Understand AAA (3A)
Create strong passwords and store them
securely
Understand the Kerberos authentication
process
Understand how CHAP works
Understand what mutual authentication is and
why it is necessary
Understand how digital certificates are created
and why they are used
ATHENA
Understand what tokens are and how they
function
Understand biometric authentication processes
and their strengths and weaknesses
Understand the benefits of multifactor
authentication
Three-step process (AAA)
• Authentication
–Positive identification of person/system seeking
access to secured information/services
(verifying that a person requesting access to a
system is who he claims to be)
• Authorization
–Predetermined level of access to resources
(regulating what a subject can do with an object)
• Accounting
–Logging use of each asset (review of the security
settings)
55 trang |
Chia sẻ: candy98 | Lượt xem: 498 | Lượt tải: 0
Bạn đang xem trước 20 trang tài liệu Security + Certification - Chapter 2: Authentication - Athena, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
Chapter 2:Authentication
Objectives in this chapter
Understand AAA (3A)
Create strong passwords and store them
securely
Understand the Kerberos authentication
process
Understand how CHAP works
Understand what mutual authentication is and
why it is necessary
Understand how digital certificates are created
and why they are used
ATHENA
Learning Objectives
Understand what tokens are and how they
function
Understand biometric authentication processes
and their strengths and weaknesses
Understand the benefits of multifactor
authentication
ATHENA
Security of System Resources
Three-step process (AAA)
• Authentication
–Positive identification of person/system seeking
access to secured information/services
(verifying that a person requesting access to a
system is who he claims to be)
• Authorization
–Predetermined level of access to resources
(regulating what a subject can do with an object)
• Accounting
–Logging use of each asset (review of the security
settings)
ATHENA
Security of System Resources
Identifying who is
responsible for
Information security
ATHENA
Authentication
Positive identification of person/system seeking
access to secured information/services
Based on:
• Something you know (password)
• Something you have (smartcard)
• Something you are (biometrics)
• Or a combination (multi-factor)
ATHENA
Authentication Techniques
Usernames and passwords
Kerberos
Challenge Handshake Authentication Protocol
(CHAP)
Mutual authentication
Digital certificates
Tokens
Biometrics
Multifactor authentication
ATHENA
Authentication: The Big Issue
The central problem to be solved in all cases is
how to send something securely across the
network to the authenticator such that the
something can’t be read or decrypted,etc. and
can’t be successfully replayed later from
captured packets.
ATHENA
Usernames and Passwords
Username
• Unique alphanumeric identifier used to
identify an individual when logging onto a
computer/network
Password
• Secret combination of keystrokes that, when
combined with a username, authenticates a
user to a computer/network
ATHENA
Username + Password
Most common form of authentication
Username/password validated against Access
Server
ATHENA
Basic Rules for Password Protection
1. Memorize passwords; do not write them down
2. Use different passwords for different
functions
3. Use at least 6 characters
4. Use mixture of uppercase and lowercase
letters, numbers, and other characters
5. Change periodically
ATHENA
Strong Password Creation Techniques
Easy to remember; difficult to recognize
Examples:
• First letters of each word of a simple phrase;
add a number and punctuation
–Asb4M?
• Combine two dissimilar words and place a
number between them
–SleigH9ShoE
• Substitute numbers for letters (not obviously)
ATHENA
Techniques to Use Multiple Passwords
Group Web sites or applications requiring
passwords by appropriate level of security
• Use a different password for each group
• Cycle more complex passwords down the
groups, from most sensitive to least
ATHENA
Storing Passwords
Written
• Keep in a place you are not likely to lose it
• Use small type
• Develop a personal code to apply to the list
Electronic
• Use a specifically designed application
(encrypts data)
ATHENA
Challenge Handshake Authentication
Protocol (CHAP)
PPP mechanism used by an authenticator to
authenticate a peer
Uses an encrypted challenge-and-response
sequence
ATHENA
CHAP Challenge-and-Response
Sequence
ATHENA
CHAP Security Benefits
Multiple authentication sequences throughout
Network layer protocol session
• Limit time of exposure to any single attack
Variable challenge values and changing
identifiers
• Provide protection against playback attacks
ATHENA
CHAP Security Issues
Passwords should not be the same in both
directions
Not all implementations of CHAP terminate the
link when authentication process fails, but
instead limit traffic to a subset of Network layer
protocols
• Possible for users to update passwords
ATHENA
Kerberos
Provides secure and convenient way to
access data and services through:
• Session keys
• Tickets
• Authenticators
• Authentication servers
• Ticket-granting tickets
• Ticket-granting servers
• Cross-realm authentication
ATHENA
Kerberos in a Simple Environment
Session key
• Secret key used during logon session between client
and a service
Ticket
• Set of electronic information used to authenticate
identity of a principal to a service
Authenticator
• Device (eg, PPP network server) that requires
authentication from a peer and specifies
authentication protocol used in the configure request
during link establishment phase
ATHENA
continued
Kerberos in a Simple Environment
Checksum
• Small, fixed-length numerical value
• Computed as a function of an arbitrary
number of bits in a message
• Used to verify authenticity of sender
ATHENA
Kerberos in a Simple Environment
ATHENA
Kerberos in a More Complex
Environment
Ticket-granting ticket (TGT)
• Data structure that acts as an authenticating
proxy to principal’s master key for set period
of time
Ticket-granting server (TGS)
• Server that grants ticket-granting tickets to a
principal
ATHENA
Kerberos in a More Complex
Environment
ATHENA
Kerberos in Very Large
Network Systems
Cross-realm authentication
• Allows principal to authenticate itself to gain
access to services in a distant part of a
Kerberos system
ATHENA
Security Weaknesses of Kerberos
Does not solve password-guessing attacks
Must keep password secret
Does not prevent denial-of-service attacks
Internal clocks of authenticating devices must
be loosely synchronized
Authenticating device identifiers must not be
recycled on a short-term basis
ATHENA
Mutual Authentication
Process by which each
party in an electronic
communication verifies
the identity of the other
party
Not only the user, but
the server is
authenticated.
