
Authentication Applications

Prepared By

Mahmoud Dalloul

Wisam Abu Karsh

Nidal El-Borbar

Supervised By: Ms. Eman Alajrami

Information Security Principles

University of Palestine

Outlines:

Part “01” By (Nidal El-Borbar)

Introduction

Types of Authentication

Applications and Authentication

Part “02” By (Mahmoud Dalloul)

Kerberos
• Introduction to Kerberos
• Why Kerberos is needed?
• Requirements for KERBEROS
• Versions of KERBEROS

Part “03” By (Wisam Abu Karsh)

Authentication web site

Part “01”: Introduction:

Authentication is the act of establishing identity via the presentation of information that allows the verifier to know the presenter is who or what it claims. This identity could be any number of things, including:
• People
• Systems
• Applications
• Messages

Types of Authentication

There are many different types of authentication that can be used in an application. The selection of the most appropriate type of authentication will depend on the needs of the application; use this guide to determine which makes the most sense for your application.

1. Basic, single-factor authentication

2. Multi-factor authentication

3. Cryptographic authentication

1. Basic authentication

Basic authentication is a commonly used term that most people probably understand already. It refers to password-based authentication. A password can be any information that is used to verify the identity of a presenter. Common examples that fall into this category are:
• The common password
• Host or system names
• Application names
• Numerical IDs

2. Multi-Factor Authentication

Multi-factor authentication is the use of a combination of authentication methods to validate identity. The most commonly used description of multi-factor authentication is the use of information that is known only by the person, combined with something in his or her possession. These are typically:
• The name and password
• Some form of token

Note/ Some form of token

A token is a hardware component that is used during the authentication process; it typically provides another piece of information that cannot be ascertained without physical control of the token. Different types of tokens used in multi-factor authentication are:
• Smart cards
• One-time passwords/phrases
• Single-use PINs or pseudo-random numbers
• Biometric information

Multi-factor authentication provides the following additional benefits:
• Difficult to spoof and impersonate
• Easy to use

3. Cryptographic Authentication

The final form of authentication outlined here is that which utilizes cryptography. This includes the following forms:
• Public Key Authentication
• Digital Signatures
• Message Authentication Code
• Password permutation

Applications and Authentication

Now that the overview of various authentication methods has been outlined, you can take a look at its use in applications. The following application-specific areas will be covered:

1) Identifying what needs authentication

2) Choosing the appropriate authentication method(s)

3) Guidelines for implementing authentication

1. Identifying the Need for Authentication

The following questions help the application designer and developer understand whether there is a need for authentication within their application:
• Are there multiple users or applications that will interact with the application in question?
• If multiple entities are expected, will they all access exactly the same data, configuration, and information, or will each have its own set of information, regardless of how small?
• Is the application running in a completely closed and trusted area, wherein there is no person, system, or application that will access it from untrusted parts, such as the Internet, other networks, or unknown applications?
• Is there a concept of privileged information or functionality and the separation or isolation of this within the application?

If the answer to any of these questions is "yes," authentication is needed within the application.

2. Choosing the Appropriate Authentication Methods

Internal or local service-based authentication

Local Authentication

There are several reasons, or combinations of reasons, that may warrant implementation of local, internal authentication within an application:
• Stand-alone application
• No or intermittent communication capabilities
• Limited, small, or embedded applications
• Restricted application resources

External service-based authentication and integration

It is often desirable that an application co-exist with other applications and share common information, including authentication information. These include:
• LDAP: Lightweight Directory Access Protocol
• Active Directory
• NIS/NIS+: Network Information Service
• Kerberos (which Mahmoud Dalloul will talk about)

3. Guidelines for Implementation

This section covers some general guidelines that are helpful during implementation of authentication services. The guidelines are organized into the following sections:
• Approaches to sensitive data
• Security strength versus business factors
• Usability

When deciding on an authentication mechanism, the natural pressures of deliverables, schedules, and customers can cause difficult decisions that often leave security out of the picture. The following table provides an easy comparison of the following aspects:
• Ease of implementation: This is how simple or complex the implementation can be, taking into consideration the availability of libraries and standards.
• Ease of management: The complexity of managing the authentication environment, considering users, addition and removal of users, and updating of credentials.
• Ease of deployment: The complexity of deploying the authentication technology across simple and advanced environments, considering hardware and software requirements.
• Strength: The overall security strength, considering methods of attack and compromise, inherent weaknesses, and scalability over large environments.

End Of Part “01”

Part “02”: Introduction to Kerberos

An authentication service developed for Project Athena at MIT

Provides strong security on a physically insecure network

A centralized authentication server which authenticates:

Users to servers

Servers to users

Relies on conventional encryption rather than public-key encryption

Why Kerberos is needed?

Problem: workstations cannot be trusted to identify their users correctly in an open distributed environment

3 Threats:

Pretending to be another user from the workstation

Sending requests from an impersonated workstation

Replay attacks to gain service or disrupt operations

Why Kerberos is needed? Cont.

Solution:

Building elaborate authentication protocols at each server

A centralized authentication server (Kerberos)

Requirements for KERBEROS

Secure: An opponent does not find it to be the weak link

Reliable: The system should be able to back up another

Transparent: A user should not be aware of authentication

Scalable: The system supports a large number of clients and servers

Versions of KERBEROS

Two versions are in common use

Version 4 is the most widely used version

Version 4 uses DES

Version 5 corrects some of the security deficiencies of Version 4

Version 5 has been issued as a draft Internet Standard (RFC 1510)

Kerberos 4 Overview

a basic third-party authentication scheme
uses DES buried in an elaborate protocol

Authentication Server (AS)
user initially negotiates with AS to identify self
AS provides a non-corruptible authentication credential (ticket-granting ticket TGT)

Ticket Granting Server (TGS)
users subsequently request access to other services from TGS on the basis of the user's TGT
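The AS and TGS steps just described, modelled as an added example that is not from the presentation: the AS issues a TGT sealed under the TGS key together with a session key, the client seals an authenticator under that session key, and the TGS refuses expired tickets, authenticators that do not match the ticket, stale authenticators and replayed ones (the three threats listed above). Assumptions: AES-256-GCM stands in for DES, JSON encodes the ticket fields, the ticket lifetime is 300 s and the authenticator window 60 s, and the E_Kc wrapping of the AS reply under the user's password-derived key is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Ticket is the TGT payload E_Ktgs[Kc,tgs, IDc, TS, lifetime] of the v4 protocol.
type Ticket struct {
	SessionKey []byte
	ClientID   string
	Issued     int64 // Unix seconds
	Lifetime   int64 // seconds
}

// Authenticator is E_Kc,tgs[IDc, TS]; the client seals a fresh one under the session key for every request.
type Authenticator struct{ ClientID string; TS int64 }

// seal and open stand in for the DES of Kerberos v4 with AES-256-GCM (assumption: only the cipher differs).
func seal(key []byte, v interface{}) []byte {
	pt, _ := json.Marshal(v)
	block, _ := aes.NewCipher(key) // every key in this example is 32 bytes, so no error is possible here
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return append(nonce, gcm.Seal(nil, nonce, pt, nil)...)
}

func open(key, ct []byte, v interface{}) error {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(ct) < n { return errors.New("ciphertext too short") }
	pt, err := gcm.Open(nil, ct[:n], ct[n:], nil) // a forged or edited ticket fails here
	if err != nil { return errors.New("wrong key or tampered ciphertext") }
	return json.Unmarshal(pt, v)
}

func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// KDC plays both AS and TGS; seen is the replay cache of authenticators already accepted.
type KDC struct{ tgsKey []byte; seen map[Authenticator]bool }

func NewKDC() *KDC { return &KDC{newKey(), map[Authenticator]bool{}} }

// IssueTGT is the AS step: a fresh session key Kc,tgs and a TGT sealed under Ktgs that only the TGS can read.
// (In real v4 both travel to the client sealed under the password-derived key Kc; that wrapping is omitted.)
func (k *KDC) IssueTGT(clientID string, now time.Time) (sessionKey, tgt []byte) {
	sessionKey = newKey()
	return sessionKey, seal(k.tgsKey, Ticket{sessionKey, clientID, now.Unix(), 300})
}

// TGSCheck is what the TGS verifies before issuing a service ticket; it returns the proven client identity.
func (k *KDC) TGSCheck(tgt, auth []byte, now time.Time) (string, error) {
	var t, a = Ticket{}, Authenticator{}
	if err := open(k.tgsKey, tgt, &t); err != nil { return "", err }
	if err := open(t.SessionKey, auth, &a); err != nil { return "", err } // needs Kc,tgs, not just the ticket
	switch d := now.Unix() - a.TS; {
	case now.Unix() > t.Issued+t.Lifetime: return "", errors.New("ticket expired")
	case a.ClientID != t.ClientID: return "", errors.New("authenticator does not match ticket") // stolen ticket
	case d > 60 || d < -60: return "", errors.New("authenticator not fresh")
	case k.seen[a]: return "", errors.New("replayed authenticator")
	}
	k.seen[a] = true
	return t.ClientID, nil
}
```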

Kerberos Realms

a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with the server
application servers, sharing keys with the server

this is termed a realm
typically a single administrative domain

if there are multiple realms, their Kerberos servers must share keys and trust

Kerberos Version 5

developed in the mid 1990s

provides improvements over v4
addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
and technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks

specified as Internet standard RFC 1510

End Of Part “02”

Part “03”: Authentication web site

Introduction

Authentication on a web site contains two parts:

1. Internet Information Server (IIS).

2. ASP.NET.

Internet Information Server (IIS)

IIS authentication:

IIS is a server software program. There are four types of authentication mechanisms used by the IIS server:

1. Anonymous authentication
2. Basic authentication
3. Integrated Windows authentication
4. Digest authentication

Anonymous authentication

1- The default mechanism used by the IIS server.

2- Allows a user to browse web applications without entering a user name and password.

Basic authentication

This form of authentication needs a user name and password, but the password is sent without encryption, so it is not secure and is easily penetrated.

Integrated Windows authentication

This form of authentication requires that the user have the right to log in within the scope of Windows 2000.

It is preferably used in (B2B) web applications where the number of users is relatively small.

Digest authentication

This mechanism is quite like Basic authentication, but it is secure because the password is sent encrypted.

ASP.NET

Forms authentication

Passport authentication

Windows authentication

Forms authentication

This mechanism relies on a registration (login) form, which can be accessed at any time when the user needs to sign in. When more privacy is required, for example if you want to buy something from the application, you are redirected to the login form, and after a successful login you are redirected back to the page you visited first.

Passport authentication

A service provided by Microsoft for web sites such as MSN and Hotmail, which a site can subscribe to after signing a contract with the company. This authentication is used as follows:

1. When the application requires user authentication, the user is redirected to the Passport login service; details of the requesting application are also passed to the service automatically.

2. After a successful login, the user is returned to the original application that requested it. The steps are similar to the Forms authentication mechanism, but differ in that the service may pass the encrypted user authentication to the ASP.NET application. To use this service, the Passport SDK must be downloaded.

Windows authentication

A mechanism in which user authentication is based on the scope of login rights (Windows 2000).

Authentication Procedures:

Three alternative authentication procedures:

One-Way Authentication

Two-Way Authentication

Three-Way Authentication

All use public-key signatures

One-Way Authentication:

1 message (A->B) used to establish:
the identity of A and that the message is from A
the message was intended for B
integrity & originality of the message

1- A -> B: {ta,ra,B,sgnData,KUb[Kab]}

ta = timestamp, ra = nonce, B = identity, sgnData = signed with A’s private key

Two-Way Authentication

2 messages (A->B, B->A) which also establish, in addition:
the identity of B and that the reply is from B
that the reply is intended for A
integrity & originality of the reply

1- A -> B: {ta,ra,B,sgnData,KUb[Kab]}

2- B -> A: {tb,rb,A,sgnData,KUa[Kab]}

Three-Way Authentication

3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks

1- A -> B: {ta,ra,B,sgnData,KUb[Kab]}

2- B -> A: {tb,rb,A,sgnData,KUa[Kab]}

3- A -> B: {rb}
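The three procedures above, worked as an added example that is not part of the presentation: each message carries a timestamp (zero when clocks are not used), the sender's nonce, the intended recipient and, in messages 2 and 3, the peer's nonce echoed back, all under the sender's signature. Assumptions: Ed25519 signatures in place of the unspecified public-key scheme, the Token and Party types, 16-byte nonces and a 5-minute timestamp window are mine, and the KUb[Kab] session-key field is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strconv"
	"time"
)

// Token is one X.509 message {t, r, dest, sgnData}; the KUb[Kab] session-key field is left out here.
type Token struct {
	T    int64  // timestamp ta/tb in Unix seconds, 0 when clocks are not used (three-way)
	R    []byte // sender's nonce ra/rb
	Dest string // identity of the intended recipient
	Echo []byte // the peer's nonce being returned (messages 2 and 3)
	Sig  []byte // signature over T, R, Dest, Echo with the sender's private key
}

func (m *Token) signedData() []byte {
	return bytes.Join([][]byte{[]byte(strconv.FormatInt(m.T, 10)), m.R, []byte(m.Dest), m.Echo}, []byte{0})
}

// Party is A or B: identity, Ed25519 key pair, and the last nonce it sent (to check the echo).
type Party struct{ ID string; Pub ed25519.PublicKey; priv ed25519.PrivateKey; nonce []byte }

func NewParty(id string) *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{ID: id, Pub: pub, priv: priv}
}

// Send builds a signed message for dest: a fresh 16-byte nonce, an optional timestamp, the peer nonce to echo.
func (p *Party) Send(dest string, t int64, echo []byte) *Token {
	p.nonce = make([]byte, 16)
	rand.Read(p.nonce)
	m := &Token{T: t, R: p.nonce, Dest: dest, Echo: echo}
	m.Sig = ed25519.Sign(p.priv, m.signedData())
	return m
}

// Verify checks signature, intended recipient, timestamp age (when present) and, if expectEcho, our own nonce.
func (p *Party) Verify(m *Token, senderPub ed25519.PublicKey, maxAge time.Duration, expectEcho bool) error {
	if !ed25519.Verify(senderPub, m.signedData(), m.Sig) { return errors.New("bad signature: wrong sender or modified") }
	if m.Dest != p.ID { return errors.New("message not intended for " + p.ID) }
	if m.T != 0 && time.Since(time.Unix(m.T, 0)) > maxAge { return errors.New("stale timestamp, possible replay") }
	if expectEcho && !bytes.Equal(m.Echo, p.nonce) { return errors.New("nonce mismatch, possible replay") }
	return nil
}

// OneWay: a single A->B message with a timestamp, so B's clock must be roughly in sync with A's.
func OneWay(a, b *Party) error {
	return b.Verify(a.Send(b.ID, time.Now().Unix(), nil), a.Pub, 5*time.Minute, false)
}

// TwoWay adds B->A, proving B's identity and that the reply answers A's nonce ra.
func TwoWay(a, b *Party) error {
	m1 := a.Send(b.ID, time.Now().Unix(), nil)
	if err := b.Verify(m1, a.Pub, 5*time.Minute, false); err != nil { return err }
	return a.Verify(b.Send(a.ID, time.Now().Unix(), m1.R), b.Pub, 5*time.Minute, true)
}

// ThreeWay drops the timestamps (T = 0); A returns B's nonce rb in message 3 instead.
func ThreeWay(a, b *Party) error {
	m1 := a.Send(b.ID, 0, nil)
	if err := b.Verify(m1, a.Pub, 0, false); err != nil { return err }
	m2 := b.Send(a.ID, 0, m1.R)
	if err := a.Verify(m2, b.Pub, 0, true); err != nil { return err }
	return b.Verify(a.Send(b.ID, 0, m2.R), a.Pub, 0, true)
}
```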

End Of Part “03”


Thank You

With our best wishes.