This section introduces the authentication attacks considered within this Guidance
and briefly discusses other countermeasures.
Authentication attacks
Table 2 below lists generic attacks against authentication keys and the
authentication exchange. Attacks against the initial enrolment process,
management of authentication keys, etc., are not considered in this Guidance. The
list of attacks in Table 2 is not limited to the authentication key, as some
authentication keys can also be used for protecting the communication channel.
It is important to note that Table 2 is not intended to be complete, but does cover
the major attacks the authentication keys considered here can counter. Readers
may prefer to just briefly review the listed attacks now and refer back to Table 2 as
required. The listed attacks are not distinct; for example, shoulder surfing attacks
are a type of social engineering attack.
Table 2 Authentication attacks

Attack                            Description
Key logger attacks
Malicious code attacks            Attacks that are generally aimed at the customer's
                                  computing environment. They vary in their
                                  sophistication from simple key loggers to advanced
Password discovery attacks
Phishing attacks
Replay attacks
Session hijacking attacks
Shoulder surfing attacks
Social engineering attacks
Verifier impersonation attacks    Where the attacker impersonates the verifier to the
                                  customer to obtain authentication keys or data, which
                                  then may be used to authenticate falsely to the
                                  verifier.
Countermeasures
It is possible to implement a range of countermeasures to the authentication
attacks described above. While the choice of authentication key is important, the
use of an authentication key alone is not sufficient. Other measures, both technical
and non-technical, need to be in place:
Such countermeasures are important, but are not discussed in detail in this
Guidance.
Government agencies are required to comply with Security in the Government
Sector [3]. Annex A of that manual refers to the minimum standards for Internet
security. Further standards and references include [4, 8-14]. Agencies should also
refer to the NZ e-GIF authentication standards [2] for further requirements. General
issues relating to the selection of multi-factor authentication keys are covered later
in this Guidance.
How countermeasures relate to the authentication key can depend on the
authentication key used. For example, the cryptographic keys of software and
hardware tokens can be used to support additional protections, whereas passwords
do not offer such support.
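The following is an added example, not code from the Guidance, illustrating the last point: a verifier that accepts a static password (replaying the captured password succeeds) beside a verifier that issues a fresh random challenge and checks an HMAC response computed with a token's cryptographic key (replaying a captured nonce/response pair fails). The `Verifier` class, the `token_response` helper and the user name are constructed for the demonstration; the password-hashing and HMAC choices are assumptions, not requirements of the Guidance.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


def token_response(key: bytes, nonce: bytes) -> bytes:
    """What the token computes for a challenge: HMAC-SHA256 of the verifier's nonce
    under the token's secret key (assumed scheme, constructed for this example)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Constructed verifier holding two kinds of authentication key for one user:
    a salted password hash and a per-token HMAC key."""

    _PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._passwords: Dict[str, bytes] = {}        # user -> salt || pbkdf2 digest
        self._token_keys: Dict[str, bytes] = {}       # user -> token HMAC key
        self._outstanding: Dict[str, bytes] = {}      # user -> unanswered challenge
        self._used_nonces: Set[bytes] = set()         # every nonce ever accepted

    # --- static password: the same secret crosses the channel on every login ---
    def enrol_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._PBKDF2_ROUNDS)
        self._passwords[user] = salt + digest

    def verify_password(self, user: str, password: str) -> bool:
        stored: Optional[bytes] = self._passwords.get(user)
        if stored is None:
            return False
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)   # constant-time comparison

    # --- token key: challenge-response, so each login proves possession afresh ---
    def enrol_token(self, user: str, key: bytes) -> None:
        self._token_keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)               # unpredictable, single-use
        self._outstanding[user] = nonce
        return nonce

    def verify_token_response(self, user: str, nonce: bytes, response: bytes) -> bool:
        key = self._token_keys.get(user)
        expected = self._outstanding.pop(user, None)  # a challenge can be answered once
        if key is None or expected is None or nonce != expected:
            return False                              # no open challenge, or stale nonce
        if nonce in self._used_nonces:
            return False                              # defence in depth against reuse
        self._used_nonces.add(nonce)
        return hmac.compare_digest(token_response(key, nonce), response)


def replay_demo() -> Dict[str, bool]:
    """Perform one legitimate login with each key, then replay the captured
    exchange. Returns which logins and which replays the verifier accepted."""
    v = Verifier()
    v.enrol_password("alice", "correct horse battery staple")   # constructed sample
    token_key = secrets.token_bytes(32)
    v.enrol_token("alice", token_key)

    # Password login: an eavesdropper on the channel captures the password itself.
    captured_password = "correct horse battery staple"
    password_first = v.verify_password("alice", captured_password)
    password_replay = v.verify_password("alice", captured_password)   # identical data

    # Token login: the eavesdropper captures the nonce and the response to it.
    nonce = v.challenge("alice")
    captured_response = token_response(token_key, nonce)
    token_first = v.verify_token_response("alice", nonce, captured_response)

    # Replay: the verifier has moved on to a new challenge, so the old pair is refused.
    v.challenge("alice")
    token_replay = v.verify_token_response("alice", nonce, captured_response)

    return {
        "password_first_login": password_first,
        "password_replay_accepted": password_replay,
        "token_first_login": token_first,
        "token_replay_accepted": token_replay,
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The contrast is the point of the example: both keys authenticate the genuine user, but only the token key lets the verifier bind each login to a fresh challenge, so the captured exchange is useless a second time. The same key could be used to derive a session key for the channel, which is the "additional protection" a password cannot provide.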