Security+ Guide to Network Security Fundamentals, Third Edition, Chapter 8: Authentication (slide transcript)

Page 1: Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 8: Authentication

Page 2: Objectives

• Define authentication.
• Describe the different types of authentication credentials.
• List and explain the authentication models.
• Define authentication servers and present Kerberos.

Page 3: Definition of Authentication

• Authentication can be defined in two contexts:
  – The first is viewing authentication as it relates to access control.
  – The second is to look at it as one of the three key elements of security: Authentication, Authorization, and Accounting.

Page 4: Authentication and Access Control Terminology

• Access control is the process by which resources or services are granted or denied. It is composed of four steps:
  1. Identification: the presentation of credentials or identification.
  2. Authentication: the verification of the credentials to ensure that they are genuine (authentic) and not fabricated.
  3. Authorization: granting permission for admittance (permission to enter).
  4. Access: the right to use specific resources.

Page 5: Authentication, Authorization, and Accounting (AAA)

• Information security rests on three key pillars (AAA) that determine who the user is (Authentication), what the user can do (Authorization), and what the user did (Accounting).
• Authentication
  – Provides a way of identifying a user.
  – Controls access by requiring valid user credentials.
• Authorization (Access Control)
  – Determines whether the user has the authority to carry out certain tasks (e.g. which resources or services a user is permitted to use).
  – Often defined as the process of enforcing policies.

Page 6: Authentication, Authorization, and Accounting (AAA)

• Accounting (Auditing)
  – Measures the resources a user "consumes" during each network session (e.g. records when the session begins and ends and which services are used).
  – Recorded accounting information can then be used in different ways:
    • To find evidence of problems.
    • For billing.
    • For planning.

Page 7: Authentication, Authorization, and Accounting (AAA) (continued)

• AAA servers
  – Servers dedicated to performing AAA functions.
  – Can provide significant advantages in a network.

Page 8: Authentication Credentials

• Types of authentication, or authentication credentials, can be classified into three main categories:
  • What the user knows (passwords).
  • What the user has (token, key, proximity card).
  • What the user is (standard/behavioral/cognitive biometrics).

Page 9: One-Time Passwords

• Standard passwords are the most common form of authentication credentials, and are typically static in nature.
• One-time passwords (OTP)
  – Dynamic passwords that change frequently.
  – Systems using OTPs generate a unique password on demand that is not reusable.
  – The most common type is the time-synchronized OTP, used in conjunction with a token (a small device).
    • The token and a corresponding authentication server share the same algorithm.
    • Each user's token has its own version of the algorithm.

Page 10: One-Time Passwords (continued) [figure only]

Page 11: One-Time Passwords (continued) [figure only]

Page 12: One-Time Passwords (continued)

• There are several variations of OTP systems, such as challenge-based OTPs.
  – The authentication server displays a challenge (a random number) to the user.
  – The user then enters the challenge number into the token,
    • which then executes a special algorithm to generate a password.
  – Because the authentication server has this same algorithm, it can also generate the password and compare it against the one entered by the user.
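The two OTP variants on slides 9 and 12 (time-synchronized and challenge-based) share one keyed algorithm, so the example below, which is added here and is not code from the textbook, implements both on top of HMAC-based OTP (RFC 4226) and its time-based form TOTP (RFC 6238). What the token and server share is the algorithm; what makes each user's token different is its secret seed. The `OtpServer` class, the user name "alice" and the replay-tracking design are constructed for the demo; the seed `12345678901234567890` is the test seed published in the RFCs, so the codes can be checked against them. The server side also shows the two checks a practitioner expects: a small tolerance for clock drift, and a record of the last accepted time step so a captured code cannot be used twice.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    Token and server run this same algorithm; what differs per user is the
    secret seed stored in that user's token.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized OTP (RFC 6238): the counter is the current 30-second step."""
    return hotp(seed, unix_time // step, digits)


class OtpServer:
    """Server side of a time-synchronized OTP scheme (constructed for this demo).

    Keeps each user's seed and the last time step it accepted, so a code that
    was already used, or one older than the last accepted code, is rejected:
    the password is genuinely not reusable.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.seeds = {}            # user -> token seed (demo storage, not a real vault)
        self.last_step = {}        # user -> highest time step already accepted

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed
        self.last_step[user] = -1

    def verify(self, user: str, submitted: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        base = unix_time // self.step
        # Tolerate a little clock drift between token and server ...
        for skew in range(-self.window, self.window + 1):
            step = base + skew
            if step <= self.last_step[user]:
                continue           # ... but never accept a step already consumed
            expected = hotp(seed, step, self.digits)
            if hmac.compare_digest(expected, submitted):      # constant-time compare
                self.last_step[user] = step
                return True
        return False


def issue_challenge() -> int:
    """Challenge-based OTP, server side: a fresh random challenge shown to the user."""
    return secrets.randbelow(10 ** 8)


def challenge_response(seed: bytes, challenge: int, digits: int = 6) -> str:
    """Token side: the user keys the challenge into the token, which feeds it to
    the same keyed algorithm in place of a counter."""
    return hotp(seed, challenge, digits)


def verify_challenge(seed: bytes, challenge: int, submitted: str, digits: int = 6) -> bool:
    """Server side: recompute the response from its copy of the seed and compare."""
    return hmac.compare_digest(challenge_response(seed, challenge, digits), submitted)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226 / RFC 6238 test seed
    server = OtpServer()
    server.enroll("alice", seed)
    now = int(time.time())
    code = totp(seed, now)                   # what the token displays right now
    print("token shows", code, "-> accepted:", server.verify("alice", code, now))
    print("same code again -> accepted:", server.verify("alice", code, now))
    chal = issue_challenge()
    print("challenge", chal, "-> response", challenge_response(seed, chal))
```

With the RFC seed, `hotp(seed, 1)` is `287082` and the 8-digit TOTP at Unix time 59 is `94287082`, matching the published vectors. Note that the replay check makes the second `verify` call with the same code fail even though the code is still within the time window.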

Page 13: Standard Biometrics

• Standard biometrics uses a person's unique characteristics (e.g. fingerprints, faces, hands, retinas) for authentication.
• Fingerprint scanners are the most common type of standard biometric device, and are of two types:
  – Static fingerprint scanner
  – Dynamic fingerprint scanner
• Disadvantages of standard biometrics:
  – Costs
  – Readers are not always foolproof.

Page 14: Standard Biometrics (continued)

• Static fingerprint scanner [figure only]

Page 15: Standard Biometrics (continued)

• Dynamic fingerprint scanner [figure only]

Page 16: Behavioral Biometrics

• Behavioral biometrics authenticates by the normal actions that the user performs.
• The most promising behavioral biometrics are:
  – Keystroke dynamics
  – Voice recognition
  – Computer footprinting

Page 17: Behavioral Biometrics

• Keystroke dynamics
  – Attempts to recognize a user's unique typing rhythm.
  – Keystroke dynamics uses two unique typing variables:
    • Dwell time: the time it takes for a key to be pressed and then released.
    • Flight time: the time between keystrokes (both "down", when the key is pressed, and "up", when the key is released, are measured).
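To make dwell and flight time concrete, the following example, added here and not part of the textbook, extracts both from a key-event log, builds an enrollment template from several typing sessions, and scores a later login against it. The key timings, the phrase "pass", the user names and the 2.0 threshold are all constructed for the demo; a real keystroke-dynamics product would use far more sessions, more features and a threshold tuned on measured false-accept and false-reject rates.

```python
from statistics import mean, pstdev

# Constructed key-event log for one short phrase ("pass"), typed once per session:
# (key, press_time_ms, release_time_ms). All timings are invented for the demo.
ALICE_SESSIONS = [
    [("p", 0, 98), ("a", 250, 352), ("s", 500, 595), ("s", 760, 862)],
    [("p", 0, 104), ("a", 258, 356), ("s", 508, 602), ("s", 764, 870)],
    [("p", 0, 101), ("a", 246, 350), ("s", 496, 600), ("s", 752, 858)],
]
ALICE_LOGIN = [("p", 0, 100), ("a", 252, 354), ("s", 504, 600), ("s", 762, 866)]
IMPOSTOR_LOGIN = [("p", 0, 60), ("a", 360, 425), ("s", 720, 780), ("s", 1100, 1160)]


def features(events):
    """Dwell time: key pressed until released. Flight time: release of one key
    until the press of the next. Both in milliseconds."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def enroll(samples):
    """Template = (mean, spread) for every dwell and flight position, built from
    several enrollment sessions. The spread is floored at 1 ms so one very
    consistent position cannot dominate the score."""
    vectors = [d + f for d, f in (features(s) for s in samples)]
    return [(mean(col), max(pstdev(col), 1.0)) for col in zip(*vectors)]


def score(template, sample):
    """Mean z-score distance of a login attempt from the template (0 = identical rhythm)."""
    dwell, flight = features(sample)
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(dwell + flight, template))


def authenticate(template, sample, threshold=2.0):
    """Accept when the typing rhythm is, on average, within `threshold` standard
    deviations of the template. The threshold trades false rejects against false
    accepts and would be tuned on real enrollment data; 2.0 is a demo value."""
    return score(template, sample) < threshold


if __name__ == "__main__":
    template = enroll(ALICE_SESSIONS)
    print("alice   :", round(score(template, ALICE_LOGIN), 2), authenticate(template, ALICE_LOGIN))
    print("impostor:", round(score(template, IMPOSTOR_LOGIN), 2), authenticate(template, IMPOSTOR_LOGIN))
```

The genuine login scores well under one standard deviation on average, while the impostor sample (short dwells, long flights) scores far above the threshold. This also illustrates the "readers are not always foolproof" caveat from the previous slide: a z-score threshold is a tunable trade-off, not a hard boundary.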

Page 18: [figure only]

Page 19: Behavioral Biometrics (continued) [figure only]

Page 20: Behavioral Biometrics (continued) [figure only]

Page 21: Behavioral Biometrics (continued)

• Voice recognition
  – Used to authenticate users based on the unique characteristics of a person's voice (e.g. the size of the user's head and the user's age).
  – Phonetic cadence
    • Speaking two words together in a way that one word "bleeds" into the next word.
    • Becomes part of each user's speech pattern.
• Computer footprint
  – When and from where a user normally accesses a system.
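The computer-footprint bullet is one line on the slide, so here is an added example (not from the textbook) of what "when and from where a user normally accesses a system" looks like as code: a baseline of weekdays, hours and source networks is built from a login history, and a new login is checked against it. The history, the user's addresses (private 10.20.1.0/24 and the 203.0.113.0/24 documentation range) and the one-hour tolerance are constructed for the demo.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed login history for one user: (weekday, hour, source IP), weekday 0 = Monday.
# Addresses are private/documentation ranges chosen for the demo.
HISTORY = [
    (0, 9, "10.20.1.15"), (0, 14, "10.20.1.15"), (1, 8, "10.20.1.22"),
    (2, 10, "10.20.1.15"), (3, 9, "10.20.1.15"), (3, 16, "10.20.1.31"),
    (4, 9, "10.20.1.15"), (4, 11, "10.20.1.22"),
]


def _net(ip, prefix):
    """Collapse a source address to its /prefix network, e.g. 10.20.1.15 -> 10.20.1.0/24."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def build_footprint(history, prefix=24):
    """Summarize when (weekday, hour) and from where (source network) the user normally logs in."""
    return {
        "days": Counter(d for d, _, _ in history),
        "hours": Counter(h for _, h, _ in history),
        "nets": Counter(_net(ip, prefix) for _, _, ip in history),
        "prefix": prefix,
    }


def footprint_flags(fp, weekday, hour, ip):
    """Return the ways a new login deviates from the footprint; an empty list means it fits."""
    flags = []
    if _net(ip, fp["prefix"]) not in fp["nets"]:
        flags.append("unusual source network")
    if not any(abs(hour - h) <= 1 for h in fp["hours"]):    # allow an hour either side
        flags.append("unusual hour")
    if weekday not in fp["days"]:
        flags.append("unusual weekday")
    return flags


if __name__ == "__main__":
    fp = build_footprint(HISTORY)
    print("Tue 10:00 from 10.20.1.40  ->", footprint_flags(fp, 1, 10, "10.20.1.40"))
    print("Sat 03:00 from 203.0.113.7 ->", footprint_flags(fp, 5, 3, "203.0.113.7"))
```

In practice a non-empty flag list is a signal to step up authentication (for example, require a second factor) or to raise an alert for review, rather than to block outright, since a travelling user or a new office will legitimately break the baseline.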

Page 22: Cognitive Biometrics

• Cognitive biometrics is related to the perception, thought process, and understanding of the user.
  – Considered to be much easier for the user to remember because it is based on the user's life experiences, which also makes it very difficult for an attacker to imitate.
• Examples of cognitive biometrics:
  – One example of cognitive biometrics is based on a life experience that the user remembers.
  – Another example of cognitive biometrics requires the user to identify specific faces.

Page 23: [figure only]

Page 24: Authentication Models

• Authentication credentials can be combined to provide extended security, hence creating different authentication models.
• Single and multi-factor authentication
  – One-factor authentication
    • Using only one authentication credential.
  – Two-factor authentication
    • Enhances security, particularly if different types of authentication methods are used.
  – Three-factor authentication
    • Requires that a user present three different types of authentication credentials.

Page 25: Authentication Models (continued)

• Single sign-on
  – Identity management
    • Using a single authenticated ID to be shared across multiple networks.
  – Federated identity management (FIM)
    • When those networks are owned by different organizations.
    • One application of FIM is called single sign-on (SSO). It consists of using one authentication to access multiple accounts or applications.

Page 26: Authentication Models (continued)

• Windows Live ID
  – Originally introduced in 1999 as .NET Passport.
  – Requires a user to create a standard username and password.
  – When the user wants to log into a Web site that supports Windows Live ID, the user will first be redirected to the nearest authentication server.
  – Once authenticated, the user is given an encrypted time-limited "global" cookie.

Page 27: Authentication Models (continued)

• Windows CardSpace
  – A feature of Windows that is intended to provide users with control of their digital identities while helping them to manage privacy.
  – It allows users to create and use virtual business cards that contain information that identifies the user.

Page 28: Authentication Models (continued) [figure only]

Page 29: Authentication Servers

• Authentication can be provided on a network by a dedicated AAA or authentication server.
• The most common type of authentication server is Kerberos.

Page 30: Kerberos

• Kerberos definition
  – An authentication system developed by the Massachusetts Institute of Technology (MIT) to provide authentication between networked users (clients) and services (e.g. a file system server or a remote login server).
  – Authentication is achieved through a central server called the "Key Distribution Center" (KDC). It consists of two parts:
    • Authentication Server (AS): issues "Ticket Granting Tickets" (TGTs).
    • Ticket Granting Server (TGS): issues service tickets.
  – Tickets contain specific user information, and restrict what a user can do.
  – Tickets expire after a few hours or a day.
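The slide names the pieces (AS, TGS, TGT, service ticket, expiry) without showing how they fit together, so the following is an added, simplified model of the three Kerberos exchanges; it is not code from the textbook or from any Kerberos implementation. `seal`/`unseal` are a toy authenticated-encryption stand-in (XOR of an HMAC-SHA256 keystream plus an HMAC tag) for the real Kerberos encryption types, `derive_key` is a plain hash where real Kerberos uses a salted string-to-key function, there is no pre-authentication, and the principal names, passwords and lifetimes are constructed for the demo. What the model does preserve is the structure: the AS hands back a TGT that only the TGS can open, the TGS turns a TGT plus a fresh authenticator into a service ticket that only that service can open, every ticket carries the user's identity and an expiry, and the service validates a ticket with its own key and no call to the KDC.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str) -> bytes:
    """Long-term key from a password (demo only; real Kerberos uses a salted string-to-key)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag): a stand-in for the
    real Kerberos encryption types, which this example does not implement."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: the AS issues TGTs, the TGS issues service tickets."""
    TGT_LIFETIME = 8 * 3600      # tickets expire after a few hours or a day
    SVC_LIFETIME = 1 * 3600

    def __init__(self):
        self.principals = {}               # name -> long-term key (users and services)
        self.tgs_key = os.urandom(32)      # known only to the TGS

    def register(self, name, password):
        self.principals[name] = derive_key(password)

    def as_exchange(self, user, now):
        """AS: a TGT sealed under the TGS key, plus the session key sealed under the
        user's key. Only a holder of the user's key can read the session key."""
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"user": user, "key": sk.hex(), "expires": now + self.TGT_LIFETIME})
        return seal(self.principals[user], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS: check the TGT and the client's authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now >= t["expires"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)            # proves the client knows the session key
        if auth["user"] != t["user"] or abs(now - auth["time"]) > 300:
            raise PermissionError("bad authenticator")
        svc_key = os.urandom(32)
        ticket = seal(self.principals[service],
                      {"user": t["user"], "key": svc_key.hex(), "expires": now + self.SVC_LIFETIME})
        return seal(sk, {"key": svc_key.hex(), "ticket": ticket.hex()})


def service_accept(service_key, ticket, authenticator, now):
    """The service opens the ticket with its own long-term key; no call to the KDC is needed."""
    t = unseal(service_key, ticket)
    if now >= t["expires"]:
        raise PermissionError("service ticket expired")
    if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
        raise PermissionError("authenticator mismatch")
    return t["user"]


def login_and_access(kdc, user, password, service, now):
    """Client side of the three exchanges; returns the identity the service accepted."""
    as_rep = unseal(derive_key(password), kdc.as_exchange(user, now))   # wrong password fails here
    sk, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"user": user, "time": now}), service, now))
    svc_key, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    return service_accept(kdc.principals[service], ticket, seal(svc_key, {"user": user, "time": now}), now)


if __name__ == "__main__":
    kdc = KDC()
    kdc.register("alice", "correct horse battery")              # constructed demo credentials
    kdc.register("mail/server", "service-long-term-secret")
    who = login_and_access(kdc, "alice", "correct horse battery", "mail/server", int(time.time()))
    print("mail server accepted:", who)
```

Two properties worth tracing through the code: the user's password is never sent anywhere (it is only used to open the AS reply locally, so a wrong password simply fails the integrity check), and the expiry inside each ticket is what bounds the damage from a stolen TGT or service ticket, which is why the lifetimes on the slide are hours rather than weeks.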

Page 31: Kerberos Architecture [diagram]

Diagram components: Kerberos KDC (containing the AS and the TGS), Client, Mail Server, Printer Server; two "Ticket" labels appear beside the servers.

Page 32: Kerberos [figure only]

Page 33: Kerberos (you may remove this slide if you wish)

• Advantages
  – Strong authentication.
  – Single sign-on (SSO) capability.
• Disadvantages
  – Single point of failure (centralized KDC).
  – Authentication Server could be compromised.
  – TGT could be stolen to access network services.
  – Subject to password guessing.

Page 34: Summary

• Access control is the process by which resources or services are denied or granted.
• AAA are the basic pillars of security:
  – Authentication: verifying that a person requesting access to a system is who he claims to be.
  – Access control: regulating what a subject can do with an object.
  – Auditing: review of the security settings.

Page 35: Summary

• There are three types of authentication methods (what the user knows, has, and is).
• Authentication credentials can be combined to provide extended security.
• Authentication can be provided on a network by a dedicated AAA or authentication server (e.g. Kerberos).

Page 36: References

• Derek Konigsberg, Kerberos: The Network Authentication Protocol, Linux Enthusiasts and Professionals. [Online] Available: http://www.logicprobe.org/~octo/pres/pres_kerberos.pdf