2. Authentication
Identification is telling the system
who you are, whereas authentication refers to the
process of proving to a system that you are who you say
you are. Authentication can be performed using one or more
of the following:
- Something you know (e.g. a username and
password).
- Something you have (e.g. a smartcard).
- Something you are (e.g. your fingerprint,
handwriting, voice pattern).
If two or more authentication methods are
used in conjunction, it is referred to as multi-factor
authentication, which is logically the most secure type of
authentication. Some of the most common authentication methods
are described in the paragraphs below.
2.1. Username/Password
Providing a username and password combination
is the most common method to identify and authenticate a client,
but is also the weakest. It uses 'something you know'. Some
of the vulnerabilities of the username and password authentication
method are:
- Password guessing/Brute-force attacks.
This is typically done with a password checker in combination
with a password generator. Passwords are generated, based
on a dictionary for example, and the password checker tries
the password until it succeeds.
- Password aging. As a password
gets older there's an increased chance of it getting disclosed.
When a password is discovered by an attacker using a keystroke
logger, or via 'shoulder-surfing', it may be exploited for
a long time without anyone but the attacker knowing that
security has been compromised.
- Cognitive passwords: your mother's
last name, 'matrix' or 'qwerty'. When a person or password
checker tries to guess the password, it will typically start
with common words.
When a username/password-combination is
the only authentication method being used, be sure to limit
the maximum number of login attempts and to set a maximum
password age to force users to change their password on
a regular basis. Additionally, if the software supports it,
enforce a policy that requires users to use a password that
includes different types of characters and doesn't include
actual words. A good example of a strong password
is 8BsI$S#95i3.
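The two countermeasures above, a complexity/dictionary policy and a limit on consecutive failed logins, as an added Python example that is not part of the original TechNote. The word list is a constructed stand-in for a real dictionary, and the "three of four character classes" rule is an assumption chosen for the example.

```python
import re

# Constructed mini word list standing in for a real dictionary (assumption for this example).
COMMON_WORDS = {"password", "qwerty", "matrix", "letmein", "welcome"}


def check_password_policy(password, min_len=8):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"[0-9]", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if len(missing) > 1:  # require at least three of the four classes (assumed rule)
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append("contains dictionary word '%s'" % word)
    return problems


class LoginLimiter:
    """Counts consecutive failures per username and locks the account at max_attempts."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def attempt(self, username, password_ok):
        """Returns 'ok', 'denied' or 'locked'. A locked account stays locked even for the right password."""
        if username in self.locked:
            return "locked"
        if password_ok:
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_attempts:
            self.locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for candidate in ("8BsI$S#95i3", "qwerty", "Password1!"):
        print(candidate, "->", check_password_policy(candidate) or "accepted")
    limiter = LoginLimiter(max_attempts=3)
    for ok in (False, False, False, True):
        print("login attempt ok=%s -> %s" % (ok, limiter.attempt("alice", ok)))
```

A locked account in this example needs an administrator (or a timed unlock, not shown) to clear it; the point is that a guessing program cannot keep trying indefinitely.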
2.2. CHAP
The Challenge Handshake Authentication Protocol
(CHAP) is an authentication protocol that is primarily used
for remote access PPP connections. CHAP is the successor of
the Password Authentication Protocol (PAP), which transmits the
username and password in clear text over the network media.
CHAP uses a more secure method: when a client wants to log on,
the server sends a challenge request to the client, and
the client replies with a challenge response, which
is a hashed (one-way encrypted) value based on the
username/password-combination and a random number. The server
performs the same computation and if the resulting value matches
the response from the client, the client is authenticated.
Although CHAP sends only a value based on the username/password-combination,
it still isn't very secure, hence using strong passwords is
still essential. Traditional versions of CHAP require a plain
text version of the password on the authenticating server
and the algorithm used to hash the client's response is publicly
known and relatively simple. Because of this, CHAP authentication
is particularly vulnerable to brute force and dictionary attacks.
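The exchange described above, as an added Python example that is not part of the original TechNote. It follows the RFC 1994 response calculation (MD5 over the one-octet Identifier, the shared secret and the challenge); the username, secret and server class are made up for the example. It also shows the two points the text makes: the server must hold the plaintext secret, and the random challenge is what stops a captured response from being reused.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side of CHAP (RFC 1994): MD5 over the one-octet Identifier, the shared
    secret and the challenge the server sent. The secret itself never crosses the wire."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side. It has to hold each user's plaintext secret because it recomputes
    the same MD5; a stored password hash would be useless here."""

    def __init__(self, secrets):
        self.secrets = secrets   # username -> plaintext secret (constructed sample data)
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Issue a fresh random challenge and the Identifier that ties the response to it."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return identifier, chal

    def verify(self, identifier, username, response):
        """Recompute the expected value. The challenge is consumed whether or not the reply
        matches, so a captured response cannot be replayed against a later challenge."""
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(server, username, client_secret):
    """One complete CHAP round trip; True when the server accepts the client."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, client_secret, chal)
    return server.verify(identifier, username, response)


def replay_is_rejected(server, username, client_secret):
    """A valid response from one challenge is presented to the next one; True if refused."""
    identifier, chal = server.challenge()
    captured = chap_response(identifier, client_secret, chal)
    first_ok = server.verify(identifier, username, captured)
    identifier2, _ = server.challenge()
    return first_ok and not server.verify(identifier2, username, captured)


def demo():
    """Constructed peer 'alice' with a shared secret; returns the outcome of each scenario."""
    server = ChapServer({"alice": b"s3cret-shared-with-peer"})
    return {
        "correct secret": run_exchange(server, "alice", b"s3cret-shared-with-peer"),
        "wrong secret": run_exchange(server, "alice", b"wrong"),
        "unknown user": run_exchange(server, "bob", b"s3cret-shared-with-peer"),
        "replay rejected": replay_is_rejected(server, "alice", b"s3cret-shared-with-peer"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print("%-16s %s" % (scenario, outcome))
```

Note that nothing in the exchange limits how often a guess can be checked offline once a challenge/response pair has been observed, which is why the text insists on strong secrets even with CHAP.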
2.3. Certificates
Certificates are widely used for several
different types of security, including secure e-mail, IPSec,
as well as client and server authentication for both local
network and remote access connections. (More details about
certificates in general and their purposes will be described
in other TechNotes that cover the Public Key Infrastructure.)
A certificate is an electronic document that typically contains
a public key and personal user information. A Certification
Authority (CA) issues certificates to entities such as users,
organizations, web sites and other CAs. As long as the CA
can be considered a trustworthy authority, the certificates
(and the key and entity combination in it) issued by it can
be trusted as well.
In the context of authentication, certificates can be used
for clients to authenticate themselves to servers, and for
servers to authenticate themselves to clients. Hence, they
can be used to perform mutual authentication (see 2.5). A
relatively new 'protocol' for remote access authentication
that uses this process is EAP-TLS (Extensible Authentication
Protocol - Transport Layer Security). EAP-TLS is a mutual
authentication method, which means that both the client and
the server prove their identities to each other. During the
EAP-TLS authentication process, the remote access client sends
its user certificate and the remote access server
sends its computer certificate. The connection won't
be established if either certificate is not sent or is invalid.
The use of certificates to authenticate clients has become
quite popular. They offer better security against brute-force
or dictionary attacks and password guessing than username/password-based
authentication methods.
2.4. Kerberos
Kerberos is a fairly secure, but also complex
and comprehensive, authentication system developed by MIT.
It has increased in popularity over the last couple of years and
is the default in modern Windows OS networks. Version 4 still
runs in many networks, but V5 is considered to be standard
Kerberos. Kerberos uses strong cryptography, DES, to provide
a secure method for carrying authentication data on an open
network. There are three primary elements in a Kerberos system:
- Client, which is the Kerberos
client application representing a principal (computer
or user or software application).
- Target server, provides the service
the client wants to access.
- Key Distribution Center (KDC),
handles the distribution of keys and tickets.
A complete Kerberos authentication process
involves three major steps in which a series of encrypted
messages are exchanged:
- Authentication Service (AS) Exchange
- When the client logs on, the KDC issues a logon session
key and a Ticket-Granting Ticket to the client, after the
KDC has verified the client's encrypted user credentials.
- Ticket-Granting Service (TGS) Exchange
- The client utilizes the TGT and the logon session key
to request a new session key and ticket to be used between
the client and the target server.
- Client-Server (CS) Exchange -
The client sends the new ticket, including the new session
key, to the target server to authenticate itself and to
provide the target server with the session key. Optionally,
the target server uses the new session key to authenticate
itself to the client.
The session keys are used to secure the communication
between the client and the KDC, or the client and the target
server. The tickets are encrypted by the KDC with the master
key of the KDC, in case of a Ticket-Granting Ticket, or with
the master key of the target server, in case of a Ticket for
the target server. The tickets are used to distribute the
session keys.
In addition to Kerberos being relatively
secure, another major advantage is that it lends itself to
Single Sign On because of its distributed character.
Single Sign On allows a user to log on only once and be able
to access all different resources in the network, such as
e-mail, file servers, Intranet, etc. A typical example of
this is a Windows 2000 network with only Windows 2000/XP
clients, in which Kerberos is the default authentication protocol.
2.5. Mutual Authentication
Mutual authentication is an additional security
feature in which a client authenticates to a service, and
the service authenticates to the client, before any application
traffic is exchanged. Mutual authentication can be implemented
using simple authentication protocols or more advanced solutions
such as Kerberos. For example, two Cisco routers with remote
access connection can be configured to perform mutual authentication
using PAP or CHAP. Microsoft's Active Directory Services in
combination with a Kerberos KDC also allows a client to authenticate
a service after the client has logged on. Mutual authentication
is also commonly used in SSL connections.
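The three Kerberos exchanges of 2.4 (AS, TGS and client-server) and the optional mutual-authentication step that 2.5 refers to, modelled in Python as an added example; this is not code from the TechNote or from MIT's Kerberos. The `seal`/`unseal` routine is a toy construction from HMAC-SHA256 standing in for Kerberos' DES/AES encryption types, the password-to-key step is a plain SHA-256 of the password rather than Kerberos' string2key, and the principal name, service name and password are made up. What it does show is which key seals each message and why only the KDC can read a TGT and only the target server its own ticket.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

# Toy authenticated encryption from HMAC-SHA256, constructed for this example only.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt a JSON-serialisable dict under key and append an integrity tag."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the tag, then decrypt; ValueError if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

class KDC:
    """Knows every principal's long-term key; its own master key seals Ticket-Granting Tickets."""
    def __init__(self, client_keys, server_keys, lifetime=600):
        self.master = os.urandom(32)
        self.client_keys, self.server_keys, self.lifetime = client_keys, server_keys, lifetime

    def as_exchange(self, principal, preauth):
        unseal(self.client_keys[principal], preauth)   # verifies the encrypted user credentials
        logon_key = secrets.token_hex(32)
        tgt = seal(self.master, {"principal": principal, "session_key": logon_key,
                                 "expires": int(time.time()) + self.lifetime})
        return seal(self.client_keys[principal], {"session_key": logon_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        t = unseal(self.master, tgt)                  # only the KDC can open a TGT
        if t["expires"] < int(time.time()):
            raise ValueError("TGT expired")
        logon_key = bytes.fromhex(t["session_key"])
        if unseal(logon_key, authenticator)["principal"] != t["principal"]:
            raise ValueError("authenticator does not match ticket")
        service_key = secrets.token_hex(32)
        ticket = seal(self.server_keys[service], {"principal": t["principal"],
                      "session_key": service_key, "expires": int(time.time()) + self.lifetime})
        return seal(logon_key, {"session_key": service_key, "ticket": ticket.hex()})

class Service:
    """Target server: shares a master key with the KDC and never sees the user's password."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def cs_exchange(self, ticket, authenticator):
        t = unseal(self.key, ticket)                  # ticket sealed under this server's key
        if t["expires"] < int(time.time()):
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["session_key"])
        a = unseal(session_key, authenticator)
        if a["principal"] != t["principal"]:
            raise ValueError("authenticator does not match ticket")
        # Mutual authentication: echo the client's timestamp under the session key.
        return seal(session_key, {"timestamp": a["timestamp"]})

def client_login(kdc, service, principal, password):
    """Run the AS, TGS and CS exchanges; True only if the server proved itself as well."""
    long_term_key = hashlib.sha256(password.encode()).digest()   # simplified string2key
    as_rep = unseal(long_term_key, kdc.as_exchange(
        principal, seal(long_term_key, {"timestamp": int(time.time())})))
    logon_key, tgt = bytes.fromhex(as_rep["session_key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(logon_key, kdc.tgs_exchange(
        tgt, seal(logon_key, {"principal": principal, "timestamp": int(time.time())}), service.name))
    service_key, ticket = bytes.fromhex(tgs_rep["session_key"]), bytes.fromhex(tgs_rep["ticket"])
    stamp = int(time.time())
    reply = unseal(service_key, service.cs_exchange(
        ticket, seal(service_key, {"principal": principal, "timestamp": stamp})))
    return reply["timestamp"] == stamp

def demo(password="correct horse battery"):
    """Constructed realm: one user 'alice' and one file server. True on full mutual authentication."""
    client_keys = {"alice": hashlib.sha256(b"correct horse battery").digest()}
    fileserver = Service("fileserver", os.urandom(32))
    kdc = KDC(client_keys, {fileserver.name: fileserver.key})
    try:
        return client_login(kdc, fileserver, "alice", password)
    except ValueError:
        return False

if __name__ == "__main__":
    print("correct password:", demo())
    print("wrong password:  ", demo("wrong"))
```

With a wrong password the KDC cannot open the pre-authentication data and the AS exchange fails before any ticket is issued; the target server is never involved, which is the distributed character the text credits for Single Sign On.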
2.6. Biometrics
Biometric authentication systems use anatomical
and physiological characteristics to authenticate a user, and thus
use 'something you are' to prove your identity to the system.
This is the type of system you have seen in SF movies;
it is typically used in environments that must be highly secured.
Examples of biometrics authentication systems are:
- Fingerprint. Examines specific, unique features of
a person's fingerprint.
- Voice recognition. Examines a person's voice recording.
- Palm scan. Examines specific, unique features of
an entire hand palm.
- Retina scan. Examines specific, unique features of
the retina in a person's eye.
- Iris scan. Examines specific, unique features of
the iris of a person's eye.
- Facial scan. Examines specific, unique features of
a person's face.
- Signature dynamics. Examines handwriting and optionally
writing speed and pressure.
- Keyboard dynamics. Examines typing behavior, such as stroke
order and speed.
Obviously, this is a very secure type of
authentication, but can be made even more secure by using
it in a multi-factor authentication system in conjunction
with other authentication methods such as username/password-combination.
Two important terms in biometrics are False Accept Rate,
which measures the likelihood that a user will claim a false
identity and be accepted, and False Reject Rate,
which measures the likelihood that a system will incorrectly
deny the user.
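False Accept Rate and False Reject Rate worked through in Python, as an added example that is not part of the original TechNote. The matcher scores are constructed, not measurements from any real biometric system; the example shows how both rates follow from the acceptance threshold, and finds the threshold at which they are equal.

```python
# Constructed matcher scores (0 = no match, 1 = perfect match); not from any real system.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.66, 0.93, 0.89]   # enrolled user vs own template
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.70, 0.31, 0.55, 0.18, 0.63, 0.27]  # other people vs that template


def error_rates(genuine, impostor, threshold):
    """A sample is accepted when its score >= threshold.
    FAR: fraction of impostor attempts accepted. FRR: fraction of genuine attempts rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_point(genuine, impostor):
    """Try every observed score as the threshold; return (threshold, FAR, FRR) where the two
    rates are closest. This crossover is the usual single-number comparison between systems."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def tradeoff_table(genuine, impostor, thresholds=(0.5, 0.6, 0.7, 0.8, 0.9)):
    """Rows of (threshold, FAR, FRR): raising the threshold lowers FAR but raises FRR."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in tradeoff_table(GENUINE, IMPOSTOR):
        print("   %.2f    %.2f  %.2f" % (t, far, frr))
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
```

A high-security deployment tunes the threshold towards a low FAR and accepts the extra rejections of legitimate users that come with it; combining the biometric with a password or token, as the text suggests, is what keeps that trade-off tolerable.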
A notable disadvantage of some biometric systems is that
they may require a lot of storage media because of the detailed
information generated by prints or scans. They typically also
require a lot of processing power, e.g. a multi-processor
system, to complete the authentication in a timely fashion.
Also, the circumstances in which the authentication takes
place must be optimal, for example, when using one of the
scan systems it is very important the camera has been properly
placed, no direct sunlight shines into its aperture, and the
subject is standing still.
2.7. Tokens
In the context of authentication, there
are two types of tokens:
- Software tokens are generated by the authenticating
system when a user logs on successfully. The token is carried
along with the access requests the client sends to servers (e.g.
file, database and e-mail servers). Software tokens are somewhat
similar to certificates and tickets, which both carry keys
that provide access to resources.
- Hardware tokens come in many forms, including
magnetic-strip cards and USB devices. The most common example
of a hardware token is probably the one you use for electronic
banking. Tokens usually contain a symmetric key that is
used for one-way hashing of a PIN code or time stamp; the
result is shown on the display and can be used by the user
to authenticate.
This example shows that multi-factor authentication is used.
The user needs the token (something you have) and a pin
code (something you know).
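The hardware-token scheme just described (a symmetric key, a one-way hash over a time stamp, a PIN as the second factor) as an added Python example that is not part of the original TechNote. It implements HOTP (RFC 4226) and its time-based form TOTP (RFC 6238) with the standard library; the enrolled user, her PIN and the use of the RFC test key as her token key are made up for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the time stamp, as the token's display does."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


# Constructed sample data: the RFC 4226/6238 test key used as one enrolled user's token key.
TEST_KEY = b"12345678901234567890"
USERS = {"alice": {"pin": "4711", "token_key": TEST_KEY}}


def verify_two_factor(username, pin, code, at=None, window=1):
    """Server side. The PIN is 'something you know'; the one-time code proves possession of
    the token ('something you have'). Up to `window` steps of clock drift are tolerated."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record["pin"], pin):
        return False
    now = time.time() if at is None else at
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(record["token_key"], at=now + drift * 30), code):
            return True
    return False


if __name__ == "__main__":
    print("token display now:", totp(TEST_KEY))
    print("RFC 4226 vector, counter 0:", hotp(TEST_KEY, 0))
    print("login with PIN + current code:", verify_two_factor("alice", "4711", totp(TEST_KEY)))
```

A production verifier would additionally remember the last accepted counter so that a code cannot be submitted twice within its validity window, and would apply the login-attempt limit from 2.1 to the PIN.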
2.8. Smart Cards
A smart card is today's most common example of a 'something-you-have'
authentication method. A smart card contains information about
who you are, typically in the form of a private key
but can also store public keys, account numbers, passwords
and other sensitive information. Generally, there are three
types of cards of which only the third is the actual 'smart'
card, the others are considered hardware tokens.
- Magnetic strip card. This type
of card stores a small amount of data (username, access
key, algorithms) on a magnetic strip, similar to how data
is stored on tapes. A common example is an ATM or credit
card.
- IC memory card. This type of
card is equipped with an integrated circuit that can store
much more data, typically between 1 Kb and 4 KB, than a
magnetic strip card. A common example of a memory card is
a prepaid telephone card.
- IC microprocessor card. This
type of card is the true smart card, it is equipped with
an actual microprocessor allowing data to be stored and
processed. Smart cards are typically equipped with an 8
or 32-bit processor, and at least 16 KB ROM and 512 bytes
RAM. The processor allows for operations such as data compression,
encryption/decryption, calculations, and generating digital
signatures, without the direct need of a computer. Here
lies the strength of using smart cards for authentication.
Modern smart cards are also equipped with EEPROM which allow
applications to store data. Smart card applications are
typically written in the platform independent language Java.

The use of smart cards requires smart card
readers. When the smart card is used to authenticate a user
to a computer or network system, the reader is usually a device
attached to a port on a computer. In case smart cards are
used to provide physical access to areas the reader is typically
placed beside the door. Most smart cards have to be brought
in physical contact with the reader to allow them to communicate,
but 'contactless' readers, using wireless technologies such
as Bluetooth, are becoming more popular every day.