CS406 Study Guide

Unit 5: Identification and Authentication

5a. Explain identification and authentication, and the methods used for each, such as passwords, tokens, and biometrics

  • What are the differences between identification, authentication, and authorization?
  • What is the most common form of authentication?
  • What are some drawbacks with tokens and biometrics?

Identification is evidence of who a subject claims to be; it may be provided by a username or an identifying number such as an account number. Authentication means proving that the claimed identification is valid. For example, a user may authenticate using a password or a PIN. Authorization comes after the subject has been identified and authenticated: access is then given, or authorized.

Passwords are the most common form of authentication; a password is typically a string of characters used to identify a subject. To be a secure method of authentication, passwords must be properly managed. One way to manage passwords is to limit sign-on attempts, and when stored on a system, passwords should be encrypted and hashed. Most importantly, passwords should be kept secret and never shared.
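The two password-management points above (limited sign-on attempts, and storing only a hash rather than the password) as one small verifier. This is an added example, not part of the course materials; the names PasswordStore, hash_password and the five-attempt limit are my own choices.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # constructed policy value: lock the account after five failed sign-ons


def hash_password(password: str) -> tuple:
    """Store a random salt and a slow salted hash (PBKDF2), never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class PasswordStore:
    def __init__(self):
        self.records = {}  # username -> {"salt", "digest", "failures"}

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.records[username] = {"salt": salt, "digest": digest, "failures": 0}

    def sign_on(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. An unknown user gets the same answer as a
        wrong password, so the response does not reveal which usernames exist."""
        rec = self.records.get(username)
        if rec is None:
            return "denied"
        if rec["failures"] >= MAX_ATTEMPTS:
            return "locked"  # limit sign-on attempts: even the right password is refused now
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
        if hmac.compare_digest(candidate, rec["digest"]):  # constant-time comparison
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "denied"
```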

Tokens and biometrics are very secure but are also costly. Tokens require a lot of overhead to manage, the employees must be trained on how to use them, and tokens are often lost and must be replaced. Biometrics cannot be lost like a token but are more costly to maintain. Biometrics also have the issue of privacy as some feel that their privacy is invaded by providing biometric data to be used as a method of authentication.

To review, see Identification, Authentication, and Authorization, Password Security, Biometrics, Authentication and Authorization Basics, Tokens and Biometrics, and Security and Accuracy of Biometrics.


5b. Discuss human authentication factors: something you know, something you have, something you are

  • What are three common methods of authentication?
  • What are some common factors that represent something you are?
  • How can the three authentication factors be made more secure?

The three methods of authentication are something you know, something you are, and something you have. Something you know can be a password. Something you are can be your fingerprints. Something you have can be a token or smart card.

Biometric data represents the factor of something you are and is the most secure of the three factors. The most common biometric used today is fingerprints. As technology has developed, some other methods that are becoming more common are DNA, voice recognition, facial recognition, and retinal patterns.

Using a combination of the factors, known as multifactor authentication, is more secure than using one factor alone. For instance, using a token and a PIN combines something you have with something you know. Multifactor authentication is the use of two or more different factors and should not be confused with using two of the same factor, such as a PIN and a password.

To review, see Human Factors Used in Authentication, Methods of Authentication, and Authentication Factor Descriptions.


5c. Differentiate between single-factor, two-factor, multi-factor, and mutual authentication

  • What is the purpose of multifactor authentication?
  • What is the weakest level of authentication?
  • What level of authentication is the most secure?

Multifactor authentication increases the level of security. For instance, if an attacker knows a user's login information, they can log into a system as that user. But if multifactor authentication is in use the system may send a one-time passcode to the user's cell phone. This would prevent the attacker from accessing the system even when the username and password were known.

Single-factor authentication using a username and password is the weakest level of security. As stated previously, if an attacker knows the username and password they can log in as the user. When the password is unknown an attacker can use methods such as brute force or a dictionary attack to guess the password.

The most secure authentication method is two-factor or multifactor authentication. Two-factor authentication is authenticating with two different human authentication factors; multifactor authentication uses two or more different factors. For instance, two passwords, or a password and a PIN, are both something you know and do not qualify as two-factor or multifactor authentication. A password and a token are something you know and something you have, so together they qualify as two-factor or multifactor authentication.

To review, see Multifactor Authentication, Authentication Forms, Authentication, and Mutual Authentication.


5d. Explain the purpose, advantages, and disadvantages of single sign-on (SSO)

  • Why would a user want to use single sign-on (SSO) technology?
  • What are some limitations of single sign-on (SSO) technology?
  • What is a disadvantage of single sign-on (SSO) technology?

Users often have many systems to log into with different passwords and password requirements. When this happens and employees cannot remember the passwords, they often bend the rules and write their passwords down. To alleviate trying to remember passwords, single sign-on can be implemented so that users log into one system and access is granted to all authorized systems.

Single sign-on is a good tool for alleviating the need to remember passwords and for decreasing the time needed to log into multiple systems, but it has limitations. To log into applications using single sign-on, the applications must accept the same credential format and interpret it the same way. Otherwise, the user logs into the application with the credentials that application provides, without the benefit of single sign-on.

Even though single sign-on has advantages and users prefer it, it also has disadvantages. When one password grants access to many systems, the exposure increases: if an attacker gains the single sign-on password, the attacker has access to every system that grants access via single sign-on. Another problem is that when a user forgets the single sign-on password, access to all systems may be blocked.

To review, see Kerberos, Kerberos History, Single Sign-On (SSO), Kerberos Facts, and Kerberos Weaknesses.


5e. Explain Kerberos-based authentication and its dependency on the key distribution center (KDC)

  • What makes the key distribution center an important part of Kerberos?
  • What are the five keys used in Kerberos?
  • What are some weaknesses of Kerberos?

Every time a user logs into a system by entering a password, that password is sent over the network. Kerberos uses encryption and the key distribution center to avoid sending the password over the network. When a user authenticates, Kerberos stores a session ticket on the user's machine that is then used for authentication.

Kerberos uses a principal key, a session key, the ticket-granting service (TGS) key, the service key, and the service session key. The important keys to understand are the principal key, which is the user's password, and the session key, which is created by the key distribution center (KDC). One other key that should be understood is the service session key, used to encrypt communication during the initiated session.

Kerberos can provide more system security, but it also has weaknesses. If the key distribution center (KDC) fails, all users are prevented from accessing the system. In addition, Kerberos is not immune to attackers: if a dictionary attack on a user's password succeeds, Kerberos will authenticate the attacker.
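The first Kerberos exchange (client to KDC authentication service) as a runnable sketch, showing why the password never crosses the network: the KDC holds only a principal key derived from the password, and the fresh session key comes back sealed once under that principal key and once inside the TGT under the TGS key. Added example, not from the course materials; the KDC, seal and unseal names are mine, PBKDF2 stands in for the real string-to-key function, and the sealing routine is a toy authenticated cipher used only so the example runs offline.

```python
import hashlib
import hmac
import secrets


def string2key(password: str, salt: str) -> bytes:
    """Principal key derived from the password (PBKDF2 stands in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)


def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption: SHAKE-256 keystream XOR plus HMAC tag; illustration only."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")  # a wrong password ends up here
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.principal_keys = {}                # name -> principal key; no passwords stored
        self.tgs_key = secrets.token_bytes(32)  # service key of the ticket-granting service

    def add_principal(self, name: str, password: str) -> None:
        self.principal_keys[name] = string2key(password, self.realm + name)

    def as_exchange(self, name: str) -> tuple:
        """AS_REQ carries only the principal name. AS_REP returns a fresh session key twice:
        sealed under the principal key for the user, and inside the TGT under the TGS key."""
        session_key = secrets.token_bytes(32)
        enc_part = seal(self.principal_keys[name], session_key)
        tgt = seal(self.tgs_key, name.encode() + b"|" + session_key)
        return enc_part, tgt


def client_login(kdc: KDC, name: str, password: str) -> tuple:
    """Client side: the password is turned into a key locally and never sent to the KDC."""
    enc_part, tgt = kdc.as_exchange(name)
    return unseal(string2key(password, kdc.realm + name), enc_part), tgt


def tgs_read_ticket(kdc: KDC, tgt: bytes) -> tuple:
    # The TGS recovers the user name and session key from the TGT with its own service key.
    name, session_key = unseal(kdc.tgs_key, tgt).split(b"|", 1)
    return name.decode(), session_key
```

If the KDC object is unavailable, client_login cannot obtain a ticket at all, which is the single-point-of-failure weakness described above.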

To review, see Kerberos, Kerberos History, Kerberos Facts, and Kerberos Weaknesses.


5f. Discuss the use and functionality of Lightweight Directory Access Protocol (LDAP)

  • What is a directory service?
  • What is the protocol structure of lightweight directory access protocol (LDAP)?
  • What is the purpose of lightweight directory access protocol (LDAP)?

Directory services store and organize data and can be used for lookups and searches, like an address book. The first directory service containing information on users' accounts was X.500, which defined a directory access protocol (DAP) based on the open systems interconnection (OSI) network protocols. The lightweight directory access protocol (LDAP) was developed from DAP to run over the transmission control protocol/internet protocol (TCP/IP) suite. Some features of DAP are included in LDAP, but not all, and LDAP adds some new features as well.

Lightweight directory access protocol (LDAP) has a tree-like structure called a directory information tree (DIT). The top of the tree is the root, representing the owner of the directory. Other entries are called objects and have a designated place in the tree. The path to an entry is called the distinguished name (DN). The tree structure allows for users and applications to interact with the directory.

The purpose of using lightweight directory access protocol (LDAP) is to store usernames and passwords in one location. Users can be authenticated by using the directory to validate credentials. Do not confuse Active Directory with LDAP: LDAP is a protocol used to communicate with Active Directory.

To review, see Lightweight Directory Access Protocol (LDAP), Directory Services Overview, and Kerberos and Lightweight Directory Access Protocol (LDAP).


5g. Compare and contrast the characteristics, advantages, and limitations of authentication protocols like Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS+), and Diameter

  • What is the first step in the system authorization process?
  • What services are provided by an authentication service?
  • What do remote authentication dial-in user service (RADIUS) and terminal access controller access control system (TACACS+) encrypt?
  • What are some advantages to using Diameter as an authentication protocol?

The first step in the system authorization process is authentication. Users provide credentials to prove their identity and then the credentials are compared to a database. If the credentials are accepted, either the authorization is granted by the system, or the credentials are sent to an authorization service.

An authentication service is a protocol that provides authentication, authorization, and accounting services: authentication validates a user's identity, authorization gives authenticated users the access they are allowed, and accounting logs usage activity.

Remote authentication dial-in user service (RADIUS) is an authentication protocol with robust accounting features; RADIUS encrypts the end user's password. Terminal access controller access control system (TACACS+) is an authentication protocol whose accounting features are less robust than those of RADIUS; TACACS+ encrypts all transmissions that occur between devices.

Diameter was designed to overcome the limitations of RADIUS and provides end-to-end security. Although RADIUS uses encryption, Diameter is more secure because its traffic is protected by transport layer security (TLS).
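What "RADIUS encrypts the end user's password" actually means on the wire, as an added example (not from the course materials): the RFC 2865 User-Password hiding, which XORs the padded password with MD5(shared secret + previous block) and leaves every other attribute, such as User-Name, in the clear. That limited, MD5-based protection is the gap Diameter over TLS closes. Function names and the sample secret are my own.

```python
import hashlib
import secrets


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then XOR
    each block with MD5(shared_secret + previous block), seeded with the 16-octet Request
    Authenticator. This hides the password; it is not a modern authenticated cipher."""
    if len(request_authenticator) != 16 or len(password) > 128:
        raise ValueError("authenticator must be 16 octets and password at most 128")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server runs it with the same shared secret."""
    password, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        password += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return password.rstrip(b"\x00")  # strips the padding (and any trailing NUL in the password)


def access_request_attributes(username: str, password: str, shared_secret: bytes,
                              request_authenticator: bytes) -> list:
    """Attribute values as they travel in an Access-Request: only User-Password (type 2) is
    hidden; User-Name (type 1) and everything else go in the clear."""
    return [
        (1, username.encode()),
        (2, hide_user_password(password.encode(), shared_secret, request_authenticator)),
    ]


def new_request_authenticator() -> bytes:
    """The client (NAS) picks a fresh random 16-octet Request Authenticator per request."""
    return secrets.token_bytes(16)
```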

To review, see Authentication Protocols, Diameter, and Authentication Services.


5h. Explain public-key infrastructure (PKI) and the use of digital certificates

  • What is the role of the certificate authority (CA) in public-key infrastructure?
  • What is a digital certificate?
  • How does a registration authority (RA) differ from a certificate authority (CA)?

Public-key infrastructure relies on certificate authorities (CAs) to issue digital certificates. The private key is used in digital certificates, and the CA verifies the owner of the public key. The CA is a third party trusted by both the sender and the receiver.

A digital signature proves that the message came from the sender, meaning it provides non-repudiation. A digital signature is a hashed message encrypted with the sender's private key. The receiver knows that the message was signed by the sender and that the message has not been altered.

The CA verifies users' public keys and publishes them using the CA's private key. A registration authority (RA) is also a trusted third party, like the CA. The RA registers and deletes users from the PKI database and verifies the identity of users before they are entered into the database.

To review, see Certificate and Registration Authorities, Digital Certificate Defined, Certificate Authorities, and Digital Certificate.


Unit 5 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • authentication
  • authorization
  • biometric
  • certificate authority (CA)
  • digital certificate
  • directory access protocol (DAP)
  • directory information tree
  • distinguished name (DN)
  • encrypt
  • facial recognition
  • fingerprint
  • identification
  • internet protocol (IP)
  • Kerberos
  • key distribution center (KDC)
  • lightweight directory access protocol (LDAP)
  • limitation
  • multifactor
  • one-time passcode
  • pin
  • principal key
  • private key
  • public key
  • public-key infrastructure (PKI)
  • registration authority (RA)
  • remote authentication dial-in user service (RADIUS)
  • retinal patterns
  • service key
  • session key
  • sign on
  • single-factor
  • terminal access controller access control system (TACACS+)
  • third-party
  • token
  • transmission control protocol (TCP)
  • two-factor
  • voice recognition