SECURITY IN COMPUTING, FIFTH EDITION
Toolbox: Authentication, Access Control, and Cryptography
Authentication
• The act of proving that a user is who she says she is
• Methods:
• 1. Something the user knows
• 2. Something the user is
• 3. Something the user has
• 4. Location factors
• 5. Behavioural factors
1. Something You Know
• Passwords
• Security questions
• Knowledge factors are the least secure authentication factors
• Attacks on “something you know”:
• Dictionary attacks
• Inferring likely passwords/answers
• Guessing
• Defeating concealment
• Exhaustive or brute-force attack
• Rainbow tables
2. Something the User Is
Generally biometric factors
• Something unique to the user's physical attributes.
• Examples include fingerprints, facial recognition, voice recognition,
retina scans, and other forms of biometric data.
• Banks and investment firms commonly use voice recognition when
you call them to verify your identity. Your voice is analyzed based on
its acoustics and individual characteristics like your accent, speech
rhythm, and vocabulary.
• As an example of multi-factor authentication that uses biometrics, consider your cell phone. You can enable multi-factor authentication so that you have to enter a PIN (something you know) and scan your fingerprint (something you are).
• Biometrics are a convenient form of authentication because you
have them readily available.
2. Biometrics - Problems
• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
3. Something the user has
Possession factor technologies include the following:
• Security tokens are small hardware devices that store a user's personal
information and are used to authenticate that person's identity electronically.
The device may be a smart card, an embedded chip in an object, such as a
Universal Serial Bus (USB) drive, or a wireless tag.
• A software-based security token application generates a single-use login
PIN. Soft tokens are often used for mobile multifactor authentication, in which
the device itself -- such as a smartphone -- provides the possession factor
authentication.
Typical possession factor user scenarios include the following:
• Mobile authentication, where users receive a code via their smartphone to gain
or grant access -- variations include text messages and phone calls sent to a
user as an out-of-band method, smartphone OTP apps, SIM cards and smart
cards with stored authentication data; and
• Attaching a USB hardware token to a desktop that generates an OTP and using
it to log in to a VPN client.
4. Location Factors
• Somewhere the user is.
• This can involve geolocation services to verify that the user is
accessing the system from an expected or approved location.
• Some see it as an authorisation factor rather than an authentication factor.
• Three main difficulties around the use of location to help give
confidence that an identity is authentic are
• Specificity - How much space do you occupy at any one time
• Accuracy - consumer hardware is affected by so many variables, that we can’t
trust any location data is accurate at this level of resolution with current
technology.
• Reliability - we need to know that the data provided, even if really accurate, is authoritative. Location data as it stands is often trivial to spoof, and there are also issues with GPS jamming.
5. Behavioural Factor
• Something related to the user's behaviour or patterns of interaction.
• Examples include typing speed, mouse movement patterns, and other behavioural characteristics.
• Benefits of behavioural biometrics authentication include the following:
REMOVE ANY UNCERTAINTY ABOUT A USER’S IDENTITY
• Behavioural biometrics authentication uses unique data points to continuously authenticate a user,
irrespective of what they’re doing on their computer. This eliminates any opportunity for identity theft
or fraud since there is no way to steal or replicate biometric information.
PRESERVE PRIVACY
• Behavioural biometrics authentication does not reveal user identity like traditional authentication
methods do. This preserves user privacy and allows them to keep their personal information private.
EVALUATION OF USER INTERACTION WITH THE DEVICE IN REAL TIME
• Behavioural biometrics authentication evaluates a user’s ongoing interaction with their device in real
time, making it harder for hackers to get around security measures.
MORE SECURE THAN TRADITIONAL SECURITY MEASURES
• Unlike standard security measures, which are susceptible to theft or replication, behavioural
biometrics authentication is almost impossible to replicate. This makes it more secure than traditional
security measures.
Multi-factor Authentication
When implementing MFA, it's generally recommended to
use a combination of these factors to ensure a higher
level of security. For example, a common MFA setup might
involve a password (knowledge factor) and a one-time code
from an authenticator app (possession factor).
This way, even if one factor is compromised, the attacker would still need the other factor to gain access.
Distribution of Password Types (chart)
Password Storage
1. Use a Strong Password Hashing Algorithm: Employ strong, industry-standard password hashing algorithms (like bcrypt, scrypt, or Argon2) to hash passwords before storing them. Avoid weak or outdated methods.
2. Salted Hashing: Always use a unique, random value (known as a "salt") for each password before hashing. This helps protect against rainbow table attacks.
3. Avoid Plain Text Storage: Never store passwords in plain text. If a database is breached, plain text can be easily exploited.
4. Implement Key Stretching: Use techniques like key stretching to make the hashing process computationally intensive. This slows down brute-force and dictionary attacks.
5. Regularly Update Password Hashes: Periodically rehash passwords using stronger algorithms or longer salts. This helps to stay ahead of advances in computational power.
6. Protect the Database: Implement strong access controls and encryption for the database where passwords are stored. Use firewalls and intrusion detection systems to safeguard against unauthorized access.
7. Access Control: Limit access to the password database to only those who need it. Use strict access controls and strong authentication for administrators.
8. Monitor for Anomalies: Set up monitoring systems to detect unusual activity related to password storage or access.
9. Multi-Factor Authentication (MFA): Implement MFA for privileged users who have access to password databases.
10. Use a Trusted Password Manager: If possible, encourage users to use trusted password managers to generate, store, and manage their passwords securely.
11. Regularly Audit Password Security: Conduct regular security audits and vulnerability assessments to identify and address any weaknesses in the password storage process.
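Points 2, 4 and 5 above (salting, key stretching and periodic rehashing) fit together in one verify-and-upgrade routine. The following is an added example, not code from the slides: it uses the standard-library PBKDF2-HMAC-SHA256 as the stretching function because it runs without extra packages (the slides' preferred bcrypt, scrypt or Argon2 would slot into the same structure), and the record format, iteration count and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Current policy (constructed for this example): algorithm tag, iteration count and salt size
# that a new record must meet. Raising CURRENT_ITERATIONS later makes older records "stale".
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS, salt: bytes = b"") -> str:
    """Salted, stretched hash encoded as 'alg$iterations$salt_hex$digest_hex'."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh random salt per password: defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    alg, iterations, salt_hex, digest_hex = stored.split("$")
    if alg != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True when the record was produced with weaker parameters than the current policy."""
    alg, iterations, salt_hex, _ = stored.split("$")
    return (alg != ALGORITHM or int(iterations) < CURRENT_ITERATIONS
            or len(bytes.fromhex(salt_hex)) < SALT_BYTES)


def login(password: str, stored: str):
    """Verify; if the record is stale, return an upgraded record for the caller to write back.

    Login is the only moment the plaintext is available, so it is the only moment an
    existing record can be re-stretched with stronger parameters (point 5 on the slide).
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored
```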
Brute Force Hacking
Brute force hacking is a method used by attackers to gain unauthorized access to a system or an account
by systematically trying out all possible combinations of usernames and passwords until the correct one is
found. This method does not rely on any specialized knowledge or vulnerabilities in the system; instead, it
relies on the sheer computational power and persistence of the attacker.
1. Selection of Target: The attacker identifies a target, which could be a specific account (like an email or social media account) or a system (like a website, server, or application) that they want to access.
2. Credential List: The attacker compiles a list of potential usernames and passwords. These lists can be generated in various ways, including using common passwords, dictionary words, or by harvesting data from previous breaches.
3. Iteration: The attacker uses a program or script to automate the process of attempting to log in. The program iterates through the list of usernames and tries each one with every password.
4. Testing Credentials: For each combination of username and password, the program sends a login request to the target system. If the combination is correct, the attacker gains access.
5. Iterative Process: The process continues until the correct combination is found or until the entire list of possible combinations has been exhausted.
6. Time and Resources: The success of a brute force attack depends on the strength and complexity of the passwords, the computational power available to the attacker, and the effectiveness of any countermeasures in place (such as account lockouts after a certain number of failed login attempts).
Brute Force Hacking Countermeasures
1. Account Lockouts: After a certain number of failed login attempts, an account may be
temporarily locked to prevent further unauthorized access attempts.
2. CAPTCHA: CAPTCHA challenges can be used to differentiate between human users
and automated scripts.
3. Strong Password Policies: Requiring complex passwords with a combination of
uppercase, lowercase, numbers, and special characters can significantly increase the
difficulty of a successful brute force attack.
4. Multi-Factor Authentication (MFA): Adding an extra layer of authentication, e.g. a
one-time code sent to a user's mobile device, greatly mitigates the effectiveness of
brute force attacks.
It is important for individuals and organizations to implement strong password practices and other security measures to protect against brute force attacks.
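Countermeasure 1 above (account lockout after a number of failed attempts) is the one a login service implements itself. The following is an added example, not code from the slides: a small per-account throttle with a sliding failure window and a temporary lockout; the threshold and durations are constructed values, and the injectable clock exists so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict

# Policy values constructed for this example, not taken from the slides.
MAX_FAILURES = 5       # failed attempts tolerated inside the window
WINDOW_SECONDS = 600   # failures older than this no longer count
LOCKOUT_SECONDS = 900  # how long the account stays locked once the limit is hit


class LoginThrottle:
    """Counts failed logins per account and enforces a temporary lockout.

    While an account is locked the answer is 'locked' whether or not the password was right,
    so the lock does not become an oracle that confirms a correct guess.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.locked_until = {}             # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        return self.locked_until.get(account, 0) > self.clock()

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'failed' or 'ok'."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        # keep only failures inside the sliding window
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        if password_ok:
            self.failures[account] = []  # a successful login clears the counter
            return "ok"
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []
            return "locked"
        return "failed"
```

A real deployment would persist this state centrally so a distributed attacker cannot reset it by hitting a different server, and would log each lockout for the anomaly monitoring described in the Password Storage slide.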
How Long Does It Take a Hacker to Brute Force a Password
Hive Systems conducts annual research to determine how long it takes to crack passwords.
It provides an estimate of how long it would take a hacker with a consumer budget to crack passwords using a desktop computer with a top-level consumer-grade graphics card.
For an 8-character password chosen as NIST recommends, as a randomly generated string, a top-of-the-range GPU available in 2018 (RTX 2080) would take 4 hours to crack a password containing numbers, upper- and lower-case letters, and symbols.
Today, using the latest GPUs (RTX 4090), it takes just 59 minutes, but if cloud resources were used, the time taken to crack the password drops to just 19 minutes using 8 x A100 GPUs from Amazon AWS, and 12 minutes using 12.
The table on the next slide shows how long it would take a hacker using standard equipment to guess a password.
Time it takes hackers to brute force passwords (table)
Federated Identity
Management
FIM is a system of single login, multiple access. For FIM to work effectively,
all involved partners must have a sense of mutual trust. Each trust domain
maintains its own identity management.
However, all domains are interlinked through a third-party service that
stores users' access credentials and provides the trust mechanism needed
for FIM to work. This third service is known as the identity provider or broker.
Users' credentials are provided to and stored with their identity provider,
which is their home domain. Then, when logging in to a service such as a
software-as-a-service application, they don't have to provide credentials
to the service provider. Rather, the service provider trusts the identity
provider to validate these credentials and grant them access.
Examples of FIM systems include OpenID and Open Authorization, as well
as Shibboleth, which is based on the Organization for the Advancement of
Structured Information Standards' Security Assertion Markup Language
(SAML).
Federated Identity Management
A federated identity management scheme is a union of separate identification and authentication systems. Authentication is performed in one place, and separate processes and systems determine that an already authenticated user is to be activated.
Single Sign-On
Single sign-on lets a user log on once per session but access many different
applications/systems.
It often works in conjunction with federated identity management, with the
federated identity provider acting as the source of authentication for all the
applications.
Google, LinkedIn, Apple, Twitter and Facebook offer popular SSO services
that enable end users to log in to third-party applications with their social
media authentication credentials.
Single Sign-On vs FIM
Single sign-on (SSO) is an important component of FIM, but it is not the
same as FIM.
Implementing single sign-on doesn't necessarily require FIM, but the latter
does rely heavily on SSO technologies for authentication among domains.
SSO enables users to use a single set of credentials to access multiple
systems within a single organization. It is token-based, meaning that users
are identified by a token rather than a password.
FIM enables users to access systems across federated organizations. They
can use the same credentials to access the applications and networks of
all members within the federated group. It provides single-step access to
multiple systems across different organizations. Unlike SSO, FIM users don't
provide credentials directly to an application, but to the FIM system itself.
Organizations that implement SSO do not necessarily use FIM. However, FIM
relies heavily on SSO technologies to authenticate users across domains.
Access Policies
• Goals:
• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Enforce at appropriate granularity
• Use audit logging to track accesses
Data Loss Prevention
Data Loss Prevention (DLP) is a must-have security function for all organizations. It is used to identify and prevent the theft or misuse of sensitive data (e.g., social security numbers, financial information, account credentials…).
It inspects content for anomalies and to identify user activities that do not comply with company guidelines or government regulations. It is an essential first line of defence.
Its performance, however, depends on the level and quality of the traffic intelligence it receives and therefore on the deep packet inspection (DPI) technology it uses. Traffic intelligence from DPI includes:
• Expanded visibility into user identifiers and actions
• Insights into links and attached files in email
• Extraction of files and/or file metadata (e.g., file extension, size, type, name, content)
• Access to security metadata that enables the identification of tunneling on protocols like DNS or ICMP
• Classification of encrypted and evasive traffic
Access Control
• Access Control Directory
• Access Control List
• Access Control Matrix
Encryption
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher
• Decrypt, decode, or decipher
• Cryptosystem
• Plaintext
• Ciphertext
Problems Addressed by Encryption
• Suppose a sender wants to send a message to a recipient. An attacker may attempt to
• Block the message
• Intercept the message
• Modify the message
• Fabricate an authentic-looking alternate message
Encryption/Decryption Process
The basic process of encrypting and then decrypting data.
Public Key (Asymmetric) Cryptography
• Instead of two users sharing one secret key, each user
has two keys: one public and one private
• Messages encrypted using the user’s public key can only
be decrypted using the user’s private key, and vice
versa
Symmetric vs. Asymmetric
The critical difference between symmetric and asymmetric is that symmetric
uses a single key for both encryption and decryption, whereas asymmetric
uses complementary keys.
Stream vs Block Ciphers
In a stream cipher, each byte of the data stream is encrypted separately. A block cipher encrypts a group of plaintext symbols as a single block.
DES: The Data Encryption Standard
• Symmetric block cipher
• Developed in 1976 by IBM for the US National Institute of
Standards and Technology (NIST)
AES: Advanced Encryption Standard
• Symmetric block cipher
• Developed in 1999 by independent Dutch cryptographers
• Still in common use
DES vs. AES
Secret Key vs. Public Key Encryption
Symmetric and asymmetric algorithms have complementary strengths and
weaknesses and are therefore used both for different purposes and in
concert with each other.
Public Key to Exchange Secret Keys
This shows asymmetric and symmetric encryption being used together.
We need asymmetric to perform the initial exchange securely, but thereafter
we can benefit from the speed of a symmetric algorithm.
Key Exchange Man in the Middle
This exchange is the same as on the previous slide, but with an attacker in the middle.
Error Detecting Codes
• Demonstrates that a block of data has been modified
• Simple error detecting codes:
• Parity checks
• Cyclic redundancy checks
• Cryptographic error detecting codes:
• One-way hash functions
• Cryptographic checksums
• Digital signatures
Parity Check (figure)
One-Way Hash Function / Digital Signature
A one-way hash function in computer science is a function that is easy to compute on any given input, but extremely difficult to reverse engineer and obtain the original input from its hash value alone.
It is a fundamental tool used in cryptography, data security, and various other applications.
Certificates: Trustable Identities & Public Keys
• A certificate is a public key and an identity bound together and signed by a certificate authority.
• A certificate authority is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys.
Certificate Signing and Hierarchy
Diana’s certificate is made using Edward’s signature. Delwyn’s certificate includes Diana’s certificate so that it can effectively be tied back to Edward, creating a chain of trust.
HTTPS helps greatly in reducing the information leaked to third parties. However, it does not prevent tracking. Modern browser fingerprinting techniques work even behind HTTPS. Security researchers have developed a browser extension called HTTPS Everywhere that attempts to use HTTPS whenever possible and at the same time mitigate the use of fingerprinting techniques.
Cryptographic Tool Summary
Summary
• Users can authenticate using something they know, something they are, or something they have
• Systems may use a variety of mechanisms to implement access control
• Encryption helps prevent attackers from revealing, modifying, or fabricating messages
• Symmetric and asymmetric encryption have complementary strengths and weaknesses
• Certificates bind identities to digital signatures