Security+ Guide to Network

Security Fundamentals

Authentication
 Definition of Authentication

 Authentication can be defined in two contexts:

– The first is viewing authentication as it relates to
access control.
– The second is to look at it as one of the three key
elements of security: Authentication, Authorization,
and Accounting.

2
 Authentication and Access Control
Terminology
 Access control is the process by which resources or
services are granted or denied. It is composed of 4 steps:
1. Identification: The presentation of credentials or
identification.
2. Authentication : The verification of the
credentials to ensure that they are genuine
(authentic) and not fabricated.
3. Authorization: Granting permission for
admittance (permission to enter).
4. Access: is the right to use specific resources.

3
 Authentication, Authorization, and
Accounting (AAA)
 Information security rests on three key pillars (AAA) that determine who the
user is: Authentication; what the user can do: Authorization; and what the
user did: Accounting.
• Authentication
− Provides a way of identifying a user.
− Controls access by requiring valid user credentials.
• Authorization (Access Control)
− Determines whether the user has the authority to carry out certain
tasks (e.g. resources or services a user is permitted..).
− Often defined as the process of enforcing policies.
• Accounting (Auditing)
− Measures the resources a user “consumes” during each network
session (e.g. record session begins and ends, services being used..)

4
 Authentication, Authorization, and
Accounting (AAA) (continued)
• Accounting information can then be used in
different ways:
– To find evidence of problems
– For Billing
– For Planning
 AAA servers
– Servers dedicated to performing AAA functions.
– Can provide significant advantages in a network.

5
 Authentication Credentials
• Types of authentication, or authentication credentials
– Passwords
– One-time passwords
– Standard biometrics
– Behavioral biometrics
– Cognitive biometrics

6
 One-Time Passwords
 Standard passwords are the most common form of
authentication credentials, and are typically static in
nature.
 One-time passwords (OTP)
– Dynamic passwords that change frequently.
– Systems using OTPs generate a unique password on
demand that is not reusable.
– The most common type is a time-synchronized OTP, and
is used in conjunction with a token (small device).
• The token and a corresponding authentication server
share the same algorithm.
• Each algorithm is different for each user’s token.
7
One-Time Passwords (continued)

8
9
 One-Time Passwords (continued)
 There are several variations of OTP systems such as Challenge-
based OTPs.
– Authentication server displays a challenge (a random number)
to the user.
– User then enters the challenge number into the token
• Which then executes a special algorithm to generate a
password.
– Because the authentication server has this same algorithm, it
can also generate the password and compare it against that
entered by the user.

10
Cards
 Standard Biometrics
 Standard biometrics uses a person’s unique
characteristics (e.g. fingerprints, faces, hands,
retinas..)for authentication.
 Fingerprint scanners are the most common type of
standard biometric device, and are of two types:
– Static fingerprint scanner
– Dynamic fingerprint scanner
 Disadvantages of standard biometrics:
– Costs
– Readers are not always foolproof.
12
 Standard Biometrics
(continued)

 Static fingerprint scanner

14
Standard Biometrics (continued)

 Dynamic fingerprint scanner

14
 Behavioral Biometrics

 Behavioral biometrics authenticates by normal

actions that the user performs.
 The most promising behavioral biometrics are:
− Keystroke dynamics
− Voice recognition
− Computer footprinting

15
 Behavioral
Biometrics
 Keystroke dynamics
– Attempt to recognize a user’s unique typing rhythm.
– Keystroke dynamics uses two unique typing variables:
• Dwell time: Time it takes for a key to be pressed an
then released.
• Flight time: Time between keystrokes (both “down”
when the key is pressed and “up” when the key is
released, are measured).
Keystroke Dynamics
 Behavioral Biometrics (continued)

 Voice recognition
– Used to authenticate users based on the unique characteristics
of a person’s voice (e.g. user’s size of the head and user’s age).
– Phonetic cadence
• Speaking two words together in a way that one word “bleeds”
into the next word.
• Becomes part of each user’s speech pattern.
 Computer footprint
– When and from where a user normally accesses a
system.
 Geo Location
– Where does Alice normally access her bank website?
– It is typically from her computer on night or weekends.
16
 Cognitive Biometrics
 Cognitive biometrics is related to the perception,
thought process, and understanding of the user.
– Considered to be much easier for the user to
remember because it is based on the user’s life
experiences, and make it very difficult for an attacker
to imitate.
 Examples of cognitive biometrics:
– One example of cognitive biometrics is based on a life
experience that the user remembers.
– Another example of cognitive biometrics requires the
user to identify specific faces.
18
 Authentication Models
 Authentication credentials can be combined to provide
extended security, hence creating different
authentication models.
 Single and multi-factor authentication
– One-factor authentication
• Using only one authentication credential.
– Two-factor authentication
• Enhances security, particularly if different types of
authentication methods are used.
– Three-factor authentication
• Requires that a user present three different types of
authentication credentials.

24
 Three factor authentication
Three Factor Authentication – YouTube (Face, Finger, Smart Card)
 Authentication Models
(continued)
 Single sign-on
– Identity management
• Using a single authenticated ID to be shared across
multiple networks.
– Federated identity management (FIM)
• When those networks are owned by different
organizations.
• One application of FIM is called single sign-on
(SSO). It consists in using one authentication to
access multiple accounts or applications.

2
 Authentication Models
(continued)
 Microsoft Account/Windows Live ID
– Originally introduced in 1999 as .NET Passport.
– Requires a user to create a standard username and
password.
– When the user wants to log into a Web site that supports
Windows Live ID, the user will first be redirected to the
nearest authentication server.

2
 Tugas

• Jelaskan secara ringkas server authentikasi berikut

(Kerberos dan Radius)
• Cara kerja
• Beserta kelebihan dan kekurangan masing-masing
Server

• Dikerjakan maksimum 2 orang.

•Format pengiriman:
Tugas_authentication_nim1_nim2.pdf

22