AUTHENTICATION:
Authentication is the
process which allows a sender and receiver of information to validate each
other. If the sender and receiver of information cannot properly authenticate
each other, there is no trust in the activities or information provided by
either party. Authentication can involve highly complex and secure
methods or can be very simple. The simplest form of authentication is the
transmission of a shared password between entities wishing to authenticate each
other. Today’s authentication methods uses some of the below factors.
1) What you know
An example of this type of
Authentication is a "Password". The simple logic here is that if you
know the secret password for an account, then you must be the owner of that
account. The problems associated with this type of Authentication is that the
password can be stolen, someone might read it if you wrote it somewhere. If
anyone came to know your password, he might tell someone else. If you have a
simple dictionary password, it is easy to crack it by using password cracking
software.
2) What you have
Examples of this type of Authentication are smart cards, tokens etc. The
logic here is if you have the smart card with you, you must be the owner of the
account. The problems associated with this type of authentication are you might
lose the smart card, it can be stolen, or someone can duplicate the smart card
etc.
3) What you are
Examples of this type of
authentication are your fingerprint, handprint, retina pattern, voice,
keystroke pattern etc. Problems associated with this type of authentication are
that there is a chance of false positives and false negatives. Chances are
there that a valid user is rejected and an invalid user is accepted. Often
people are not comfortable with this type of authentication.
Network Authentication are
usually based on Authentication protocols, Digital Certificates, Username/Password,
smart card etc. Some of the most important authentication protocols which are
used today are Kerberos, Challenge Handshake Authentication Protocol (CHAP),
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) etc. We
will learn about these protocols in coming lessons.
KERBEROS AUTHENTICATION
Kerberos was originally
developed by Massachusetts Institute of Technology (MIT) Project Athena. It was
published as a suite of free software by Massachusetts Institute of Technology
(MIT) that implements this protocol. The name "Kerberos" is taken
from the three-headed dog of Greek mythology, Kerberos is designed to work
across the Internet, an inherently insecure environment.
The Kerberos protocol is a
secure protocol, and it provides mutual authentication between a client and a
server. In Kerberos protocol, the client authenticates against the server and
also the server authenticates itself against the client. With mutual
authentication, each computer or a user and computer can verify the identity of
each other. Kerberos is extremely efficient for authenticating clients in large
enterprise network environments. Kerberos uses secret key encryption for
authentication traffic from the client.
The same secret key is also used by the Kerberos protocol on the server to decrypt
the authentication traffic.
Kerberos protocol is built
on top of a trusted third party, called as Key Distribution Center (KDC). Key
Distribution Center (KDC) acts as both an Authentication Server and
as a Ticket Granting Server. When a client needs to access a resource on the
server, the user credentials (password, Smart Card, biometrics) are presented
to the Key Distribution Center (KDC) for authentication. If the user
credentials are successfully verified in the Key Distribution Center (KDC), Key
Distribution Center (KDC) issues a Ticket Granting Ticket (TGT) to the client.
The Ticket Granting Ticket (TGT) is cached in the local machine for future use.
The Ticket Granting Ticket (TGT) expires when the user disconnects or log off
the network, or after it expires. The default expiry time is one day (86400
seconds).
CHAP AUTHENTICATION
Challenge Handshake
Authentication Protocol (CHAP) is a remote access authentication protocol used
in conjunction with Point to Point Protocol (PPP) to provide security and
authentication to users of remote resources. CHAP is described in RFC 1994,
which can be viewed from http://www.rfc-editor.org/. Challenge Handshake
Authentication Protocol (CHAP) uses a challenge method for authentication.
Challenge Handshake Authentication Protocol (CHAP) doesn’t use a user
ID/password mechanism. In Challenge Handshake Authentication Protocol (CHAP),
the initiator sends a logon request to the server. The server sends a challenge
back to the client. The challenge is encrypted and then sent back to the server.
The server compares the value from the client and, if the information matches,
grants the session. If the response fails, the session is denied, and the
request phase starts over.
Challenge Handshake
Authentication Protocol (CHAP) periodically verify the identity of the peer
using a three-way handshake. The verification the identity of the peer is done
initially, and may be repeated any time after the link has been established.
