3. Threats to authentication
Hackers are always looking for ways into a
network. If they can acquire your method to
gain access they save themselves hours of
research
Keep in mind that different accounts have
different levels of access, as well if they can
gain any foot hold into a network it gives
them an advantage when looking for more
vulnerabilities.
Also if they use accounts already within the
system it actually helps to mask their actions
because the account they are using will
already have been granted authentication
rights to one degree or another
4. Why is this important?
Authentication-based attacks factored
into about four of every five breaches
involving hacking in 2012
After Celebrity Photo Hack, How Safe Is
the Cloud?
◦ The real question is less about how good
iCloud security is and more about how strong
(and how unique) a user's password is.
• If you can masquerade as another
person, there are no limits on how much
you can compromise the privacy and
integrity of anyone's online data
5. Weakness for authentication
Most developers build their own
authentication and session management
schemes
Authentication and session management
schemes are complex and these custom
built ones tend to have flaws
Since there is no standard for this and
each point of development is different at
times these flaws are difficult to find
when they are not being looked for, such
as when a hacker finally does find them
6. Some Common Authentication
Methods
Use of user ID’s
◦ Standard first initial.Last name, or something more
complex
Passwords
◦ complexity, length, age, timeout, re-tries,
• Multifactor authentication
◦ something you know, have, are
Encryption
◦ PGP, Public-Key Cryptography, SSL, S-HTTP and
S/MIME
One Time Passwords
◦ Hardware/software tokens
Digital Signatures
7. Common Authentication Method
examples:
Use of user ID’s
◦ Common methods revolve around first initial
and last name. ex: r.smith
◦ However this could give an attacker an edge
on finding new accounts. Brute force attack
with every letter of alphabet and #.smith
◦ Possible new method to add protection.
Use of initials and numbers ex. rs1234@spsu.edu
Or in some cases fully different alias’s ex.
ws1289@spsu.edu can actually be
rs1234@spsu.edu
Think in terms of being as obscure so no correlation
can be made to actual data aka. Data Obfuscation
which is used in electronic health records
8. Common Authentication Method
examples:
Passwords
We want a password to have certain complexity to
thwart dictionary and brute force attacks
A good method for solid passwords is the Schneier
scheme
◦ WIw7,mstmsritt... = When I was seven, my sister threw my
stuffed rabbit in the toilet.
◦ Wow...doestcst = Wow, does that couch smell terrible.
◦ Ltime@go-inag~faaa! = Long time ago in a galaxy not far
away at all.
◦ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment,
these passwords were still secure.
Here we take a phrase and break it down into one word
or smaller supposed nonsensical phrase much more
difficult to crack
11. What is it?
Whenever we have data entered in a
form we want to make sure that it is valid
and not corrupted in any way. Here we
are looking at checking the password
someone enters
* Note, while I am using this method here
for my report, you should not do this, a
more secure method would be to email a
token to a person and have them enter a
password there. Having someone enter a
password and gaining access directly
12. Application
Password validation ranges from
checking regular expressions, to
length and complexity. This is used as
a pre curser to defend against brute
force attacks
13. Common Authentication Method
examples:
Multifactor authentication
Something you know – password
Have – security token
Are – a biometric feature, finger print, eye scan
and so on
It is a combination of two or more things, thus
giving a layered defense
Typical scenarios
use of a card, or pins, VPN and use of digital
certificates, finger prints, hard or soft tokens
14. Common Authentication Method
examples:
Encryption
◦ PGP – uses hashes, and compression,
along with symmetric key(one key to
encrypt/decrypt) to protect data
◦ Public-Key Cryptography – use of
asymmetric encryption( one key encrypt,
other decrypt)
◦ SSL, S-HTTP – use of certificates
◦ S/MIME – securing of email
15. Common Authentication Method
examples:
One Time Passwords
◦ Use of challenges and responses for
users
◦ Only good for that session and then times
out
◦ Can be a hard or soft token, emailed or
texted password
Users can be tricked into giving these up with
social engineering and hackers can use that
info to devise a pattern
Possibly subjected to man in middle attacks
due to transmission methods
16. Common Authentication Method
examples:
Digital Signatures
• helps to prove that data sent is from a
reliable source
• gives reassurance
• confirms message wasn’t tampered with
17. Common Authentication Method
examples:
In the next slide we see an example of
hashing a password
And we will see extra security applied
to it with a salt
These are examples of defense in
depth, no one method or layer is
100% reliable
19. What is it?
A hash is a method in which we take a
password in this case and apply a
mathematical algorithm, this algorithm
takes the fixed length password and
turns it into a fixed length binary value.
20. Application
Hash's tend to be used as digital
signatures for software to ensure it
hasn’t been tampered with or
corrupted when downloaded. However
in this case we can use it to protect
our passwords for our users that
attempt to log into our site.
22. What is it?
It is random data that is applied to a
one way function then is added to the
hash of a password
23. Application
Salts when combined with password
hash's help to add a new level of
difficulty in defending against
dictionary attacks
24. Actual Authentication Threats
Confidence Tricks
◦ Various phishing methods
• Remote Technical Tricks
◦ Spoof, proxy exploits, sniffing, old exploits to technology
• Local Technical Tricks
◦ Software vulnerabilities, Trojans, viruses, hardware attacks
• Victim Mistakes
◦ Weak passwords, written down sensitive data, user errors
• Implementation oversights
◦ Replays, trusting bad data, sensitive data remembered in
forms
• Denial of service attacks
◦ Lock outs for authorized users
• Enrollment errors
◦ new set of credentials created
25. Authentication attacks
Attack types Attack description
Brute Force Allows an attacker to guess a
person's user name, password,
credit card number, or
cryptographic key by using an
automated process of trial and
error.
