Authentication: Part 2

Time
35 hours 25 minutes
Difficulty
Advanced
Video Transcription
Let's pick up with Part 2 authentication, and here we're going to look at the idea that something you have can authenticate you. We'll talk about all the different forms of authentication. We'll look at token devices, we'll look at smart cards versus memory cards. Really, we have a list, at least a partial list, of all those things we can have that authenticate us.

Today, we're seeing our smartphones being used for authentication as something we have. When you go to log on to a site, they'll send a one-time password to your phone, and the fact that I know that one-time password proves I have my phone, which proves I am who I say I am, because really, how often do you let your phone out of your sight? I will leave my kids at Walmart before I forget my phone. So that winds up being a good, cheap, or already-in-place system for authentication.

Now, token devices. These token devices are the devices that generate the one-time passwords. If you go back to what we talked about in cryptography and talk about the idea of the Vernam cipher, and I know you all remember the Vernam cipher, but just to refresh your memory, the Vernam cipher was the one-time pad. One of the things that made the Vernam cipher unbreakable is the fact that you only use that one-time pad one time, and then you destroyed it. So that one-time nature provides additional security. Now we would love to use a different password every single time a user logs in, but there would be mutiny if we asked our users to do that. What do we do instead? We give them devices like asynchronous devices and synchronous devices.

If you look down at the bottom left, many people have seen these RSA token devices, and every 30 seconds, 60 seconds, whatever, the password on the front changes, and you'll be prompted to enter that set of numbers. The fact that you know the right set of numbers, the right password, so to speak, proves you have the device. Now the RSA devices are synchronous, so they're synced up with the authentication server. So at 10:01 and 30 seconds, that authentication server knows not just what token device I have, but knows that at 10:01 and 30 seconds, this is the password that token device should be providing. That winds up being pretty good authentication, but don't forget, we want to combine this something I have with something I know or something I am to get really much better authentication. Multifactor's the way to go.

Now there are also asynchronous devices, and these are ones that aren't based on time but are based more on a challenge-response. I'm going to log into the server, and my username is sent to the server and we receive a challenge back. I type that challenge, just a string of numbers, into my little device that looks like a calculator, press "Enter," and it spits out the appropriate response. Only the correct device could provide the correct response. Once again, I'm proving I have something through the use of a password.

Now, memory cards also are things that we have that prove we are who we say we are. I hate that word "prove" because I think it's better to say "support." "Prove" sounds so strong and so firm, and anybody can spoof. Now we started out with memory cards, which were just like we see: it's the card with just the magnetic stripe on the back, and that's where our account number is stored. It's not encrypted, it's not transferred, it's just simply you swipe the card and the account number is transmitted.

Now, of course, the problem with that is that attackers very frequently can fit credit card machines with these little shims that sit down on top of the credit card machine, and as you swipe your card, it captures that information. That information is then transmitted off-site, and credit card fraud thrives this way. It's so easy to create a fraudulent or imposter credit card just by siphoning off legitimate account numbers. Well, the problem with that is that we're storing that account number on a magnetic strip; it's not encrypted, it's there for all the world to see, and it doesn't change.

So what we want to move towards is the chip and PIN system. When we talk about the chip and PIN system, it uses an EMV chip, which stands for Europay, MasterCard, and Visa. They came together and said, "We've got to do better than this magnetic strip." They've created these cards that have RFID chips inside, and the chip goes into a chip reader and it transmits, in an encrypted fashion, the account number to be verified. Now the problem with this is that if the chip reader isn't working, then you just go back to swiping your card, which has the magnetic strip with the account number that's not protected. It's so easy to bypass. As a matter of fact, there are certain types of attacks, like exposing the card, if I put that little shim over the card reader. Some of the more sophisticated ones will actually zap the processor with a little bit of electricity, causing it to fail and then forcing users to swipe their card.

So this is a step. This chip is not going to work without a PIN. So you have the chip, you know the PIN, that's multi-factor, and then the theory is it becomes triple-factor authentication as opposed to just double-factor. When you sign the back of the card, now there's something you are, because that's biometrics, your signature. The chip is something you have and the PIN is something you know, but, of course, we know that that doesn't work because nobody ever looks at the signature and compares it against what's on your receipt; it's just taken for granted.

We talked about in this section Type 2 authentication. It's something I have. Then we looked at our token devices that were synchronous or asynchronous. We looked at memory cards and smart cards. Don't forget, in other chapters we've talked about how keys provide authentication for us. We talked about certificates. A lot of that was in the cryptography domain, because with cryptography we talked about how we could get authenticity. So we focus in on the types of devices we haven't really talked about, but don't forget the digital means of authentication as well.