Online Authentication Threats and Attacks
This section gives a brief review of the threats to, and attacks on, online authentication, focusing on those that are important to section 6.
5.1 The factors of authentication: threats and attacks
Authentication will fail when the customer forgets, loses or damages his or her authentication key. This affects the reliability and management of the authentication system and so must be considered with respect to the online service requirements. Each of the factors of authentication (know, have, are) can be attacked by:
- know – discovering what the customer knows
- have – obtaining or copying what the customer has
- are – replicating the customer’s characteristic or attribute that is being compared (for example, fingerprints or typing patterns).
Using multiple factors can improve security because more than one method must be subverted. Using a hardware device (something you have) that is not easily copied also reduces the scope of an attack, since the owner is expected to notice the loss of the device. Authentication keys based on software or hardware tokens may be combined with activation data (such as a password or biometric) so that authentication does not rely on possession of the token alone. This is multi-factor authentication.
A customer may subvert the authentication system by deliberately divulging their one-factor authentication key to an accomplice and then denying it later, with the aim of repudiating subsequent successful authentications. The use of multiple authentication factors makes such a denial less credible and may deter such attacks.
5.2 Authentication protocols: threats and attacks
Authentication protocols differ in the protections they provide against attack. The primary attacks considered in this Standard are: eavesdropper, man-in-the-middle, replay, session hijacking and verifier impersonation attacks. These attacks may be mitigated in the following ways:
- Requiring an element of freshness (for example, a challenge or nonce that is valid for a single authentication) for each authentication counters replay attacks.
- Eavesdropper and session hijacking attacks may be countered by using cryptography to protect the channel (channel encryption) used for the authentication exchange (for example, TLS in anonymous mode, which encrypts the channel without authenticating either end of it).
- Man-in-the-middle and verifier impersonation attacks are resisted only in a limited way by the channel protections described above. Combining channel encryption with additional cryptographic techniques improves protection against these attacks: for example, a mutual handshake based on cryptographic keys held by both the customer and the verifier, such as TLS in authentication mode (certificates on both the client and the server side), achieves ‘strong’ mutual authentication.
Channel encryption on its own provides only limited resistance to man-in-the-middle and verifier impersonation attacks, because the security of the exchange can be compromised without breaking the encryption. For example, a customer may be deceived into accepting an authentication exchange as coming from the verifier when it does not. Where the customer holds cryptographic keys (as with software and hardware tokens), cryptographic mutual authentication techniques can be used between the customer and the verifier, so that each side proves knowledge of a key to the other.
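The following is an added worked example, not part of this Standard, showing the freshness and mutual-proof ideas of 5.2 in code. It assumes a shared secret key held by both the customer (for example, on a software or hardware token) and the verifier, and uses an HMAC challenge-response in both directions: the verifier's nonce defeats replay, and the verifier's own proof over the customer's nonce lets the customer detect an impersonating verifier that does not hold the key. The class and function names, the message layout and the tag strings are assumptions made for this illustration; channel encryption is not modelled, and a real deployment would still run this over a protected channel.

```python
"""Challenge-response mutual authentication with nonces (illustrative, constructed example).

Both parties share a secret key. Each side proves knowledge of the key over a
fresh nonce chosen by the other side, so a recorded exchange cannot be replayed
and a party without the key cannot pass itself off as the verifier.
All names and formats below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every part so that the concatenation of fields is unambiguous.
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.digest()


class Verifier:
    def __init__(self, customers: Dict[str, bytes]):
        self._customers = customers            # customer id -> shared key (assumed registry)
        self._pending: Dict[str, bytes] = {}   # outstanding challenge per customer

    def challenge(self, customer_id: str) -> bytes:
        # Freshness: a new random nonce for every authentication attempt.
        nonce = secrets.token_bytes(16)
        self._pending[customer_id] = nonce
        return nonce

    def verify(self, customer_id: str, client_nonce: bytes, response: bytes) -> Optional[bytes]:
        """Return the verifier's proof if the customer's response is valid, else None."""
        key = self._customers.get(customer_id)
        server_nonce = self._pending.pop(customer_id, None)   # each challenge is single use
        if key is None or server_nonce is None:
            return None
        expected = _mac(key, b"client", customer_id.encode(), server_nonce, client_nonce)
        if not hmac.compare_digest(expected, response):       # constant-time comparison
            return None
        # Mutual authentication: prove to the customer that the verifier holds the key too.
        return _mac(key, b"server", customer_id.encode(), server_nonce, client_nonce)


class Customer:
    def __init__(self, customer_id: str, key: bytes):
        self.id = customer_id
        self._key = key

    def respond(self, server_nonce: bytes) -> Tuple[bytes, bytes]:
        # The customer contributes its own nonce so the verifier's proof is also fresh.
        client_nonce = secrets.token_bytes(16)
        resp = _mac(self._key, b"client", self.id.encode(), server_nonce, client_nonce)
        return client_nonce, resp

    def check_verifier(self, server_nonce: bytes, client_nonce: bytes, proof: Optional[bytes]) -> bool:
        if proof is None:
            return False
        expected = _mac(self._key, b"server", self.id.encode(), server_nonce, client_nonce)
        return hmac.compare_digest(expected, proof)


def honest_exchange(verifier: Verifier, customer: Customer) -> bool:
    """Full exchange; True when both sides accept each other."""
    server_nonce = verifier.challenge(customer.id)
    client_nonce, resp = customer.respond(server_nonce)
    proof = verifier.verify(customer.id, client_nonce, resp)
    return customer.check_verifier(server_nonce, client_nonce, proof)


def replay_attack(verifier: Verifier, customer: Customer) -> bool:
    """An eavesdropper records one exchange and resends it; True if the verifier accepts it."""
    server_nonce = verifier.challenge(customer.id)
    client_nonce, resp = customer.respond(server_nonce)
    verifier.verify(customer.id, client_nonce, resp)        # genuine exchange succeeds
    verifier.challenge(customer.id)                          # attacker starts a new attempt
    return verifier.verify(customer.id, client_nonce, resp) is not None   # old response replayed


def verifier_impersonation(customer: Customer) -> bool:
    """A fake verifier without the key sends a challenge and a guessed proof; True if the customer is fooled."""
    fake_nonce = secrets.token_bytes(16)
    client_nonce, _ = customer.respond(fake_nonce)
    forged_proof = secrets.token_bytes(32)                   # without the key this is only a guess
    return customer.check_verifier(fake_nonce, client_nonce, forged_proof)


def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(32)                            # constructed shared key
    verifier = Verifier({"customer-42": key})
    customer = Customer("customer-42", key)
    return {
        "honest": honest_exchange(verifier, customer),
        "replay_accepted": replay_attack(verifier, customer),
        "impersonation_accepted": verifier_impersonation(customer),
    }


if __name__ == "__main__":
    print(demo())
```

The nonces carry the freshness requirement of the first bullet above; the second HMAC, computed by the verifier over the customer's nonce, is what gives the customer evidence that it is talking to the real verifier rather than an impersonator. Note that this proves the verifier holds the shared key but says nothing about the channel itself, which is why the Standard pairs such techniques with channel encryption.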
5.3 Other threats
The authentication process may be subverted in a number of other ways not specifically dealt with in this Standard. For example, this Standard does not specifically cover customer fraud, insider, malicious code and social engineering attacks.
Education and advice for the customer are methods to combat malicious code and social engineering attacks. Auditing and anomaly detection are commonly used to counter customer fraud attacks. Using multiple authentication factors can deter customer fraud attacks. Insider attacks may be countered through personnel vetting, auditing and (where appropriate) using separation of duties and dual control.
This list of attacks is not intended to be complete; attacks continue to evolve and new ones continue to be developed. Agencies implementing online services are advised to contact the Centre for Critical Infrastructure Protection, or the GCSB, in addition to referring to SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006, AS/NZS ISO/IEC 27001:2006 and SAA/SNZ HB 231:2004. Appendix A contains more information on advice for online service customers.