Authentication

advertisement
Authentication
User Authentication - Defined
•
The rapid spread of e-Business has necessitated the securing of transactions
•
Authentication is a fundamental security function. During authentication,
credentials presented by an individual are validated and associated with the
person's identity.This binding between credentials and identity is typically
done for the purpose of granting (or denying) authorization to perform
some restricted operation, like accessing secured files or executing
sensitive transactions
•
User authentication is commonly defined as the process of identifying an
individual, usually based on a uusername and passwords
– In security systems, authentication is distinct from authorization, which
is the process of giving individuals access to system objects based on
their identity. Authentication merely ensures that the individual is who
he or she claims to be, but says nothing about the access rights of the
individual. The process of identifying an individual, usually based on a
username and password
Strong User Authentication - Defined
•
When a traditional business becomes an e-Business, the access paths to
corporate data expand, and the need for an overall security methodology
increases greatly. A key part of this methodology is authentication. Old
authentication methods such as passwords will no longer suffice due to
their inherent weaknesses as well as the growing sophistication of the tools
and people attempting unauthorized access. Today, strong user
authentication—using at least two methods of identifying an individual—is
critical to maintaining control over access to data
•
Essentially, Strong Authentication controls access and gives nonrepudiation, or conclusive tracing of an action to an individual
Existing User Authentication Techniques
The broad categories of user authentication, their methods and properties
are shown in the following table
Method
Examples
Properties
What you know
User Ids,
Shared
PINs
Easy to guess
Passwords
Usually forgotten
Cards
Shared
Badges
Can be Duplicated
Keys
Lost or Stolen
What you know and what
you have
ATM + PIN
Shared
Something unique about
user
Fingerprint, face,
voiceprint, iris scan
What you have
PIN is weak (written on
back, easy to guess or
forget)
Not possible to share
Repudiation unlikely
Forging difficult
Cannot be lost or stolen
Single Factor Authentication - Defined
•
Single factor authentication has been traditionally established by one of
these elements:
– Something you have—including keys or token cards
– Something you know—including passwords
– Something you are—including fingerprints, voiceprints or retinal scans
(iris)
Single Factor Authentication - Products
•
Passwords are the most basic and most common method of single factor
authentication
•
Other stronger forms of single factor authentication include:
– Password Authentication Protocol (PAP)
– Challenge Handshake Authentication Protocol (CHAP)
– Secure Socket Layer (SSL)
– Digital Signatures
– Kerberos
– Firewall
– Virtual Private Networks (VPNs)
Single Factor Authentication – Products
Defined
•
Password Authentication Protocol: The most basic access control
protocol for logging onto a network. A table of usernames and passwords is
stored on a server—when users log on, their usernames and passwords are
sent to the server for verification
•
Challenge Handshake Authentication Protocol: Similar to PAP, CHAP
also uses a randomly generated challenge and requires a matching response
that depends on a cryptographic hash of the challenge and a secret key
•
Secure Sockets Layer: The leading security protocol on the Internet.
When an SSL session is initiated, the browser sends its public key to the
server so that the server can securely send a secret key to the browser. The
browser and server exchange data via secret key encryption during that
session. Originally developed by Netscape, SSL has since been merged
with other protocols and authentication methods by the Internet
Engineering Task Force (IETF) into a new protocol known as Transport
Layer Security (TLS)
Single Factor Authentication – Products
Defined
•
Digital Signatures: An electronic signature that cannot be forged. It is a
computed digest of the text that is encrypted and sent with the text
message. The recipient decrypts the signature and recomputes the digest
from the received text. If the digests match, the message is authenticated
and proved intact from the sender
•
Kerberos: An MIT-developed user authentication system. While it does
not provide authorization to services or databases, Kerberos does establish
identity at logon, which is used throughout the session
•
Firewall: A security barrier set up between a company's internal systems
and externally facing systems that filters out unwanted data packets. It can
be implemented in a single router, or it may use a combination of
technologies in routers and hosts
•
Virtual Private Networks: VPNs use encryption in the lower protocol
layers to provide a secure connection through an otherwise insecure
network, typically the Internet. VPNs are generally cheaper than real
private networks using private lines, but do require that the same
encryption system be at both ends. Encryption may be performed by
firewall software or by routers
Single Factor Authentication – Drawbacks
•
Individually, any one of these approaches has its limitations. "Something
you have" can be stolen, while "Something you know" can be guessed,
shared or lost to other methods. "Something you are" is generally the
strongest approach, but can be costly to implement and remains vulnerable
to attack
Two Factor Authentication - Defined
•
Given the limitations of single-factor authentication, the logical alternative
is two-factor authentication, in which two of the methods are applied in
tandem. A perfect example is the system employed to authenticate
automated teller machine (ATM) users, which blends a magnetic-strip card
(what you have) with a multi-digit PIN (what you know)
•
Any one type of authentication may authorize access, but using two types
moves toward the control concept of non-repudiation; not only can you
prove your identity and gain access to a resource, but you cannot deny
accessing the resource at a later time. We define "strong user
authentication" as the two-factor method described above
Need for Strong Authentication
•
There are three essential reasons why an organization my decide to use
strong authentication:
1.
