Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 8
Authentication
Objectives
• Define authentication.
• Describe the different types of authentication credentials.
• List and explain the authentication models.
• Define authentication servers and present Kerberos.
Definition of Authentication
• Authentication can be defined in two contexts:
  – The first is viewing authentication as it relates to access control.
  – The second is to look at it as one of the three key elements of security: Authentication, Authorization, and Accounting.
Authentication and Access Control Terminology
• Access control is the process by which resources or services are granted or denied. It is composed of four steps:
  1. Identification: The presentation of credentials or identification.
  2. Authentication: The verification of the credentials to ensure that they are genuine (authentic) and not fabricated.
  3. Authorization: Granting permission for admittance (permission to enter).
  4. Access: The right to use specific resources.
Authentication, Authorization, and Accounting (AAA)
• Information security rests on three key pillars (AAA) that determine who the user is (Authentication), what the user can do (Authorization), and what the user did (Accounting).
• Authentication
  − Provides a way of identifying a user.
  − Controls access by requiring valid user credentials.
• Authorization (Access Control)
  − Determines whether the user has the authority to carry out certain tasks (e.g. which resources or services a user is permitted to use).
  − Often defined as the process of enforcing policies.
Authentication, Authorization, and Accounting (AAA) (continued)
• Accounting (Auditing)
  − Measures the resources a user “consumes” during each network session (e.g. records when a session begins and ends, and which services are used).
  − Recorded accounting information can then be used in different ways:
    • To find evidence of problems.
    • For billing.
    • For planning.
Authentication, Authorization, and Accounting (AAA) (continued)
• AAA servers
  – Servers dedicated to performing AAA functions.
  – Can provide significant advantages in a network.
Authentication Credentials
• Types of authentication, or authentication credentials, can be classified into three main categories:
  • What the user knows (passwords).
  • What the user has (token, key, proximity card).
  • What the user is (standard/behavioral/cognitive biometrics).
One-Time Passwords
• Standard passwords are the most common form of authentication credentials, and are typically static in nature.
• One-time passwords (OTP)
  – Dynamic passwords that change frequently.
  – Systems using OTPs generate a unique password on demand that is not reusable.
  – The most common type is the time-synchronized OTP, which is used in conjunction with a token (a small device).
    • The token and a corresponding authentication server share the same algorithm.
    • Each user’s token uses a different algorithm.
One-Time Passwords (continued)
• There are several variations of OTP systems, such as challenge-based OTPs.
  – The authentication server displays a challenge (a random number) to the user.
  – The user then enters the challenge number into the token,
    • which then executes a special algorithm to generate a password.
  – Because the authentication server has this same algorithm, it can also generate the password and compare it against the one entered by the user.
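Both OTP variants described on the slides above, as an added example that is not part of the deck. The token's "special algorithm" is stood in for by the HMAC-based construction of RFC 4226/6238 (HOTP/TOTP); the secret, the 30-second step, the function names and the one-window clock-skew tolerance are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed per-user token secret shared by the token and the authentication server
# (this is the RFC 4226 test-vector key "12345678901234567890"; a real token holds a random one).
TOKEN_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per time window for the time-synchronized variant
DIGITS = 6

def otp_from_counter(secret, counter, digits=DIGITS):
    """The shared 'special algorithm': HMAC-SHA1 over an 8-byte counter, dynamically
    truncated to `digits` decimal digits (the HOTP construction of RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def time_synchronized_otp(secret, now):
    """Token side: the counter is the current time window, so token and server agree
    without exchanging anything (the TOTP construction of RFC 6238)."""
    return otp_from_counter(secret, int(now) // TIME_STEP)

def verify_time_otp(secret, submitted, now, last_accepted=-1, skew_windows=1):
    """Server side: recompute the code for the current window and a small clock-skew
    tolerance. Windows at or before the last accepted one are refused, which is what
    makes the password one-time. Returns the accepted window, or None."""
    window = int(now) // TIME_STEP
    for candidate in range(window - skew_windows, window + skew_windows + 1):
        if candidate > last_accepted and hmac.compare_digest(
                otp_from_counter(secret, candidate), submitted):
            return candidate
    return None

def new_challenge():
    """Server side of the challenge-based variant: an unpredictable random challenge
    that is displayed to the user, who keys it into the token."""
    return secrets.randbits(32)

def challenge_otp(secret, challenge):
    """Token side: run the shared algorithm over the challenge to produce the password."""
    return otp_from_counter(secret, challenge)

def verify_challenge_otp(secret, challenge, submitted):
    """Server side: recompute the expected response for the challenge it issued and compare."""
    return hmac.compare_digest(challenge_otp(secret, challenge), submitted)
```

With the RFC test-vector key, counters 0, 1 and 2 yield 755224, 287082 and 359152, so the server's bookkeeping of the last accepted window can be checked against known values.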
Standard Biometrics
• Standard biometrics uses a person’s unique characteristics (e.g. fingerprints, faces, hands, retinas) for authentication.
• Fingerprint scanners are the most common type of standard biometric device, and are of two types:
  – Static fingerprint scanner
  – Dynamic fingerprint scanner
• Disadvantages of standard biometrics:
  – Cost
  – Readers are not always foolproof.
Standard Biometrics (continued)
• Static fingerprint scanner (figure)
• Dynamic fingerprint scanner (figure)
Behavioral Biometrics
• Behavioral biometrics authenticates by normal actions that the user performs.
• The most promising behavioral biometrics are:
  − Keystroke dynamics
  − Voice recognition
  − Computer footprinting
Behavioral Biometrics (continued)
• Keystroke dynamics
  – Attempts to recognize a user’s unique typing rhythm.
  – Keystroke dynamics uses two unique typing variables:
    • Dwell time: The time a key is held down, from press to release.
    • Flight time: The time between keystrokes (both “down”, when the key is pressed, and “up”, when the key is released, are measured).
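How the two typing variables above can be extracted from press/release events and compared against an enrolled profile, as an added example that is not from the textbook. The key events, passphrase, function names and the z-score threshold are constructed for the demo; flight time is taken press-to-press and release-to-release, following the slide's note that both "down" and "up" are measured.

```python
from statistics import mean, pstdev

# Constructed key events for the demo (not from the deck): (key, action, time in ms) while the
# user types the passphrase "sec". A real system would record these from the keyboard driver.
ENROLL_SAMPLES = [
    [("s", "down", 0), ("s", "up", 95), ("e", "down", 180), ("e", "up", 270), ("c", "down", 340), ("c", "up", 430)],
    [("s", "down", 0), ("s", "up", 100), ("e", "down", 190), ("e", "up", 285), ("c", "down", 350), ("c", "up", 445)],
    [("s", "down", 0), ("s", "up", 90), ("e", "down", 175), ("e", "up", 265), ("c", "down", 335), ("c", "up", 425)],
]
GENUINE_ATTEMPT = [("s", "down", 0), ("s", "up", 97), ("e", "down", 182), ("e", "up", 272), ("c", "down", 345), ("c", "up", 438)]
IMPOSTOR_ATTEMPT = [("s", "down", 0), ("s", "up", 140), ("e", "down", 400), ("e", "up", 520), ("c", "down", 700), ("c", "up", 810)]

def timing_features(events):
    """Dwell time per key: release minus press of that key.
    Flight time between consecutive keys, taken both ways the slide names: press-to-press
    ("down") and release-to-release ("up"). Assumes each key is released before the next is pressed."""
    downs = [t for _, action, t in events if action == "down"]
    ups = [t for _, action, t in events if action == "up"]
    dwell = [u - d for d, u in zip(downs, ups)]
    flight_down = [b - a for a, b in zip(downs, downs[1:])]
    flight_up = [b - a for a, b in zip(ups, ups[1:])]
    return dwell + flight_down + flight_up

def enroll(samples):
    """Build the user's profile: mean and standard deviation of every timing feature
    across the enrollment samples."""
    vectors = [timing_features(s) for s in samples]
    return [(mean(col), pstdev(col)) for col in zip(*vectors)]

def verify(profile, events, z_threshold=3.0, min_sigma=5.0):
    """Accept only if every feature of the attempt lies within z_threshold standard deviations
    of the profile mean. min_sigma stops a feature with near-zero variance from rejecting
    the normal jitter of the genuine user."""
    attempt = timing_features(events)
    if len(attempt) != len(profile):  # different passphrase length: cannot compare
        return False
    return all(abs(x - mu) <= z_threshold * max(sigma, min_sigma)
               for x, (mu, sigma) in zip(attempt, profile))
```

The impostor sample types the correct passphrase but with a slower rhythm, which is exactly what the profile is meant to catch.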
Behavioral Biometrics (continued)
• Voice recognition
  – Used to authenticate users based on the unique characteristics of a person’s voice (e.g. the size of the user’s head and the user’s age).
  – Phonetic cadence
    • Speaking two words together in a way that one word “bleeds” into the next word.
    • Becomes part of each user’s speech pattern.
• Computer footprint
  – When and from where a user normally accesses a system.
Cognitive Biometrics
• Cognitive biometrics is related to the perception, thought process, and understanding of the user.
  – Considered much easier for the user to remember because it is based on the user’s life experiences, which also makes it very difficult for an attacker to imitate.
• Examples of cognitive biometrics:
  – One example is based on a life experience that the user remembers.
  – Another example requires the user to identify specific faces.
Authentication Models
• Authentication credentials can be combined to provide extended security, hence creating different authentication models.
• Single and multi-factor authentication
  – One-factor authentication
    • Using only one authentication credential.
  – Two-factor authentication
    • Enhances security, particularly if different types of authentication methods are used.
  – Three-factor authentication
    • Requires that a user present three different types of authentication credentials.
Authentication Models (continued)
• Single sign-on
  – Identity management
    • Using a single authenticated ID that is shared across multiple networks.
  – Federated identity management (FIM)
    • When those networks are owned by different organizations.
    • One application of FIM is called single sign-on (SSO). It consists of using one authentication to access multiple accounts or applications.
Authentication Models (continued)
• Windows Live ID
  – Originally introduced in 1999 as .NET Passport.
  – Requires a user to create a standard username and password.
  – When the user wants to log into a Web site that supports Windows Live ID, the user is first redirected to the nearest authentication server.
  – Once authenticated, the user is given an encrypted, time-limited “global” cookie.
Authentication Models (continued)
• Windows CardSpace
  – A feature of Windows intended to give users control of their digital identities while helping them to manage privacy.
  – It allows users to create and use virtual business cards that contain information that identifies the user.
Authentication Servers
• Authentication can be provided on a network by a dedicated AAA or authentication server.
• The most common type of authentication server is Kerberos.
Kerberos
• Kerberos Definition
  – An authentication system developed by the Massachusetts Institute of Technology (MIT) to provide authentication between networked users (clients) and services (e.g. a file system server or a remote login server).
  – Authentication is achieved through a central server called the “Key Distribution Center” (KDC). It consists of two parts:
    • Authentication Server (AS): Issues “Ticket Granting Tickets” (TGT).
    • Ticket Granting Server (TGS): Issues service tickets.
  – Tickets contain specific user information, and restrict what a user can do.
  – Tickets expire after a few hours or a day.
Kerberos (continued)
• Kerberos Architecture (diagram: the Kerberos KDC, made up of the AS and the TGS; a Client; a Mail Server and a Printer Server; Tickets passing between them)
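The AS, TGS and service steps from the definition and architecture slides above, as an added toy example that is not the deck's or MIT Kerberos's own code. Real Kerberos encrypts tickets under the recipient's key; here a ticket is a dictionary sealed with an HMAC tag so the flow and the expiry check can be run offline, and the key table, user, lifetimes and function names are constructed.

```python
import hashlib
import hmac
import json

# Constructed key table for the demo (not from the deck). Real Kerberos encrypts tickets;
# this toy seals them with an HMAC tag, so it shows the ticket flow and expiry checks only.
KDC_KEYS = {
    "alice": hashlib.sha256(b"alice-password").digest(),  # user key derived from her password
    "krbtgt": b"tgs-long-term-key",                       # key the TGS uses to read TGTs
    "mail": b"mail-server-long-term-key",                 # key the mail service holds
}
TGT_LIFETIME, SERVICE_LIFETIME = 8 * 3600, 3600  # slide: tickets expire after hours or a day

def seal(key, fields, now, lifetime):
    """Issue a ticket: the fields plus an expiry time, bound together by an HMAC under key."""
    body = dict(fields, expires=now + lifetime)
    tag = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def open_ticket(key, ticket, now):
    """Check a ticket's tag and expiry; return its fields, or None if forged, altered or expired."""
    expected = hmac.new(key, json.dumps(ticket["body"], sort_keys=True).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]) or now >= ticket["body"]["expires"]:
        return None
    return ticket["body"]

def as_exchange(user, now):
    """AS: issue a TGT only the TGS can validate, inside a reply only the user's key validates."""
    tgt = seal(KDC_KEYS["krbtgt"], {"user": user}, now, TGT_LIFETIME)
    return seal(KDC_KEYS[user], {"tgt": tgt}, now, TGT_LIFETIME)

def tgs_exchange(tgt, service, now):
    """TGS: accept an unexpired TGT and issue a service ticket for the named service."""
    tgt_body = open_ticket(KDC_KEYS["krbtgt"], tgt, now)
    if tgt_body is None:
        return None
    return seal(KDC_KEYS[service], {"user": tgt_body["user"], "service": service}, now, SERVICE_LIFETIME)

def service_accept(service, ticket, now):
    """Service: admit the user named in a valid ticket that was issued for this service."""
    body = open_ticket(KDC_KEYS[service], ticket, now)
    return body["user"] if body and body["service"] == service else None

def login_and_use(user, password, service, now):
    """Client side of the whole flow: AS reply -> TGT -> service ticket -> access to the service."""
    reply = open_ticket(hashlib.sha256(password.encode()).digest(), as_exchange(user, now), now)
    if reply is None:  # wrong password: the client cannot validate the AS reply
        return None
    ticket = tgs_exchange(reply["tgt"], service, now)
    return service_accept(service, ticket, now) if ticket else None
```

The service never sees the user's password: it trusts the ticket because only the KDC holds the service's long-term key, and an expired or altered ticket is refused at the point it is presented.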
Kerberos (continued)
• Advantages
  − Strong authentication.
  − Single sign-on (SSO) capability.
• Disadvantages
  − Single point of failure (centralized KDC).
  − The Authentication Server could be compromised.
  − A TGT could be stolen to access network services.
  − Subject to password guessing.
Summary
• Access control is the process by which resources or services are denied or granted.
• AAA are the basic pillars of security:
  – Authentication: verifying that a person requesting access to a system is who he claims to be.
  – Access control: regulating what a subject can do with an object.
  – Auditing: review of the security settings.
Summary (continued)
• There are three types of authentication methods (what the user knows, has, and is).
• Authentication credentials can be combined to provide extended security.
• Authentication can be provided on a network by a dedicated AAA or authentication server (e.g. Kerberos).