Hex dump of Gibe-F worm.

Authentication Tools

Authentication Concepts

Authentication is based one or more of these:
• Things you know (password, PIN, etc)
• Things you have (physical tokens: badge, RSA token, etc)
• Things you are (biometrics: fingerprint, hand shape, iris pattern, etc)
The Way You Do Things (behavioral)

Those are listed in the order of how often they are used today on computer systems: passwords are the most common, and so on. DARPA's Active Authentication research project just started around 2015 and there don't seem to be any usefully practical implementations yet. However, human society has used different versions of these over the millennia.

Something you are is the oldest, predating language. Is that a family member that should be allowed into the shelter? That evolved over millennia into official guards only allowing recognized persons to enter controlled spaces. Only recognized advisors and family members were allowed into the royal chamber.

Something you know would have been the next one. The guard doesn't recognize the visitor, but the visitor knows the special pass phrase needed to gain admittance.

Something you have would have started with the development of stamps which could create recognizable patterns. Artisans with the skill required to create the technology to generate stamped clay tablets or papyrus sheets would have been employed by the state, with counterfeiting forbidden under penalty of death.

Something you do is based on how you behave, physically and/or linguistically. This seems like a new research project, but it's been used for authentication at least since the Bronze Age. Consider the following passage, describing events from around 1370-1070 BCE and probably written around 700 BCE. The inhabitants of Giliad, a mountainous region east of the Jordan River, had defeated the invading tribe of Ephraim. The surviving Ephraimites were trying to cross back over the River Jordan into their home territory. In order to identify and kill them, the Giliadites blocked the river crossings and told each suspected Ephraimite to say the word שְׁבּׂלְת or shibboleth. The Ephraimite dialect did not contain the "sh" (or ש) sound, so anyone pronouncing it as sibboleth was killed. The reported body count was 42,000.

1 The Ephraimites were called up for battle and crossed over to Zaphon. They said to Jephthah, "Why did you cross over to fight the Ammonites and not call us to go with you? We're going to burn down your house over you!" 2 Jephthah replied to them, "My people and I were in a great conflict with the Ammonites. But when I cried out to you, you didn't rescue me from their power. 3 When I saw that you weren't going to rescue me, I risked my own life and crossed over against the Ammonites, and the Lord handed them over to me. So why have you marched against me today to fight me?" 4 So Jephthah gathered all the men of Gilead and fought the Ephraimites. The Gileadites defeated the Ephraimites, because they had said, "You are fugitives from Ephraim! Gilead stands within Ephraim and Manasseh." 5 The Gileadites took control of the Jordan's crossing points into Ephraim. Whenever one of the Ephraimite fugitives said, "Let me cross," the Gileadites would ask him, "Are you an Ephraimite?" If he said, "No," 6 they would tell him, "Then say shibboleth." But he would say, "sibboleth," because he couldn't pronounce it correctly. So they would seize him and kill him at the Jordan's crossing points. Forty-two thousand of the Ephraimites fell at that time.

Judges 12:1-6

Physical Tokens

Below is a proximity card or just a "prox card" for short, and a similar key-fob-like proximity device. These are unpowered RFID systems. You hold the device against a reader to unlock an outer door, or to command an elevator outside normal operating hours to do anything other than go to the lobby.

Proximity devices
in capsule hotels

I've been told that if you find one of these, you can call Datawatch Systems at the toll-free number listed on the card, read off the code number printed on it, and they will tell you where it can be used. +1-800-899-9872, 301-39731, and 234-56540 11101450973-1 if you're trying to read these examples.

Datawatch Systems proximity card used as a physical authentication token.
Datawatch Systems proximity device used as a physical authentication token.
Datawatch Systems proximity device used as a physical authentication token.

Smart Phone Apps Make Your Phone a Token

In 2015 the Hilton chain of hotels began to deploy a "digital key" system in which your smart phone can serve as your room key.

You have to install the Hilton HHonors app and tell it your HHonors number and password. Then, once your room is ready, data will be available the next time you start the app.

I had assumed it would use NFC (or Near-Field Communication), easier to integrate with the proximity sensors already in use at some hotels. On those you hold the key card near the disk on the door exterior, there is no slot in which to dip it.

