INFORMATION SECURITY AND AUTHENTICATION
Security can be defined as a state of freedom
from danger, risk or attack. Information security can be defined as the task
of guarding information while it is processed by a server, stored on a storage
device, or transmitted over a network such as a Local Area Network or the public
Internet. Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption, modification or
destruction.
INTRODUCTION TO AAA
AAA stands for Authentication, Authorization
and Accounting. AAA is a set of primary concepts that aid in understanding
computer and network security as well as access control. These concepts are
used daily to protect property, data, and systems from intentional or even
unintentional damage. AAA is used to support the Confidentiality, Integrity,
and Availability (CIA) security concept.
Confidentiality: The term confidentiality means that data which is confidential should remain confidential. In other words, confidentiality means that secrets should stay secret.
Integrity: The term integrity means that the data being worked with is the correct data, and has not been tampered with or altered.
Availability: The term availability means that the data you need should always be available to you.
Authentication provides a way of identifying a
user, typically requiring a user ID/password combination before granting a
session. The authentication process controls access by requiring valid user
credentials. After the authentication process is completed successfully,
a user must be given authorization (permission) for carrying out tasks within
the server. Authorization is the process that determines whether the user has
the authority to carry out a specific task. Authorization controls access to
the resources after the user has been authenticated. The last one is accounting.
Accounting keeps track of the activities the user has performed on the server.
AUTHENTICATION:
Authentication is the
process which allows a sender and receiver of information to validate each
other. If the sender and receiver of information cannot properly authenticate
each other, there is no trust in the activities or information provided by
either party. Authentication can involve highly complex and secure
methods or can be very simple. The simplest form of authentication is the
transmission of a shared password between entities wishing to authenticate each
other. Today's authentication methods use one or more of the factors below.
1) What you know
An example of this type of
authentication is a "password". The simple logic here is that if you
know the secret password for an account, then you must be the owner of that
account. The problems associated with this type of authentication are that the
password can be stolen, or someone might read it if you wrote it down somewhere. If
anyone comes to know your password, he might tell someone else. If you have a
simple dictionary password, it is easy to crack it using password cracking
software.
2) What you have
Examples of this type of authentication are smart cards, tokens etc. The logic here is that if you have the smart card with you, you must be the owner of the account. The problems associated with this type of authentication are that you might lose the smart card, it can be stolen, or someone can duplicate the smart card etc.
3) What you are
Examples of this type of
authentication are your fingerprint, handprint, retina pattern, voice,
keystroke pattern etc. Problems associated with this type of authentication are
that there is a chance of false positives and false negatives: a valid user may
be rejected, and an invalid user may be accepted. Often
people are not comfortable with this type of authentication.
Network authentication is
usually based on authentication protocols, digital certificates, username/password,
smart cards etc. Some of the most important authentication protocols which are
used today are Kerberos, Challenge Handshake Authentication Protocol (CHAP),
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) etc. We
will learn about these protocols in coming lessons.
KERBEROS AUTHENTICATION
Kerberos was originally
developed by Massachusetts Institute of Technology (MIT) Project Athena, and MIT
published a suite of free software that implements the protocol. The name
"Kerberos" is taken from the three-headed dog of Greek mythology. Kerberos is
designed to work across the Internet, an inherently insecure environment.
The Kerberos protocol is a
secure protocol, and it provides mutual authentication between a client and a
server. In the Kerberos protocol, the client authenticates to the server and
the server also authenticates itself to the client. With mutual
authentication, each computer, or a user and a computer, can verify the identity of
the other. Kerberos is extremely efficient for authenticating clients in large
enterprise network environments. Kerberos uses secret key encryption for
authentication traffic from the client.
The same secret key is also used by the Kerberos protocol on the server to decrypt
the authentication traffic.
The Kerberos protocol is built
on top of a trusted third party, called the Key Distribution Center (KDC). The Key
Distribution Center (KDC) acts as both an Authentication Server and
as a Ticket Granting Server. When a client needs to access a resource on the
server, the user credentials (password, smart card, biometrics) are presented
to the Key Distribution Center (KDC) for authentication. If the user
credentials are successfully verified by the Key Distribution Center (KDC), the Key
Distribution Center (KDC) issues a Ticket Granting Ticket (TGT) to the client.
The Ticket Granting Ticket (TGT) is cached on the local machine for future use.
The Ticket Granting Ticket (TGT) is discarded when the user disconnects or logs off
the network, and it also expires when its lifetime elapses. The default expiry time is one day (86400
seconds).
CHAP AUTHENTICATION
Challenge Handshake
Authentication Protocol (CHAP) is a remote access authentication protocol used
in conjunction with the Point-to-Point Protocol (PPP) to provide security and
authentication to users of remote resources. CHAP is described in RFC 1994,
which can be viewed at http://www.rfc-editor.org/. Challenge Handshake
Authentication Protocol (CHAP) uses a challenge method for authentication.
Challenge Handshake Authentication Protocol (CHAP) doesn't use a user
ID/password mechanism. In Challenge Handshake Authentication Protocol (CHAP),
the initiator sends a logon request to the server. The server sends a challenge
back to the client. The client encrypts the challenge and sends the result back to the server.
The server compares the value from the client with its own computation and, if the information matches,
grants the session. If the response fails, the session is denied, and the
request phase starts over.
Challenge Handshake
Authentication Protocol (CHAP) periodically verifies the identity of the peer
using a three-way handshake. The verification of the identity of the peer is done
initially, and may be repeated at any time after the link has been established.
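The three-way handshake above, written out as an added example (not code from the original page): the server issues a random challenge, the peer answers with the RFC 1994 response value, MD5 over the one-octet Identifier, the shared secret and the challenge, and the server recomputes and compares. The class and function names are assumptions for this illustration; the secret is never sent on the wire, and a response captured from one handshake is useless against the next challenge, which is why the periodic re-verification works.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (hypothetical name): holds the shared secret, issues
    challenges and verifies the peer's responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # challenge currently awaiting a response

    def challenge(self, rng=os.urandom):
        # New Identifier and fresh random challenge for every handshake.
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = rng(16)
        return self.identifier, self.outstanding

    def verify(self, identifier: int, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.identifier:
            return False  # no challenge pending, or stale Identifier
        expected = chap_response(identifier, self.secret, self.outstanding)
        self.outstanding = None  # each challenge accepts exactly one response
        return hmac.compare_digest(expected, response)  # constant-time compare


def chap_exchange(server_secret: bytes, peer_secret: bytes) -> bool:
    """One full handshake: challenge -> response -> success/failure."""
    server = ChapAuthenticator(server_secret)
    ident, chal = server.challenge()
    resp = chap_response(ident, peer_secret, chal)  # peer computes with its copy
    return server.verify(ident, resp)


def replay_is_rejected(secret: bytes) -> bool:
    """A response recorded from one handshake fails against the next challenge."""
    server = ChapAuthenticator(secret)
    ident, chal = server.challenge()
    recorded = chap_response(ident, secret, chal)
    first_ok = server.verify(ident, recorded)
    ident2, _ = server.challenge()  # periodic re-verification: new challenge
    return first_ok and not server.verify(ident2, recorded)
```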
BIO-METRIC AUTHENTICATION
Each person has a set of
unique characteristics that can be used for authentication. Biometrics uses
these unique characteristics for authentication. Today's biometric systems
examine retina patterns, iris patterns, fingerprints, handprints, voice
patterns, keystroke patterns etc. for authentication. But of the biometric
devices which are available on the market, only retina pattern, iris pattern,
fingerprint and handprint systems are properly classified as biometric systems.
The others are better classified as behavioral systems.
Biometric identification
systems normally work by obtaining unique characteristics from you, like a
handprint, a retina pattern etc. The biometric system then compares that to the
specimen data stored in the system.
Biometric authentication
is much better when compared with other types of authentication methods. But
users are reluctant to use biometric authentication. For example, many
users feel that a retina scanner biometric authentication system may cause loss
of their vision. False positives and false negatives are a serious problem with
biometric authentication.
RETINA PATTERN BIO-METRIC SYSTEMS
Everybody has a unique
retinal vascular pattern. A retina pattern biometric system uses an infrared beam
to scan your retina. Retina pattern biometric systems examine the unique
characteristics of the user's retina and compare that information with the stored
pattern to determine whether the user should be allowed access. Some other biometric systems also perform iris and pupil measurements. Retina pattern biometric systems are highly reliable. Users are often worried about using retina
scanners because they fear that retina scanners will blind or injure their
eyes.
IRIS SCANS BIO-METRIC SYSTEMS
Iris scans verify the
identity by scanning the colored part of the front of the eye. Iris scanning is
much easier and very accurate.
FINGERPRINTS BIO-METRIC SYSTEMS
Fingerprints have been used in
forensics and identification for a long time. The fingerprints of each individual are
unique. Fingerprint biometric systems examine the unique characteristics of
your fingerprints and use that information to determine whether or not you
should be allowed access.
The theoretical working of
the fingerprint scanner is as described below. The user’s finger is placed on
the scanner surface. Light flashes inside the machine, and the reflection is
captured by a scanner, and it is used for analysis and then verified against
the original specimen stored in the system. The user is allowed or denied based
on the result of this verification.
HAND-PRINTS BIO-METRIC SYSTEMS
As in the case of fingerprints,
everybody has unique handprints. A handprint biometric system scans the
hand and fingers, and the data is compared with the specimen stored for you in
the system. The user is allowed or denied based on the result of this
verification.
VOICE PATTERNS BIOMETRIC SYSTEMS
Voice Patterns Biometric
Systems can also be used for user authentication. Voice Patterns Biometric
Systems examine the unique characteristics of user’s voice.
KEYSTROKES BIOMETRIC SYSTEMS
Keystroke Biometric
Systems examine the unique characteristics of user’s keystrokes and use that
information to determine whether the user should be allowed access.
TOKEN AUTHENTICATION
Token technology is
another method that can be used to authenticate users. Tokens are physical
devices used for the randomization of a code that can be used to assure the
identity of the user. Tokens provide an extremely high level of
authentication.
There are different types
of tokens. One type of token is a small device with a keypad for keying in
values. The server issues a challenge with a number when the user tries to log in.
The user keys this number into the token card, and the card displays a
response.
The user inputs this response and sends it to the server, which calculates the
same result it expects to see from the token. If the numbers match, the user is
authenticated.
Another type of token is
based on time. This type of token displays a new number at fixed intervals of
time. The user who needs to authenticate must key in this time-based
value at the time of authentication. If the value from the token matches
the value the server has calculated, the account is authenticated and the user is
allowed access.
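Both token types described above, as an added example that is not code from the original page: a challenge/response token turns the server's number into a short code, and a time-based token turns the current time window into one, in both cases via an HMAC keyed with a secret that only the token and the server hold (dynamic truncation in the style of RFC 4226/6238; the 60-second step, 6 digits and the function names are assumptions for this illustration). The server check tolerates one window of clock drift, which is the edge case a time-based token needs to handle.

```python
import hashlib
import hmac
import struct


def token_code(secret: bytes, moving_input: bytes, digits: int = 6) -> str:
    """Derive a short numeric code from the token secret and a moving input.
    HMAC-SHA1 plus dynamic truncation (constructed, RFC 4226 style)."""
    mac = hmac.new(secret, moving_input, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # pick 4 bytes inside the MAC
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def challenge_token_response(secret: bytes, challenge: int) -> str:
    """Challenge/response token: the user keys the server's number into the
    token, which displays this response; the server computes the same value."""
    return token_code(secret, struct.pack(">Q", challenge))


def time_token_value(secret: bytes, now: int, step: int = 60) -> str:
    """Time-based token: the displayed number changes every `step` seconds.
    `now` is Unix time; passing it in keeps the function testable offline."""
    return token_code(secret, struct.pack(">Q", now // step))


def server_verify_time_token(secret: bytes, submitted: str, now: int,
                             step: int = 60, skew: int = 1) -> bool:
    """Server side: accept the current window and `skew` neighbours on each
    side, so a token whose clock drifts slightly still works."""
    if len(submitted) != 6 or not submitted.isdigit():
        return False  # reject malformed input before any computation
    for window in range(-skew, skew + 1):
        expected = time_token_value(secret, now + window * step, step)
        if hmac.compare_digest(expected, submitted):   # constant-time
            return True
    return False
```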
MULTI-FACTOR AUTHENTICATION
In multi-factor authentication, we expand on the traditional
requirements that exist in single-factor authentication. To accomplish
this, multi-factor authentication uses another factor for authentication
in addition to the traditional password authentication.
For example, most single-factor authentication methods
use only a password. In multi-factor authentication methods, we can tighten the authentication
by also adding a fingerprint biometric scanner system.
Multi-factor authentication is more secure than single-factor
authentication, because it adds steps that increase the layers of security.