Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 8
Authentication
Objectives
• Define authentication.
• Describe the different types of authentication credentials.
• List and explain the authentication models.
• Define authentication servers and present Kerberos.
Definition of Authentication
• Authentication can be defined in two contexts:
  – The first is viewing authentication as it relates to access control.
  – The second is to look at it as one of the three key elements of security: Authentication, Authorization, and Accounting.
Authentication and Access Control Terminology
• Access control is the process by which resources or services are granted or denied. It is composed of 4 steps:
  1. Identification: The presentation of credentials or identification.
  2. Authentication: The verification of the credentials to ensure that they are genuine (authentic) and not fabricated.
  3. Authorization: Granting permission for admittance (permission to enter).
  4. Access: The right to use specific resources.
Authentication, Authorization, and Accounting (AAA)
• Information security rests on three key pillars (AAA) that determine who the user is (Authentication), what the user can do (Authorization), and what the user did (Accounting).
  • Authentication
    − Provides a way of identifying a user.
    − Controls access by requiring valid user credentials.
  • Authorization (Access Control)
    − Determines whether the user has the authority to carry out certain tasks (e.g. which resources or services a user is permitted to use).
    − Often defined as the process of enforcing policies.
Authentication, Authorization, and Accounting (AAA)
  • Accounting (Auditing)
    − Measures the resources a user "consumes" during each network session (e.g. records when a session begins and ends, and which services are used).
    − Recorded accounting information can then be used in different ways:
      • To find evidence of problems.
      • For billing.
      • For planning.
Authentication, Authorization, and Accounting (AAA) (continued)
• AAA servers
  – Servers dedicated to performing AAA functions.
  – Can provide significant advantages in a network.
Authentication Credentials
• Types of authentication, or authentication credentials, can be classified into three main categories:
  • What the user knows (passwords).
  • What the user has (token, key, proximity card).
  • What the user is (standard/behavioral/cognitive biometrics).
One-Time Passwords
• Standard passwords are the most common form of authentication credentials, and are typically static in nature.
• One-time passwords (OTP)
  – Dynamic passwords that change frequently.
  – Systems using OTPs generate a unique password on demand that is not reusable.
  – The most common type is the time-synchronized OTP, which is used in conjunction with a token (a small device).
    • The token and the corresponding authentication server share the same algorithm.
    • Each user's token has its own, different algorithm.
One-Time Passwords (continued)
• There are several variations of OTP systems, such as challenge-based OTPs.
  – The authentication server displays a challenge (a random number) to the user.
  – The user then enters the challenge number into the token,
    • which then executes a special algorithm to generate a password.
  – Because the authentication server has the same algorithm, it can also generate the password and compare it against the one entered by the user.
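Both OTP variants from the two slides above (the time-synchronized token on slide 9 and the challenge-based token on slide 12) as one added example; this is not code from the book or from any real token vendor. It assumes a per-token secret fed to one common HMAC-SHA1 truncation (RFC 4226 style) to model the slide's "different algorithm per token", 30-second windows, six digits, and one window of clock drift.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo secret (assumption): each user's token is provisioned with
# its own secret, shared only with the authentication server.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-token-seed"
STEP_SECONDS = 30   # length of one time window for the time-synchronized OTP
DIGITS = 6


def otp_from_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Shared algorithm run by both token and server: HMAC-SHA1 over a
    64-bit counter, dynamically truncated to a short numeric code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_synchronized_otp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Token side: the code shown for the current time window."""
    return otp_from_counter(secret, int(now // step))


def verify_time_otp(secret, submitted, now, step=STEP_SECONDS, drift=1, used=None):
    """Server side: recompute the code for the current window (plus a small
    clock-drift allowance), compare in constant time, and refuse a code whose
    window was already consumed, so that a password is never reusable."""
    window = int(now // step)
    for w in range(window - drift, window + drift + 1):
        if hmac.compare_digest(otp_from_counter(secret, w), submitted):
            if used is not None:
                if w in used:
                    return False          # replay of an already used code
                used.add(w)
            return True
    return False


def issue_challenge() -> str:
    """Server side of the challenge-based OTP: a random number for the user."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def challenge_response_otp(secret: bytes, challenge: str) -> str:
    """Token side: the challenge replaces the clock as the algorithm's input."""
    return otp_from_counter(secret, int(challenge))


def verify_challenge_otp(secret: bytes, challenge: str, submitted: str) -> bool:
    """Server side: regenerate the password from the same challenge and compare."""
    return hmac.compare_digest(challenge_response_otp(secret, challenge), submitted)


if __name__ == "__main__":
    print("time-synchronized code now:", time_synchronized_otp(DEMO_SECRET, time.time()))
    ch = issue_challenge()
    print("challenge", ch, "-> response", challenge_response_otp(DEMO_SECRET, ch))
```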
Standard Biometrics
• Standard biometrics uses a person's unique characteristics (e.g. fingerprints, faces, hands, retinas) for authentication.
• Fingerprint scanners are the most common type of standard biometric device, and are of two types:
  – Static fingerprint scanner
  – Dynamic fingerprint scanner
• Disadvantages of standard biometrics:
  – Costs
  – Readers are not always foolproof.
Standard Biometrics (continued)
• Static fingerprint scanner (figure)
• Dynamic fingerprint scanner (figure)
Behavioral Biometrics
• Behavioral biometrics authenticates by the normal actions that the user performs.
• The most promising behavioral biometrics are:
  − Keystroke dynamics
  − Voice recognition
  − Computer footprinting
Behavioral Biometrics
• Keystroke dynamics
  – Attempts to recognize a user's unique typing rhythm.
  – Keystroke dynamics uses two unique typing variables:
    • Dwell time: the time it takes for a key to be pressed and then released.
    • Flight time: the time between keystrokes (both "down", when the key is pressed, and "up", when the key is released, are measured).
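The two keystroke-dynamics variables just defined, extracted from a raw key-event stream and compared against an enrolled profile, as an added example that is not from the book. The event streams, the 25% tolerance and the mean-based profile are constructed assumptions; real systems use more samples and richer statistics.

```python
from statistics import mean

# Constructed key-event streams for the same two-key string: (key, edge, time_ms).
# Two enrollment sessions build the user's profile; two later attempts are scored.
ENROLLMENT = [
    [("a", "down", 0), ("a", "up", 90), ("b", "down", 150), ("b", "up", 230)],
    [("a", "down", 0), ("a", "up", 80), ("b", "down", 140), ("b", "up", 230)],
]
GENUINE_ATTEMPT = [("a", "down", 1000), ("a", "up", 1085), ("b", "down", 1150), ("b", "up", 1225)]
IMPOSTOR_ATTEMPT = [("a", "down", 0), ("a", "up", 200), ("b", "down", 400), ("b", "up", 600)]


def timing_features(events):
    """Extract the slide's variables from a time-ordered event stream.
    dwell:     key down -> same key up
    flight_ud: previous key up -> next key down
    flight_dd: previous key down -> next key down
    Both flight variants are kept because the slide says the "down" and the
    "up" edges are both measured."""
    pressed, last_up, last_down = {}, None, None
    feats = {"dwell": [], "flight_ud": [], "flight_dd": []}
    for key, edge, t in events:
        if edge == "down":
            pressed[key] = t
            if last_up is not None:
                feats["flight_ud"].append(t - last_up)
            if last_down is not None:
                feats["flight_dd"].append(t - last_down)
            last_down = t
        elif edge == "up" and key in pressed:
            feats["dwell"].append(t - pressed.pop(key))
            last_up = t
    return feats


def build_profile(sessions):
    """Enrollment: the mean of each timing variable pooled over all sessions."""
    pooled = {"dwell": [], "flight_ud": [], "flight_dd": []}
    for session in sessions:
        for name, values in timing_features(session).items():
            pooled[name].extend(values)
    return {name: mean(values) for name, values in pooled.items() if values}


def matches_profile(profile, events, tolerance=0.25):
    """Verification: accept only if every variable's mean lies within
    `tolerance` (relative) of the enrolled mean; a variable that the attempt
    did not produce at all counts as a mismatch rather than a free pass."""
    feats = timing_features(events)
    for name, enrolled in profile.items():
        if not feats[name]:
            return False
        observed = mean(feats[name])
        if abs(observed - enrolled) > tolerance * abs(enrolled):
            return False
    return True
```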
Behavioral Biometrics (continued)
• Voice recognition
  – Used to authenticate users based on the unique characteristics of a person's voice (e.g. the size of the user's head and the user's age).
  – Phonetic cadence
    • Speaking two words together in a way that one word "bleeds" into the next word.
    • Becomes part of each user's speech pattern.
• Computer footprinting
  – When and from where a user normally accesses a system.
Cognitive Biometrics
• Cognitive biometrics is related to the perception, thought process, and understanding of the user.
  – Considered to be much easier for the user to remember because it is based on the user's life experiences, which also makes it very difficult for an attacker to imitate.
• Examples of cognitive biometrics:
  – One example is based on a life experience that the user remembers.
  – Another example requires the user to identify specific faces.
Authentication Models
• Authentication credentials can be combined to provide extended security, hence creating different authentication models.
• Single and multi-factor authentication
  – One-factor authentication
    • Using only one authentication credential.
  – Two-factor authentication
    • Enhances security, particularly if different types of authentication methods are used.
  – Three-factor authentication
    • Requires that a user present three different types of authentication credentials.
Authentication Models (continued)
• Single sign-on
  – Identity management
    • Using a single authenticated ID that is shared across multiple networks.
  – Federated identity management (FIM)
    • When those networks are owned by different organizations.
    • One application of FIM is called single sign-on (SSO). It consists of using one authentication to access multiple accounts or applications.
Authentication Models (continued)
• Windows Live ID
  – Originally introduced in 1999 as .NET Passport.
  – Requires a user to create a standard username and password.
  – When the user wants to log into a Web site that supports Windows Live ID, the user is first redirected to the nearest authentication server.
  – Once authenticated, the user is given an encrypted, time-limited "global" cookie.
Authentication Models (continued)
• Windows CardSpace
  – A feature of Windows that is intended to give users control of their digital identities while helping them manage privacy.
  – It allows users to create and use virtual business cards that contain information that identifies the user.
Authentication Servers
• Authentication can be provided on a network by a dedicated AAA or authentication server.
• The most common type of authentication server is Kerberos.
Kerberos
• Kerberos definition
  – An authentication system developed by the Massachusetts Institute of Technology (MIT) to provide authentication between networked users (clients) and services (e.g. a file system server or a remote login server).
  – Authentication is achieved through a central server called the "Key Distribution Center" (KDC). It consists of two parts:
    • Authentication Server (AS): issues "Ticket Granting Tickets" (TGTs).
    • Ticket Granting Server (TGS): issues service tickets.
  – Tickets contain specific user information, and restrict what a user can do.
  – Tickets expire after a few hours or a day.
Kerberos
• Kerberos architecture (figure): the Kerberos KDC, made up of the AS and the TGS, issues tickets to the client, which presents them to services such as the mail server and the printer server.
Kerberos (you may remove this slide if you wish)
• Advantages
  − Strong authentication.
  − Single Sign-on (SSO) capability.
• Disadvantages
  − Single point of failure (centralized KDC).
  − Authentication Server could be compromised.
  − TGT could be stolen to access network services.
  − Subject to password guessing.
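The AS and TGS exchanges from the Kerberos definition slide, with the ticket expiry and per-service binding that bound the damage from the stolen-TGT and compromised-server risks listed above, as an added example that is not from the book or from MIT Kerberos. It assumes demo keys, JSON tickets authenticated with HMAC (a simplification; real Kerberos tickets are encrypted under the recipient's key), and made-up lifetimes.

```python
import hashlib
import hmac
import json

# Constructed long-term keys (assumption). In Kerberos every principal shares a
# secret key with the KDC; user keys are derived from passwords.
KEYS = {
    "krbtgt": b"demo-key-of-the-tgs",       # used by the KDC's TGS part
    "mail":   b"demo-mail-server-key",      # service keys known to the KDC
    "print":  b"demo-print-server-key",
}
USERS = {"alice": b"demo-key-derived-from-alices-password"}
TGT_LIFETIME = 8 * 3600          # TGTs last hours; service tickets less
SERVICE_TICKET_LIFETIME = 3600


def seal(payload: dict, key: bytes) -> dict:
    """Build a ticket only the holder of `key` can validate."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_ticket(ticket: dict, key: bytes, now: float):
    """Return the ticket's payload, or None if forged, altered or expired."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        return None
    payload = json.loads(ticket["body"])
    if now >= payload["expires"]:
        return None                      # a stolen ticket dies here
    return payload


def as_exchange(user: str, user_key: bytes, now: float):
    """AS: check the user's key and issue a TGT, readable only by the TGS."""
    if not hmac.compare_digest(USERS.get(user, b""), user_key):
        return None
    return seal({"user": user, "service": "krbtgt",
                 "expires": now + TGT_LIFETIME}, KEYS["krbtgt"])


def tgs_exchange(tgt: dict, service: str, now: float):
    """TGS: validate the TGT, then issue a ticket bound to one named service
    whose lifetime never outlives the TGT it was derived from."""
    payload = open_ticket(tgt, KEYS["krbtgt"], now)
    if payload is None or payload["service"] != "krbtgt":
        return None
    if service == "krbtgt" or service not in KEYS:
        return None
    return seal({"user": payload["user"], "service": service,
                 "expires": min(now + SERVICE_TICKET_LIFETIME, payload["expires"])},
                KEYS[service])


def service_accepts(service: str, ticket: dict, now: float) -> bool:
    """Service: accept only an unexpired ticket sealed with its own key and
    naming this very service; a ticket for another service fails the check."""
    payload = open_ticket(ticket, KEYS[service], now)
    return payload is not None and payload["service"] == service
```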
Summary
• Access control is the process by which resources or services are denied or granted.
• AAA are the basic pillars of security:
  – Authentication: verifying that a person requesting access to a system is who he claims to be.
  – Access control: regulating what a subject can do with an object.
  – Auditing: review of the security settings.
Summary
• There are three types of authentication methods (what the user knows, has, and is).
• Authentication credentials can be combined to provide extended security.
• Authentication can be provided on a network by a dedicated AAA or authentication server (e.g. Kerberos).