
Security+ Certification Lecture: Chapter 2 - Trung tâm Athena


DOCUMENT INFORMATION

Basic information

Format
Pages: 55
Size: 0.92 MB

Contents

Chapter 2 - Authentication. After studying this chapter you will be able to: understand AAA (3A), create strong passwords and store them securely, understand the Kerberos authentication process, understand how CHAP works, understand what mutual authentication is and why it is necessary, understand how digital certificates are created and why they are used, ...

Slide 1

Chapter 2: Authentication

Slide 2

Objectives in this chapter

• Create strong passwords and store them securely
• Understand the Kerberos authentication process
• Understand what mutual authentication is and why it is necessary

Slide 4

Security of System Resources

• Three-step process (AAA): authentication, authorization and accounting
  – Authorization grants each subject a predetermined level of access to resources

Slide 5

Security of System Resources

• Identifying who is responsible for information security

Slide 6

Authentication

• Positive identification of the person/system seeking access to secured information/services
• Based on:
  – Something you know (password)
  – Something you have (smartcard)
  – Something you are (biometrics)
  – Or a combination (multi-factor)

Slide 8

Authentication: The Big Issue

• The central problem to be solved in all cases is how to send something securely across the network to the authenticator such that the something cannot be read or decrypted, etc., and cannot be successfully replayed later from captured packets

Slide 9

Usernames and Passwords

• Username: unique alphanumeric identifier used to identify an individual when logging onto a computer/network
• Password: secret combination of keystrokes that, when combined with a username, authenticates a user to a computer/network

Slide 10

Username + Password

• Username/password validated against an Access Server

Slide 11

Basic Rules for Password Protection

2. Use different passwords for different functions
3. Use at least 6 characters
4. Use a mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically

Rules 3 and 5 reflect the guidance of the slide's time: NIST SP 800-63B now requires a minimum of 8 characters and no longer recommends forced periodic changes, asking instead for a change when there is evidence the password has been compromised.
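The rules above as an access server would enforce them, together with the storage side of slide 10 (validation against a stored record). This is an added example, not code from the lecture: it checks a candidate password against the slide-11 rules, keeps only a random salt plus an scrypt hash of the password, and compares digests in constant time. The usernames, passwords, the 90-day maximum age and the scrypt parameters are constructed/assumed values.

```python
"""Password policy check and salted-hash storage for a small access server.

Added example, not the lecture's code. The checks follow slide 11 (length,
character mix, no reuse across functions, periodic change); the usernames,
passwords and the 90-day maximum age are constructed/assumed values.
"""
import hashlib
import hmac
import os
import secrets
import string
import time

MIN_LENGTH = 6              # the slide's minimum; NIST SP 800-63B now asks for 8
MAX_AGE = 90 * 24 * 3600    # "change periodically": assumed 90-day policy
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def check_policy(password: str, username: str = "", other_passwords=()) -> list:
    """Return the slide-11 rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has = [any(c.islower() for c in password), any(c.isupper() for c in password),
           any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if not all(has):
        problems.append("needs upper, lower, digit and other characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password in other_passwords:
        problems.append("reused from another function")
    return problems


def generate_password(length: int = 12) -> str:
    """Random password from the OS CSPRNG that satisfies the character-mix rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def hash_password(password: str, now: float = None) -> dict:
    """Keep only a random salt and scrypt(password): the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "changed_at": time.time() if now is None else now}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]), **SCRYPT)
    # constant-time compare: a plain == would leak how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_change(record: dict, now: float) -> bool:
    return now - record["changed_at"] > MAX_AGE


class AccessServer:
    """Validates username/password pairs (slide 10) against hashed records."""

    def __init__(self):
        self.users = {}
        self._dummy = hash_password("not-a-real-password")  # for unknown-user timing

    def enrol(self, username: str, password: str, now: float) -> None:
        problems = check_policy(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[username] = hash_password(password, now)

    def login(self, username: str, password: str, now: float) -> str:
        record = self.users.get(username)
        if record is None:
            verify_password(self._dummy, password)   # same cost as a real check
            return "denied"
        if not verify_password(record, password):
            return "denied"
        return "change-required" if needs_change(record, now) else "ok"
```

The dummy hash in `login` keeps the response time for an unknown username the same as for a known one, so an attacker cannot enumerate accounts by timing; the `other_passwords` argument is where a caller passes the user's passwords for other functions (rule 2), since the server alone cannot see them.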

Slide 12

Strong Password Creation Techniques

• Easy to remember; difficult to recognize
  – First letters of each word of a simple phrase; add a number and punctuation
  – Combine two dissimilar words and place a number between them

Slide 13

Techniques to Use Multiple Passwords

• Group Web sites or applications requiring passwords by appropriate level of security
  – Use a different password for each group
  – Cycle more complex passwords down the groups, from most sensitive to least

Slide 14

Storing Passwords

• Written list
  – Keep in a place you are not likely to lose it
  – Use small type
  – Develop a personal code to apply to the list
• Electronic
  – Use a specifically designed application (encrypts data)

Slide 15

Challenge Handshake Authentication Protocol (CHAP)

• PPP mechanism used by an authenticator to authenticate a peer
• Uses a hashed challenge-and-response: the peer returns MD5(identifier, secret, challenge) as defined in RFC 1994, so the secret itself never crosses the link

Slide 16

CHAP Challenge-and-Response Sequence
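The sequence on this slide, written out as both sides of the exchange. This is an added example and not the lecture's code: the authenticator issues a random challenge with a fresh identifier, the peer answers with MD5(identifier || secret || challenge) exactly as RFC 1994 specifies, and the authenticator checks the answer and then discards the challenge so that the same response cannot be accepted twice. The peer name and shared secret are constructed. Note one consequence the slides do not spell out: because the hash is computed over the secret itself, the authenticator has to hold the secret in clear (or reversibly encrypted) form; it cannot work from a salted password hash.

```python
"""CHAP (RFC 1994) challenge/response between an authenticator and a peer.

Added example, not the lecture's code. Response = MD5(Identifier || secret ||
Challenge); the peer name and the shared secret are constructed.
"""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: the one-octet Identifier, then the secret, then the challenge value
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The PPP side that issues challenges. It needs the secret in clear
    (or reversibly stored): CHAP cannot be run from a salted hash."""

    def __init__(self, secrets_by_name: dict):
        self.secrets = secrets_by_name
        self.ident = 0
        self.outstanding = {}   # identifier -> challenge value not yet answered

    def challenge(self):
        self.ident = (self.ident + 1) % 256      # changing identifier
        value = os.urandom(16)                   # variable challenge value
        self.outstanding[self.ident] = value
        return self.ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.outstanding.pop(ident, None)  # each challenge is answered once
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False                           # unknown id: replay or stray packet
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        return ident, self.name, chap_response(ident, self.secret, challenge)


def demo() -> dict:
    """One fresh exchange, then the attacks the following slides talk about."""
    secret = b"constructed-shared-secret"
    auth = Authenticator({"roadwarrior": secret})
    peer = Peer("roadwarrior", secret)

    ident, chal = auth.challenge()
    captured = peer.respond(ident, chal)            # what an eavesdropper would record
    fresh = auth.verify(*captured)

    replay = auth.verify(*captured)                 # same packet again: identifier already consumed

    ident2, chal2 = auth.challenge()                # periodic re-challenge during the session
    stale = auth.verify(ident2, "roadwarrior", captured[2])   # old response, new challenge

    wrong = Peer("roadwarrior", b"guessed-secret")
    ident3, chal3 = auth.challenge()
    bad_secret = auth.verify(*wrong.respond(ident3, chal3))

    return {"fresh": fresh, "replay": replay, "stale": stale, "bad_secret": bad_secret}
```

`demo()` returns `True` only for the fresh exchange; the replayed packet, the recorded response sent against a new challenge, and the wrong secret are all rejected, which is the benefit of variable challenge values and changing identifiers claimed on the next slide.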

Slide 17

CHAP Security Benefits

• Multiple authentication sequences throughout the Network layer protocol session
  – Limit the time of exposure to any single attack
• Variable challenge values and changing identifiers
  – Provide protection against playback (replay) attacks

Slide 18

CHAP Security Issues

• Secrets should not be the same in both directions of the link
• Possible for users to update passwords

Slide 20

Kerberos in a Simple Environment

Slide 21

Kerberos in a Simple Environment

• Small, fixed-length numerical value
• Computed as a function of an arbitrary number of bits in a message
• Used to verify the authenticity of the sender

Slide 22

Kerberos in a Simple Environment

Slide 23

Kerberos in a More Complex Environment

Slide 24

Kerberos in a More Complex Environment

Slide 25

Kerberos in Very Large

Slide 26

Security Weaknesses of Kerberos

• Does not solve password-guessing attacks
• Must keep the password secret
• Does not prevent denial-of-service attacks
• Internal clocks of authenticating devices must be loosely synchronized
• Authenticating device identifiers must not be recycled on a short-term basis
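The simple-environment exchange of slides 20-22 and the weaknesses listed above, as one runnable model. This is an added example, not the lecture's or MIT's code: the KDC issues a session key and a ticket sealed under the service's key, the client recovers the session key with a key derived from its password, and the service checks the authenticator for ticket expiry, clock skew and replay. A hash-based toy cipher (SHA-256 keystream with an HMAC tag) stands in for the real Kerberos encryption types so that the block runs on the standard library alone; the realm, principal names, passwords, timestamps and the 300-second skew allowance are constructed/assumed values.

```python
"""Toy Kerberos-style exchange for a simple single-realm environment.

Added example, not the lecture's code. It uses a hash-based toy cipher
(SHA-256 keystream plus HMAC tag) in place of a real Kerberos encryption
type so that it runs with the standard library alone; principals, passwords
and timestamps are constructed. Service.accept performs the checks slide 26
alludes to: ticket expiry, clock skew and authenticator replay.
"""
import hashlib
import hmac
import json
import os

REALM = "ATHENA.LOCAL"        # constructed realm name
CLOCK_SKEW = 300              # seconds; the usual Kerberos default
TICKET_LIFE = 8 * 3600


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object (toy construction, not a real cipher)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password: str, principal: str) -> bytes:
    """Client long-term key from the password (realm + name as salt); scrypt
    stands in for the real Kerberos string-to-key function."""
    salt = (REALM + principal).encode()
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class KDC:
    """Authentication Server: holds every principal's long-term key."""

    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str, service: str, now: float) -> bytes:
        # The KDC does not see or check the password: anyone can request this
        # reply and try passwords against it offline, which is why Kerberos
        # "does not solve password-guessing attacks".
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "key": session,
                                           "expires": now + TICKET_LIFE})
        return seal(self.keys[client], {"key": session, "ticket": ticket.hex()})


class Service:
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()   # (client, timestamp) of accepted authenticators

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> bool:
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            return False
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"]:
            return False
        if abs(now - a["ts"]) > CLOCK_SKEW:        # clocks must be loosely synchronised
            return False
        if (a["client"], a["ts"]) in self.replay_cache:
            return False                           # this authenticator was seen before
        self.replay_cache.add((a["client"], a["ts"]))
        return True


def client_login(password: str, client: str, service: str, kdc: KDC, now: float):
    """Client side: open the AS reply with the password-derived key, then build
    an authenticator (name + timestamp) under the session key."""
    reply = unseal(string_to_key(password, client), kdc.as_exchange(client, service, now))
    authenticator = seal(bytes.fromhex(reply["key"]), {"client": client, "ts": now})
    return bytes.fromhex(reply["ticket"]), authenticator


def demo() -> dict:
    now = 1700000000.0
    keys = {"alice": string_to_key("correct horse battery", "alice"),
            "fileserver": os.urandom(32)}
    kdc, fs = KDC(keys), Service(keys["fileserver"])
    result = {}
    ticket, auth = client_login("correct horse battery", "alice", "fileserver", kdc, now)
    result["ok"] = fs.accept(ticket, auth, now + 5)
    result["replay"] = fs.accept(ticket, auth, now + 10)          # same authenticator again
    ticket2, auth2 = client_login("correct horse battery", "alice", "fileserver", kdc, now + 1000)
    result["skew"] = fs.accept(ticket2, auth2, now)               # client clock 1000 s ahead
    try:
        client_login("wrong password", "alice", "fileserver", kdc, now)
        result["wrong_password"] = True
    except ValueError:
        result["wrong_password"] = False
    return result
```

The replay cache is keyed on (client, timestamp), which is why the slides insist that identifiers must not be recycled quickly and that clocks stay within a few minutes of each other: the cache only has to remember authenticators inside the skew window.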

Slide 28

Electronic Encryption and Decryption Concepts

Slide 29

Symmetric Key Cryptography

• Single key – works in both directions (the same key used to encrypt will also decrypt the ciphertext)
• Short key length – 128 up to 448 bits (currently)
• Very fast encryption/decryption
• Key used for a short time and discarded (session key)

Slide 30

Asymmetric Key Cryptography

• Two keys – one made public and one kept securely private
• One-way – a ciphertext encrypted with one of the keys can only be decrypted with the other key
• Long length – 1024, 2048, or more bits
• Slow encryption/decryption

Slide 31

Electronic Encryption and Decryption Concepts

• Certificate Authority (CA)
  – Trusted, third-party entity that verifies the actual identity of an organization/individual before providing a digital certificate
• Practice of using a trusted, third-party entity to verify the authenticity of a party who sends a message

Slide 32

• Electronic means of verifying the identity of an


Slide 34

How Much Trust Should One Place in a CA?

• Reputable CAs have several levels of authentication that they issue based on the amount of data collected from applicants
• Example: VeriSign

Slide 35

Security Tokens

• Authentication devices assigned to a specific user
• Small, credit card-sized physical devices
• Incorporate two-factor authentication methods
• Utilize base keys that are much stronger than the short, simple passwords a person can remember

Slide 36

Types of Security Tokens

• Passive
  – Act as a storage device for the base key
  – Do not emit, or otherwise share, base tokens

Slide 37

• Strategies for generating one-time passwords
  – Counter-based tokens
  – Clock-based tokens

Slide 39

How Biometric Authentication Works

1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and compares it to data in the template
6. If data from the scan matches data in the template, the person is allowed access
7. Keep a record, following the AAA model

Slide 40

False Positives and False Negatives

• False positive
  – Occurrence of an unauthorized person being authenticated by a biometric authentication process
• False negative
  – Occurrence of an authorized person being rejected by a biometric authentication process
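Step 6 of the previous slide ("if the data matches") hides a threshold, and that threshold is what trades false positives against false negatives. The following is an added example, not the lecture's code: given match scores for genuine comparisons (a person against their own template) and impostor comparisons (against someone else's), it computes the false accept rate and false reject rate at a threshold and finds the threshold where the two are closest, the equal error rate usually quoted for a biometric system. The score lists are constructed.

```python
"""False accepts and false rejects as a function of the match threshold.

Added example, not the lecture's code. The scores are constructed: GENUINE
are comparisons of a person against their own template, IMPOSTOR against
someone else's; higher means a closer match.
"""

GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.79, 0.90, 0.86, 0.93]
IMPOSTOR = [0.21, 0.35, 0.62, 0.48, 0.76, 0.30, 0.55, 0.41, 0.68, 0.25]


def rates(genuine, impostor, threshold):
    """Return (false_accept_rate, false_reject_rate) at this threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # unauthorised person accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # legitimate user turned away
    return far, frr


def tradeoff(genuine, impostor, thresholds):
    """FAR/FRR for each candidate threshold; raising it lowers FAR and raises FRR."""
    return {t: rates(genuine, impostor, t) for t in thresholds}


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest (the equal error rate point)."""
    return min(thresholds, key=lambda t: abs(rates(genuine, impostor, t)[0]
                                            - rates(genuine, impostor, t)[1]))
```

With the constructed scores, a threshold of 0.70 lets one impostor through and rejects nobody, 0.80 rejects two genuine users and no impostor, and 0.75 is the equal error point; a door to a server room and a phone unlock would pick different points on that curve.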

Slide 41

Different Kinds of Biometrics

Slide 42

Fingerprint Biometrics

Slide 43

Hand Geometry Authentication

Slide 44

Retinal Scanning

Slide 45

Iris Scanning

Slide 46

Signature Verification

Slide 47

General Trends in Biometrics

• Authenticating large numbers of people over a short period of time (e.g., smart cards)
• Gaining remote access to controlled areas

Slide 48

Multifactor Authentication

• Identity of an individual is verified using at least two of the three factors of authentication
  – Something you know (e.g., password)
  – Something you have (e.g., smart card)
  – Something about you (e.g., biometrics)

Slide 49

Authentication Techniques Summary

Slide 50

• Controlling Access to Computer Systems
  – Restrictions to user access are stored in an access control list (ACL)
  – An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)

Slide 51

Mandatory Access Control (MAC)

• A more restrictive model
• The subject is not allowed to give another subject access to use an object

Slide 52

Role Based Access Control (RBAC)

• Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects

Slide 53

Discretionary Access Control (DAC)

• Least restrictive model
• One subject can adjust the permissions for other subjects over objects
• Type of access most users associate with their personal computers

Slide 54

Auditing Information Security Schemes

• Two ways to audit a security system
  – Logging records which user performed a specific activity and when
  – System scanning to check the permissions assigned to a user or role; these results are compared to what is expected to detect any differences
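Slides 50 to 54 in one small reference monitor, as an added example rather than the lecture's code. An ACL table maps each subject to its rights on an object; DAC shows as the owner granting rights to another subject (and a non-owner being refused); MAC shows as a sensitivity label that the ACL cannot override, using the "no read up / no write down" rule on the labels; RBAC shows as rights attached to a role rather than a user; and the two audit methods from slide 54 are a decision log and a scan that compares live ACLs against the documented ones. Users, clearances, labels, roles and file names are constructed.

```python
"""ACL, MAC, DAC, RBAC and auditing in one small reference monitor.

Added example, not the lecture's code. Users, clearances, labels, roles and
file names are constructed; the MAC rule is the label check (no read up,
no write down), and only an object's owner may change its ACL (DAC).
"""

LEVELS = {"public": 0, "internal": 1, "secret": 2}


class Monitor:
    def __init__(self, clearances: dict, roles: dict, role_rights: dict):
        self.clearances = clearances      # user -> label (MAC)
        self.roles = roles                # user -> set of roles (RBAC)
        self.role_rights = role_rights    # role -> {object: set of rights}
        self.objects = {}                 # object -> {"owner", "label", "acl"}
        self.log = []                     # audit trail: (when, who, what, object, allowed)

    def create(self, owner: str, name: str, label: str, now: int) -> None:
        self.objects[name] = {"owner": owner, "label": label,
                              "acl": {owner: {"read", "write"}}}   # the ACL table
        self.log.append((now, owner, "create", name, True))

    def grant(self, granter: str, name: str, subject: str, right: str, now: int) -> bool:
        """DAC: a subject adjusts another subject's rights; only the owner may."""
        obj = self.objects[name]
        ok = obj["owner"] == granter
        if ok:
            obj["acl"].setdefault(subject, set()).add(right)
        self.log.append((now, granter, "grant:%s:%s" % (subject, right), name, ok))
        return ok

    def _mac_allows(self, user: str, obj: dict, right: str) -> bool:
        """MAC: the labels decide, and no subject can give that away."""
        clearance = LEVELS[self.clearances.get(user, "public")]
        label = LEVELS[obj["label"]]
        if right == "read":
            return clearance >= label       # no read up
        return clearance <= label           # no write down

    def check(self, user: str, name: str, right: str, now: int) -> bool:
        obj = self.objects[name]
        acl_ok = right in obj["acl"].get(user, set())
        rbac_ok = any(right in self.role_rights.get(r, {}).get(name, set())
                      for r in self.roles.get(user, ()))
        decision = (acl_ok or rbac_ok) and self._mac_allows(user, obj, right)
        self.log.append((now, user, right, name, decision))   # logging (slide 54)
        return decision

    def scan(self, expected: dict) -> list:
        """Scanning (slide 54): rights present in the live ACLs but not in the
        documented ones, as (object, subject, extra rights)."""
        diffs = []
        for name, obj in self.objects.items():
            for subject, rights in obj["acl"].items():
                extra = rights - expected.get(name, {}).get(subject, set())
                if extra:
                    diffs.append((name, subject, sorted(extra)))
        return diffs


def demo() -> dict:
    m = Monitor(
        clearances={"alice": "internal", "bob": "internal", "dave": "public", "erin": "secret"},
        roles={"erin": {"auditor"}},
        role_rights={"auditor": {"audit.log": {"read"}}},
    )
    m.create("alice", "report.txt", "internal", now=1)
    m.create("root", "audit.log", "secret", now=2)
    out = {}
    out["bob_before"] = m.check("bob", "report.txt", "read", 3)          # no ACL entry yet
    out["grant_by_owner"] = m.grant("alice", "report.txt", "bob", "read", 4)
    out["bob_after"] = m.check("bob", "report.txt", "read", 5)
    out["grant_by_nonowner"] = m.grant("bob", "report.txt", "dave", "read", 6)
    m.grant("alice", "report.txt", "dave", "read", 7)
    out["dave_read_up"] = m.check("dave", "report.txt", "read", 8)       # ACL yes, label no
    out["erin_by_role"] = m.check("erin", "audit.log", "read", 9)        # right comes from the role
    out["scan"] = m.scan({"report.txt": {"alice": {"read", "write"}},
                          "audit.log": {"root": {"read", "write"}}})
    out["log_entries"] = len(m.log)
    return out
```

The scan result is the interesting audit output: bob and dave both hold a read right that the documented ACL does not list, which is exactly the kind of drift the slide's "compare to what is expected" step is meant to surface, while the log shows who granted it and when.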

Posted: 30/01/2020, 11:57
