authentication and session v4
TRANSCRIPT
Authentication Defined
Authentication – when applied to network security, we want to make sure that the entity (or data) is who or what it claims to be
Threats to authentication
Hackers are always looking for ways into a network. If they can acquire your method to gain access, they save themselves hours of research
Keep in mind that different accounts have different levels of access; also, if they can gain any foothold into a network, it gives them an advantage when looking for more vulnerabilities
Also, if they use accounts already within the system, it actually helps to mask their actions, because the account they are using will already have been granted authentication rights to one degree or another
Why is this important?
Authentication-based attacks factored into about four of every five breaches involving hacking in 2012
After Celebrity Photo Hack, How Safe Is the Cloud?
◦ The real question is less about how good iCloud security is and more about how strong (and how unique) a user's password is.
• If you can masquerade as another person, there are no limits on how much you can compromise the privacy and integrity of anyone's online data
Weakness for authentication
Most developers build their own authentication and session management schemes
Authentication and session management schemes are complex, and these custom-built ones tend to have flaws
Since there is no standard for this and each development effort is different, these flaws are often difficult to find when nobody is looking for them, which is how a hacker eventually finds them first
Some Common Authentication Methods
• Use of user ID's
◦ Standard first initial.last name, or something more complex
• Passwords
◦ complexity, length, age, timeout, re-tries
• Multifactor authentication
◦ something you know, have, are
• Encryption
◦ PGP, Public-Key Cryptography, SSL, S-HTTP and S/MIME
• One Time Passwords
◦ Hardware/software tokens
• Digital Signatures
Common Authentication Method examples: Use of user ID's
◦ Common methods revolve around first initial and last name, ex: r.smith
◦ However, this could give an attacker an edge on finding new accounts: a brute force attack with every letter of the alphabet as #.smith
◦ Possible new method to add protection: use of initials and numbers, ex. [email protected]
◦ Or in some cases a fully different alias, ex. [email protected] can actually be [email protected]
Think in terms of being as obscure as possible so that no correlation can be made to actual data, aka data obfuscation, which is used in electronic health records
Common Authentication Method examples: Passwords
We want a password to have certain complexity to thwart dictionary and brute force attacks
A good method for solid passwords is the Schneier scheme
◦ WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
◦ Wow...doestcst = Wow, does that couch smell terrible.
◦ Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
◦ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
Here we take a phrase and break it down into one word or a shorter, supposedly nonsensical string that is much more difficult to crack
Common Authentication Method examples: Passwords
In the next slide we see a method to make sure the password entered is actually valid
What is it?
Whenever we have data entered in a form, we want to make sure that it is valid and not corrupted in any way. Here we are looking at checking the password someone enters
* Note: while I am using this method here for my report, you should not do this; a more secure method would be to email a token to a person and have them enter a password there. Having someone enter a password and gaining access directly tends to be very insecure
Application
Password validation ranges from checking regular expressions to length and complexity. This is used as a precursor to defend against brute force attacks
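The validation step described above, as an added example that is not part of the original deck. The policy values (12-character minimum, three of four character classes, the tiny common-password denylist, and the user-name and repeated-character checks) are assumptions chosen for illustration; a real site would load a large breached-password list instead of the five constructed entries. The checker reports every violation rather than stopping at the first one, so the form can tell the user everything at once, and it accepts the Schneier-scheme examples from the earlier slide.

```python
import re
from typing import List

# Constructed stand-in for a breached-password denylist (assumption: a real
# deployment would load a large list such as a Have I Been Pwned export).
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein"}

MIN_LENGTH = 12    # assumption: policy minimum length
MIN_CLASSES = 3    # assumption: classes required out of upper/lower/digit/symbol

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password: str) -> List[str]:
    """Names of the character classes present in the password."""
    return [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]


def password_problems(password: str, username: str = "") -> List[str]:
    """Return every policy violation found, so the form can report them all at once."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of upper/lower/digit/symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    # (.)\1{3,} matches the same character four or more times in a row
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")
    return problems


def is_valid_password(password: str, username: str = "") -> bool:
    """True when the password passes every rule above."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ["WIw7,mstmsritt...", "password1", "r.smith!Secret1"]:
        print(candidate, "->", password_problems(candidate, username="r.smith") or "ok")
```

Note that this only checks what the user typed; it says nothing about how the password is stored, which the hashing and salting slides below address.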
Common Authentication Method examples: Multifactor authentication
Something you know – password
Have – security token
Are – a biometric feature, fingerprint, eye scan and so on
It is a combination of two or more things, thus giving a layered defense
Typical scenarios
use of a card, or PINs, VPN and use of digital certificates, fingerprints, hard or soft tokens
Common Authentication Method examples: Encryption
◦ PGP – uses hashes, and compression, along with a symmetric key (one key to encrypt/decrypt) to protect data
◦ Public-Key Cryptography – use of asymmetric encryption (one key encrypts, the other decrypts)
◦ SSL, S-HTTP – use of certificates
◦ S/MIME – securing of email
Common Authentication Method examples: One Time Passwords
◦ Use of challenges and responses for users
◦ Only good for that session and then times out
◦ Can be a hard or soft token, emailed or texted password
Users can be tricked into giving these up with social engineering, and hackers can use that info to devise a pattern
Possibly subjected to man in the middle attacks due to transmission methods
Common Authentication Method
examples: Digital Signatures
• helps to prove that data sent is from a
reliable source
• gives reassurance
• confirms message wasn’t tampered with
Common Authentication Method examples:
In the next slide we see an example of hashing a password
And we will see extra security applied to it with a salt
These are examples of defense in depth; no one method or layer is 100% reliable
What is it?
A hash is a method in which we take a password, in this case, and apply a mathematical algorithm; this algorithm takes the fixed length password and turns it into a fixed length binary value.
Application
Hashes tend to be used as digital signatures for software to ensure it hasn't been tampered with or corrupted when downloaded. However, in this case we can use it to protect the passwords of the users that attempt to log into our site.
What is it?
It is random data that is applied to a one way function and then added to the hash of a password
Application
Salts, when combined with password hashes, help to add a new level of difficulty for dictionary attacks
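The hashing and salting steps from the last two slides, carried through as an added example that is not the deck's own code. It contrasts a bare SHA-256 of the password (two users with the same password get the same hash, so one precomputed dictionary cracks both) with a per-user random salt fed through an iterated PBKDF2-HMAC-SHA256, and stores the algorithm, iteration count, salt and digest together so the parameters can be raised later without breaking old records. The iteration count and record layout are assumptions for the example; comparison uses hmac.compare_digest to avoid timing leaks.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: work factor; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What NOT to store: identical passwords give identical hashes, so one
    precomputed dictionary (or rainbow table) cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: alg$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    alg, iterations, salt_b64, digest_b64 = stored.split("$")
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "Wow...doestcst"
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))   # identical: the weakness
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted, user A:  ", rec_a)
    print("salted, user B:  ", rec_b)                 # different salt, different digest
    print("login check:", verify_password(pw, rec_a), verify_password("wrong", rec_a))
```

Keeping the iteration count inside the record is what makes the "defense in depth" idea practical: when the cost is raised, existing users are re-hashed transparently at their next successful login.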
Actual Authentication Threats
• Confidence Tricks
◦ Various phishing methods
• Remote Technical Tricks
◦ Spoofing, proxy exploits, sniffing, old exploits of technology
• Local Technical Tricks
◦ Software vulnerabilities, Trojans, viruses, hardware attacks
• Victim Mistakes
◦ Weak passwords, written down sensitive data, user errors
• Implementation oversights
◦ Replays, trusting bad data, sensitive data remembered in forms
• Denial of service attacks
◦ Lock outs for authorized users
• Enrollment errors
◦ new set of credentials created
Authentication attacks
Attack type – Attack description
Brute Force – Allows an attacker to guess a person's user name, password, credit card number, or cryptographic key by using an automated process of trial and error.
Insufficient Authentication – Allows an attacker to access a website that contains sensitive content or functions without having to properly authenticate with the website.
Weak Password Recovery Validation – Allows an attacker to access a website that provides them with the ability to illegally obtain, change, or recover another user's password.
Repercussions from Authentication attacks
Accounts can be locked out, or the entire user database can be locked out
Outages can occur if there are accounts that do batch work
There can be a loss of confidence in the business if such an attack is publicized
Prevention Methods
• First and foremost, proper code development
◦ Think like a hacker: look for what can go wrong instead of waiting for it
• Have informed users
◦ Over-inform on proper security procedures, automate the mundane
• User access lattices
◦ Only access to what they need access to
• Security in layers
◦ Never assume one layer will do it all
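One concrete layer against the brute force attack in the table above that also avoids the lock-out repercussion from the previous slide, as an added example that is not part of the original deck. Instead of disabling an account after N failures (which lets an attacker deny service to the real owner, the "Denial of service ◦ Lock outs for authorized users" threat), it keys the back-off on the (account, source address) pair and doubles the wait after each further failure. The free-attempt count, base delay and cap are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, Tuple


class LoginThrottle:
    """Per (account, source IP) exponential back-off for failed logins.

    Assumed policy: the first FREE_ATTEMPTS failures cost nothing, then each
    further failure doubles the wait, capped at MAX_DELAY seconds. Because the
    key includes the source address, an attacker hammering one account from
    one place cannot lock the real owner out from everywhere else.
    """

    FREE_ATTEMPTS = 3
    BASE_DELAY = 1.0
    MAX_DELAY = 300.0

    def __init__(self) -> None:
        self.failures: Dict[Tuple[str, str], int] = defaultdict(int)
        self.blocked_until: Dict[Tuple[str, str], float] = defaultdict(float)

    @staticmethod
    def _key(username: str, source_ip: str) -> Tuple[str, str]:
        return (username.strip().lower(), source_ip)

    def retry_after(self, username: str, source_ip: str, now: float) -> float:
        """Seconds the caller must still wait; 0.0 means an attempt is allowed now."""
        return max(0.0, self.blocked_until[self._key(username, source_ip)] - now)

    def record_failure(self, username: str, source_ip: str, now: float) -> float:
        """Register a failed attempt and return the delay imposed (0.0 while still free)."""
        key = self._key(username, source_ip)
        self.failures[key] += 1
        penalised = self.failures[key] - self.FREE_ATTEMPTS
        if penalised <= 0:
            return 0.0
        delay = min(self.BASE_DELAY * 2 ** (penalised - 1), self.MAX_DELAY)
        self.blocked_until[key] = now + delay
        return delay

    def record_success(self, username: str, source_ip: str) -> None:
        """A correct login clears the counters for that account/source pair."""
        key = self._key(username, source_ip)
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(1, 8):   # constructed: seven wrong guesses from one address
        delay = throttle.record_failure("r.smith", "203.0.113.5", now=float(attempt))
        print(f"failure {attempt}: next attempt delayed {delay:.0f}s")
```

The delays stay short for a user who mistyped once or twice, but a tool that makes thousands of guesses from one address is slowed to a crawl; pair this with the logging of failed attempts so the activity is visible to whoever monitors the site.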
Session management Defined
Session Management – the practice of overseeing a transfer of data between two or more entities
Session management focuses on an already authenticated user
This authenticated user has their information bound to an actual session token/ID
Threats to Session management
We've already authenticated properly to a connection and we begin to do what it is we do: work, shopping, surfing the web, our banking, etc.
There will be a session identifier for what you are doing, similar to a tracking cookie if you will; this ID ties you to what you are actually doing
In essence you're leaving a sort of digital bread crumb trail
Why is this important?
Crack in Internet's foundation of trust allows HTTPS session hijacking
◦ “Once the session cookie is decrypted, hackers can exploit it to gain unauthorized access to the user account the session cookie is designed to authenticate. The process from start to finish takes 'a few minutes,'”
Yahoo session hijacking likely culprit of Android spam
Weakness for session management
Most developers build their own authentication and session management schemes
Authentication and session management schemes are complex, and these custom-built ones tend to have flaws
Since there is no standard for this and each development effort is different, these flaws are often difficult to find when nobody is looking for them, which is how a hacker eventually finds them first
Some Common Session Management Methods
• Validate Session ID values coming from clients
◦ Have checks in place to confirm who's who
• Hard-to-Guess Cookie Values
◦ Match cookie values to session variables to complicate things
• User Authentication
◦ Good authentication always helps
• SSL Encryption
◦ Encryption always complicates things for hackers
• Use of trusted third parties
◦ Use a third party session management implementation to offset risk
• Use sufficient session ID length
◦ Same as passwords: longer equals more secure
• Ensure no patterns become evident
◦ You don't want patterns to be found in your session IDs; they could be susceptible to brute force attacks
• Associate session ID with IP address
◦ Extra layers of security
Common Session Management Method in depth: Hard-to-Guess Cookie Values
Cookies are related to HTTP headers and allow control over token expiration, time and other granular features; this is why it's the most common method used
The session uses the cookie to maintain the connection; much like when you authenticate, the cookie keeps your credentials active over the session
Making sure cookie values are not easily guessable prevents a hacker from taking the values, guessing a new one, and establishing a connection
Common Session Management Method in depth: SSL Encryption
Since cookies are the most common method to establish and maintain the connection, we should also look at layered protection
Making sure the cookies are sent over a secure connection
This will prevent a man in the middle attack from succeeding and gaining usable data from a cookie
Actual Session Management threats
• Session hijacking attacks, targeted or generic
◦ Targeted: the goal is to impersonate a specific user
◦ Generic: they look for any user
• Session fixation attack
◦ Attacker hijacks a valid session
• Brute force
◦ Finding valid IDs through brute force searches
• Cross-site script attack
◦ Use of web applications to gain info
• Man-in-the-middle attack/Man-in-the-browser attack
◦ Actively/passively gaining info from unsuspecting people
• Prediction attacks
◦ Here a good ID is known and a next valid one is guessed
Repercussions from Session Management attacks
Users can be impersonated and damage can be masked
Fraud and/or theft can occur, dependent upon system access
Worst case: elevation of privileges granted
Best case: compromised account is locked out
Prevention Methods
• Use of cookies
◦ Use of the secure flag in the header makes them un-sniffable; use of restrictions
• Don't allow users to determine session IDs
◦ Make sure they can't reuse old session info
• Each user should get a new identifier to your site
• Time-out session identifiers
◦ Creates a smaller window for the attacker
• Allow clean log outs
◦ When the user logs out, the session is invalidated on client and server
• Use of secure channels for session cookies
◦ Encryption always hampers things for attackers
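The session management methods and the prevention methods above, put together in one in-memory session store, as an added example that is not from the original deck or the referenced PHP article. It covers the "Some Common Session Management Methods" slide (random IDs of sufficient length with no pattern, validation of IDs arriving from clients, binding to the client IP address), the hard-to-guess cookie values slide, and this prevention slide (a fresh identifier is issued at login and any ID the client arrived with is discarded, idle time-out, server-side invalidation on logout, and a cookie carrying the Secure and HttpOnly flags). The ID length, the 15-minute idle limit, the cookie name and the exact-IP comparison are assumptions for the example.

```python
import math
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ID_BYTES = 32                 # assumption: 256 bits of randomness per session ID
ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # shape of token_urlsafe(32): 43 chars, no padding
IDLE_TIMEOUT = 15 * 60        # assumption: seconds of inactivity before the ID dies
COOKIE_NAME = "sid"           # assumption


def new_session_id() -> str:
    """Unpredictable ID from the OS CSPRNG: no counter, timestamp or user data in it."""
    return secrets.token_urlsafe(ID_BYTES)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing space of an ID, for comparing schemes (e.g. a 6-digit counter vs this one)."""
    return length * math.log2(alphabet_size)


def is_well_formed(sid: str) -> bool:
    """Reject anything a client sends that does not even look like one of our IDs."""
    return bool(ID_RE.fullmatch(sid))


@dataclass
class Session:
    user: str
    client_ip: str
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout

    def login(self, user: str, client_ip: str, now: float, presented_sid: Optional[str] = None) -> str:
        """Issue a brand-new ID after authentication; never adopt one the client brought
        (that is the session fixation defence) and drop any pre-login session it had."""
        if presented_sid:
            self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        self._sessions[sid] = Session(user, client_ip, now)
        return sid

    def resolve(self, sid: Optional[str], client_ip: str, now: float) -> Optional[str]:
        """Map a presented ID to a user, or None if it is malformed, unknown, expired,
        or presented from a different address than the one it was bound to."""
        if not sid or not is_well_formed(sid):
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            self._sessions.pop(sid, None)        # expired: remove so it cannot be revived
            return None
        if session.client_ip != client_ip:
            return None                          # IP binding: extra layer, strict by assumption
        session.last_seen = now
        return session.user

    def logout(self, sid: str) -> None:
        """Server-side invalidation; the browser copy is cleared with clear_cookie_header()."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Secure: only over TLS (no sniffing). HttpOnly: not readable by page scripts."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def clear_cookie_header() -> str:
    return f"Set-Cookie: {COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("r.smith", "198.51.100.7", now=0.0, presented_sid="id-chosen-by-someone-else")
    print(set_cookie_header(sid))
    print("same client:", store.resolve(sid, "198.51.100.7", now=10.0))
    print("other address:", store.resolve(sid, "203.0.113.9", now=10.0))
    print("random ID bits:", entropy_bits(64, 43), "vs 6-digit counter:", entropy_bits(10, 6))
```

Strict IP binding is the one setting to weigh carefully: users behind carrier NAT or on mobile networks change addresses mid-session and would be logged out, so many sites bind to a coarser signal or treat a changed address as a reason to re-authenticate rather than drop the session outright.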
Summary
Never assume you are hack proof; however, make sure you mitigate your risk by prioritizing your levels correctly
Take into consideration what needs to be protected the most and what the damage will be if there is an issue with it
Always make sure to use security in layers and never put all your eggs in one basket
This article covers some of the principles laid out earlier in my slide deck
Securing PHP User Authentication, Login, and Sessions
http://blackbe.lt/php-secure-sessions/
We see use of hashing, linking to IP addresses, and password validation (length, complexity), used to make the password and session ID more difficult to discover
References and readings
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
http://en.wikipedia.org/wiki/Session_%28computer_science%29
http://blackbe.lt/php-secure-sessions/
http://www.zdnet.com/hackers-favor-authentication-based-attacks-report-shows-7000014426/
https://www.owasp.org/index.php/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data
http://searchsecurity.techtarget.com/feature/State-based-attacks-Session-management
https://www.owasp.org/index.php/Session_Management
http://www.securityninja.co.uk/secure-development/session-management/
https://www.google.com/search?q=obstrufucation+of+data&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=np&source=hp#rls=org.mozilla:en-US:official&channel=np&q=obsufucation+of+data