
Authentication Applications

University of Palestine. Information Security Principles. Authentication Applications. Supervised by: Ms. Eman Alajrami. Prepared by Mahmoud Dalloul, Wisam Abu Karsh and Nidal El-Borbar.


Presentation Transcript


  1. University of Palestine, Information Security Principles: Authentication Applications. Supervised by: Ms. Eman Alajrami. Prepared by: Mahmoud Dalloul, Wisam Abu Karsh, Nidal El-Borbar

  2. Outline: Part “01” by Nidal El-Borbar • Introduction • Types of Authentication • Applications and Authentication Part “02” by Mahmoud Dalloul • Kerberos • Introduction to Kerberos • Why is Kerberos needed? • Requirements for Kerberos • Versions of Kerberos Part “03” by Wisam Abu Karsh • Web site authentication

  3. Part “01”: Introduction • Authentication is the act of establishing identity via the presentation of information that allows the verifier to know that the presenter is who or what it claims to be. This identity could be any number of things, including: • People • Systems • Applications • Messages

  4. Types of Authentication There are many different types of authentication that can be used in an application. The selection of the most appropriate type of authentication will depend on the needs of the application; use this guide to determine which makes the most sense for your application. • Basic, single-factor authentication • Multi-factor authentication • Cryptographic authentication

  5. Basic authentication Basic authentication is a commonly used term that most people probably understand already. It refers to password-based authentication. A password can be any information that is used to verify the identity of a presenter. Common examples that fall into this category are: • The common password • Host or system names • Application names • Numerical IDs

  6. Multi-Factor Authentication • Multi-factor authentication is the use of a combination of authentication methods to validate identity. The most commonly used description of multi-factor authentication is the use of information that is known only by the person, combined with something in his or her possession. These are typically: • The name and password • Some form of token

  7. Note: some form of token. A token is a hardware component used during the authentication process; it typically provides another piece of information that cannot be obtained without physical control of the token. Different types of tokens used in multi-factor authentication are: • Smart cards • One-time passwords/phrases • Single-use PINs or pseudo-random numbers • Biometric information • Multi-factor authentication provides the following additional benefits: • Difficult to spoof and impersonate • Easy to use

  8. Cryptographic Authentication • The final form of authentication outlined here is that which utilizes cryptography. This includes the following forms: • Public Key Authentication • Digital Signatures • Message Authentication Code • Password permutation

  9. Applications and Authentication • Now that the various authentication methods have been outlined, we can look at their use in applications. The following application-specific areas will be covered: • Identifying what needs authentication • Choosing the appropriate authentication method(s) • Guidelines for implementing authentication

  10. Identifying the Need for Authentication • The following questions help the application designer and developer understand whether there is a need for authentication within their application: • Are there multiple users or applications that will interact with the application in question? • If multiple entities are expected, will they all access exactly the same data, configuration, and information, or will each have its own set of information, regardless of how small? • Is the application running in a completely closed and trusted area, wherein there is no person, system, or application that will access it from untrusted parts—such as the Internet, other networks, or unknown applications? • Is there a concept of privileged information or functionality and the separation or isolation of this within the application? • If the answer to any of these questions is "yes," authentication is needed within the application.

  11. Choosing the Appropriate Authentication Methods • Internal or local service-based authentication • Local Authentication • There are several reasons, or combinations of reasons, that may warrant implementation of local, internal authentication within an application: • Stand-alone application • No or intermittent communication capabilities • Limited, small, or embedded applications • Restricted application resources

  12. External service-based authentication and integration. It is often desirable that an application co-exist with other applications and share common information, including authentication information. Such services include: • LDAP: Lightweight Directory Access Protocol • Active Directory • NIS/NIS+: Network Information Service • Kerberos (which Mahmoud Dalloul will talk about in Part “02”)

  13. Guidelines for Implementation • This section covers some general guidelines that are helpful during implementation of authentication services. The guidelines are organized into the following sections: • Approaches to sensitive data • Security strength versus business factors • Usability

  14. When deciding on an authentication mechanism, the natural pressures of deliverables, schedules, and customers can force difficult decisions that often leave security out of the picture. The following comparison covers these aspects: • Ease of implementation: how simple or complex the implementation can be, taking into consideration the availability of libraries and standards. • Ease of management: the complexity of managing the authentication environment, considering the addition and removal of users and the updating of credentials. • Ease of deployment: the complexity of deploying the authentication technology across simple and advanced environments, considering hardware and software requirements.

  15. Strength: the overall security strength, considering methods of attack and compromise, inherent weaknesses, and scalability over large environments. End of Part “01”

  16. Part “02”: Introduction to Kerberos • An authentication service developed for Project Athena at MIT • Provides: • strong security on a physically insecure network • a centralized authentication server which authenticates • users to servers • servers to users • Relies on conventional (symmetric) encryption rather than public-key encryption

  17. Why is Kerberos needed? Problem: in an open distributed environment, workstations cannot be trusted to identify their users correctly. Three threats: • A user pretending to be another user from a workstation • Sending requests that appear to come from an impersonated workstation • Replaying captured exchanges to gain service or disrupt operations

  18. Why is Kerberos needed? (cont.) Solution: • Building elaborate authentication protocols at each server, or • A centralized authentication server (Kerberos)

  19. Requirements for Kerberos • Secure: an opponent should not find it to be the weak link • Reliable: one system should be able to back up another • Transparent: a user should not be aware that authentication is taking place • Scalable: the system should support a large number of clients and servers

  20. Versions of Kerberos • Two versions are in common use • Version 4 is the most widely used version • Version 4 uses DES • Version 5 corrects some of the security deficiencies of Version 4 • Version 5 has been issued as a draft Internet Standard (RFC 1510)

  21. Kerberos 4 Overview • a basic third-party authentication scheme • uses DES buried in an elaborate protocol • Authentication Server (AS): • the user initially negotiates with the AS to identify itself • the AS provides a non-corruptible authentication credential (the ticket-granting ticket, TGT) • Ticket Granting Server (TGS): • users subsequently request access to other services from the TGS on the basis of their TGT

  22. Kerberos 4 Overview
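The AS, TGS and application-server exchanges of slides 21 and 22, as an added Python example that is not part of the presentation: the user's key is derived from the password, the AS issues a TGT, the TGS swaps it for a service ticket, and both the TGS and the service check the ticket lifetime and the authenticator timestamp before accepting the client. The names (alice, printsrv), the HMAC-based stand-in cipher used instead of DES and the 60-second authenticator window are assumptions of this example, not details from the slides.

```python
import hashlib, hmac, json, os, time

# Toy symmetric encryption (HMAC-SHA256 keystream + tag) standing in for the DES
# that Kerberos v4 uses; the ticket/authenticator structure is what matters here.
def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def enc(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

# Constructed KDC database: the user's key is derived from the password; the TGS and
# the application server each share a long-term key with the Kerberos server.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
        "tgs": os.urandom(32), "printsrv": os.urandom(32)}
LIFETIME = 300                                    # ticket lifetime in seconds

def issue_ticket(server, client, now, skey):      # Ticket = E(K_server, [c, s, ts, life, K_c,s])
    return enc(KEYS[server], {"c": client, "s": server, "ts": now,
                              "life": LIFETIME, "k": skey.hex()}).hex()
def as_exchange(client, now):                     # AS: hand out the TGT under the user's key
    k = os.urandom(32)
    return enc(KEYS[client], {"k": k.hex(), "tkt": issue_ticket("tgs", client, now, k)})
def verify(server, ticket_hex, auth, now):        # done by the TGS and by the application server
    t = dec(KEYS[server], bytes.fromhex(ticket_hex))
    a = dec(bytes.fromhex(t["k"]), auth)          # authenticator proves possession of K_c,s
    if t["s"] != server or a["c"] != t["c"]:
        raise ValueError("ticket and authenticator disagree on names")
    if not t["ts"] <= now <= t["ts"] + t["life"] or abs(now - a["ts"]) > 60:
        raise ValueError("expired ticket or stale authenticator (replay?)")
    return t
def tgs_exchange(tgt_hex, auth, service, now):    # TGS: swap the TGT for a service ticket
    t = verify("tgs", tgt_hex, auth, now)
    k = os.urandom(32)
    return enc(bytes.fromhex(t["k"]), {"k": k.hex(), "tkt": issue_ticket(service, t["c"], now, k)})
def login(client, password, service, now=None):   # client side of all three exchanges
    now = now or int(time.time())
    r1 = dec(hashlib.sha256(password).digest(), as_exchange(client, now))
    k_tgs = bytes.fromhex(r1["k"])
    r2 = dec(k_tgs, tgs_exchange(r1["tkt"], enc(k_tgs, {"c": client, "ts": now}), service, now))
    k_v = bytes.fromhex(r2["k"])
    return verify(service, r2["tkt"], enc(k_v, {"c": client, "ts": now}), now)["c"]
```

The password never leaves the client: a wrong password simply fails to decrypt the AS reply, and an authenticator captured earlier is rejected by the timestamp window.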

  23. Kerberos Realms • a Kerberos environment consists of: • a Kerberos server • a number of clients, all registered with the server • application servers, sharing keys with the server • this is termed a realm • typically a single administrative domain • if there are multiple realms, their Kerberos servers must share keys and trust each other

  24. Kerberos Version 5 • developed in the mid-1990s • provides improvements over v4 • addresses environmental shortcomings: • encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication • and technical deficiencies: • double encryption, non-standard mode of use, session keys, password attacks • specified as Internet standard RFC 1510 End of Part “02”

  25. Part “03”: Web site authentication

  26. Introduction: web site authentication has two parts: 1. Internet Information Server (IIS) 2. ASP.NET

  27. Internet Information Server (IIS) • IIS authentication: IIS is a server software program, and there are four authentication mechanisms that an IIS server can use: 1. Anonymous authentication 2. Basic authentication 3. Integrated Windows authentication 4. Digest authentication

  28. Anonymous authentication: 1. The default mechanism used by an IIS server. 2. Allows the user to browse the web application without entering a user name and password.

  29. Basic authentication: this form of authentication requires a user name and password, but the password is sent without encryption, so it is not secure and is easily compromised.

  30. Integrated Windows authentication • This form of authentication requires that the user have the right to log in within the Windows 2000 domain. • Preferably used in business-to-business (B2B) web applications where the number of users is relatively small.

  31. Digest authentication: this mechanism is quite like Basic authentication, but it is more secure because the password itself is not sent in the clear.
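To make the Basic-versus-Digest contrast of slides 29 and 31 concrete, an added Python example (not from the presentation): what anyone who can read an unencrypted HTTP request recovers from a Basic header, against the RFC 2617 Digest computation in which only a nonce-bound hash of the password travels and the server recomputes it. The user store, realm and nonce values are constructed for the example.

```python
import base64, hashlib, hmac

# Constructed server-side credential store; a real Digest server would store
# HA1 = MD5(user:realm:password) rather than the password itself.
USERS = {"wisam": "S3cret!"}

def basic_header(user, password):
    """Client side of Basic: the credentials are only base64-encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_on_the_wire(header):
    """What an observer of a clear-text HTTP request recovers from a Basic header."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth: the password enters only through a hash."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_server_check(issued_nonces, realm, user, method, uri, nonce, nc, cnonce, response):
    """Server side: reject nonces it never issued, then recompute and compare the digest."""
    if user not in USERS or nonce not in issued_nonces:
        return False
    expected = digest_response(user, USERS[user], realm, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Digest keeps the password off the wire and ties the response to the request URI and a server nonce, but it still rests on MD5 and on the server tracking nonces, so in practice both mechanisms belong behind TLS.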

  32. ASP.NET • Forms authentication • Passport authentication • Windows authentication

  33. Forms authentication: this mechanism relies on a registration (login) form, which the user can reach at any time when sign-in is needed. When more privacy is required, for example when the user wants to buy something from the application, the user is redirected to the login form and, after a successful login, is redirected back to the page originally visited.

  34. Passport authentication: a service provided by Microsoft for web sites such as MSN and Hotmail; a site can subscribe to it after signing a contract with the company. This authentication works as follows: • When the application requires user authentication, the user is redirected to the Passport login service, and details of the requesting application are passed to the service automatically. • After a successful login, the user is redirected back to the original application that requested it. The steps are similar to the Forms authentication mechanism, but differ in that the service passes the encrypted user authentication to the ASP.NET application. To use this service, the Passport SDK must be downloaded.

  35. Windows authentication: a mechanism in which user authentication is based on the user's login rights in the Windows 2000 domain.

  36. Authentication

  37. Authentication

  38. Authentication Procedures: • Three alternative authentication procedures: • One-Way Authentication • Two-Way Authentication • Three-Way Authentication • All use public-key signatures

  39. One-Way Authentication: • 1 message (A->B) used to establish: • the identity of A and that the message is from A • that the message was intended for B • the integrity & originality of the message
      Message 1, A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
      ta = timestamp, ra = nonce, B = identity of the intended recipient, sgnData = data signed with A’s private key

  40. Two-Way Authentication • 2 messages (A->B, B->A) which in addition establish: • the identity of B and that the reply is from B • that the reply is intended for A • the integrity & originality of the reply
      Message 1, A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
      Message 2, B -> A: B{tb, rb, A, sgnData, KUa[Kab]}

  41. Three-Way Authentication • 3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks
      Message 1, A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
      Message 2, B -> A: B{tb, rb, A, sgnData, KUa[Kab]}
      Message 3, A -> B: A{rb}
      End of Part “03”
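The procedures of slides 38 to 41 (the X.509 authentication procedures of the cited Stallings text), as an added Python example that is not from the presentation: the checks the receiver performs on each message, and why the third message lets B authenticate A without synchronized clocks. Signing is modelled with an HMAC over constructed keys as a stand-in for sgnData, and KUb[Kab] (the session key under the recipient's public key) is a labelled placeholder; the 120-second clock window is an assumption.

```python
import hashlib, hmac, json, os

# Constructed long-term keys. A keyed MAC stands in for the slides' public-key
# signature (sgnData); the "kab" field is a placeholder for KUb[Kab] / KUa[Kab].
SIGN_KEYS = {"A": os.urandom(32), "B": os.urandom(32)}
CLOCK_SKEW = 120   # seconds of drift tolerated when a timestamp is checked

def sign(sender, fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body.hex(), "sig": hmac.new(SIGN_KEYS[sender], body, hashlib.sha256).hexdigest()}

def check(sender, msg, me, my_nonce=None, now=None):
    """Receiver-side checks: origin, intended recipient, nonce binding, optional timestamp."""
    body = bytes.fromhex(msg["body"])
    if not hmac.compare_digest(msg["sig"], hmac.new(SIGN_KEYS[sender], body, hashlib.sha256).hexdigest()):
        raise ValueError("signature invalid: message is not from " + sender)
    f = json.loads(body)
    if f["to"] != me:
        raise ValueError("message intended for %s, not %s" % (f["to"], me))
    if my_nonce is not None and f.get("r_peer") != my_nonce:
        raise ValueError("nonce mismatch: reply is not bound to my challenge (replay?)")
    if now is not None and abs(now - f["t"]) > CLOCK_SKEW:
        raise ValueError("timestamp outside acceptance window")
    return f

def one_way(now_a, now_b):
    """Message 1 only: B must rely on ta, so A's and B's clocks have to agree."""
    m1 = sign("A", {"t": now_a, "r": os.urandom(8).hex(), "to": "B", "data": "hello", "kab": "<KUb[Kab]>"})
    return check("A", m1, me="B", now=now_b)["data"]   # B should also reject a reused ra within the window

def three_way(now_a, now_b):
    """Messages 1-3: nonces replace clock checks, so now_a and now_b may differ wildly."""
    ra = os.urandom(8).hex()
    m1 = sign("A", {"t": now_a, "r": ra, "to": "B", "data": "hello", "kab": "<KUb[Kab]>"})
    f1 = check("A", m1, me="B")                        # B: from A, meant for B; ta not trusted
    rb = os.urandom(8).hex()
    m2 = sign("B", {"t": now_b, "r": rb, "r_peer": f1["r"], "to": "A", "data": "ack", "kab": "<KUa[Kab]>"})
    f2 = check("B", m2, me="A", my_nonce=ra)           # A: reply bound to ra, so B is live
    m3 = sign("A", {"to": "B", "r_peer": f2["r"]})     # A{rb}: proves A saw B's fresh nonce
    check("A", m3, me="B", my_nonce=rb)                # B: A is live, no clock needed
    return f1["data"], f2["data"]
```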

  42. References • http://www.developer.com/design/article.php/10925_3600351_2 • Cryptography and Network Security, 4th edition, Prentice Hall, Nov 2005. • http://nosheep.net/story/authentication-definition/

  43. Thank You With Our Best wishes.
