Classification of user authentication mechanisms and their review
During the writing of my thesis on the protection of information on the development of a new user authentication algorithm, I was faced with the task of classifying the existing authentication mechanisms so that I could determine what class my development belongs to.
I was faced with the fact that there is no generally accepted classification, and each author has his own, if there is one at all. Therefore, I offer you my classification, synthesized from those that I met in the process. And I would like to hear the opinion of experts, how rational, adequate and useful it is. And most importantly, have you heard it somewhere before?
After analyzing the existing user authentication mechanisms, I identified 3 main characteristics that each of them has:
The degree of automation may be complete or incomplete . This refers to the automation of authentication from the system, not the user. Those. authentication system on Habré is fully automated, and the authentication system with the help of an intercom is not completely, because Host authentication is required for guest authentication.
')
The priority of use is the order in which the user uses this authentication method.
The main authentication method As the name suggests, this method is used for regular login. The most common of these is password login, which is used in the vast majority of computer systems. A less common way is to use hardware identifiers to which access keys or user passwords are written.
Two-factor authentication is also popular in the corporate sector. As a rule, this means a bundle of e-token and a PIN code entered by the user, but there are also more exotic combinations consisting of a biometric scanner and a hardware identifier or user password.
Backup authentication method In case of loss of a password or an e-token, or account hacking, backup authentication methods take effect. However, these are not so much authentication methods as password reset mechanisms.
Two methods are most common: answering a “secret question” and sending a password to a trusted mailbox specified during registration. These methods are included in the gentleman's set of any self-respecting information service.
There are many interesting modifications to this authentication method. For example, one of the first was the proposal to use their own "secret questions" [1]. What was almost immediately implemented by leading providers [2].
You can also give an example of an advanced backup authentication system based on questions from the online dating database. There are many such questions, they are simple in themselves, but in aggregate one can clearly enough imagine the character of a person. When contacting, the system asks some of the questions from which the user answered during registration, if he can correctly answer most of them, then authentication is considered successful [3].
A very similar idea was described in recent papers [4, 5]. Both of them tried to build authentication based on a set of simple “secret questions” into the PKI architecture. And if in the first work Randy Baden, Neil Spring and Bobi Bhatacharji tried to generate a common encryption key for two friends based on answers to such “secret questions” compiled by users [4], in the second work the authorization server with the base appeared as the second user personal data [5].
There are no less original ideas about using user information, for example, everyone knows captcha (and how annoying it can be): difficult-to-read combinations of letters and numbers that you have to enter in order, say, to complete the registration. And although her task is to protect information services from ubiquitous bots, Facebook engineers decided to cross it with “secret questions” and use it as a backup authentication system. Not long ago, Facebook introduced Social Authentication [6] on Facebook, which is a wrong name. The user is shown several photos of his friends, and he must correctly enter the names of friends.
As mentioned at the beginning, the second method is to send the password to a trusted mailbox. In general, the concept of shifting responsibility for authenticating a person from one side to another is not new. Authenticating users via an alternate email address shifts the responsibility of authentication to the provider of that alternate address. It should be added that since the box is not the main one, it is used less frequently, and therefore the probability of forgetting the password or the answer to the “secret question” becomes much higher. True, since the number of mobile phones sold in Russia exceeded its total population, many providers have the opportunity to send new passwords using sms messages. For the first time, this system was used by banks for additional authentication of transactions [7, 8], after which, having proved its effectiveness, it was adopted by other Internet services. But such a system also has its drawbacks inherent in all hardware identifiers. Phones are very often lost, stolen or broken. For example, in a 2008 article, it is reported that more than 60,000 mobile phones are forgotten every year in New York taxis alone [9].
last-resort mechanism (“last resort”) Despite all the drawbacks and weaknesses of such backup access recovery mechanisms, leading Internet companies have to use them, because the alternative to this is the use of “last-resort” authentication [10], which can be translated as authentication of the "last resort", that is, the mechanism resorted to in the most extreme cases, when all other methods were powerless. At the moment, this means contacting information system administrators or special customer support departments, and this is prohibitively expensive given that all of the two largest mail providers have the number of active users per year more than a billion [11, 12]. But even such departments are virtually defenseless against social engineering, as the legendary hacker Kevin Mitnick wrote in 2002 in his book [13]. He rightly points out that a person will be the weakest link even in the most complex system of protection.
Authentication factor used - authentication is the process of comparing information provided by the user with the reference one. Depending on the type of information, it can be attributed to one of the four main factors, or to their combination.
The knowledge factor (Password Authentication) is “what you know.”
The first and most common authentication mechanism at the moment is the input of something that only the user knows, such as a password or a secret question answer. Theoretically, this is the easiest and safest authentication method, since it has sufficient cryptographic strength, it is easy and cheap to implement, and all that is needed from the user is to memorize an 8–12-character combination of letters, numbers, and various signs. However, in practice, everything is completely different.
