1 18-Authentication


1.1 Screencasts

1.2 Introduction

1.2.1 User Authentication

NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines user authentication as:
“The process of establishing confidence in user identities that are presented electronically to an information system.”
Systems can use an authenticated identity to determine if the authenticated individual is authorized to perform particular functions.
### Authentication Process
* Fundamental building block and primary line of defense
* Basis for access control and user accountability
* Identification step: Presenting an identifier to the security system
* Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier
### Types

1.2.1.1 Four Means of Authentication

Authentication Model
Authentication/f1-crop.png

1.3 Risk assessment

1.4 Passwords

1.4.1 Password Authentication

1.4.1.1 The user ID

1.4.2 Password Vulnerabilities

1.4.3 Hashes and salts

Pass the salt, not the hash

Hashing passwords, with and without salt
Authentication/f2-crop.png

Discussion question:
Why use a slow hash?
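One answer in working code, as an added example that is not part of the lecture notes: salted, deliberately slow password hashing with PBKDF2-HMAC-SHA256 from the Python standard library. The stored record format "pbkdf2_sha256$iterations$salt$hash" and the iteration count are our own choices, and the final timing loop shows the point of the discussion question: a slow hash cuts the attacker's guess rate by orders of magnitude while costing the legitimate login only a fraction of a second.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the lecture: salted, deliberately slow password
# hashing with PBKDF2-HMAC-SHA256 from the Python standard library. The
# record format "pbkdf2_sha256$iterations$salt$hash" is our own convention.

ITERATIONS = 200_000   # raise over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, random, per-password salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough single-core rate at which an attacker could try guesses with hash_fn."""
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    r1, r2 = hash_password(pw), hash_password(pw)
    print("same password, different salts, different records:", r1 != r2)
    print("verify correct:", verify_password(pw, r1),
          " verify wrong:", verify_password("Tr0ub4dor&3", r1))
    fixed_salt = os.urandom(SALT_BYTES)
    fast = guesses_per_second(lambda p: hashlib.sha256(p.encode()).digest())
    slow = guesses_per_second(lambda p: hash_password(p, fixed_salt, 10_000))
    print("plain SHA-256: %.0f guesses/s, PBKDF2 10k rounds: %.0f guesses/s" % (fast, slow))
```

The salt is stored in the clear next to the hash; its job is not secrecy but making every user's hash a separate brute-force problem and defeating precomputed tables. The slowness comes from the iteration count, which the defender can raise later because it is stored with each record.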

1.4.3.1 Password hashing with salt benefits

1.4.4 Password attacks

1.4.4.1 Machine learning

Machine learning on real password databases
Authentication/f3-crop.png
The results come from one particular simulation on one particular set of passwords, so they may not generalize.

1.4.4.2 Password File Access Control

/etc/shadow (actual password hashes)
/etc/passwd (user meta-data)
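To make the split between the two files concrete, here is an added example (not from the lecture) that parses constructed /etc/shadow records and flags the ones an auditor cares about. The usernames and hash strings below are made up; the only real things are the nine-field layout and the "$id$" prefixes that identify the hashing algorithm. On a real system /etc/shadow is readable only by privileged processes, while /etc/passwd is world-readable and holds just an "x" in the password column.

```python
# Added example, not from the lecture: parse constructed /etc/shadow lines.
# Field order: user:hash:lastchange:min:max:warn:inactive:expire:reserved
# The sample records and hash strings below are constructed, not real hashes.

SHADOW_SAMPLE = """\
root:$6$8Qz1Lq9P$n3KxCONSTRUCTED...:19500:0:99999:7:::
alice:$y$j9T$Hk2fMCONSTRUCTED...:19620:0:99999:7:::
bob:$1$ab12cd34$XyCONSTRUCTED...:15000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

# "$id$" prefixes used by glibc/libxcrypt-style crypt(3)
HASH_IDS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt",
            "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}   # policy choice: too fast for modern attackers


def parse_shadow_line(line):
    """Return a dict describing one shadow record, raising on malformed input."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 fields, got %d: %r" % (len(f), line))
    user, hashfield = f[0], f[1]
    if hashfield == "":
        status, algo = "NO PASSWORD", None          # anyone can log in
    elif hashfield[0] in "!*":
        status, algo = "locked", None               # password login disabled
    elif hashfield.startswith("$"):
        algo = HASH_IDS.get(hashfield.split("$")[1], "unknown")
        status = "weak hash" if algo in WEAK else "ok"
    else:
        algo = "descrypt"                           # 13-char traditional DES crypt
        status = "weak hash"
    return {"user": user, "algo": algo, "status": status,
            "last_change_days": int(f[2]) if f[2] else None,
            "max_days": int(f[4]) if f[4] else None}


def audit_shadow(text):
    """Parse every non-empty line of a shadow file's contents."""
    return [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]


def findings(text):
    """(user, status) for accounts that are neither fine nor locked."""
    return [(r["user"], r["status"]) for r in audit_shadow(text)
            if r["status"] not in ("ok", "locked")]


if __name__ == "__main__":
    for rec in audit_shadow(SHADOW_SAMPLE):
        print("%-8s %-12s %s" % (rec["user"], rec["algo"], rec["status"]))
    print("findings:", findings(SHADOW_SAMPLE))
```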

1.4.4.2.1 Protection
1.4.4.2.2 Vulnerabilities

1.4.5 Improving Passwords

1.4.5.1 User Education

User Education on Password Strength
Authentication/password_strength.png
https://xkcd.com/936/
https://explainxkcd.com/wiki/index.php/936:_Password_Strength

1.4.5.2 Proactive Password Checker

Rule enforcement (example)

Password checker

Bloom filter

Bloom filter
Authentication/bloom.png

Bloom Filter Performance (Lower Y is Better)
Authentication/f4-crop.png
Storage size is smaller on the left and larger on the right.
Why: space versus speed
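The rule-enforcement and Bloom-filter ideas above, combined in one added example that is not part of the lecture: a proactive password checker that applies a few rules and then looks the candidate up in a Bloom filter built from a dictionary of bad passwords. The dictionary here is a constructed eight-word stand-in for a real wordlist, and the filter parameters (m bits, k hash functions) and the rules are our own choices.

```python
import hashlib
import math
import re

# Added example, not from the lecture: rule enforcement plus a Bloom filter
# over a constructed dictionary of bad passwords. Filter parameters and the
# rules are our own choices, not a standard.


class BloomFilter:
    """m-bit array with k hash functions: no false negatives, a few false positives."""

    def __init__(self, m_bits=1 << 16, k=7):
        self.m, self.k, self.n = m_bits, k, 0
        self.bits = bytearray((m_bits + 7) // 8)

    def _indexes(self, item):
        # k hash functions derived from SHA-256 by prefixing a counter byte
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item.encode("utf-8")).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.n += 1

    def __contains__(self, item):
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))

    def false_positive_rate(self):
        # textbook estimate (1 - e^(-kn/m))^k for n inserted items
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


BAD_PASSWORDS = ["password", "123456", "qwerty", "letmein", "dragon",
                 "iloveyou", "monkey", "welcome"]   # constructed sample wordlist


def build_filter(words, m_bits=1 << 16, k=7):
    bf = BloomFilter(m_bits, k)
    for w in words:
        bf.add(w.lower())
    return bf


def check_password(candidate, user_id, bf, min_len=8):
    """Return the list of rule violations; an empty list means accept."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if candidate.lower() == user_id.lower():
        reasons.append("same as user ID")
    if candidate.isdigit():
        reasons.append("digits only")
    # undo the common "Password1" trick before the dictionary lookup
    base = re.sub(r"\d+$", "", candidate).lower()
    if candidate.lower() in bf or (base and base in bf):
        reasons.append("found in dictionary filter")
    return reasons


if __name__ == "__main__":
    bf = build_filter(BAD_PASSWORDS)
    print("estimated false positive rate: %.2e" % bf.false_positive_rate())
    for pw in ["Password1", "correct horse battery staple", "alice", "12345678"]:
        print("%-30s %s" % (pw, check_password(pw, "alice", bf) or "accepted"))
```

The space-versus-speed trade-off in the figure is visible in the parameters: a bigger m lowers the false-positive rate (good passwords wrongly rejected) at the cost of memory, and a Bloom filter can never wrongly accept a word that is in the dictionary. Storing the filter rather than the wordlist also keeps the dictionary itself off the authentication server.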

1.5 Multi-factor authentication

2 factor authentication anyone?
Authentication/security.png

1.5.1 Hardware tokens

https://en.wikipedia.org/wiki/Security_token

For example:
https://onlykey.io/ (open source, good for actual static passwords)
https://www.nitrokey.com/ (open source, good for remote stuff, challenge-response)
https://solokeys.com/ (open source)
https://www.yubico.com/ (not open source, though popular)

Objects that a user possesses for the purpose of user authentication are called hardware tokens.
Authentication/image13.png

1.5.2 HOTP/TOTP

Using a counter:
https://en.wikipedia.org/wiki/HMAC-based_one-time_password

Using the time:
https://en.wikipedia.org/wiki/Time-based_one-time_password

The simplest thing is to take the secret that the provider gives you,
save it somewhere secure,
and do this with it at the command line:

sudo dnf/apt/zypper/etc. install oathtool

oathtool --base32 --totp --digits=6 "THESECRET"

Then, copy the resulting time-dependent password.

Plenty of password managers (like KeePassXC) will do that for you:
https://en.wikipedia.org/wiki/Comparison_of_OTP_applications

However, it’s easy to script this on Unix/Linux/Mac:

Put this in ~/bin/totp (and make it executable),
where dir/dir is any directory tree,
and secret is your TOTP secret.

#!/bin/bash
# use like this: `pass dir/dir/secret | totp`
# use like this: `gpg2 dir/dir/secret.gpg | totp`
# use like this: `cat dir/dir/secret.txt | totp`
# The code goes to the clipboard instead of the terminal (use pbcopy on macOS).
# Caveat: the secret is passed to oathtool as an argument, so it is briefly
# visible to other local users in the process list.

read -r secret
oathtool --base32 --totp --digits=6 "$secret" | xclip -i -r -selection clipboard
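To show what oathtool is doing, here is an added example that is not part of the lecture: HOTP (RFC 4226) and TOTP (RFC 6238) implemented from HMAC in the Python standard library, with the provider's base32 secret decoded the same way and a verifier that tolerates one step of clock drift. The secret "12345678901234567890" and the expected codes are the RFCs' published test vectors; the window size and constant-time comparison are our own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not from the lecture: HOTP (RFC 4226) and TOTP (RFC 6238)
# built from the primitives. The secret and expected codes used for checking
# are the RFC test vectors; the drift window is our own choice.


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1, t0=0):
    """TOTP: HOTP with the counter set to the number of time steps since t0."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int((for_time - t0) // step), digits, algo)


def decode_base32(text):
    """Decode a provider's base32 secret, tolerating spaces, case and missing padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, code, for_time=None, window=1, step=30, digits=6):
    """Accept the code for the current step or up to `window` steps either side."""
    if for_time is None:
        for_time = time.time()
    return any(hmac.compare_digest(totp(secret, for_time + i * step, step, digits), code)
               for i in range(-window, window + 1))


if __name__ == "__main__":
    # oathtool --base32 --totp --digits=6 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
    key = decode_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC test secret
    print("HOTP counter 0..2:", [hotp(key, c) for c in range(3)])
    print("TOTP at t=59, 8 digits:", totp(key, 59, digits=8))
    print("TOTP now:", totp(key))
```

A verifier that accepts a window must also remember the last counter it accepted and refuse anything older, otherwise a code captured by an attacker stays valid for the whole window; that state is what lets HOTP devices resynchronize and what makes TOTP codes single-use in practice.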

1.5.3 Biometric authentication

Authentication/f7-crop.png

Biometric modes
Authentication/f8-crop.png

Decision thresholds
Authentication/f9-crop.png

Decision thresholds
Authentication/f10-crop.png

Decision thresholds
Authentication/f11-crop.png
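The decision-threshold figures in numbers, as an added example that is not part of the lecture: given matcher scores for genuine users and for impostors, sweep the threshold and compute the false match rate (impostors accepted) and the false non-match rate (legitimate users rejected), then locate the crossover where the two are equal. The score lists are constructed for illustration, not measurements from any real biometric system.

```python
# Added example, not from the lecture: how a decision threshold trades false
# matches against false non-matches. The score samples are constructed.

GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.72, 0.93, 0.86, 0.68, 0.90]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.66, 0.19, 0.27, 0.74]  # different people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(false match rate, false non-match rate) when accepting score >= threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)   # impostor accepted
    fnmr = sum(s < threshold for s in genuine) / len(genuine)     # genuine rejected
    return fmr, fnmr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Threshold where FMR and FNMR are closest (the crossover / equal error rate)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        fmr, fnmr = error_rates(t, genuine, impostor)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, fmr, fnmr)
    return best[1], best[2], best[3]


def threshold_for_max_fmr(target_fmr, genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Lowest threshold whose FMR is at most target_fmr, and the FNMR paid for it."""
    for i in range(steps + 1):
        t = i / steps
        fmr, fnmr = error_rates(t, genuine, impostor)
        if fmr <= target_fmr:
            return t, fnmr
    return 1.0, 1.0


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7, 0.9):
        print("threshold %.2f: FMR %.1f  FNMR %.1f" % ((t,) + error_rates(t)))
    t, fmr, fnmr = equal_error_threshold()
    print("crossover near %.3f with FMR = FNMR = %.1f" % (t, fmr))
    t, fnmr = threshold_for_max_fmr(0.0)
    print("zero false matches needs threshold %.3f, rejecting %.0f%% of genuine users" % (t, fnmr * 100))
```

Moving the threshold right (high security) drives the false match rate toward zero but rejects more legitimate users; moving it left does the opposite. Unlike a password check, there is no setting with both error rates at zero, which is why the operating point is a policy decision and not a property of the sensor.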

Remote biometrics
Authentication/f13-crop.png

Discussion question:
What happens when your fingerprint database is corrupted?
What are some disadvantages and advantages of biometrics compared to passwords?

1.5.4 Challenge-response based schemes

(zero-knowledge proofs, like we previously covered)

Authentication/f12-crop.png
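One concrete challenge-response login, as an added example that is not part of the lecture: the host stores only a salted hash h(P), sends a fresh random challenge r, and the client answers with f(r, h(P')) = HMAC(key = h(P'), msg = r). The password never crosses the wire and a captured response is useless against the next challenge. This is a shared-secret scheme, not a zero-knowledge proof; the use of PBKDF2 for h and HMAC-SHA256 for f are our own choices.

```python
import hashlib
import hmac
import os

# Added example, not from the lecture: hash-based challenge-response login.
# Host keeps (salt, h(P)); client proves knowledge of P by returning
# HMAC(h(P), r) for a one-time challenge r. Not a zero-knowledge proof.


def h(password, salt, iterations=50_000):
    """Slow, salted password hash shared by enrolment and response."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class Host:
    def __init__(self):
        self.users = {}      # user -> (salt, h(P))
        self.pending = {}    # user -> outstanding challenge, at most one at a time

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, h(password, salt))

    def challenge(self, user):
        """Message 1, host -> client: the public salt and a fresh random r."""
        salt, _ = self.users[user]
        r = os.urandom(32)
        self.pending[user] = r
        return salt, r

    def respond_ok(self, user, response):
        """Message 2 check: recompute f(r, h(P)) and compare in constant time."""
        r = self.pending.pop(user, None)     # challenge consumed whether or not it succeeds
        if r is None:
            return False                     # nothing outstanding: stale or replayed
        _, hp = self.users[user]
        expected = hmac.new(hp, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, password):
        self.password = password

    def respond(self, salt, r):
        """Message 2, client -> host: f(r, h(P')) with the claimed password P'."""
        return hmac.new(h(self.password, salt), r, hashlib.sha256).digest()


def login(host, user, client):
    """Run the two-message exchange and return whether the host accepts."""
    salt, r = host.challenge(user)
    return host.respond_ok(user, client.respond(salt, r))


if __name__ == "__main__":
    host = Host()
    host.enroll("alice", "correct horse battery staple")
    print("right password:", login(host, "alice", Client("correct horse battery staple")))
    print("wrong password:", login(host, "alice", Client("Tr0ub4dor&3")))
```

The salt is sent in the clear so the client can recompute h(P'); an eavesdropper learns the salt and HMAC(h(P), r) but not h(P), and since r changes every time the captured value cannot be resubmitted. What the scheme does not protect against is an offline guessing attack by someone who captured both r and the response, which is why h should still be a slow hash.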

1.5.5 Mobile-phone 2-factor

When used in addition to a password, can be more secure, but:

++++++++++++++++
Cahoot 18.1