Bài giảng Authentication

AuthenticationObjectivesDefine authenticationAuthentication credentialsAuthentication modelsAuthentication serversExtended authentication protocolsVirtual Private Network (VPN)Password-Guessing Attacks SurgeSlow guessing and botnets conceal the attacksCountermeasuresStrong password policy, restricting access to server by source IP, two-factor authenticationDefinition of AuthenticationAuthentication can be defined in two contextsThe first is viewing authentication as it relates to access controlThe second is to look at it as one of the three key elements of security:AuthenticationAuthorizationAccountingAuthentication & Access Control TerminologyAccess control is the process by which resources or services are granted or deniedIdentificationThe presentation of credentials or identificationAuthenticationThe verification of the credentials to ensure that they are genuine and not fabricatedAuthorizationGranting permission for admittanceAccess is the right to use specific resourcesAuthentication, Authorization, and AccountingShort term: AAAAuthentication in AAA provides a way of identifying a userTypically with a passwordAuthorization determines whether the user has the authority to carry out certain tasksThe process of enforcing policiesAccounting measures the resources a user “consumes” during each network sessionUses of Accounting DATATo find evidence of problemsFor billingFor planningAAA serversServers dedicated to performing AAA functionsCan provide significant advantages in a networkObjectivesDefine authenticationAuthentication credentialsAuthentication modelsAuthentication serversExtended authentication protocolsVirtual Private Network (VPN)Authentication CredentialsCredentials are something you have, something you are, or something you knowTypes of authentication credentialsPasswordsOne-time passwordsStandard biometricsBehavioral biometricsCognitive biometricsOne-Time PasswordsStandard passwords are typically static in natureOne-time passwords (OTP)Dynamic passwords that change frequentlySystems using OTPs generate a unique password on demand that is not reusableThe most common type is a time-synchronized OTPUsed in conjunction with a tokenThe token and a corresponding authentication server share the same algorithmEach algorithm is different for each user’s tokenOne-Time PasswordsOne-Time PasswordsChallenge-Based OTPsAuthentication server displays a challenge (a random number) to the userUser then enters the challenge number into the token Which then executes a special algorithm to generate a passwordBecause the authentication server has this same algorithm, it can also generate the password and compare it against that entered by the userStandard BiometricsUses a person’s unique characteristics for authentication (what he is)Examples: fingerprints, faces, hands, irises, retinasTypes of fingerprint scannersStatic fingerprint scannerDynamic fingerprint scanner (more secure)DisadvantagesCostsReaders are not always foolproofHow can you change your password if it's your fingerprint?Dynamic Fingerprint ScannerBehavioral BiometricsAuthenticates by normal actions that the user performsKeystroke dynamicsAttempt to recognize a user’s unique typing rhythmKeystroke dynamics uses two unique typing variablesDwell timeFlight timeKeystroke DynamicsKeystroke DynamicsBehavioral BiometricsVoice recognitionUses unique characteristics of a person’s voicePhonetic cadenceSpeaking two words together in a way that one word “bleeds” into the next wordBecomes part of each user’s speech patternComputer footprintWhen and from where a user normally accesses a systemComputer Footprinting in Online BankingA simple form of two-factor authenticationRequired by the US nowCognitive BiometricsRelated to the perception, thought process, and understanding of the userEasier for the user to remember because it is based on the user’s life experiencesOne example of cognitive biometrics is based on a life experience that the user remembersAnother example of cognitive biometrics requires the user to identify specific facesCognitive BiometricsObjectivesDefine authenticationAuthentication credentialsAuthentication modelsAuthentication serversExtended authentication protocolsVirtual Private Network (VPN)Single and multi-factor authenticationOne-factor authenticationUsing only one authentication credential, such as a passwordTwo-factor authenticationEnhances security, particularly if different types of authentication methods are used (password and token)Three-factor authenticationRequires that a user present three different types of authentication credentialsSingle sign-onIdentity managementUsing a single authenticated ID to be shared across multiple networksFederated identity management (FIM)When those networks are owned by different organizationsOne application of FIM is called single sign-on (SSO)Using one authentication to access multiple accounts or applicationsWindows Live IDOriginally introduced in 1999 as .NET PassportWhen the user wants to log into a Web site that supports Windows Live IDThe user will first be redirected to the nearest authentication serverOnce authenticated, the user is given an encrypted time-limited “global” cookieNever became widely usedWindows CardSpaceNew Windows featureUsers control digital identities with digital ID cardsTypes of cardsManaged cardsPersonal cardsOpenIDA decentralized open source FIMDoes not require specific software to be installed on the desktopAn OpenID identity is only a URL backed up by a username and passwordOpenID provides a means to prove that the user owns that specific URLNot very secure--dependent on DNSObjectivesDefine authenticationAuthentication credentialsAuthentication modelsAuthentication serversExtended authentication protocolsVirtual Private Network (VPN)Authentication ServersAuthentication can be provided on a network by a dedicated AAA or authentication serverThe most common type of authentication and AAA servers areRADIUSKerberosTACACS+Generic servers built on the Lightweight Directory