ITS 2110 - Introduction to Network Security

Lesson 11 - Chapter 11, Authentication and Account Management

Objectives:

This lesson covers chapter 11 in the text. It discusses authentication in a network. Objectives important to this lesson:

  1. Authentication credentials
  2. Single sign-on
  3. Securing accounts and passwords

Concepts:

Chapter 11 continues last week's discussion with more details on authentication. Authentication can be defined as the second phase of access control: when the requester's credentials are checked and confirmed. It is one of three key elements to security:

  • authentication - confirmation of identity
  • authorization - granting permissions that are linked to the user's account
  • accounting/auditing - tracking what the user does

Most security is based on one or more of three types of things:

  • something you have (like a key or an ID card)
  • something you know (like a PIN or a password)
  • something you are (like recognizing your fingerprint or your face)

The text adds two more elements to this list in the story on page 473:

  • something you do - The hero of the story is recognized for an ability he has. This is a little shaky, since he is not the only person in the world with that particular skill.
  • somewhere you are - Our hero is supposedly authenticated by being where a person with his identity is allowed to be. I do not buy this one at all. The logic would also say that if I hear someone walking down my front hallway at three in the morning, it must be someone who is supposed to be there because they are there. Are we supposed to believe that the only people on a military base are military people? This is not true. We are trusting that a different system has already authenticated the individual, which should be true, but may not be. The clip below illustrates that wandering around a secure facility will generally require repeated authentication. Failure to authenticate again should result in denial of access.


The text continues with a discussion of the most used something you know concept.

Passwords

The text discusses some myths about passwords. Its main point is that passwords should be longer, should be memorable to the user, and should be changed frequently. Of course, people hate long passwords, often pick passwords they forget, and raise a fuss when they are forced to choose a new password.

A new section talks about attacks meant to discover passwords. There is a bit of overlap across them:

  • social engineering - the text mentions shoulder surfing (watching someone enter the password), phishing (asking for the password in an email scam), and dumpster diving (looking through someone's trash); you would be surprised how many people will tell you their password if you just ask
  • capturing - using a key logger; staging a man in the middle attack
  • resetting - if a person can be lured away from their computer while it is unlocked, the attacker may be able to set the password to one they like; booting from a disc or a USB drive can let the attacker run a reset program from that device

The text also describes some classic password attack methods:

  • brute force attack - trying all possible password combinations; this is countered by a system that locks out an account once a set number of login failures have occurred
  • stealing the hash file - user passwords are often stored on a system in a hashed (encrypted) format; an attacker may steal the hash file, then compare it to hashes of known words in order to determine actual passwords; in a pass the hash attack, the attacker passes a captured hash for a known user directly to the authentication system.
  • dictionary attack - trying each word in a file, possibly an actual dictionary; variations usually include common substitutions of numbers or symbols for letters
  • rainbow tables - rainbow tables are precomputed tables of hash values and passwords, constructed to enhance the speed of cracking a hashed password; a stolen hash table can be compared to a rainbow table: when the hashes match, you have the user's password
  • mask attack - if the attacker knows any features of a user's password, an attack can be customized to follow a known pattern, length, or character set; this is what the text means by a mask


The author moves on to discuss passwords themselves, advocating a strong password policy: a mixture of character types, no actual words, longer when possible, and so on. He presents a convincing table on page 484.

  • If we assume a standard 95 character keyboard (upper and lower case, numerals, punctuation and symbols), then the number of possible passwords is the number of possible characters raised to the power of the length of the password.
  • In this scenario, there are 9025 possible 2 character passwords. That is not a lot when an attacker uses password breaking tools.
  • Every time you add a new position to the length of a password, the number of combinations is multiplied by 95 again, assuming that many possible characters. The average person looking at the table in question would assume that a 6 character password is complex enough. It is not.
  • The text's recommendation is 14 or more characters.

The author adds the idea of using characters that are not on the keyboard but are available in Windows through holding down an Alt key and entering a four digit code on the numeric keypad. I have entered his example of using alt-0163 to generate the pound sterling character, £, which does not appear on the usual American keyboard. If your browser is not showing a pound sterling character, you can use an HTML escape code to show it on a web page: &pound; will show a £. The main problem with this idea is that this method is not available on all systems, and the codes are not memorable unless you use them frequently.

Some of his advice is based on the behavior of known password attack programs. The best advice is to avoid using these variations in your passwords. Hackers and password cracking programs will try them all:

  • words from a dictionary
  • common passwords: password, 123456, letmein
  • adding common suffixes to the common passwords
  • substituting common symbols for letters: @ for a, 3 for e, 1 for i, 0 for o, $ for s
  • meaningful dates (meaningful to the password owner)

On page 489, the text discusses commonly used solutions that address something you have.

  • tokens - typically a device that fits in a pocket or on a key chain, featuring an LCD display that changes to a new password on a set schedule (often once a minute); must be synchronized with matching software on the authentication server you use to enter the system in question
  • cards - smart cards that include a computer circuit that typically communicates with a sensor by Near Field Communication to authenticate the holder of the card
  • cell phones - the user runs an app on the phone to request a pass code that is sent by a system that generates a new code with each request

On page 492, the text discusses commonly used solutions that address something you are.

Standard Biometrics

Biometric devices measure something about a living being, such as a fingerprint, face shape, hand print, iris pattern, or retina pattern. The text discusses two kinds of fingerprint scanners. Static fingerprint scanners read a print from a finger that is placed on a scanner. This technology has some known spoofs, such as using gummy bears. Dynamic fingerprint scanners require a finger to be passed across a reader that uses electrical resistance to create the image of the fingerprint.

Behavioral Biometrics

Measuring how a person performs a task is the concept behind behavioral biometrics. Several possibilities are listed, each with its own faults and virtues:

  • keystroke dynamics - how the user types on a keyboard
  • voice recognition - how the user says particular phrases
  • computer footprinting - a pattern of use including time of day, location, and the computer being used to access a system

Cognitive Biometrics

This method asks the user for particular facts about specific life events. This seems to be a faulty idea. If I were to respond to a series of questions about a wedding, wouldn't most other people who had attended the same event share the same knowledge about it?

The text expands its discussion of somewhere you are on page 499. This time it makes a better case for using this information in a negative way. If someone is attempting to log in to a system across the Internet, and we can tell they are in a location where the actual user is unlikely to be, the connection may be refused. This makes more sense than allowing the connection because the requester is somewhere we know the proper user has been.

The text has a short section on single sign-on, which is a concept that suggests a user can log on to a system and use multiple services without an additional login. This usually works in the background for printers on a network: log in to the network and you can print to any printer you want to use. In a similar way, I can log on to MyBaker then use email and Canvas without another login. In this example, I can also use any Google service that is available through my email menu.

The text points out that single sign-on services are marketed in clusters. You can log in and use all of Google's products, but you may have to log in again to access a cluster of services from Microsoft.

The last important point in the chapter begins on page 502. Account Management is about maintaining rules, policies, and standards that relate to accounts on a system.

Most users who log in to a Windows domain use passwords that must meet the restrictions set in the Domain Password Policy. Table 11-5 lists six attributes that can be set for domain passwords. The maximum settings given were true at the time the text was printed.

  • Enforce password history - sets the number of passwords that a user must set and use before a specific previous password can be used again; 10 seems to be a common setting, but the book recommends 24
  • Maximum password age - the age at which a password must be changed; note that Active Directory notifies users (daily) when their passwords are within 14 days of expiration, and users are given no grace logins once the password actually expires
  • Minimum password age - the age at which a password may voluntarily be changed; this is set to keep users from changing passwords too rapidly (for instance, trying to cycle through a list to get back to a favorite)
  • Minimum password length - self explanatory
  • Complexity requirements - when enabled, they typically require that the password include three out of four kinds of characters: upper case, lower case, numerals, symbols; note the other complexity requirements for this one
  • Store passwords with reversible encryption - not recommended, this setting is for legacy applications that require access to the user's password

The book did not previously mention three other settings you may want to know about. This edition lists them on page 504:

  • account lockout threshold - the number of failed login attempts that must occur to automatically lock an account; it may be unlocked by an administrator, or by the duration period expiring; if this property is set to 0, the account will never lock (not recommended)
  • account lockout duration - the time that must expire for a locked account to unlock automatically; if this property is set to 0, the account will not unlock automatically, and must be unlocked by an administrator
  • reset account lockout after - this is the time that must expire after the last failed login attempt for the bad login counter to reset to 0; the system counts bad login attempts and this counter is the trigger to lock an account; the value of this property must be the same or less than the value of account lockout duration
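To show how the three lockout settings interact, here is an added Python model (mine, not the text's and not Windows code) of the bad-login counter: the threshold locks the account, the reset window clears the counter, a duration of 0 means an administrator must unlock, and the validation check enforces the rule that the reset window may not exceed the duration. Times are in minutes and the account password is a constructed sample.

```python
from dataclasses import dataclass
from math import inf
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int      # failed logins that lock the account; 0 = never lock
    duration: int       # minutes a lock lasts; 0 = locked until an admin unlocks
    reset_after: int    # minutes after the last failure before the counter resets

    def validate(self) -> None:
        # the text's constraint: the reset window may not exceed the lockout duration
        if self.duration and self.reset_after > self.duration:
            raise ValueError("reset_after must be the same or less than duration")

@dataclass
class Account:
    password: str                          # constructed sample; plaintext only in this model
    bad_count: int = 0                     # the bad-login counter
    last_fail: Optional[int] = None        # minute of the most recent failure
    locked_until: Optional[float] = None   # None = not locked, inf = admin unlock needed

def attempt(policy: LockoutPolicy, acct: Account, guess: str, now: int) -> str:
    """Model one login at minute `now`; returns 'ok', 'denied' or 'locked'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"                # even the correct password is refused
        acct.locked_until, acct.bad_count = None, 0   # duration expired
    if acct.last_fail is not None and now - acct.last_fail >= policy.reset_after:
        acct.bad_count = 0                 # "reset account lockout after" elapsed
    if guess == acct.password:
        acct.bad_count = 0
        return "ok"
    acct.bad_count += 1
    acct.last_fail = now
    if policy.threshold and acct.bad_count >= policy.threshold:
        acct.locked_until = now + policy.duration if policy.duration else inf
        return "locked"
    return "denied"

def admin_unlock(acct: Account) -> None:
    acct.locked_until, acct.bad_count = None, 0

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, duration=30, reset_after=30)
    policy.validate()
    acct = Account(password="correct horse battery staple")
    for minute in (0, 1, 2, 3, 40, 41, 42, 43, 44, 50, 74):
        guess = "wrong" if minute < 50 else acct.password
        print(f"t={minute:3d} {attempt(policy, acct, guess, minute):7s} count={acct.bad_count}")
```

Four failures, a 37 minute pause, and one more failure do not lock the account because the counter reset; five failures inside the window do.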