Security – Principles of Authentification
The broadest definition of authentication within computing systems encompasses identity verification, message origin authentication, and message content authentication.
The concept of identity verification specifically applies to principals with information processing and decision making capabilities, including human users, computing systems and processes executing on those systems.
Reliable authentication mechanisms are critical to the security of any automated information system. If the identity of legitimate users can be verified with an acceptable degree of accuracy, those attempting to gain access without proper authorization can be denied permission to use the system.
When a legitimate user’s identity is verified, access control techniques are applied to mediate that user’s access to system resources. If a computer system cannot verify the identity of users and other computers, the system will not be able to protect itself against unauthorized access. A variety of methods are available for performing user authentication, and these methods form the basis for access control systems .
The three generally accepted categories of methods for verifying the identity of a user are based:
- on something the user KNOWS, such as a password; something
- the user POSSESSES, such as an authentication token;
- some PHYSICAL CHARACTERISTIC of the user, such as a fingerprint or voice pattern
In the past, it was relatively easy to protect computer systems because they were typically installed in a centralized computing facility. With the proliferation of networked computer systems, however, this level of physical access control is no longer viable. The design of open computing systems permits access to more systems, and some of these access attempts may not be by legitimate users.
Users may be able to access network-connected computers from any physical location on the network, and the logical connection which supports a session between the user and a given computer may travel through many communications circuits.
The increasing level of interconnection between computer systems has made it possible to distribute and process information far more easily than in the past. However, it has also become significantly more difficult to identify system users based on physical location, since the pathway between a user and the computing resources accessed by that user may be impossible to trace.
Attackers often take advantage of the anonymity provided by communications networks when attempting to break into a target machine. A significant amount of effort is usually required to locate and prosecute these attackers, primarily because of the difficulty of tracing an attacker’s access routes through communications networks which may span international boundaries.
Networking not only makes it more difficult to identify system users, it also increases the opportunities for unauthorized parties to intercept authentication data passing through the network during the course of a legitimate session between a user and a remote host computer. User passwords are sometimes transmitted through a network in plaintext form. If an attacker is able to monitor the user’s session, the attacker may be able to record the user’s password or other critical authenticationdata.
This would allow the attacker to pose as a valid user by initiating a login on the remote host and submitting the user’s authentication data when the host requests it. Software is readily available for monitoring network traffic, primarily for the purpose of performance management and problem diagnosis.Unfortunately, the same software is often quite effective at capturing passwords as they are transmitted through a network.
Some systems apply a cryptographic algorithm to scramble (encrypt) passwords before they are transmitted, so that the plaintext password is not exposed. However, an attacker may still be able to record the encrypted password, and gain access to the host computer by submitting the encrypted value. In either case, the host computer will be unable to distinguish between the attacker and a valid user, and will grant access to the attacker.
In a modern automated information system, processes running on one computer may interact with other computers in order to transfer information or access common resources. These interactions may take place across networks and involve machines which are not located in the same facility. It is therefore necessary to consider situations where one computer needs to verify the identity of another computer, with or without intervention from a human user.
It is usually desirable in these cases to implement some form of mutual authentication, whereby the identity of each computer is verified simultaneously. Fortunately, computers are capable of implementing cryptographic authentication protocols which provide an efficient and securemeans for performing mutual authentication .
Human users often access multiple services on multiple host computers in modern automated information systems. Separate authentication events may be required for each service a user wishes to access, particularly if these services are resident on separate host machines. Users might, for example, be required to demonstrate possession of a physical authentication token for each service.
In some cases, services or host computers may even use different authentication techniques which would, for example, force users to memorize passwords for some services and carry tokens or provide biometric scans for others. This situation quickly becomes an unreasonable burden for users, and can lead to poor security practices.
To address the problems described above, logon authentication schemes have been developed that only require users to authenticate once during a session. These approaches are commonly referred to as unitary logon or single sign-on. Unitary logon is generally a two-step process, in which the user first authenticates to a principal.
The principal may be the user’s workstation, a physical authentication token, or some other device. Then, as the user requests access to various services,
the principal is responsible for authenticating the user to each service. Conceptually, the principal acts as a proxy for the user in conveying the original authentication event and automates subsequent authentications with little or no intervention from the user.
These subsequent authentications are usually based on strong cryptographic protocols which are secure across communications networks. It should be noted that each service accessed by a user must understand the protocol for interacting with the principal responsible for authenticating the user. Also, the principal must be responsible for determining the point at which a given user’s current authentication terminates. This termination point is often tied to the end of a user’s loginsession.
16 Responses to “Security – Principles of Authentification”
What are the topologies of networks ?
Mesh
Tree
Bus
Star
Ring
What OSI means ?
Open System Interconnection
What are the layers of an OSI model ?
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
What is S/MIME ?
S/MIME (Secure Multipurpose Internet Mail Extensions) is a specification for
secure electronic messaging. In 1995 several software vendors got together and created the S/MIME specification.
What are FIPS ?
Federal Information Processing Standards (FIPS) are National Institute of Standards
and Technology (NIST)-approved standards for advanced encryption.
What is SSL ?
Secure Sockets Layer (SSL) is an encryption standard for most Web transactions. In fact, it is becoming the most popular type of e-commerce encryption.
What is a Hardware Key Generation ?
Hardware-based random-number generators are generally small devices that employ some physical process to produce random numbers.
The degree to which the output is random is easily subjected to independent tests, and several such devices have been employed to create cryptographic keys.
What is X.509 Certificate ?
X.509 client certificate is a digital identification card or key. Using this security mechanism, users need to have their X.509 client certificates as part of a Public-Key Infrastructure (PKI)
interesting post
a very good article about Security – Principles of Authentification