2.4 Authentication and Authorization Design Flashcards
A common data repository that maintains information about network users and resources, maintained as part of an organization's identity security strategy.
• Keep all of an organization's usernames and credentials in a single database
– Also contains computers, printers, and other devices
• Large distributed database
– Constantly replicated
• All authentication requests reference this directory
– Each user only needs one set of credentials
– One username and password for all services
• Access via Kerberos or LDAP
Directory services
An arrangement in which separate organizations agree on a common standard so that a user authenticated by one party (the identity provider) can be trusted and authorized by another (the service provider) without a second set of credentials.
• Provide network access to others
– Not just employees - Partners, suppliers, customers, etc.
– Provides SSO and more
• Third parties can establish a [this] network
– Authenticate and authorize between the two organizations
– Example: log in to a site with your Facebook credentials
• The third parties must establish a trust relationship
– And agree on the degree of that trust (which assertions are accepted, which accounts map to which rights)
Federation
A mechanism for a device to prove to a remote party that its hardware and software are in a known, trustworthy state. The verifier trusts the [this] data because it is signed by a key held in the device's TPM, and that key is certified by a CA the verifier already trusts.
• Prove the hardware is really yours
– A system you can trust
• Easy when it’s just your computer
– More difficult when there are 1,000
• Remote attestation
– Device provides an operational report to a verification server
– Encrypted and digitally signed with the TPM
– An IMEI or other unique hardware component can be included in the report
Attestation
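The challenge, report and verify steps described on this card, as an added example that is not part of the original flashcards. The device identifier, golden measurement values and attestation key are constructed for the example, and a shared HMAC-SHA256 key stands in for the TPM's certified asymmetric signing key so the exchange runs offline; the verifier logic (one-time nonce for freshness, signature check, then comparison against expected measurements) is the part worth copying.

```python
import hashlib
import hmac
import json
import secrets

# Constructed "golden" measurements: the hashes the verifier expects a
# healthy device of this model to report (PCR-style boot measurements).
EXPECTED_PCRS = {
    "pcr0_firmware": hashlib.sha256(b"firmware-v1.2").hexdigest(),
    "pcr4_bootloader": hashlib.sha256(b"bootloader-v3").hexdigest(),
    "pcr7_secureboot": hashlib.sha256(b"secureboot-enabled").hexdigest(),
}

# Constructed device identity and attestation key. A real TPM signs with an
# asymmetric attestation key whose public half is certified by a CA; a
# shared HMAC-SHA256 key stands in for that signature in this example.
DEVICE_ID = "358899091234567"          # IMEI-style hardware identifier (constructed)
ATTESTATION_KEY = b"constructed-device-attestation-key"


def canonical(report: dict) -> bytes:
    """Deterministic encoding so device and verifier MAC exactly the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict, key: bytes) -> str:
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def device_report(nonce: str, pcrs: dict, key: bytes = ATTESTATION_KEY) -> tuple:
    """Device side: bind the verifier's nonce to the current measurements and sign."""
    report = {"device_id": DEVICE_ID, "nonce": nonce, "pcrs": pcrs}
    return report, sign_report(report, key)


class Verifier:
    """Verification server: issues one-time nonces and checks signed reports."""

    def __init__(self, expected: dict = EXPECTED_PCRS, key: bytes = ATTESTATION_KEY):
        self.expected = expected
        self.key = key
        self.pending = {}  # device_id -> nonce that has not yet been answered

    def challenge(self, device_id: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, report: dict, signature: str) -> tuple:
        # 1. Freshness: the nonce must be the one we issued, and it is consumed
        #    on use, so a captured report cannot be replayed later.
        nonce = self.pending.pop(report.get("device_id"), None)
        if nonce is None or not hmac.compare_digest(nonce, report.get("nonce", "")):
            return False, "stale or unknown nonce"
        # 2. Authenticity: only the holder of the attestation key can produce this MAC.
        if not hmac.compare_digest(sign_report(report, self.key), signature):
            return False, "bad signature"
        # 3. Integrity: every expected measurement must match its golden value.
        for name, golden in self.expected.items():
            if report["pcrs"].get(name) != golden:
                return False, f"measurement mismatch: {name}"
        return True, "ok"


if __name__ == "__main__":
    v = Verifier()
    report, sig = device_report(v.challenge(DEVICE_ID), dict(EXPECTED_PCRS))
    print(v.verify(report, sig))   # (True, 'ok')
```

The order of the checks matters: the nonce is consumed before anything else is inspected, so the same signed report presented twice fails on the second attempt, and a report whose bootloader measurement differs from the golden value is rejected even though its signature is valid.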
The most basic mobile data messaging technology, carrying short alphanumeric text messages between mobile devices (and, through carrier gateways, between applications and devices). It is widely used as a login factor because it is cheap and needs no app on the phone.
• Text messaging
– Includes more than text these days
• Login factor can be sent via SMS to a predefined phone number
– Provide username and password
– Phone receives an SMS
– Input the SMS code into the login form
• Security issues exist
– Phone number can be reassigned to a different phone (SIM swap or number porting)
– SMS messages can be intercepted in transit
Short message service (SMS)
the delivery of information from a software application to a computing device without a specific request from the client.
• Similar process to an SMS notification
– Authentication factor is pushed to a specialized app
– Usually on a mobile device
• Security challenges
– Applications can be vulnerable
– Some push apps have sent the factor unencrypted
– Users can be worn down into approving prompts they did not start (push fatigue); number matching in the prompt reduces this
• Still more secure than SMS
– Multiple factors are better than one factor
Push notification
Apps that generate a one-time code you use to confirm that it is you logging in to a website or service; they typically serve as the second factor in two-factor authentication (2FA).
• Pseudo-random token generators
– A useful authentication factor
• Carry around a physical hardware token generator
– Where are my keys again?
• Use software-based token generator on your phone
– Powerful and convenient
Authentication apps
A temporary passcode generated by an algorithm that uses the current time as one of its inputs.
• [this] algorithm
– Use a secret key and the time of day
– The counter is derived from the clock (time divided by the step) instead of being incremented on each use
• Secret key is configured ahead of time
– Clocks are synchronized via NTP
• Time step is usually 30 seconds
– Put in your username, password, and [this] code
• One of the more common OTP methods
– Used by Google, Facebook, Microsoft, etc.
Time-based One-Time Password algorithm (TOTP)
A one-time password algorithm that uses hash-based message authentication codes (HMAC). It is a freely available open standard, developed by the Initiative for Open Authentication (OATH) and published as RFC 4226.
• One-time passwords
– Use them once, and never again
– Once a session, once each authentication attempt
• [This]
– Keyed-hash message authentication code (HMAC)
– The HMAC key is the shared secret; the message is an incrementing counter
• Token-based authentication – a hardware or software token holds the shared secret and generates the code; the authentication server holds the same secret and recomputes it
– Each new counter value produces a different code
• Hardware and software tokens available
– You’ll need additional technology to make this work
HMAC-based One-Time Password algorithm (HOTP)
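The TOTP and HOTP algorithms on the two cards above, worked as an added example that is not part of the original flashcards. HOTP follows RFC 4226 (HMAC over the big-endian counter, dynamic truncation, modulo 10^digits) and TOTP is the same function with the counter taken from the clock as in RFC 6238; both RFCs publish test vectors for the ASCII secret "12345678901234567890", which the block reproduces. The server-side verification helpers, with a skew window for TOTP and a look-ahead plus counter advance for HOTP, are my additions and are not part of either RFC.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24     # clear the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock, floor(T / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, algo)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step plus `window` steps either side
    to tolerate clock skew between the phone and the server."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server side: the token may have been pressed a few times without a login,
    so search a small look-ahead window. Returns the next counter to store
    (so this code and earlier ones are never accepted again) or None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as (often unpadded) base32."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                        # 755224
    print(totp(RFC_SECRET, for_time=59, digits=8))    # 94287082
```

Two details are easy to get wrong in production: compare codes with `hmac.compare_digest` rather than `==`, and after a successful HOTP check store `c + 1` so the same code cannot be replayed. For TOTP, a window of one step on either side is the usual compromise between tolerating skew and widening the guessing window; anything larger should be paired with rate limiting on failed attempts.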
• A voice call provides the token
– The computer is talking to you
– "Your code is 1-6-2-5-1-7."
• Similar disadvantages to SMS
– The call can be intercepted or forwarded
– Phone number can be added to another phone
Phone call
Authentication factors that stay the same between uses, such as a PIN, password or passphrase; they are only as strong as the user's ability to keep them secret.
• Authentication factors that don’t change
– You just have to remember
• Personal Identification Number (PIN)
– Your secret numbers
• Can also be alphanumeric
– A password or passphrase
Static codes
a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip.
• Integrated circuit card - Contact or contactless
• Common on credit cards - Also used for access control
• Must have the physical card to gain digital access
– The card holds a private key and its digital certificate; the key never leaves the chip
• Multiple factors
– Use the card with a PIN or fingerprint
Smart cards
Biological measurements, physical characteristics or behaviors that can be used to identify an individual.
• Fingerprint scanner
– Phones, laptops, door access
• Retinal scanner
– Unique capillary structure in the back of the eye
• Iris scanner
– Texture, color
• Voice recognition
– Talk for access
• Facial recognition
– Shape of the face and features
• Gait analysis
– Identify a person based on how they walk
– Many unique measurements (stride, cadence, posture)
• Veins
– Vascular scanners
– Match the blood vessels visible from the surface of the skin
Biometric factors
• False acceptance rate (FAR)*
– Likelihood that an unauthorized user will be accepted
– Not sensitive enough
• False rejection rate (FRR)*
– Likelihood that an authorized user will be rejected
– Too sensitive
• Crossover error rate (CER)*
– Defines the overall accuracy of a biometric system
– The rate at which FAR and FRR are equal
– Adjust sensitivity to equalize both values
Biometric acceptance rates
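FAR, FRR and CER computed over a constructed set of matcher scores, as an added example that is not part of the original flashcards. The two score lists are made up for the example (genuine users compared with their own template, impostors compared with other people's templates); the sweep over the sensitivity threshold shows why a loose threshold raises FAR, a strict one raises FRR, and the crossover point is where the two rates are equal.

```python
# Constructed matcher scores on a 0-100 scale (higher = stronger match).
# GENUINE: enrolled users compared against their own template.
# IMPOSTOR: other people compared against those same templates.
GENUINE = [62, 68, 71, 74, 75, 78, 80, 82, 84, 85, 87, 88, 90, 92, 95, 96, 97, 98, 99, 99]
IMPOSTOR = [10, 15, 20, 25, 30, 33, 38, 42, 45, 50, 55, 58, 60, 63, 66, 70, 72, 76, 79, 83]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)):
    """Sweep the sensitivity threshold and return (threshold, CER) at the point
    where FAR and FRR are closest to equal; the CER is their value there."""
    best_t = min(thresholds, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best_t, (far(best_t, impostor) + frr(best_t, genuine)) / 2


def sweep(thresholds=(50, 60, 70, 73, 80, 90)):
    """(threshold, FAR, FRR) rows for a quick look at the trade-off."""
    return [(t, far(t), frr(t)) for t in thresholds]


if __name__ == "__main__":
    for t, fa, fr in sweep():
        print(f"threshold {t:3d}: FAR {fa:.2f}  FRR {fr:.2f}")
    print("crossover:", crossover())
```

With these scores a threshold of 60 accepts 40% of impostors while rejecting no genuine users ("not sensitive enough"), a threshold of 90 accepts no impostors but rejects 60% of genuine users ("too sensitive"), and the crossover sits at 73 with a CER of 15%. A real system is compared to another by its CER; the deployed threshold is then chosen on the FAR side or the FRR side of that point depending on whether the cost of a false accept or a false reject is higher.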
A framework for controlling access to computer resources, enforcing policies, auditing usage, and providing the information needed to bill for services.
• Identification
– This is who you claim to be
– Usually your username
• Authentication
– Prove you are who you say you are
– Password and other authentication factors
• Authorization
– Based on your identification and authentication, what access do you have?
• Accounting
– Resources used: login time, data sent and received, logout time
AAA framework
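The four AAA stages as separate functions in a small in-memory authentication server, added here as an example that is not part of the original flashcards. The user store, roles and permission map are constructed for the example; the points worth noticing are that identification (the username lookup) is kept separate from authentication (a PBKDF2 hash comparison that costs the same whether or not the username exists), that authorization consults roles rather than the credential, and that the accounting log records every outcome, including failures.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store; a real deployment keeps this in a directory service.
_SALT_A, _SALT_B = secrets.token_bytes(16), secrets.token_bytes(16)
USERS = {
    "alice": {"salt": _SALT_A, "hash": hash_password("correct horse battery", _SALT_A),
              "roles": {"engineer"}},
    "bob":   {"salt": _SALT_B, "hash": hash_password("hunter2", _SALT_B),
              "roles": {"finance"}},
}
ROLE_PERMISSIONS = {"engineer": {"vpn", "git"}, "finance": {"erp"}}

# Dummy record so an unknown username costs the same hashing work as a real one
# (no user-enumeration via response time).
_DUMMY = {"salt": b"\0" * 16, "hash": hash_password("placeholder", b"\0" * 16)}

ACCOUNTING_LOG = []


def authenticate(username: str, password: str) -> bool:
    """Identification (lookup by username) + authentication (prove the password)."""
    record = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    return ok and username in USERS


def authorize(username: str, resource: str) -> bool:
    """Authorization: what may this identity access? Decided by role, not credential."""
    roles = USERS.get(username, {}).get("roles", set())
    return any(resource in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def account(username: str, event: str, **fields) -> None:
    """Accounting: record who did what, when, and how much."""
    ACCOUNTING_LOG.append({"user": username, "event": event, "time": time.time(), **fields})


def session(username: str, password: str, resource: str,
            bytes_sent: int = 0, bytes_received: int = 0) -> str:
    """One login-use-logout cycle through all four stages."""
    if not authenticate(username, password):
        account(username, "login_failed")
        return "denied"
    account(username, "login")
    if not authorize(username, resource):
        account(username, "authz_denied", resource=resource)
        account(username, "logout")
        return "forbidden"
    account(username, "access", resource=resource, sent=bytes_sent, received=bytes_received)
    account(username, "logout")
    return "granted"


if __name__ == "__main__":
    print(session("alice", "correct horse battery", "vpn", 1200, 48000))   # granted
    print(session("bob", "hunter2", "vpn"))                                # forbidden
    print(session("mallory", "guess", "vpn"))                              # denied
```

The split matters operationally: a SIEM rule for brute force keys on the `login_failed` events, a billing export sums `sent` and `received` per user from the `access` events, and a privilege review reads `ROLE_PERMISSIONS` without touching any credential material.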
• Cloud-based security
– Third-party can manage the platform
– Centralized platform
– Automation options with API integration
– May include additional options (at additional cost)
• On-premises authentication system
– Internal monitoring and management
– Need internal expertise
– External access must be granted and managed
Cloud vs. on-premises authentication