Authentication Fundamentals

Authentication is the process in which a subject proves that they are who they claim to be. Whether it involves a key card and PIN or a username and password, this process is composed of two steps: identification and confirmation. Identification is the first step, claiming to be a certain person; confirmation is the second step, which allows a subject to prove that claim. Both online and offline, authentication is ubiquitous. You’re required to prove your identity when doing all sorts of things, whether it’s picking up concert tickets, checking into a hotel, or disputing a charge on your latest cell phone bill.

When I log in to my online bank, I go through the authentication process by entering a username and password. Entering a username is how I identify myself; it’s the first step; it’s how I claim to be me. Of course, the application doesn’t take this at face value. It must confirm that I am who I say I am. In order to prove my claim, I must confirm by entering the password associated with the username. The assumption is that only I should know my password, so when the application verifies that the username and password match, it confirms my identity.

Continuing with our online banking example, I am required to authenticate to the banking application so that only authorized individuals (that is, myself) are allowed to access protected data (for example, account balances) and sensitive functionality (for example, transfers). In general, if an application doesn’t perform proper authentication, then anyone with my username could impersonate me. If someone were able to arbitrarily access my bank account, they may be disappointed to learn how little book writing pays.

We can also define authentication in another way. Instead of proving that we are ourselves, sometimes we want to be able to prove that we’re allowed to act on behalf of someone else. For example, you may want to allow your better half to access your bank account. This can be useful when you’re in the hospital with a burst appendix and the electricity bill needs to be paid.

As we mentioned earlier, the process of authentication is the first step in any access control mechanism. Authentication is important because without it we wouldn’t have confirmation of a subject’s identity. As a result, we wouldn’t be able to conduct authorization, which relies on proper authentication, to determine whether or not a subject had been given the rights to access certain data or perform specific operations. A well-designed access control mechanism will first perform authentication and then perform authorization whenever access is requested to any protected resource.
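As an added illustration (not code from the book), the following Python sketch puts the two steps of authentication and the authenticate-then-authorize order described above into working form. The user table, usernames, passwords, rights, and PBKDF2 parameters are constructed assumptions; the point is that confirmation checks a supplied password against a stored salted verifier in constant time, that an unknown username and a wrong password produce the same result (so the response does not reveal which usernames exist), and that authorization is only ever evaluated for a subject that has already been authenticated.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed work factor for this example; production values should follow
# current guidance for the chosen KDF.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str, rights: frozenset) -> dict:
    """Store only salt + verifier, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hash_password(password, salt), "rights": rights}


# Constructed sample users; a real application keeps this in a database.
USERS = {
    "alice": make_user_record("correct horse battery staple", frozenset({"view_balance", "transfer"})),
    "bob": make_user_record("hunter2", frozenset({"view_balance"})),
}

# Decoy record used when the claimed username does not exist, so that the
# verification takes the same amount of work as for a real user.
_DECOY = make_user_record("decoy-not-a-real-password", frozenset())


@dataclass(frozen=True)
class Subject:
    """An authenticated principal: only produced once confirmation has succeeded."""
    username: str
    rights: frozenset


def authenticate(username: str, password: str) -> Optional[Subject]:
    """Step 1, identification: look up the claimed username.
    Step 2, confirmation: check the supplied password against the stored verifier."""
    record = USERS.get(username, _DECOY)
    candidate = hash_password(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["verifier"])
    if not ok or username not in USERS:
        return None  # same outcome for an unknown user and for a wrong password
    return Subject(username, record["rights"])


def authorize(subject: Optional[Subject], right: str) -> bool:
    """Authorization is only meaningful for a subject that has been authenticated."""
    if subject is None:
        return False
    return right in subject.rights


def access(username: str, password: str, right: str) -> bool:
    """Access control order: authenticate first, then authorize."""
    return authorize(authenticate(username, password), right)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "transfer"))  # True
    print(access("bob", "hunter2", "transfer"))                          # False: authenticated, not authorized
    print(access("alice", "wrong", "view_balance"))                      # False: confirmation failed
    print(access("mallory", "anything", "view_balance"))                 # False: unknown identity
```

Note that `authenticate` returns a `Subject` object rather than a bare boolean: the rest of the application can then only reach `authorize` by holding a value that the authentication step produced, which makes it hard to accidentally skip the first step.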

Proving Your Identity

So we know that authentication is important, but how do we go about proving our identity? There are three classes into which we can group the different factors that can be used to prove identity:

- Something you know
- Something you are
- Something you have

The first class of factors involves providing the authentication mechanism with something that you know. The most common example of something you know is a password, but the class also includes things such as a PIN or passphrase. In the real world, you have to prove your identity to a customer support representative by providing them with something you know, such as your account password or the last four digits of your Social Security number.

The second class of factors is based on providing the authentication mechanism with something that you have, such as a digital certificate, smart card, or a security token (for example, RSA SecurID). In the physical world, this is like having a key. To get past the locked door (access control system) on the front of your house, you need to use the right key to unlock the door. A key is something you have, or possess, and therefore it’s how you authenticate yourself to the lock on the door. Simple, but effective.

A security token (see Figure 3-3) is a popular “have” factor because it doesn’t require specialized client-side hardware such as a smart card reader, and its use is easily understood by users.

Figure 3-3 RSA SecurID security token

Note

Security tokens work by generating authentication codes at fixed intervals. By design, these authentication codes are not easily predicted because they’re cryptographically generated based on a unique seed value for each token. A successful attack against such a token usually requires either physical possession of the token or access to the token’s seed value. To make an attack against the security token more difficult, a PIN is often required in addition to the authentication code.

The third class of authentication factors is based on something that’s part of who you are, such as a fingerprint, retinal pattern, hand geometry, or even the topography of your face. These factors are commonly referred to as biometrics because they’re based on a person’s intrinsic physical qualities or behavioral characteristics. In recent years, biometric authentication has become more common, especially as most major laptop vendors now offer fingerprint scanners (see Figure 3-4) and some even offer facial recognition packages.

Figure 3-4 Fingerprint scanner

Microsoft’s Kinect device utilizes facial recognition to automatically identify you to the Xbox 360 gaming console. Its tracking camera will also follow you around as you move about in front of it. (Cue the Cylon revolution!)

With biometric factors, the assumption is that each person possesses unique fingerprints and retinal patterns that nobody else should have. Because of this, they act both to identify and confirm identity. In our examples that follow, this may not always be the case.

Academic research has found that some fingerprint scanners can be fooled by using gummy bears. For more information, see “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems” at http://cryptome.org/gummy.htm. In Japan, cigarette vending machines perform facial analysis to determine whether or not the buyer is old enough to purchase cigarettes. Unfortunately, underage kids are simply holding up photographs to fool the devices. (This attack has been around since at least Space Quest 2.)

Another problem with biometric factors arises when they are stolen. When a security token or smart card has been compromised, it’s just a matter of invalidating the token, reclaiming the device (if it hasn’t been stolen), and issuing a new authentication factor. Although revocation of the biometric record in the authentication database is straightforward, it’s difficult to re-issue a new biometric factor, and trying to reclaim a biometric factor will undoubtedly be met with tremendous user resistance.

As attackers have become more sophisticated in their attempts to break or bypass authentication mechanisms, it has become popular among many organizations to require two-factor authentication. The most common example of two-factor authentication is the use of a security token and a PIN to authenticate. This approach of using both something you have and something you know is normally found on high-security web sites whose access control systems safeguard very sensitive information or important functionality. In Hong Kong, laws require that any online banking application require two-factor authentication. As a result, it is quite common to see key chains with security tokens that are used to log in to web-based banking applications. Other examples include the use of smart cards and fingerprints, which combines something you have and something you are.
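The Note above explains that a security token derives its codes from a per-token seed at fixed intervals, and this paragraph describes combining such a code with a PIN. The following Python example, added here and not taken from the book, shows both in working form. RSA SecurID uses its own algorithm; this example uses the open HOTP/TOTP construction (RFC 4226 and RFC 6238), which follows the same design: a secret seed shared between token and verifier, a counter derived from the current time step, and a short code computed by HMAC. The seed is the RFC test-vector seed so the output is reproducible; the PIN, time-step window, and `TokenVerifier` class are assumptions. The verifier checks both factors every time (no early exit that would leak which one failed), compares in constant time, and refuses to accept a code for a time step it has already consumed, so an observed code cannot be replayed.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test seed (ASCII "12345678901234567890"); a real token's seed is random
# and shared only between the token and the verifier.
TOKEN_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds between code changes
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed time steps.
    This is what the token displays at a given moment."""
    return hotp(seed, at_time // step)


class TokenVerifier:
    """Server-side check of PIN (something you know) plus token code (something you have)."""

    def __init__(self, seed: bytes, pin_stored: str, window: int = 1):
        # pin_stored is kept in clear here only to keep the example short; in a real
        # system it is protected like any other password (salted, slow hash).
        self.seed, self.pin_stored, self.window = seed, pin_stored, window
        self.last_counter = -1  # highest time step already accepted; blocks replay

    def verify(self, pin_entered: str, code_entered: str, now: int) -> bool:
        pin_ok = hmac.compare_digest(pin_entered.encode(), self.pin_stored.encode())
        # Tolerate small clock drift between token and server: accept codes from
        # `window` steps either side of the current one. Always scan the whole
        # window so timing does not reveal which step matched.
        base = now // TIME_STEP
        matched = None
        for counter in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(code_entered, hotp(self.seed, counter)):
                matched = counter
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched  # consume this step so the same code cannot be reused
        return True


if __name__ == "__main__":
    now = int(time.time())
    verifier = TokenVerifier(TOKEN_SEED, pin_stored="1234")
    shown_on_token = totp(TOKEN_SEED, now)
    print(verifier.verify("1234", shown_on_token, now))  # True: both factors good
    print(verifier.verify("1234", shown_on_token, now))  # False: same code replayed
    print(verifier.verify("0000", totp(TOKEN_SEED, now + TIME_STEP), now + TIME_STEP))  # False: wrong PIN
```

The replay check is what turns "a code that the token generated at some point" into "the code it is generating right now"; without it, a code that was shoulder-surfed or captured from a phishing page would remain valid for the whole acceptance window, and the PIN adds nothing if it was captured together with the code.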
