Identification, Authentication, and Authorization
Identification, authentication, and authorization are three of the core concepts of access control. Together these items determine who gets into the network and what they have access to. A failure of any of these services can have detrimental results to the security of the organization. Identification is the process of identifying yourself to an authentication service. Authentication is the process of determining whether a user is who he or she claims to be. Authorization is the process of determining whether a user has the right to access a requested resource. These concepts are tied to one additional item: accountability, which is discussed in subsequent chapters. Accountability is the capability to relate specific actions and operations to a unique individual.
Authentication
In network security, authentication is the process of determining the legitimacy of a user or process. Various authentication schemes have been developed over the years. These are some common authentication methods:
- Usernames and passwords: Typically a name and an alphanumeric password.
- Tokens: A hardware-based device used for authentication.
- Smart cards: An intelligent token that has been embedded with an integrated circuit chip. It provides not only memory capacity, but computational capability as well.
- Magnetic stripe cards: A widely used standard that became established in the 1970s. The magnetic strip contains information used to authenticate the user.
- Certificates: Some authentication methods, such as Protected Extensible Authentication Protocol (PEAP) and Extensible Authentication Protocol (EAP), can use certificates for authentication of computers and users. Certificates can reside on a smart card or can be used by IPSec and Secure Sockets Layer (SSL) for web authentication.
- Biometrics: Systems that make use of something you are, such as a fingerprint, retina scan, or voice print.
A quick review of this list should illustrate that all these forms of authentication can be distilled into three distinct types:
- Something you know: passwords
- Something you have: tokens, smart cards, and certificates
- Something you are: biometrics
Some experts actually list four categories of authentication: something you know, something you have, something you are, and where you are.
Passwords
Of these three types, probably the most widely used are usernames and passwords. The problem with this method is that passwords as a form of authentication are also one of the easiest to crack. Using passwords makes the network even more vulnerable because most individuals make passwords easy to remember, such as a birthday, an anniversary, or a child's name. Also, people have a limited memory, so the same password is often used to gain access to several different systems. With valid usernames and easily guessed passwords, a network is very close to losing two of the three items that ensure security (confidentiality and integrity). Programs such as John the Ripper can quickly cycle through huge dictionary files looking for a match. This makes password security an important topic for anyone studying access control: many times, it is all that stands between an intruder and account access. If you can't move to a more robust form of authentication, password policy should at least follow some basic guidelines:
- Passwords should not use personal information.
- Passwords should be 7 or 14 characters long.
- Passwords should expire at least every 30 days.
- Passwords should never consist of common words or names.
- Passwords should be complex and should use upper- and lowercase letters and special characters (such as !@#$%^&).
- Logon attempts should be limited to a small number of times, such as three to five successive attempts.
A logon limit is also known as a clipping level in CISSP terminology. Remember that a clipping level is the threshold or limit that must be reached before action is taken.
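The guidelines above, together with the clipping level described in the note, as an added Python example that is not code from the original text: a policy checker that reports each violated guideline, and a lockout counter that refuses further attempts once an account reaches the configured number of successive failures. The common-word list and the personal-information items are constructed placeholders; a real deployment would load a dictionary file and the user's profile instead.

```python
# Constructed placeholder for a dictionary file of common words and names.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}
# Special characters named in the guideline.
SPECIALS = set("!@#$%^&")


def check_password_policy(password, personal_info):
    """Return the list of guideline violations; an empty list means the
    password passes. The rules mirror the text: no personal information,
    7 or 14 characters, no common words or names, mixed case plus a
    special character. `personal_info` is a list of strings taken from
    the user's profile (constructed in the test below)."""
    violations = []
    lowered = password.lower()

    if any(item and item.lower() in lowered for item in personal_info):
        violations.append("contains personal information")
    if len(password) not in (7, 14):
        violations.append("length must be 7 or 14 characters")
    if any(word in lowered for word in COMMON_WORDS):
        violations.append("contains a common word or name")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("needs both upper- and lowercase letters")
    if not any(c in SPECIALS for c in password):
        violations.append("needs a special character such as !@#$%^&")
    return violations


class ClippingLevel:
    """Lockout counter: once an account reaches `limit` successive failed
    logons, every further attempt is refused until an administrator resets
    the account (reset is left out of this example)."""

    def __init__(self, limit=3):
        self.limit = limit
        self.failures = {}      # username -> successive failure count
        self.locked = set()     # usernames that hit the clipping level

    def attempt(self, username, success):
        """Record one logon attempt. Returns 'ok' for a successful logon,
        'denied' for a failure below the threshold, and 'locked' when the
        account is (now) locked."""
        if username in self.locked:
            return "locked"
        if success:
            self.failures[username] = 0   # a good logon resets the count
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.limit:
            self.locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed profile data for the demonstration.
    profile = ["Tinkerbell", "Paris"]
    for candidate in ("Tinkerbell1!", "password1", "Xq7$mRt"):
        print(candidate, "->", check_password_policy(candidate, profile) or "passes")
    clip = ClippingLevel(limit=3)
    for outcome in (False, False, False, True):
        print("attempt:", clip.attempt("bob", outcome))
```

Note that the checker only reports what the listed guidelines require; it does not judge overall password strength, and the 30-day expiry rule belongs in the directory's account settings rather than in a per-password check.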
Cognitive Passwords
Cognitive passwords are another interesting password mechanism that has gained popularity. For example, three to five questions might be asked, such as these:
- What country were you born in?
- What department do you work for?
- What's your pet's name?
- What is your mother's maiden name?
If you answer all the questions correctly, you are authenticated. Cognitive passwords are widely used during enrollment processes and when individuals call help desks or request other services that require authentication. Cognitive passwords are not without their problems. For example, if your name is Paris Hilton and the cognitive password you're prompted for by T-Mobile is "What's your pet's name?", anyone who knows that your pet's name is Tinkerbell can easily access your account.
One-Time Passwords
One-time passwords are used only once and are valid for only a short period of time. One-time passwords are usually provided through a token device that displays the time-limited password on an LCD screen.
A passphrase is a type of virtual password. Passphrases function by having someone enter the phrase into the computer. Software converts or hashes that phrase into a stronger virtual password that is harder for an attacker to crack.
Token Device
The tokens described in the previous sections can be synchronous dynamic password tokens or asynchronous password devices. These devices use a challenge-response scheme and come in form factors such as smart cards, USB plugs, key fobs, or keypad-based units. They generate authentication credentials that are often used as one-time passwords. Another great feature of token-based devices is that they can be used for two-factor authentication.
Synchronous
Tokens that are said to be synchronous are synchronized to the authentication server. Each individual passcode is valid for only a short period of time. Even if an attacker were able to intercept a token-based password, it would be valid for only a limited time. After that small window of opportunity, it would have no value to an attacker. As an example, RSA's SecurID changes user passwords every 60 seconds.
Asynchronous
Asynchronous token devices are not synchronized to the authentication server. These devices use a challenge-response mechanism. These devices work as follows:
- The server sends the user a value.
- The value is entered into the token.
- The user is prompted to enter a secret passphrase.
- The token performs a hashing process on the entered value.
- The new value is displayed on the LCD screen of the token device.
- The user enters the displayed value into the computer for authentication.
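Both token styles from the two sections above, as an added Python simulation that is not code from the original text or from any vendor's product: the synchronous token derives a six-digit code from a seed shared with the server and the current 60-second window, while the asynchronous token derives it from the server's challenge and the user's passphrase, following the six steps listed. The HMAC-SHA256 construction, the six-digit truncation, the one-window allowance for clock drift, and the assumption that the server holds the same seed and passphrase as the token are all choices made for this example.

```python
import hashlib
import hmac
import secrets
import time


def derive_code(seed, message):
    """HMAC-SHA256 of `message` under the token seed, truncated to six decimal
    digits so the value fits on a token's LCD display (example construction)."""
    digest = hmac.new(seed, message, hashlib.sha256).digest()
    return format(int.from_bytes(digest[:4], "big") % 1_000_000, "06d")


class SynchronousToken:
    """Time-synchronized token: the code depends on the seed and on which
    `period`-second window the current time falls in, so each code is only
    valid for that short window."""

    def __init__(self, seed, period=60):
        self.seed = seed
        self.period = period

    def code(self, now):
        window = int(now) // self.period
        return derive_code(self.seed, window.to_bytes(8, "big"))


class SynchronousServer:
    """Server side: recomputes the code for the current window and, to tolerate
    clock drift, for `skew` windows on either side. Older codes are rejected."""

    def __init__(self, seed, period=60, skew=1):
        self.token = SynchronousToken(seed, period)
        self.skew = skew

    def verify(self, code, now):
        for offset in range(-self.skew, self.skew + 1):
            candidate = self.token.code(now + offset * self.token.period)
            if hmac.compare_digest(candidate, code):
                return True
        return False


class AsynchronousToken:
    """Challenge-response token: the user keys in the server's challenge and a
    secret passphrase; the token hashes both under its seed and displays the
    result for the user to type back into the computer."""

    def __init__(self, seed):
        self.seed = seed

    def respond(self, challenge, passphrase):
        return derive_code(self.seed, challenge.encode() + b"|" + passphrase.encode())


class AsynchronousServer:
    """Server side: issues a fresh random challenge per logon and consumes it
    when verifying, so a captured response cannot be replayed."""

    def __init__(self, seed, passphrase):
        self.seed = seed
        self.passphrase = passphrase      # assumption: server knows the passphrase
        self.outstanding = {}             # username -> unanswered challenge

    def challenge(self, username):
        nonce = secrets.token_hex(4)      # eight hex digits, short enough to key in
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.outstanding.pop(username, None)   # one use only
        if nonce is None:
            return False
        expected = AsynchronousToken(self.seed).respond(nonce, self.passphrase)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    seed = b"constructed-example-seed"    # constructed; real seeds are random per token
    now = time.time()
    sync_code = SynchronousToken(seed).code(now)
    print("synchronous code:", sync_code,
          "accepted:", SynchronousServer(seed).verify(sync_code, now))
    server = AsynchronousServer(seed, "correct horse")
    chal = server.challenge("alice")
    resp = AsynchronousToken(seed).respond(chal, "correct horse")
    print("challenge:", chal, "response:", resp,
          "accepted:", server.verify("alice", resp))
```

The two verifiers show the property the text describes: a synchronous code stops working once its window (plus the drift allowance) has passed, and an asynchronous response is useless after the challenge that produced it has been consumed.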
Biometrics
Biometrics is a means of authentication that is based on a behavioral or physiological characteristic that is unique to an individual. Biometrics is among the most accurate means of authentication, but it is also more expensive than the other methods discussed. Biometric authentication systems have been slow to mature because many individuals are averse to the technology. Issues such as privacy are typically raised, although things have started to change somewhat after 9-11. More companies have felt the need for increased security, and biometric authentication systems have been one way to meet the challenge. Biometric systems work by recording information that is minute and unique to the person. When the biometric system is first used, the system must develop a database of information about the user. This is considered the enrollment period. When enrollment is complete, the system is ready for use. So, if an employee then places his hand on the company's new biometric palm scanner, the scanner compares the ridges and creases found on the employee's palm to the record stored for that individual in the device's database. Whether the employee gains access depends on the accuracy of the system.
Different biometric systems have varying levels of accuracy. The accuracy of a biometric device is measured by the percentage of Type I and Type II errors it produces. Type I errors (false rejection rate) are a measurement of the percentage of individuals who should have gotten in but were not allowed access. Type II errors (false acceptance rate) are the percentage of individuals who got in but should not have been allowed access. Together these two values determine the accuracy of the system, which is found by mapping the point at which Type I errors equal Type II errors. This point is known as the crossover error rate (CER). The lower the CER, the better; for example, if system A had a CER of 4 and system B had a CER of 2, system B would be the system with the greatest accuracy. Some of the most widely used types of biometric systems include these:
- Finger scan: Distinguishes one fingerprint from another by examining the configuration of the peaks, valleys, and ridges of the fingerprint. It is the most common type of biometric system used.
- Hand geometry: Uses the unique geometry of a user's fingers and hand in identification.
- Palm scan: Uses the creases and ridges of a user's palm for identification.
- Retina pattern: Uses the person's eye for identification; very accurate.
- Iris recognition: Another eye-recognition system that matches the person's blood vessels on the back of the eye; also very accurate.
- Voice recognition: Uses voice analysis for identification.
- Keyboard dynamics: Analyzes the speed and pattern of typing.
Before attempting the CISSP exam, make sure you understand the difference between Type I and Type II errors and the CER. Type II values are considered to be the most critical error rate to examine, while the CER is considered to be the best measurement of biometric system accuracy.
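Computing the false rejection rate (Type I), the false acceptance rate (Type II) and the crossover error rate over constructed match-score data, as an added Python example that is not part of the original text. Scores are assumed to be 0-100 similarity values where higher means a closer match, and a score at or above the threshold is accepted; the genuine and impostor score lists for two hypothetical systems, A and B, are constructed so that B has the lower CER, mirroring the comparison in the text.

```python
def error_rates(genuine_scores, impostor_scores, threshold):
    """Return (FRR, FAR) at `threshold`, where a score >= threshold is accepted.
    FRR (Type I) is the share of genuine users rejected; FAR (Type II) is the
    share of impostors accepted."""
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    return frr, far


def crossover_error_rate(genuine_scores, impostor_scores, step=1):
    """Sweep the threshold across the score range and return (threshold, CER),
    taking the CER as the error rate at the threshold where FRR and FAR are
    closest to equal (they cross exactly only on a continuous curve)."""
    scores = list(genuine_scores) + list(impostor_scores)
    threshold, end = min(scores), max(scores) + step
    best = None   # (gap between the rates, threshold, mean of the two rates)
    while threshold <= end:
        frr, far = error_rates(genuine_scores, impostor_scores, threshold)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, (frr + far) / 2)
        threshold += step
    return best[1], best[2]


# Constructed match scores (0-100, higher = closer match) for two hypothetical
# systems; each list holds one score per authentication attempt.
SYSTEMS = {
    "A": {"genuine": [40, 55, 60, 65, 70, 75, 80, 85, 90, 95],
          "impostor": [10, 20, 30, 35, 45, 50, 55, 58, 70, 80]},
    "B": {"genuine": [60, 65, 70, 75, 80, 85, 90, 92, 95, 100],
          "impostor": [5, 10, 15, 20, 25, 30, 35, 40, 50, 62]},
}


def rank_by_cer(systems):
    """Return [(name, CER), ...] sorted so the most accurate system (lowest CER)
    comes first."""
    results = []
    for name, data in systems.items():
        _, cer = crossover_error_rate(data["genuine"], data["impostor"])
        results.append((name, cer))
    return sorted(results, key=lambda item: item[1])


if __name__ == "__main__":
    for name, data in SYSTEMS.items():
        thr, cer = crossover_error_rate(data["genuine"], data["impostor"])
        frr, far = error_rates(data["genuine"], data["impostor"], thr)
        print(f"system {name}: threshold {thr}, FRR {frr:.2f}, FAR {far:.2f}, CER {cer:.2f}")
    print("most accurate:", rank_by_cer(SYSTEMS)[0][0])
```

Raising the threshold trades Type II errors for Type I errors: it rejects more impostors but also more legitimate users. Because the text treats Type II errors as the more critical rate, a deployment will often run above the crossover threshold and accept a higher FRR in exchange for a lower FAR; the CER remains the single number for comparing one system against another.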
Other considerations must be made before deploying a biometric system:
- Employee buy-in: Users might not like or want to interact with the system. If so, the performance of the system will suffer. For example, a retina scan requires individuals to look into a cuplike device, whereas an iris scanner requires only a quick look into a camera.
- Age, gender, or occupation of the user: Users who perform physical labor or work in an unclean environment might find finger scanners frustrating.
- The physical status of the user: Users who are physically challenged or handicapped might find the placement of eye scanners difficult to reach. Those without use of their hands or fingers will be unable to use fingerprint readers, palm scanners, or hand geometry systems.
Strong Authentication
To make authentication stronger, you can combine several of the methods discussed previously. This combination is referred to as multifactor or strong authentication. The most common form of strong authentication is known as two-factor authentication. Tokens combined with passwords form an effective, strong authentication scheme. If you have a bank card, you are familiar with two-factor authentication. Bank cards require two items to successfully access an account: something you have and something you know. These two items, your card and your PIN, grant you access to the account.
The decision to use strong authentication depends on your analysis of the value of the assets being protected. What are the dollar values of the assets being protected? What might it cost the organization in dollars, lost profit, potential public embarrassment, or liability if unauthorized access is successful?