This article has also been published on Emmas blog.
The most inspiring talk was about Fairytale Protocols (in German) – describing different authentication schemes with help from Arabian Nights and the Grimm brothers. Security pedagogics is a field that still has a lot of room for improvement, and I think this was a great way of bettering the mental picture of different authentication schemes.
Inspired by this, I will attempt to explain some important concepts in security testing: identification, authentication and authorization. Even security applications have a hard time differentiating between these concepts, and if you don’t fully understand them it’s very hard to test whether they work as intended.
Access Control Systems at the Border
Going home from GPN18 by train, I crossed two borders: Germany/Denmark and Denmark/Sweden. Both these borders are between Schengen countries, but they have an Access Control System nonetheless.
The happy path of a border check is supposed to go down as follows:
- I identify myself with a document
- The police authenticates me
- I am authorized to enter the country.
If I have no document, or the picture on the document doesn’t plausibly match me, I am denied (Identification failure). If I can present a document, but the document is not issued in a way that the border police accepts, I am denied (Authentication failure). If I can successfully authenticate, but am on a criminal watchlist, I can be denied entry (Authorization failure).
As I have travelled between Germany and Sweden by land many times, I know that they don’t always enforce the Access Control Protocol to the letter. There are other ways than just documents or tokens to be authorized. We authenticate and authorize people all the time without thinking of it – you only tell your darkest secrets to your closest friends, and you do different small talk with your colleagues that with the cashier in the supermarket.
Sometimes the fact that I speak Swedish without an accent is enough to let me through a border check. In that case I haven’t identified myself at all, but I have passed a challenge that only a citizen of the Nordic Passport Union is likely to pass. This only works if the police officer I speak to has heard a sufficient amount of Swedish or Swedish German accents before to be able to identify it as such. This type of authentication is based on behavior, and as a single factor it is a weaker form of authentication.
Last time I passed the German/Danish border I only had to show the cover of my passport. The combination of my Nordic features (something that I am) and my laidback behavior (also something that I am), and the fact that I have something that looks like the cover of a Swedish passport (something that I have), is enough to plausibly authenticate me as a Swedish citizen without having to know my full identity.
Another time I presented the German police with my driver’s license and was harshly yelled at. A Nordic driver’s license is accepted at the Danish border, but not at the German. That time I was travelling by long distance bus, and in my experience the authentication scheme is much more harshly enforced on cheap buses than on expensive trains.
In hacker lingo all of the above methods can be labeled downgrade attacks. I negotiate with the authenticating server (police officer) to use a protocol of lesser security. This is usually successful because the threat model the police is working with is that they don’t want to let in asylum seekers. It also works because of the notion, or prejudice, that women are unlikely to be in an Interpol database.
Access Control Systems add a lot of overhead and cause annoyance and delays. This is a general critique against all type of security – there’s a notion that security cannot be done in a seamless way. Indeed this time it did – border checks added about half an hour to my travel time! In contrast, flying to Germany the security check took about seven minutes, and I didn’t have to show my passport once.
How to test
From a tester’s perspective, I think these are the most important questions to work with when dealing with Access Control:
1. How does the system treat identification, authentication and authorization?
2. How well does the chosen authentication scheme match the threat model?
3. How can the User Experience of the Access Control Management be improved?