2.4 - Summarize authentication and authorization design concepts. Flashcards
- Directory services
* Keep all of an organization’s usernames and passwords in a single database
– Also contains computers, printers, and other devices
* Large distributed database
– Constantly replicated
* All authentication requests reference this directory
– Each user only needs one set of credentials
– One username and password for all services
* Access via Kerberos or LDAP
- Federation
* Provide network access to others
– Not just employees: partners, suppliers, customers, etc.
– Provides SSO and more
* Third parties can establish a federated network
– Authenticate and authorize between the two organizations
– Login with your Facebook credentials
* The third parties must establish a trust relationship
– And the degree of the trust
- Attestation
* Prove the hardware is really yours
– A system you can trust
* Easy when it’s just your computer
– More difficult when there are 1,000
* Remote attestation
– Device provides an operational report to a verification server
– Encrypted and digitally signed with the TPM
– An IMEI or other unique hardware component can be included in the report
- Time-based one-time password (TOTP)
* Time-based One-Time Password algorithm
– Uses a secret key and the time of day
– No incremental counter
* Secret key is configured ahead of time
– Timestamps are synchronized via NTP
* Timestamp usually increments every 30 seconds
– Put in your username, password, and TOTP code
* One of the more common OTP methods
– Used by Google, Facebook, Microsoft, etc.
- HMAC-based one-time password (HOTP)
* One-time passwords
– Use them once, and never again
– Once a session, once each authentication attempt
* HMAC-based One-Time Password algorithm
– Keyed-hash message authentication code (HMAC)
– The one-time codes are derived from a secret key and a counter
* Token-based authentication
– The hash is different every time
* Hardware and software tokens available
– You’ll need additional technology to make this work
- Short message service (SMS)
- Token key
- Static codes
* Authentication factors that don’t change
– You just have to remember them
* Personal Identification Number (PIN)
– Your secret numbers
* Can also be alphanumeric
– A password or passphrase
- Authentication applications
* Pseudo-random token generators
– A useful authentication factor
* Carry around a physical hardware token generator
– Where are my keys again?
* Use a software-based token generator on your phone
– Powerful and convenient
- Push notifications
* Similar process to an SMS notification
– Authentication factor is pushed to a specialized app
– Usually on a mobile device
* Security challenges
– Applications can be vulnerable
– Some push apps send in the clear
* Still more secure than SMS
– Multiple factors are better than one factor
- Phone call
* A voice call provides the token
– The computer is talking to you
– “Your code is 1-6-2-5-1-7.”
* Similar disadvantages to SMS
– Phone call can be intercepted or forwarded
– Phone number can be added to another phone
- Smart card authentication
* Integrated circuit card
– Contact or contactless
* Common on credit cards
– Also used for access control
* Must have physical card to provide digital access
– A digital certificate
* Multiple factors
– Use the card with a PIN or fingerprint
Chapple 231, Weiss 324, Gibson 41
- Fingerprint
- Retina
- Iris
- Facial
- Voice
- Vein
- Gait analysis
* The way you walk
- Efficacy rates
- False acceptance
* False acceptance rate (FAR)
– Likelihood that an unauthorized user will be accepted
– Not sensitive enough
- False rejection
* False rejection rate (FRR)
– Likelihood that an authorized user will be rejected
– Too sensitive
- Crossover error rate
– Defines the overall accuracy of a biometric system
– The rate at which FAR and FRR are equal
– Adjust sensitivity to equalize both values
- AAA (Authentication, authorization, and accounting)
* Identification
– This is who you claim to be
– Usually your username
* Authentication
– Prove you are who you say you are
– Password and other authentication factors
* Authorization
– Based on your identification and authentication, what access do you have?
* Accounting
– Resources used: login time, data sent and received, logout time
- Cloud vs. on-premises requirements
* Cloud-based security
– Third party can manage the platform
– Centralized platform
– Automation options with API integration
– May include additional options (for a cost)
* On-premises authentication system
– Internal monitoring and management
– Need internal expertise
– External access must be granted and managed
- Somewhere you are (MFA Attributes)
* Provide a factor based on your location
– The transaction only completes if you are in a particular geography
* IP address
– Not perfect, but can help provide more info
– Works with IPv4, not so much with IPv6
* Mobile device location services
– Geolocation to a specific area
– Must be in a location that can receive GPS info, or near an identified mobile or 802.11 network
– Still not a perfect identifier of location
- Something you can do (MFA Attributes)
* A personal way of doing things
* Handwriting analysis
– Signature comparison
– Writing technique
* Very similar to biometrics
– Close to something you are
- Something you exhibit (MFA Attributes)
* A unique trait, personal to you
– Gait analysis: the way you walk
– Typing analysis: the way you hit the enter key too hard
- Someone you know (MFA Attributes)
* A social factor
– Not what you know…
– Web of trust
– Digital signature
- Something you know (MFA Factors)
* Password
– Secret word/phrase, string of characters
– Very common authentication factor
* PIN
– Personal identification number
– Not typically contained anywhere on a smart card/ATM card
* Pattern
– Complete a series of patterns
– Only you know the right format
- Something you have (MFA Factors)
* Smart card
– Integrates with devices
– May require a PIN
* USB token
– Certificate is on the USB device
* Hardware/software tokens
– Generate pseudo-random authentication codes
* Your phone
– SMS a code to your phone
- Something you are (MFA Factors)
* Biometric authentication
– Fingerprint, iris scan, voice print
* Usually stores a mathematical representation of your biometric
– Your actual fingerprint isn’t usually saved
* Difficult to change
– You can change your password
– You can’t change your fingerprint
* Used in very specific situations
– Not foolproof