Chapter 2 - Authentication. After studying this chapter you will be able to: understand AAA (3A), create strong passwords and store them securely, understand the Kerberos authentication process, understand how CHAP works, understand what mutual authentication is and why it is necessary, understand how digital certificates are created and why they are used, ...
Chapter 2: Authentication
ATHENA

Objectives in this chapter
• Understand AAA (3A)
• Create strong passwords and store them securely
• Understand the Kerberos authentication process
• Understand how CHAP works
• Understand what mutual authentication is and why it is necessary
• Understand how digital certificates are created and why they are used

Learning Objectives
• Understand what tokens are and how they function
• Understand biometric authentication processes and their strengths and weaknesses
• Understand the benefits of multifactor authentication

Security of System Resources
Three-step process (AAA)
• Authentication – Positive identification of the person or system seeking access to secured information or services (verifying that a person requesting access to a system is who he claims to be)
• Authorization – Predetermined level of access to resources (regulating what a subject can do with an object)
• Accounting – Logging the use of each asset (review of the security settings)

Security of System Resources
Identifying who is responsible for information security

Authentication
Positive identification of the person or system seeking access to secured information or services. Based on:
• Something you know (password)
• Something you have (smartcard)
• Something you are (biometrics)
• Or a combination (multi-factor)

Authentication Techniques
• Usernames and passwords
• Kerberos
• Challenge Handshake Authentication Protocol (CHAP)
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication

Authentication: The Big Issue
The central problem to be solved in all cases is how to send something securely across the network to the authenticator such that the something can't be read or decrypted, etc., and can't be successfully replayed later from captured packets.

Usernames and Passwords
Username
• Unique alphanumeric identifier used to identify an individual when logging onto a computer or network
Password
• Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer or network

Username + Password
• Most common form of authentication
• Username/password validated against an Access Server

Different Kinds of Biometrics
Physical characteristics
• Fingerprints
• Hand geometry
• Retinal scanning
• Iris scanning
• Facial scanning
Behavioral characteristics
• Handwritten signatures
• Voice

Fingerprint Biometrics
Hand Geometry Authentication
Retinal Scanning
Iris Scanning
Signature Verification

General Trends in Biometrics
• Authenticating large numbers of people over a short period of time (e.g., smart cards)
• Gaining remote access to controlled areas

Multifactor Authentication
The identity of an individual is verified using at least two of the three factors of authentication
• Something you know (e.g., password)
• Something you have (e.g., smart card)
• Something about you (e.g., biometrics)

Authentication Techniques: Summary
• Usernames and passwords
• Kerberos
• CHAP
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication

Authorization
Controlling Access to Computer Systems
• Restrictions to user access are stored in an access control list (ACL)
• An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)

Mandatory Access Control (MAC)
• A more restrictive model
• The subject is not allowed to give another subject access to use an object

Role Based Access Control (RBAC)
• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
• Users and objects inherit all of the permissions of the role

Discretionary Access Control (DAC)
• Least restrictive model
• One subject can adjust the permissions of other subjects over objects
• The type of access most users associate with their personal computers

Auditing Information Security Schemes
Two ways to audit a security system
• Logging records which user performed a specific activity and when
• System scanning checks the permissions assigned to a user or role; the results are compared to what is expected to detect any differences

Summary
Authentication
• Usernames and passwords
• Kerberos
• CHAP
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication
Authorization
• MAC, RBAC, DAC
Accounting
...

... part of a Kerberos system

Security Weaknesses of Kerberos
• Does not solve password-guessing attacks
• Must keep password secret
• Does not prevent denial-of-service attacks
• Internal... (encrypts data)

Challenge Handshake Authentication Protocol (CHAP)
• PPP mechanism used by an authenticator to authenticate a peer
• Uses an encrypted challenge-and-response sequence
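The Authorization and Auditing slides describe an ACL as a table of subject-to-object rights, RBAC as users inheriting the permissions of their roles, and auditing both by logging activity and by scanning assigned permissions against what is expected. The following Python is an added example written for this page, not material from the ATHENA course; the roles, users, objects and expected baseline are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample policy: roles carry (object, right) permissions, users are assigned roles.
ROLE_PERMISSIONS = {
    "clerk":   {("/finance/invoices", "read")},
    "auditor": {("/finance/invoices", "read"), ("/logs/security.log", "read")},
    "admin":   {("/finance/invoices", "read"), ("/finance/invoices", "write"),
                ("/logs/security.log", "read")},
}
USER_ROLES = {"bob": {"clerk"}, "carol": {"auditor", "clerk"}, "dave": {"admin"}}

ACCOUNTING_LOG: list[str] = []   # accounting: who did what, when, and with which outcome

def effective_rights(user: str) -> set[tuple[str, str]]:
    """RBAC: a user inherits every (object, right) pair of every role assigned to them."""
    rights: set[tuple[str, str]] = set()
    for role in USER_ROLES.get(user, set()):
        rights |= ROLE_PERMISSIONS.get(role, set())
    return rights

def authorize(user: str, obj: str, right: str) -> bool:
    """Authorization decision; every attempt, allowed or denied, is recorded for accounting."""
    allowed = (obj, right) in effective_rights(user)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    ACCOUNTING_LOG.append(f"{stamp} user={user} object={obj} right={right} "
                          f"result={'ALLOW' if allowed else 'DENY'}")
    return allowed

def build_acl() -> dict[str, dict[str, set[str]]]:
    """Flatten the role model into the per-object ACL view: object -> subject -> rights."""
    acl: dict[str, dict[str, set[str]]] = {}
    for user in USER_ROLES:
        for obj, right in effective_rights(user):
            acl.setdefault(obj, {}).setdefault(user, set()).add(right)
    return acl

def scan_for_drift(expected: dict[str, set[tuple[str, str]]]) -> dict[str, dict[str, set]]:
    """Audit by scanning: compare each user's actual rights with the expected baseline."""
    drift: dict[str, dict[str, set]] = {}
    for user in set(expected) | set(USER_ROLES):
        actual, wanted = effective_rights(user), expected.get(user, set())
        if actual != wanted:
            drift[user] = {"unexpected": actual - wanted, "missing": wanted - actual}
    return drift

if __name__ == "__main__":
    authorize("dave", "/finance/invoices", "write")
    print(ACCOUNTING_LOG[-1])
```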
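The CHAP slide, together with "The Big Issue" earlier, is about proving knowledge of a secret to the authenticator without sending the secret itself and without the exchange being replayable from captured packets. The following Python is an added example, not material from the ATHENA course: it implements the MD5-CHAP response from RFC 1994, Response = MD5(Identifier || Secret || Challenge), which is a one-way hash rather than encryption, using a constructed shared secret, and shows a captured response failing against a fresh challenge.

```python
import hashlib
import hmac
import os

# Shared secret provisioned out of band on both peer and authenticator (constructed sample value).
SHARED_SECRETS = {"alice": b"correct horse battery staple"}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """The side that issues challenges; the secret itself never crosses the wire."""

    def __init__(self) -> None:
        self.pending: dict[int, bytes] = {}   # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        ident = self.next_id & 0xFF
        self.next_id += 1
        chal = os.urandom(16)                 # fresh, unpredictable value for every attempt
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)  # each challenge can be answered only once
        secret = SHARED_SECRETS.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def run_exchange() -> dict[str, bool]:
    auth = Authenticator()
    ident, chal = auth.challenge()                              # 1. Challenge (authenticator -> peer)
    resp = chap_response(ident, SHARED_SECRETS["alice"], chal)  # 2. Response  (peer -> authenticator)
    genuine = auth.verify(ident, "alice", resp)                 # 3. Success / Failure
    # A captured (ident, resp) pair is useless afterwards: the old challenge was consumed ...
    replay_same = auth.verify(ident, "alice", resp)
    # ... and a new session receives a different challenge, so the old hash no longer matches.
    ident2, _chal2 = auth.challenge()
    replay_new = auth.verify(ident2, "alice", resp)
    # A peer holding the wrong secret cannot answer a fresh challenge correctly.
    ident3, chal3 = auth.challenge()
    wrong = auth.verify(ident3, "alice", chap_response(ident3, b"wrong secret", chal3))
    return {"genuine": genuine, "replay_same_id": replay_same,
            "replay_new_challenge": replay_new, "wrong_secret": wrong}
```

A captured challenge/response pair still lets a passive observer guess a weak secret offline, so CHAP counters replay but not weak passwords; each peer needs a strong, unique secret.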