The cost associated with loss of unauthorized data is usually the most
compelling reason to use strong authentication. Strong
authentication should be used in the case of high risk data while it
may not pay to use strong authentication for low risk data
2.
A corporation could be held liable for an attack by a hacker. The loss
of money and public confidence in this scenario will be great. Use of
strong authentication techniques greatly minimizes this risk
3.
The authentication tool should be capable of evolving as technology
and threat changes. Therefore, in investing in a strong authentication
tool it is essential to acquire one that can change as technology
advances
Strong Authentication – Smart Cards
•
Smart cards are one way to provide strong authentication of users.
The card itself is the item that the user must possess. The second
factor may be a PIN, a password, or even a thumbprint. Various
existing systems have used all of these
•
Authentication becomes even more rigorous by requiring a
functional correlation between the two factors. The contents of the
smart card cannot be accessed unless the value of the second factor is
read by the smart card from the reading device. Specifically, when a
user presents a smart card to a reading device such as a computer, the
computer reads the PIN (or other second factor) and writes it to the
smart card. Only if the PIN matches will the smart card allow the
other information it contains to be accessed by the computer
•
The most important information passed by the smart card to the
computer is, of course, the identity of the user. When the computer
receives that identity, the authentication is complete
Strong Authentication – Digital Certificates
•
One of the core enabling security technologies is public key
infrastructure (PKI). PKI is based on certificates provided to
individuals through a registration process. The validity of stored
information is consistently validated and supported by the
infrastructure
•
One of the biggest obstacles to e-commerce expansion is how to
prove the identity of an individual over networks and electronic
services. Electronic service providers and financial institutions are
embracing strong authentication and PKI technology as a key enabler
•
Certificates allow individual users, workstations and servers to
identify themselves to each other, by digital signing of e-mail
messages, software source files, secure Web communications, and
Web site. This key enabling technology allows for strong
authentication
Strong Authentication – Biometrics
•
Automated biometrics in general, and fingerprint technology in
particular, can provide a much more accurate and reliable user
authentication method
•
Biometrics is a rapidly advancing field that is concerned with
identifying a person based on his or her physiological or behavioral
characteristics. Examples of automated biometrics include
fingerprint, face, iris scan, and speech recognition (voice print)
•
As a biometric property is an intrinsic property of an individual, it is
difficult to duplicate and nearly impossible to share
•
Finally, a biometric property of an individual can be lost only in case
of serious accident
Authentication – Selection process
•
In selecting a method of authentication an organization has to bear in
mind the following four aspects
1.
the desired level of security (of importance in case of a dispute,
based on the value of the data to be protected)
2.
the complexity of the used techniques (necessary computer
power, speed, maturity of technology, scalability of technology)
3.
the practicality of the used methods (cumbersome update, key
distribution)
4.
the assumption underlying the solution
5.
failure rates
User Authentication - Summary
•
The security of e-Business depends upon the ability to both prevent
malicious attacks and track unintentionally unauthorized acts
•
Many e-Business leaders assume that their systems are secure
because they are using a security product such as firewalls within
their infrastructure. This is a false sense of security
•
Information security is only as strong as its weakest link.
Implementing simple security or no authentication, may provide
hackers a weak "backdoor" from which to compromise network
defenses
•
User authentication,especially strong user authentication, in
combination with the other technologies, can help create user
accountability, confidentiality and a reliable audit trail, and help
ensure the security of e-Business
eds.com
Contact information for Global Information Assurance Services:
Katherine Hollis
703-736-4156
Download