4.2 Qualifying authentication


The security quality of an authentication infrastructure largely depends on the following two factors: the security protocol and the authentication method.

From a protocol point of view, it always better to use a proven open security standard than a proprietary authentication protocol. This is because open standards tend to be better tested; this means tested by a larger community of vendor-neutral people. Open standards also tend to be supported on multiple platforms; proprietary protocols tend to be bound to a single platform. A well-known example of a proven open authentication protocol is the Kerberos protocol [defined in Request for Comments (RFC) 1510]. An example of a proprietary protocol is Microsoft’s NTLM (NT– LAN Manager) authentication protocol.

Table 4.1 gives an overview of common authentication protocols used in IT today. Note that this list is not exhaustive.

Table 4.1: Common IT Authentication Protocols

Authentication Protocol

Comment/References

Basic Authentication

Basic authentication is the authentication protocol defined in the HTTP standard. It uses a base64 user ID-password authentication exchange.

Digest Authentication

Digest authentication is another HTTP-based authentication protocol. Digest uses a challenge-response–based protocol. Like basic authentication, the credentials are user ID-password–based. Unlike basic authentication, the credentials are not sent across the network.

SSL/TLS

SSL stands for Secure Sockets Layer; TLS stands for Transport Layer Security and is the follow-up protocol to SSL that has been standardized by the IETF. SSL/TLS operates on the OSI transport layer and uses certificates to authenticate both the client side and the server side. It can be used to add strong authentication to SMTP, HTTP, NNTP, and other application-level protocols.

Kerberos

Defined in RFC 1510, Kerberos is the default authentication protocol in a Windows 2000 and Windows Server 2003 domain.

NTLM

Proprietary authentication protocol developed by Microsoft, NTLM is the default authentication protocol of Microsoft Windows NT4.

The quality of the authentication method mainly depends on the number of factors (or credentials) it considers when authenticating a user. One of the most used authentication methods—user ID and password—is a one-factor authentication method. It uses a single “factor”—knowledge— to authenticate a user.

Multifactor authentication methods authenticate a user based on multiple factors. That is why they will also offer higher security quality than single-factor authentication methods. A good example of a multifactor authentication system is a smart card: It combines possession (of the card) and knowledge (of the card’s PIN code). Table 4.2 gives an overview of different authentication methods and the number of authentication factors they support.

Table 4.2 : Overview of Authentication Methods

Authentication Method

Authentication Factor

Password/ PIN

Smart card/token

Biometric device

Biometric and smart card

Dial-back

Knowledge

X

X

X

Possession

X

X

Biometric Data

X

X

Location

X

So far we have only discussed password-based credentials (see Chapter 2) as a means to authenticate users against a Windows authentication authority. You can obviously also provide stronger authentication methods to your Windows users. Table 4.3 shows some of the stronger and/or multifactor authentication solutions that are available for Windows (note that this list is not exhaustive).

Table 4.3: Strong and Multifactor Authentication Options for Windows

Strong Authentication Option (Authentication Factors)

Sample venDors (More Info At…)

Smart card (knowledge and possession)

Built-in support with Windows 2000 and later OSs (more details are provided in Chapters 5 and 17)

Security token (knowledge and possession)

RSA Security SecurID (http://www.rsasecurity.com/products/securid/index.html)

Fingerprint (biometric data)

Identix Biologon (http://www.identix.com/products/pro_info_biologon.html)

Iris scan (biometric data)

Iridian Technologies Iris Recognition (http://www.iridiantechnologies.com)

Facial scan (biometric data)

Biovisec Nemesis (http://www.biovisec.com)

The number of authentication factors is not the only quality-related element of an authentication method. Much also depends on how the authentication method is implemented and how applications are using the authentication method. For example, a fingerprint-based authentication solution will not bring much extra security if the fingerprint image is sent in the clear to an authentication server after it has been recorded by a bio- metric device.

Many IT environments require the authentication infrastructure to support multiple authentication methods and protocols. This may be necessary because the environment supports internal and external users who are using a variety of methods and protocols to access resources. Another reason why different authentication methods and protocols may be needed is because resources have different value or contain more sensitive information. Access to confidential information, for example, may require a stronger authentication method than access to information published on the corporate Inter- net Web site. In some authentication infrastructures, this feature is known as “graded authentication.” This simply means that the resources and information a user is allowed to access will vary depending on the strength of the authentication protocol and method the user used to authenticate. An example of a product providing this kind of functionality is Novell’s Modular Authentication Service (NMAS).

When implementing a security solution, you should not just look at the quality of the authentication solution. Perhaps the most important factor to take into account is risk: The strength of the authentication solution that is required for a particular IT environment depends on the security risks that are associated with that environment. The higher the risk, the stronger security solutions are required. Security risks are a function of the probability that a security incident will occur and the cost of a security incident for your organization.




Windows Server 2003 Security Infrastructures. Core Security Features of Windows. NET
Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
EAN: 2147483647
Year: 2003
Pages: 137
Authors: Jan De Clercq

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net