Firstly, users, as a rule, set weak passwords, which is connected with the very physiology of a person, or more precisely, of his brain. Our thinking is associative and directly related to speech, we think in images, each of which has a name, so as a password we choose the name of one of them. Thus, we can find most of the passwords set by users in a regular dictionary, and therefore they are easily selected using the dictionary search method. A lot of articles have been written about weak cryptographic strength of user-selectable passwords. One of the oldest dates back to 1990. In it, Daniel Klein describes how he, having armed himself with a dictionary of 62,727 words, was able to pick up passwords to 3,340 accounts in a couple of weeks, which accounted for 24.2% of the total [14]. It is worth noting two factors:
1. People have not asked for more complex passwords since.
2. According to "Moore's Law", the computing power of computers has since grown more than 16 thousand times.
Of course, since then a lot of research has been done and many systems for constructing complex passwords based on mnemonic phrases have been proposed on their basis. But as a percentage, few people use them.
Moreover, in spite of any miracle system, with increasing password complexity, it is harder to remember. A SafeNet study from 2004 found that 47% of respondents forgot their passwords during the year [15]. And with the increasing number of accounts from various computer systems, which every year becomes more and more, the situation is even more aggravated. The ability to remember passwords was studied in Wu's laboratory in 2007. After the first week, 12.5% ​​of participants forgot their six-letter alphanumeric passwords. Of the participants who had to remember the passwords of five accounts, 25% forgot at least one [16].
In addition, with the increasing complexity of passwords, the number of errors when entering it increases. For example, Brosstoff and Sayss noticed that permission to enter up to ten wrong passwords in a row reduces the number of requests to reset them [17]. Actually, after this research, many companies have adjusted their password policies.
But even this is not the worst. A study by John Ladeon in 2003 revealed the frightening tendency of office workers to communicate their passwords to strangers for a nominal fee. The study involved 152 people. They were asked a series of questions, one of which asked for the user's password, and 75% of the respondents immediately called him. They revealed their password in exchange for a trinket worth less than one pound sterling [18].
The next most common authentication mechanism is usually used if the password is still lost. Then the user is asked to answer the so-called "secret question", the answer to which he indicated during the registration of the account. Such a system is used by 4 leading mail providers AOL, Google (Gmail), Microsoft (Hotmail), and Yahoo! [nineteen].
However, the cryptographic resistance of such “question and answers” ​​chosen by users is even lower than that of the passwords they choose. In 2009, a study report was published at the IEEE Security and Privacy conference, which was attended by 130 people. The results showed that slightly less than a third of the subjects - 28 percent - were able to “guess” the answer to the secret password, if they knew their opponent closely. If the opponent was completely unfamiliar, then the answer to the question guessed 17 percent of the subjects. However, the final result depends on the complexity of the question. For example, the question of the user's favorite team or his favorite city will not be a big problem in 30 and 57 percent of cases, respectively. But even to questions of a personal nature — the city of birth, or the pet’s nickname — the hacker gives the correct answer in 45 and 40 percent of cases, respectively. In addition, after 3 to 6 months, 49 participants asked to remember their answers, 16% forgot them [20]. Earlier in 2008, Ariel Rabkin conducted a similar study saying that many of the “secret questions” were or were not applicable to more than 15% of the general public, not remembered, ambiguous, easily guessed even without information about the victim, or easily guessed with minimal knowledge of the victim [21]. Similar work was carried out earlier in 1996 [22] and in 1990 [23]. They also investigated the ability to memorize and guess the answers to “secret questions”. And they showed similar results, namely: spouses and close friends could guess 33% -39% of responses, and 20% -22% forgot their answers within 3 months.
Interesting work was published the year before. Its purpose was to find out the cryptographic answers to the “secret questions” by themselves. To this end, the authors have collected a huge database (about 269 million) of names, surnames, pet names, dates, and birthplaces of users. When analyzing these data, it turned out, but it didn’t surprise me that they obey the Zipf distribution, a special case of which is the “Pareto law”, i.e. 20% of names and dates accounted for 80% of users. As a result, it turned out that the cryptographic resistance of the answers to these “secret questions” corresponds to the cryptographic strength of the encryption key with a length of 8 to 23 bits, depending on the prevalence of a particular name or surname [24].
In 2005, V. Griffin and M. Jacobson conducted a study that revealed that the answers to the most popular "secret questions" can be found in open sources. This was brilliantly confirmed in practice in 2008 during the US presidential election, when the account of Sarah Palin, the Republican candidate, was cracked with the help of a “secret question” [25].
The real factor (hardware authentication) is “what you own.” The second most popular authentication factor. First of all, this refers to hardware-software systems for identification and authentication (SIA) or input devices for identification features [26]. The SIA includes hardware identifiers, input-output devices (readers, contact devices, adapters, system board connectors, etc.) and the corresponding software. Identifiers are designed to store unique identification features. In addition, they can store and process sensitive data. I / O devices and software exchange data between the identifier and the protected system.
In electronic CIA, identification signs are represented as a digital code stored in the identifier's memory. According to the method of data exchange between the identifier and the input-output device, electronic SIA are divided into:
• contact:
o iButton - information button - information "tablet";
o smart cards - smart cards;
o USB keys or USB tokens (token is an identifying mark, a marker);
• contactless:
o RFID identifiers - radio-frequency identification - radio frequency identifiers;
o smart cards.
Contact reading implies direct contact of the identifier with an I / O device. The contactless (remote) exchange method does not require a clear positioning of the identifier and the I / O device. Reading or writing data occurs when an identifier is presented at a certain distance to an I / O device.
SIA based on smart cards and radio frequency identifiers can be attributed to the time of their creation to the older one, iButton to the middle one, and USB keys to the younger generation.
