User Authentication Threat Modelling from User and Social Perspective

1
User Authentication Threat Modelling from User
and Social PerspectiveDefending the Weakest
Link Intrusion via Social Engineering EPSRC
Grant EP/D051819/1All Hands Meeting Edinburgh
2008

• Xun Dong(xundong_at_cs.york.ac.uk), John A. Clark
  and Jeremy L. Jacob
• University of York

2
Motivation Attacking Trend Shift

• Grid users may become the focus of attack
• The technical barrier to hack the systems has
  been increased significantly protection for
  users is less well developed.
• Valuable information such as authentication
  credentials sought by attackers are possessed by
  users as well.
• Many system designs do not help the general user
  to achieve security goals.
• Existing threat modelling techniques do not deal
  with users (though general purpose e.g.
  Microsofts TM, and various domain specific
  threat modelling techniques and models have been
  developed)
• The complexity of identifying user side
  vulnerabilities is significant, however, there is
  no method designers can rely on.

3
Simple Attack Taxonomy

• Passive attacks
• They do not require active victim involvement,
  often
• achieving their goal by analysing information
  available to
• attackers (e.g. that from public databases or
  websites, or
• even rubbish bin contents). Many are launched by
• insiders or people who have close relationships
  with the
• victims.
• Active attacks
• They exploit the users difficulty in
  authenticating External Entities (EEs),
  requesting the users authentication credentials
  whilst posing as trustworthy parties. Typical
  examples are phishing and pharming attacks.

4
Overview
5
Dependency Relationships

• The authentication systems may be designed and
  implemented independently, but the choices of the
  user authentication credentials may connect
  different systems into complex and unpredictable
  networks.
• Examples Access to an secondary email account is
  used to recover/reset the password.
• Institutional photo ID such as student card
  is accepted as authentication credentials to
  prove ones identity.

6
Dependency Relationships

• Compromise of the security of the current
• authentication system
• The security of the current system is equal to
  the security of the weakest system reachable in
  the graph.
• Obtaining authentication credentials to the
  weakest system propagates access back up the
  chain.

7
Dependency Relationships

• Identify its existence by the properties of user
  authentication
• credentials
• users have access to
• assigned by third parties
• Represent them in graph
• Three Components in the graph
• Node represents a system
• Directed Edges an edge from Node A to Node B
  means Node A depends on Node B.
• Special symbol R Represent random systems,
  and edge towards R from Node A means the system
  which A is depends on is unpredictable.
• The start node of the graph is the system being
  designed.

8
Impersonating Targets

• May be wider than the system being considered
• the entities that the user has shared
  authentication credentials with
• the entities that are entitled to request users
  authentication credentials or initiate user-to-EE
  authentication
• and the entities that exist in the authentication
  dependency graph.

9
Lifecycle of Authentication Credentials
10
Attack Entry Points

• Active attacks can only obtain users
  authentication
• credentials when they are exchanged. By using the
  lifecycle
• analysts can identify in which states and in
  which transitions
• this occurs
• Synchronisation State
• Operation State
• State transition from operation to assignment
• State transition from operation to
  synchronisation
• State transition from suspension to assignment
• State transition from suspension to operation.

11
Entry Points Analysis

• Reliability and Sufficiency of Authentication
  Information The successful EE-to-user
  authentication users must have reliable and
  sufficient authentication credentials.
• Knowledge Users need both technical and
  contextual knowledge to decide whether to release
  the credentials requested by an external entity.
• Assumptions The security of EE-to-user
  authentication depends on the strength of the
  assumption on users can perform certain required
  actions correctly and consistently.

12
Communication Channels (CC)

• Active attacks need to engage user victims on a
• communication channel, and the trust,
  expectation
• and perception constructed in communications
• could reduce users ability to authenticate the
  EE
• in the following authentication session.
• Analysts should identify and analyse the
• vulnerabilities within the CC with the same
  method
• as used in analysis for the attack entry points.

13
Conclusion

• Userside threat modelling is as important as
  systemside threat modelling, but it is much less
  well studied.
• Our method is an initial effort towards
  developing a threat modelling method that can be
  used by system designers with moderate security
  knowledge.
• Your suggestions are appreciated.

An extended version will be delivered at ICICS
2008 Birmingham 20-22 October 2008
14

• Questions Answers
• If you have a system that would like us to study,
  we are very happy to hear from you!

Defending the Weakest LinkIntrusion via Social
Engineering EPSRC Grant EP/D051819/1