Authentication
Objectives
v Define authentication
v Authentication credentials
v Authentication models
v Authentication servers
v Extended authentication protocols
v Virtual Private Network (VPN)
Password-Guessing Attacks Surge
v Slow guessing and botnets conceal the attacks
v Countermeasures
  v Strong password policy, restricting access to the server by source IP, two-factor authentication
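Slow, distributed guessing stays under a per-IP lockout threshold while the failures against one account add up across many sources. As an added illustration (not from the slides), the following detection rule aggregates failed logins per account over a long window and flags the account when the failures come from many distinct IPs with few attempts each; the log format and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, result, user, source IP.
# Six failures against "alice" from six IPs, each IP trying once.
SAMPLE_LOG = """\
2024-01-01T00:00:05 FAIL user=alice ip=203.0.113.10
2024-01-01T00:20:10 FAIL user=alice ip=203.0.113.11
2024-01-01T00:40:02 FAIL user=alice ip=198.51.100.7
2024-01-01T01:00:33 FAIL user=alice ip=203.0.113.12
2024-01-01T01:25:41 FAIL user=alice ip=198.51.100.8
2024-01-01T01:50:09 FAIL user=alice ip=203.0.113.13
2024-01-01T02:05:00 OK   user=bob   ip=192.0.2.5
2024-01-01T02:10:00 FAIL user=bob   ip=192.0.2.5
"""

def parse_line(line):
    """Split one constructed log line into (time, result, user, ip)."""
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])

def find_slow_guessing(log_text, window=timedelta(hours=6),
                       min_failures=5, min_ips=3, max_per_ip=2):
    """Return {user: [ips]} for accounts whose failures inside `window`
    come from at least `min_ips` distinct IPs while no single IP exceeds
    `max_per_ip` attempts: the pattern a per-IP lockout rule misses."""
    failures = defaultdict(list)          # user -> [(time, ip), ...]
    for raw in log_text.splitlines():
        t, result, user, ip = parse_line(raw)
        if result == "FAIL":
            failures[user].append((t, ip))
    flagged = {}
    for user, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window start
            in_win = [e for e in events[i:] if e[0] - start <= window]
            per_ip = defaultdict(int)
            for _, ip in in_win:
                per_ip[ip] += 1
            if (len(in_win) >= min_failures and len(per_ip) >= min_ips
                    and max(per_ip.values()) <= max_per_ip):
                flagged[user] = sorted(per_ip)
                break
    return flagged
```

The same aggregation keyed on the target account (rather than the source IP) is what makes two-factor authentication and source-IP restrictions worth pairing with lockout rules: the rule above surfaces the campaign, the countermeasures blunt it.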
Definition of Authentication
v Authentication can be defined in two contexts
v The first is viewing authentication as it relates to access control
v The second is to look at it as one of the three key elements of security:
  v Authentication
  v Authorization
  v Accounting
Authentication & Access Control Terminology
v Access control is the process by which resources or services are granted or denied
v Identification
  v The presentation of credentials or identification
v Authentication
  v The verification of the credentials to ensure that they are genuine and not fabricated
v Authorization
  v Granting permission for admittance
v Access is the right to use specific resources
Authentication, Authorization, and Accounting
v Short form: AAA
v Authentication in AAA provides a way of identifying a user
  v Typically with a password
v Authorization determines whether the user has the authority to carry out certain tasks
  v The process of enforcing policies
v Accounting measures the resources a user “consumes” during each network session
Uses of Accounting Data
v To find evidence of problems
v For billing
v For planning
v AAA servers
  v Servers dedicated to performing AAA functions
  v Can provide significant advantages in a network
Authentication Credentials
v Credentials are something you have, something you are, or something you know
v Types of authentication credentials
  v Passwords
  v One-time passwords
  v Standard biometrics
  v Behavioral biometrics
  v Cognitive biometrics
One-Time Passwords
v Standard passwords are typically static in nature
v One-time passwords (OTP)
  v Dynamic passwords that change frequently
  v Systems using OTPs generate a unique password on demand that is not reusable
v The most common type is a time-synchronized OTP
  v Used in conjunction with a token
v The token and a corresponding authentication server share the same algorithm
  v Each algorithm is different for each user’s token
Challenge-Based OTPs
v Authentication server displays a challenge (a random number) to the user
v User then enters the challenge number into the token
  v Which then executes a special algorithm to generate a password
v Because the authentication server has this same algorithm, it can also generate the password and compare it against the one entered by the user
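Both the time-synchronized and the challenge-based schemes above come down to a token and a server running the same algorithm over a per-user secret. The following is an added illustration, not code from the slides; it assumes the shared algorithm is HMAC-SHA1 truncated to six digits (the HOTP construction from RFC 4226) and covers both inputs: the current time step and a server-issued random challenge.

```python
import hashlib, hmac, secrets, struct

def otp(secret: bytes, moving_factor: int, digits: int = 6) -> str:
    """The shared algorithm: HMAC-SHA1 over an 8-byte counter/time/challenge,
    then RFC 4226 dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Token:
    """What the user holds: knows only its own secret."""
    def __init__(self, secret: bytes):
        self.secret = secret
    def time_code(self, now: int, step: int = 30) -> str:
        return otp(self.secret, now // step)          # time-synchronized
    def challenge_code(self, challenge: int) -> str:
        return otp(self.secret, challenge)            # challenge-based

class AuthServer:
    """Holds every user's secret and recomputes the expected password."""
    def __init__(self):
        self.secrets = {}
        self.pending = {}                 # user -> outstanding challenge
    def enroll(self, user: str) -> Token:
        self.secrets[user] = secrets.token_bytes(20)   # per-user key
        return Token(self.secrets[user])
    def verify_time(self, user, code, now, step=30, drift=1) -> bool:
        # Accept neighbouring steps to tolerate token clock drift.
        return any(hmac.compare_digest(code, otp(self.secrets[user], now // step + d))
                   for d in range(-drift, drift + 1))
    def issue_challenge(self, user) -> int:
        self.pending[user] = secrets.randbelow(10 ** 8)  # random number shown to user
        return self.pending[user]
    def verify_challenge(self, user, code) -> bool:
        challenge = self.pending.pop(user, None)      # single use: not reusable
        if challenge is None:
            return False
        return hmac.compare_digest(code, otp(self.secrets[user], challenge))
```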
Standard Biometrics
v Uses a person’s unique characteristics for authentication (what he is)
v Examples: fingerprints, faces, hands, irises, retinas
v Types of fingerprint scanners
  v Static fingerprint scanner
  v Dynamic fingerprint scanner (more secure)
v Disadvantages
  v Costs
  v Readers are not always foolproof
  v How can you change your password if it's your fingerprint?
Dynamic Fingerprint Scanner
Behavioral Biometrics
v Authenticates by normal actions that the user performs
v Keystroke dynamics
  v Attempt to recognize a user’s unique typing rhythm
  v Keystroke dynamics uses two unique typing variables
    v Dwell time
    v Flight time
Keystroke Dynamics
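To make the two typing variables concrete: dwell time is how long a key is held, flight time is the gap between releasing one key and pressing the next. The block below is an added illustration, not from the slides; the key events and the scoring rule (mean absolute deviation from an enrolled mean profile, with an assumed threshold) are constructed for the example.

```python
from statistics import mean

def timing_features(events):
    """events: (key, down_ms, up_ms) tuples in typing order.
    Dwell = up - down for each key; flight = next down - previous up."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature mean over several typings of the same phrase."""
    feats = [timing_features(s) for s in samples]
    return [mean(col) for col in zip(*feats)]

def score(profile, attempt):
    """Mean absolute deviation from the profile, in ms; lower is closer."""
    return mean(abs(a - b) for a, b in zip(profile, timing_features(attempt)))

def authenticate(profile, attempt, threshold_ms=25):
    """Accept when the rhythm is within the assumed threshold of the profile."""
    return score(profile, attempt) <= threshold_ms

# Constructed samples: the legitimate user typing "pass" three times.
GENUINE = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 380), ("s", 450, 540)],
    [("p", 0, 95), ("a", 160, 245), ("s", 310, 390), ("s", 455, 545)],
    [("p", 0, 85), ("a", 145, 225), ("s", 295, 375), ("s", 445, 535)],
]
# Same characters, different rhythm: long holds and slow transitions.
IMPOSTOR = [("p", 0, 180), ("a", 400, 560), ("s", 800, 950), ("s", 1200, 1400)]
```

Note that the impostor types the correct characters; only the rhythm differs, which is exactly what this credential type checks.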
Behavioral Biometrics
v Voice recognition
  v Uses unique characteristics of a person’s voice
  v Phonetic cadence
    v Speaking two words together in a way that one word “bleeds” into the next word
    v Becomes part of each user’s speech pattern
v Computer footprint
  v When and from where a user normally accesses a system
Computer Footprinting in Online Banking
v A simple form of two-factor authentication
v Now required in the US
Cognitive Biometrics
v Related to the perception, thought process, and understanding of the user
v Easier for the user to remember because it is based on the user’s life experiences
v One example of cognitive biometrics is based on a life experience that the user remembers
v Another example of cognitive biometrics requires the user to identify specific faces
Single and multi-factor authentication
v One-factor authentication
  v Using only one authentication credential, such as a password
v Two-factor authentication
  v Enhances security, particularly if different types of authentication methods are used (password and token)
v Three-factor authentication
  v Requires that a user present three different types of authentication credentials
Single sign-on
v Identity management
  v Using a single authenticated ID to be shared across multiple networks
v Federated identity management (FIM)
  v When those networks are owned by different organizations
v One application of FIM is called single sign-on (SSO)
  v Using one authentication to access multiple accounts or applications