When discussing the reliability of an AIA, the most important and at the same time the weakest link in the system - the identifier - is usually considered. In turn, the reliability of identifiers is associated with the degree of their protection from mechanical effects, the effects of temperature, external electromagnetic fields, corrosive media, dust, moisture, as well as from attacks aimed at opening chips that store secret data.
The developers of iButton identifiers ensure the safety of the characteristics of their products during a mechanical shock of 500g, falling from a height of 1.5 m onto a concrete floor, a working temperature range from -40 to 70 ° C, exposure to electromagnetic fields and the atmosphere. This is facilitated by a sealed steel case identifier, which retains strength with a million contacts with an input-output device. Some identifiers (DS1991, DS1963S) memory is protected from access. The lifetime of the iButton ID is 10 years.
The disadvantages of an iButton-based SIA include the absence of cryptographic tools built into identifiers that implement data encryption during storage and transfer to a computer. Therefore, iButton is usually used in conjunction with other systems that are entrusted with encryption functions.
Of course, RFIDs, smart cards, and USB keys are inferior to the iButton in terms of their mechanical reliability. Plastic compete with steel is difficult. Card failure due to mechanical damage is not a rare event. The ten-year research conducted on the French GIE Carte Bancaire project over 22 million cards showed that the probability of their failure for a number of reasons (which also includes mechanical damage) is 0.022.
The bottleneck of USB keys is also the resource of their USB connectors. The developers of these identifiers even include this indicator in the technical specifications of the products. For example, for identifiers of the eToken family, the guaranteed number of connections is at least 5000 times.
The advantage of radio-frequency identifiers, smart cards and USB-keys is that they include a secure non-volatile memory and a cryptographic processor, which allows to increase the level of protection of devices. However, the attacking side does not sleep, coming up with various ways of revealing secret information.
Published many works that describe a variety of attacks on the chips identifiers.These studies are both theoretical and practical. Theoretical methods of dissection include, in particular, Bellcore attacks, differential analysis of distortions DFA (Differential Fault Analysis) and power DPA (Differential Power Analysis). Practical methods include glitching and physical attacks aimed at unpacking the chip and extracting the necessary information.
Developers of cryptographic processors seek, as far as possible, to adequately respond to attacks with the help of various external and internal protection mechanisms. The external protection mechanisms include the installation of sensors (capacitive or optical sensor), chip coating with a metal layer, special adhesives, etc., bus encryption, random clocking, repeated calculations, noise generation are internal.
In general, due to the cost of hardware identifiers, they are used mainly in business, where convenience, reliability and high cryptographic strength are required. There are only two main disadvantages: they can be taken away or lost and they can break.
Biofactor (Biometric Authentication)- “what is a part of you.” Biometric data, for removal of which, as a rule, special software and hardware are necessary - so-called biometric scanners, which differ in the nature of the read data.
Static based biometric scanners:
• Fingerprint recognition. This is the most common static method of biometric identification, which is based on the uniqueness for each person of the pattern of papillary patterns on the fingers. A fingerprint image obtained using a special scanner is converted into a digital code (convolution) and compared with a previously entered pattern (reference) or a set of templates;
• Recognition by hand geometry. This static method is based on the recognition of hand geometry, which is also a unique biometric characteristic of a person. Using a special device that allows you to get a three-dimensional image of the hand (some manufacturers scan the shape of several fingers), you get the measurements necessary to obtain a unique digital convolution that identifies a person;
• Iris recognition. This recognition method is based on the uniqueness of the iris pattern. To implement the method, a camera is needed, which allows to obtain an image of a human eye with sufficient resolution, and specialized software that allows to isolate the image of the iris of the eye from the resulting image, which is used to build a digital code to identify a person.
Biometric scanners based on dynamic methods:
• Handwriting recognition. As a rule, his signature (sometimes writing a code word) is used for this dynamic method of identifying a person. The digital identification code is formed according to the dynamic characteristics of the spelling, that is, a convolution is built to identify, which includes information on the graphic parameters of the signature, the time characteristics of applying the signature and the dynamics of pressure on the surface, depending on the capabilities of the equipment (graphics tablet, handheld screen, etc.) .)
• Recognition by handwriting. The method is generally similar to the above, but instead of a signature, it uses a certain code word, and only the standard keyboard is required from the hardware. The main characteristic by which the convolution is constructed for identification is the dynamics of the codeword set;
• Recognition by voice. Currently, the development of this one of the oldest technologies has accelerated, since it is expected to be widely used in the construction of intelligent buildings. There are many ways to build a voice identification code: as a rule, these are various combinations of frequency and statistical characteristics of the latter.
In general, for many of the above methods, you need fairly expensive equipment and equally expensive software. There are quite good developments in this area, but they will not soon become the same standard as the above listed methods. Moreover, with the development of technology, the role of biometrics as a means of authentication will decrease, as it becomes easier for an attacker to access such data. You can record a voice, take a picture of your face and eyes, and scan your fingerprints. Then create a computer model, and print the mask on a 3D printer. As a result, biometrics will become more a means of identification.
