Uploaded by Azeddien Sllame

Day 18: Authentication 2

Security+ 601
Lesson 18: Authentication, Authorization, Accounting
Accounts and AAA
• Each user has at least one account, which is only accessible to
• Four key concepts are:
1) Identification. Users claim an identity with an identifier such as a username.
2) Authentication. Users prove their identity using an authentication method such as a password.
3) Authorization. Users are authorized access to resources, based on their proven identity.
4) Accounting. Logs record activity using the users' claimed identity.
Dr. عزالدين سويسي / Faculty of Information Technology -- University of Tripoli
Understanding Identity and Access Management
• Account management policies often dictate that personnel should not use shared or generic accounts.
• Access control systems include multiple security controls to ensure that users can access the resources they're authorized to use, but no more.
• A user's credentials refer to both a claimed identity and an authentication mechanism.
• At least two entities know the credentials:
1) One entity, such as a user, presents the credentials.
2) The other entity is the authenticator that verifies the credentials.
Understanding Identity and Access Management
• If everyone is anonymous, then everyone has the same access to all resources.
• All of the following use authentication to prove their identities.
• Authentication is needed for:
1. Users
2. Services
3. Processes
4. Workstations
5. Servers
6. All network devices
— Many computers use mutual authentication, where both parties authenticate to each other.
Identification and AAA
• Accounting methods track user activity and record the activity in logs.
— As an example, audit logs track activity, and administrators use them to create an audit trail.
• An audit trail allows security professionals to re-create the events that preceded a security incident.
• Effective access control starts with strong authentication mechanisms, such as the use of robust passwords, smart cards, or biometrics.
— If users can bypass the authentication process, the authorization and accounting processes are ineffective.
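The accounting slide above says that audit logs record activity under the users' claimed identity and that an audit trail lets a responder re-create the events before an incident. The following added example (my own code, not from the lecture) shows the mechanics on a few constructed log lines: parse them, pull out one identity's trail, and flag a burst of failed logins that preceded a success. The log format, hostnames, usernames and addresses are all constructed assumptions for illustration.

```python
# Added example: building an audit trail from accounting (auth) logs.
# The log format and every value in SAMPLE_LOG are constructed for this demo.
import re
from collections import defaultdict

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL) action=(?P<action>\S+)$"
)

# Constructed sample: three failed logins, then a success, then a file read.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn1 auth: user=alice src=203.0.113.5 result=FAIL action=login
2024-03-01T08:00:09Z vpn1 auth: user=alice src=203.0.113.5 result=FAIL action=login
2024-03-01T08:00:20Z vpn1 auth: user=alice src=203.0.113.5 result=FAIL action=login
2024-03-01T08:00:31Z vpn1 auth: user=alice src=203.0.113.5 result=SUCCESS action=login
2024-03-01T08:01:02Z fs1 auth: user=alice src=203.0.113.5 result=SUCCESS action=read:/finance/q1.xlsx
2024-03-01T08:05:00Z vpn1 auth: user=bob src=198.51.100.7 result=SUCCESS action=login
"""


def parse_log(text):
    """Turn raw accounting lines into event dicts; lines that do not match
    the expected format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_trail(events, user):
    """The ordered list of everything recorded under one claimed identity."""
    return [e for e in events if e["user"] == user]


def failed_before_success(events, threshold=3):
    """Map identity -> number of consecutive login failures that immediately
    preceded its first successful login, for identities at or above threshold.
    This is the kind of sequence an incident responder re-creates from the trail."""
    fails = defaultdict(int)
    flagged = {}
    for e in events:
        if e["action"] != "login":
            continue  # only login attempts count toward the failure run
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
        else:
            if fails[e["user"]] >= threshold and e["user"] not in flagged:
                flagged[e["user"]] = fails[e["user"]]
            fails[e["user"]] = 0  # a success ends the run
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in audit_trail(evs, "alice"):
        print(e["ts"], e["host"], e["result"], e["action"])
    print("flagged:", failed_before_success(evs))
```

Because the trail is keyed by the claimed identity, it is only as trustworthy as the authentication step that preceded it, which is the point the next bullet on the slide makes.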
Authentication Factors
• Authentication is often simplified as types, or factors, of authentication.
• To support authentication, administrators implement:
1) One factor of authentication for basic authentication,
2) Two factors for more secure authentication, or more factors for higher security.
• As an introduction, the factors are:
1) Something you know, such as a password or personal identification number (PIN)
2) Something you have, such as a smart card or USB token
3) Something you are, such as a fingerprint or other biometric identification
4) Somewhere you are, such as your location using geolocation technologies
5) Something you do, such as gestures on a touch screen
Authentication Factors
Something You Know
• The something you know authentication factor typically refers to a shared secret, such as a password or even a PIN.
• This factor is the least secure form of authentication.
• You can increase the security of a password by following some simple guidelines.
Something You Have
• The something you have authentication factor refers to something you can physically hold.
• (1) Smart cards
— Provide confidentiality, integrity, authentication, and non-repudiation.
• (2) Personal Identity Verification (PIV) card
— PIV is a specialized type of smart card used by U.S. federal agencies.
— PIV includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users.
Something You Are
• The something you are authentication factor uses biometrics for authentication.
— Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify.
— Passwords are the weakest form of authentication.
• Biometric Methods
— Biometrics use a physical characteristic, such as a fingerprint, for authentication.
— Biometric systems use a two-step process.
— Common biometric methods include:
1) Fingerprint scanner
2) Retina scanner
3) Iris scanner
4) Voice recognition
5) Facial recognition
Somewhere You Are
• The somewhere you are authentication factor identifies a user's location.
• Geolocation is a group of technologies used to identify a user's location and is the most common method used in this factor.
• Many authentication systems use the Internet Protocol (IP) address for geolocation. The IP address provides information on the country, region, state, city, and sometimes even the zip code.
• Location-based policies restrict access based on the location of the user.
• Geolocation technologies can often detect a location using the IP address, and block any traffic from unacceptable addresses, such as from foreign countries.
Something You Do
• The something you do authentication factor refers to actions you can take, such as gestures on a touch screen.
• Other examples of something you do include how you write or how you type.
• As an example, Microsoft Windows 10 supports picture passwords:
1. Users first select a picture.
2. They then add three gestures as their picture password.
3. Gestures include tapping in specific places on the picture, drawing lines between items with a finger, or drawing a circle around an item such as someone's head.
4. After registering the picture and their gestures, users repeat these gestures to log on again later.
Dual-Factor and Multifactor Authentication
• Dual-factor authentication (sometimes called two-factor authentication):
1. uses two different factors of authentication, such as something you have and something you know.
2. often uses a smart card and a PIN, a USB token and a PIN, or combines a smart card or hardware token with a password. In each case, the user must have something and know something.
• Multifactor authentication uses two or more factors of authentication.
— For example, you can combine the something you are factor with one or more other factors of authentication.
• Technically, you can call an authentication system using two different factors either dual-factor authentication or multifactor authentication.
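The slides stress that dual-factor authentication needs two *different* factors: a password plus a PIN is still only "something you know". The added example below (my own code, not part of the lecture) makes that check explicit by mapping each presented credential type to its factor and counting distinct factors. The credential names and the FACTOR_OF table are assumptions chosen to mirror the five factors listed on the earlier slide.

```python
# Added example: deciding whether a set of credentials is single-, dual- or
# multifactor. Credential type names in FACTOR_OF are assumptions for this demo.
FACTOR_OF = {
    "password": "something you know",
    "pin": "something you know",
    "smart_card": "something you have",
    "usb_token": "something you have",
    "fingerprint": "something you are",
    "geolocation": "somewhere you are",
    "typing_rhythm": "something you do",
}


def factors_used(credentials):
    """Return the set of distinct factors the presented credential types cover.
    Unknown types are an error rather than silently counted as a factor."""
    unknown = [c for c in credentials if c not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {FACTOR_OF[c] for c in credentials}


def is_multifactor(credentials):
    """True only when at least two different factors are present."""
    return len(factors_used(credentials)) >= 2


def classify(credentials):
    """Label the scheme the way the slide does: two factors is dual-factor
    (and also multifactor); three or more is simply multifactor."""
    n = len(factors_used(credentials))
    if n >= 3:
        return "multifactor"
    if n == 2:
        return "dual-factor (also multifactor)"
    return "single-factor"


if __name__ == "__main__":
    for creds in (["password", "pin"], ["smart_card", "pin"],
                  ["fingerprint", "usb_token", "password"]):
        print(creds, "->", classify(creds), "| factors:", sorted(factors_used(creds)))
```

A policy engine that counts credentials instead of factors would wrongly accept password + PIN as two-factor; counting the set of factors, as above, is the check that matters.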
Identity and Access Services
• An important step when implementing a VPN is to ensure only authorized entities can access it.
— Authorization begins with authentication, and VPNs support multiple methods of authentication.
• The following are the different remote access authentication mechanisms:
(1) Challenge Handshake Authentication Protocol (CHAP). CHAP uses a handshake process where the server challenges the client. The client then responds with appropriate authentication information.
— Microsoft CHAP (MS-CHAP). This is the Microsoft implementation of CHAP, which is used only by Microsoft clients.
Identity and Access Services
• The following are the different remote access authentication mechanisms (continued):
— MS-CHAPv2. MS-CHAP is deprecated in favor of MS-CHAPv2. It includes several improvements, including the ability to perform mutual authentication.
(2) Remote Authentication Dial-In User Service (RADIUS). RADIUS provides a centralized method of authentication for multiple remote access servers. RADIUS encrypts the password packets, but not the entire authentication process.
(3) Terminal Access Controller Access-Control System Plus (TACACS+). TACACS+ is an alternative to RADIUS, but it is proprietary to Cisco Systems. TACACS+ encrypts the entire authentication process, whereas RADIUS encrypts only the password.
Challenge Handshake Authentication Protocol (CHAP)
• The goal of CHAP is to allow the client to pass credentials over a public network (such as a phone line or the Internet) without allowing attackers to intercept the data and later use it in an attack.
• The client and server both know a shared secret (similar to a password) used in the authentication process.
• The client hashes the shared secret after combining it with a nonce (number used once) provided by the server.
• This handshake process is used when the client initially tries to connect to the server, and at different times during the connection.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• MS-CHAP is an improvement over CHAP for Microsoft clients.
• MS-CHAP supported clients as old as Windows 95. Later, Microsoft improved MS-CHAP with MS-CHAPv2.
• A significant improvement of MS-CHAPv2 over MS-CHAP is the ability to perform mutual authentication.
• With mutual authentication, not only does the client authenticate to the server, but the server also authenticates to the client.
• Mutual authentication provides assurances of the server's identity before the client transmits data, which reduces the risk of a client sending sensitive data to a rogue server.
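The CHAP slide says the client hashes the shared secret together with a server-supplied nonce, and the MS-CHAP slide says MS-CHAPv2 adds the server proving itself to the client. The added example below (my own code, not from the lecture) implements the CHAP response exactly as RFC 1994 defines it, MD5 over identifier, secret and challenge, shows why a captured response is useless against a fresh challenge, and then adds a second round in the opposite direction to illustrate mutual authentication. That second round is a generic illustration of the idea only; it is not MS-CHAPv2's actual algorithm. `ChapServer`, the helper names and the secrets are constructed for the demo.

```python
# Added example: CHAP (RFC 1994) challenge/response, replay rejection, and a
# generic mutual-authentication round. Not MS-CHAPv2's real derivation.
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    # RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge).
    # The secret itself never leaves the host; only this hash is sent.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Constructed authenticator: issues one-time challenges and verifies replies."""

    def __init__(self, secret):
        self.secret = secret
        self.ident = 0
        self.outstanding = {}  # identifier -> nonce (number used once)

    def challenge(self):
        self.ident = (self.ident + 1) % 256  # CHAP identifier is one octet
        nonce = os.urandom(16)
        self.outstanding[self.ident] = nonce
        return self.ident, nonce

    def verify(self, identifier, response):
        nonce = self.outstanding.pop(identifier, None)  # each nonce is used once
        if nonce is None:
            return False  # unknown or already-consumed challenge: reject
        expected = chap_response(identifier, self.secret, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_authenticates(server, client_secret):
    """One CHAP round: server challenges, client answers, server checks."""
    ident, nonce = server.challenge()
    return server.verify(ident, chap_response(ident, client_secret, nonce))


def replay_is_rejected(server, client_secret):
    """A response captured on the wire is accepted once and never again,
    because the server consumed that nonce and the next round uses a new one."""
    ident, nonce = server.challenge()
    captured = chap_response(ident, client_secret, nonce)
    first = server.verify(ident, captured)
    second = server.verify(ident, captured)
    return first and not second


def mutual_authentication(server_secret, client_secret):
    """Illustrative two-way round: (server accepted client, client accepted server).
    Generic illustration only; MS-CHAPv2 derives its proofs differently."""
    server = ChapServer(server_secret)
    server_ok_with_client = client_authenticates(server, client_secret)
    # Now the client challenges the server with its own nonce.
    client_nonce = os.urandom(16)
    server_proof = chap_response(1, server_secret, client_nonce)
    client_ok_with_server = hmac.compare_digest(
        server_proof, chap_response(1, client_secret, client_nonce))
    return server_ok_with_client, client_ok_with_server


if __name__ == "__main__":
    s = ChapServer(b"s3cret")
    print("client ok:", client_authenticates(s, b"s3cret"))
    print("replay rejected:", replay_is_rejected(s, b"s3cret"))
    print("mutual:", mutual_authentication(b"shared", b"shared"))
```

The one-time-nonce bookkeeping in `verify` is what delivers the slide's goal of stopping an intercepted response from being "later used in an attack"; without it, CHAP would be no better than sending a static hash.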
Remote Authentication Dial-In User Service (RADIUS)
• RADIUS is a centralized authentication service.
• Instead of each individual VPN server needing a separate database to identify who can authenticate, the VPN servers forward the authentication requests to a central RADIUS server.
• RADIUS can be used as the 802.1x server with WPA2 Enterprise mode.
• The company could use a centralized RADIUS server, as shown in the figure, instead. Each VPN server is configured with a shared secret (similar to a password), and the RADIUS server is configured with a matching shared secret for each of the VPN servers.
Remote Authentication Dial-In User Service (RADIUS)
• The centralized RADIUS server could hold a centralized database of user accounts.
• It is more common for the RADIUS server to access an LDAP server that holds the users' accounts.
— For example, in a Microsoft domain, the RADIUS server would pass the credentials to a domain controller.
— A significant benefit is that there is only one account for each user.
— If a user changes his password, the domain controller knows the new password.
• RADIUS uses UDP, which provides a best-effort delivery mechanism.
— As a result, RADIUS includes logic to detect communication problems.
Remote Authentication Dial-In User Service (RADIUS)
• RADIUS disadvantages:
— (1) RADIUS alternatives use TCP, which provides guaranteed delivery. These alternatives let TCP detect and handle communication issues.
— (2) Also, RADIUS only encrypts the password, while alternatives encrypt the entire authentication process.
RADIUS: Client to Server action
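The RADIUS slides say each VPN server shares a secret with the RADIUS server and that RADIUS "encrypts only the password", not the whole exchange. The added example below (my own code, not from the lecture) implements the User-Password hiding that RFC 2865 section 5.2 specifies: the password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, block by block. Building a minimal Access-Request dictionary shows that User-Name and everything else stay readable on the wire, which is exactly the disadvantage the slide lists. The packet layout is simplified to a dictionary, and the secret, authenticator and password values are constructed for the demo.

```python
# Added example: RFC 2865 User-Password hiding and what remains in the clear.
# Shared secret, authenticator and password values below are constructed.
import hashlib
import os


def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(secret, authenticator, password):
    """Hide a password as the NAS (e.g. a VPN server) does before sending it.
    b1 = MD5(S + RA), c1 = p1 XOR b1, b2 = MD5(S + c1), c2 = p2 XOR b2, ..."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n bytes
    hidden = b""
    prev = authenticator  # the first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        b_i = hashlib.md5(secret + prev).digest()
        c_i = _xor16(padded[i:i + 16], b_i)
        hidden += c_i
        prev = c_i  # later blocks are chained on the previous ciphertext block
    return hidden


def radius_reveal_password(secret, authenticator, hidden):
    """Reverse the chain as the RADIUS server does. Anyone holding the shared
    secret can do this: the hiding is keyed obfuscation, not a secure session."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        c_i = hidden[i:i + 16]
        b_i = hashlib.md5(secret + prev).digest()
        plain += _xor16(c_i, b_i)
        prev = c_i
    return plain.rstrip(b"\x00")  # strip padding (trailing NULs in a password are lost)


def build_access_request(user_name, password, shared_secret):
    """Simplified Access-Request: only User-Password is transformed."""
    ra = os.urandom(16)  # Request Authenticator: fresh random per request
    return {
        "Request-Authenticator": ra,
        "User-Name": user_name,  # sent exactly as typed
        "User-Password": radius_hide_password(shared_secret, ra, password),
    }


def cleartext_attributes(packet):
    """Attribute names an on-path observer reads directly."""
    return sorted(k for k in packet if k != "User-Password")


if __name__ == "__main__":
    pkt = build_access_request("alice", b"hunter2", b"vpn1-shared-secret")
    print("in the clear:", cleartext_attributes(pkt))
    print("hidden password (hex):", pkt["User-Password"].hex())
```

Because the keystream depends only on the shared secret and a value carried in the packet itself, the strength of this hiding rests entirely on each VPN server's shared secret being long, random and unique, which is why the earlier slide has the RADIUS server hold a separate secret per VPN server.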
Terminal Access Controller Access-Control System Plus (TACACS+)
• TACACS+ is the Cisco alternative to RADIUS.
• TACACS+ provides two important security benefits over RADIUS:
1) TACACS+ encrypts the entire authentication process, whereas RADIUS encrypts only the password.
2) TACACS+ uses multiple challenges and responses between the client and the server.
• Although TACACS+ is proprietary to Cisco, it can interact with Kerberos. This allows a Cisco VPN concentrator to interact in a Microsoft Active Directory environment.
• Microsoft Active Directory uses Kerberos for authentication.
• Organizations also use TACACS+ as an authentication service for network devices.
• TACACS+ can be used to authenticate users before they are able to access a configuration page for a router or a switch.
• The network devices must be TACACS+ enabled, and a TACACS+ server provides the authentication services.