Access Protocol (LDAP)RADIUSRADIUS: Remote Authentication Dial in User ServiceDeveloped in 1992The industry standard with widespread supportSuitable for what are called “high-volume service control applications”With the development of IEEE 802.1x port security for both wired and wireless LANsRADIUS has recently seen even greater usageRADIUSA RADIUS client is typically a device such as a dial-up server or wireless access point (AP)Responsible for sending user credentials and connection parameters in the form of a RADIUS message to a RADIUS serverThe RADIUS server authenticates and authorizes the RADIUS client requestSends back a RADIUS message responseRADIUS clients also send RADIUS accounting messages to RADIUS serversRADIUSKerberosAn authentication system developed by the Massachusetts Institute of Technology (MIT)Used to verify the identity of networked usersKerberos authentication server issues a ticket to the userThe user presents this ticket to the network for a serviceThe service then examines the ticket to verify the identity of the userTACACS+Terminal Access Control Access Control System (TACACS+)Developed by Cisco to replace RADIUSMore secure and reliable than RADIUSThe centralized server can either be a TACACS+ databaseOr a database such as a Linux or UNIX password file with TACACS protocol supportLightweight Directory Access Protocol (LDAP)Directory serviceA database stored on the network itself that contains information about users and network devicesCan be used with RADIUSX.500A standard for directory servicesCreated by ISOWhite-pages serviceCapability to look up information by nameYellow-pages serviceBrowse and search for information by categoryLightweight Directory Access Protocol (LDAP)The information is held in a directory information base (DIB)Entries in the DIB are arranged in a tree structure called the directory information tree (DIT)Directory Access Protocol (DAP)Protocol for a client application to access an X.500 directoryDAP is too large to run on a personal computerLightweight Directory Access Protocol (LDAP)Lightweight Directory Access Protocol (LDAP)Sometimes called X.500 LiteA simpler subset of DAPPrimary differencesLDAP was designed to run over TCP/IPLDAP has simpler functionsLDAP encodes its protocol elements in a less complex way than X.500LDAP is an open protocolObjectivesDefine authenticationAuthentication credentialsAuthentication modelsAuthentication serversExtended authentication protocolsVirtual Private Network (VPN)Extended Authentication Protocols (EAP)In IEEE 802.1x, EAP is the "envelope" that carries data used for authenticationThree EAP protocol categories:Authentication legacy protocolsEAP weak protocolsEAP strong protocolsExtended Authentication Protocols (EAP)Authentication Legacy ProtocolsNo longer extensively used for authenticationPassword Authentication Protocol (PAP)Sends passwords in the clearChallenge-Handshake Authentication Protocol (CHAP)Safer than PAP, but vulnerableMicrosoft Challenge-Handshake Authentication Protocol (MS-CHAP)EAP Weak ProtocolsStill used but have security vulnerabilitiesExtended Authentication Protocol–MD5 (EAP-MD5)Vulnerable to offline dictionary attacksLightweight EAP (LEAP)Also vulnerable to offline dictionary attacksCan be cracked faster than WEPEAP Strong ProtocolsEAP with Transport Layer Security (EAP-TLS)Uses certificates for both client and serverUsed in large Windows networksEAP with Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP)No client-side certificateEasier to implement than EAP-TLSObjectivesDefine authenticationAuthentication credentialsAuthentication modelsAuthentication serversExtended authentication protocolsVirtual Private Network (VPN)Remote Authentication and SecurityImportant to maintain strong security for remote communicationsTransmissions are routed through networks or devices that the organization does not manage and secureManaging remote authentication and security usually includes:Using remote access servicesInstalling a virtual private networkMaintaining a consistent remote access policyRemote Access Services (RAS)Any combination of hardware and software that enables access to remote users to a local internal networkProvides remote users with the same access and functionality as local usersVirtual Private Networks (VPNs)One of the most common types of RASUses an unsecured public network, such as the Internet, as if it were a secure private networkEncrypts all data that is transmitted between the remote device and the networkCommon types of VPNsRemote-access VPN or virtual private dial-up network (VPDN)Site-to-site VPNVirtual Private Networks (VPNs)Virtual Private Networks (VPNs)VPN transmissions are achieved through communicating with endpointsEndpointEnd of the tunnel between VPN devicesVPN concentratorAggregates hundreds or thousands of multiple connectionsDepending upon the type of endpoint that is being used, client software may be required on the devices that are connecting to the VPNVirtual Private Networks (VPNs)VPNs can be software-based or hardware-basedSoftware-based VPNs offer the most flexibility in how network traffic is managedHardware-based VPNs generally tunnel all traffic they handle regardless of the protocolGenerally, software based VPNs do not have as good performance or security as a hardware-based VPNVPN AdvantagesCost savings (no long-distance phone call)Scalability (easy to add more users)Full protection (all traffic is encrypted)Speed (faster than direct dial-up)Transparency (invisible to the user)Authentication (only authorized users can connect)Industry standardsVPN Disadvantages ManagementAvailability and performanceInteroperabilityAdditional protocolsPerformance impactExpenseRemote Access PoliciesEstablishing strong remote access policies is importantSome recommendations for remote access policies:Remote access policies should be consistent for all usersRemote access should be the responsibility of the IT departmentForm a working group and create a standard that all departments will agree to