# Summarize Authentication Design Concepts
[[Principles of Security]]
## Identity and Access Management (IAM)
- **A**uthentication (login) -> **A**uthorization (what the subject can access) -> **A**ccounting (auditing and logging, e.g. how many attempts it took to log in, what resources were used)
- **Subjects**
  - Users or software that request access
  - Subjects take actions on objects
- **Objects**
  - Resources such as networks, servers, and data
- **Identification**
  - Associating a valid subject with a computer/network account
- **Authentication**
  - Challenge to the subject to supply a credential to operate the account
- **Authorization**
  - Rights, permissions, or privileges assigned to the account
- **Accounting**
  - Auditing use of the account
## Authentication Factors
- Something you know
  - Knowledge factor
    - Password
    - PIN (personal identification number)
    - Swipe pattern
    - Challenge questions/password reset
- Something you have
  - Ownership factor
    - Hardware tokens and fobs
    - One-time code sent to phone
- Something you are/do
  - Biometric factor
## Authentication Design
- Meet requirements for confidentiality, integrity, and availability
  - Confidentiality
    - Keep credentials secure
  - Integrity
    - Threat actors cannot bypass or subvert the authentication mechanism
  - Availability
    - The mechanism does not cause undue delay or support issues
## Multifactor Authentication
- Strong authentication requires 2 (or 3) different types of factor
  - Knowledge factor only is weak in terms of confidentiality
- MFA
  - 2FA
    - Something you **know** and something you **have**
    - Something you **know** and something you **are**
    - **NOT** something you know and something else you know -> that is still only 1 factor.
## Authentication Attributes
- Somewhere you are
  - Geolocation via location services
  - IP location (logical vs geolocation)
  - Switch port, virtual LAN (VLAN), or wireless network name
- Something you can do
  - Performing an action in a way that can be captured as a unique pattern
    - Typing in a characteristic way
- Something you exhibit
  - A behavior or personality trait that can be captured as a unique pattern
- Someone you know
  - Web of trust
![[Pasted image 20230629103013.png]]
# Implement Knowledge-based Authentication
## Local, Network, and Remote Authentication
- Authentication providers
- Passwords vs password hashes
  - Passwords are typically stored as hashes now. When you log in, the computer hashes the entered password and compares it to the stored record (e.g. /etc/shadow)
- Windows authentication
  - Local sign-in
  - Network sign-in (Kerberos and NTLM) -> validates credentials against a domain controller
  - Remote sign-in
- Linux authentication
  - /etc/passwd and /etc/shadow
  - Pluggable authentication modules (PAMs)
- Single sign-on (SSO)
## Kerberos Authentication
- Single sign-on authentication and authorization provider
- Clients
- Application servers
- Key Distribution Center (KDC)
  - Authentication Service -> Ticket Granting Ticket (TGT)
  - Ticket Granting Service -> Service Ticket
![[Pasted image 20230629104646.png]]
![[Pasted image 20230629104656.png]]
## PAP, CHAP, and MS-CHAP Authentication
- Password authentication designed to work with remote access protocols (Point-to-Point Protocol)
  - Password Authentication Protocol (PAP)
    - Completely insecure
  - Challenge Handshake Authentication Protocol (CHAP)
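The CHAP exchange as an added example (not from the course material): the access server issues a random challenge, the peer answers with MD5(Identifier || secret || challenge) exactly as RFC 1994 specifies, and the server recomputes it from its own copy of the secret. The peer name, the secret and the packet fields are constructed sample values. Unlike PAP, the secret never crosses the link, though the server still has to hold it in recoverable form and MD5 is the only protection.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-byte Identifier, the shared
    secret and the Challenge Value, concatenated in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Access server side. Holds the shared secrets (constructed sample data);
    only the challenge and the hash are ever transmitted."""
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}           # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF       # Identifier is one byte
        value = os.urandom(16)                         # fresh and unpredictable
        self.pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(ident, None)          # each challenge is single-use
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)

def chap_peer(ident: int, value: bytes, name: str, secret: bytes):
    """Peer side: answer the challenge without transmitting the secret."""
    return name, chap_response(ident, secret, value)

def run_exchange():
    """Challenge -> Response -> Success, then a replay and a wrong secret."""
    secret = b"constructed-shared-secret"
    server = ChapAuthenticator({"alice": secret})
    ident, value = server.challenge()                        # 1. Challenge
    name, resp = chap_peer(ident, value, "alice", secret)    # 2. Response
    first = server.verify(ident, name, resp)                 # 3. Success
    replayed = server.verify(ident, name, resp)              # captured packet resent
    ident2, value2 = server.challenge()
    _, bad = chap_peer(ident2, value2, "alice", b"wrong-secret")
    wrong = server.verify(ident2, "alice", bad)
    return first, replayed, wrong
```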
## Password Attacks
- Plaintext/unencrypted
  - Sniffing passwords from insecure protocols
  - Locating passwords in documents/code repos
- Online password attack
  - Adversary interacts with the authentication service
  - Mitigations: restrict logon rates, shun suspect hosts
  - Horizontal brute force/password spraying
- Offline attacks
  - Password database
  - Hash transmitted directly
  - Hash used as key to sign an HMAC
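The two online-attack mitigations listed above (logon-rate limits and shunning suspect hosts) as an added, self-contained example rather than any product's code. The policy numbers and the event list are constructed: one source guessing once against many accounts (spraying) and one source hammering a single account.

```python
from collections import defaultdict, deque

# Hypothetical policy values for this example.
WINDOW = 300               # seconds of history considered
MAX_FAILS_PER_USER = 5     # logon-rate limit per account
MAX_USERS_PER_SOURCE = 10  # distinct accounts failing from one source -> spraying

# Constructed sample events: (unix time, username, source ip, success)
EVENTS = [(100 + i, f"user{i:02d}", "203.0.113.7", False) for i in range(12)]  # spray
EVENTS += [(200 + i, "bob", "198.51.100.4", False) for i in range(6)]          # single account
EVENTS += [(206, "bob", "198.51.100.4", True), (300, "alice", "192.0.2.10", True)]

class LogonGuard:
    def __init__(self):
        self.user_fails = defaultdict(deque)   # user -> timestamps of failures
        self.source_users = defaultdict(dict)  # ip -> {user: last failure time}
        self.shunned = set()

    def allow(self, ts, user, src) -> bool:
        """Decide before the credential is even checked."""
        if src in self.shunned:
            return False
        fails = self.user_fails[user]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()
        return len(fails) < MAX_FAILS_PER_USER

    def record(self, ts, user, src, success) -> None:
        if success:
            return
        self.user_fails[user].append(ts)
        seen = self.source_users[src]
        seen[user] = ts
        for u, t in list(seen.items()):
            if ts - t > WINDOW:
                del seen[u]
        if len(seen) >= MAX_USERS_PER_SOURCE:
            self.shunned.add(src)  # one source trying many accounts

def replay(events=EVENTS):
    """Returns (attempts blocked, successful logins, shunned sources)."""
    guard, blocked, accepted = LogonGuard(), 0, 0
    for ts, user, src, ok in events:
        if not guard.allow(ts, user, src):
            blocked += 1
            continue
        guard.record(ts, user, src, ok)
        accepted += ok
    return blocked, accepted, sorted(guard.shunned)
```

Note that bob's correct password at t=206 is also refused: the account is rate-limited, which is the availability cost of the control.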
## Brute Force Dictionary Attacks
- Exploit weak user password selection or weak cryptographic mechanisms
- Brute force attack
  - Generate every possible combination to match a hash
  - A large output space and a sufficiently long input password increase the time required
- Dictionary attack and rainbow tables
  - Use a dictionary to test common words or phrases first
  - Rainbow tables assist dictionary attacks against Windows password databases by precomputing hash chains
  - Using a salt means hash chains cannot be precomputed
- Hybrid attack
  - Dictionary and brute force
  - Fuzzing of dictionary terms (james1, james2, tom1, tom2)
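An added example (not from the course) serving both the hash-comparison login described under Local, Network, and Remote Authentication and the salt point above: a shadow-style record with a per-user salt and an iterated hash, verified by re-hashing the entered password, beside a bare-SHA-256 record that a table computed ahead of time matches instantly. The record format, iteration count and word list are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # hypothetical work factor; real deployments use more
WORDLIST = ["password", "letmein", "james1", "tom2", "Summer2023"]  # constructed

def unsalted_record(password: str) -> str:
    """Weak scheme: bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store '$pbkdf2-sha256$<salt>$<digest>', the same shape as a Linux
    /etc/shadow field: the salt is public, the digest is slow to compute."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Login check: re-hash the supplied password with the stored salt and
    compare in constant time; nothing is ever decrypted."""
    _, _, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def precomputed_table() -> dict:
    """What a rainbow-table style attack relies on: hashes of common words
    computed once, before any particular password database is seen."""
    return {unsalted_record(w): w for w in WORDLIST}

def demo() -> dict:
    table = precomputed_table()
    weak = unsalted_record("letmein")
    strong_a = salted_record("letmein")
    strong_b = salted_record("letmein")   # same password, second user
    return {
        "unsalted_cracked": table.get(weak),            # 'letmein'
        "salted_in_table": table.get(strong_a),         # None
        "same_password_same_record": strong_a == strong_b,  # False, per-user salt
        "login_ok": verify("letmein", strong_a),        # True
        "login_wrong": verify("letmein1", strong_a),    # False
    }
```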
## Password Crackers
- Cain and L0phtCrack
- Hashcat
  - Hash type
  - Attack mode
    - Dictionary/word lists
    - Brute force
    - Mask
## Authentication Management
- Hardware and software solutions for storing and submitting multiple user passwords
  - Password key
    - USB token
    - Possible Bluetooth/NFC connectivity
  - Password vaults/managers
    - Software-based
  - Federal Information Processing Standard (FIPS 140-2)
# Implement Authentication Technologies
## Smart Card Authentication
- Kerberos-based smart card logon
  - Card stores the user's private key and certificate
  - Use of the card is protected by a PIN
## Key Management Devices
- **Hardware Security Module (HSM)**
  - Provisions keys to devices across the network
  - Key archive and escrow
  - Reduced attack surface and tamper-evident
- **Trusted Platform Module (TPM)**
  - Virtual smart cards
  - Holds the keys to decrypt encrypted drives; stored in the computer itself
## Extensible Authentication Protocol/IEEE 802.1X
- Authenticate the user at network access devices
  - Wireless networks
  - Port authentication for switched networks
  - Remote access over a VPN
- **Extensible Authentication Protocol (EAP)**
  - Supports multiple authentication implementations
    - Certificates and smart cards
- IEEE 802.1X Port-based Network Access Control (NAC)
  - Supplicant
  - Network Access Server (NAS)
  - AAA Server
![[Pasted image 20230630074618.png]]
- Commonly used with wireless networks & VPN
- Another AAA authentication mechanism (RADIUS)
  - Enterprise mode router points to a RADIUS server
## Terminal Access Controller Access-Control System
- **TACACS+**
  - AAA functionality
  - Centralizes administrative logins for network appliances (network devices)
  - Reliable TCP transport over port 49
  - Data encryption
  - Discrete authentication, authorization, and accounting functions
## Token Keys and Static Codes
- One-time password
  - Generated by some algorithm and used only once
  - RSA SecurID
- Static code
  - "Dumb" smart cards
## Open Authentication (OATH)
![[Pasted image 20230630075236.png]]
## 2-Step Verification
- Transmits a code via an out-of-band channel
  - SMS
  - Phone call
  - Push notification
  - Email account
- Possibility of interception
# Summarize Biometric Authentication Concepts
![[Pasted image 20230630075428.png]]
- CER (crossover error rate) -> where FRR (false rejection rate) and FAR (false acceptance rate) meet; the operating point you want to target
- FER (failure to enroll rate) -> the system is unable to enroll you
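An added worked example (not part of the course material) of how FAR, FRR and the CER come out of a matching threshold: the two lists of match scores are constructed, one for genuine users and one for impostors, and the sweep finds the threshold where the two error rates cross, as well as the stricter threshold a security-first tuning would pick.

```python
# Constructed sample match scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.79, 0.84, 0.62, 0.95, 0.73, 0.81, 0.58, 0.87]   # real users
IMPOSTOR = [0.12, 0.33, 0.45, 0.27, 0.61, 0.38, 0.19, 0.52, 0.29, 0.41]  # other people

def far(threshold: float, impostor=IMPOSTOR) -> float:
    """False acceptance rate: impostor attempts the system would let in."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold: float, genuine=GENUINE) -> float:
    """False rejection rate: legitimate attempts the system would turn away."""
    return sum(s < threshold for s in genuine) / len(genuine)

def sweep(steps: int = 100):
    """(threshold, FAR, FRR) for every candidate threshold on a 0..1 grid."""
    return [(i / steps, far(i / steps), frr(i / steps)) for i in range(steps + 1)]

def crossover(steps: int = 100):
    """CER: the threshold where FAR and FRR are closest to equal.
    Raising the threshold lowers FAR and raises FRR; this is the balance point."""
    return min(sweep(steps), key=lambda row: abs(row[1] - row[2]))

def threshold_for_max_far(max_far: float, steps: int = 100):
    """Security-first tuning: the loosest threshold that keeps FAR within
    budget, returned with the FRR (user friction) that choice costs."""
    for t, a, r in sweep(steps):
        if a <= max_far:
            return t, r
    return 1.0, frr(1.0)
```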
## Fingerprint Recognition
- Fingerprint sensors
  - Small capacitive cells
  - Easy to implement
  - Relatively simple enrollment
  - Quite vulnerable to spoofing
- Vein matching (vascular biometrics)
  - More complex scanner
## Facial Recognition
- Facial recognition
  - Enrollment can be relatively slow
  - Privacy issues
  - Prone to relatively high false acceptance/rejection rates and to spoofing
- Retinal scan
  - Pattern of blood vessels
  - Scanning is relatively intrusive and complex
- Iris scan
  - Pattern of the eye surface
  - Easier to scan
  - More vulnerable to spoofing
## Behavioral Technologies
- Something you do
  - Voice recognition
  - Gait analysis
  - Signature recognition
  - Typing
- Other uses than authentication
  - Identification/alerting
  - Continuous authentication/account locking