Identification, authentication, and authorization are three of the core concepts of access control. Together these items determine who gets into the network and what they have access to. A failure of any of these services can have detrimental results to the security of the organization. Identification is the process of identifying yourself to an authentication service. Authentication is the process of determining whether a user is who he or she claims to be. Authorization is the process of determining whether a user has the right to access a requested resource. These concepts are tied to one additional item: accountability, which is discussed in subsequent chapters. Accountability is the capability to relate specific actions and operations to a unique individual.
In network security, authentication is the process of determining the legitimacy of a user or process. Various authentication schemes have been developed over the years. These are some common authentication methods:
A quick review of this list should illustrate that all these forms of authentication can be distilled into three distinct types:
Some experts actually list four categories of authentication: something you know, something you have, something you are, and where you are.
Of these three types, probably the most widely used are usernames and passwords. The problem with this method is that passwords as a form of authentication are also one of the easiest to crack. Using passwords makes the network even more vulnerable because most individuals make passwords easy to remember, such as a birthday, an anniversary, or a child's name. Also, people have a limited memory, so the same password is often used to gain access to several different systems. With valid usernames and easily guessed passwords, a network is very close to losing two of the three items that ensure security, confidentiality, and integrity. Programs such as John the Ripper can quickly cycle through huge dictionary files looking for a match. This makes password security an important topic for anyone studying access control: Many times, it is all that stands between an intruder and account access. If you can't make the change to a more robust form of authentication, password policy should at least follow some basic guidelines:
A logon limit is also known as a clipping level in CISSP terminology. Remember that a clipping level is the threshold or limit that must be reached before action is taken.
Cognitive passwords are another interesting password mechanism that has gained popularity. For example, three to five questions might be asked, such as these:
If you answer all the questions correctly, you are authenticated. Cognitive passwords are widely used during enrollment processes and when individuals call help desks or request other services that require authentication. Cognitive passwords are not without their problems. For example, if your name is Paris Hilton and the cognitive password you're prompted for by T-Mobil is "What's your pet's name?" anyone who knows that your pet's name is Tinkerbell can easily access your account.
One-time passwords are used only once and are valid for only a short period of time. One-time passwords are usually provided through a token device that displays the time-limited password on an LCD screen.
A passphrase is a type of virtual password. Passphrases function by having someone enter the phrase into the computer. Software converts or hashes that phrase into a stronger virtual password that is harder for an attacker to crack.
The tokens described in the previous sections can be synchronous dynamic password tokens or asynchronous password devices. These devices use a Poloniums challenge-response scheme and are form-factored as smart cards, USB plugs, key fobs, or keypad-based units. These devices generate authentication credentials that are often used as one-time passwords. Another great feature of token-based devices is that they can be used for two-factor authentication.
Tokens that are said to be synchronous are synchronized to the authentication server. Each individual passcode is valid for only a short period of time. Even if an attacker were able to intercept a token-based password, it would be valid for only a limited time. After that small window of opportunity, it would have no value to an attacker. As an example, RSA's SecurID changes user passwords every 60 seconds.
Asynchronous token devices are not synchronized to the authentication server. These devices use a challenge-response mechanism. These devices work as follows:
Biometrics is a means of authentication that is based on a behavioral or physiological characteristic that is unique to an individual. Biometrics is a most accurate means of authentication, but it is also more expensive than the other methods discussed. Biometric authentication systems have been slow to mature because many individuals are adverse to the technology. Issues such as privacy are typically raised, although things have started to change somewhat after 9-11. More companies have felt the need for increased security, and biometric authentication systems have been one way to meet the challenge. Biometric systems work by recording information that is very minute and individual to the person. When the biometric system is first used, the system must develop a database of information about the user. This is considered the enrollment period. When enrollment is complete, the system is ready for use. So, if an employee then places his hand on the company's new biometric palm scanner, the scanner compares the ridges and creases found on the employee's palm to the one that is identified as that individual's in the device's database. Whether the employee gains access depends on the accuracy of the system.
Different biometric systems have varying levels of accuracy. The accuracy of a biometric device is measured by the percentage of Type I and Type II errors it produces. Type I errors (false rejection rate) are a measurement of the percentage of individuals who should have gotten in but were not allowed access. Type II errors (false acceptance rate) are the percentage of individuals who got in and should not have been allowed access. Together these two values determine the accuracy of the system. This is determined by mapping the point at which Type I errors equal Type II errors. This point is known as the crossover error rate (CER). The lower the CER, the betterfor example, if system A had a CER of 4 and system B had a CER of 2, system B would be the system with the greatest accuracy. Some of the most widely used types of biometric systems include these:
Before attempting the CISSP exam, make sure you understand the difference between Type I and Type II errors and the CER. Type II values are considered to be the most critical error rate to examine, while the CER is considered to be the best measurement of biometric systems accuracy.
Other considerations must be made before deploying a biometric system:
To make authentication stronger, you can combine several of the methods discussed previously. This combination is referred to as multifactor or strong authentication. The most common form of strong authentication is known as two-factor authentication. Tokens combined with passwords form an effective and strong authentication. If you have a bank card, you are familiar with two-factor authentication. Bank cards require two items to successfully access an account: something you have and something you know. These two items, your card and your PIN, grant you access to the account.
The decision to use strong authentication depends on your analysis of the value of the assets being protected. What are the dollar values of the assets being protected? What might it cost the organization in dollars, lost profit, potential public embarrassment, or liability if unauthorized access is successful?