But this phone-based system uses Bluetooth to communicate with what look like conventional hotel door locks with slots for magnetic key cards. The bottom of the lock mechanism has the usual coaxial DC power connector and 1/8" jack for over-riding with a handheld device.

The app says to get within five feet, but it would usually detect the door and work within ten to fifteen feet. The app has detected a door that it knows how to unlock, and shows you which it is — "My Room" or "Concierge Lounge". You press the circle: blinking, wait, blinking, wait, after about 5 seconds the door unlocks. The green LED on the door lights, and the app shows "Unlocked!"

Hilton hotel chain smart phone app.
Hilton hotel chain smart phone app.

I got "My Room" and "Concierge Lounge" when near those two places, but the phone also successfully discovered "Main" in the lobby near the elevators. I could apparently unlock whatever this was, getting the successful "Unlocked!" indication on the phone, but no secret doorway swung open. I tried it a number of times in the area, but couldn't see anything happening and I couldn't figure out where the signal was coming from.

I don't really have high expectations for hotel door lock security to start with, so I don't see this as making things any worse. The standard Onity hotel locks were spectacularly hacked a few years ago.

This system is not just something you know. It's something you have, and have charged, and on which you have booted the OS, and started the app, and the app has found the stored keys, and the app has checked for updates from the network. And talk about applying ridiculous amounts of computing power to solve a simple problem... Even my old phone has about 1.6 times the compute power and 16 times the memory of a Cray X-MP, the world's fastest supercomputer from 1983-1985.

Windows Authentication

Microsoft has a very nice page describing Credentials Management in Windows Authentication.

Securus Global has a nice article on dumping Windows credentials. Once you have SYSTEM level access, you may have better things to do than dump user credentials. But it's possible that credentials on a poorly secured host could lead to far more useful credentials elsewhere.

First, save the SYSTEM, SECURITY, and SAM hives to your USB drive:

C:\> mkdir e:\collection
C:\> reg.exe save hklm\sam e:\collection\sam.save
C:\> reg.exe save hklm\security e:\collection\security.save
C:\> reg.exe save hklm\system e:\collection\system.save 

Then, collect the hashes of the passwords for local accounts, cached domain credentials, and LSA secrets using secretsdump.py.

Attack those with password cracking tools or use a Pass the Hash attack.

How to Create Strong Passwords

Here is a very good essay on how to choose good passwords. Explanations of why common schemes generate passwords that are hard to remember but easy for automated attacks to find, suggestions for making very strong passwords that can be remembered.

Well-Known Default Passwords

Many systems come with well-known default passwords which go unchanged by lazy admins. Here are lists, do you have any remaining risks?:
phenoelit-us.org cirt.net defaultpassword.com

The "What's My Pass?" page claims to list "The Top 500 Worst Passwords of All Time", but there is no explanation of where they got that data. Since admin isn't even on the list despite being the default password on lots of network gear, I don't think the list is very authoritative. But it's kind of interesting.

Studies of real-world passwords and PINS

PIN study

Bruce Schneier wrote about a study of real-world passwords chosen by MySpace users. Distributions of lengths, character mixes, especiallly common passwords.

An excellent PIN analysis studied a collection of almost 3.4 million four-digit passwords and found that:

Researchers at Microsoft and Carleton University did a nice study of how people use passwords, "An Administrator's Guide to Internet Password Research". See their presentation and read their paper. They conclude that password strength meters and most suggestions for constructing strong passwords are almost completely useless. An important conclusion is that people usually put accounts into different categories based on the impact of account compromise, and that's a good thing. Use silly passwords like literal "password" and "123456" for silly situations like the magazine or newspaper that requires you to create an account to view their web site. Just don't use the same password for accounts in different sensitivity categories.

Mandatory Password Changes are Harmful

The Chief Technologist for the U.S. Federal Trade Commission wrote about how mandatory password changes are harmful. She cited a 2009 U.S. NIST publication "Guide to Enterprise Password Management" (SP 800-118), a 2009–2010 University of North Carolina study of password expiration, "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis", a 2013 Carnegie Mellon University study "Measuring Password Guessability for an Entire University", a 2015 Carleton University study, "Quantifying the Security Advantage of Password Expiration Policies". These studies discovered that policies that enforce password change lead to weaker passwords. Password change reduces the impact of a successful password-guessing attack, but it makes such an attack more likely to succeed. NIST wrote (and has since retired) a draft document, SP 800-118, Guide to Enterprise Password Management, criticizing passwords for the small amount of security provided given the level of frustration they cause.

