This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Authentication is a process or protocol which enables an authority to gain access to areas and resources in a given facility or computer based information system. It ensures that a person or a computer is in fact, who he/it claims to be. The security system actually requires three separate elements identification, authentication and authorization which together make up what's called access control.
Here are some questions that any security system should answer before giving access to the computer in a network or in any kind of protected system.
Who are you? Do you belong here? What rights do you have? And how do I know you're who you say you are?
When we log into a system or network, the first thing we're asked for is a user name. But a user name offers little protection to the system. Therefore, the system also usually prompts you for a password, which is a form of authentication. The question, "How do I know you're who you say you are?" is in many ways; the most important one lays the step for a strong authentication process. Unless this question is answered properly identification is incomplete and no authorization takes place.
There are three factors that can be used to authenticate an individual and these have their problems or weaknesses:
Something the user knows - password, passphrase, PIN.
Anyone can enter a password and reusable passwords have been vulnerable to guessing by some attacks such as brute force and dictionary-based attacks.
Something the user has - a smart card, a token that can generate a one-time password.
This requires the user to possess an often difficult-to-replicate device. However this stronger protection also costs more and it requires contingency procedures in case a device is left at home, lost or stolen.
Something the user is - physical trait or characteristic often called biometrics such as finger prints, voice recognition.
It is the most difficult to defeat, but it has other problems. Here the biometric identification methods are subject to two types of errors: false positives which erroneously authenticate an individual who shouldn't be authenticated; and false negatives which denies an individual who should be authenticated. So, if the method is compromised, there's no way to give an individual a new identifying characteristic. We can issue a new password or security token, but we can't change his fingerprints or retina pattern.
It is called strong authentication which involves two or more factors authentication and is an extension of two-factor authentication. So every two-factor authentication is a multi-factor authentication and not the reverse.
Two/Three factor authentication:
When a user name and password are not sufficient to provide assurance of identity, strong authentication methods are required. Strong authentication is traditionally defined as two- and three-factor authentication. These additional forms of authentication add "something you have" and "something you are" to the "something you know" factor.
So the two factor authentication depicts the use of two independent factors of authentication to assert an entity. Therefore for example, password + a value from a token can be a basic scenario of two-factor authentication systems, the something you know + something you have. Some forms of "something you have" are smart cards, USB tokens, wireless tokens, biometrics-users can authenticate via their finger print.
The three factor authentication involves these three types something the user knows, something the user has and something the user is. As an example we can consider an user inserting a smart card into card reader (something the user has) and enter a password (something the user knows) and require a finger print (something the user is) via biometric finger print reader.
Four factor authentication:
The GPS technology also offers a form of authentication. And now GPS devices have become cheaper and smaller, so the something you have may become somewhere you are specifically somewhere it is. Suppose that we are authenticating with the bank from our home with the GPS device, it is used as a fourth factor further strengthening our identity. This technology uses the concept of authentication groups (Ex: secured military base, higher personnel in an organization) used in user and password systems because the geographic location can provide group association but not who the individual user is.
In Cryptography, the authentication is done through a small piece of message, ensures message integrity.
MAC (Message Authentication Code):
An authentication technique which involves two communicating parties shares a common secret key. MAC is a collection of algorithms through which it allows one entity to send message to the second entity in such a way that the second entity can be certain that the first entity in fact did originate the message. The sender runs a message through a MAC algorithm and with common secret key to produce a MAC tag and this message and message tag are then sent to a receiver. The receiver performs the same calculation through the same algorithm on the received message and produces another MAC tag and then compares.
If they are identical, the receiver can safely assert that the integrity of the message was not compromised and is from the alleged sender. And if the message contains a sequence number the receiver can be assured of exact sequence as the attacker cannot alter the sequence numbers.
