CYF - Authentication (Lesson)

Data Authentication

As you have learned in a previous section, the CIA Triad defines the goals of cybersecurity. To achieve those goals, our primary tools are AAA (Authentication, Access Control, Accounting). You can put these steps into context by using an exclusive party as an example.

  • Authentication – methods of proving that you are who you say you are. For the exclusive party, this would be showing the screener your ID to prove you are John Smith.
  • Access Control – okay, just because you are John Smith doesn’t mean you get into the party. The screener now has to check to see if you are on the invited list (are you allowed access?). Be careful here: one of the synonyms, “Authorization,” is often confused with “Authentication.” In fact, they are completely different security steps. The most widely understood term for Access Control is permission.
  • Accounting – this isn’t the financial type of accounting. This is the keeping track kind of accounting. If we want to know which of the invitees has already arrived at the party, we can review the list to see if their name is checked off. In computing, we use log files to keep a record of what has happened on the system.

Authentication

We will start our in-depth learning with the Authentication tool. Most people don’t realize that Authentication is about trust. In fact, we are developing authentication “fatigue” because our digital systems are constantly challenging us for passwords and PINs. But as we mentioned before, I can’t let you touch the valuable data until I know exactly who you are!

Something you know is the form of authentication that we rely on most, usually as a password, which is defined here as a combination of characters and numbers.

Password Attacks

In attacking “what you know,” the first method will be to try to steal your password – that’s the easiest way to get it! The next method is through trial and error – the hacker keeps guessing until it works or until the hacker gives up. A brute force attack does not try to make any sense of your password; it just tries every combination of characters. If your 3-letter password uses only the 26 lowercase letters, then there are just 17,756 possible combinations and that will take a computer about 3 seconds to try all of those! Now you know why your passwords must be reasonably long and contain random characters! Make yourself too much trouble to hack!
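To see how length and alphabet size drive the brute force cost, here is an added example (not part of the lesson) that computes the size of the search space for a given alphabet and password length and estimates how long exhausting it would take. The guess rate used in the demo is an assumed value for an offline attack against a fast hash; real rates depend on the hash algorithm and hardware, and an online attack that has to wait for a server is far slower.

```python
# Added example (not from the lesson): size of a brute-force search space and the
# time needed to exhaust it at an assumed guess rate.

LOWER = 26      # a-z
UPPER = 26      # A-Z
DIGITS = 10     # 0-9
SYMBOLS = 33    # printable ASCII punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length (an attacker tries the short ones first)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.6f} seconds"


if __name__ == "__main__":
    RATE = 1e9  # assumed (constructed) guess rate: one billion guesses per second
    scenarios = [
        ("3 lowercase letters", LOWER, 3),
        ("8 lowercase letters", LOWER, 8),
        ("8 mixed case + digits", LOWER + UPPER + DIGITS, 8),
        ("12 full printable ASCII", LOWER + UPPER + DIGITS + SYMBOLS, 12),
    ]
    for label, alphabet, length in scenarios:
        space = keyspace(alphabet, length)
        print(f"{label:26s} {space:>26,d} candidates  ~{describe(seconds_to_exhaust(space, RATE))}")
```

Each extra character multiplies the work by the alphabet size, which is why "reasonably long" matters more than any single substitution.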

We know that length and complexity will strengthen a password. It should have a mix of lower-case and upper-case characters and numbers and symbols and should be at least 8 characters long. However, most people are still very predictable!

Here are some fun facts that make hackers happy:

  • 50% of all passwords have at least one VOWEL
  • Capital letters are usually at the BEGINNING and then are followed by a vowel
  • Numbers used are usually 1 OR 2 and they are usually placed at the end
  • Families often use personal names for passwords, like kids and pets.
  • People frequently use their hobbies and team names for passwords
  • These are the SYMBOLS used most often - ~ ! @ # $ % & ?

So malicious actors start with these basics!

Authentication Presentation

Databases

What are databases? A database is a structured collection of data that is stored and organized in such a way that it can be easily accessed, managed, and updated. Databases can be used to store a variety of data types, including text, numbers, images, and more. They are essential for a wide range of applications and systems, from websites and mobile apps to business operations and scientific research.

It is important to understand that a database is like an Excel spreadsheet or Google Sheet but on a much larger scale and with code to make data retrieval fast and efficient. Databases are used for data such as airplane reservations, credit card numbers, student grades, and… account user credentials!

Hackers often use databases for password guessing attacks, yikes!

Types of Password Attacks

A Dictionary Attack does not use a real dictionary like Webster’s, for example. It uses a large database of words in many different languages. Hackers create these dictionaries to include common names, movie names, teams, even l33t spelling.

  • Fun Fact: Pronounced “leet,” this is the use of alternate keyboard characters to replace letters (i.e., 1 is used for i or t, @ is used for a, etc.). If there is a word in your password, even misspelled, the dictionary attack can find it.
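The habits listed under “fun facts that make hackers happy” and the l33t substitutions described here can be turned into a checker that warns users before a predictable password is accepted. The following is an added example (not code from the lesson): the word list and the l33t mapping are constructed for the demo and stand in for the much larger dictionaries a real checker would load.

```python
# Added example (not from the lesson): a defender-side checker that flags the
# predictable password habits the lesson lists, after undoing l33t spelling.
import re

# Constructed mini word list; a real checker loads a full cracking dictionary.
WORDLIST = {"password", "welcome", "dragon", "summer", "fluffy", "yankees", "secret"}

# Common l33t replacements mapped back to the letter they stand for (assumed set).
LEET = {"1": "i", "!": "i", "3": "e", "4": "a", "@": "a", "5": "s", "$": "s",
        "0": "o", "7": "t", "+": "t"}


def unleet(password: str) -> str:
    """Undo l33t spelling so 'Dr4g0n' compares against 'dragon'."""
    return "".join(LEET.get(ch, ch) for ch in password.lower())


def dictionary_words_in(password: str, wordlist=WORDLIST, min_len: int = 4) -> list:
    """Dictionary words embedded in the (un-l33ted) password."""
    normalized = unleet(password)
    return sorted(w for w in wordlist if len(w) >= min_len and w in normalized)


def predictability_findings(password: str) -> list:
    """Describe which of the lesson's predictable patterns this password exhibits."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        findings.append("only capital letter is at the beginning")
    trailing = re.search(r"\d+$", password)
    if trailing and not any(c.isdigit() for c in password[: trailing.start()]):
        findings.append(f"digits only at the end ({trailing.group()})")
    words = dictionary_words_in(password)
    if words:
        findings.append("contains dictionary word(s) after l33t normalization: " + ", ".join(words))
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for candidate in ["Fluffy12", "Dr4g0n1", "xK9#mP2$vL4@qR7!"]:
        print(candidate, "->", predictability_findings(candidate) or ["no predictable patterns found"])
```

An empty findings list is not proof of a strong password, only that none of these particular habits were spotted; the check is meant to run at account creation, where the user can still pick something better.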

A Hybrid Attack uses a combination of a dictionary database and brute force methods.

Password Spraying takes a database of common passwords and tests each one against a large number of different accounts. For example, getting access to even a few bank employee accounts could be a big payoff for the hacker. The same is true if they manage to take over user bank accounts that have large dollar balances.

It is important to remember that password attackers need 3 things:

  1. a website where the user has an account
  2. the username
  3. the password

Most attacks start with the first and second, then use a method to test out passwords. But with Credential Stuffing, the attacker has the second and third from the database breach and must try out different websites to see where the credentials will work. Given the high percentage of people who reuse passwords, credential stuffing has become a successful account hacking technique. If you have been reusing passwords, now you know why it is not a smart thing to do.

 

In dictionary and brute force attacks, the attacker can be slowed down by account lockouts that are triggered after 2-3 incorrect password attempts. Password Spraying won’t trigger this type of lockout, so the hacker can be highly efficient in trying lots of accounts.
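The difference between hammering one account and spraying many accounts shows up clearly in a login log, and so does the reason a per-account lockout stops one but not the other. Here is an added example (not from the lesson) that classifies each source address by the shape of its failed logins and lists which accounts a three-failure lockout rule would have locked. The log format and the sample lines are constructed for the demo (addresses come from the RFC 5737 documentation ranges). Note that a failure log cannot tell spraying from credential stuffing, since the password that was tried is not recorded: both look like one attempt per account across many accounts.

```python
# Added example (not from the lesson): classifying failed-login patterns in a
# constructed authentication log and applying a per-account lockout rule.
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log:
#  - 198.51.100.7 tries a password against twelve different accounts (spraying)
#  - 203.0.113.9 hammers a single account (brute force / dictionary)
#  - 192.0.2.4 is an ordinary user who mistyped once
SAMPLE_LOG = (
    [f"2024-05-01T09:00:{i:02d} src=198.51.100.7 user=user{i:02d} result=FAIL" for i in range(12)]
    + [f"2024-05-01T09:01:{i:02d} src=203.0.113.9 user=bob result=FAIL" for i in range(5)]
    + ["2024-05-01T09:02:00 src=192.0.2.4 user=alice result=FAIL",
       "2024-05-01T09:02:05 src=192.0.2.4 user=alice result=OK"]
)


def parse(lines):
    """Yield (src, user, failed) tuples, skipping lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["user"], m["result"] == "FAIL"


def failures_by_source(lines):
    """{src: {user: failed_attempt_count}}"""
    table = defaultdict(lambda: defaultdict(int))
    for src, user, failed in parse(lines):
        if failed:
            table[src][user] += 1
    return table


def classify_sources(lines, lockout_threshold=3, spray_min_accounts=10):
    """Label each source by the shape of its failures."""
    labels = {}
    for src, per_user in failures_by_source(lines).items():
        worst_single_account = max(per_user.values())
        if worst_single_account >= lockout_threshold:
            labels[src] = "brute force / dictionary pattern"
        elif len(per_user) >= spray_min_accounts:
            labels[src] = "password spraying / credential stuffing pattern"
        else:
            labels[src] = "normal"
    return labels


def accounts_locked(lines, lockout_threshold=3):
    """Accounts a per-account lockout rule (N failures) would have locked."""
    per_user = defaultdict(int)
    for _, user, failed in parse(lines):
        if failed:
            per_user[user] += 1
    return {user for user, n in per_user.items() if n >= lockout_threshold}


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src:14s} {label}")
    print("locked accounts:", accounts_locked(SAMPLE_LOG) or "none")
```

The spraying source never pushes any single account past the threshold, so the lockout catches nothing there; that is why spraying detection has to count distinct accounts per source rather than failures per account.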

“Pwned” is pronounced like “Poned.” The term originated with gamers, and it means an opponent has been defeated, or “owned”. Many databases hold valuable and sometimes confidential information which makes them prime targets for hackers. When a database is no longer secure, whether it is accidentally made publicly accessible or stolen by hackers, that is called a “breach.” Often the attacker steals a company’s database in order to access a list of usernames and passwords. This could be a list of credentials for internal employees or for customers or for patients of a hospital, etc.

The scary part is that data breaches are rampant, and many people do not realize the sheer scale or frequency with which they occur!

Authentication and Password Attacks Presentation

Strong Password - Try It Activity

Password Hashing and Methods of Authentication

Now you know some sneaky ways hackers use to get valuable data. You also know some ways to protect yourself and your organization!

How are passwords stored on a system and what is password hashing? Let’s find out!

Identity Proofing vs Authentication

When you have forgotten your password and need to be given access to the reset option, you first must identify yourself as being the correct user. This is called Identity Proofing and it is NOT the same as Authentication. Why?

Let’s say someone pretends to be you and resets the password using stolen identity proofing questions. Unless they also have access to your phone or email, the hack will stop there because the reset link is sent there. Thus, the hacker can complete identity proofing but not authentication!

Password Terms

Let’s learn some terms so we can speak the same language.

Single Sign-On: This is used in organizations to make it easier for users to get access to all different kinds of data. It used to be that you logged onto your computer and, if you wanted a file from a shared drive, you would need to authenticate there. If you wanted to get on the Internet, you would need to authenticate with the Proxy filter. By configuring Single Sign-on, the organization only requires you to log onto your computer and then it keeps track of what data you can access without challenging you anymore for authentication repeats.

Passphrase: Complicated passwords like 14t$24tS32gR are hard for users to remember. Instead, using a string of words or sentences (aka passphrase) offers the same or better security AND it would be easier to remember. But it needs to be long enough which is a problem because users really don’t like to type and passphrases are quite difficult to use on a mobile device like a phone.

For example, passphrase “The 3 little pigs say do not forget the bacon!” is easy to remember, especially if you like pigs or bacon, but I would not want to type that several times a day, especially on my phone!

Where and how are passwords stored?

When you authenticate, you provide your username and password. The system checks to see if that is the same information that it has stored. Did you ever wonder where that is stored? If it is on a local computer, then it is stored in the SAM hive for Windows and the /etc/shadow file for Linux/Unix/Mac.

One important point is that your password should NEVER be stored in plain text! Most operating systems, networks, and websites will store the password in an unreadable form called a HASH.

Here’s how this works:

  1. You click to create a new account.
  2. You are asked for a username, so you type it in.
  3. You are prompted to create a password – you type your password.
  4. You then click submit.
  5. The system applies an algorithm to your password to turn it into a hash (more about this in just a minute).
  6. Your username and hashed password are put in system storage or they are transferred across the network to be put in network storage.

Hashing

Now back to hashing…

No one in a network has ever seen your password and they can’t access it from a database. If you forget your password and you try calling the network admin at your school to get it, the admin CAN’T. The only thing they can do is reset it so you can make a new one. This is because only password hashes are stored in the system, using a secure hash algorithm.

Let’s look at how hashing works in a little more detail.

  1. My password is “this” so I type it in.
  2. The computer translates each letter into ASCII values: t = 116, h = 104, i = 105, s =115.
  3. Then the hashing algorithm I am applying takes those decimal numbers and multiplies each by 2. This gives me the new numbers 232, 208, 210, and 230.
  4. Then my algorithm says we take those new numbers, add them up, and divide the sum by 10. My hashing algorithm is complete so the hash of my password = 88.

If you discover that my password hash is 88, that doesn’t help you in any way BECAUSE there are lots of ways to arrive at the number 88 – you could do 4 x 22, 8 x 11, and many other complicated ways. So just because you know my hash doesn’t mean you have a good chance of knowing my password (well, more on that in a minute).

Keep in mind, though, that the actual hashing algorithms are much more complex and do much more than just performing arithmetic operations using relatively small numbers. It is extremely difficult to determine the data that was hashed, even if you know the algorithm used to generate the hash.

The example above is just a very simplified explanation of how hashing works. The key is to demonstrate that a hash is not an encryption of the password that could then be decrypted. Hashes are conversions of text to a string of hex characters and there is no key that would make it reversible.

Hashing was a wonderful security innovation to improve upon storing plain text passwords. But unfortunately, hashing is not immune to attack. There are three main ways to attack hashed passwords.

Password Hashing Video

Rainbow Tables

As passwords became longer and more complex, the dictionary and brute force attacks became too time consuming. Someone came up with the bright idea of “pre-staging” an attack by taking an algorithm and hashing every word in the dictionaries and every possible combination of characters. That all compiles into a HUGE file called a Rainbow table. The attacker takes your hashed password and then uses specialized software to compare it to every hash in the Rainbow table. This is the sort of function that computers do VERY well and VERY quickly so the Rainbow table attack quickly became a favorite password attack.

The only downside to performing a Rainbow table attack is that the file is so big that it is difficult to download. Fortunately, cybersecurity professionals came up with an effective way to stop a Rainbow table attack. It’s called “adding a salt.”

The intent is that even if two passwords are the same, because we add a unique set of characters every time before we apply the algorithm, the result will be two different hashes. Therefore, rainbow tables are not much of a threat anymore because the best practice is that all passwords are hashed with randomized salts. Unless you know the hashing algorithm used AND you know the exact salt used for that password, you are out of luck.
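To tie together the sign-up steps, the toy hash from the “this” example, and salting, here is an added example (not from the lesson). It implements the lesson’s toy algorithm exactly as described, then shows how a real system stores a password: a random salt per account and a slow, salted hash (PBKDF2-HMAC-SHA256 from Python’s standard library is used here as the assumed algorithm), with the verify step that runs at login. The in-memory USERS table stands in for the SAM hive, /etc/shadow, or a database; the iteration count is an assumed work factor.

```python
# Added example (not from the lesson): the lesson's toy hash beside salted,
# slow password hashing with a verify step.
import hashlib
import hmac
import os


def toy_hash(password: str) -> int:
    """The lesson's illustration: ASCII codes, each doubled, summed, divided by 10."""
    return sum(ord(ch) * 2 for ch in password) // 10


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no salt: equal passwords give equal hashes, which is
    exactly what a precomputed (rainbow) table relies on."""
    return hashlib.sha256(password.encode()).hexdigest()


ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Step 5 of the sign-up flow: fresh 16-byte random salt, then PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def check_record(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


USERS = {}  # username -> record; stands in for the SAM hive, /etc/shadow, or a DB table


def create_account(username: str, password: str) -> None:
    """Step 6: only the salt and the hash are written to storage, never the password."""
    USERS[username] = make_record(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    return record is not None and check_record(password, record)


if __name__ == "__main__":
    # Two different passwords, one toy hash value: a collision.
    print("toy_hash('this') =", toy_hash("this"), " toy_hash('hits') =", toy_hash("hits"))
    # Same password, two salts, two different stored hashes.
    print(make_record("this")["hash"] != make_record("this")["hash"])
    create_account("jsmith", "The 3 little pigs say do not forget the bacon!")
    print(login("jsmith", "The 3 little pigs say do not forget the bacon!"), login("jsmith", "bacon"))
```

Because the salt is stored next to the hash, the system can always re-run the computation at login, but an attacker with a precomputed table of unsalted hashes gains nothing from it.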

The Birthday Attack

It is based on a very cool mathematical rule called the Birthday Paradox, which says that in a group of at least 23 people, there is a better than 50% chance that two people will have the same day/month. When the group size reaches 70 people, there is a 99% chance of two people sharing a birthday.

Take a minute to think about your friends and relatives. There is a good chance that someone in that group shares your birthday!

The Birthday Attack is similar – it says that for any hashing algorithm, there is a mathematical likelihood that two different passwords will come out with the same hash. When that happens, it is called a “hash collision” and it can be used to determine what hashing algorithm was used. Once hackers know it, they can reverse the hash to plaintext. Uh-oh, Happy Birthday! 😊

Yes, hashing isn’t intended to be reversed – it’s supposed to be a one-way conversion. But that doesn’t mean it’s impossible to reverse if someone is really trying!
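The Birthday Paradox numbers above can be checked directly, and the same formula tells you how many random inputs a hash with a given output size can absorb before a collision becomes likely. Here is an added example (not from the lesson) that computes the shared-birthday probability for a group of any size, finds the smallest group that crosses 50%, and generalizes the estimate to a hash output of a given bit length.

```python
# Added example (not from the lesson): Birthday Paradox probabilities and the
# same estimate applied to a hash output space.
from math import log, sqrt


def shared_probability(n: int, space: int = 365) -> float:
    """Probability that at least two of n values drawn uniformly from `space`
    possibilities coincide (exact product formula)."""
    if n > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def smallest_group(target: float = 0.5, space: int = 365) -> int:
    """Smallest n for which shared_probability(n, space) reaches `target`."""
    n = 1
    while shared_probability(n, space) < target:
        n += 1
    return n


def samples_for_collision(bits: int, target: float = 0.5) -> float:
    """Approximate number of random inputs before a hash with `bits` output bits
    collides with probability `target`: sqrt(2 * N * ln(1 / (1 - target)))."""
    return sqrt(2 * 2 ** bits * log(1 / (1 - target)))


if __name__ == "__main__":
    for n in (10, 23, 30, 50, 70):
        print(f"{n:3d} people: {shared_probability(n):.4f}")
    print("50% crossed at group size", smallest_group())
    for bits in (16, 32, 64, 128):
        print(f"{bits:3d}-bit hash: ~{samples_for_collision(bits):.3g} inputs for a 50% collision")
```

The square-root behaviour is the point: doubling the output space only raises the collision threshold by a factor of about 1.4, which is why hash outputs are sized in hundreds of bits.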

Pass the Hash Attack

Since the system we are trying to log into never actually receives the plain text password, some smart attackers realized that they don’t need to reverse the hash to plain text. They don’t actually care what your password is, they just want to log in as you. That’s how the Pass the Hash attack was created. They created some specialized software so that the system would skip the few steps where the user puts in his plain text password and just go straight to the part where the username/hash are accepted.

Methods of Authentication

We spent a LOT of time in this lesson on passwords, the “what you know” authentication method, but there are other methods of authentication!

In the realm of authentication mechanisms, there are generally three recognized factors:

  1. Something you know: This is a piece of information only the user should know, like a password or PIN.
  2. Something you have: This refers to a physical object in the possession of the user, such as a smart card, security token, or a phone (in the case of mobile-based authentication).
  3. Something you are: This refers to biometrics, such as fingerprints, retina scans, or voice recognition.

Smart cards are one example of “what you have” authentication. They are usually integrated into an employee ID card, often with a picture on the card. BUT it makes more sense to leave no visible information on the card so that if it is lost, the finder won’t realize that it can be used to get into your building or files.

One cool advantage of a proximity reader is that they can be built into a user’s computer or desk. That way, if they step away from their computer it will automatically secure it by activating the screen lock.

Another type of “what you have” authentication is a digital certificate. Certificates are very similar to using a driver’s license for personal identification. The Department of Motor Vehicles (DMV) is the third-party authority that looks at your documents and then provides a certificate (license) in which they vouch for your identity.

Here is an example… When you go to the Amazon website (I am sure you are just lookin’, not buyin’), you know it is really them because you see the lock indicating a valid certificate. Amazon went to a lot of trouble and expense to get that certificate so that you can safely do business with them. We will examine the online certificate system more closely in the module on encryption.

Biometrics, the “what you are” authentication example, is the MOST expensive method, but for some organizations it is worth it to protect their valuable data. Biometrics refers to the measurement and statistical analysis of people's unique physical and behavioral characteristics. These measurements are used for identification and access control, such as fingerprint recognition, facial recognition, iris and retina scan, voice recognition, hand geometry, palm vein and palm print recognition, and behavioral biometrics.

Multi-Factor Authentication (MFA) with a one-time code is incredibly secure because the code is used only ONCE! If it is stolen or intercepted, it doesn’t matter because we are never going to use it again. The OTPs (One Time Passwords) are usually generated by a computer and delivered to a fob or phone, “something you have.”

Keep in mind that a two-factor authentication is a sub-set of Multi-Factor Authentication and not really the same thing. MFA aims to use at least two factors and security professionals are pushing hard to expand beyond the model of sending a PIN to a device as the second factor. It can be annoying to provide one or more additional factors to log in but it is a smart way to protect your data!

Methods of Authentication Video

Key Terms Review Activity


The point of this lesson was to discuss how passwords are created and stored, various authentication methods, and how to protect your data.

Key Points

Here are some key points of this lesson:

  • If you have a strong password, it won’t be in the dictionary database and it will take too long to brute force!
  • We can’t possibly make our data completely secure but we can make it secure enough so that we are too much trouble to attack, so they will find someone easier.
  • When a robber comes to a neighborhood looking for a random house to rob, they want the easiest one where they can get in and out fast. They are looking for a house with no alarm system and no dogs and with an unlocked door or window that can’t be seen from the street. If your house has all those security measures, they aren’t going to stay at your house to pick a lock – that’s too much trouble and too much chance of getting caught! The robber will move on down the street to find an easier target.
  • THAT is what we are trying to achieve with most cybersecurity measures – to make ourselves too much trouble as a target.
  • Yes, there are situations where you have some asset that the attacker wants no matter what, but in most situations cyber-attacks are randomized searches for vulnerable targets.
  • Lockouts fit into this same category of making your network or account too much trouble to attack. If an attacker has to wait 30 minutes after three failed logins, then their brute force attack is going to take forever and they will most likely move on!
  • Two-factor authentication is when you require 2 of the “somethings” to complete authentication. The most popular right now is to use a password (something you know) + a PIN sent to your phone (something you have). In high security organizations, a three-factor authentication may be used – a password, smart swipe card, and a fingerprint scan.
  • The human factor is the biggest security weakness in any organization. The best locks in the world won’t keep you safe if a user props the door open.

Users are more likely to cooperate with security measures like strong passwords if they clearly understand the importance, so investing in user education is a must!

 

[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. Image(s) used under license from Shutterstock.com and may not be repurposed.