database with plaintext passwords (exposed to SQL injection)
3. Comparison logic in the application with hashed passwords
4. Comparison logic in the database with hashed passwords

Validating Credentials
The slide's two PHP fragments show approaches 1 and 2 (sql_query is a placeholder query helper that substitutes the %i/%s values):

```php
// Approach 1: comparison logic in the application, plaintext password
$result = sql_query('SELECT users.password FROM users WHERE userId = %i', $userId);
if ($result['password'] === $userPassword) {   // strict comparison avoids PHP type juggling
    print 'access granted';
} else {
    print 'wrong credentials';
}

// Approach 2: comparison logic in the database, plaintext password
$result = sql_query('SELECT (users.password = %s) AS passwordOk FROM users WHERE userId = %i',
                    $userPassword, $userId);
if ($result['passwordOk'] == 1) {
    print 'access granted';
} else {
    print 'wrong credentials';
}
```

Validating Credentials
It is important to understand the different forms of credential validation: it is the baseline against which you can understand how attacks work against your system. Example: SQL injection (more in Chapter 9).

Securing Password-Based Authentication
Passwords are the most popular way of confirming your identity, and attackers will attempt to break them. How do we defend against their attacks?
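As an added example (not from the lecture or its textbook), the following Python/sqlite3 code contrasts approach 2 from the validation list above (comparison in the database on a plaintext column, with the user's password spliced into the SQL text) against approach 3 (parameterised lookup, salted PBKDF2 hash compared in the application in constant time). The in-memory users table, the sample password "hunter2", the iteration count and the function names are all constructed for this demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # constructed demo value; tune per deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest: the 'hashed' storage form from the slides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table: userId 1 with password 'hunter2', stored
    both as plaintext (for approach 2) and as salt + PBKDF2 hash (for approach 3)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userId INTEGER, password TEXT, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (1, "hunter2", salt, hash_password("hunter2", salt)))
    return db


def login_db_plaintext(db: sqlite3.Connection, user_id: int, user_password: str) -> bool:
    """Approach 2: the database compares a plaintext column, and the user-supplied
    password is pasted into the SQL text, so the query itself is attacker-controlled."""
    sql = ("SELECT (users.password = '%s') AS passwordOk FROM users WHERE userId = %d"
           % (user_password, user_id))
    row = db.execute(sql).fetchone()
    return row is not None and row[0] == 1


def login_app_hashed(db: sqlite3.Connection, user_id: int, user_password: str) -> bool:
    """Approach 3: parameterised lookup (no SQL built from input), then the
    application compares a salted hash using a constant-time comparison."""
    row = db.execute("SELECT salt, pwhash FROM users WHERE userId = ?", (user_id,)).fetchone()
    if row is None:
        hash_password(user_password, b"\x00" * 16)  # same cost for unknown users (timing)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(user_password, salt), bytes(stored))


if __name__ == "__main__":
    db = make_db()
    print(login_db_plaintext(db, 1, "hunter2"), login_app_hashed(db, 1, "hunter2"))
```

Feeding the textbook tautology string `' OR '1'='1` as the password makes approach 2 return "access granted" for user 1, while approach 3 rejects it; both accept the real password.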
Attacks Against Passwords (Reading Assignment)
They all come down to guessing, either on a live system (online) or against hashed or encrypted passwords (offline).
Common variations:
Dictionary attack
Brute-force attack
Pre-computed dictionary attack (rainbow table)
Rubber hose attack (harm or harmless)
(Video)

The Importance of Password Complexity
Our goal is to make it harder for attackers to guess passwords by making the key space (domain) larger. By "difficult" we mean making an exhaustive search of the potential key space take as long as possible.
Minimum length
Mixed character set
Change them regularly

Password Best Practices
Require a minimum password length (NIST: eight-character minimum).
Enforce minimum password complexity (tip: include at least one uppercase letter, lowercase letter, number and special character).
Rotate passwords.
Require password uniqueness.
Password cannot equal username.
Disable accounts.
Properly store passwords [plaintext – encrypted – hashed].

IAM (diagram slide)

Secure Authentication Best Practices
Authentication plays a fundamental role in access control, so we must explore best practices:
1. When and where to perform authentication
2. Securing web authentication mechanisms

When and Where to Perform Authentication
It's important to keep in mind that even after the most obvious authentication step of providing a username and password, the web application continues to authenticate the user. With cookies this happens without user interaction: browsers append the associated cookie values to all HTTP requests. The session ID is a persistent authentication token that you have, unless the cookie expires. (https://networkencyclopedia.com/http-cookie/)

When and Where to Perform Authentication
The session ID must be validated in your code with every request. Your code should also perform authorization (more details in the next chapter).
Examples of re-authentication: Amazon (before you place your order); changing your password; increasing privileges → update the cookie or issue a new one.

When and Where to Perform Authentication
The rule is to perform authentication every time a request is made to access a protected resource:
When a user's access level or rights change
With every request to protected data or functionality
When accessing an outside or third-party resource

Securing Web Authentication Mechanisms
Secure the transmission: SSL/TLS.
Allow account lockout after a certain number of failed attempts, as a countermeasure against online password attacks.

Securing Web Authentication Mechanisms
Allow account lockout (cont.): may cause DoS ➔ admin accounts should never be locked out. Sometimes not feasible → floods customer support with requests to unlock accounts.
Alternatives (solutions):
Increasing timeout values → not common ▪ slows down a brute-force attack
CAPTCHA → works against brute-force attacks
Allow accounts to be disabled: reduces the attack surface.
No default accounts, e.g. when the system generates a username and password for you (house router).

Securing Web Authentication Mechanisms
Don't hard-code credentials: they can be extracted with little effort. Recommendation: use keys or a credential management system, or use a properly secured configuration file.
Avoid "remember me": a classic example of the security vs. convenience tradeoff. It provides users with authentication for long periods of time. For high-security apps → never use; for standard-security apps → only remember the username; it should never be the default.

References
Web Application Security: A Beginner's Guide, Chapter 2 and Chapter 3.
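An added example (not from the lecture) of the lockout and progressive-delay countermeasures from the "Securing Web Authentication Mechanisms" slides above: after max_failures consecutive failures an account is locked for lockout_seconds, accounts listed in no_lockout (the slides' admin accounts) are only slowed down rather than locked, and every failure doubles the wait before the next attempt is accepted. The class and parameter names, thresholds and the injectable clock are assumptions made for this demo.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # lockout expiry, in clock seconds
    next_allowed: float = 0.0  # progressive-delay gate, in clock seconds


class LoginThrottle:
    """Per-account lockout plus progressive delay (constructed demo, not a library API)."""

    def __init__(self, max_failures=5, lockout_seconds=900, no_lockout=(), clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.no_lockout = set(no_lockout)  # delayed but never locked, e.g. admin accounts
        self.clock = clock                 # injectable so tests need not sleep
        self.state = {}                    # username -> AccountState

    def _st(self, user: str) -> AccountState:
        return self.state.setdefault(user, AccountState())

    def check(self, user: str) -> str:
        """Gate applied before any password check: 'ok', 'locked' or 'delayed'."""
        st, now = self._st(user), self.clock()
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "delayed"
        return "ok"

    def record(self, user: str, success: bool) -> None:
        """Update counters after a credential check; a success clears the history."""
        st, now = self._st(user), self.clock()
        if success:
            self.state[user] = AccountState()
            return
        st.failures += 1
        st.next_allowed = now + min(2 ** (st.failures - 1), 60)  # 1s, 2s, 4s ... capped at 60s
        if st.failures >= self.max_failures and user not in self.no_lockout:
            st.locked_until = now + self.lockout_seconds

    def attempt(self, user: str, credential_ok: bool) -> str:
        """credential_ok stands in for the password check, which a real login would
        only run after the gate says 'ok'; returns locked/delayed/granted/denied."""
        gate = self.check(user)
        if gate != "ok":
            return gate
        self.record(user, credential_ok)
        return "granted" if credential_ok else "denied"
```

Because a locked or delayed account is answered before the credential is examined, the password check itself never runs during the lockout window, which is what limits an online guessing attack.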