The physical world analogy would be an airbag system for cars that made crashes more likely to happen.

Old U.S. Government Requirements are Useless

U.S. NIST published SP 800-63-3, "Digital Identity Guidelines", in which they made three points:

Password complexity rules are harmful. When you require a mix of character types, people can't remember them or type them accurately. And, they don't really improve security against practical attacks. The author of the original NIST document insisting that they were a good idea has confessed that he didn't know what he was writing about.

Password expiration is harmful. See above, and also see this SANS Security Awareness Blog.

Use a password manager like KeePassX.

Passwords

See these pages:

How Passwords Work How to Crack Passwords

Password Tools

If you have too many passwords on multiple systems, you need a secure means to store them on one system:

Also see the page on system configuration testing and auditing for several password cracking and password testing packages.

Use the pam_passwdqc PAM module for enforcing password quality on Solaris, Linux, HP-UX, BSD, and possibly elsewhere.

Two one-time password systems are S/KEY and OPIE ("One-Time Passwords in Everything"). OPIE is available to everyone from inner.net, and to .mil and .gov users only at ftp.nrl.navy.mil. S/KEY is available from ftp.cert.dfn.de.

In the late 1990s into the early 2000s S/KEY and specifically OPIE were used for remote authentication into servers. There were Linux PAM modules and everything. These days it makes far more sense to use cryptographic authentication into SSH for server administration. But, the users can use S/KEY authentication into web-based front ends. There are S/KEY libraries in various web APIs.

Good static passwords are essential. First, educate your users. Second, validate their actions with password cracking tests. See the system auditing section.

Password Breaches

Every large breach of a password database provides more information on how humans generate passwords. These insights go into the cracking software. There have been plenty of large databases exposed:

32 million from RockYou in 2009

6.4 million from LinkedIn leaked in 2012

24 million from Zappos in 2012

50 million from Evernote in 2013

50 million from LivingSocial in 2013

150 million from Adobe in 2013

32 million from Ashley Madison in 2015

360 million from MySpace, stolen in June 2013 and published online in May 2016

177.5 million password hashes for 164.6 million users of LinkedIn, obtained in 2012 and leaked in 2016

68 million email addresses and passwords from Dropbox, stolen in 2012 and released in 2016

Over 150 million records from Adobe in October 2013.

Over 500 million Yahoo Inc. user accounts were stolen in late 2014 by what the company described as a "state-sponsored attack" but which researchers said was actually a theft by a criminal organization that then sold the data to an eastern European government.

200 million Yahoo Inc. user accounts were offered for sale in August 2016, nearly two months later Yahoo said that this was separate from the over 500 million stolen in 2014.

Over 412 million user accounts were stolen from Friend Finder Network in October 2016. A total of 412.214.295 users of sex-related web sites including adultfriendfinder.com, cams.com, penthouse.com, stripshow.com, and icams.com. See reports in LeakedSource and CSO Online. Information on over 3.5 million AdultFriendFinder user data had been stolen and posted online in May 2015, as reported on CNN and Channel 4 News and CSO Online.

Over one billion user accounts were stolen in Yahoo in August 2013, and only noticed and announced over three years later in November 2016. This is completely separate from the 500 million stolen in 2014 and announced in September 2016.

Up to 143 names, Social Security numbers, birthdates, and addresses were stolen from Equifax in May through July 2017.

This table and list of references points you to many more examples.

Other Prominent Breaches

U.S. DHHS
Breach Portal

The too-cutely named HITECH Act in the U.S. requires that the Secretary of the Department of Health and Human Services provide information to the public about all breaches affecting 500 or more individuals. See the department's breach portal for the details.

Kerberos

Get good documents from the source at MIT.

Download Kerberos from MIT.

