Authentication

Authentication is the process of verifying the identity of any entity requesting access to network resources. Authentication encompasses server and host authentication, router or wireless access point authentication (where applicable), process authentication, and user authentication.

Authentication and authorization are not exactly the same thing, though in some cases such as legal or technical requirements, they are often paired or confused with each other. However, authentication is the process of making sure you are who you say you are, and authorization allows access based on that identity.

Your project plan should dig into your authentication security to determine how effectively you've implemented authentication systems, where your vulnerabilities lie, where and how an attacker might strike, and what you need to do to improve security. While ever-changing, the list presented here shouldn't change too dramatically in the near-term, unless some major event or discovery obliterates previous authentication solutions.

■ Basic Authentication Users signing into a guest account have to know the guest account name and password.

■ Two-factor Authentication The username and password are two factors required to log onto a network. This is similar to entering a credit card number and the expiration date for an online transaction.

■ Multi-factor Authentication The username, password, and pin number are all part of multi-factor authentication. Many banks use multi-factor authentication to prevent theft based on URL spoofing. Multi-factor authentication includes entering a user name and then being presented with a unique key such as a picture or key word, and then entering your password only after the correct key is presented to you.This prevents specific types of attacks, such as man-in-the-middle (MITM) attacks.

■ Public Key Infrastructure (PKI) PKI is a form of cryptography that is implemented as part of a security project. PKI allows users to communicate securely through the use of a pair of cryptographic keys. One of the keys is the "public" key and one is the "private" key, and they are related to one another mathematically.

■ Geo-location Geo-location is a method of determining where in the world a particular computer resides. It's used for a number of legitimate purposes, but it can also be used for illegitimate purposes. Many companies sell IP address geo-location databases that can locate the city and the street Justas well as the country of an IP address. Anonymous traffic can help deter geo-location efforts, but many Internet companies will not accept or forward anonymous traffic.

■ Kerberos An Internet security protocol that prevents eavesdropping and replay attacks, and ensures the integrity of the data. It is implemented between clients and servers and provides mutual authentication.

■ Secure Shell (SSH) SSH is one implementation of public key cryptography that provides for mutual authentication of user to a remote server. It also provides data confidentiality and integrity.

■ Secure Remote Password (SRP) Protocol The Secure Remote Password Protocol is a password-authentication system that allows users to authenticate with a server. This method is resistant to dictionary attacks and does not require a trusted third party.

■ Closed-loop Authentication Closed loop authentication is a means by which one party verifies him or herself to another party by requiring the use of a token transmitted from a trusted point of contact.

■ Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a protocol that provides authentication, authorization, and accounting (AAA) for network access and mobility. It works in both local and roaming situations.

■ DIAMETER DIAMETER is an AAA protocol that is purported to be the "upgrade" to RADIUS, although it is not backward compatible.

■ Hashed Message Authentication Code (HMAC) HMAC is a type of message authentication code that uses a cryptographic hash function in combination with a secret key.

■ Extensible Authentication Protocol (EAP) EAP is a fairly universal authentication mechanism that is often used to secure wireless networks and point-to-point connections.There are variations of the EAP protocol that are incorporated into recent Wireless Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) standards for wireless networking security.

■ Biometrics Biometrics are used in computer security through fingerprint, retinal, and facial recognition, among others. Recent studies have shown that some of these methods are easily spoofed.

■ Completely Automated Public Turning Test to Tell Computers and Humans Apart (CAPTCHA) You may have run into this type of authentication without knowing its name. It's used to tell humans apart from machines by preventing automated responses. It falls into the category of challenge-response authentication. Typically, a word or set of numbers and letters are presented that are obscured or modified in some manner to prevent computers from responding to a prompt. Figure 10.2 shows an example of a CAPTCHA.

Figure 10.2 Sample of CAPTCHA Used to Prevent Automated Responses

Figure 10.2 Sample of CAPTCHA Used to Prevent Automated Responses

Authentication can be accomplished in a number of ways.This section is not meant to teach you about authentication as much as it is meant to get you thinking about the kinds of authentication you may have or may want to research as you begin developing your IT security project plan. We discuss cryptography in a later chapter, with an eye toward developing individual security area project plans.

Business Intelligence...

CAPTCHA

You may not need to know about CAPTCHA to develop your authentication and authorization assessments, audits, and recommendations, but it's a very interesting concept that's worth knowing about. This is one of those areas that you'll learn about sooner or later if you have your staff actively looking for innovations in the security world. Developed by the brilliant folks at the School of Computer Science at Carnegie Mellon University, the CAPTCHA can be used in a variety of applications, among them thwarting automated responses. There are several iterations of this method. The most basic is called "Gimpy," which distorts text so that

Continued human eyes can still recognize and read the text, but computers cannot use automated programs to discern the letters in the text image. "Bongo" is a system where the user is shown visual images and asked to determine where a third image should be placed. "Pix" relies on a large database of labeled images. The database then pulls four (or some number) of related images together and asks the user to identify the unifying element (e.g., it might show a picture of a lake, an ocean, a sailboat, and a glass of water). The unifying element can be selected from a long list that includes the word "water." CAPTCHA uses a sound file to say or spell a word, and then the listener must type in the word he or she heard.

CAPTCHA's are good for a lot of things, but keep in mind that they're not friendly to those who have sight or hearing problems (e.g., visually impaired people often use screen readers to determine what's on their computer screen. Clearly, visually based CAPTCHA's can be problematic, because aurally based CAPTCHA's would exclude people who are hearing impaired. While this may be a small portion of your population, it is something to consider before implementing this type of system. For more information on CAPTCHA, go to www.captcha.net.

Project Management Made Easy

Project Management Made Easy

What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.

Get My Free Ebook


Post a comment