Security+ - Authentication and Identity Verification

From Techotopia
Revision as of 17:23, 11 February 2008

In the preceding chapter of Security+ Essentials we looked in detail at the various levels of access control used to govern access to system resources once a user has logged into a system. While access control provides a high level of control over what a user can do once they are on the system, it does nothing to prevent unauthorized users from logging onto the system in the first place. As mentioned previously, any comprehensive IT security strategy must consist of multiple layers of security. One of the cornerstones of a good strategy involves the use of authentication and identity verification. In this chapter the various methods of authentication will be covered.

What is Authentication?

Authentication is the process of preventing unauthorized users from gaining access to computer systems and networks. It takes a number of different forms, ranging from verifying account credentials (using, amongst other things, a login name and password) to physical identity verification (using biometrics such as fingerprint scanning technology) to confirming that the client system from which a user is attempting to connect to a server is really the authorized client system.

Username and Password

Perhaps the most rudimentary and least secure level of authentication involves the use of a username and password to access a system. This approach simply presents the user with prompts for a username and password which, if entered correctly, permit access to the system. For many years this was the primary form of authentication control.

The weakest form of username and password authentication uses plain text communication, where both credentials are transmitted to the server in an unencrypted format, allowing anyone eavesdropping on the connection with sniffing technology to easily identify the username and password and use them to gain unauthorized system access. Technologies such as telnet send authentication credentials in plain text. For this reason alone, the use of telnet for providing remote access to systems has been largely discontinued in favor of encrypted alternatives.

Technologies such as Secure Shell (ssh) still use a username and password, with the difference that the username and password are transmitted encrypted, making it much harder for an eavesdropper to intercept and use these credentials.

Even with encryption, the username and password approach to authentication has a number of inherent weaknesses. Firstly, it identifies only an account and does nothing to verify that the person accessing the account is an authorized user. As such, if the username and password fall into the wrong hands (it is amazing how many people have their username and password written on a piece of paper stuck to their monitor), the authentication mechanism has no way of knowing that the wrong person is logging in.

Secondly, username and password security is only as secure as the choice of password. If a weak password is chosen, it increases the chance that the password will be guessed or cracked using automated password cracking tools. This problem is generally mitigated by enforcing strict rules on passwords, so that users are prevented from setting weak passwords. Password cracking may also be easily prevented by disabling an account after a specified number of invalid password entries.


Challenge Handshake Authentication Protocol (CHAP)

Approaches to authentication such as the username and password scheme outlined previously perform authentication once, at the point that the user logs into the system. An alternative to this approach is provided by the Challenge Handshake Authentication Protocol (CHAP), which repeats an authentication procedure at random intervals during an ongoing connection between a client and a service.

The CHAP authentication scheme is used primarily by Point-to-Point Protocol (PPP) servers as a way to validate the identity of remote clients (perhaps most commonly by internet service providers). At random time intervals, CHAP verifies the identity of the client using something known as a three-way handshake. This verification is performed using a credential which is known to both the client and the service (typically the user's password).

After the link between the client and the server (also known as the authenticator) has been established, the authenticator sends a challenge message to the peer. The peer then responds to the authenticator with a hash value calculated using the Message Digest 5 (MD5) hashing algorithm. The authenticator checks the client's response against its own calculation of the expected hash value. If the two values match, the authenticator acknowledges the authentication. If the values do not match, the connection is terminated. These steps are repeated at random intervals.
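The three-way handshake described above, with both the authenticator's and the peer's side of the exchange, is worked through in the following added example. It is not code from Techotopia or from any PPP implementation; it follows the response construction of RFC 1994 (MD5 over the one-octet identifier, the shared secret and the challenge), while the Authenticator and Peer classes, the run_session driver and the sample name "alice" and its secret are constructed for the demonstration. The example also shows why the authenticator must issue a fresh random challenge each time and accept each response only once: a recorded response from an earlier round no longer matches.

```python
import hashlib
import hmac
import os
from typing import Callable


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge). The secret never
    crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical PPP server side. Holds the shared secrets and the outstanding challenge."""

    def __init__(self, secrets_db: dict[str, bytes]) -> None:
        self._secrets = dict(secrets_db)
        self._identifier = 0
        self._outstanding: tuple[int, bytes] | None = None

    def challenge(self, rng: Callable[[int], bytes] = os.urandom) -> tuple[int, bytes]:
        """Step 1: send (Identifier, Challenge). The identifier increments so late or replayed
        responses can be told apart; the challenge value is fresh randomness."""
        self._identifier = (self._identifier + 1) & 0xFF
        self._outstanding = (self._identifier, rng(16))
        return self._outstanding

    def check(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected digest and compare. Returns True for success
        (CHAP Success packet) or False (CHAP Failure, after which the link is dropped)."""
        if self._outstanding is None:
            return False
        expected_id, challenge = self._outstanding
        self._outstanding = None  # single use: a replayed response cannot succeed
        secret = self._secrets.get(name)
        if secret is None or identifier != expected_id:
            return False
        expected = chap_response(expected_id, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Hypothetical dial-in client that knows its own name and shared secret."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, int, bytes]:
        """Step 2: answer the challenge with (Name, Identifier, Response)."""
        return self.name, identifier, chap_response(identifier, self._secret, challenge)


def run_session(authenticator: Authenticator, peer: Peer, rounds: int = 3,
                rng: Callable[[int], bytes] = os.urandom) -> list[bool]:
    """Repeat the handshake the way CHAP does during a live link; stop at the first
    failure, which is where the authenticator would terminate the connection."""
    outcomes = []
    for _ in range(rounds):
        identifier, challenge = authenticator.challenge(rng)
        name, ident, response = peer.respond(identifier, challenge)
        ok = authenticator.check(name, ident, response)
        outcomes.append(ok)
        if not ok:
            break
    return outcomes


if __name__ == "__main__":
    server = Authenticator({"alice": b"correct-horse"})  # constructed sample secret
    print(run_session(server, Peer("alice", b"correct-horse")))   # [True, True, True]
    print(run_session(server, Peer("alice", b"wrong-secret")))    # [False]
```

Because the digest covers the challenge, an eavesdropper who records one round learns nothing reusable, and because each challenge is consumed once, resubmitting a captured response fails. What the digest does not protect against is an offline dictionary attack on the secret by anyone who captures a challenge/response pair, which is one reason MD5-based CHAP is only as strong as the shared secret.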

It is important to note that Microsoft has implemented two variants of the Challenge Handshake Authentication Protocol, called MS-CHAP and MS-CHAP-v2.