Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 8: Authentication

Objectives
• Define authentication.
• Describe the different types of authentication credentials.
• List and explain the authentication models.
• Define authentication servers and present Kerberos.

Definition of Authentication
Authentication can be defined in two contexts:
– The first is viewing authentication as it relates to access control.
– The second is to look at it as one of the three key elements of security: Authentication, Authorization, and Accounting.

Authentication and Access Control Terminology
Access control is the process by which resources or services are granted or denied. It is composed of four steps:
1. Identification: the presentation of credentials or identification.
2. Authentication: the verification of the credentials to ensure that they are genuine (authentic) and not fabricated.
3. Authorization: granting permission for admittance (permission to enter).
4. Access: the right to use specific resources.

Authentication, Authorization, and Accounting (AAA)
Information security rests on three key pillars (AAA) that determine who the user is (Authentication), what the user can do (Authorization), and what the user did (Accounting).
• Authentication
  – Provides a way of identifying a user.
  – Controls access by requiring valid user credentials.
• Authorization (Access Control)
  – Determines whether the user has the authority to carry out certain tasks (e.g. which resources or services a user is permitted to use).
  – Often defined as the process of enforcing policies.

Authentication, Authorization, and Accounting (AAA) (continued)
• Accounting (Auditing)
  – Measures the resources a user "consumes" during each network session (e.g. records when a session begins and ends, and which services are used).
  – Recorded accounting information can then be used in different ways:
    • To find evidence of problems.
    • For billing.
    • For planning.

Authentication, Authorization, and Accounting (AAA) (continued)
AAA servers
– Servers dedicated to performing AAA functions.
– Can provide significant advantages in a network.

Authentication Credentials
Types of authentication, or authentication credentials, can be classified into three main categories:
• What the user knows (passwords).
• What the user has (token, key, proximity card).
• What the user is (standard/behavioral/cognitive biometrics).

One-Time Passwords
Standard passwords are the most common form of authentication credentials, and are typically static in nature.
One-time passwords (OTP)
– Dynamic passwords that change frequently.
– Systems using OTPs generate a unique password on demand that is not reusable.
– The most common type is the time-synchronized OTP, used in conjunction with a token (a small device).
  • The token and a corresponding authentication server share the same algorithm.
  • The algorithm is different for each user's token.

One-Time Passwords (continued): figure slides, no text

One-Time Passwords (continued)
There are several variations of OTP systems, such as challenge-based OTPs.
– The authentication server displays a challenge (a random number) to the user.
– The user then enters the challenge number into the token,
  • which then executes a special algorithm to generate a password.
– Because the authentication server has this same algorithm, it can also generate the password and compare it against the one entered by the user.

Standard Biometrics
Standard biometrics uses a person's unique characteristics (e.g. fingerprints, faces, hands, retinas) for authentication.
Fingerprint scanners are the most common type of standard biometric device, and come in two types:
– Static fingerprint scanner
– Dynamic fingerprint scanner
Disadvantages of standard biometrics:
– Costs
– Readers are not always foolproof.

Standard Biometrics (continued): figure, static fingerprint scanner

Standard Biometrics (continued): figure, dynamic fingerprint scanner

Behavioral Biometrics
Behavioral biometrics authenticates by the normal actions that the user performs. The most promising behavioral biometrics are:
− Keystroke dynamics
− Voice recognition
− Computer footprinting

Behavioral Biometrics (continued)
Keystroke dynamics
– Attempts to recognize a user's unique typing rhythm.
– Keystroke dynamics uses two unique typing variables:
  • Dwell time: the time it takes for a key to be pressed and then released.
  • Flight time: the time between keystrokes (both "down", when the key is pressed, and "up", when the key is released, are measured).
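Going back to the one-time password slides above: the following Python code is an added example, not from the textbook, that derives a time-synchronized OTP and a challenge-based OTP from a per-token secret shared with the authentication server, and shows the server side checking that a code matches, that a used code cannot be replayed, and that each challenge is answered only once. The secret, the 30-second window and the HMAC truncation are assumptions for this illustration, modelled on the RFC 4226/6238 algorithms rather than on any particular vendor token.

```python
import hashlib, hmac, secrets, struct

# Constructed per-token secret: provisioned into the token and the
# authentication server at enrollment; it never travels over the network.
TOKEN_SECRET = b"constructed-demo-secret-for-user-alice"
STEP = 30  # seconds per time window (an assumption, as in RFC 6238)

def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 style dynamic truncation: take 31 bits from the HMAC output."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def time_otp(secret: bytes, now: int) -> str:
    """Time-synchronized OTP: token and server both derive it from the window number."""
    return _truncate(hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest())

def challenge_otp(secret: bytes, challenge: int) -> str:
    """Challenge-based OTP: the token mixes the server's random challenge with its secret."""
    return _truncate(hmac.new(secret, struct.pack(">Q", challenge), hashlib.sha1).digest())

class OtpServer:
    def __init__(self, secret: bytes, skew_windows: int = 1):
        self.secret = secret
        self.skew = skew_windows      # tolerate small clock drift between token and server
        self.last_window = -1         # newest window already accepted: blocks replay of a used code
        self.pending = set()          # challenges issued but not yet answered

    def verify_time_otp(self, code: str, now: int) -> bool:
        window = now // STEP
        for w in range(window - self.skew, window + self.skew + 1):
            if w <= self.last_window:
                continue              # a code from this window was already consumed
            if hmac.compare_digest(time_otp(self.secret, w * STEP), code):
                self.last_window = w
                return True
        return False

    def issue_challenge(self) -> int:
        challenge = secrets.randbelow(10 ** 8)
        self.pending.add(challenge)
        return challenge

    def verify_challenge(self, challenge: int, code: str) -> bool:
        if challenge not in self.pending:
            return False              # unknown or already-answered challenge
        self.pending.discard(challenge)   # one answer per challenge
        return hmac.compare_digest(challenge_otp(self.secret, challenge), code)
```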
Behavioral Biometrics (continued): figure slides, no text

Behavioral Biometrics (continued)
Voice recognition
– Used to authenticate users based on the unique characteristics of a person's voice (e.g. the size of the user's head and the user's age).
– Phonetic cadence
  • Speaking two words together in a way that one word "bleeds" into the next word.
  • Becomes part of each user's speech pattern.
Computer footprint
– When and from where a user normally accesses a system.

Cognitive Biometrics
Cognitive biometrics is related to the perception, thought process, and understanding of the user.
– Considered to be much easier for the user to remember because it is based on the user's life experiences, which makes it very difficult for an attacker to imitate.
Examples of cognitive biometrics:
– One example is based on a life experience that the user remembers.
– Another example requires the user to identify specific faces.

Cognitive Biometrics (continued): figure slide, no text

Authentication Models
Authentication credentials can be combined to provide extended security, hence creating different authentication models.
Single and multi-factor authentication
– One-factor authentication
  • Uses only one authentication credential.
– Two-factor authentication
  • Enhances security, particularly if different types of authentication credentials are used.
– Three-factor authentication
  • Requires that a user present three different types of authentication credentials.
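Returning to the keystroke dynamics slide above, here is a worked example, added here and not from the textbook, of the two variables it defines: it derives dwell time and flight time from raw key-down/key-up events, enrolls a profile from several typings of the same passphrase, and scores a new attempt against that profile. The event format, the averaging profile, the synthetic samples and the decision threshold are simplifying assumptions; commercial products use richer models and tune the threshold on measured false-accept and false-reject rates.

```python
from statistics import mean

def timing_features(events):
    """Turn raw key events into the two variables from the slide.
    events: list of (key, action, time_ms) with action "down" or "up", in time order."""
    presses, pending_down = [], {}
    for key, action, t in events:
        if action == "down":
            pending_down[key] = t
        elif action == "up" and key in pending_down:
            presses.append((key, pending_down.pop(key), t))   # (key, down_time, up_time)
    dwell = [up - down for _, down, up in presses]            # press -> release of one key
    flight = [presses[i + 1][1] - presses[i][2] for i in range(len(presses) - 1)]  # release -> next press
    return dwell, flight

def enroll(samples):
    """Build a profile: average each dwell and flight time over several typings of the same passphrase."""
    feats = [timing_features(s) for s in samples]
    dwell = [mean(f[0][i] for f in feats) for i in range(len(feats[0][0]))]
    flight = [mean(f[1][i] for f in feats) for i in range(len(feats[0][1]))]
    return dwell, flight

def score(profile, events):
    """Mean relative deviation of an attempt from the profile (lower = more like the enrolled user)."""
    dwell, flight = timing_features(events)
    prof_dwell, prof_flight = profile
    if len(dwell) != len(prof_dwell) or len(flight) != len(prof_flight):
        return float("inf")   # different number of keystrokes: cannot be the enrolled passphrase
    deviations = [abs(a - b) / max(abs(b), 1) for a, b in zip(dwell + flight, prof_dwell + prof_flight)]
    return mean(deviations)

THRESHOLD = 0.25   # assumed decision threshold; real systems tune it on false accept/reject rates

def authenticate(profile, events):
    return score(profile, events) < THRESHOLD

def make_sample(passphrase, dwell_ms, flight_ms, start_ms=0):
    """Construct synthetic key events with constant dwell and flight times (test data, not real captures)."""
    events, t = [], start_ms
    for ch in passphrase:
        events += [(ch, "down", t), (ch, "up", t + dwell_ms)]
        t += dwell_ms + flight_ms
    return events
```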
Authentication Models (continued)
Single sign-on
– Identity management
  • Using a single authenticated ID that is shared across multiple networks.
– Federated identity management (FIM)
  • When those networks are owned by different organizations.
  • One application of FIM is called single sign-on (SSO): using one authentication to access multiple accounts or applications.

Authentication Models (continued)
Windows Live ID
– Originally introduced in 1999 as .NET Passport.
– Requires a user to create a standard username and password.
– When the user wants to log into a Web site that supports Windows Live ID, the user is first redirected to the nearest authentication server.
– Once authenticated, the user is given an encrypted, time-limited "global" cookie.

Authentication Models (continued)
Windows CardSpace
– A feature of Windows intended to give users control of their digital identities while helping them manage privacy.
– It allows users to create and use virtual business cards that contain information identifying the user.

Authentication Models (continued): figure slide, no text

Authentication Servers
Authentication can be provided on a network by a dedicated AAA or authentication server. The most common type of authentication server is Kerberos.

Kerberos
Kerberos definition
– An authentication system developed by the Massachusetts Institute of Technology (MIT) to provide authentication between networked users (clients) and services (e.g. a file system server or a remote login server).
– Authentication is achieved through a central server called the Key Distribution Center (KDC). It consists of two parts:
  • Authentication Server (AS): issues Ticket Granting Tickets (TGTs).
  • Ticket Granting Server (TGS): issues service tickets.
– Tickets contain specific user information and restrict what a user can do.
– Tickets expire after a few hours or a day.

Kerberos Architecture (figure): Client, Kerberos KDC (AS and TGS), AS ticket, TGS ticket, Mail Server, Printer Server

Kerberos (continued): figure slide, no text

Kerberos (continued)
Advantages
− Strong authentication.
− Single sign-on (SSO) capability.
Disadvantages
− Single point of failure (centralized KDC).
− The Authentication Server could be compromised.
− A TGT could be stolen to access network services.
− Subject to password guessing.

Summary
• Access control is the process by which resources or services are denied or granted.
• AAA are the basic pillars of security:
  – Authentication: verifying that a person requesting access to a system is who he claims to be.
  – Access control: regulating what a subject can do with an object.
  – Auditing: review of the security settings.

Summary (continued)
• There are three types of authentication methods (what the user knows, has, and is).
• Authentication credentials can be combined to provide extended security.
• Authentication can be provided on a network by a dedicated AAA or authentication server (e.g. Kerberos).
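The AS/TGS exchange from the Kerberos slides above, as an added example that is not from the textbook: the client proves knowledge of its password-derived key to the AS, receives a TGT, trades it at the TGS for a mail-server ticket, and the mail server verifies that ticket with the key it shares with the KDC, rejecting expired, altered or wrong-service tickets. Principal names, keys and lifetimes are constructed, and tickets are HMAC-sealed rather than encrypted, so this shows the ticket flow and expiry checks, not the real wire protocol.

```python
import hashlib, hmac, json

def _seal(key, fields):
    # Simplification: tickets are HMAC-sealed (integrity only); real Kerberos encrypts them.
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def _open(key, ticket, now):
    mac = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, ticket["mac"]):
        raise PermissionError("ticket forged, tampered with, or sealed under another key")
    fields = json.loads(ticket["body"])
    if now >= fields["expires"]:
        raise PermissionError("ticket expired")
    return fields

def derive_key(password): return hashlib.sha256(password.encode()).digest()  # simplified string-to-key
# Constructed long-term keys: the KDC shares one with every user and every service.
KEYS = {"alice": derive_key("correct horse"), "krbtgt": b"demo-tgs-key", "mail": b"demo-mail-key"}

class KDC:
    """Key Distribution Center: Authentication Server (AS) plus Ticket Granting Server (TGS)."""
    TGT_LIFETIME, SVC_LIFETIME = 8 * 3600, 3600   # tickets expire after a few hours
    def as_exchange(self, user, preauth, now):
        """AS: check the user's password-derived key (timestamp MAC), then issue a TGT."""
        expected = hmac.new(KEYS[user], str(now).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, preauth):
            raise PermissionError("pre-authentication failed")
        return _seal(KEYS["krbtgt"], {"user": user, "svc": "krbtgt", "expires": now + self.TGT_LIFETIME})
    def tgs_exchange(self, tgt, service, now):
        """TGS: validate the TGT, then issue a service ticket sealed under that service's key."""
        f = _open(KEYS["krbtgt"], tgt, now)
        expires = min(f["expires"], now + self.SVC_LIFETIME)
        return _seal(KEYS[service], {"user": f["user"], "svc": service, "expires": expires})

def client_preauth(password, now):   # sent to the AS in place of the password itself
    return hmac.new(derive_key(password), str(now).encode(), hashlib.sha256).hexdigest()

def service_accepts(service_key, ticket, service, now):
    """Service side: verifies with its own KDC-shared key; returns the user, or None if invalid."""
    try:
        f = _open(service_key, ticket, now)
    except PermissionError:
        return None
    return f["user"] if f["svc"] == service else None

def login_and_read_mail(password, now):
    """Full flow: AS exchange -> TGT -> TGS exchange -> service ticket -> mail server."""
    tgt = KDC().as_exchange("alice", client_preauth(password, now), now)   # raises on a wrong password
    return service_accepts(KEYS["mail"], KDC().tgs_exchange(tgt, "mail", now), "mail", now)
```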