ATHENA
Electronic Encryption and
Decryption Concepts
Encryption
• Converts plain text message into secret
message
Decryption
• Converts secret message into plain text
message
Symmetric cipher
• Uses only one key
Asymmetric cipher
• Uses a key pair (private key and public key)
ATHENA
Symmetric Key Cryptography
Single key – works in both directions (the same
key used to encrypt will also decrypt the
ciphertext).
Short key length – 128 up to 448 bits
(currently).
Very fast encryption/decryption.
Key used for a short time and discarded
(session key).
ATHENA
Asymmetric Key Cryptography
Two keys – one made public and one kept
securely private.
One-way – a ciphertext encrypted with one of
the keys can only be decrypted with the other
key.
Long length – 1024, 2048, or more bits.
Slow encryption/decryption.
Used to encrypt small amounts of data (session
keys, for example)
ATHENA
Electronic Encryption and
Decryption Concepts
Certificate Authority (CA)
• Trusted, third-party entity that verifies the
actual identity of an organization/individual
before providing a digital certificate
Nonrepudiation
• Practice of using a trusted, third-party entity
to verify the authenticity of a party who sends
a message
ATHENA
Digital Certificates
Electronic means of verifying identity of an
individual/organization
Contains the public key of the
individual/organization
Digital signature
• Piece of data that claims that a specific,
named individual wrote or agreed to the
contents of an electronic document to which
the signature is attached
ATHENA
ATHENA
How Much Trust
Should One Place in a CA?
Reputable CAs have several levels of
authentication that they issue based on the
amount of data collected from applicants
Example: VeriSign
ATHENA
Security Tokens
Authentication devices assigned to specific user
Small, credit card-sized physical devices
Incorporate two-factor authentication methods
Utilize base keys that are much stronger than
short, simple passwords a person can
remember
ATHENA
Types of Security Tokens
Passive
• Act as a storage device for the base key
• Do not emit, or otherwise share, base tokens
Active
• Actively create another form of a base key or
encrypted form of a base key that is not
subject to attack by sniffing and replay
• Can provide variable outputs in various
circumstances
ATHENA
One-Time Passwords
Used only once for limited period of time; then
is no longer valid
Uses shared keys and challenge-and-response
systems, which do not require that the secret be
transmitted or revealed
Strategies for generating one-time passwords
• Counter-based tokens
• Clock-based tokens
ATHENA
Biometrics
Biometric authentication
• Uses measurements of physical or behavioral
characteristics of an individual
• Generally considered most accurate of all
authentication methods
• Traditionally used in highly secure areas
• Expensive
ATHENA
How Biometric Authentication Works
1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put
into an electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and
compares it to data in template
6. If data from scan matches data in template,
person is allowed access
7. Keep a record, following AAA model
ATHENA
False Positives and False Negatives
False positive
• Occurrence of an unauthorized person being
authenticated by a biometric authentication
process
False negative
• Occurrence of an authorized person not
being authenticated by a biometric
authentication process when they are who
they claim to be
ATHENA
Different Kinds of Biometrics
Physical characteristics
• Fingerprints
• Hand geometry
• Retinal scanning
• Iris scanning
• Facial scanning
Behavioral characteristics
• Handwritten signatures
• Voice
ATHENA
Fingerprint Biometrics
ATHENA
Hand Geometry Authentication
ATHENA
Retinal Scanning
ATHENA
Iris Scanning
ATHENA
Signature Verification
ATHENA
General Trends in Biometrics
Authenticating large numbers of people over a
short period of time (eg, smart cards)
Gaining remote access to controlled areas
ATHENA
Multifactor Authentication
Identity of individual is verified using at least
two of the three factors of authentication
• Something you know (eg, password)
• Something you have (eg, smart card)
• Something about you (eg, biometrics)
ATHENA
Authentication techniques Summary
• Usernames and passwords
• Kerberos
• CHAP
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication
ATHENA
Authorization
Controlling Access to Computer Systems
• Restrictions to user access are stored in an
access control list (ACL)
• An ACL is a table in the operating system
that contains the access rights each subject (a
user or device) has to a particular system
object (a folder or file)
ATHENA
Mandatory Access Control (MAC)
A more restrictive model
The subject is not allowed to give access to
another subject to use an object
ATHENA
Role Based Access Control (RBAC)
Instead of setting permissions for each user or
group, you can assign permissions to a position
or role and then assign users and other objects
to that role
Users and objects inherit all of the permissions
for the role
ATHENA
Discretionary Access Control (DAC)
Least restrictive model
One subject can adjust the permissions for
other subjects over objects
Type of access most users associate with their
personal computers
ATHENA
Auditing Information
Security Schemes
Two ways to audit a security system
• Logging records which user performed a specific
activity and when
• System scanning to check permissions assigned to a
user or role; these results are compared to what is
expected to detect any differences
ATHENA
Summary
Authentication
• Usernames and passwords
• Kerberos
• CHAP
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication
Authorization
• MAC, RBAC, DAC
Accounting
ATHENA