Authentication and Session Management

Bob Laskowski
IT 6873
Southern Polytechnic State University

Posted 12-Jul-2015

100 views

Category:

Technology


0 download

TRANSCRIPT


Authentication Defined

• Authentication – when applied to network security, we want to make sure that who the entity/data claims to be is factual

Threats to authentication

• Hackers are always looking for ways into a network. If they can acquire your method of gaining access, they save themselves hours of research
• Keep in mind that different accounts have different levels of access; if they can gain any foothold in a network, it gives them an advantage when looking for more vulnerabilities
• Also, if they use accounts already within the system, it helps to mask their actions, because the account they are using will already have been granted authentication rights to one degree or another

Why is this important?

• Authentication-based attacks factored into about four of every five breaches involving hacking in 2012
• After Celebrity Photo Hack, How Safe Is the Cloud?
  ◦ The real question is less about how good iCloud security is and more about how strong (and how unique) a user's password is.
• If you can masquerade as another person, there are no limits on how much you can compromise the privacy and integrity of anyone's online data

Weakness for authentication

• Most developers build their own authentication and session management schemes
• Authentication and session management schemes are complex, and these custom-built ones tend to have flaws
• Since there is no standard for this and each development effort is different, these flaws are difficult to find when nobody is looking for them, right up until a hacker finally does find them

Some Common Authentication Methods

• Use of user IDs
  ◦ Standard first initial.last name, or something more complex
• Passwords
  ◦ complexity, length, age, timeout, re-tries
• Multifactor authentication
  ◦ something you know, have, are
• Encryption
  ◦ PGP, Public-Key Cryptography, SSL, S-HTTP and S/MIME
• One Time Passwords
  ◦ Hardware/software tokens
• Digital Signatures

Common Authentication Method examples: Use of user IDs

• Use of user IDs
  ◦ Common methods revolve around first initial and last name, ex: r.smith
  ◦ However, this could give an attacker an edge in finding new accounts: brute force attack with every letter of the alphabet and #.smith
  ◦ Possible new method to add protection: use of initials and numbers, ex. [email protected]
• Or in some cases fully different aliases, ex. [email protected] can actually be [email protected]
• Think in terms of being obscure enough that no correlation can be made to actual data, aka data obfuscation, which is used in electronic health records

Common Authentication Method examples: Passwords

• We want a password to have a certain complexity to thwart dictionary and brute force attacks
• A good method for solid passwords is the Schneier scheme
  ◦ WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
  ◦ Wow...doestcst = Wow, does that couch smell terrible.
  ◦ Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
  ◦ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
• Here we take a phrase and break it down into one word or a smaller, supposedly nonsensical phrase that is much more difficult to crack

Common Authentication Method examples: Passwords

• In the next slide we see a method to make sure the password entered is actually valid

Password validation function

What is it?

• Whenever we have data entered in a form, we want to make sure that it is valid and not corrupted in any way. Here we are looking at checking the password someone enters

* Note: while I am using this method here for my report, you should not do this; a more secure method would be to email a token to a person and have them enter a password there. Having someone enter a password and gain access directly tends to be very insecure

Application

• Password validation ranges from checking regular expressions to length and complexity. This is used as a precursor to defend against brute force attacks
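The validation function the deck refers to is not reproduced in this transcript. The following Python is an added example, not the author's code: a password-policy check of the kind the Application slide describes, with one regular expression per character class, length bounds, a blocklist of common passwords and a check that the password does not contain the user name. The policy numbers, the tiny blocklist and the repeated-character rule are assumptions chosen for the example.

```python
import re
from typing import List

# Policy values below are assumptions chosen for this example, not numbers from the deck.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed blocklist of very common passwords; a real deployment would load a
# large breach-derived list instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# One regular expression per character class the policy counts.
CLASS_PATTERNS = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
REQUIRED_CLASSES = 3   # three of the four classes, so long passphrases are not rejected

# Four or more of the same character in a row shrink the effective search space.
REPEAT_RUN = re.compile(r"(.)\1{3,}")


def validate_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Checks, in order: length bounds, character-class complexity, the common-password
    blocklist, presence of the user name, and long runs of a repeated character.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    present = [name for name, pattern in CLASS_PATTERNS.items() if pattern.search(password)]
    if len(present) < REQUIRED_CLASSES:
        problems.append(
            f"needs at least {REQUIRED_CLASSES} of: " + ", ".join(CLASS_PATTERNS)
        )

    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")

    # Only check the user name when it is long enough to be a meaningful substring.
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the user name")

    if REPEAT_RUN.search(password):
        problems.append("contains four or more repeated characters in a row")
    return problems


if __name__ == "__main__":
    # The Schneier-scheme examples from the deck pass; a dictionary word does not.
    for candidate in ["Ltime@go-inag~faaa!", "Wow...doestcst", "password"]:
        print(repr(candidate), "->", validate_password(candidate, "r.smith") or "ok")
```

Requiring three of four classes rather than all four is deliberate: the Schneier-style phrase passwords on the previous slide contain no digits, and a policy that rejects them would push users toward shorter, more predictable strings.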

Common Authentication Method examples: Multifactor authentication

• Something you know – password
• Have – security token
• Are – a biometric feature: fingerprint, eye scan and so on
• It is a combination of two or more things, thus giving a layered defense
• Typical scenarios: use of a card or PINs, VPN and use of digital certificates, fingerprints, hard or soft tokens

Common Authentication Method examples: Encryption

  ◦ PGP – uses hashes and compression, along with a symmetric key (one key to encrypt/decrypt) to protect data
  ◦ Public-Key Cryptography – use of asymmetric encryption (one key encrypts, the other decrypts)
  ◦ SSL, S-HTTP – use of certificates
  ◦ S/MIME – securing of email

Common Authentication Method examples: One Time Passwords

  ◦ Use of challenges and responses for users
  ◦ Only good for that session and then times out
  ◦ Can be a hard or soft token, or an emailed or texted password
• Users can be tricked into giving these up with social engineering, and hackers can use that info to devise a pattern
• Possibly subject to man-in-the-middle attacks due to transmission methods

Common Authentication Method examples: Digital Signatures

• helps to prove that data sent is from a reliable source
• gives reassurance
• confirms the message wasn't tampered with

Common Authentication Method examples:

• In the next slide we see an example of hashing a password
• And we will see extra security applied to it with a salt
• These are examples of defense in depth; no one method or layer is 100% reliable

The One-Way Password Hashing Algorithm

What is it?

• A hash is a method in which we take a password, in this case, and apply a mathematical algorithm; this algorithm takes the password and turns it into a fixed-length binary value.

Application

• Hashes tend to be used as digital signatures for software, to ensure it hasn't been tampered with or corrupted when downloaded. However, in this case we can use them to protect the passwords of the users who attempt to log into our site.

Pseudo-random salt generator

What is it?

• It is random data that is fed through the one-way function together with the password, so that it becomes part of the hash of a password

Application

• Salts, when combined with password hashes, add a new level of difficulty for an attacker and help in defending against dictionary attacks
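Covering both the hashing slide and the salt slide above, this added Python example (not the deck's code, nor the PHP article's) hashes a password with a per-user salt drawn from the operating system's random source, stores salt, parameters and hash together, and verifies a login attempt with a constant-time comparison. PBKDF2-HMAC-SHA256 from the standard library stands in for the slide's "mathematical algorithm"; the iteration count, salt length and record format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters are assumptions for this example. PBKDF2-HMAC-SHA256 from the standard
# library plays the role of the slide's one-way "mathematical algorithm".
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # slows every guess down; tune to your hardware budget
SALT_BYTES = 16        # 128 bits of salt makes every user's stored hash unique


def generate_salt(length: int = SALT_BYTES) -> bytes:
    """Pseudo-random salt from the OS CSPRNG; never use random.random() for this."""
    return secrets.token_bytes(length)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh salt and return one self-describing record.

    Record layout: algorithm$iterations$base64(salt)$base64(hash). Storing the salt
    and the parameters next to the hash is what lets verification recompute it later.
    """
    if salt is None:
        salt = generate_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False   # malformed or tampered record never verifies
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking, through timing, how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print(record_a)
    print(record_b)
    # Same password, different salts: the stored values differ, so a table of
    # precomputed hashes built against one salt is useless against the other.
    print("records differ:", record_a != record_b)
    print("login ok:", verify_password("correct horse battery staple", record_a))
    print("wrong password:", verify_password("Correct horse battery staple", record_a))
```

The design point the two slides make is visible in the record format: because the salt is stored in clear next to the hash, it gives no secrecy on its own; its job is to force a dictionary attacker to redo the whole slow computation per user rather than once for the entire table.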

Actual Authentication Threats

• Confidence Tricks
  ◦ Various phishing methods
• Remote Technical Tricks
  ◦ Spoofing, proxy exploits, sniffing, old exploits against technology
• Local Technical Tricks
  ◦ Software vulnerabilities, Trojans, viruses, hardware attacks
• Victim Mistakes
  ◦ Weak passwords, written-down sensitive data, user errors
• Implementation oversights
  ◦ Replays, trusting bad data, sensitive data remembered in forms
• Denial of service attacks
  ◦ Lock outs for authorized users
• Enrollment errors
  ◦ New set of credentials created

Authentication attacks

Attack type – Attack description

• Brute Force – Allows an attacker to guess a person's user name, password, credit card number, or cryptographic key by using an automated process of trial and error.
• Insufficient Authentication – Allows an attacker to access a website that contains sensitive content or functions without having to properly authenticate with the website.
• Weak Password Recovery Validation – Allows an attacker to access a website that provides them with the ability to illegally obtain, change, or recover another user's password.

Repercussions from Authentication attacks

• Accounts can be locked out, or the entire user database can be locked out
• Outages can occur if there are accounts that do batch work
• There can be a loss of confidence in the business if such an attack is publicized

Prevention Methods

• First and foremost, proper code development
  ◦ Think like a hacker: look for what can go wrong instead of waiting for it
• Have informed users
  ◦ Over-inform on proper security procedures, automate the mundane
• User access lattices
  ◦ Only access to what they need access to
• Security in layers
  ◦ Never assume one layer will do it all

Session management Defined

• Session Management – the practice of overseeing a transfer of data between two or more entities
• Session management focuses on an already authenticated user
• This authenticated user has their information bound to an actual session token/ID

Threats to Session management

• We've already authenticated properly to a connection and we begin to do what it is we do: work, shopping, surfing the web, our banking, etc.
• There will be a session identifier for what you are doing, similar to a tracking cookie if you will; this ID ties you to what you are actually doing
• In essence you're leaving a sort of digital breadcrumb trail

Why is this important?

• Crack in Internet’s foundation of trust allows HTTPS session hijacking
  ◦ “Once the session cookie is decrypted, hackers can exploit it to gain unauthorized access to the user account the session cookie is designed to authenticate. The process from start to finish takes "a few minutes,"”
• Yahoo session hijacking likely culprit of Android spam

Weakness for session management

• Most developers build their own authentication and session management schemes
• Authentication and session management schemes are complex, and these custom-built ones tend to have flaws
• Since there is no standard for this and each development effort is different, these flaws are difficult to find when nobody is looking for them, right up until a hacker finally does find them

Some Common Session Management Methods

• Validate Session ID values coming from clients
  ◦ Have checks in place to confirm who's who
• Hard-to-Guess Cookie Values
  ◦ Match cookie values to session variables to complicate things
• User Authentication
  ◦ Good authentication always helps
• SSL Encryption
  ◦ Encryption always complicates things for hackers
• Use of trusted third parties
  ◦ Use a third-party session management implementation to offset risk
• Use sufficient session ID length
  ◦ Same as passwords: longer equals more secure
• Ensuring no patterns become evident
  ◦ You don’t want patterns to be found in your session IDs; they could be susceptible to brute force attacks
• Associate session ID with IP address
  ◦ Extra layers of security

Common Session Management Method in depth: Hard-to-Guess Cookie Values

• Cookies are carried in HTTP headers and allow control over token expiration, time and other granular features; this is why they are the most common method used
• The session uses the cookie to maintain the connection; much like when you authenticate, the cookie keeps your credentials active over the session
• Making sure cookie values are not easily guessable prevents a hacker from taking known values, guessing a new one and establishing a connection

Common Session Management Method in depth: SSL Encryption

• Since cookies are the most common method to establish and maintain the connection, we should also look at layered protection
• Making sure the cookies are sent over a secure connection
• This prevents a man-in-the-middle attack from succeeding and yielding usable data from a cookie

Actual Session Management threats

• Session hijacking attacks, targeted or generic
  ◦ Targeted: the goal is to impersonate a specific user
  ◦ Generic: they look for any user
• Session fixation attack
  ◦ Attacker hijacks a valid session
• Brute force
  ◦ Finding valid IDs through brute force searches
• Cross-site script attack
  ◦ Use of web applications to gain info
• Man-in-the-middle attack/Man-in-the-browser attack
  ◦ Actively/passively gaining info from unsuspecting people
• Prediction attacks
  ◦ Here a good ID is known and the next valid one is guessed

Repercussions from Session Management attacks

• Users can be impersonated and damage can be masked
• Fraud and/or theft can occur, dependent upon system access
• Worst case: elevation of privileges granted
• Best case: compromised account is locked out

Prevention Methods

• Use of cookies
  ◦ Use of the Secure flag in the header makes them un-sniffable; use of restrictions
• Don’t allow users to determine session IDs
  ◦ Make sure they can’t reuse old session info
• Each user should get a new identifier to your site
• Time-out session identifiers
  ◦ Creates a smaller window for an attacker
• Allow clean log outs
  ◦ When the user logs out, the session is invalidated on client and server
• Use of secure channels for session cookies
  ◦ Encryption always hampers things for attackers
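The session management methods listed earlier (validate client-supplied IDs, hard-to-guess values, sufficient length, no patterns, association with the IP address) and the prevention methods on this slide (Secure cookie flag, no client-chosen IDs, a fresh identifier per user, time-outs, clean logout) are demonstrated together in the following Python example, added here; it is not code from the deck or from the PHP article it references. The store is in memory for clarity, the timeout values and ID length are assumptions, and the addresses and clock values in the demo are constructed.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values are assumptions for this example, not numbers from the deck.
SESSION_ID_BYTES = 32               # 256 bits from the OS CSPRNG per session ID
IDLE_TIMEOUT = 15 * 60              # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60      # hard lifetime regardless of activity
# token_urlsafe(32) always yields 43 URL-safe base64 characters; anything else is
# rejected before it ever reaches the store.
SESSION_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{43}$")


@dataclass
class Session:
    user: str
    client_ip: str
    created: float
    last_seen: float
    authenticated: bool = False


class SessionStore:
    """In-memory server-side store; the client only ever holds the opaque ID."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, client_ip: str, now: float, user: str = "") -> str:
        # Unpredictable, pattern-free ID: never derived from user name, time or counters.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session(user, client_ip, now, now, authenticated=bool(user))
        return sid

    def lookup(self, sid: Optional[str], client_ip: str, now: float) -> Optional[Session]:
        """Validate an ID presented by a client: shape, existence, IP binding, timeouts."""
        if not sid or not SESSION_ID_PATTERN.match(sid):
            return None                  # malformed or client-chosen value
        session = self._sessions.get(sid)
        if session is None:
            return None                  # unknown, expired or already logged out
        if session.client_ip != client_ip:
            self.destroy(sid)            # same ID from another address: treat as hijack
            return None
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)            # time-out narrows the attacker's window
            return None
        session.last_seen = now
        return session

    def login(self, old_sid: Optional[str], user: str, client_ip: str, now: float) -> str:
        """Issue a brand-new ID at authentication, so an ID the client arrived with
        (possibly planted by an attacker) is never upgraded to an authenticated one."""
        if old_sid:
            self.destroy(old_sid)
        return self.create(client_ip, now, user=user)

    def destroy(self, sid: str) -> None:
        """Clean logout: the server forgets the ID, so a copied cookie is worthless."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value with the flags the deck calls for: Secure (sent only over
    HTTPS), HttpOnly (hidden from page script), SameSite=Strict, and a short Max-Age."""
    return f"sessionid={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_700_000_000.0                          # constructed clock value
    anonymous = store.create("203.0.113.5", t0)   # RFC 5737 documentation address
    authed = store.login(anonymous, "r.smith", "203.0.113.5", t0 + 5)
    print("old ID still valid?", store.lookup(anonymous, "203.0.113.5", t0 + 6) is not None)
    print("new ID from another IP?", store.lookup(authed, "198.51.100.7", t0 + 7) is not None)
    print(session_cookie_header(authed))
```

Binding the session to the client address, as the deck suggests, is a trade-off rather than a free layer: users behind carrier-grade NAT or on mobile networks change addresses mid-session and will be logged out, so many deployments log the mismatch and require re-authentication instead of destroying the session outright. The HttpOnly flag is what limits the cross-site scripting threat listed earlier, since script injected into the page cannot read a cookie that carries it.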

Summary

• Never assume you are hack proof; however, make sure you mitigate your risk by prioritizing your levels correctly
• Take into consideration what needs to be protected the most and what the damage will be if there is an issue with it
• Always make sure to use security in layers and never put all your eggs in one basket

This article covers some of the principles laid out earlier in my slide deck:

Securing PHP User Authentication, Login, and Sessions
http://blackbe.lt/php-secure-sessions/

• We see use of hashing, linking to IP addresses, and password validation (length, complexity) used to make the password and session ID more difficult to discover

References and readings

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
http://en.wikipedia.org/wiki/Session_%28computer_science%29
http://blackbe.lt/php-secure-sessions/
http://www.zdnet.com/hackers-favor-authentication-based-attacks-report-shows-7000014426/
https://www.owasp.org/index.php/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data
http://searchsecurity.techtarget.com/feature/State-based-attacks-Session-management
https://www.owasp.org/index.php/Session_Management
http://www.securityninja.co.uk/secure-development/session-management/
https://www.google.com/search?q=obstrufucation+of+data&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=np&source=hp#rls=org.mozilla:en-US:official&channel=np&q=obsufucation+of+data