See my page on building an Active Directory server and integrating UNIX hosts into it. "Active Directory" is really just Microsoft's term for their bundle of DNS, LDAP, and Kerberos service onto a single host.

Note very carefully that Microsoft ships something that they label as "Kerberos", although it does not follow the open standard, and Microsoft considers their alterations to be proprietary.

Handheld Password Tokens

See a list of technologies and vendors at the Wikipedia page, or here are some:

Biometric Authentication

Fingerprints

Fingerprint readers are weaker than expected. Yes, there have been demonstrations of stolen and fake fingerprints since the early 2000s. More recent work has shown that you can find "MasterPrints", synthetic (or real) partial fingerprints that happen to match one or more of the stored templates for significant fractions of users on a system.
MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems "That Fingerprint Sensor on Your Phone Is Not as Safe as You Think", New York Times

Fingerprints are not as reliable as we think. At the very least, they need to be interpreted by a human.
"Fingerprinting's Reliability Draws Growing Court Challenges", New York Times "Study questions reliability of fingerprint evidence" The Guardian "Accuracy and reliability of forensic latent fingerprint decisions", Proceedings of the National Academy of Sciences "Effects of Human Factors on the Accuracy of Fingerprint Analysis", National Institute of Justice, U.S. Department of Justice

Hand Shape

A number of companies have hand geometry systems, it looks like Honeywell bought Schlage and Ingersoll Rand's product lines.
Honeywell — HandKey

Voice

Several companies market voice authentication systems. That is, authentication, deciding who the speaker is, and not recognition, deciding what the speaker is saying. Vendors include:
Nice Nuance Microsoft VoiceVault

Blood vessel pattern recognition —

"The technology has been more widely accepted than fingerprinting in Asia mainly for cultural reasons", says Michelle Shen of ePolymath Consulting in Toronto. "In Japan, they are very concerned about hygiene. They're reluctant with fingerprinting because they have to touch the sensor." (quoted in Technology Review, Dec 2003 / Jan 2004, pg 22).

Get hardware from Techsphere of Seoul, South Korea, distributed by Identica, of Toronto, Canada. It's in use at the Toronto and Ottawa airports to authenticate ground crew, who often have dirty hands that don't work with fingerprinting.

Hitachi is working on this. "Finger vein authentication, introduced widely by Japanese banks in the last two years [2006-2008], is claimed to be the fastest and most secure biometric method" because blood vessels are invisible to the eye, extremely difficult to forge and simulate.

It uses near-IR absorption by hemoglobin. Fujitsu uses a similar approach but on a palm scanner rather than a fingertip, and its system has been installed at Carolina HealthCare System in Charlotte NC. See the story in the London Times.

Bionics Co., Ltd. is also working on the technology.

M2sys has published a case study of their system.

Buttock Pressure Map (yes, really)

A group at Purdue was working on this several years ago. A friend worked in that lab and was looking for test subjects. Here are my buttock pressure maps! The one at left is when sitting upright, the one at right is when intentionally slouching and leaning to one side as directed.

Buttock pressure map, upright position.
Buttock pressure map, on side position.

Some ten years later, a group at the Advanced Institute of Industrial Technology in Tokyo was working on a project to put 360 pressure sensors in the bucket seat of a car, claiming 98% accuracy in allowing only recognized people to start the car. See their presentation, and also see descriptions in Mobile Magazine, TechCrunch, and Wall Street Journal.

Comparing Biometric Methods

Here's a table from "Beyond Fingerprinting", Anil K Jain and Sharath Pankanti, Scientific American Sep 2008 pp 78-81, drawing from US NIST studies. They bring up an issue I hadn't seen before, technology will be less likely to be used if it is unsuitable as evidence in a court of law. Because iris recognition is based on complicated statistical analysis of subtle image features, "no known human experts can determine whether or not two iris images match. Hence, the data are unsuitable for evidence in a court of law."