Insufficient Authentication Allows an attacker to access a
website that contains sensitive
content or functions without having
to properly authenticate with the
website.
Weak Password Recovery
Validation
Allows an attacker to access a
website that provides them with
the ability to illegally obtain,
change, or recover another user's
password.
26. Repercussions from
Authentication attacks
Accounts can be locked out, or the
entire user database can be locked
out
Outages can occur if there are
accounts that do batch work
There can a loss of confidence in the
business if such an attack is
publicized
27. Prevention Methods
First and foremost proper code
development
◦ Think like a hacker, look for what can go
wrong instead of waiting for it
Have informed users
◦ Over inform on proper security procedures,
automate the mundane
• User access lattices
◦ Only access to what they need access to
• Security in layers
◦ Never assume one layer will do it all
28. Session management Defined
Session Management – the practice of
overseeing a transfer of data between
two or more entities
Session management focuses on an
already authenticated user
This authenticated user has their
information bound to an actual session
token/ID
29. Threats to Session
management
We've already authenticated properly to
a connection and we begin to do what it
is we do, work, shopping, surfing the
web, our banking…etc
There will be a session identifier for what
you are doing, similar to a tracking
cookie if you will, this id ties you to what
you are actually doing
In essence your leaving a sort of digital
bread crumb trail
30. Why is this important?
Crack in Internet’s foundation of
trust allows HTTPS session
hijacking
◦ “Once the session cookie is decrypted, hackers
can exploit it to gain unauthorized access to the
user account the session cookie is designed to
authenticate. The process from start to finish
takes "a few minutes,“
Yahoo session hijacking likely
culprit of Android spam
31. Weakness for session
management
Most developers build their own
authentication and session management
schemes
Authentication and session management
schemes are complex and these custom
built ones tend to have flaws
Since there is no standard for this and
each point of development is different at
times these flaws are difficult to find
when they are not being looked for, such
as when a hacker finally does find them
32. Some Common Session
Management Methods
Validate Session ID values coming from clients
◦ Have checks in place to confirm who's who
Hard-to-Guess Cookie Values
◦ Match cookies values to session variables to complicate things
User Authentication
◦ Good authentication always helps
SSL Encryption
◦ Encryption always complicates things for hackers
Use of trusted third parties
◦ Use a third party session management implementation to offset risk
Use sufficient session Id length
◦ Same as passwords longer equals more secure
Ensuring no patterns become evident
◦ You don’t want your patterns to be found in your session id’s thy
could be susceptible to brute force attacks
• Associate session id with ip address
◦ Extra layers of security
33. Common Session Management
Method in depth
Hard-to-Guess Cookie Values
Cookies are related to HTTP headers and allow
control over token expiration, time and other
granular features, this is why it’s the most
common method used
The session uses the cookie to maintain the
connection, much like when you authenticate,
the cookie keeps your credentials active over
the session
Making sure cookie values are not easily
guessable prevents a hacker from using the
values and trying to guess a new one and
establish a connection
34. Common Session Management
Method in depth
SSL Encryption
Since cookies are the most common method to
establish and maintain the connection we
should also look at a layered protection
Making sure the cookies are sent over a secure
connection
This will enable one to prevent a successful
man in the middle attack and gain useable data
from a cookie
35. Actual Session Management
threats
Session hijacking attacks, targeted or generic
◦ Targeted goal to impersonate a specific user
◦ Generic they look for any user
Session fixation attack
◦ Attacker hijacks a valid session
Brute force
◦ Finding valid id’s through brute force searches
Cross-site script attack
◦ Use of web applications to gain info
Man-in-the-middle attack/Man-in-the-browser
attack
◦ Actively/passively gaining info from unsuspecting
people
• Prediction attacks
◦ Here a good ID is known and a next valid one is
36. Repercussions from Session
Management attacks
Users can be impersonated and
damage can be masked
Fraud and or theft can occur
dependent upon system access
Worst case elevation of privileges
granted
Best case comprised account is
locked out
37. Prevention Methods
User of cookies
◦ Use of secure flag in header, makes them un-
sniffable, use of restrictions
• Don’t allow users to determine session ids
◦ Make sure they cant reuse old session info
• Each user should get a new identifier to your
site
• Time-out session identifiers
◦ Creates smaller window for attacker
• Allow clean log outs
◦ User logs out session invalidates on client and
server
• Use of secure channels for session cookies
◦ Encryption always hampers things for attackers
38. Summary
Never assume you are hack proof
however make sure you mitigate your
risk, by prioritizing your levels correctly
Take into consideration of what needs
to be protected the most and what the
damage will be if there was a issue
with it
Always make sure to use security in
layers and never put all your eggs in
one basket
39. This article covers some of the principals
laid out earlier in my slide deck
Securing PHP User Authentication,
Login, and Sessions
http://blackbe.lt/php-secure-sessions/
We see use of hashing, linking to ip
addresses, a password validation, length,
complexity, used to make the password and
session id more difficult to discover
