Title: Authentication
1. Authentication
2. User Authentication - Defined
- The rapid spread of e-Business has made securing transactions a necessity. Authentication is a fundamental security function: during authentication, credentials presented by an individual are validated and associated with the person's identity. This binding between credentials and identity is typically established for the purpose of granting (or denying) authorization to perform some restricted operation, such as accessing secured files or executing sensitive transactions
- User authentication is commonly defined as the process of verifying the identity an individual claims, usually by checking a username against a password
- In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be; it says nothing about the access rights of the individual
3. Strong User Authentication - Defined
- When a traditional business becomes an e-Business, the access paths to corporate data multiply, and the need for an overall security methodology increases greatly. A key part of this methodology is authentication. Old authentication methods such as passwords no longer suffice, because of their inherent weaknesses and the growing sophistication of the tools and people attempting unauthorized access. Today, strong user authentication (using at least two independent methods of identifying an individual) is critical to maintaining control over access to data
- Essentially, strong authentication controls access and supports non-repudiation, the conclusive tracing of an action to an individual. Two factors raise confidence in who performed an action; non-repudiation in the strict sense additionally requires that the action be bound to the individual by a digital signature made with a key only that individual controls
4. Existing User Authentication Techniques
The broad categories of user authentication, their methods and properties are shown in the following table
5. Single Factor Authentication - Defined
- Single factor authentication has traditionally been established by one of these elements:
- Something you have, including keys or token cards
- Something you know, including passwords
- Something you are, including fingerprints, voiceprints, or retinal and iris scans
6. Single Factor Authentication - Products
- Passwords are the most basic and most common method of single factor authentication
- Other, stronger protocols and technologies that build on a single factor (usually a password or a key) include:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Secure Sockets Layer (SSL)
- Digital Signatures
- Kerberos
- Firewall
- Virtual Private Networks (VPNs)
7. Single Factor Authentication Products Defined
- Password Authentication Protocol: the most basic access control protocol for logging onto a network. A table of usernames and passwords is stored on a server; when users log on, their usernames and passwords are sent to the server, in the clear, for verification. Anyone who can observe the link can capture the password and reuse it
- Challenge Handshake Authentication Protocol: unlike PAP, CHAP never sends the password itself. The server sends a randomly generated challenge and requires a matching response that depends on a cryptographic hash of the challenge and the shared secret, so an eavesdropper sees only a one-time response that is useless against the next challenge
- Secure Sockets Layer: the leading security protocol on the Internet. When an SSL session is initiated, the server presents its certificate, which carries its public key; the browser uses that public key to send the server a secret from which both sides derive the session keys. The browser and server then exchange data under symmetric encryption for the rest of the session. SSL authenticates the server to the browser; the user is normally authenticated over the encrypted channel by another method (typically a password) unless client certificates are used. Originally developed by Netscape, SSL was subsequently standardized, with changes, by the Internet Engineering Task Force (IETF) as Transport Layer Security (TLS)
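The PAP and CHAP exchanges described above, as an added example in Go that is not part of the original presentation. It plays both sides of a CHAP login using the response construction of RFC 1994 (MD5 over the one-octet Identifier, the shared secret and the challenge) next to a PAP check against the same table, with a constructed one-user secret table; the `server`, `chapResponse` and `papVerify` names are this example's own. MD5 is used because that is what the CHAP specification defines, not as a recommendation.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse builds the CHAP Response value of RFC 1994 section 4.1:
// MD5 over the one-octet Identifier, the shared secret and the challenge.
// Only this digest crosses the wire; the secret itself never does.
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// server is the authenticator holding the "table of usernames and passwords"
// of the PAP slide. CHAP needs the secret in recoverable form to recompute
// the response, so it cannot be stored as a one-way hash the way a
// password-only table can.
type server struct {
	secrets map[string][]byte
}

// newChallenge issues a fresh random Identifier and 16-byte challenge. A
// challenge must never be reused: a captured response would then replay.
func (s *server) newChallenge() (id byte, challenge []byte, err error) {
	buf := make([]byte, 17)
	if _, err = rand.Read(buf); err != nil {
		return 0, nil, err
	}
	return buf[0], buf[1:], nil
}

// verify recomputes the expected response for the user and compares it in
// constant time so timing does not reveal how many bytes matched.
func (s *server) verify(user string, id byte, challenge, response []byte) bool {
	secret, ok := s.secrets[user]
	if !ok {
		return false
	}
	expected := chapResponse(id, secret, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// papVerify is the PAP equivalent for contrast: the password itself is the
// value on the wire, so anyone who saw it can reuse it.
func (s *server) papVerify(user string, password []byte) bool {
	secret, ok := s.secrets[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(secret, password) == 1
}

func main() {
	// Constructed sample data: one enrolled user.
	secret := []byte("correct horse battery staple")
	srv := &server{secrets: map[string][]byte{"alice": secret}}

	// Peer side: receive the challenge, answer it with the shared secret.
	id, ch, err := srv.newChallenge()
	if err != nil {
		panic(err)
	}
	resp := chapResponse(id, secret, ch)
	fmt.Println("fresh CHAP response accepted:", srv.verify("alice", id, ch, resp))

	// An eavesdropper replays the captured response against a new challenge.
	id2, ch2, _ := srv.newChallenge()
	fmt.Println("replayed CHAP response accepted:", srv.verify("alice", id2, ch2, resp))

	// With PAP the captured value is the password, and the replay succeeds.
	fmt.Println("replayed PAP password accepted:", srv.papVerify("alice", secret))
}
```

The replay case is the whole point of the challenge: the response is bound to a value the server chose, so it is worthless once the server moves on. The price, visible in the `server` type, is that the authenticator must keep the secret itself rather than a hash of it.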
8. Single Factor Authentication Products Defined
- Digital Signatures: an electronic signature that cannot be forged without the signer's private key. The sender computes a digest (hash) of the text, signs the digest with its private key and sends the signature with the message. The recipient verifies the signature with the sender's public key and recomputes the digest from the received text. If the digests match, the message is authenticated as the sender's and proved intact in transit
- Kerberos: an MIT-developed user authentication system. While it does not provide authorization to services or databases, Kerberos does establish identity at logon and issues tickets that are used to prove that identity to services throughout the session
- Firewall: a security barrier set up between a company's internal systems and externally facing systems that filters out unwanted data packets. It can be implemented in a single router, or it may use a combination of technologies in routers and hosts. A firewall controls which traffic may reach a system; it does not by itself verify who the user is
- Virtual Private Networks: VPNs use encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines, but do require that the same encryption system be at both ends. Encryption may be performed by firewall software or by routers. The tunnel protects data in transit; the user must still be authenticated to the VPN gateway by one of the methods above
9. Single Factor Authentication Drawbacks
- Individually, any one of these approaches has its limitations. "Something you have" can be stolen, while "Something you know" can be guessed, shared, or captured by other means. "Something you are" is generally the strongest approach, but can be costly to implement and remains vulnerable to attack; unlike a password, a biometric that has been copied cannot be replaced
10. Two Factor Authentication - Defined
- Given the limitations of single-factor authentication, the logical alternative is two-factor authentication, in which two of the methods are applied in tandem. A familiar example is the system used to authenticate automated teller machine (ATM) users, which combines a magnetic-stripe card (what you have) with a multi-digit PIN (what you know)
- Any one type of authentication may authorize access, but using two types moves toward the control concept of non-repudiation: not only can you prove your identity and gain access to a resource, but it becomes much harder to deny having accessed the resource at a later time. We define "strong user authentication" as the two-factor method described above
11. Need for Strong Authentication
- There are three essential reasons why an organization may decide to use strong authentication:
- The cost associated with unauthorized disclosure or loss of data is usually the most compelling reason to use strong authentication. Strong authentication should be used for high-risk data, while it may not pay to use it for low-risk data
- A corporation could be held liable for an attack by a hacker. The loss of money and public confidence in this scenario would be great. Use of strong authentication techniques greatly reduces this risk
- The authentication tool should be capable of evolving as technology and threats change. Therefore, when investing in a strong authentication tool it is essential to acquire one that can change as technology advances
12. Strong Authentication: Smart Cards
- Smart cards are one way to provide strong authentication of users. The card itself is the item the user must possess. The second factor may be a PIN, a password, or even a thumbprint; various existing systems have used all of these
- Authentication becomes even more rigorous by requiring a functional correlation between the two factors. The contents of the smart card cannot be accessed unless the value of the second factor is read by the smart card from the reading device. Specifically, when a user presents a smart card to a reading device such as a computer, the computer reads the PIN (or other second factor) and writes it to the smart card. Only if the PIN matches will the smart card allow the other information it contains to be accessed by the computer. Cards also count failed PIN attempts and lock after a small number of them, which is what defeats guessing
- The most important information passed by the smart card to the computer is, of course, the identity of the user. An identity merely read off the card could be copied, so in practice the card proves possession of a private key that never leaves it: the computer sends a fresh challenge, the card signs it, and the computer verifies the signature against the user's public key. When that verification succeeds, the authentication is complete
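The smart-card flow on this slide together with the digital-signature definition on slide 8, as an added example in Go that is not part of the original presentation. It simulates the card and the host computer as two types: the card refuses to use its key until the PIN has been verified and locks after repeated failures, the host issues a fresh challenge and verifies the card's signature over it. The PIN retry limit of three, the 2048-bit RSA key, and the names `smartCard`, `host`, `issueCard` and `newHost` are this example's assumptions; the hash-then-sign step uses RSA PKCS#1 v1.5 over SHA-256 from Go's standard library, standing in for whatever algorithm a real card implements.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// smartCard simulates the card: the holder's name, the PIN (something you
// know) and a private key that never leaves the card (something you have).
type smartCard struct {
	holder   string
	pin      []byte
	retries  int // PIN attempts left before the card locks itself
	unlocked bool
	key      *rsa.PrivateKey
}

// issueCard generates the card's key pair at enrollment (2048-bit RSA is
// this example's choice).
func issueCard(holder, pin string) (*smartCard, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &smartCard{holder: holder, pin: []byte(pin), retries: 3, key: key}, nil
}

// verifyPIN is the VERIFY step: the reader writes the PIN to the card and the
// card compares it internally, counting failures so it cannot be guessed.
func (c *smartCard) verifyPIN(pin []byte) error {
	if c.retries <= 0 {
		return errors.New("card is locked")
	}
	if subtle.ConstantTimeCompare(c.pin, pin) != 1 {
		c.retries--
		return fmt.Errorf("wrong PIN, %d attempts left", c.retries)
	}
	c.unlocked, c.retries = true, 3
	return nil
}

// signChallenge is the digital-signature step: hash the host's challenge and
// sign the digest with the on-card key. Refused until the PIN was verified.
func (c *smartCard) signChallenge(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("PIN not verified, key unavailable")
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
}

// host is the computer the card is presented to. It holds each registered
// holder's public key (in a deployment, taken from the holder's certificate).
type host struct{ trusted map[string]*rsa.PublicKey }

func newHost(cards ...*smartCard) *host {
	h := &host{trusted: map[string]*rsa.PublicKey{}}
	for _, c := range cards {
		h.trusted[c.holder] = &c.key.PublicKey
	}
	return h
}

// challenge returns a fresh nonce so an old signature cannot be replayed.
func (h *host) challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// authenticate recomputes the digest of the challenge it issued and checks the
// signature with the key on file: identity is proven, not read off the card.
func (h *host) authenticate(holder string, challenge, signature []byte) bool {
	pub, ok := h.trusted[holder]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	card, _ := issueCard("alice", "1234") // constructed sample card
	h := newHost(card)
	ch, _ := h.challenge()
	_, err := card.signChallenge(ch)
	fmt.Println("signing before PIN:", err)
	fmt.Println("wrong PIN:", card.verifyPIN([]byte("0000")))
	fmt.Println("right PIN:", card.verifyPIN([]byte("1234")))
	sig, _ := card.signChallenge(ch)
	fmt.Println("login accepted:", h.authenticate("alice", ch, sig))
	ch2, _ := h.challenge() // a captured signature does not answer a new challenge
	fmt.Println("replayed signature accepted:", h.authenticate("alice", ch2, sig))
}
```

The two factors are tied together in `signChallenge`: the key (what you have) is unusable without the PIN (what you know), and the host never sees either, only a signature over a nonce it chose itself.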
13. Strong Authentication: Digital Certificates
- One of the core enabling security technologies is public key infrastructure (PKI). PKI is based on certificates issued to individuals through a registration process that binds a public key to a verified identity. The infrastructure (certificate authorities, directories and revocation lists) vouches for that binding, lets relying parties validate it, and tells them when it has been revoked
- One of the biggest obstacles to e-commerce expansion is how to prove the identity of an individual over networks and electronic services. Electronic service providers and financial institutions are embracing strong authentication and PKI technology as a key enabler
- Certificates allow individual users, workstations and servers to identify themselves to each other through digital signatures: on e-mail messages, on software and source files, and in secure Web communications between browsers and Web sites. This key enabling technology allows for strong authentication when the private key is held on a token such as a PIN-protected smart card rather than in a file on disk
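The registration and validation described above, as an added example in Go that is not part of the original presentation. It plays the three roles in a PKI with Go's crypto/x509: a certificate authority that enrolls a user, the user who keeps the private key, and a relying party that validates the presented certificate against its trust store. The CA names, serial numbers, the 24-hour validity period and the function names `newCA`, `enroll`, `trustStore` and `validate` are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer under parent (self-signed when parent is nil)
// and parses the result. Validity runs from an hour ago (clock skew) to 24h
// from now; both are this example's choice.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed root: the anchor a relying party installs once.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, &key.PublicKey, key)
	return cert, key, err
}

// enroll is the registration step: once the applicant's identity has been
// checked (out of band, not modelled here) the CA binds the user's name to the
// user's public key. The matching private key never leaves the user.
func enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// trustStore is the relying party's set of trusted roots.
func trustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// validate is what a server does with a presented certificate: chain it to a
// trusted root, check the validity period at time now and check that it was
// issued for client authentication. Only then is the name inside it believed.
func validate(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA("Example Corp CA") // constructed sample CA
	if err != nil {
		panic(err)
	}
	roots := trustStore(ca)
	alice, _, _ := enroll(ca, caKey, "alice", 2)
	fmt.Println(validate(alice, roots, time.Now()))
	// A certificate from a CA the server does not trust proves nothing,
	// however plausible the name inside it.
	rogue, rogueKey, _ := newCA("Rogue CA")
	forged, _, _ := enroll(rogue, rogueKey, "alice", 3)
	fmt.Println(validate(forged, roots, time.Now()))
	// The genuine certificate, checked two days later, has expired.
	fmt.Println(validate(alice, roots, time.Now().Add(48*time.Hour)))
}
```

Validation establishes that a trusted CA vouched for the name; it does not by itself show that the party presenting the certificate holds the private key. That is why certificate-based logins also make the user sign a fresh challenge, as in the smart-card flow on the previous slide, and why a certificate that validates today must also be checked against the CA's revocation information.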
14. Strong Authentication: Biometrics
- Automated biometrics in general, and fingerprint technology in particular, can provide a much more accurate and reliable user authentication method than passwords
- Biometrics is a rapidly advancing field concerned with identifying a person based on his or her physiological or behavioral characteristics. Examples of automated biometrics include fingerprint, face, iris scan, and speech recognition (voice print)
- As a biometric property is an intrinsic property of an individual, it is difficult to duplicate and nearly impossible to share
- Finally, a biometric property of an individual can be lost only in case of serious accident. The flip side is that it cannot be reissued: if a stored template or a captured sample is compromised, the factor cannot be changed the way a password can
15. Authentication Selection Process
- In selecting a method of authentication an organization has to bear in mind the following aspects:
- the desired level of security (of importance in case of a dispute; based on the value of the data to be protected)
- the complexity of the techniques used (necessary computer power, speed, maturity of technology, scalability of technology)
- the practicality of the methods used (cumbersome updates, key distribution)
- the assumptions underlying the solution
- failure rates (for biometrics, the false accept and false reject rates)
16. User Authentication - Summary
- The security of e-Business depends upon the ability both to prevent malicious attacks and to track unintentional or unauthorized acts
- Many e-Business leaders assume that their systems are secure because they are using a security product such as a firewall within their infrastructure. This is a false sense of security
- Information security is only as strong as its weakest link. Implementing simple security, or no authentication, may provide hackers a weak "backdoor" through which to compromise network defenses
- User authentication, especially strong user authentication, in combination with the other technologies, can help create user accountability, confidentiality and a reliable audit trail, and help ensure the security of e-Business
17. eds.com
Contact information for Global Information Assurance Services: Katherine Hollis, 703-736-4156