Social Factor (Social Authentication)- "those who know you." As a last factor, you can use someone who knows you, but of course not you, but a legal user. Such a system can be called based on trusted authentication. For example, in organizations, the responsibility for authenticating a user who has forgotten or lost a password is often transferred to the system administrator, security, or other technical personnel. Microsoft has long used an account-based account recovery form for its own employees: if an employee forgot his credentials, his manager or colleagues could request a temporary password on his behalf [27]. Such a mechanism, by definition, requires the intervention of another person, and is applicable, often, in small systems of small and medium-sized companies,where the system administrator can find the time to generate a new password. In large companies and corporations, there are entire departments dealing with similar problems. Therefore, this authentication method is currently one of the most expensive. However, Facebook is a pioneer in this area. They were the first to introduce an automated social authentication system called “trusted friends”, which probably saved a lot of money for those support.under the name "trusted friends", which certainly saved a lot of money for those support.under the name "trusted friends", which certainly saved a lot of money for those support.
I hope someone this article will seem useful.
REFERENCES
1. M. Just. Designing authentication systems with challenge questions. In the LF Cranor and the Security Corp., editors, Security & Usability, Sebastopol, CA, 2005. O'Reilly Media, Inc.
2. B. Sullivan. 'forgot your password?' may be weakest link. MSNBC Red Tape Chronicles, Aug. 26, 2008. URL: redtape.msnbc.com/2008/08/almost-everyone.html
3. M. Jakobsson, E. Stolterman, S. Wetzel, and L. Yang. Love and authentication. In CHI '08: Proceeding of the Twenty-Sixth Annual Conference on Computing Systems, pages 197–200, New York, NY, USA, 2008. ACM.
4. Identifying Close Friendship on the Internet - Randy Baden, Neil Spring, Bobby Bhattacharjee
5. FaceTrust: Assessing the Online Personas via Social Networks - Michael Sirivianos, Kyungbaek Kim, Xiaowei Yang
6. Social Authentication. Alex Rice URL: blog.facebook.com/blog.php?post=486790652130 (accessed January 2011).
7. T. Pullar-Strecker. NZ bank adds security online. Sidney Morning Herald, 8 November 2004. Referenced 2006 AT www.smh.com.au THE .
8. CommonwealthBank. NetBank NetCode SMS, 2008. URL: www.commbank.com.au/netbank/netcodesms .
9. CREDANT Technologies. New York Cabs, 16th of May 2008. URL:www.credant.com/mountains-of-mobiles-left-in-the-back-of-new-york-cabs.html .
10. S. Schechter, S. Egelman, and RW Reeder. It’s a social approach to last-resort authentication. In CHI '09: ProMedings of the ACM SIGCHI Conference on Human Factors in Computing Systems, Boston, MA, 2009. ACM.
11. J. Kremer. Happy 10th birthday, Yahoo! Mail, Oct. 2007. URL: ycorpblog.com/2007/10/08/happy-10th-birthday-yahoo-mail .
12. Microsoft Corporation. Windows live hotmail fact sheet, May 2007. URL: www.microsoft.com/presspass/newsroom/msn/factsheet/hotmail.mspx .
13. KD Mitnick and WL Simon. The Art of Deception: Controlling the Human Element of Security. Wiley, 2002.
14. DV Klein. Foiling the cracker: In UNIX Security II: USENIX Workshop Proceedings, pages 5–14, Berkeley, CA, 1990.
15. SafeNet, Inc. 2004 annual password survey results, 2005. URL: www.safenet-inc.com/news/view.asp?news ID = 239.
16. K.-PL Vu, RW Proctor, A. Bhargav-Spantzel, B.-LB Tai, J. Cook, and EE Schultz. Improving password security and organizational information. Int. J. Hum.-Comput. Stud., 65 (8): 744–757, 2007.
17. S. Brostoff and AM Sasse. Increasing the number of attempts to improve the password usability. In Proceedings of CHI 2003 Workshop on HCI and Security Systems, 2003.
18. J. Leyden. Office workers give away passwords for a cheap pen. The Register, 18 April 2003. Referenced 2006 at www.theregister.co.uk .
19. HP Ltd. Top 20 websites, 2008. URL: www.hitwise.com/datacenter/rankings.php .
20. S. Schechter, AJB Brush, and S. Egelman. It's no secret: Measuring the security and reliability of authentication via `secret 'questions. In IEEE Security and Privacy. IEEE, 2009.
21. Rabkin. Fallback questions. In SOUPS '08: Proceedings of the 4th Symposium on Usable Privacy Policy, pages 13–23, New York, NY, USA, 2008. ACM.
22. J. Podd, J. Bunnell, and R. Henderson. Cost-effective computer security: Cognitive and associative passwords. In OZCHI '96: Proceedings of the 6th Australian Conference on Computer-Human Interaction (OZCHI '96), page 304, Washington, DC, USA, 1996. IEEE Computer Society.
23. M. Zviran and WJ Haga. User authentication by cognitive passwords: an empirical assessment. In JCIT: Jerusalem Conference on Information Technology, pages 137–144, Los Alamitos, CA, USA, 1990. IEEE Computer Society Press.
24. Joseph Bonneau, University of Cambridge, Mike Just, Greg Matthews, What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. In Financial Cryptography and Data Security '10
25. T. Bridis. Hacker impersonated Palin, stole e-mail password, Sept. 18, 2008. Associated Press.
26. GOST R 51241-98
27. S. Schechter, S. Egelman, and RW Reeder. It’s a social approach to last-resort authentication. In CHI '09: ProMedings of the ACM SIGCHI Conference on Human Factors in Computing Systems, Boston, MA, 2009. ACM.
