Authentication
User Authentication - Defined
The rapid spread of e-Business has necessitated the securing of transactions
Authentication is a fundamental security function. During authentication, credentials presented by an individual are validated and associated with the person's identity. This binding between credentials and identity is typically done for the purpose of granting (or denying) authorization to perform some restricted operation, like accessing secured files or executing sensitive transactions
User authentication is commonly defined as the process of identifying an individual, usually based on a username and password
In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual
Strong User Authentication - Defined
When a traditional business becomes an e-Business, the access paths to corporate data expand, and the need for an overall security methodology increases greatly. A key part of this methodology is authentication. Old authentication methods such as passwords will no longer suffice due to their inherent weaknesses as well as the growing sophistication of the tools and people attempting unauthorized access. Today, strong user authentication—using at least two methods of identifying an individual—is critical to maintaining control over access to data
Essentially, Strong Authentication controls access and gives non-repudiation, or conclusive tracing of an action to an individual
Single Factor Authentication - Defined
Single factor authentication has been traditionally established by one of these elements:
Something you have—including keys or token cards
Something you know—including passwords
Something you are—including fingerprints, voiceprints or retinal scans (iris)
Single Factor Authentication - Products
Passwords are the most basic and most common method of single factor authentication
Other stronger forms of single factor authentication include:
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Secure Socket Layer (SSL)
Digital Signatures
Kerberos
Firewall
Virtual Private Networks (VPNs)
Single Factor Authentication – Products Defined
Password Authentication Protocol: The most basic access control protocol for logging onto a network. A table of usernames and passwords is stored on a server—when users log on, their usernames and passwords are sent to the server for verification
Challenge Handshake Authentication Protocol: Similar to PAP, CHAP also uses a randomly generated challenge and requires a matching response that depends on a cryptographic hash of the challenge and a secret key
Secure Sockets Layer: The leading security protocol on the Internet. When an SSL session is initiated, the browser sends its public key to the server so that the server can securely send a secret key to the browser. The browser and server exchange data via secret key encryption during that session. Originally developed by Netscape, SSL has since been merged with other protocols and authentication methods by the Internet Engineering Task Force (IETF) into a new protocol known as Transport Layer Security (TLS)
Digital Signatures: An electronic signature that cannot be forged. It is a computed digest of the text that is encrypted and sent with the text message. The recipient decrypts the signature and recomputes the digest from the received text. If the digests match, the message is authenticated and proved intact from the sender
Kerberos: An MIT-developed user authentication system. While it does not provide authorization to services or databases, Kerberos does establish identity at logon, which is used throughout the session
Firewall: A security barrier set up between a company's internal systems and externally facing systems that filters out unwanted data packets. It can be implemented in a single router, or it may use a combination of technologies in routers and hosts
Virtual Private Networks: VPNs use encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines, but do require that the same encryption system be at both ends. Encryption may be performed by firewall software or by routers
Two Factor Authentication - Defined
Given the limitations of single-factor authentication, the logical alternative is two-factor authentication, in which two of the methods are applied in tandem. A perfect example is the system employed to authenticate automated teller machine (ATM) users, which blends a magnetic-strip card (what you have) with a multi-digit PIN (what you know)
Any one type of authentication may authorize access, but using two types moves toward the control concept of non-repudiation; not only can you prove your identity and gain access to a resource, but you cannot deny accessing the resource at a later time. We define "strong user authentication" as the two-factor method described above
Need for Strong Authentication
There are three essential reasons why an organization may decide to use strong authentication:
The cost associated with loss of unauthorized data is usually the most compelling reason to use strong authentication. Strong authentication should be used in the case of high risk data while it may not pay to use strong authentication for low risk data
A corporation could be held liable for an attack by a hacker. The loss of money and public confidence in this scenario will be great. Use of strong authentication techniques greatly minimizes this risk
The authentication tool should be capable of evolving as technology and threats change. Therefore, in investing in a strong authentication tool it is essential to acquire one that can change as technology advances
Strong Authentication – Smart Cards
Smart cards are one way to provide strong authentication of users. The card itself is the item that the user must possess. The second factor may be a PIN, a password, or even a thumbprint. Various existing systems have used all of these
Authentication becomes even more rigorous by requiring a functional correlation between the two factors. The contents of the smart card cannot be accessed unless the value of the second factor is read by the smart card from the reading device. Specifically, when a user presents a smart card to a reading device such as a computer, the computer reads the PIN (or other second factor) and writes it to the smart card. Only if the PIN matches will the smart card allow the other information it contains to be accessed by the computer
The most important information passed by the smart card to the computer is, of course, the identity of the user. When the computer receives that identity, the authentication is complete
Strong Authentication – Digital Certificates
One of the core enabling security technologies is public key infrastructure (PKI). PKI is based on certificates provided to individuals through a registration process. The validity of stored information is consistently validated and supported by the infrastructure
One of the biggest obstacles to e-commerce expansion is how to prove the identity of an individual over networks and electronic services. Electronic service providers and financial institutions are embracing strong authentication and PKI technology as a key enabler
Certificates allow individual users, workstations and servers to identify themselves to each other, by digital signing of e-mail messages, software source files, secure Web communications, and Web sites. This key enabling technology allows for strong authentication
Strong Authentication – Biometrics
Automated biometrics in general, and fingerprint technology in particular, can provide a much more accurate and reliable user authentication method
Biometrics is a rapidly advancing field that is concerned with identifying a person based on his or her physiological or behavioral characteristics. Examples of automated biometrics include fingerprint, face, iris scan, and speech recognition (voice print)
As a biometric property is an intrinsic property of an individual, it is difficult to duplicate and nearly impossible to share
Finally, a biometric property of an individual can be lost only in case of serious accident
User Authentication - Summary
The security of e-Business depends upon the ability to both prevent malicious attacks and track unintentionally unauthorized acts
Many e-Business leaders assume that their systems are secure because they are using a security product such as firewalls within their infrastructure. This is a false sense of security
Information security is only as strong as its weakest link. Implementing simple security, or no authentication, may provide hackers a weak "backdoor" from which to compromise network defenses
User authentication, especially strong user authentication, in combination with the other technologies, can help create user accountability, confidentiality and a reliable audit trail, and help ensure the security of e-Business