
Authentication Tools

Authentication Concepts

Authentication is based on one or more of these:
• Things you know (password, PIN, etc)
• Things you have (physical tokens: badge, RSA token, etc)
• Things you are (biometrics: fingerprint, hand shape, iris pattern, etc)
• The Way You Do The Things You Do (behavioral)

Those are listed in the order of how often they are used today on computer systems: passwords are the most common, and so on. DARPA's Active Authentication research project just started around 2015 and there don't seem to be any usefully practical implementations yet. However, human society has used different versions of these over the millennia.

Something you are is the oldest, predating language. Is that a family member that should be allowed into the shelter? That evolved over millennia into official guards only allowing recognized persons to enter controlled spaces. Only recognized advisors and family members were allowed into the royal chamber.

Something you know would have been the next one. The guard doesn't recognize the visitor, but the visitor knows the special pass phrase needed to gain admittance.

Something you have would have started with the development of stamps which could create recognizable patterns. Artisans with the skill required to create the technology to generate stamped clay tablets or papyrus sheets would have been employed by the state, with counterfeiting forbidden under penalty of death.

Something you do is based on how you behave, physically and/or linguistically. This seems like a new research project, but it's been used for authentication at least since the Bronze Age. Consider the following passage, describing events from around 1370-1070 BCE and probably written around 700 BCE. The inhabitants of Gilead, a mountainous region east of the Jordan River, had defeated the invading tribe of Ephraim. The surviving Ephraimites were trying to cross back over the River Jordan into their home territory. In order to identify and kill them, the Gileadites blocked the river crossings and told each suspected Ephraimite to say the word שְׁבּׂלְת or shibboleth. The Ephraimite dialect did not contain the "sh" (or ש) sound, so anyone pronouncing it as sibboleth was killed. The reported body count was 42,000.

1 The Ephraimites were called up for battle and crossed over to Zaphon. They said to Jephthah, "Why did you cross over to fight the Ammonites and not call us to go with you? We're going to burn down your house over you!" 2 Jephthah replied to them, "My people and I were in a great conflict with the Ammonites. But when I cried out to you, you didn't rescue me from their power. 3 When I saw that you weren't going to rescue me, I risked my own life and crossed over against the Ammonites, and the Lord handed them over to me. So why have you marched against me today to fight me?" 4 So Jephthah gathered all the men of Gilead and fought the Ephraimites. The Gileadites defeated the Ephraimites, because they had said, "You are fugitives from Ephraim! Gilead stands within Ephraim and Manasseh." 5 The Gileadites took control of the Jordan's crossing points into Ephraim. Whenever one of the Ephraimite fugitives said, "Let me cross," the Gileadites would ask him, "Are you an Ephraimite?" If he said, "No," 6 they would tell him, "Then say shibboleth." But he would say, "sibboleth," because he couldn't pronounce it correctly. So they would seize him and kill him at the Jordan's crossing points. Forty-two thousand of the Ephraimites fell at that time.

Judges 12:1-6

Physical Tokens

Below is a proximity card or just a "prox card" for short, and a similar key-fob-like proximity device. These are unpowered RFID systems. You hold the device against a reader to unlock an outer door, or to command an elevator outside normal operating hours to do anything other than go to the lobby.

I've been told that if you find one of these, you can call Datawatch Systems at the toll-free number listed on the card, read off the code number printed on it, and they will tell you where it can be used. +1-800-899-9872, 301-39731, and 234-56540 11101450973-1 if you're trying to read these examples.

Datawatch Systems proximity card used as a physical authentication token.
Datawatch Systems proximity device used as a physical authentication token.

Smart Phone Apps Make Your Phone a Token

In 2015 the Hilton chain of hotels began to deploy a "digital key" system in which your smart phone can serve as your room key.

You have to install the Hilton HHonors app and tell it your HHonors number and password. Then, once your room is ready, data will be available the next time you start the app.

I had assumed it would use NFC (Near-Field Communication), which would be easier to integrate with the proximity sensors already in use at some hotels. On those you hold the key card near the disk on the door exterior; there is no slot in which to dip it.

But this phone-based system uses Bluetooth to communicate with what look like conventional hotel door locks with slots for magnetic key cards. The bottom of the lock mechanism has the usual coaxial DC power connector and 1/8" jack for overriding with a handheld device.

The app says to get within five feet, but it would usually detect the door and work within ten to fifteen feet. The app has detected a door that it knows how to unlock, and shows you which it is — "My Room" or "Concierge Lounge". You press the circle: blinking, wait, blinking, wait, after about 5 seconds the door unlocks. The green LED on the door lights, and the app shows "Unlocked!"

Hilton hotel chain smart phone app.

I got "My Room" and "Concierge Lounge" when near those two places, but the phone also successfully discovered "Main" in the lobby near the elevators. I could apparently unlock whatever this was, getting the successful "Unlocked!" indication on the phone, but no secret doorway swung open. I tried it a number of times in the area, but couldn't see anything happening and I couldn't figure out where the signal was coming from.

I don't really have high expectations for hotel door lock security to start with, so I don't see this as making things any worse. The standard Onity hotel locks were spectacularly hacked a few years ago.

This system is not just something you know. It's something you have, and have charged, and on which you have booted the OS, and started the app, and the app has found the stored keys, and the app has checked for updates from the network. And talk about applying ridiculous amounts of computing power to solve a simple problem... Even my old phone has about 1.6 times the compute power and 16 times the memory of a Cray X-MP, the world's fastest supercomputer from 1983-1985.

Windows Authentication

Microsoft has a very nice page describing Credentials Management in Windows Authentication.

Securus Global has a nice article on dumping Windows credentials. Once you have SYSTEM level access, you may have better things to do than dump user credentials. But it's possible that credentials on a poorly secured host could lead to far more useful credentials elsewhere.

First, save the SYSTEM, SECURITY, and SAM hives to your USB drive:

C:\> mkdir e:\collection
C:\> reg.exe save hklm\sam e:\collection\sam.save
C:\> reg.exe save hklm\security e:\collection\security.save
C:\> reg.exe save hklm\system e:\collection\system.save

Then, collect the hashes of the passwords for local accounts, cached domain credentials, and LSA secrets using secretsdump.py.

Attack those with password cracking tools or use a Pass the Hash attack.
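The defensive counterpart, added here as example code (not from the page or from Securus Global): a detector that scans process-creation events for the reg.exe hive saves shown above. The event records are constructed for the example, with field names loosely modelled on Sysmon Event ID 1 / Security event 4688; the severity rule is my own, based on the fact that the SYSTEM hive holds the boot key needed to decrypt what is in SAM and SECURITY.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from any real host), in a
# simplified dict form modelled on the fields of Sysmon Event ID 1 / Windows 4688.
SAMPLE_EVENTS = [
    {"ts": "2016-11-20T14:02:11Z", "host": "WS-EXAMPLE-01", "user": "CORP\\jdoe",
     "cmdline": "reg.exe save hklm\\sam e:\\collection\\sam.save"},
    {"ts": "2016-11-20T14:02:12Z", "host": "WS-EXAMPLE-01", "user": "CORP\\jdoe",
     "cmdline": "reg.exe save hklm\\security e:\\collection\\security.save"},
    {"ts": "2016-11-20T14:02:13Z", "host": "WS-EXAMPLE-01", "user": "CORP\\jdoe",
     "cmdline": "reg.exe save hklm\\system e:\\collection\\system.save"},
    {"ts": "2016-11-20T14:05:40Z", "host": "WS-EXAMPLE-02", "user": "CORP\\svc-backup",
     "cmdline": "reg.exe save HKLM\\SYSTEM c:\\backup\\system.hiv"},
    {"ts": "2016-11-20T14:06:02Z", "host": "WS-EXAMPLE-03", "user": "CORP\\asmith",
     "cmdline": "reg.exe query hklm\\software\\microsoft\\windows\\currentversion\\run"},
]

# Matches "reg save" (or "reg.exe save") of one of the three hives named in the
# text. Case-insensitive, since reg.exe accepts HKLM\SAM, hklm\sam, and so on.
HIVE_SAVE = re.compile(
    r"(?i)\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|security|system)\b"
)

def hive_saved(cmdline):
    """Return the lower-cased hive name if cmdline saves SAM/SECURITY/SYSTEM, else None."""
    m = HIVE_SAVE.search(cmdline)
    return m.group(1).lower() if m else None

def detect_hive_dumps(events):
    """Group hive saves by (host, user) and rate them.

    SAM and SECURITY are encrypted with the boot key stored in SYSTEM, so
    SAM+SYSTEM or SECURITY+SYSTEM together is rated 'high'; a lone SYSTEM save
    may be ordinary backup activity and is rated 'low'.
    """
    seen = defaultdict(set)
    for ev in events:
        hive = hive_saved(ev["cmdline"])
        if hive:
            seen[(ev["host"], ev["user"])].add(hive)
    findings = []
    for (host, user), hives in sorted(seen.items()):
        severity = "high" if "system" in hives and hives & {"sam", "security"} else "low"
        findings.append({"host": host, "user": user,
                         "hives": sorted(hives), "severity": severity})
    return findings

if __name__ == "__main__":
    for f in detect_hive_dumps(SAMPLE_EVENTS):
        print(f"{f['severity']:4} {f['host']} {f['user']} hives={','.join(f['hives'])}")
```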

How to Create Strong Passwords

Here is a very good essay on how to choose good passwords. It explains why common schemes generate passwords that are hard to remember but easy for automated attacks to find, and suggests ways to make very strong passwords that can still be remembered.

Well-Known Default Passwords

Many systems come with well-known default passwords which go unchanged by lazy admins. Here are some lists; check whether you have any remaining risks:
• phenoelit-us.org
• cirt.net
• defaultpassword.com

The "What's My Pass?" page claims to list "The Top 500 Worst Passwords of All Time", but there is no explanation of where they got that data. Since admin isn't even on the list despite being the default password on lots of network gear, I don't think the list is very authoritative. But it's kind of interesting.

Studies of Real-World Passwords and PINs

PIN study

Bruce Schneier wrote about a study of real-world passwords chosen by MySpace users. It covers distributions of lengths, character mixes, and especially common passwords.

An excellent PIN analysis studied a collection of almost 3.4 million four-digit passwords and found that:

Researchers at Microsoft and Carleton University did a nice study of how people use passwords, "An Administrator's Guide to Internet Password Research". See their presentation and read their paper. They conclude that password strength meters and most suggestions for constructing strong passwords are almost completely useless. An important conclusion is that people usually put accounts into different categories based on the impact of account compromise, and that's a good thing. Use silly passwords like literal "password" and "123456" for silly situations like the magazine or newspaper that requires you to create an account to view their web site. Just don't use the same password for accounts in different sensitivity categories.

Mandatory Password Changes are Harmful

The Chief Technologist for the U.S. Federal Trade Commission wrote about how mandatory password changes are harmful. She cited a 2009 U.S. NIST publication "Guide to Enterprise Password Management" (SP 800-118), a 2009–2010 University of North Carolina study of password expiration, "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis", a 2013 Carnegie Mellon University study "Measuring Password Guessability for an Entire University", and a 2015 Carleton University study, "Quantifying the Security Advantage of Password Expiration Policies". These studies found that policies enforcing password change lead to weaker passwords. Password change reduces the impact of a successful password-guessing attack, but it makes such an attack more likely to succeed. NIST's SP 800-118 draft (since retired) also criticized passwords for the small amount of security they provide given the level of frustration they cause.

The physical world analogy would be an airbag system for cars that made crashes more likely to happen.

Passwords

See these pages:

• How Passwords Work
• How to Crack Passwords

Password Tools

If you have too many passwords on multiple systems, you need a secure means to store them on one system:

Also see the page on system configuration testing and auditing for several password cracking and password testing packages.

Use the pam_passwdqc PAM module for enforcing password quality on Solaris, Linux, HP-UX, BSD, and possibly elsewhere.

Two one-time password systems are S/KEY and OPIE ("One-Time Passwords in Everything"). OPIE is available to everyone from inner.net, and to .mil and .gov users only at ftp.nrl.navy.mil. S/KEY is available from ftp.cert.dfn.de.

In the late 1990s into the early 2000s S/KEY and specifically OPIE were used for remote authentication into servers. There were Linux PAM modules and everything. These days it makes far more sense to use cryptographic authentication into SSH for server administration. But users can still use S/KEY authentication into web-based front ends. There are S/KEY libraries in various web APIs.
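To show how an S/KEY or OPIE chain actually works, here is an added example (my code, not part of the page, OPIE, or the S/KEY distribution) implementing the RFC 2289 "otp-md5" hash-and-fold step, the one-time password chain, and the server side of the exchange. The passphrase, seed, and chain length are constructed demo values; the server's exact-next-password policy is this example's choice.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 'otp-md5' step: MD5 the input and fold the 16-byte digest
    to 8 bytes by XORing bytes 0-7 with bytes 8-15."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count` in the chain: the folded hash of
    seed+passphrase, then `count` further fold_md5 rounds.  RFC 2289 treats
    the seed as case-insensitive, so it is lower-cased before use."""
    h = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        h = fold_md5(h)
    return h

class OtpServer:
    """Server side (constructed for this example).  It never stores the
    passphrase, only the most recently accepted OTP and its sequence number."""

    def __init__(self, seed: str, last_otp: bytes, sequence: int):
        self.seed, self.last, self.sequence = seed, last_otp, sequence

    def challenge(self) -> str:
        # Sent in the clear; it only tells the client which OTP to compute.
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept `candidate` only if hashing it once yields the stored OTP.
        fold_md5 is one-way, so an eavesdropper who captures an accepted OTP
        cannot derive the next (lower-numbered) one, and replaying it fails
        because the stored value has already moved down the chain."""
        if self.sequence <= 0 or fold_md5(candidate) != self.last:
            return False
        self.last, self.sequence = candidate, self.sequence - 1
        return True

def enroll(passphrase: str, seed: str, n: int) -> OtpServer:
    """The client computes OTP number n once at enrolment; the server stores only that."""
    return OtpServer(seed, otp(passphrase, seed, n), n)

if __name__ == "__main__":
    # Constructed demo values.
    srv = enroll("This is a test.", "TeSt", 99)
    chal = srv.challenge()                        # "otp-md5 98 TeSt"
    n = int(chal.split()[1])
    resp = otp("This is a test.", "TeSt", n)      # client recomputes from its passphrase
    print(chal, "->", resp.hex().upper(), "accepted:", srv.verify(resp))
    print("replay accepted:", srv.verify(resp))   # False: the chain has advanced
```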

Good static passwords are essential. First, educate your users. Second, validate their actions with password cracking tests. See the system auditing section.

Password Breaches

Every large breach of a password database provides more information on how humans generate passwords. These insights go into the cracking software. There have been plenty of large databases exposed:

32 million from RockYou in 2009

6.4 million from LinkedIn leaked in 2012

24 million from Zappos in 2012

50 million from Evernote in 2013

50 million from LivingSocial in 2013

150 million from Adobe in 2013

32 million from Ashley Madison in 2015

360 million from MySpace, stolen in June 2013 and published online in May 2016

177.5 million password hashes for 164.6 million users of LinkedIn, obtained in 2012 and leaked in 2016

68 million email addresses and passwords from Dropbox, stolen in 2012 and released in 2016

Over 500 million Yahoo Inc. user accounts were stolen in late 2014 by what the company described as a "state-sponsored attack" but which researchers said was actually a theft by a criminal organization that then sold the data to an eastern European government.

200 million Yahoo Inc. user accounts were offered for sale in August 2016; nearly two months later Yahoo said that this was separate from the over 500 million stolen in 2014.

Over 412 million user accounts were stolen from Friend Finder Network in October 2016: a total of 412,214,295 users of sex-related web sites including adultfriendfinder.com, cams.com, penthouse.com, stripshow.com, and icams.com. See reports in LeakedSource and CSO Online. Data on over 3.5 million AdultFriendFinder users had already been stolen and posted online in May 2015, as reported on CNN, Channel 4 News, and CSO Online.

This table and list of references points you to many more examples.

Other Prominent Breaches


The too-cutely named HITECH Act in the U.S. requires that the Secretary of the Department of Health and Human Services provide information to the public about all breaches affecting 500 or more individuals. See the department's breach portal for the details.

Kerberos

How does the Microsoft re-design break the security of their "Kerberos"? The initial request for a user identity ticket is the only thing that is supposed to be cleartext. There is no risk in seeing that some user on the network is currently asking to be authenticated as a specific user name. Microsoft includes an extra field in that request, something they call "pre-authentication". It's the current timestamp encrypted with the user's secret key. Since all hosts in a Kerberos realm must have their clocks synchronized, an attacker can capture the initial ticket request and then mount a known-plaintext attack. The free and commonly available package kerbcrack does exactly that.

Handheld Password Tokens

See a list of technologies and vendors at the Wikipedia page, or here are some:

Biometric Authentication

Fingerprints

Hand Shape

Recognition Systems, part of Ingersoll Rand and now working with Schlage, makes fingerprint and hand geometry systems:

Voice

Blood Vessel Pattern Recognition

"The technology has been more widely accepted than fingerprinting in Asia mainly for cultural reasons", says Michelle Shen of ePolymath Consulting in Toronto. "In Japan, they are very concerned about hygiene. They're reluctant with fingerprinting because they have to touch the sensor." (quoted in Technology Review, Dec 2003 / Jan 2004, pg 22).

Buttock Pressure Map (yes, really)

I have no idea if they want to apply this to biometrics, but it's intriguing.... A group at Purdue was working on this several years ago. A friend worked in that lab and was looking for test subjects. Here are my buttock pressure maps! The one at left is when sitting upright, the one at right is when intentionally slouching and leaning to one side as directed.

Buttock pressure map, upright position.
Buttock pressure map, on side position.

Some ten years later, a group at the Advanced Institute of Industrial Technology in Tokyo was working on a project to put 360 pressure sensors in the bucket seat of a car, claiming 98% accuracy in allowing only recognized people to start the car. See their presentation, and also see descriptions in Mobile Magazine, TechCrunch, and Wall Street Journal.

Comparing Biometric Methods

Here's a table from "Beyond Fingerprinting", Anil K Jain and Sharath Pankanti, Scientific American Sep 2008 pp 78-81, drawing from US NIST studies. They bring up an issue I hadn't seen before: a technology will be less likely to be used if it is unsuitable as evidence in a court of law. Because iris recognition is based on complicated statistical analysis of subtle image features, "no known human experts can determine whether or not two iris images match. Hence, the data are unsuitable for evidence in a court of law."

                                          Fingerprint   Face       Iris       Voice
Distinctiveness                           High          Low        High       Low
Permanence                                High          Medium     High       Low
How well trait can be sensed              Medium        High       Medium     Medium
Speed and cost efficiency of system       High          Low        High       Low
Willingness of people to have trait used  Medium        High       Low        High
Difficulty of spoofing the trait          High          Low        High       Low
False rejection rate                      0.4%          1.0-2.5%   1.1-1.4%   5-10%
False acceptance rate                     0.1%          0.1%       0.1%       2-5%

Body Shape and Motion


The authors of "FreeSense: Indoor Human Identification with WiFi Signals" worked to identify individuals based on the ways that body shape and motion interact with indoor WiFi signals. They get about 90% accuracy with single-digit numbers of users. They were looking to solve the problem of distinguishing between 2 to 6 family members in a 6×5 meter "smart home environment". I had a hard time getting past the idea of 2 to 6 people living in a 6×5 meter space, and how they extended their experiment to 9 people. The research was done at Northwestern Polytechnical University in Xi'an, People's Republic of China, where things are packed tighter than I'm used to. Anyway, they got about 94.5% accuracy with just 2 people, down to 88.9% with 6 and 75.5% with 9.

DNA

DNA evidence is not infallible. The assumption that DNA evidence always led to perfect decisions began to be questioned starting around 2015. See the coverage by PBS Frontline, The Atlantic, New Scientist, Science and Justice, and the Pittsburgh Post-Gazette.

But meanwhile, FBI and local law enforcement are trying to force private companies to archive genetic data.

Active Authentication

DARPA is running an Active Authentication project. They describe this work as:

The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.

The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a "cognitive fingerprint."

The first phase of the program will focus on researching biometrics that do not require the installation of additional hardware sensors, rather the program will look for research on biometrics that can be captured through the technology we already use looking for aspects of this "cognitive fingerprint." These could include, for example, how the user handles the mouse and how the user crafts written language in an e-mail or document. A heavy emphasis will be placed on validating any potential new biometrics with empirical tests to ensure they would be effective in large scale deployments.

When Apple released their iPhone 5s with a fingerprint scanner they seemed to be working on this technology. A New Yorker story reported that in the week before the iPhone 5s release, Apple was awarded a patent for gesture based authentication.

Researchers have found that they could identify drivers based on how they use the controls of a vehicle. Read the Wired overview or the researchers' paper "Automobile Driver Fingerprinting".

Protect Sysadmin Authentication With sudo

Don't just hand out the system administrator's password! Allow certain users to run only certain commands with sysadmin privileges, with the sudo tool.

TCP Wrappers and xinetd for Host Authentication

It's weak, as it trusts DNS, but tcpd and xinetd can do double DNS lookups and require consistency. To be honest, this won't keep the bad guys out, and you will realize what a sloppy and incomplete job many places do with the PTR records.
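What that double lookup amounts to, as an added example (my code, not tcpd's or xinetd's): resolve the client address to a name via its PTR record, resolve that name forward again, and accept the name only if the original address is among the answers, the way tcpd's PARANOID check does. The resolver functions are injectable, and the zone data below is constructed from RFC 5737 documentation addresses so the block runs offline; the hosts.allow-style suffix rule is a simplified imitation of the real syntax.

```python
import socket

def paranoid_check(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Double DNS lookup: PTR for `ip`, then forward-resolve that name and
    require `ip` to be among the answers.  Returns (verified, name).  The
    resolver functions are parameters so the check can run against fake data."""
    try:
        name = reverse(ip)[0]
    except OSError:               # socket.herror / gaierror are OSError subclasses
        return False, None        # no PTR at all: a name-based rule cannot match
    try:
        addrs = forward(name)[2]
    except OSError:
        return False, name        # PTR names a host with no matching forward record
    return ip in addrs, name

def allowed(ip, allow_suffixes, reverse=socket.gethostbyaddr,
            forward=socket.gethostbyname_ex):
    """Imitates a hosts.allow rule such as 'sshd: .example.net': the name must
    pass the double lookup AND end with one of the allowed domain suffixes."""
    ok, name = paranoid_check(ip, reverse, forward)
    return ok and any(name.lower().endswith(s.lower()) for s in allow_suffixes)

# Constructed zone data (RFC 5737 documentation addresses, not real hosts).
PTR = {
    "192.0.2.10": "host10.example.net",    # consistent forward and reverse
    "192.0.2.20": "trusted.example.net",   # PTR claims a trusted name ...
    "192.0.2.30": "oldname.example.net",   # PTR names a host with no A record
}
A = {
    "host10.example.net": ["192.0.2.10"],
    "trusted.example.net": ["198.51.100.7"],   # ... but forward lookup disagrees
}

def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr over the constructed PTR table."""
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip], [], [ip]

def fake_forward(name):
    """Stand-in for socket.gethostbyname_ex over the constructed A table."""
    if name not in A:
        raise socket.gaierror(-2, "Name or service not known")
    return name, [], A[name]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, paranoid_check(ip, fake_reverse, fake_forward),
              "allowed:", allowed(ip, [".example.net"], fake_reverse, fake_forward))
```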

Software Authentication/Piracy

Software piracy (kinda) falls under authentication. Authenticate your software, make sure it's legitimate.

Why audit yourself? If your site has pirated software, you may incur huge fines. Disgruntled employees will turn you in for rewards from the SPA and BSA (Software Publishers Association and Business Software Alliance), who show up with federal agents and search warrants. Fines in the $100,000-200,000 range are common, and can go into the millions. Autodesk, maker of AutoCAD, recovered more than US$ 35 million from North American copyright infringers in 1989-1999 (SC Magazine, April 1999, pg 18). The SPAudit tool is available for free. It audits what software is installed where, and also inventories hardware and system boot files. Further info is available on software piracy.