I was faced with the fact that there is no generally accepted classification, and each author has his own, if there is one at all. Therefore, I offer you my classification, synthesized from those that I met in the process. And I would like to hear the opinion of experts, how rational, adequate and useful it is. And most importantly, have you heard it somewhere before?
After analyzing the existing user authentication mechanisms, I identified 3 main characteristics that each of them has:
The degree of automation may be complete or incomplete . This refers to the automation of authentication from the system, not the user. Those. authentication system on Habré is fully automated, and the authentication system with the help of an intercom is not completely, because Host authentication is required for guest authentication.
')
The priority of use is the order in which the user uses this authentication method.
The main authentication method As the name suggests, this method is used for regular login. The most common of these is password login, which is used in the vast majority of computer systems. A less common way is to use hardware identifiers to which access keys or user passwords are written.
Two-factor authentication is also popular in the corporate sector. As a rule, this means a bundle of e-token and a PIN code entered by the user, but there are also more exotic combinations consisting of a biometric scanner and a hardware identifier or user password.
Backup authentication method In case of loss of a password or an e-token, or account hacking, backup authentication methods take effect. However, these are not so much authentication methods as password reset mechanisms.
Two methods are most common: answering a “secret question” and sending a password to a trusted mailbox specified during registration. These methods are included in the gentleman's set of any self-respecting information service.
There are many interesting modifications to this authentication method. For example, one of the first was the proposal to use their own "secret questions" [1]. What was almost immediately implemented by leading providers [2].
You can also give an example of an advanced backup authentication system based on questions from the online dating database. There are many such questions, they are simple in themselves, but in aggregate one can clearly enough imagine the character of a person. When contacting, the system asks some of the questions from which the user answered during registration, if he can correctly answer most of them, then authentication is considered successful [3].
A very similar idea was described in recent papers [4, 5]. Both of them tried to build authentication based on a set of simple “secret questions” into the PKI architecture. And if in the first work Randy Baden, Neil Spring and Bobi Bhatacharji tried to generate a common encryption key for two friends based on answers to such “secret questions” compiled by users [4], in the second work the authorization server with the base appeared as the second user personal data [5].
There are no less original ideas about using user information, for example, everyone knows captcha (and how annoying it can be): difficult-to-read combinations of letters and numbers that you have to enter in order, say, to complete the registration. And although her task is to protect information services from ubiquitous bots, Facebook engineers decided to cross it with “secret questions” and use it as a backup authentication system. Not long ago, Facebook introduced Social Authentication [6] on Facebook, which is a wrong name. The user is shown several photos of his friends, and he must correctly enter the names of friends.
As mentioned at the beginning, the second method is to send the password to a trusted mailbox. In general, the concept of shifting responsibility for authenticating a person from one side to another is not new. Authenticating users via an alternate email address shifts the responsibility of authentication to the provider of that alternate address. It should be added that since the box is not the main one, it is used less frequently, and therefore the probability of forgetting the password or the answer to the “secret question” becomes much higher. True, since the number of mobile phones sold in Russia exceeded its total population, many providers have the opportunity to send new passwords using sms messages. For the first time, this system was used by banks for additional authentication of transactions [7, 8], after which, having proved its effectiveness, it was adopted by other Internet services. But such a system also has its drawbacks inherent in all hardware identifiers. Phones are very often lost, stolen or broken. For example, in a 2008 article, it is reported that more than 60,000 mobile phones are forgotten every year in New York taxis alone [9].
last-resort mechanism (“last resort”) Despite all the drawbacks and weaknesses of such backup access recovery mechanisms, leading Internet companies have to use them, because the alternative to this is the use of “last-resort” authentication [10], which can be translated as authentication of the "last resort", that is, the mechanism resorted to in the most extreme cases, when all other methods were powerless. At the moment, this means contacting information system administrators or special customer support departments, and this is prohibitively expensive given that all of the two largest mail providers have the number of active users per year more than a billion [11, 12]. But even such departments are virtually defenseless against social engineering, as the legendary hacker Kevin Mitnick wrote in 2002 in his book [13]. He rightly points out that a person will be the weakest link even in the most complex system of protection.
Authentication factor used - authentication is the process of comparing information provided by the user with the reference one. Depending on the type of information, it can be attributed to one of the four main factors, or to their combination.
The knowledge factor (Password Authentication) is “what you know.”
The first and most common authentication mechanism at the moment is the input of something that only the user knows, such as a password or a secret question answer. Theoretically, this is the easiest and safest authentication method, since it has sufficient cryptographic strength, it is easy and cheap to implement, and all that is needed from the user is to memorize an 8–12-character combination of letters, numbers, and various signs. However, in practice, everything is completely different.
Firstly, users, as a rule, set weak passwords, which is connected with the very physiology of a person, or more precisely, of his brain. Our thinking is associative and directly related to speech, we think in images, each of which has a name, so as a password we choose the name of one of them. Thus, we can find most of the passwords set by users in a regular dictionary, and therefore they are easily selected using the dictionary search method. A lot of articles have been written about weak cryptographic strength of user-selectable passwords. One of the oldest dates back to 1990. In it, Daniel Klein describes how he, having armed himself with a dictionary of 62,727 words, was able to pick up passwords to 3,340 accounts in a couple of weeks, which accounted for 24.2% of the total [14]. It is worth noting two factors:
1. People have not asked for more complex passwords since.
2. According to "Moore's Law", the computing power of computers has since grown more than 16 thousand times.
Of course, since then a lot of research has been done and many systems for constructing complex passwords based on mnemonic phrases have been proposed on their basis. But as a percentage, few people use them.
