Company LOGO

http://cs.york.ac.uk/~xundong

User Authentication Threat Modelling from User and Social

Perspective

“Defending the Weakest Link: Intrusion via Social Engineering” EPSRC Grant EP/D051819/1

All Hands Meeting Edinburgh 2008

Xun Dong （ xundong@cs.york.ac.uk ） , John A. Clark and Jeremy L. JacobUniversity of York

Company LOGO

http://www.cs.york.ac.uk/~xundong

Motivation: Attacking Trend ShiftGrid users may become the focus of attack:

– The technical barrier to hack the systems has been increased significantly; protection for users is less well developed.

– Valuable information such as authentication credentials sought by attackers are possessed by users as well.

– Many system designs do not help the general user to achieve security goals.

• Existing threat modelling techniques do not deal with users (though general purpose e.g. Microsoft’s TM, and various domain specific threat modelling techniques and models have been developed)

• The complexity of identifying user side vulnerabilities is significant, however, there is no method designers can rely on.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Simple Attack Taxonomy

Passive attacks:They do not require active victim involvement, often

achieving their goal by analysing information available to

attackers (e.g. that from public databases or websites, or

even rubbish bin contents). Many are launched by

insiders or people who have close relationships with the

victims.

Active attacks:

They exploit the user’s difficulty in authenticating External Entities (EEs), requesting the user’s authentication credentials whilst posing as trustworthy parties. Typical examples are phishing and pharming attacks.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Overview

Threat Modelling

Passive Attacks

Active Attacks

Identify AC Properties

Check the Exposure Level

Identify the Dependency

Relationships

Identify the Lifecycle

of AC

Identify the Impersonating

Targets

Entry Points Analysis

Company LOGO

http://www.cs.york.ac.uk/~xundong

Dependency Relationships

The authentication systems may be designed and implemented independently, but the choices of the user authentication credentials may connect different systems into complex and unpredictable networks.

Examples: Access to an secondary email account is used to recover/reset the password.

Institutional photo ID such as student card is accepted as authentication credentials to prove one’s identity.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Dependency Relationships

Compromise of the security of the current

authentication system:

– The security of the current system is equal to the security of the weakest system reachable in the graph.

– Obtaining authentication credentials to the weakest system propagates access back up the chain.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Dependency RelationshipsIdentify its existence by the properties of user authentication credentials:

– users have access to;– assigned by third parties;

Represent them in graph:– Three Components in the graph

• Node : represents a system• Directed Edges: an edge from Node ‘A’ to Node ‘B’ means Node

‘A’ depends on Node ‘B’. • Special symbol ‘R’ : Represent random systems, and edge

towards R from Node ‘A’ means the system which A is depends on is unpredictable.

– The start node of the graph is the system being designed.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Impersonating Targets

May be wider than the system being considered:• the entities that the user has shared

authentication credentials with; • the entities that are entitled to request users’

authentication credentials or initiate user-to-EE authentication;

• and the entities that exist in the authentication dependency graph.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Lifecycle of Authentication Credentials

Company LOGO

http://www.cs.york.ac.uk/~xundong

Attack Entry Points

Active attacks can only obtain user’s authentication

credentials when they are exchanged. By using the lifecycle

analysts can identify in which states and in which transitions

this occurs:

1. Synchronisation State;

2. Operation State;

3. State transition from operation to assignment;

4. State transition from operation to synchronisation;

5. State transition from suspension to assignment;

6. State transition from suspension to operation.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Entry Points Analysis

Reliability and Sufficiency of Authentication Information: The successful EE-to-user authentication users must have reliable and sufficient authentication credentials.

Knowledge: Users need both technical and contextual knowledge to decide whether to release the credentials requested by an external entity.

Assumptions: The security of EE-to-user authentication depends on the strength of the assumption on users can perform certain required actions correctly and consistently.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Communication Channels (CC)

Active attacks need to engage user victims on a

communication channel, and the trust, expectation

and perception constructed in communications

could reduce users’ ability to authenticate the EE

in the following authentication session.

Analysts should identify and analyse the

vulnerabilities within the CC with the same method

as used in analysis for the attack entry points.

Company LOGO

http://www.cs.york.ac.uk/~xundong

Conclusion

• User–side threat modelling is as important as system–side threat modelling, but it is much less well studied.

• Our method is an initial effort towards developing a threat modelling method that can be used by system designers with moderate security knowledge.

• Your suggestions are appreciated.

An extended version will be delivered at ICICS 2008: Birmingham 20-22 October 2008

Company LOGO

http://www.cs.york.ac.uk/~xundong

Questions & Answers

If you have a system that would like us to study, we are very happy to hear from you!

Defending the Weakest LinkIntrusion via Social Engineering

EPSRC Grant EP/D051819/1