Authentication - secuguru/security-terms GitHub Wiki

Authentication is a crucial security process that verifies a user’s identity before granting access to resources. Various methods and systems contribute to secure authentication, each with unique features, applications, and potential vulnerabilities. Here’s a breakdown of key authentication concepts and mechanisms, including certificates, Trusted Platform Module (TPM), OAuth, auth cookies, sessions, authentication systems (such as SAML, OpenID, and Kerberos), biometrics, password management, and multi-factor authentication.

1. Certificates

  • Definition: Digital certificates are electronic documents used to verify the identity of an entity (e.g., a server, user, or device). They are essential in secure communications and digital signatures.
  • Information Contained:
    • Subject Information: The identity of the certificate owner (e.g., a website’s domain or an individual).
    • Public Key: The public key associated with the entity.
    • Issuer: Information about the Certificate Authority (CA) that issued the certificate.
    • Validity Period: The dates between which the certificate is valid.
    • Signature: A digital signature from the issuing CA, verifying authenticity.
  • Signing Process: Certificates are signed with a CA’s private key, making them verifiable by anyone who trusts the CA’s public key. The CA’s trustworthiness is therefore critical in certificate-based authentication.
  • Example of a Breach - DigiNotar: DigiNotar was a Dutch CA that suffered a breach in 2011. Attackers issued fraudulent certificates, leading to a loss of trust in the CA. This incident underscored the importance of securing CAs and maintaining the integrity of certificates.

2. Trusted Platform Module (TPM)

  • Definition: A TPM is a hardware component in devices designed to securely store cryptographic keys, certificates, and authentication data.
  • Purpose: TPM provides trusted storage for sensitive authentication data and supports secure cryptographic operations, such as signing and encryption.
  • Use Cases:
    • Trusted Boot: Verifying the integrity of the boot process.
    • Secure Storage: Storing certificates, credentials, and keys securely on the device, making it difficult for attackers to access or tamper with authentication data.
  • Security Implications: TPMs enhance device security by isolating sensitive data from the main OS, reducing the risk of credential theft and tampering.

3. OAuth

  • Definition: OAuth is an open standard for access delegation commonly used for user authentication, allowing third-party services to access resources without exposing the user’s credentials.
  • Bearer Tokens:
    • OAuth uses bearer tokens, which are short-lived tokens issued after authentication. Bearer tokens are vulnerable to interception and can be used if stolen.
    • Like cookies, tokens do not inherently contain user credentials but allow access to resources during their validity period.
  • Security Considerations: OAuth implementations must protect tokens from theft or interception. Once stolen, a bearer token can be used until it expires or is revoked, similar to session cookies.

4. Authentication Cookies

  • Definition: Auth cookies store session information on the client’s side to maintain an authenticated state after login.
  • Usage:
    • Storage on Client-Side: Cookies are sent with each request to maintain authentication without repeatedly prompting the user.
    • Security Concerns: Vulnerable to theft via cross-site scripting (XSS) or interception if not protected by secure attributes (e.g., HttpOnly and Secure).
  • Importance: Cookies are essential in web authentication but need secure handling to prevent session hijacking.

5. Sessions

  • Definition: Sessions are temporary interactions between a user and server, often stored on the server side, that persist during a user’s login state.
  • How It Works: Upon login, the server creates a session ID, which is passed to the client as an identifier, often through cookies. This session ID is stored on the server, maintaining user context.
  • Security Concerns: Session hijacking can occur if attackers steal the session ID. Implementing session expiration and secure handling of session IDs helps mitigate this risk.
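The cookie and session handling described in sections 3 to 5 (server-side state keyed by an opaque ID, expiry, revocation, and the Secure/HttpOnly attributes), as an added example that is not part of the original wiki page; the store, the TTL and the audit helper are constructed for illustration:

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 15 * 60  # constructed value: seconds before the server drops the session


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Holds session state on the server; the client only ever sees the opaque ID."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, and no user data is encoded in the ID
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self._now() + SESSION_TTL)
        return sid

    def lookup(self, sid: str):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() >= s.expires_at:
            del self._sessions[sid]  # expired: a stolen ID stops working here
            return None
        return s.user

    def revoke(self, sid: str) -> None:
        # Logout or hijack response: invalidating the server-side record kills the cookie's value
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps the ID away from script (XSS), Secure keeps it off plaintext HTTP,
    # SameSite=Lax stops most cross-site requests from carrying it.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"


def cookie_weaknesses(header: str) -> list[str]:
    """Audit helper: report which protective attributes a Set-Cookie header lacks."""
    attrs = {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}
    return [a for a in ("httponly", "secure", "samesite") if a not in attrs]
```

The same expiry-and-revocation logic is what limits the damage of a stolen OAuth bearer token: the token is only a key into state the server controls.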

6. Authentication Systems

  • SAMLv2: Security Assertion Markup Language (SAML) is a protocol for Single Sign-On (SSO), allowing authentication across different services using assertions from a central identity provider (IdP).
  • OpenID: An open standard for SSO where users can authenticate once and use their identity across multiple platforms. Popular in social logins.
  • Kerberos:
    • Definition: Kerberos is a network authentication protocol that uses tickets issued by a central authentication server to authenticate users.
    • Golden & Silver Tickets:
      • Golden Ticket: A forged Ticket-Granting Ticket (TGT) allowing attackers unrestricted access within a domain.
      • Silver Ticket: A forged service ticket granting access to specific services.
    • Mimikatz: A tool commonly used to extract Windows credentials and perform attacks like Pass-the-Hash and Pass-the-Ticket.
    • Pass-the-Hash: An attack where attackers authenticate with a stolen password hash directly, without ever needing the plaintext password.

7. Biometrics

  • Definition: Biometrics use unique physical traits (e.g., fingerprints, facial recognition) for authentication.
  • Strengths and Weaknesses:
    • Strength: Biometrics are difficult to forge and convenient for users.
    • Weakness: Unlike passwords, biometric data cannot be easily changed or “rotated” if compromised, leading to privacy risks and the potential for abuse.

8. Password Management

  • Rotating Passwords:
    • Challenge: Frequent password rotation can lead to weaker security as users adopt predictable patterns or simpler passwords.
  • Password Lockers:
    • Secure storage solutions for managing complex passwords, enabling users to use unique passwords across accounts.
  • Security Implications: Password lockers help users manage complex passwords securely, reducing the risk of credential reuse.

9. U2F / FIDO (Universal 2nd Factor / Fast Identity Online)

  • Definition: U2F/FIDO is a multi-factor authentication standard that uses physical security keys (e.g., YubiKeys) for added security.
  • Purpose: Prevents phishing by requiring a physical device as a second authentication factor.
  • Benefits: U2F/FIDO devices add a layer of security that’s difficult for attackers to bypass remotely, as they require physical possession of the device.
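Why a U2F/FIDO key resists phishing, as an added illustration that is not code from the original page: the authenticator signs the challenge together with the origin the browser observed, and keeps a separate credential per origin, so a relay from a look-alike site cannot produce a signature the real site accepts. Assumption: a keyed HMAC stands in for the per-credential ECDSA signature a real key would produce, so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Constructed stand-in for a security key: one credential per registered origin."""

    def __init__(self):
        self._keys = {}  # origin -> key material (HMAC key standing in for an ECDSA key pair)

    def register(self, origin: str) -> bytes:
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]  # the "public" part handed to the relying party

    def sign(self, origin: str, challenge: str):
        key = self._keys.get(origin)
        if key is None:
            return None  # no credential was ever registered for this origin
        # The origin is bound into the signed client data; the user cannot "type it wrong".
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


class RelyingParty:
    """Constructed relying party: issues one-time challenges and checks origin, challenge, signature."""

    def __init__(self, origin: str):
        self.origin = origin
        self._pending = set()
        self._cred = None

    def register(self, cred: bytes) -> None:
        self._cred = cred

    def challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self._pending.add(c)
        return c

    def verify(self, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return False  # signed for some other site: relayed through a phishing page
        if data["challenge"] not in self._pending:
            return False  # unknown or already-used challenge: replay
        expected = hmac.new(self._cred, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._pending.discard(data["challenge"])  # each challenge is accepted at most once
        return True
```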

10. Multi-Factor Authentication (MFA) Comparison

| Method | Type | Strengths | Weaknesses |
| --- | --- | --- | --- |
| Password + SMS | Knowledge + Possession | Easy to deploy; users are familiar with SMS | Vulnerable to SIM-swapping and interception |
| Password + Auth App | Knowledge + Possession | More secure than SMS; resistant to interception | App dependency; susceptible to phishing |
| Password + Biometrics | Knowledge + Inherence | Difficult to forge; user-friendly | Cannot be easily changed; potential privacy risks |
| Password + U2F Key | Knowledge + Possession | Strong phishing resistance; physical possession | Requires hardware (e.g., YubiKey); potential cost |

Summary:

  • Certificates: Used for verifying identity, with trust anchored in Certificate Authorities (CAs).
  • TPM: Hardware-based secure storage for sensitive data, enhancing local security.
  • OAuth: Access delegation standard with bearer tokens for short-lived access, but vulnerable to token theft.
  • Auth Cookies and Sessions: Used to maintain state in web authentication, vulnerable to session hijacking if not secured.
  • Authentication Systems: SAML, OpenID, and Kerberos provide SSO and secure ticket-based authentication.
  • Biometrics: Provide strong security but are unchangeable, raising privacy concerns.
  • Password Management: Password rotation is generally discouraged, with password managers improving credential security.
  • U2F/FIDO: Physical second factors that protect against phishing.
  • MFA Comparison: Combining multiple authentication factors provides a layered security approach, with U2F being one of the most secure methods for phishing protection.

These authentication methods and standards play a crucial role in modern cybersecurity, each providing unique strengths suited to different security needs. Multi-factor authentication enhances security by combining multiple types, balancing user convenience with the risk level of specific applications.