Moreover, in spite of any miracle system, with increasing password complexity, it is harder to remember. A SafeNet study from 2004 found that 47% of respondents forgot their passwords during the year [15]. And with the increasing number of accounts from various computer systems, which every year becomes more and more, the situation is even more aggravated. The ability to remember passwords was studied in Wu's laboratory in 2007. After the first week, 12.5% ​​of participants forgot their six-letter alphanumeric passwords. Of the participants who had to remember the passwords of five accounts, 25% forgot at least one [16].
In addition, with the increasing complexity of passwords, the number of errors when entering it increases. For example, Brosstoff and Sayss noticed that permission to enter up to ten wrong passwords in a row reduces the number of requests to reset them [17]. Actually, after this research, many companies have adjusted their password policies.
But even this is not the worst. A study by John Ladeon in 2003 revealed the frightening tendency of office workers to communicate their passwords to strangers for a nominal fee. The study involved 152 people. They were asked a series of questions, one of which asked for the user's password, and 75% of the respondents immediately called him. They revealed their password in exchange for a trinket worth less than one pound sterling [18].
The next most common authentication mechanism is usually used if the password is still lost. Then the user is asked to answer the so-called "secret question", the answer to which he indicated during the registration of the account. Such a system is used by 4 leading mail providers AOL, Google (Gmail), Microsoft (Hotmail), and Yahoo! [nineteen].
However, the cryptographic resistance of such “question and answers” ​​chosen by users is even lower than that of the passwords they choose. In 2009, a study report was published at the IEEE Security and Privacy conference, which was attended by 130 people. The results showed that slightly less than a third of the subjects - 28 percent - were able to “guess” the answer to the secret password, if they knew their opponent closely. If the opponent was completely unfamiliar, then the answer to the question guessed 17 percent of the subjects. However, the final result depends on the complexity of the question. For example, the question of the user's favorite team or his favorite city will not be a big problem in 30 and 57 percent of cases, respectively. But even to questions of a personal nature — the city of birth, or the pet’s nickname — the hacker gives the correct answer in 45 and 40 percent of cases, respectively. In addition, after 3 to 6 months, 49 participants asked to remember their answers, 16% forgot them [20]. Earlier in 2008, Ariel Rabkin conducted a similar study saying that many of the “secret questions” were or were not applicable to more than 15% of the general public, not remembered, ambiguous, easily guessed even without information about the victim, or easily guessed with minimal knowledge of the victim [21]. Similar work was carried out earlier in 1996 [22] and in 1990 [23]. They also investigated the ability to memorize and guess the answers to “secret questions”. And they showed similar results, namely: spouses and close friends could guess 33% -39% of responses, and 20% -22% forgot their answers within 3 months.
Interesting work was published the year before. Its purpose was to find out the cryptographic answers to the “secret questions” by themselves. To this end, the authors have collected a huge database (about 269 million) of names, surnames, pet names, dates, and birthplaces of users. When analyzing these data, it turned out, but it didn’t surprise me that they obey the Zipf distribution, a special case of which is the “Pareto law”, i.e. 20% of names and dates accounted for 80% of users. As a result, it turned out that the cryptographic resistance of the answers to these “secret questions” corresponds to the cryptographic strength of the encryption key with a length of 8 to 23 bits, depending on the prevalence of a particular name or surname [24].
In 2005, V. Griffin and M. Jacobson conducted a study that revealed that the answers to the most popular "secret questions" can be found in open sources. This was brilliantly confirmed in practice in 2008 during the US presidential election, when the account of Sarah Palin, the Republican candidate, was cracked with the help of a “secret question” [25].
The real factor (hardware authentication) is “what you own.” The second most popular authentication factor. First of all, this refers to hardware-software systems for identification and authentication (SIA) or input devices for identification features [26]. The SIA includes hardware identifiers, input-output devices (readers, contact devices, adapters, system board connectors, etc.) and the corresponding software. Identifiers are designed to store unique identification features. In addition, they can store and process sensitive data. I / O devices and software exchange data between the identifier and the protected system.
In electronic CIA, identification signs are represented as a digital code stored in the identifier's memory. According to the method of data exchange between the identifier and the input-output device, electronic SIA are divided into:
• contact:
o iButton - information button - information "tablet";
o smart cards - smart cards;
o USB keys or USB tokens (token is an identifying mark, a marker);
• contactless:
o RFID identifiers - radio-frequency identification - radio frequency identifiers;
o smart cards.
Contact reading implies direct contact of the identifier with an I / O device. The contactless (remote) exchange method does not require a clear positioning of the identifier and the I / O device. Reading or writing data occurs when an identifier is presented at a certain distance to an I / O device.
SIA based on smart cards and radio frequency identifiers can be attributed to the time of their creation to the older one, iButton to the middle one, and USB keys to the younger generation.
