Authentication Attacks and Counter-measures

This section introduces the authentication attacks considered within this Guidance
and briefly discusses other counter measures.
Authentication attacks
Table 2 below lists generic attacks against authentication keys and the
authentication exchange. Attacks against the initial enrolment process,
management of authentication keys, etc., are not considered in this Guidance. The
list of attacks in Table 2 is not limited to the authentication key, as some
authentication keys can also be used for protecting the communication channel.
It is important to note that Table 2 is not intended to be complete, but does cover
the major attacks the authentication keys considered here can counter. Readers
may prefer to just briefly review the listed attacks now and refer back to Table 2 as
required. The listed attacks are not distinct, for example shoulder surfing attacks
are a type of social engineering attack.
Table 2 Authentication attacks
Table 2 Authentication attacks
Attack

Description

Where the customer deliberately compromises his or

Customer
her authentication key or computing environment to
fraud attacks enable them to deny subsequent authentication
events.
Where an attacker obtains information from an
Eavesdropper authentication exchange and recovers data, such as
attacks
authentication key values, which then may be used to
authenticate.
Insider
attacks

Where verifiers or systems managers deliberately

compromise the authentication system or steal
authentication keys or related data.

Key logger
attacks

Malicious code or hardware attacks that capture

keystrokes of a customer with the intention of
obtaining any password typed in by the customer or
other manually entered authentication key data.
Screen logger attacks are variants that capture
keystrokes along with display information to
circumvent screen-based security protections.

Malicious
Attacks that are generally aimed at the customers
code attacks computing environment. They vary in their
sophistication from simple key loggers to advanced

Trojan programs that can gain control of the

customers computer. Malicious code attacks may also
be aimed at verifier systems.
Man-in-themiddle
attacks

Where an attacker inserts himself between the

customer and the verifier in an authentication
exchange. The attacker attempts to authenticate by
posing as the customer to the verifier and the verifier
to the customer.

Password
discovery
attacks

This covers a variety of attacks, such as brute force,

common password and dictionary attacks, which aim
to determine a password. The attacker may try to
guess a specific customers password, try a few
commonly used passwords (such as Pa$$word)
against all customers, or use a pre-composed list of
passwords to match against the password file (if they
can recover it), in their attempt to discover a
legitimate password.

Phishing
attacks

Social engineering attacks that use forged web pages,

emails, or other electronic communications to
convince the customer to reveal their password or
other sensitive information to the attacker.

Replay
attacks

Where the attacker records the data of a successful

authentication and replays this information to attempt
to falsely authenticate to the verifier.

Session
hijacking
attacks

Where the attacker takes over (hijacks) a session

following successful authentication.

Shouldersurfing
attacks

Social engineering attacks specific to password

systems where the attacker covertly observes the
password when the customer enters it.

Social
engineering
attacks

Attacks that are aimed at obtaining authentication

keys or data by fooling the customer into using an
insecure authentication protocol, or into loading
malicious code onto the customers computer. Attacks
may also be aimed at the verification process, for
example by trying to trick help desk staff into
accepting a false story.

Verifier
Where the attacker impersonates the verifier to the
impersonatio customer to obtain authentication keys or data, which
n attacks
then may be used to authenticate falsely to the

verifier.
Countermeasures
It is possible to implement a range of countermeasures to the authentication
attacks described above. While the choice of authentication key is important, the
use of an authentication key alone is not sufficient. Other measures, both technical
and non-technical, need to be in place:

Some relate to managing the authentication key including policies and

procedures for distribution, lifecycle and storage protection, etc.

Others are completely separate of authentication key considerations such

as anomaly detection, customer education, enrolment procedures, etc.

Such countermeasures are important, but are not discussed in detail in this
Guidance.
Government agencies are required to comply with Security in the Government
Sector [3]. Annex A of that manual refers to the minimum standards for Internet
security. Further standards and references include [4, 8-14]. Agencies should also
refer to the NZ e-GIF authentication standards [2] for further requirements. General
issues relating to the selection of multi-factor authentication keys are covered later
in this Guidance.
How countermeasures relate to the authentication key can depend on the
authentication key used. For example, the cryptographic keys of software and
hardware tokens can be used to support additional protections, whereas passwords
do not offer such support.

authentication

multi-factor authentication