1 18-Authentication



1.1 Screencasts

1.2 Introduction

1.2.1 User Authentication

1.2.2 Authentication Process

1.2.3 Types

1.2.3.1 Four Means of Authentication

Authentication Model
18-Authentication/f1-crop.png

1.3 Risk assessment

1.4 Passwords

1.4.1 Password Authentication

Widely used line of defense against intruders
* User provides name/login and password
* System compares password with the one stored for that specified login

1.4.1.1 The user ID

1.4.2 Password Vulnerabilities

1.4.3 Hashes and salts

Pass the salt, not the hash

Hashing passwords, with and without salt
18-Authentication/f2-crop.png

Why use a slow hash?

1.4.3.1 Password hashing with salt benefits

1.4.4 Password attacks

1.4.4.1 Machine learning

Machine learning on real password databases
18-Authentication/f3-crop.png
In a particular simulation, with a particular set of passwords (perhaps of limited generalizable utility)

1.4.4.2 Password File Access Control

/etc/shadow (actual password hashes)
/etc/passwd (user meta-data)

1.4.4.2.1 Protection
1.4.4.2.2 Vulnerabilities

1.4.5 Improving Passwords

1.4.5.1 User Education

User Education on Password Strength
18-Authentication/password_strength.png
https://xkcd.com/936/
https://explainxkcd.com/wiki/index.php/936:_Password_Strength

1.4.5.2 Proactive Password Checker

Rule enforcement (example)
* All passwords must be at least n characters long.
* In the first n characters, the passwords must include at least one each of uppercase, lowercase, numeric digits, and punctuation marks.

Password checker
* Compile a large dictionary of possible “bad” passwords.
* When a user selects a password, the system checks to make sure that it is not on the disapproved list.
* Computationally expensive

Bloom filter
* Like a hash table, but faster, storing a “fingerprint” for each password.
* First loaded up with common bad passwords, generating a fingerprint for each.
* Passwords with common “fingerprints” will be rejected.
* Block users from using words on a common list or anything which hashes to common values.
* An empty Bloom filter is a bit array of m bits, all set to 0.
* k different hash functions are defined, each of which maps or hashes some set element to one of the m array positions.
* k is a constant, much smaller than m; m is proportional to the number of elements to be added.
* To add an element, feed it to each of the k hash functions to get k array positions. Set the bits at all these positions to 1.
* To query for an element (test whether it is in the set), feed it to each of the k hash functions to get k array positions. If any of the bits at these positions is 0, the element is definitely not in the set; if it were, then all the bits would have been set to 1 when it was inserted. If all are 1, then either the element is in the set, or the bits have by chance been set to 1 during the insertion of other elements, resulting in a false positive.

Bloom filter
18-Authentication/bloom.png
* An example of a Bloom filter, representing the set {x, y, z}.
* The colored arrows show the positions in the bit array that each set element is mapped to.
* The element w is not in the set {x, y, z}, because it hashes to one bit-array position containing 0.
* For this figure, m = 18 and k = 3.
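
The add and query steps listed above, applied to a bad-password checker, as an added Python example (not part of the original course notes). The SHA-256 double-hashing scheme and the standard sizing formulas for m and k are assumptions of this example, and the bad-password list is constructed sample data.

```python
import hashlib
import math

class BloomFilter:
    """Bit array of m bits queried through k hash functions."""
    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)  # empty filter: all bits 0

    def _positions(self, item: str):
        # Assumption of this example: derive the k positions by double
        # hashing two 64-bit halves of a single SHA-256 digest.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        # Any 0 bit: definitely absent. All 1: present or a false positive.
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))

def sized_for(n: int, fp_rate: float) -> BloomFilter:
    """Pick m and k for n elements at a target false-positive rate."""
    m = math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2)
    k = max(1, round(m / n * math.log(2)))
    return BloomFilter(m, k)

# Constructed sample of "bad" passwords (not a real breach list).
BAD_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon",
                 "iloveyou", "monkey", "abc123", "trustno1", "sunshine"]

def build_checker(bad=BAD_PASSWORDS, fp_rate=0.01) -> BloomFilter:
    bf = sized_for(len(bad), fp_rate)
    for pw in bad:
        bf.add(pw)
    return bf

def acceptable(bf: BloomFilter, candidate: str) -> bool:
    """Reject anything possibly on the list; a false positive costs a retry."""
    return candidate not in bf

def measured_fp_rate(bf: BloomFilter, trials: int = 20000) -> float:
    """Fraction of never-inserted strings the filter wrongly reports as present."""
    hits = sum(f"not-on-list-{i}" in bf for i in range(trials))
    return hits / trials
```

Because a query can only err toward "present", the checker never lets a listed password through; the cost of a small m is that some unlisted passwords are also refused.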

Bloom Filter Performance (Lower Y is Better)
18-Authentication/f4-crop.png
Storage size is smaller on the left and larger on the right.
Why: space versus speed

1.5 Multi-factor authentication

2 factor authentication anyone?
18-Authentication/security.png

1.5.1 Hardware tokens

https://en.wikipedia.org/wiki/Security_token

For example:
* https://onlykey.io/ (open source, good for actual static passwords)
* https://www.nitrokey.com/ (open source, good for remote stuff, challenge-response)
* https://www.yubico.com/ (not open source, though popular)
* https://solokeys.com/ (open source)

Objects that a user possesses for the purpose of user authentication are called hardware tokens.
18-Authentication/image13.png

1.5.2 Biometric authentication

18-Authentication/f7-crop.png

Biometric modes
18-Authentication/f8-crop.png

Decision thresholds
18-Authentication/f9-crop.png

Decision thresholds
18-Authentication/f10-crop.png

Decision thresholds
18-Authentication/f11-crop.png

Remote biometrics
18-Authentication/f13-crop.png

Discussion question:
What happens when your fingerprint database is corrupted?
What are some disadvantages and advantages of biometrics compared to passwords?

1.5.3 Challenge-response based schemes

(zero-knowledge proofs, like we previously covered)

18-Authentication/f12-crop.png

1.5.4 Mobile-phone 2-factor

When used in addition to a password, can be more secure, but:
* Text messages to mobile phones using SMS are insecure and can be intercepted.
* If the phone is unable to display messages, such as if it becomes damaged or shuts down for an update or due to temperature extremes (e.g. winter exposure), access is often impossible without backup plans.
* Account recovery typically bypasses mobile-phone two-factor authentication.
* Email is usually logged in at all times. So if the phone is lost or stolen, all accounts for which the email is the key can be hacked, as the phone can receive the second factor. Smartphones thus combine the two factors into one factor.
* SIM cloning gives hackers access to mobile phone connections. Social-engineering attacks against mobile-operator companies have resulted in the handing over of duplicate SIM cards to criminals.

Cahoot 18.1
