Document information: 38 pages, 1.77 MB
LESSON 7 Authentication

User management
♦ Authentication - confirming the identity of the user
♦ Authorization - controlling the permissions of the user
♦ Accounting - tracking and recording the user's actions

What is authentication?
♦ Identification – a sign or means by which a user is recognised and distinguished.
♦ The process of checking that identifying sign is called authentication.
♦ 3 Categories:
– What you know
– What you have
– Who you are

What you know
♦ Password
♦ Passphrase
♦ PIN
♦ Challenge/Response

PASSWORD
♦ Advantages
- Simple
- Easy to use and manage
♦ Disadvantages
- Must be remembered
- Not secure

Password security
♦ Alphabet
♦ Recommend
- Length not less than 8
- A combination of upper-case letters, lower-case letters, digits and special characters
♦ Attack methods
- Dictionary
- Guessing
- Brute force

What you have
♦ One time password
♦ Keys Exchange
♦ Digital authentication – physical devices to aid authentication
♦ Common examples:
– eToken
– smart cards
– RFID

One Time Password
♦ Pseudo-random Generator
♦ Session time
♦ Synchronization

eToken
♦ Can be implemented on a USB key fob or a smart card
♦ Data physically protected on the device itself
♦ On the client side, the token is accessed via password
♦ Successful client-side authentication with the password invokes the token to generate a stored or generated passcode, which is sent to the server-side for authentication.

eToken
♦ May store credentials such as passwords, digital signatures and certificates, and private keys
♦ Can offer on-board authentication and digital signing

[...]

... and what you have
• Can be stolen or forgotten
• Susceptible to replay attacks
– Who you are
• Unique biometrics that hinder replay attacks and imposters
• Privacy issues arise

Authentication Token Formats
♦ A security token (authentication token) is a representation of security-related data (not to be confused with an eToken)
♦ Examples:
– X.509 certificates
– Kerberos tickets
– Custom security tokens...
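The "Password security" slide gives a length and character-class recommendation and names three attacks (dictionary, guessing, brute force). The following is an added example, not code from the lesson, that turns the recommendation into a policy check and estimates the guess budget each attack would need; the tiny COMMON_WORDS wordlist and the class sizes are constructed assumptions standing in for a real dictionary.

```python
import string

# Constructed stand-in for a real attacker wordlist (assumption, not from the lesson).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}

MIN_LENGTH = 8  # the slide's recommendation: length not less than 8

# Size of each character class the slide asks for (26 + 26 + 10 + 32 = 94 symbols).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digit": len(string.digits),
    "special": len(string.punctuation),
}
CLASS_MEMBERS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def character_classes(pw: str) -> dict:
    """Which of the four recommended classes the password actually uses."""
    return {name: any(c in members for c in pw) for name, members in CLASS_MEMBERS.items()}


def alphabet_size(pw: str) -> int:
    """The 'alphabet' an exhaustive attacker must cover: the union of the classes used."""
    used = character_classes(pw)
    return sum(CLASS_SIZES[name] for name, present in used.items() if present)


def brute_force_guesses(pw: str) -> int:
    """Worst-case number of guesses for an exhaustive search over that alphabet."""
    return alphabet_size(pw) ** len(pw)


def check_policy(pw: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"length {len(pw)} is below the minimum of {MIN_LENGTH}")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if pw.lower() in COMMON_WORDS:
        problems.append("found in dictionary")
    return problems


def expected_attack(pw: str) -> tuple:
    """Which of the slide's attacks a defender should expect to succeed first, and its guess budget.

    A dictionary word falls to a wordlist of a few thousand entries regardless of its
    length or classes; otherwise the attacker is back to exhaustive search.
    """
    if pw.lower() in COMMON_WORDS:
        return ("dictionary", len(COMMON_WORDS))
    return ("brute force", brute_force_guesses(pw))


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        print(candidate, check_policy(candidate), expected_attack(candidate))
```

Note that "password" satisfies the length rule yet is the cheapest of the three to break: length and class rules only raise the brute-force cost, so a policy also needs the dictionary check to address the first attack on the slide.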
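The "One Time Password" slide lists three ingredients: a pseudo-random generator, a session time, and synchronization between token and server. The following is an added example, not the lesson's own code, showing how the three fit together in a time-based OTP: the code is an HMAC-SHA1 truncation over a time counter (the construction of RFC 4226/6238), the 30-second step is the "session time", and the verifier tolerates one step of clock drift while refusing to accept a counter it has already honoured, which is the replay concern raised later for "what you have" factors. The shared secret is the RFC 6238 test seed, used here only as a fixed sample; STEP_SECONDS, DIGITS and WINDOW are assumed parameters.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # "session time": how long one code is valid (assumed parameter)
DIGITS = 6          # length of the displayed code (assumed parameter)
WINDOW = 1          # synchronization tolerance: accept +/- one step of drift (assumed)

# Constructed sample secret: the RFC 6238 SHA-1 test seed, NOT a secret to deploy.
SECRET = b"12345678901234567890"


def time_counter(unix_time: int) -> int:
    """Map wall-clock time onto the counter both sides derive the code from."""
    return unix_time // STEP_SECONDS


def otp_for_counter(secret: bytes, counter: int) -> str:
    """Pseudo-random code for one counter value: HMAC-SHA1, dynamic truncation, mod 10^DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def generate(secret: bytes, unix_time: int) -> str:
    """Token side: the code shown to the user at the given time."""
    return otp_for_counter(secret, time_counter(unix_time))


class OtpVerifier:
    """Server side: checks a submitted code against the current step and its neighbours.

    last_counter records the newest step already accepted for this user, so the same
    code cannot be presented twice and an older code cannot follow a newer one.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, server_time: int) -> bool:
        base = time_counter(server_time)
        for drift in range(-WINDOW, WINDOW + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # already used (replay) or older than an accepted code
            # compare_digest avoids leaking the match position via timing
            if hmac.compare_digest(otp_for_counter(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    code = generate(SECRET, 59)          # token shows this during step 1 (t = 30..59)
    verifier = OtpVerifier(SECRET)
    print(code, verifier.verify(code, 65))   # server clock 6 s ahead: still in window
    print(code, verifier.verify(code, 65))   # same code again: rejected as replay
```

Widening WINDOW makes the scheme tolerate more drift but gives an attacker more valid codes per moment, so the usual practice is a small window plus resynchronization when a user repeatedly fails.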
... orientation
♦ Position – X,Y location relative to some fixed points

Algorithms
♦ Image-based
♦ Pattern-based
♦ Minutia-based

Fingerprint Scanners
Digital Persona U.are.U Pro
HP IPAQ
IBM Thinkpad T42

Biometric Authentication Terms
♦ False Acceptance Rate (FAR) – False Match Rate (FMR)
– Percentage of access attempts by unauthorized individuals which are nevertheless successful
♦ False Rejection Rate (FRR) –...

... support
♦ May communicate with a variety of transponders (ISO15693, ISO14443 Type A & B, TagIt, Icode, etc.)
♦ Reader is controlled via PCMCIA interface using an ASCII protocol

Who you are
♦ Biometric authentication – Use of a biometric reading to confirm that a person is who he/she claims to be
♦ Biometric reading – A recording of some physical or behavioral attribute of a person

Physical Biometrics...

... that the certificate is valid)
♦ The recipient may confirm the identity of the sender with the Certificate Authority

Kerberos Tickets
♦ Clients share secret symmetric key with server
♦ Clients login to authentication server
♦ Server returns a Ticket-Granting Ticket (TGT) encrypted with client's key
♦ Client sends decrypted TGT to Ticket Granting Service
♦ TGS sends ticket authorizing network access and...

[Figure: Message Authorizing Application by User; Secure Channel]

Custom Security Tokens
♦ May contain additional context information:
– Access method
• wired, local terminal
• wired remote terminal
• wireless PDA
– Authentication method
• Password
• e-Token
• Fingerprint
– Trust level

Trust Level Extension
♦ Different trust levels for devices with different levels of implementation reliability
♦ Still very abstract
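The "Biometric Authentication Terms" slide defines the False Acceptance Rate as the share of unauthorized attempts that nevertheless succeed, and pairs it with the False Rejection Rate. The following is an added example, not part of the lesson, that computes both rates from matcher scores at a chosen decision threshold and then scans thresholds to find where the two rates are equal; the GENUINE and IMPOSTOR score lists are constructed sample data, and the convention that higher scores mean a closer match is an assumption.

```python
# Constructed matcher scores in [0, 1]; higher = closer match (assumed convention).
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.95, 0.60, 0.85, 0.78]    # enrolled users vs their own template
IMPOSTOR = [0.20, 0.35, 0.55, 0.10, 0.65, 0.30, 0.45, 0.25]   # other people vs that template


def far(impostor_scores, threshold: float) -> float:
    """False Acceptance Rate: fraction of impostor attempts the matcher lets through."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold: float) -> float:
    """False Rejection Rate: fraction of legitimate attempts the matcher turns away."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """(FAR, FRR) at one threshold; raising the threshold trades FAR for FRR."""
    return far(impostor, threshold), frr(genuine, threshold)


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 100) -> tuple:
    """Scan thresholds and return (threshold, FAR, FRR) where the two rates are closest.

    The equal error rate is the usual single-number summary of a biometric matcher;
    a deployment then moves the threshold up (fewer impostors accepted) or down
    (fewer users rejected) depending on which error is costlier.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = rates(t, genuine, impostor)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        print(f"threshold {t:.2f}: FAR={rates(t)[0]:.3f} FRR={rates(t)[1]:.3f}")
    print("equal error point:", equal_error_threshold())
```

With these scores a threshold of 0.5 admits two of the eight impostor attempts while rejecting no legitimate user, and 0.7 admits no impostor but rejects one legitimate user; the scan lands between those two points.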