When discussing the reliability of an AIA, the most important and at the same time the weakest link in the system - the identifier - is usually considered. In turn, the reliability of identifiers is associated with the degree of their protection from mechanical effects, the effects of temperature, external electromagnetic fields, corrosive media, dust, moisture, as well as from attacks aimed at opening chips that store secret data.
The developers of iButton identifiers ensure the safety of the characteristics of their products during a mechanical shock of 500g, falling from a height of 1.5 m onto a concrete floor, a working temperature range from -40 to 70 ° C, exposure to electromagnetic fields and the atmosphere. This is facilitated by a sealed steel case identifier, which retains strength with a million contacts with an input-output device. Some identifiers (DS1991, DS1963S) memory is protected from access. The lifetime of the iButton ID is 10 years.
The disadvantages of an iButton-based SIA include the absence of cryptographic tools built into identifiers that implement data encryption during storage and transfer to a computer. Therefore, iButton is usually used in conjunction with other systems that are entrusted with encryption functions.
Of course, RFIDs, smart cards, and USB keys are inferior to the iButton in terms of their mechanical reliability. Plastic compete with steel is difficult. Card failure due to mechanical damage is not a rare event. The ten-year research conducted on the French GIE Carte Bancaire project over 22 million cards showed that the probability of their failure for a number of reasons (which also includes mechanical damage) is 0.022.
The bottleneck of USB keys is also the resource of their USB connectors. The developers of these identifiers even include this indicator in the technical specifications of the products. For example, for identifiers of the eToken family, the guaranteed number of connections is at least 5000 times.
The advantage of radio-frequency identifiers, smart cards and USB-keys is that they include a secure non-volatile memory and a cryptographic processor, which allows to increase the level of protection of devices. However, the attacking side does not sleep, coming up with various ways of revealing secret information.
Published many works that describe a variety of attacks on the chips identifiers.These studies are both theoretical and practical. Theoretical methods of dissection include, in particular, Bellcore attacks, differential analysis of distortions DFA (Differential Fault Analysis) and power DPA (Differential Power Analysis). Practical methods include glitching and physical attacks aimed at unpacking the chip and extracting the necessary information.
Developers of cryptographic processors seek, as far as possible, to adequately respond to attacks with the help of various external and internal protection mechanisms. The external protection mechanisms include the installation of sensors (capacitive or optical sensor), chip coating with a metal layer, special adhesives, etc., bus encryption, random clocking, repeated calculations, noise generation are internal.
In general, due to the cost of hardware identifiers, they are used mainly in business, where convenience, reliability and high cryptographic strength are required. There are only two main disadvantages: they can be taken away or lost and they can break.
Biofactor (Biometric Authentication)- “what is a part of you.” Biometric data, for removal of which, as a rule, special software and hardware are necessary - so-called biometric scanners, which differ in the nature of the read data.
Static based biometric scanners:
• Fingerprint recognition. This is the most common static method of biometric identification, which is based on the uniqueness for each person of the pattern of papillary patterns on the fingers. A fingerprint image obtained using a special scanner is converted into a digital code (convolution) and compared with a previously entered pattern (reference) or a set of templates;
• Recognition by hand geometry. This static method is based on the recognition of hand geometry, which is also a unique biometric characteristic of a person. Using a special device that allows you to get a three-dimensional image of the hand (some manufacturers scan the shape of several fingers), you get the measurements necessary to obtain a unique digital convolution that identifies a person;
• Iris recognition. This recognition method is based on the uniqueness of the iris pattern. To implement the method, a camera is needed, which allows to obtain an image of a human eye with sufficient resolution, and specialized software that allows to isolate the image of the iris of the eye from the resulting image, which is used to build a digital code to identify a person.
Biometric scanners based on dynamic methods:
• Handwriting recognition. As a rule, his signature (sometimes writing a code word) is used for this dynamic method of identifying a person. The digital identification code is formed according to the dynamic characteristics of the spelling, that is, a convolution is built to identify, which includes information on the graphic parameters of the signature, the time characteristics of applying the signature and the dynamics of pressure on the surface, depending on the capabilities of the equipment (graphics tablet, handheld screen, etc.) .)
• Recognition by handwriting. The method is generally similar to the above, but instead of a signature, it uses a certain code word, and only the standard keyboard is required from the hardware. The main characteristic by which the convolution is constructed for identification is the dynamics of the codeword set;
• Recognition by voice. Currently, the development of this one of the oldest technologies has accelerated, since it is expected to be widely used in the construction of intelligent buildings. There are many ways to build a voice identification code: as a rule, these are various combinations of frequency and statistical characteristics of the latter.
In general, for many of the above methods, you need fairly expensive equipment and equally expensive software. There are quite good developments in this area, but they will not soon become the same standard as the above listed methods. Moreover, with the development of technology, the role of biometrics as a means of authentication will decrease, as it becomes easier for an attacker to access such data. You can record a voice, take a picture of your face and eyes, and scan your fingerprints. Then create a computer model, and print the mask on a 3D printer. As a result, biometrics will become more a means of identification.