Source: Figure 3.1 Message Authentication Using a Message Authentication Code (MAC). Stallings, William. NETWORK SECURITY ESSENTIALS Applications and Standards
HMAC (Hash-based Message Authentication Code):
A technique for calculating MAC (Message Authentication Code) which involves a hash functions along with a secret key. It also verifies both the data integrity and authenticity of a message. These cryptographic hash functions are used to compress the length of a message to certain length called as hash codes or digital finger prints. The strength of algorithm depends on the strength of the functions. Hashed functions such as SHA-1 are used in calculating MAC, so the resulted algorithm may be termed as HMAC-SHA-1.
Also these cryptographic functions execute faster than any other conventional algorithms. HMAC has been issued as RFC 2104 and chosen as a mandatory to implement MAC for IP Security. So according to this RFC some objectives for HMAC are - use available hash functions without modifications, with this an existing implementation of hash function can be treated as a module and it can easily replaceable in case if faster hash functions are found.
Developers and administrators moved to a centralized authentication model, which uses a central authority system that can remotely authenticate users across large numbers of systems. So for this purpose some protocols were developed:
Kerberos is network authentication protocol which provides a single sign on (only the end users have to log on once for accessing the resources in the network), trusted third party (centralized authentication server) mutual authentication services. It is transparent, reliable and scalable. Here is how the Kerberos Works in client server architecture.
First the authentication exchange takes place. A client asks the AS (authentication server) for a ticket to the TGS (ticket-granting server) and then the AS checks the client's information in the database and generates a session key and are encrypted using the key derived from user's password.
And next in Ticket-granting service exchange, the client decrypts it and recovers the session key in the message and uses it to create an authenticator (contains the user's name, address of the network and the time to TGS) and then sends the ticket and authenticator to the TGS, then it decrypts ticket and authenticator (using the session key). It verifies and if everything matches, the TGS creates another new session key for the client, encrypts it using the first session key, also generates another new ticket having client's name , address and time stamp which are encrypted with server's secret key and sends to the client.
In client/server exchange, the client decrypts this message and gets the session key, creates another new authenticator encrypted with this session key. Now the client sends the ticket and the encrypted authenticator and the server decrypts, check the ticket, address, time stamp.
A secure communication is now established as the server knows that the client is who it claims to be and both the parties share a common encryption key.
Source: Figure 4.1 Overview of Kerberos, from Network Security Essentials Applications and Standards by Stallings, Williams.
RADIUS (Remote Access Dial-in User Service):
RADIUS is also a networking protocol which provides centralized Authentication, Authorization and Accounting - AAA for the systems that connects and uses a network service. This is often used by the internet service providers for managing the access to the internet, wireless networks and e-mail services.
Authentication - Verifies a person's/computer's identity.
Authorization - Set of templates and rules what a legitimate user should do on a system.
Accounting - Measures the system time or the data a user has sent/received during a session and documents the resources a user access.
Sequences in authorization:
Several types of methods in which the end user, the AAA server and the network communicates in a transaction.
Agent Sequence - The AAA server acts as a middle-man (agent) between the service equipment and the user.
Source: Figure 1.3 the agent sequence, from Radius by Hassell, Jonathan.
Pull Sequence - Here the user connects directly to the service equipment and then checks with an AAA server to check whether the request is granted.
Source: Figure 1.4 the pull sequence, from Radius by Hassell, Jonathan.
Push Sequence - Here the user is in between the AAA server and the service equipment. First the user connects to the AAA server and when the request to the server is authorized, and then the AAA server distributes a token to the user. Now the user pushes this token with his request to the service equipment and gets access.
Source: Figure 1.5 the push sequence, from Radius by Hassell, Jonathan.
The RADIUS is client/server protocol which runs in Application Layer by using UDP packets. The packet format contains Code, Identifier, Length, and Authenticator.
Source: Figure 2.1 a depiction of the RADIUS data packet structure from Radius by Hassell, Jonathan.
Code - Type of RADIUS message that is sent in the packet.
Identifier - Performs automated linking of the requests and subsequent replies.
Length - Specifies how long a message is and it is 2 octets long.
Authenticator - A field which is 16 octets long checks the integrity of the message's payload.