4
Identification Challenge
Though there are ancient ways for identifying marks, passwords, and certificates, unless you invent new ones and rotate them, the enemy will manage to infiltrate by having similar fake ones.

During a night attack, you may have the enemy follow you and get into the ranks of your allies. To prevent this, have a prearranged policy—a way to identify your allies.

—Yoshimori Hyakushu #27

Imagine the following historical scenario: after dispatching a large group of troops on a night raid, a military commander must open the gates to allow them back inside their fortification. Night raids helped win battles, but they also presented opportunities for a counterattack. An enemy shinobi could forge or steal a uniform from the attacking troops and blend into their formation as they returned to their base.

To combat this threat, commanders implemented a onetime password for the raiders to use before they could pass through the gate—but this password was easily defeated: the disguised shinobi would overhear the password when it was spoken by the soldier ahead of them in line. So commanders tried other identification methods. Some required the raiders to all wear underwear of a certain secret color that could be inspected upon their return, but clever shinobi would carry or wear undergarments in multiple colors, then selectively pull back layers of underwear so only the correct color would be visible during inspection. Additional countermeasures included changing passwords multiple times per day (which still didn’t prevent a shinobi from overhearing the current password) and unique uniform insignia or tokens (which a shinobi could steal from the corpse of a dead soldier after the raid).

The shinobi categorized these techniques as either the art of open disguise (yo-nin, which translates literally to “light shinobi”) or the art of hidden infiltration (in-nin, which translates literally to “dark shinobi”). In this case, open refers to being plainly visible; for example, the attacker could wear the uniform of a defending soldier, fully expecting to be seen. Hidden, on the other hand, refers to trying not to be seen, such as by using camouflage or blending into the shadows. Many of the assorted open disguise techniques described in Bansenshūkai could be used both offensively and defensively. Shinobi knew not only how to use these techniques for their own attacks but also how to spot enemy infiltrators. It was common for spies to replicate uniforms and crests or overhear passwords, so shinobi developed identification countermeasures to distinguish their allies from enemies.

One such identification technique was matched pairs, word combination challenges used to authenticate allies.1 This technique is also known as countersigns or challenge-response authentication. The matched-pairs technique worked as follows: an unidentified person approached a guard at the gate of a castle and requested entry. The guard first checked to ensure that the stranger was wearing the correct uniform and bearing the proper crest. If they were, then the guard uttered a word—“tree,” for example. If the stranger did not respond with the correct prearranged match—“forest”—the guard knew they were dealing with an enemy. While the Bansenshūkai states that matched-pair phrases should be simple enough that “lower-rank” people can remember them, it advises against using common associations that an adversary might guess. So, instead of “snow” and “mountain,” a more desirable pair might be “snow” and “Mount Fuji.” The scroll recommends that shinobi work with commanders to generate 100 different pairs of matching words every 100 days and use a new pair every day.2 This large number of matching pairs would allow a sentry to rotate randomly through the list (if necessary) as each troop approached, making it unlikely that a disguised enemy could overhear the answer to the challenge word they would receive.

Matched pairs were used to reveal possible infiltrators. If the stranger answered the challenge incorrectly, they were quickly detained, interrogated, and possibly killed. Knowing these consequences, Bansenshūkai recommends that shinobi attempting to infiltrate an enemy camp style their appearance, behavior, and speech as that of a slovenly or lower-class soldier. This way, if they were asked to answer a matched-pair challenge they didn’t know, they could convincingly claim ignorance.3 Some readers may note that their financial institution has started implementing matched-word or image pairs for online authentication, but it should be noted that these websites do not require 100 different pairs and do not update them frequently, if at all. A small pool of static matched pairs makes it possible for an adversary to observe all the pairs and then perform unauthorized actions with the stolen authentication responses.

These historical examples underscore the challenges in trying to safeguard authentication from an advanced and dynamic adversary. In this chapter, we will touch on how difficult it can be to prove your identity, along with the various factors used in information assurance (IA) to authenticate someone’s identity. I will mention some of the techniques that modern cyber threat actors use to thwart the best efforts to authenticate only the correct people and highlight analogous shinobi tactics that illustrate why authentication will be a challenge for the foreseeable future. I will also provide readers with guidance on how they might apply shinobi authentication techniques to modern applications. The overall goal of this chapter is to help readers grasp the essential issues involved in this identification problem rather than getting lost in the expansive knowledge domain that authentication and cryptography have become.

Understanding Authentication

Authentication is the process of confirming a user’s identity before granting access to information systems, data, networks, physical grounds, and other resources. Authentication processes confirm user identities by asking for something the user knows, something the user has, or something the user is. For example, an authenticator might ask for a password (something the user knows), a token (something the user has), or a biometric (something the user is). Depending on the level of security necessary, organizations require single-factor, two-factor, or multifactor authentication.

Mature organizations might also use strong authentication, which uses multiple layers of multifactor credentials. For example, the first step of strong authentication might require a username, password, and fingerprint, while the second step authenticates with a token and a onetime code sent over SMS. Increasingly, industry professionals are contemplating the feasibility of a fourth factor, such as a trusted person in the organization who would confirm the user’s identity. Interestingly, the matched-pair shinobi scenario starts with this test; the challenge is used only if no one in the area can validate the stranger’s identity.

Authentication failure is a critical security flaw. Users’ authenticated identities are tied to permissions that allow them to perform specific, often privileged, actions. An adversary who successfully piggybacks on a valid user’s authenticated connection has free access to the user’s resources and can conduct malicious activities on information systems, data, and networks.

Unfortunately, the authentication process is imperfect. Despite a slew of cyber authentication measures, it’s currently not possible to verify the identity of a user or process with complete certainty, as nearly every existing verification test can be spoofed (spoofing is the use of false data to impersonate another entity) or compromised. Adversaries use numerous techniques to steal passwords, intercept tokens, copy authentication hashes or tickets, and forge biometrics. If attackers gain unauthorized access to identity management systems, such as domain controllers, they can create and authenticate to fraudulently forged accounts. After users authenticate, their identities are rarely challenged during a session, unless password reentry is required to conduct privileged tasks. Similarly, shinobi in disguise could wander around the inside of a castle without being challenged—in both cases, it’s assumed those inside have been authenticated.

Security technologies are evolving to fight authentication threats. One emerging solution, called continuous authentication or active authentication, constantly verifies user identities after the initial login. However, because continuous authentication dialogs might hinder the user experience, techniques are also being developed to monitor authentication through typing style, mouse movement, or other behavioral traits associated with user identities. Such techniques would catch adversaries who were physically accessing logged-in systems that had been left unattended, locking them out. This would also work with unauthorized remote access methods, such as Remote Desktop Protocol (RDP) sessions. Such techniques could identify attackers even if they used valid credentials and authenticators to log in. Of course, a person’s behavior may change. Moreover, even specific behaviors can be mimicked or simulated by sophisticated adversaries by incorporating user behavior reconnaissance into their attacks.

One possible implementation of the matched-pair model involves a human-machine interface that uses passive brainwave sensors connected to a system that verifies identity based on how the user thinks. Research demonstrates that humans generate unique brain patterns when they see an object with which they have interacted before or have a specific thought association. As such, showing a user controlled stimuli (such as matched-pair word or image combinations), monitoring the brain’s electrical responses, and matching them to a user profile could accurately authenticate the user. With enough unique challenge pairs dynamically generated with stylized permutations, it’s unlikely that adversaries could replay or simulate a user’s brainwave activity when prompted.

In the next section, we’ll discuss some techniques you can use for matched-pair authentications.

Developing Matched-Pair Authenticators

Following are a few suggestions for developing matched-pair authenticators and ideas for applying them.

  1. Work with the right commercial authentication vendors. Seek out vendors that use challenge phrase authentication that is distinct from a user’s password, account name, or other identifying information that an adversary could compromise. While some financial organizations use matched-pair challenge phrases before they authorize account changes, unfortunately this method is typically used only when the user reports they’ve lost or forgotten their password, and the challenge phrases are static and don’t change.
  2. Develop new authentication systems. An authentication product might integrate with identity controls to present a matched-pair challenge to an authenticated user whenever they attempt to perform privileged actions, such as admin/root/system commands. Under this protocol, even if adversaries observed one or several challenge pairs, their request to perform privileged actions would be denied.

    An ideal product uses two forms of matched-pair challenges: daily and user preset. The daily challenge, disseminated nondigitally in areas that are visible only to authorized personnel, challenges on-premise authentication requests with a word or image and asks the user to respond with the match. All other employees, including remote/VPN employees, establish a large set of matching word pairs that are not likely to be forgotten or misinterpreted. The organization chooses the pairs at random or rotates them to quickly pinpoint unauthorized users that have been authenticated on the network. (Note that to prevent an adversary from inserting their own matched pairs for compromised or spoofed credentials, there must be secured transmission, storage, and auditing of new matched pairs to the active challenge system.) Consider using a one-way interface to insert matched pairs in a secure controlled information facility (SCIF) or segmented room that requires manual authentication and authorization to enter and use. Other mechanisms could allow organizations to ambush an unidentified user by requiring access to their microphone, camera, location, running processes, running memory or cache, desktop screenshot, and other information on their connecting system, thereby better identifying the origin and identity of the threat.
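The following is an added illustration, not code from the book, of the matched-pair gate described above and in the historical account: a pool of pairs valid for a fixed period, a random unused pair chosen for each person who approaches, and each pair retired on first use so an overheard answer cannot be replayed. The class name, the pool size, the lockout threshold and the two filler pairs are assumptions made for the example.

```python
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample pool: the page's own pairs plus two invented fillers.
# A real deployment would issue a fresh set (the scroll suggests 100 pairs per 100 days).
SAMPLE_PAIRS = [("tree", "forest"), ("snow", "Mount Fuji"),
                ("river", "ferryman"), ("lantern", "moth")]

class MatchedPairGate:
    """Sentry: issues a challenge word, checks the match, then retires the pair."""

    def __init__(self, pairs, valid_days=100, max_failures=3, valid_from=None):
        self.pairs = list(pairs)
        self.valid_from = valid_from or date.today()
        self.valid_until = self.valid_from + timedelta(days=valid_days)
        self.used = set()           # indices of pairs already spent
        self.failures = {}          # user -> count of wrong responses
        self.max_failures = max_failures
        self.events = []            # audit trail for the defenders

    def challenge(self, user, today=None):
        """Pick a random unused pair so a bystander cannot predict the next challenge."""
        today = today or date.today()
        if not self.valid_from <= today < self.valid_until:
            raise RuntimeError("pair pool expired; issue a new set before admitting anyone")
        if self.failures.get(user, 0) >= self.max_failures:
            raise PermissionError(f"{user} is locked out pending investigation")
        unused = [i for i in range(len(self.pairs)) if i not in self.used]
        if not unused:
            raise RuntimeError("no unused pairs left; re-key the gate")
        idx = secrets.choice(unused)
        return idx, self.pairs[idx][0]

    def verify(self, user, idx, answer):
        """Consume pair idx and report whether the response matched."""
        if idx in self.used:                        # replayed challenge id
            self.events.append(("replay", user, idx))
            return False
        self.used.add(idx)                          # one-time use, even on failure
        expected = self.pairs[idx][1]
        # constant-time compare so response timing does not leak near-misses
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self.events.append(("pass", user, idx))
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.events.append(("fail", user, idx))
        return False
```

The `events` list is what a defender would forward to monitoring: a "replay" or a run of "fail" entries for one account is the modern equivalent of a stranger at the gate who cannot answer.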

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with an applicable security control from the NIST 800-53 standard. Each should be evaluated in the context of matched-pair identification and authentication challenge responses.

  1. Implement session locks after set periods of time for privileged accounts, upon privileged user requests, or in reaction to suspicious behavior. Only reestablish access after the user provides a matched-pair challenge response. (A session lock may be preferable to a normal password lock because the challenge pair match is a single click or a simpler word than the user’s account password.) [AC-11: Session Lock; IA-2: Identification and Authentication (Organizational Users) | (1) Network Access to Privileged Accounts | (3) Local Access to Privileged Accounts; IA-10: Adaptive Identification and Authentication; IA-11: Re-Authentication]
  2. Identify, document, and enforce security controls on which user actions may be performed on a system without passing the matched-pair challenge response—for example, contacting technical support or making emergency calls. [AC-14: Permitted Actions Without Identification or Authentication]
  3. Develop matched-pair authentication processes that are resistant to replay attacks by establishing large sets of onetime challenge response authenticators. [IA-2: Identification and Authentication (Organizational Users) | (8) Network Access to Privileged Accounts—Replay Resistant]
  4. Capture information that uniquely identifies user devices requesting authentication to gain intelligence on unidentified adversaries who fail the matched-pair challenge response. [IA-3: Device Identification and Authentication | (4) Device Attestation]
  5. Require in-person matched-pair input to mitigate compromise of the challenge response identification system. [IA-4: Identifier Management | (7) In-Person Registration]
  6. Physically and logically segregate the matched-pair challenge response system and enforce strict access controls to safeguard it against compromise. [IA-5: Authenticator Management | (6) Protection of Authenticators]

Debrief

This chapter highlighted the challenges faced by commanders who needed to verify the identity of their troops to prevent disguised shinobi from infiltrating their fortifications. You learned about the matched-pair identification technique, both how it was used by shinobi to detect enemies and what safeguards shinobi took against the technique when on the offensive. You also saw the modern analogs of this technique in computer security authentication and identification.

In the next chapter, you will use your understanding of authentication factors and historical challenge response to learn how two-step authentication is different from but complementary to matched pairs. I will discuss a concealed shinobi authentication technique, the double-sealed password, which can be used to detect sophisticated infiltrators.