Social Factor (Social Authentication)- "those who know you." As a last factor, you can use someone who knows you, but of course not you, but a legal user. Such a system can be called based on trusted authentication. For example, in organizations, the responsibility for authenticating a user who has forgotten or lost a password is often transferred to the system administrator, security, or other technical personnel. Microsoft has long used an account-based account recovery form for its own employees: if an employee forgot his credentials, his manager or colleagues could request a temporary password on his behalf [27]. Such a mechanism, by definition, requires the intervention of another person, and is applicable, often, in small systems of small and medium-sized companies,where the system administrator can find the time to generate a new password. In large companies and corporations, there are entire departments dealing with similar problems. Therefore, this authentication method is currently one of the most expensive. However, Facebook is a pioneer in this area. They were the first to introduce an automated social authentication system called “trusted friends”, which probably saved a lot of money for those support.under the name "trusted friends", which certainly saved a lot of money for those support.under the name "trusted friends", which certainly saved a lot of money for those support.
I hope someone this article will seem useful.
REFERENCES
1. M. Just. Designing authentication systems with challenge questions. In the LF Cranor and the Security Corp., editors, Security & Usability, Sebastopol, CA, 2005. O'Reilly Media, Inc.
2. B. Sullivan. 'forgot your password?' may be weakest link. MSNBC Red Tape Chronicles, Aug. 26, 2008. URL: redtape.msnbc.com/2008/08/almost-everyone.html
3. M. Jakobsson, E. Stolterman, S. Wetzel, and L. Yang. Love and authentication. In CHI '08: Proceeding of the Twenty-Sixth Annual Conference on Computing Systems, pages 197–200, New York, NY, USA, 2008. ACM.
4. Identifying Close Friendship on the Internet - Randy Baden, Neil Spring, Bobby Bhattacharjee
5. FaceTrust: Assessing the Online Personas via Social Networks - Michael Sirivianos, Kyungbaek Kim, Xiaowei Yang
6. Social Authentication. Alex Rice URL: blog.facebook.com/blog.php?post=486790652130 (accessed January 2011).
7. T. Pullar-Strecker. NZ bank adds security online. Sidney Morning Herald, 8 November 2004. Referenced 2006 AT www.smh.com.au THE .
8. CommonwealthBank. NetBank NetCode SMS, 2008. URL: www.commbank.com.au/netbank/netcodesms .
9. CREDANT Technologies. New York Cabs, 16th of May 2008. URL:www.credant.com/mountains-of-mobiles-left-in-the-back-of-new-york-cabs.html .
10. S. Schechter, S. Egelman, and RW Reeder. It’s a social approach to last-resort authentication. In CHI '09: ProMedings of the ACM SIGCHI Conference on Human Factors in Computing Systems, Boston, MA, 2009. ACM.
11. J. Kremer. Happy 10th birthday, Yahoo! Mail, Oct. 2007. URL: ycorpblog.com/2007/10/08/happy-10th-birthday-yahoo-mail .
12. Microsoft Corporation. Windows live hotmail fact sheet, May 2007. URL: www.microsoft.com/presspass/newsroom/msn/factsheet/hotmail.mspx .
13. KD Mitnick and WL Simon. The Art of Deception: Controlling the Human Element of Security. Wiley, 2002.
14. DV Klein. Foiling the cracker: In UNIX Security II: USENIX Workshop Proceedings, pages 5–14, Berkeley, CA, 1990.
15. SafeNet, Inc. 2004 annual password survey results, 2005. URL: www.safenet-inc.com/news/view.asp?news ID = 239.
16. K.-PL Vu, RW Proctor, A. Bhargav-Spantzel, B.-LB Tai, J. Cook, and EE Schultz. Improving password security and organizational information. Int. J. Hum.-Comput. Stud., 65 (8): 744–757, 2007.
17. S. Brostoff and AM Sasse. Increasing the number of attempts to improve the password usability. In Proceedings of CHI 2003 Workshop on HCI and Security Systems, 2003.
18. J. Leyden. Office workers give away passwords for a cheap pen. The Register, 18 April 2003. Referenced 2006 at www.theregister.co.uk .
19. HP Ltd. Top 20 websites, 2008. URL: www.hitwise.com/datacenter/rankings.php .
20. S. Schechter, AJB Brush, and S. Egelman. It's no secret: Measuring the security and reliability of authentication via `secret 'questions. In IEEE Security and Privacy. IEEE, 2009.
21. Rabkin. Fallback questions. In SOUPS '08: Proceedings of the 4th Symposium on Usable Privacy Policy, pages 13–23, New York, NY, USA, 2008. ACM.
22. J. Podd, J. Bunnell, and R. Henderson. Cost-effective computer security: Cognitive and associative passwords. In OZCHI '96: Proceedings of the 6th Australian Conference on Computer-Human Interaction (OZCHI '96), page 304, Washington, DC, USA, 1996. IEEE Computer Society.
23. M. Zviran and WJ Haga. User authentication by cognitive passwords: an empirical assessment. In JCIT: Jerusalem Conference on Information Technology, pages 137–144, Los Alamitos, CA, USA, 1990. IEEE Computer Society Press.
24. Joseph Bonneau, University of Cambridge, Mike Just, Greg Matthews, What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. In Financial Cryptography and Data Security '10
25. T. Bridis. Hacker impersonated Palin, stole e-mail password, Sept. 18, 2008. Associated Press.
26. GOST R 51241-98
27. S. Schechter, S. Egelman, and RW Reeder. It’s a social approach to last-resort authentication. In CHI '09: ProMedings of the ACM SIGCHI Conference on Human Factors in Computing Systems, Boston, MA, 2009. ACM.
Source: https://habr.com/ru/post/177551/
All Articles