Company LOGO
http://cs.york.ac.uk/~xundong
User Authentication Threat Modelling from User and Social
Perspective
“Defending the Weakest Link: Intrusion via Social Engineering” EPSRC Grant EP/D051819/1
All Hands Meeting Edinburgh 2008
Xun Dong ( [email protected] ), John A. Clark and Jeremy L. Jacob, University of York
Motivation: Attacking Trend Shift
Grid users may become the focus of attack:
– The technical barrier to hacking the systems has been raised significantly; protection for users is less well developed.
– Valuable information sought by attackers, such as authentication credentials, is possessed by users as well.
– Many system designs do not help the general user to achieve security goals.
• Existing threat modelling techniques do not deal with users (although general-purpose techniques, e.g. Microsoft’s TM, and various domain-specific threat modelling techniques and models have been developed).
• The complexity of identifying user-side vulnerabilities is significant; however, there is no method designers can rely on.
Simple Attack Taxonomy
Passive attacks:
They do not require active victim involvement, often achieving their goal by analysing information available to attackers (e.g. that from public databases or websites, or even rubbish bin contents). Many are launched by insiders or people who have close relationships with the victims.
Active attacks:
They exploit the user’s difficulty in authenticating External Entities (EEs), requesting the user’s authentication credentials whilst posing as trustworthy parties. Typical examples are phishing and pharming attacks.
Overview (diagram of the method’s steps)
Threat Modelling: Passive Attacks; Active Attacks
– Identify AC Properties
– Check the Exposure Level
– Identify the Dependency Relationships
– Identify the Lifecycle of AC
– Identify the Impersonating Targets
– Entry Points Analysis
Dependency Relationships
The authentication systems may be designed and implemented independently, but the choices of the user authentication credentials may connect different systems into complex and unpredictable networks.
Examples:
– Access to a secondary email account is used to recover/reset the password.
– Institutional photo ID such as a student card is accepted as an authentication credential to prove one’s identity.
Dependency Relationships
Compromise of the security of the current authentication system:
– The security of the current system is equal to the security of the weakest system reachable in the graph.
– Obtaining authentication credentials to the weakest system propagates access back up the chain.
Dependency Relationships
Identify its existence by the properties of user authentication credentials:
– users have access to;
– assigned by third parties;
Represent them in a graph:
– Three components in the graph:
• Node: represents a system.
• Directed edges: an edge from Node ‘A’ to Node ‘B’ means Node ‘A’ depends on Node ‘B’.
• Special symbol ‘R’: represents random systems; an edge towards R from Node ‘A’ means the system which A depends on is unpredictable.
– The start node of the graph is the system being designed.
Impersonating Targets
May be wider than the system being considered:
• the entities that the user has shared authentication credentials with;
• the entities that are entitled to request users’ authentication credentials or initiate user-to-EE authentication;
• and the entities that exist in the authentication dependency graph.
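As an added example (not from the talk or the authors’ work), the dependency graph and weakest-link rule from the preceding slides, together with the impersonating-target set, in Python: nodes are systems, an edge from A to B means A depends on B, R is the unpredictable system, the effective security of the start node is the minimum over every reachable system, and the impersonation targets are the graph’s entities plus the two other entity classes listed above. The sample systems, node names and numeric security levels are constructed assumptions.

```python
from collections import deque

R = "R"  # special node: a random, unpredictable system the chain depends on

def reachable(graph, start):
    """All systems reachable from `start` by following dependency edges."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen

def weakest_link(graph, levels, start):
    """Effective security of `start`: the minimum level over every
    reachable system. If R is reachable the chain ends in an unknown
    system, so the effective level is reported as None (unbounded)."""
    nodes = reachable(graph, start)
    if R in nodes:
        return None, nodes
    return min(levels[n] for n in nodes), nodes

def impersonation_targets(graph, start, shared_with=(), entitled_requesters=()):
    """Entities an attacker may pose as: every system in the dependency
    graph (other than R) plus the two extra entity classes from the slides."""
    targets = reachable(graph, start) - {R}
    return targets | set(shared_with) | set(entitled_requesters)

# Constructed example (assumption, not a real deployment): a grid portal whose
# password reset goes to a secondary webmail account, which can itself be reset
# via SMS, and whose helpdesk accepts a photo ID issued by an unknown party (R).
GRAPH = {
    "grid_portal": ["webmail", "helpdesk"],
    "webmail": ["mobile_sms"],
    "helpdesk": ["photo_id"],
    "photo_id": [R],
}
# Higher number = stronger authentication; values are illustrative only.
LEVELS = {"grid_portal": 5, "webmail": 3, "mobile_sms": 2, "helpdesk": 4, "photo_id": 1}

if __name__ == "__main__":
    level, nodes = weakest_link(GRAPH, LEVELS, "grid_portal")
    print("reachable:", sorted(nodes), "effective level:", level)
    # Removing the helpdesk path: the effective level becomes that of SMS reset.
    trimmed = {k: [n for n in v if n != "helpdesk"] for k, v in GRAPH.items()}
    print("without helpdesk:", weakest_link(trimmed, LEVELS, "grid_portal")[0])
    print("targets:", sorted(impersonation_targets(GRAPH, "grid_portal", ["bank"])))
```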
Lifecycle of Authentication Credentials
Attack Entry Points
Active attacks can only obtain users’ authentication credentials when they are exchanged. By using the lifecycle, analysts can identify in which states and in which transitions this occurs:
1. Synchronisation State;
2. Operation State;
3. State transition from operation to assignment;
4. State transition from operation to synchronisation;
5. State transition from suspension to assignment;
6. State transition from suspension to operation.
Entry Points Analysis
Reliability and Sufficiency of Authentication Information: For EE-to-user authentication to succeed, users must have reliable and sufficient authentication credentials.
Knowledge: Users need both technical and contextual knowledge to decide whether to release the credentials requested by an external entity.
Assumptions: The security of EE-to-user authentication depends on the strength of the assumption that users can perform certain required actions correctly and consistently.
Communication Channels (CC)
Active attacks need to engage user victims on a communication channel, and the trust, expectation and perception constructed in communications could reduce users’ ability to authenticate the EE in the following authentication session.
Analysts should identify and analyse the vulnerabilities within the CC with the same method as used in the analysis of the attack entry points.
Conclusion
• User–side threat modelling is as important as system–side threat modelling, but it is much less well studied.
• Our method is an initial effort towards developing a threat modelling method that can be used by system designers with moderate security knowledge.
• Your suggestions are appreciated.
An extended version will be delivered at ICICS 2008: Birmingham 20-22 October 2008
Questions & Answers
If you have a system that you would like us to study, we are very happy to hear from you!
Defending the Weakest Link: Intrusion via Social Engineering
EPSRC Grant EP/D051819/1