Fingerprint Face Iris Voice
Distinctiveness High Low High Low
Permanence High Medium High Low
How well trait can be sensed Medium High Medium Medium
Speed and cost efficiency of system High Low High Low
Willingness of people to have trait used Medium High Low High
Difficulty of spoofing the trait High Low High Low
False rejection rate 0.4% 1.0—2.5% 1.1—1.4% 5—10%
False acceptance rate 0.1% 0.1% 0.1% 2—5%

Body Shape and Motion

The authors of "FreeSense: Indoor Human Identification with WiFi Signals" worked to identify individuals based on the ways that body shape and motion interact with indoor WiFi signals. They get about 90% accuracy with single-digit numbers of users. They were looking to solve the problem of distinguishing between 2 to 6 family members in a 6×5 meter "smart home environment". I had a hard time getting past the idea of to 6 people living in a 6×5 meter space, and how they extended their experiment to 9 people. The research was done at Northwestern Polytechnic University in Xi'an, People's Republic of China, where things are packed tighter than I'm used to. Anyway, they got about 94.5% accuracy with just 2 people, down to 88.9% with 6 and 75.5% with 9.

DNA

DNA evidence is not infallible. The assumption that DNA evidence always led to perfect decisions began to be questioned starting around 2015. See the coverage by PBS Frontline, The Atlantic, New Scientist, Science and Justice, and the Pittsburgh Post-Gazette.

But meanwhile, FBI and local law enforcement are trying to force private companies to archive genetic data.

Active Authentication

DARPA is running an Active Authentication project. They describe this work as:

The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.

The Active Authentication program seeks to address this problem by developing novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software based biometrics. Biometrics are defined as the characteristics used to uniquely recognize humans based on one or more intrinsic physical or behavioral traits. This program focuses on the behavioral traits that can be observed through how we interact with the world. Just as when you touch something your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a "cognitive fingerprint."

The first phase of the program will focus on researching biometrics that do not require the installation of additional hardware sensors, rather the program will look for research on biometrics that can be captured through the technology we already use looking for aspects of this "cognitive fingerprint." These could include, for example, how the user handles the mouse and how the user crafts written language in an e-mail or document. A heavy emphasis will be placed on validating any potential new biometrics with empirical tests to ensure they would be effective in large scale deployments.

When Apple released their iPhone 5s with a fingerprint scanner they seemed to be working on this technology. A New Yorker story reported that in the week before the iPhone 5s release, Apple was awarded a patent for gesture based authentication.

Researchers have found that they could identify drivers based on how they use the controls of a vehicle. Read the Wired overview or the researchers' paper "Automobile Driver Fingerprinting".

Three researchers at the University of Padova in Italy have reported something similar to active authentication, as they are using mouse movement timing and patterns assess the confidence with which questions are answered. However, I think this is more of a method to tell how well a would-be identity thief has done their research. See: "The detection of faked identity using unexpected questions and mouse dynamics", PLOS One, 18 May 2017, https://doi.org/10.1371/journal.pone.0177851, and a short Science article describing the research.

Protect Sysadmin Authentication With sudo

Don't just hand out the system administrator's password! Allow certain users to run only certain commands with sysadmin privileges, with the sudo tool.

TCP Wrappers and xinetd for Host Authentication

TCP Wrapper and xinetd are weak, as they trusts DNS, but they can do double DNS lookups and require consistency. Xinetd gives you finer control over access such as time-sensitive access rules, limitations on maximum simultaneous connections, throttling connection rates, and more. To be honest, these won't keep the bad guys out, and you will realize what a sloppy and imcomplete job many places do with the PTR records.

Also, with systemd replacing and modifying much of the Linux boot and service control mechanisms, xinetd seems to have been retired from Linux.

Some organizations use TCP Wrapper for warning and explanatory banners for compliance, and do access control in service-specific ways.

Software Authentication/Piracy

Software piracy (kinda) falls under authentication. Authenticate your software, make sure it's legitimate.

Why audit yourself? If your site has pirated software, you may incur huge fines. Disgruntled employees will turn you in for rewards from SPA and BSA (Software Publishers Association and Business Software Alliance), who shows up with federal agents and search warrants. Fines in the $100,000-200,000 range are common, and can go into the millions. Autodesk, maker of AutoCAD, recovered more than US$ 35 million from North American copyright infringers in 1989-1999 (SC Magazine, April 1999, pg 18). The SPAudit tool is available for free. It audits what software is installed where, and also inventories hardware and system boot files. Further info is available on software piracy.


Back to the Security Page