Authentication and Session Management
Bob Laskowski
IT 6873
Southern Polytechnic State University
Authentication Defined
 Authentication – when applied to network security, we want to make sure that the entity or data really is who or what it claims to be
Threats to authentication
 Hackers are always looking for ways into a network. If they can acquire your method of gaining access, they save themselves hours of research
 Keep in mind that different accounts have different levels of access; also, any foothold they can gain in a network gives them an advantage when looking for more vulnerabilities
 If they use accounts already within the system, it helps to mask their actions, because the account they are using will already have been granted authentication rights to one degree or another
Why is this important?
 Authentication-based attacks factored into about four of every five breaches involving hacking in 2012
 After Celebrity Photo Hack, How Safe Is the Cloud?
◦ The real question is less about how good iCloud security is and more about how strong (and how unique) a user's password is.
 If you can masquerade as another person, there are no limits on how much you can compromise the privacy and integrity of anyone's online data
Weakness for authentication
 Most developers build their own authentication and session management schemes
 Authentication and session management schemes are complex, and these custom-built ones tend to have flaws
 Since there is no standard for this and each development effort is different, these flaws are at times difficult to find when nobody is looking for them, which is why it is often a hacker who finally does find them
Some Common Authentication Methods
 Use of user IDs
◦ Standard first initial.last name, or something more complex
 Passwords
◦ complexity, length, age, timeout, re-tries
 Multifactor authentication
◦ something you know, have, are
 Encryption
◦ PGP, Public-Key Cryptography, SSL, S-HTTP and S/MIME
 One Time Passwords
◦ Hardware/software tokens
 Digital Signatures
Common Authentication Method examples:
 Use of user IDs
◦ Common methods revolve around first initial and last name, ex: r.smith
◦ However, this could give an attacker an edge in finding new accounts: a brute force attack with every letter of the alphabet and #.smith
◦ Possible new method to add protection:
 Use of initials and numbers, ex. rs1234@spsu.edu
 Or in some cases fully different aliases, ex. ws1289@spsu.edu can actually be rs1234@spsu.edu
 Think in terms of being obscure enough that no correlation can be made to actual data, aka data obfuscation, which is used in electronic health records
Common Authentication Method examples:
 Passwords
 We want a password to have a certain complexity to thwart dictionary and brute force attacks
 A good method for solid passwords is the Schneier scheme
◦ WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
◦ Wow...doestcst = Wow, does that couch smell terrible.
◦ Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
◦ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
 Here we take a phrase and break it down into one word or a shorter, seemingly nonsensical string that is much more difficult to crack
Common Authentication Method examples:
 Passwords
In the next slide we see a method to make sure the password entered is actually valid
password validation function
What is it?
 Whenever we have data entered in a form, we want to make sure that it is valid and not corrupted in any way. Here we are looking at checking the password someone enters
* Note: while I am using this method here for my report, you should not do this; a more secure method would be to email a token to a person and have them enter a password there. Having someone enter a password and gaining access directly
Application
 Password validation ranges from checking regular expressions to checking length and complexity. This is used as a precursor to defending against brute force attacks
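The kind of length, character-class and dictionary checks the slide describes, written out as an added example (not code from the slide deck); the policy values and the small common-password list are assumptions for the example. The function returns every violation at once rather than stopping at the first, so a user can fix the password in one round trip.

```python
import re
from typing import List

# Policy settings assumed for this example (not from the slides).
MIN_LENGTH = 12
MIN_CLASSES = 3  # at least three of the four character classes below

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample of a common-password list; a real deployment would load a
# much larger breached-password list and check it case-insensitively as here.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def validate_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, pattern in CHARACTER_CLASSES.items()
               if pattern.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"only {len(present)} character class(es) used; need {MIN_CLASSES}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("found in the common-password list (dictionary attack risk)")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    # Four or more of the same character in a row adds length without adding entropy.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated four or more times")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for the form handler: True only when no rule is violated."""
    return not validate_password(password, username)
```

Run against the Schneier-scheme passwords from the previous slide, all of them pass; "password" fails on three rules at once.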
Common Authentication Method examples:
 Multifactor authentication
 Something you know – password
 Have – security token
 Are – a biometric feature: fingerprint, eye scan and so on
It is a combination of two or more of these, thus giving a layered defense
Typical scenarios
Use of a card or PIN, VPN with digital certificates, fingerprints, hard or soft tokens
Common Authentication Method examples:
 Encryption
◦ PGP – uses hashes and compression, along with a symmetric key (one key to encrypt/decrypt) to protect data
◦ Public-Key Cryptography – use of asymmetric encryption (one key encrypts, the other decrypts)
◦ SSL, S-HTTP – use of certificates
◦ S/MIME – securing of email
Common Authentication Method examples:
 One Time Passwords
◦ Use of challenges and responses for users
◦ Only good for that session, and then times out
◦ Can be a hard or soft token, or an emailed or texted password
 Users can be tricked into giving these up with social engineering, and hackers can use that info to devise a pattern
 Possibly subject to man-in-the-middle attacks due to the transmission methods
Common Authentication Method examples:
 Digital Signatures
◦ helps to prove that data sent is from a reliable source
◦ gives reassurance
◦ confirms the message wasn’t tampered with
Common Authentication Method examples:
 In the next slide we see an example of hashing a password
 And we will see extra security applied to it with a salt
 These are examples of defense in depth; no one method or layer is 100% reliable
The One-Way Password Hashing Algorithm
What is it?
 A hash is a method in which we take a password, in this case, and apply a mathematical algorithm; this algorithm takes the fixed-length password and turns it into a fixed-length binary value.
Application
 Hashes tend to be used as digital signatures for software, to ensure it hasn’t been tampered with or corrupted when downloaded. However, in this case we can use them to protect the passwords of the users that attempt to log into our site.
pseudo-random salt generator
What is it?
 It is random data that is applied to a one-way function and then added to the hash of a password
Application
 Salts, when combined with password hashes, add a new level of difficulty for the attacker and help in defending against dictionary attacks
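The two preceding slides (salted one-way hashing of a stored password) as an added example; this is not code from the slide deck, and the salt length, the PBKDF2-HMAC-SHA256 work factor and the record layout are assumptions made for the example. The unsalted function is included only for contrast: it shows why two users with the same password must not share a hash.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example: 16-byte random salt and a PBKDF2 work factor.
SALT_BYTES = 16
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical hashes,
    so one precomputed dictionary cracks every user at once. Shown for contrast only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def generate_salt(length: int = SALT_BYTES) -> bytes:
    """Random salt from the operating system's CSPRNG, not a seeded PRNG."""
    return os.urandom(length)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted one-way function: PBKDF2-HMAC-SHA256 over password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> str:
    """Build the value stored in the user table: algorithm$iterations$salt$hash.
    The salt is stored in the clear; it is not a secret, it only has to be unique."""
    salt = generate_salt()
    digest = hash_password(password, salt)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algorithm != ALGORITHM:
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```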
Actual Authentication Threats
 Confidence Tricks
◦ Various phishing methods
 Remote Technical Tricks
◦ Spoofing, proxy exploits, sniffing, old exploits against technology
 Local Technical Tricks
◦ Software vulnerabilities, Trojans, viruses, hardware attacks
 Victim Mistakes
◦ Weak passwords, written-down sensitive data, user errors
 Implementation oversights
◦ Replays, trusting bad data, sensitive data remembered in forms
 Denial of service attacks
◦ Lock-outs for authorized users
 Enrollment errors
◦ New set of credentials created
Authentication attacks
Attack type: Brute Force
Attack description: Allows an attacker to guess a person's user name, password, credit card number, or cryptographic key by using an automated process of trial and error.
Attack type: Insufficient Authentication
Attack description: Allows an attacker to access a website that contains sensitive content or functions without having to properly authenticate with the website.
Attack type: Weak Password Recovery Validation
Attack description: Allows an attacker to access a website that provides them with the ability to illegally obtain, change, or recover another user's password.
Repercussions from Authentication attacks
 Accounts can be locked out, or the entire user database can be locked out
 Outages can occur if there are accounts that do batch work
 There can be a loss of confidence in the business if such an attack is publicized
Prevention Methods
 First and foremost, proper code development
◦ Think like a hacker: look for what can go wrong instead of waiting for it
 Have informed users
◦ Over-inform on proper security procedures, automate the mundane
 User access lattices
◦ Only access to what they need access to
 Security in layers
◦ Never assume one layer will do it all
Session management Defined
 Session Management – the practice of overseeing a transfer of data between two or more entities
 Session management focuses on an already authenticated user
 This authenticated user has their information bound to an actual session token/ID
Threats to Session management
 We've already authenticated properly to a connection and we begin to do what it is we do: work, shopping, surfing the web, our banking, etc.
 There will be a session identifier for what you are doing, similar to a tracking cookie if you will; this ID ties you to what you are actually doing
 In essence you're leaving a sort of digital bread-crumb trail
Why is this important?
 Crack in Internet’s foundation of trust allows HTTPS session hijacking
◦ “Once the session cookie is decrypted, hackers can exploit it to gain unauthorized access to the user account the session cookie is designed to authenticate. The process from start to finish takes "a few minutes."”
 Yahoo session hijacking likely culprit of Android spam
Weakness for session management
 Most developers build their own authentication and session management schemes
 Authentication and session management schemes are complex, and these custom-built ones tend to have flaws
 Since there is no standard for this and each development effort is different, these flaws are at times difficult to find when nobody is looking for them, which is why it is often a hacker who finally does find them
Some Common Session Management Methods
 Validate Session ID values coming from clients
◦ Have checks in place to confirm who's who
 Hard-to-Guess Cookie Values
◦ Match cookie values to session variables to complicate things
 User Authentication
◦ Good authentication always helps
 SSL Encryption
◦ Encryption always complicates things for hackers
 Use of trusted third parties
◦ Use a third-party session management implementation to offset risk
 Use sufficient session ID length
◦ Same as with passwords: longer equals more secure
 Ensuring no patterns become evident
◦ You don’t want patterns to be found in your session IDs; they could be susceptible to brute force attacks
 Associate session ID with IP address
◦ Extra layers of security
Common Session Management Method in depth
 Hard-to-Guess Cookie Values
 Cookies are carried in HTTP headers and allow control over token expiration, time and other granular features; this is why it’s the most common method used
 The session uses the cookie to maintain the connection: much like when you authenticate, the cookie keeps your credentials active over the session
 Making sure cookie values are not easily guessable prevents a hacker from taking known values, guessing a new one and establishing a connection with it
Common Session Management Method in depth
 SSL Encryption
 Since cookies are the most common method to establish and maintain the connection, we should also look at layered protection
 Making sure the cookies are sent over a secure connection
 This prevents a man-in-the-middle attack from succeeding and gaining usable data from a cookie
Actual Session Management threats
 Session hijacking attacks, targeted or generic
◦ Targeted: the goal is to impersonate a specific user
◦ Generic: they look for any user
 Session fixation attack
◦ Attacker hijacks a valid session
 Brute force
◦ Finding valid IDs through brute force searches
 Cross-site script attack
◦ Use of web applications to gain info
 Man-in-the-middle attack/Man-in-the-browser attack
◦ Actively/passively gaining info from unsuspecting people
 Prediction attacks
◦ Here a good ID is known and a next valid one is
Repercussions from Session Management attacks
 Users can be impersonated and damage can be masked
 Fraud and/or theft can occur, depending on system access
 Worst case: elevation of privileges granted
 Best case: compromised account is locked out
Prevention Methods
 Use of cookies
◦ Use of the Secure flag in the header makes them un-sniffable; use of restrictions
 Don’t allow users to determine session IDs
◦ Make sure they can't reuse old session info
 Each user should get a new identifier for your site
 Time-out session identifiers
◦ Creates a smaller window for the attacker
 Allow clean log-outs
◦ When the user logs out, the session is invalidated on client and server
 Use of secure channels for session cookies
◦ Encryption always hampers things for attackers
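The session-handling measures from the "Some Common Session Management Methods" slide and the prevention slide above (server-minted unguessable IDs, sufficient ID length, IP association, time-outs, clean log-out, Secure/HttpOnly cookie flags) combined in one server-side session store, as an added example that is not code from the slide deck. The ID length, idle time-out and cookie name are assumptions for the example; the clock is injectable so the time-out can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Values assumed for this example (not from the slides).
SESSION_ID_BYTES = 32            # 256 bits from the CSPRNG: long and pattern-free
IDLE_TIMEOUT_SECONDS = 15 * 60   # idle time-out narrows the attacker's window
COOKIE_NAME = "sessionid"


@dataclass
class Session:
    user: str
    client_ip: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table. The client only ever holds the opaque ID."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._now = now  # injectable clock so time-outs can be tested

    def create(self, user: str, client_ip: str) -> str:
        # The server always mints the ID and never adopts a client-supplied value;
        # that is what keeps an attacker from fixing a session ID in advance.
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._now()
        self._sessions[session_id] = Session(user, client_ip, now, now)
        return session_id

    def lookup(self, session_id: str, client_ip: str) -> Optional[Session]:
        """Validate an ID presented by a client; None means it must be rejected."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self._now()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            self.destroy(session_id)  # expired: drop it server-side as well
            return None
        if session.client_ip != client_ip:
            # IP association is an extra layer only: users behind NAT or on mobile
            # networks change address, so a mismatch should prompt a re-login.
            return None
        session.last_seen = now
        return session

    def rotate(self, session_id: str, client_ip: str) -> Optional[str]:
        """Issue a fresh ID after login or a privilege change and retire the old one."""
        session = self.lookup(session_id, client_ip)
        if session is None:
            return None
        self.destroy(session_id)
        return self.create(session.user, client_ip)

    def destroy(self, session_id: str) -> None:
        """Clean log-out: invalidate on the server, not just by clearing the cookie."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Secure: sent only over TLS (not sniffable); HttpOnly: not readable by page
    script; SameSite=Strict: not attached to cross-site requests."""
    return (f"Set-Cookie: {COOKIE_NAME}={session_id}; "
            "Secure; HttpOnly; SameSite=Strict; Path=/")
```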
Summary
 Never assume you are hack-proof; instead make sure you mitigate your risk by prioritizing your levels correctly
 Take into consideration what needs to be protected the most and what the damage will be if there is an issue with it
 Always make sure to use security in layers, and never put all your eggs in one basket
This article covers some of the principles laid out earlier in my slide deck:
Securing PHP User Authentication, Login, and Sessions
http://blackbe.lt/php-secure-sessions/
We see the use of hashing, linking to IP addresses, and password validation of length and complexity, used to make the password and session ID more difficult to discover
References and readings
 https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
 http://en.wikipedia.org/wiki/Session_%28computer_science%29
 http://blackbe.lt/php-secure-sessions/
 http://www.zdnet.com/hackers-favor-authentication-based-attacks-report-shows-7000014426/
 https://www.owasp.org/index.php/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data
 http://searchsecurity.techtarget.com/feature/State-based-attacks-Session-management
 https://www.owasp.org/index.php/Session_Management
 http://www.securityninja.co.uk/secure-development/session-management/
 https://www.google.com/search?q=obstrufucation+of+data&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=np&source=hp#rls=org.mozilla:en-US:official&channel=np&q=obsufucation+of+data