Chapter V Authentication
Definition of Authentication
• Authentication can be defined in two contexts
– The first is viewing authentication as it relates to access control
– The second is to look at it as one of the three key elements of security—authentication, authorization, and accounting
Authentication and Access Control Terminology
• Access control is the process by which resources or services are granted or denied
• Identification
– The presentation of credentials or identification
• Authentication
– The verification of the credentials to ensure that they are genuine and not fabricated
• Authorization
– Granting permission for admittance
• Access is the right to use specific resources
Authentication, Authorization, and Accounting (AAA)
• Authentication in AAA provides a way of identifying a user
– Typically by having them enter a valid password before granting access
• Authorization is the process that determines whether the user has the authority to carry out certain tasks
– Often defined as the process of enforcing policies
• Accounting measures the resources a user “consumes” during each network session
• The information can then be used in different ways:
– To find evidence of problems
– For billing
– For planning
• AAA servers
– Servers dedicated to performing AAA functions
– Can provide significant advantages in a network
Authentication Credentials
• Types of authentication, or authentication credentials
– Passwords
– One-time passwords
– Standard biometrics
– Behavioral biometrics
– Cognitive biometrics
One-Time Passwords
• Standard passwords are typically static in nature
• One-time passwords (OTP)
– Dynamic passwords that change frequently
– Systems using OTPs generate a unique password on demand that is not reusable
• The most common type is a time-synchronized OTP
– Used in conjunction with a token
• The token and a corresponding authentication server share the same algorithm
– The algorithm is different for each user’s token
• There are several variations of OTP systems
• Challenge-based OTPs
– Authentication server displays a challenge (a random number) to the user
– User then enters the challenge number into the token
• Which then executes a special algorithm to generate a password
– Because the authentication server has this same algorithm, it can also generate the password and compare it against that entered by the user
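Both OTP styles above, as an added example that is not part of the chapter: a token and an authentication server share a per-user secret and the same algorithm, here HMAC-based truncation in the style of RFC 4226/6238 (an assumption, since the chapter names no algorithm), and the server enforces the "not reusable" property by refusing any time step or challenge it has already accepted. Secret values and the clock are constructed for the demo.

```python
import hashlib, hmac, secrets, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation" to a short code
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    # Time-synchronized OTP (RFC 6238): the counter is the number of 30-second steps since the epoch,
    # so token and server produce the same value as long as their clocks roughly agree
    return hotp(secret, int(unix_time) // step, digits)

class OtpServer:
    """Server side: holds the token's secret, runs the same algorithm, never accepts a code twice."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1     # highest time step already consumed by a successful login
        self.pending = None     # outstanding challenge, if any

    def verify_time_otp(self, code: str, now: float, step: int = 30, window: int = 1) -> bool:
        for drift in range(-window, window + 1):    # tolerate small clock drift between token and server
            t = int(now) // step + drift
            if t <= self.last_step:
                continue                           # a code for this step was already used: replay
            if hmac.compare_digest(hotp(self.secret, t), code):
                self.last_step = t
                return True
        return False

    def issue_challenge(self) -> int:
        self.pending = secrets.randbelow(10 ** 8)   # the random number displayed to the user
        return self.pending

    def verify_challenge_otp(self, code: str) -> bool:
        # The token ran the algorithm over the challenge; the server recomputes and compares
        ok = self.pending is not None and hmac.compare_digest(hotp(self.secret, self.pending), code)
        self.pending = None                          # a challenge can be answered only once
        return ok

def token_answer_challenge(secret: bytes, challenge: int) -> str:
    return hotp(secret, challenge)                   # what the user's token computes and displays
```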
Standard Biometrics
• Standard biometrics
– Uses a person’s unique physical characteristics for authentication (what the person is)
– Examples: fingerprints, faces, hands, irises, retinas
• Types of fingerprint scanners
– Static fingerprint scanner
– Dynamic fingerprint scanner
• Disadvantages
– Costs
– Readers are not always foolproof
Behavioral Biometrics
• Behavioral biometrics
– Authenticates by normal actions that the user performs
• Keystroke dynamics
– Attempt to recognize a user’s unique typing rhythm
– Keystroke dynamics uses two unique typing variables
• Dwell time
• Flight time
• Voice recognition
– Used to authenticate users based on the unique characteristics of a person’s voice
– Phonetic cadence
• Speaking two words together in a way that one word “bleeds” into the next word
• Becomes part of each user’s speech pattern
• Computer footprint
– When and from where a user normally accesses a system
Cognitive Biometrics
• Cognitive biometrics
– Related to the perception, thought process, and understanding of the user
– Considered to be much easier for the user to remember because it is based on the user’s life experiences
• One example of cognitive biometrics is based on a life experience that the user remembers
• Another example of cognitive biometrics requires the user to identify specific faces
Authentication Models
• Single and multi-factor authentication
– One-factor authentication
• Using only one authentication credential
– Two-factor authentication
• Enhances security, particularly if different types of authentication methods are used
– Three-factor authentication
• Requires that a user present three different types of authentication credentials
• Single sign-on
– Identity management
• Using a single authenticated ID to be shared across multiple networks
– Federated identity management (FIM)
• When those networks are owned by different organizations
– One application of FIM is called single sign-on (SSO)
• Using one authentication to access multiple accounts or applications
• Windows Live ID
– Originally introduced in 1999 as .NET Passport
– Requires a user to create a standard username and password
– When the user wants to log into a Web site that supports Windows Live ID
• The user will first be redirected to the nearest authentication server
– Once authenticated, the user is given an encrypted time-limited “global” cookie
• Windows CardSpace
– Feature of Windows that is intended to provide users with control of their digital identities while helping them to manage privacy
– Types of cards
• Managed cards
• Personal cards
• OpenID
– A decentralized open source FIM that does not require specific software to be installed on the desktop
– A uniform resource locator (URL)-based identity system
• An OpenID identity is only a URL backed up by a username and password
• OpenID provides a means to prove that the user owns that specific URL
Authentication Servers
• Authentication can be provided on a network by a dedicated AAA or authentication server
• The most common types of authentication and AAA servers are
– RADIUS, Kerberos, TACACS+, and generic servers built on the Lightweight Directory Access Protocol (LDAP)
RADIUS
• RADIUS (Remote Authentication Dial In User Service)
– Developed in 1992
– Quickly became the industry standard with widespread support
– Suitable for what are called “high-volume service control applications”
• With the development of IEEE 802.1x port security for both wired and wireless LANs
– RADIUS has recently seen even greater usage
• A RADIUS client is typically a device such as a dial-up server or wireless access point (AP)
– Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS server
• The RADIUS server authenticates and authorizes the RADIUS client request
– Sends back a RADIUS message response
• RADIUS clients also send RADIUS accounting messages to RADIUS servers
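The client/server exchange above as an added example (not the chapter's code): an Access-Request built the way RFC 2865 lays it out, with the User-Password attribute hidden under the shared secret and a 16-byte random Request Authenticator, and a reply signed with the Response Authenticator that the client checks before trusting it. The secret, user and password are constructed values.

```python
import hashlib, hmac, secrets, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value         # Type, Length, Value

def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous output block)
    pw = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    pw, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pw += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return pw.rstrip(b"\x00")

def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    # RADIUS client (NAS): Code, Identifier, Length, 16 random bytes of Request Authenticator, attributes
    req_auth = secrets.token_bytes(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse(packet: bytes):
    code, ident, length = struct.unpack(">BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def server_respond(secret: bytes, request: bytes, users: dict) -> bytes:
    # RADIUS server: recover the password, decide, and sign the reply with the Response Authenticator
    _, ident, req_auth, attrs = parse(request)
    ok = users.get(attrs[USER_NAME]) == reveal_password(secret, req_auth, attrs[USER_PASSWORD])
    header = struct.pack(">BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # reply carries no attributes

def client_check_response(secret: bytes, request: bytes, response: bytes):
    # NAS accepts a reply only if MD5(Code+ID+Length+RequestAuth+Attributes+Secret) matches; else None
    _, ident, req_auth, _ = parse(request)
    code, rid, resp_auth, _ = parse(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return code if rid == ident and hmac.compare_digest(expected, resp_auth) else None
```

Because both the password hiding and the reply authenticator rest on MD5 and the shared secret, deployments commonly carry RADIUS inside IPsec or TLS (RadSec, RFC 6614) rather than rely on them alone.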
Kerberos
• Kerberos
– An authentication system developed by the Massachusetts Institute of Technology (MIT)
– Used to verify the identity of networked users
• Kerberos process
– User is provided a ticket that is issued by the Kerberos authentication server
– The user presents this ticket to the network for a service
– The service then examines the ticket to verify the identity of the user
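The three-step ticket flow above in a deliberately simplified model, added here as an example (not MIT's implementation, and not the real protocol, which encrypts tickets and adds session keys and authenticators): the authentication server seals a ticket under a key it shares with the service, so the service can verify the user's identity from the ticket alone, without contacting the server. The key, names and timestamps are constructed.

```python
import base64, binascii, hashlib, hmac, json

def _seal(service_key: bytes, body: bytes) -> bytes:
    return hmac.new(service_key, body, hashlib.sha256).digest()

def issue_ticket(service_key: bytes, user: str, service: str, now: int, lifetime: int = 600) -> str:
    # Authentication server: after the user has proven their identity, bind (user, service, validity
    # window) together and seal it under the key shared with that service, so only it can check the seal
    body = json.dumps({"user": user, "service": service, "nbf": now, "exp": now + lifetime}).encode()
    return base64.b64encode(body).decode() + "." + base64.b64encode(_seal(service_key, body)).decode()

def service_check_ticket(service_key: bytes, my_name: str, ticket: str, now: int):
    # Service: verify the seal with its own key first, then that the ticket names this service and is
    # inside its validity window. Returns the authenticated user name, or None on any failure.
    try:
        body_b64, seal_b64 = ticket.split(".")
        body = base64.b64decode(body_b64, validate=True)
        seal = base64.b64decode(seal_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_seal(service_key, body), seal):
        return None
    claims = json.loads(body)
    if claims["service"] != my_name or not claims["nbf"] <= now < claims["exp"]:
        return None
    return claims["user"]
```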
Terminal Access Controller Access Control System Plus (TACACS+)
• Terminal Access Controller Access Control System Plus (TACACS+)
– An industry standard protocol specification that forwards username and password information to a centralized server
• The centralized server can either be a TACACS+ database
– Or a database such as a Linux or UNIX password file with TACACS protocol support
Lightweight Directory Access Protocol (LDAP)
• Directory service
– A database stored on the network itself that contains information about users and network devices
• X.500
– A standard for directory services
– Created by ISO
• White-pages service
– Capability to look up information by name
• Yellow-pages service
– Browse and search for information by category
• The information is held in a directory information base (DIB)
• Entries in the DIB are arranged in a tree structure called the directory information tree (DIT)
• Directory Access Protocol (DAP)
– Protocol for a client application to access an X.500 directory
– DAP is too large to run on a personal computer
• Lightweight Directory Access Protocol (LDAP)
– Sometimes called X.500 Lite
– A simpler subset of DAP
• Primary differences
– LDAP was designed to run over TCP/IP
– LDAP has simpler functions
– LDAP encodes its protocol elements in a less complex way than X.500
• LDAP is an open protocol
Extensible Authentication Protocol (EAP)
• Extensible Authentication Protocol (EAP)
– Management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server
– An “envelope” that can carry many different kinds of exchange data used for authentication
• The EAP protocols can be divided into three categories:
– Authentication legacy protocols, EAP weak protocols, and EAP strong protocols
Authentication Legacy Protocols
• No longer extensively used for authentication
• Three authentication legacy protocols include:
– Password Authentication Protocol (PAP)
– Challenge-Handshake Authentication Protocol (CHAP)
– Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
EAP Weak Protocols
• Still used but have security vulnerabilities
• EAP weak protocols include:
– Extensible Authentication Protocol–MD5 (EAP-MD5)
– Lightweight EAP (LEAP)
EAP Strong Protocols
• EAP strong protocols include:
– EAP with Transport Layer Security (EAP-TLS)
– EAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)
Remote Authentication and Security
• Important to maintain strong security for remote communications
– Transmissions are routed through networks or devices that the organization does not manage and secure
• Managing remote authentication and security usually includes:
– Using remote access services
– Installing a virtual private network
– Maintaining a consistent remote access policy
Remote Access Services (RAS)
• Remote Access Services (RAS)
– Any combination of hardware and software that enables remote users to access a local internal network
– Provides remote users with the same access and functionality as local users
Virtual Private Networks (VPNs)
• Virtual private network (VPN)
– One of the most common types of RAS
– Uses an unsecured public network, such as the Internet, as if it were a secure private network
– Encrypts all data that is transmitted between the remote device and the network
• Common types of VPNs
– Remote-access VPN or virtual private dial-up network (VPDN)
– Site-to-site VPN
• VPN transmissions are achieved through communicating with endpoints
• Endpoint
– End of the tunnel between VPN devices
• VPN concentrator
– Aggregates hundreds or thousands of connections
• Depending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPN
• VPNs can be software-based or hardware-based
• Software-based VPNs offer the most flexibility in how network traffic is managed
– Hardware-based VPNs generally tunnel all traffic they handle regardless of the protocol
• Generally, software-based VPNs do not offer performance or security as good as a hardware-based VPN
• Advantages of VPN technology:
– Cost savings
– Scalability
– Full protection
– Speed
– Transparency
– Authentication
– Industry standards
• Disadvantages to VPN technology:
– Management
– Availability and performance
– Interoperability
– Additional protocols
– Performance impact
Remote Access Policies
• Establishing strong remote access policies is important
• Some recommendations for remote access policies:
– Remote access policies should be consistent for all users
– Remote access should be the responsibility of the IT department
– Form a working group and create a standard that all departments will agree to
Summary
• Access control is the process by which resources or services are denied or granted
• There are three types of authentication methods
• Authentication credentials can be combined to provide extended security
• Authentication can be provided on a network by a dedicated AAA or authentication server
• The management protocol of IEEE 802.1x that governs the interaction between the system, authenticator, and RADIUS server is known as the Extensible Authentication Protocol (EAP)
• Organizations need to provide avenues for remote users to access corporate resources as if they were sitting at a desk in the office