Authentication




User authentication is the first step in accessing controlled system resources. Once the system knows who you are, it can provide you with the resources that you've been granted access to. This element of access control enables administrators to trace user activities and hold users responsible for their actions. A user name or identification, in conjunction with a password, is the most widely used method of authentication. User IDs must be unique on any given system for them to be effective. A user ID is not meant to be descriptive of a particular job function; it simply asserts one's identity and sets the stage for a system of access, accountability, and monitoring.

An individual can be identified on a system by entering a user ID and password, swiping a magnetic card, keying a code on a keypad, or by some physical trait unique to that user. Biometric authentication determines one's identity by a fingerprint or handprint, retina scan, facial scan, or voice recognition. Combining a physical trait or a possession (magnetic card, key, and so on) with a password or PIN (personal identification number) can further enhance security. This type of two-factor authentication is also known as Strong User Authentication (SUA). Remember, authentication itself does not determine the specific rights of a user; it's just the method of ensuring that the user is who they claim to be. Next, we will explore different types of authentication.

Passwords

Because passwords are the weakest link in any security system, it's important to know what makes them stand up well against brute force (or password guessing) attacks. Because many password-cracking programs use multilingual dictionaries and common name lists to get their ideas, words or names found in such references should never be used. The name of your company or organization should never be used either. Too many repeating characters within a password should be avoided as well. A lengthy, nonsensical combination of mixed-case letters, numbers, and symbols (if allowed by the system) is your best bet. This makes a password easier to forget, but there are a couple of tricks to help you remember. Examine these passwords: GreaterThan> therest, $tr0ngPa$S, Apri1inP@ris, and ParenTHETICALone(1). You get the idea. Make passwords as long as the system allows. Your password should also be changed on a regular basis. Most systems can be configured to make users change their passwords at predetermined intervals, but this should be done regardless. The more complicated your password, the less often you will need to alter it. Most systems also keep track of unsuccessful log-on attempts and lock out user accounts after a certain number of failed tries. Don't ever write down passwords anywhere, especially under your keyboard!

In Law #5 of their 'Ten Immutable Laws of Security,' Microsoft™ states, 'Weak passwords trump strong security.' (This Microsoft quote can be found online at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/10imlaws.asp.) In other words, no matter how sophisticated your server, a malicious user need only obtain your password to cause damage, steal sensitive data, or play 'you'; and you are exactly who will be held responsible.

User IDs are out there for the entire world to see and passwords can be guessed, cracked by software, or stolen. Although simple to administer, the future of enterprise security lies within the systems and devices that go beyond basic password authentication.

The following methods and criteria should be used to create strong passwords:

  • A strong password should be a minimum of seven characters in length.

  • The password should contain a combination of upper- and lowercase letters.

  • There should be at least one number contained in the password.

  • The password should contain at least one of the following characters: !@#$%^&*.

  • A password should never be a word from a dictionary, a person's name, family name, phone number, birth date, or favorite phrase.
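The five rules above, together with the repeated-character and organization-name advice from the Passwords section, translate directly into a policy check a system can run when a user picks a new password. The following Python is an added example, not code from the book; the word list, the organization name "acme", and the repeat-run limit are constructed values, and a real deployment would load a large dictionary from disk. It also normalises common letter-for-symbol substitutions before the dictionary check, so "P@ssword1" is still caught as "password".

```python
import re

# Constructed stand-in for the multilingual dictionary and common-name
# lists that cracking tools ship with; a real deployment would load a
# large word list from disk (assumption, not part of the original text).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey",
                "michael", "jennifer", "summer", "qwerty"}
ORG_NAME = "acme"            # constructed organization name to reject
REQUIRED_SYMBOLS = set("!@#$%^&*")
MIN_LENGTH = 7
MAX_REPEAT = 3               # a 4th identical character in a row is rejected

# Common substitutions that crackers try automatically, undone before matching.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "$": "s", "@": "a", "!": "i"})


def normalise(pw: str) -> str:
    """Undo letter/symbol substitutions so 'P@ssw0rd' still matches 'password'."""
    return pw.translate(_LEET).lower()


def password_problems(pw: str) -> list:
    """Return every policy rule the candidate violates (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not set(pw) & REQUIRED_SYMBOLS:
        problems.append("needs at least one of !@#$%^&*")
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, pw):
        problems.append("too many repeated characters in a row")
    plain = normalise(pw)
    if ORG_NAME in plain:
        problems.append("contains the organisation name")
    hits = [w for w in COMMON_WORDS if w in plain]
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    return problems


def is_strong(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    # Two of the book's own examples plus three constructed weak candidates.
    for candidate in ["$tr0ngPa$S", "Apri1inP@ris", "P@ssword1", "Acme2024!", "Ab1!"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'accepted'}")
```

Returning the list of violated rules rather than a bare yes/no lets the enrolment screen tell the user exactly what to change, which in practice is what keeps people from falling back to a sticky note.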

Here's a final note on passwords: All of the money that is spent by a company for security personnel, security mechanisms, and software can prove basically worthless if network users and company employees can't remember their network passwords and post them on computer monitors, under keyboards, or in desk drawers. Get the message? What good are all of the high-tech security mechanisms if basic security policies are not followed? We will discuss policies in Chapter 6.

Token-based Authentication

Token-based authentication is among the most widely used SUA systems. This method achieves a high level of security because the access information is carried in a portable unit. A perfect example of this technique in use is the ATM card. When you go to withdraw cash, you insert your card, which is always safe in your possession. You then enter a PIN, which stays safely tucked away in your mind. Automatic banking would have never gained the popularity it has if it weren't for this type of two-factor routine we go through to prove we are who we say we are. Can you imagine the nightmares it would create if all you needed were someone's name and PIN to empty their bank account? The ATM scenario is an example of a memory token, that is, the card holds data but does not process it. Many organizations are finding themselves in a situation where their data is as valuable, if not more valuable, than cash.

Another type of token-based system, such as the RSA SecurID®, uses a smart-token-enabled, battery-operated device. As with the ATM card, a PIN is entered into the system each time access is requested. The smart token system, however, contains access information and has the benefit of processing capabilities. These devices can contain internal clocks synchronized with their parent servers, adding another level to the security. The server compares its clock to the device clock, and if it gets a match, you get access. In addition to this time-synchronous routine, these devices share a uniformly updated seed (or random number) with the server, introducing yet another step in the algorithm used for authentication. Again, if this random number matches, you're in. All of these steps equal a nearly foolproof method of identifying an individual. One of the advantages of this type of authentication is its potential portability. Smart token systems can be integrated into devices already in your pocket, such as a handheld device or mobile phone.
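To make the time-synchronous, shared-seed routine concrete, here is an added Python example (not the book's code, and not RSA SecurID's proprietary algorithm) of both sides of a smart token. The token side derives a six-digit code from the shared seed and the current time step; the server side checks the PIN (something you know) and then the code (something you have), tolerating one step of clock drift and refusing to accept any code twice. The 60-second step, the drift window and the seed value are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 60      # seconds each displayed code is valid (constructed value)
DRIFT_STEPS = 1     # server accepts codes one step early or late for clock drift
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time: an HMAC of the current
    time step under the seed shared with the server, truncated to digits."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class TokenServer:
    """Server side of the two-factor check: PIN first, then the token code."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self._users[user] = {"salt": salt, "pin_hash": pin_hash,
                             "seed": seed, "last_counter": -1}

    def verify(self, user: str, pin: str, code: str, now: int) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(candidate, rec["pin_hash"]):
            return False                          # first factor failed
        base = now // TIME_STEP
        for step in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            counter = base + step
            if counter <= rec["last_counter"]:
                continue                          # each code may be used only once
            expected = token_code(rec["seed"], counter * TIME_STEP)
            if hmac.compare_digest(expected, code):
                rec["last_counter"] = counter     # remember the step just consumed
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-seed-value"              # would be burned into the token
    now = 1_700_000_000
    server = TokenServer()
    server.enroll("alice", "1234", seed)
    shown = token_code(seed, now)
    print("first use:", server.verify("alice", "1234", shown, now))    # True
    print("replayed :", server.verify("alice", "1234", shown, now))    # False
```

Two details matter for the "nearly foolproof" claim in the text: the server remembers the last time step it accepted, so a code captured over someone's shoulder is useless once it has been used, and both comparisons go through `hmac.compare_digest` so that a guess cannot be timed character by character.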

Kerberos v5 Authentication

Developed by the Massachusetts Institute of Technology (MIT), Kerberos is a network authentication protocol that employs strong cryptography enabling secure client/server communications over an insecure connection. Known as a distributed authentication service, Kerberos allows users to identify themselves on a network without exchanging data (passwords) that a third party could intercept. This type of cryptographic authentication shields the identification process from prying eyes. It's important to understand that the Kerberos protocol does not protect all data exchanged between two systems. It encrypts only messages sent between 'Kerberized' applications or software that was built or modified to take advantage of this protocol. Think of Kerberos as simply another type of language used in the authentication process. It doesn't provide the authentication itself; rather, it provides a mechanism through which authentication information can be exchanged securely.

The Kerberos authentication protocol is outlined in detail in Request for Comments (RFC) 1510. It uses a string of encoded messages and the issuance of special tickets to verify the identification of the user in question and allow or disallow a user's access to objects. Appropriately named after the three-headed dog that guards the gates of Hades in ancient Greek mythology, Kerberos works as follows.

The first step in this process is, as always, the request for access. Using a password or smart card, the user attempts to access a service. The rest of what follows is transparent to the user. Upon receiving the request, the authentication server (AS) issues a ticket-granting ticket (TGT) to the client. This encrypted ticket includes the user's password and a random seed representing the requested network service. The client machine then returns the ticket to the ticket-granting server (TGS), which may or may not be the same machine as the AS. The TGS then issues a service ticket to the client. Once the client machine possesses this service ticket, the ticket can be used to request a service. The service ticket verifies the user's identity to the service. It is the credentials that the service uses to allow or deny access by a client machine. Furthermore, the TGS time-stamps service tickets, enabling further requests to be made by the client without repeating the process. The expiration time is typically within five to 10 hours of issuance. However, if the network is on a large scale and the user attempts to access resources maintained by a different AS, reauthorization will be necessary unless the system supports Single Sign-On.
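The AS exchange, TGS exchange and final service check described above can be walked through in a single process. The following Python is an added, deliberately simplified model written for this section, not MIT's Kerberos implementation or the book's code: a toy HMAC-based sealing function stands in for the real Kerberos encryption types, string-to-key is a plain hash, and the AS and TGS live in one `KDC` object. What it does show faithfully is the shape of the protocol: the user's password never travels over the network, the TGT is readable only by the TGS, the service ticket is readable only by the service, every ticket carries an expiry (eight hours here, inside the five-to-10-hour range the text gives), and each hop is accompanied by an authenticator sealed under the session key.

```python
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # constructed value within the 5-10 hour range in the text
CLOCK_SKEW = 300             # authenticators older than 5 minutes are refused


# --- toy authenticated encryption (stand-in for real Kerberos enctypes) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON document under key (nonce || ct || tag)."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key


class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) in one place."""

    def __init__(self):
        self.principals = {}             # user or service name -> long-term key
        self.tgs_key = os.urandom(32)    # known only to the TGS

    def register(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password)

    def as_request(self, user: str, now: int) -> bytes:
        """AS exchange: reply is only useful to someone holding the user's key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session,
                                  "expires": now + TICKET_LIFETIME})
        return seal(self.principals[user], {"session": session, "tgt": tgt.hex()})

    def tgs_request(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS exchange: TGT plus a fresh authenticator buys a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired; user must reauthenticate")
        session = bytes.fromhex(t["session"])
        auth = unseal(session, authenticator)
        if auth["user"] != t["user"] or abs(now - auth["time"]) > CLOCK_SKEW:
            raise ValueError("bad authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.principals[service], {
            "user": t["user"], "session": svc_session,
            "expires": min(t["expires"], now + TICKET_LIFETIME)})
        return seal(session, {"session": svc_session, "ticket": ticket.hex()})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """What the Kerberized service does: decrypt the ticket, check the authenticator."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    if auth["user"] != t["user"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket")
    return t["user"]


def login_and_access(kdc: KDC, user: str, password: str, service: str, now: int) -> str:
    """Whole client side; note the password is used only to derive a local key."""
    as_reply = unseal(derive_key(password), kdc.as_request(user, now))  # wrong password -> ValueError
    session, tgt = bytes.fromhex(as_reply["session"]), bytes.fromhex(as_reply["tgt"])
    tgs_reply = unseal(session, kdc.tgs_request(
        tgt, seal(session, {"user": user, "time": now}), service, now))
    svc_session = bytes.fromhex(tgs_reply["session"])
    ticket = bytes.fromhex(tgs_reply["ticket"])
    return service_accepts(kdc.principals[service], ticket,
                           seal(svc_session, {"user": user, "time": now}), now)


if __name__ == "__main__":
    kdc = KDC()
    kdc.register("alice", "Apri1inP@ris")      # user principal (constructed)
    kdc.register("fileserver", "svc-secret")   # service principal (constructed)
    print("service sees:", login_and_access(kdc, "alice", "Apri1inP@ris", "fileserver", 1_700_000_000))
```

Reading the code against the text: the AS reply is sealed under the user's key, so a wrong password simply fails to unseal it (no password is ever sent or compared on the wire); the TGT is opaque to the client and is only returned to the TGS; and the service never talks to the KDC at all, trusting the ticket because only the KDC could have sealed it under the service's key.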

Note 

For the exam, be aware that a Kerberos server is used for authentication and encryption.

More information regarding Kerberos and other Microsoft security related technical information can be found at the Microsoft MSDN Web site at the following URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/using_security_packages.asp/.

Single Sign-On

Many networks today have multiple servers in different buildings, or indeed different cities, running several operating systems and providing users with tons of resources. The more passwords a user needs to remember in order to access all that data, the higher the likelihood of those passwords being recorded in places other than their heads; for instance, places such as beneath their keyboards (tsk, tsk). Also, users will select the same password for access on different systems. If just one of those systems has an insecure authentication method, an attacker can intercept the transmission, detect the password, and gain access to other 'secure' systems.

SSO provides a secure way for users to be authenticated just once while enabling enterprise-wide access to data. It also simplifies the administration of tasks such as disabling a user account. In an SSO environment, the network administrator, whose time is surely tight, can disable just one account and be assured that there's no lingering access on a machine somewhere in the network. There are many methods available to enable SSO in one form or another and many are costly and difficult to implement. They can benefit us by creating a more efficient authentication process but there are precautions to take to prevent hackers from exposing SSO weaknesses and killing many resources with one stone.

As we've discussed, strong passwords are a must. This is even more important to consider when one-stop authentication is in effect. Systems implementing SSO should enforce the selection of stronger passwords. They should demand alphanumeric, mixed-case passwords of at least seven characters. An SSO environment should also employ two-factor authentication because a compromise of security could be more damaging.

Exactly how SSO is implemented depends on whose product you use to deploy it. Novell®, Inc. and Passlogix®, Inc., for example, have combined their technologies to create what they call the Novell Single Sign-on (NSSO) 2.1 bundle. This implementation introduces a low overhead method of adding SSO to an existing Novell network. Novell claims that their process ensures secure SSO capabilities providing access to UNIX hosts, Web sites, desktop applications, and in-house applications while protecting passwords in a patented repository. Another system taking a public/private key approach to SSO is called SESAME (Secure European System for Applications in a Multi-vendor Environment). SESAME's development began with the open systems standards work of the ECMA (European Computer Manufacturers Association). This implementation is not a complete product but rather a foundation upon which vendors can develop other SSO technologies. Concepts within the SESAME project have been used to develop an expanded version of Kerberos that supports some of the ECMA's security architecture.

Biometrics

Character-based authentication methods allow or disallow access to systems, resources, or physical locations based on physical characteristics. Biometrics is a combination of science and technology that is used to gather and measure human characteristic information from a subject and use that information as a means to allow or disallow access. Some of the most popular characteristics that can be measured and used with scanning devices through the use of biometric technology are handwriting, hand imprints, fingerprints, and retina, iris, and voice patterns.

Note 

A retina scanner is currently the most secure biometric device available. Fingerprint devices and signature scanner devices are the most widely accepted forms of biometric implementation. However, they are not as secure as retina scanning devices.

Biometric security is considered to be among the most secure methods to allow or disallow access. The high demand for this secure technology can be seen in just about every aspect of our daily lives. Bank and purchasing transactions can utilize this technology. Government, military, and corporate environments will employ this technology wherever the need for a reliable personal identification system is required. However, the use of biometrics is still considered to be in its infant stage of development.

Biometric authentication can currently be implemented into a network infrastructure to allow secure access to applications, domains, workstations, and servers. It can be used locally or as an authentication method for remote access. Biometric solutions can also be implemented with other access methods of authentication such as smart cards, encrypted keys, and digital signatures.

Most believe the future of network security lies within the biometric realm. Many police organizations already realize the benefit of using retina scanning as a means of identification.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
