4. Something you know – Passwords
Simplest type of authentication
Least secure method of authentication
Attacks: Shoulder surfing, keylogging, sniffing
Attacks: Brute force and dictionary
Attacks: Phishing and social engineering
5. Something you know – Passwords
Simple passwords are easy to exploit
Long passwords are hard to remember
Passphrases may help
Use strong and complex passwords
Don’t write passwords down
Change often – 90 days or less
Never give someone your password
Consider enforcing a password policy and lockout controls
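The last bullet is the one a practitioner actually has to build. The following is an added example, not from the slides: a minimal policy check (length, character classes, a weak-password deny-list) and a per-account lockout counter. The thresholds (12 characters, 3 of 4 classes, 5 failures, 15-minute lockout) and the deny-list entries are assumptions chosen for illustration; the clock is injectable so lockout expiry can be exercised without waiting.

```python
import re
import time

# Added example (not from the slides). Policy values below are assumptions.
MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60

# A tiny constructed deny-list; a real deployment would check a large
# breached-password corpus instead.
WEAK_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password list")
    return problems


class ManualClock:
    """Test clock so lockout expiry can be demonstrated without waiting."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LockoutTracker:
    """Counts consecutive failed logins per account and locks the account
    for LOCKOUT_SECONDS once MAX_FAILURES is reached."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # account -> consecutive failure count
        self.locked_until = {}  # account -> time the lockout expires

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # lockout has expired: clear the state so the counter starts fresh
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure counter."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    print(check_password_policy("Password1"))
    clock = ManualClock()
    tracker = LockoutTracker(clock=clock)
    for _ in range(MAX_FAILURES):
        locked = tracker.record_failure("alice")
    print("locked after", MAX_FAILURES, "failures:", locked)
    clock.advance(LOCKOUT_SECONDS)
    print("still locked after the lockout period:", tracker.is_locked("alice"))
```

The lockout counter is keyed on the account, so it blunts online brute force and dictionary attacks against one user, but it also means a lockout can be triggered deliberately; pairing it with an expiry rather than a permanent lock is what keeps that from becoming a denial of service.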
8. Something you have
Alternative or addition to passwords
Requires a physical device and a PKI environment
Examples: Smart cards, proximity cards, hardware tokens
Usually requires an additional factor – a PIN
One-time passwords – key fobs
Attack: Steal the card
Attack: Hack the authentication server
9. Something you are
Biometrics – measures something unique about your body
Impossible to lose or forget
Examples: Fingerprints, voice recognition, iris and retina scans, handwriting analysis
Attacks: Persuasion, collusion or force
Attacks: Mimicry
Challenge: Potential for errors
10. Biometric Accuracy
False Rejection Rate – FRR
- Type 1 error
- Percentage of attempts in which the system falsely rejects a known user
False Accept Rate – FAR
- Type 2 error
- Percentage of attempts in which the system falsely identifies an unknown user as known
Crossover Error Rate – CER
- Point where FAR and FRR are equal
- The lower the CER, the better the biometric system performs
- Retina, iris, fingerprint, voice
[Figure: Errors plotted against sensitivity, with the False Accept Rate (FAR) and False Reject Rate (FRR) curves crossing at the Crossover Error Rate (CER)]
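The figure is easier to understand once the rates are computed from data. The following is an added example, not from the slides: it takes match scores from genuine users and from impostors (both lists constructed for illustration), computes FRR and FAR at a given acceptance threshold, and sweeps the threshold to locate the crossover point. The score lists, the "accept when score >= threshold" rule and the threshold sweep are assumptions of this example.

```python
# Added example (not from the slides). Scores are constructed: higher means
# the sample matched the enrolled template more closely.
GENUINE_SCORES = [0.55, 0.62, 0.68, 0.71, 0.74, 0.77, 0.80, 0.83, 0.86, 0.90]
IMPOSTOR_SCORES = [0.20, 0.28, 0.35, 0.41, 0.47, 0.52, 0.58, 0.63, 0.69, 0.75]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for an acceptance threshold.
    A sample is accepted when its score is >= threshold."""
    # Type 1 error: a known user's sample falls below the threshold
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    # Type 2 error: an impostor's sample reaches the threshold
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def sensitivity_table(genuine, impostor):
    """Rows of (threshold, FRR, FAR): the trade-off the slide's figure plots.
    Raising the threshold lowers FAR and raises FRR."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


def crossover(genuine, impostor):
    """Sweep candidate thresholds and return (threshold, FRR, FAR) where
    FAR and FRR are closest; that common error level is the CER."""
    best = None
    for threshold, frr, far in sensitivity_table(genuine, impostor):
        if best is None or abs(far - frr) < abs(best[2] - best[1]):
            best = (threshold, frr, far)
    return best


def compare_systems(systems):
    """Rank several (name, genuine, impostor) systems by CER, lowest first."""
    ranked = [(name, crossover(g, i)[1]) for name, g, i in systems]
    return sorted(ranked, key=lambda row: row[1])


if __name__ == "__main__":
    for threshold, frr, far in sensitivity_table(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {threshold:.2f}  FRR {frr:.1f}  FAR {far:.1f}")
    print("crossover:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With the constructed data the crossover sits at a threshold of 0.68, where both error rates are 0.2; a system whose genuine and impostor score distributions overlap less would cross lower, which is what "lower CER, better performing" means in practice.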
11. Multifactor Authentication
The combination of two or more factors
Password and smart card – something you know, something you have
Password and hardware token – something you know, something you have
PIN and smart card – something you know, something you have
Password and fingerprint – something you know, something you are
Password and signature – something you know, something you are
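The one-time-password key fob from slide 8 and the "something you know plus something you have" pairing above can be shown in one piece of code. The following is an added example, not from the slides: an HOTP generator (RFC 4226), its time-based form TOTP (RFC 6238) as used by key fobs and authenticator apps, and a two-factor check that requires both the password and the current code. The user record layout, the PBKDF2 parameters and the one-step drift window are assumptions of this example; the test secret is the RFC 4226 reference secret.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the slides).
OTP_STEP = 30          # seconds per TOTP step
DRIFT_WINDOW = 1       # accept one step either side to tolerate clock drift
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = OTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, now: float) -> bool:
    """Constant-time compare against the current step and its neighbours."""
    for k in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        if hmac.compare_digest(totp(secret, now + k * OTP_STEP), code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(name: str, password: str, otp_secret: bytes) -> dict:
    """Enrolment: store a salted password hash and the token's shared secret."""
    salt = os.urandom(16)
    return {"name": name, "salt": salt,
            "pw_hash": hash_password(password, salt), "otp_secret": otp_secret}


def authenticate(user: dict, password: str, otp_code: str, now: float) -> bool:
    """Two factors: something you know (password) and something you have (token).
    Both are always evaluated so a failure does not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["otp_secret"], otp_code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    secret = os.urandom(20)                      # what the key fob was provisioned with
    user = make_user("alice", "correct horse battery staple", secret)
    now = time.time()
    print("current code:", totp(secret, now))
    print("login ok:", authenticate(user, "correct horse battery staple", totp(secret, now), now))
```

The token's secret lives on both the fob and the authentication server, which is why slide 8 lists "hack the authentication server" as an attack: compromising the server's secret store defeats the second factor for every enrolled user.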
12. Single Sign-on
Decentralized authentication
- Hard to manage
- Hard to back up
Centralized authentication
- Easy to manage
- Easy to back up
Single Sign-on
- Requires centralized authentication
- Minimizes the number of passwords to remember
- A single compromise can affect many systems
[Figure: SSO providing access to multiple resources]
13. Kerberos
Developed at MIT for UNIX realms
Windows domains use Kerberos beginning with Windows 2000 Server
Supports mutual authentication – client authenticates server, server authenticates client
Requires synchronized clocks – for time-stamped symmetric encryption
Secure European System for Applications in a Multivendor Environment (SESAME) is similar
Components:
Key Distribution Center (KDC)
Authentication Server (AS)
Ticket Granting Server (TGS)
14. Simplified Kerberos Process
Parties: Client, KDC (hosting the AS and the TGS), App server
- Client presents credentials to the Authentication Server (AS) and requests a Ticket Granting Ticket (TGT)
- AS sends the TGT and a session key for the TGS
- Client uses the TGT to request a Service Ticket for the App server
- TGS responds with the Service Ticket
- Client uses the Service Ticket to access the App server
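The steps above, and the two properties slide 13 stresses (mutual authentication and the need for synchronized clocks), can be simulated end to end. The following is an added example, not from the slides and not real Kerberos code: the cipher is a toy (SHA-256 keystream with an HMAC-SHA256 tag) standing in for Kerberos' real encryption types, the string-to-key function is a plain hash rather than Kerberos' salted KDF, and the principal names, ticket lifetime and 300-second skew limit are assumptions. What it does show faithfully is the message flow: the TGT is readable only by the TGS, the service ticket only by the app server, each session key reaches the client under a key it already holds, and freshness is enforced by the timestamp in the authenticator.

```python
import hashlib
import hmac
import json
import os

# Added example (not from the slides). Toy cipher and assumed parameters.
MAX_SKEW = 300            # seconds of client/server clock difference tolerated
TICKET_LIFETIME = 8 * 3600


class KerberosError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise KerberosError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key


def check_authenticator(session_key: bytes, authenticator: bytes, ticket: dict, now: int) -> dict:
    """Used by both the TGS and the app server: the authenticator must decrypt under the
    ticket's session key, name the ticket's client and carry a fresh timestamp."""
    auth = unseal(session_key, authenticator)
    if auth["client"] != ticket["client"]:
        raise KerberosError("authenticator does not match ticket")
    if abs(auth["timestamp"] - now) > MAX_SKEW:
        raise KerberosError("clock skew too great")
    if now > ticket["expires"]:
        raise KerberosError("ticket expired")
    return auth


class KDC:
    """Holds every principal's long-term key; hosts both the AS and the TGS."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str, now: int) -> dict:
        # Steps 1-2: return a TGT sealed under the TGS key and the TGS session
        # key sealed under the client's password-derived key
        session = os.urandom(32).hex()
        tgt = {"client": client, "key": session, "expires": now + TICKET_LIFETIME}
        return {"tgt": seal(self.keys["krbtgt"], tgt), "enc_part": seal(self.keys[client], {"key": session})}

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> dict:
        # Steps 3-4: open the TGT, check the authenticator, issue a service ticket
        ticket = unseal(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(ticket["key"])
        auth = check_authenticator(session, authenticator, ticket, now)
        svc = os.urandom(32).hex()
        st = {"client": auth["client"], "key": svc, "expires": now + TICKET_LIFETIME}
        return {"ticket": seal(self.keys[service], st), "enc_part": seal(session, {"key": svc})}


class AppServer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        # Step 5: open the service ticket and verify the client; then prove our own
        # identity by echoing the client's timestamp under the service session key
        t = unseal(self.key, ticket)
        svc = bytes.fromhex(t["key"])
        auth = check_authenticator(svc, authenticator, t, now)
        return seal(svc, {"timestamp": auth["timestamp"]})


def client_login(kdc: KDC, app: AppServer, user: str, password: str,
                 client_now: int, server_now: int = None) -> bool:
    """Run the whole flow; separate clocks let the skew check be exercised."""
    server_now = client_now if server_now is None else server_now
    rep = kdc.as_exchange(user, server_now)
    session = bytes.fromhex(unseal(key_from_password(password), rep["enc_part"])["key"])
    auth = seal(session, {"client": user, "timestamp": client_now})
    rep2 = kdc.tgs_exchange(rep["tgt"], auth, app.name, server_now)
    svc = bytes.fromhex(unseal(session, rep2["enc_part"])["key"])
    ap_rep = app.ap_exchange(rep2["ticket"], seal(svc, {"client": user, "timestamp": client_now}), server_now)
    return unseal(svc, ap_rep)["timestamp"] == client_now   # server proved it holds the service key


def build_realm():
    keys = {"krbtgt": os.urandom(32), "app": os.urandom(32), "alice": key_from_password("alice-pw")}
    return KDC(keys), AppServer("app", keys["app"])
```

A wrong password surfaces as a failed integrity check on the AS reply (the client cannot recover the session key), and a client whose clock is more than MAX_SKEW away from the KDC is refused at the TGS, which is the operational reason Kerberos deployments depend on time synchronization.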
15. Others
Federated Access
- SSO for different networks and operating systems owned and managed by different organizations
RADIUS – Remote Authentication Dial In User Service
- Works with PPP, CHAP, PAP, EAP
- UDP ports 1812, 1813
- Not encrypted; susceptible to sniffing, replay attacks and denial of service
- Use IPsec to encrypt traffic, and use unique shared secrets
TACACS+ – Terminal Access Controller Access Control System
- Authentication, authorization and accounting
- Encrypts passwords and the entire payload
- TCP port 49
- TACACS and XTACACS – older – don’t use
LDAP – Lightweight Directory Access Protocol
- Not an authentication service
- X.500 objects and attributes
- TCP/UDP port 389
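The "not encrypted" bullet for RADIUS is concrete once you see the packet. The following is an added example, not from the slides: it implements the User-Password hiding from RFC 2865 section 5.2 (the only confidentiality RADIUS itself provides), builds a minimal Access-Request, and parses the attributes back out, which shows that everything except the password field, the User-Name included, travels in plaintext over UDP. The shared secret, Request Authenticator and account names are constructed values; the attribute parser is a minimal one written for this example.

```python
import hashlib
import struct

# Added example (not from the slides). Shared secret and authenticator below
# are constructed values; a real client generates a random 16-byte authenticator.


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The server reverses the transform. It depends only on the shared secret and
    the authenticator carried in the packet, so the secret's strength and uniqueness
    are all that protect the password on the wire."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(chunk, pad))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, username: bytes, hidden_pw: bytes) -> bytes:
    """Code 1 = Access-Request. Header: Code, Identifier, Length, 16-byte Request Authenticator."""
    attrs = attribute(1, username) + attribute(2, hidden_pw)   # 1 = User-Name, 2 = User-Password
    return struct.pack(">BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list of a packet; returns {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                       # malformed attribute; stop rather than loop forever
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_authenticator = bytes(range(16))     # constructed; should be random per request
    hidden = hide_password(secret, request_authenticator, b"hunter2")
    packet = build_access_request(7, request_authenticator, b"alice", hidden)
    print("packet bytes:", packet.hex())
    print("attributes on the wire:", parse_attributes(packet))
    print("recovered by server:", unhide_password(secret, request_authenticator, hidden))
```

Two things follow for the defender: a shared secret reused across many network access servers widens the blast radius of any single device compromise, which is the slide's "unique secrets" advice, and since the identifier and authenticator are the only per-request values, a captured Access-Request can be resent unchanged, which is the replay risk; carrying RADIUS inside IPsec addresses both sniffing and replay at the network layer.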