BIO-METRIC
AUTHENTICATION
Each person has a set of
unique characteristics that can be used for authentication. Biometrics uses
these unique characteristics for authentication. Today’s Biometric systems
examine retina patterns, iris patterns, fingerprints, handprints, voice
patterns, keystroke patterns etc for authentication. But most of the biometric
devices which are available on the market, only retina pattern, iris patterns,
fingerprint and handprint systems are properly classified as biometric systems.
Others are more classified as behavioral systems.
Biometric identification
systems normally work by obtaining unique characteristics from you, like a
handprint, a retina pattern etc. The biometric system then compares that to the
specimen data stored in the system.
Biometrics authentication
is much better when compared with other types of authentication methods. But
the users are reluctant in using biometric authentication. For example, many
users feel that retina scanner biometric authentication system may cause loss
of their vision. False positives and false negatives are a serious problem with
Biometric authentication.
RETINA PATTERN BIO-METRIC SYSTEMS
Everybody has a unique
retinal vascular pattern. Retina Pattern Biometric system uses an infrared beam
to scan your retina. Retina pattern biometric systems examine the unique
characteristics of user’s retina and compare that information with stored
pattern to determine whether user should be allowed access. Some other bio metric systems also perform iris and pupil measurements. Retina Pattern Bio-metric Systems are highly reliable. Users are often worried in using retina
scanners because they fear that retina scanners will blind or injure their
eyes.
IRIS SCANS BIO-METRIC SYSTEMS
Iris scan verify the
identity by scanning the colored part of the front of the eye. Iris scan is is
much easier and very accurate.
FINGERPRINTS BIO-METRIC SYSTEMS
Fingerprints are used in
forensic and identification for long time. Fingerprints of each individual are
unique. Fingerprint Biometric Systems examine the unique characteristics of
your fingerprints and use that information to determine whether or not you
should be allowed access.
The theoretical working of
the fingerprint scanner is as described below. The user’s finger is placed on
the scanner surface. Light flashes inside the machine, and the reflection is
captured by a scanner, and it is used for analysis and then verified against
the original specimen stored in the system. The user is allowed or denied based
on the result of this verification.
HAND-PRINTS BIO-METRIC SYSTEMS
As in the case of finger
print, everybody has unique hand-prints. A handprint Biometric Systems scans
hand and finger sand the data is compared with the specimen stored for you in
the system. The user is allowed or denied based on the result of this
verification
VOICE PATTERNS BIOMETRIC SYSTEMS
Voice Patterns Biometric
Systems can also be used for user authentication. Voice Patterns Biometric
Systems examine the unique characteristics of user’s voice.
KEYSTROKES BIOMETRIC SYSTEMS
Keystroke Biometric
Systems examine the unique characteristics of user’s keystrokes and use that
information to determine whether the user should be allowed access.
TOKEN AUTHENTICATION
Token technology is
another method that can be used to authenticate users. Tokens are physical
devices used for the randomization of a code that can be used to assure the
identity of the user. Tokens provide an extremely high level of
authentication.
There are different types
of tokens. A particular type token is a small device with a keypad to key in
values. The server issues a challenge with a number when the user try to login.
The user keys this number into the token card, and the card displays a
response.
The user inputs this response and sends it to the server, which calculates the
same result it expects to see from the token. If the numbers match, the user is
authenticated.
Another type of token is
based on time. This type of token display numbers at different intervals of
time. The user who needs the authentication should key in this time based
values also at the time of authentication. If the value from the token matches
a value the server has calculated, the account is authenticated, the user is
allowed access.
MULTI
FACTOR AUTHENTICATION
|
|
In multi-factor authentication, we expand on the traditional
requirements that exist in a single factor authentication. To accomplish
this, multi-factor authentication will use another factor for authentication
in addition to the traditional password authentication.
For example, most password-based single authentication methods
use a password. In multi-factor authentication methods, we can tighten the authentication
by adding a finger print biometric scanner system also.
Multi-factor authentication is more secure single factor
authentication, because it adds steps that increase the layers of security.
|
