Security+ - Authentication and Identity Verification

From Techotopia
Revision as of 15:28, 11 February 2008 by Neil


In the preceding chapter of Security+ Essentials we looked in detail at the various levels of access control used to govern access to system resources once a user has logged into a system. While access control provides fine-grained control over what a user can do once they are on the system, it does nothing to prevent unauthorized users from logging onto the system in the first place. As mentioned previously, any comprehensive IT security strategy must consist of multiple layers of security, and one of the cornerstones of a good strategy is authentication and identity verification. In this chapter the various methods of authentication will be covered.

What is Authentication?

Authentication is the process of verifying that a user (or system) is who it claims to be, so that access to computer systems and networks can be denied to unauthorized users. It takes a number of different forms, ranging from verifying account credentials (a login name and password, amongst other things) to physical identity verification (using biometrics such as fingerprint scanning) to verifying that the client system from which a user is attempting to connect to a server really is the authorized client system.

Username and Password

Perhaps the most rudimentary and least secure level of authentication involves the use of a username and password to access a system. This approach simply presents the user with prompts for a username and password which, if entered correctly, permit access to the system. For many years this was the primary form of authentication control.

The weakest form of username and password authentication uses plain text communication, where both credentials are transmitted to the server unencrypted. Anyone eavesdropping on the connection with a packet sniffer can read the username and password directly off the wire and use them to gain unauthorized access. Protocols such as telnet (and, for the same reason, FTP and unencrypted HTTP basic authentication) send credentials in plain text. For this reason alone the use of telnet for remote access to systems has been largely discontinued in favor of encrypted alternatives.
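To make the eavesdropping risk concrete, the following added example (constructed for this page, not part of the original text) replays a short telnet login as a sniffer on the network path would see it: the server sends option negotiation and prompts, the client sends keystrokes. The capture, the hostname and the credentials are all made up; the parser strips telnet IAC option bytes and then pairs each "login:"/"Password:" prompt with the bytes the client typed in reply.

```python
"""Recover a username and password from a captured plaintext telnet login.

Added example with a constructed capture; nothing here comes from the page
or from any real system.
"""

# Telnet command bytes (RFC 854): IAC introduces a command sequence.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_options(data: bytes) -> bytes:
    """Drop IAC negotiation sequences and return only the user-visible bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # truncated IAC at end of record
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # two-byte command (NOP, AYT, ...)
    return bytes(out)


def extract_credentials(capture):
    """Walk a list of (direction, payload) records in wire order.

    direction is "S" for server-to-client or "C" for client-to-server.
    Returns a list of (username, password) pairs found in the stream.
    """
    creds = []
    server_tail = ""      # recent server output, used to spot prompts
    typed = ""            # client bytes since the last prompt
    expecting = None      # "user", "pass" or None
    username = None
    for direction, raw in capture:
        text = strip_telnet_options(raw).decode("ascii", errors="replace")
        if direction == "S":
            server_tail = (server_tail + text)[-64:]
            tail = server_tail.rstrip().lower()
            if tail.endswith("login:"):
                expecting, typed = "user", ""
            elif tail.endswith("password:"):
                expecting, typed = "pass", ""
        elif expecting:
            typed += text
            # Telnet sends CR LF or CR NUL for Enter; take what precedes it.
            if "\r" in typed or "\n" in typed:
                value = typed.split("\r")[0].split("\n")[0]
                if expecting == "user":
                    username = value
                else:
                    creds.append((username, value))
                    username = None
                expecting, typed = None, ""
    return creds


# Constructed capture: option negotiation, then a login and password exchange.
CAPTURE = [
    ("S", bytes([IAC, DO, 24, IAC, WILL, 1]) + b"\r\nexample-host login: "),
    ("C", bytes([IAC, WONT, 24, IAC, DO, 1])),     # client answers negotiation
    ("C", b"alice\r\n"),                            # username keystrokes
    ("S", b"alice\r\nPassword: "),                  # server echoes name, prompts
    ("C", b"hunter2\r\n"),                          # password is NOT echoed
    ("S", b"\r\nLast login: Mon Feb 11 2008\r\n$ "),
]

if __name__ == "__main__":
    for user, password in extract_credentials(CAPTURE):
        print(f"recovered credentials: {user!r} / {password!r}")
```

The same records carried over SSH would be ciphertext end to end, so the prompt-matching above would find nothing; that is the whole difference between the two protocols as far as an eavesdropper is concerned.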

Technologies such as Secure Shell (SSH) still accept a username and password, but the credentials are sent over an encrypted channel, so an eavesdropper cannot simply read them off the wire. (SSH can also authenticate with public keys instead of passwords, which avoids transmitting a password at all.)

Even with encryption, the username and password approach to authentication has a number of inherent weaknesses. Firstly, it identifies only an account; it does nothing to verify that the person presenting the credentials is the account's legitimate owner. If the username and password fall into the wrong hands (it is amazing how many people have their username and password written on a piece of paper stuck to their monitor), the authentication system has no way of knowing that the wrong person is logging in.

Secondly, username and password security is only as strong as the choice of password. A weak password increases the chance that it will be guessed or cracked using automated password cracking tools. This problem is generally mitigated by enforcing password rules that prevent users from choosing weak passwords. Online guessing can also be curtailed by disabling an account after a specified number of invalid password entries, though note that lockout does nothing against offline cracking of a stolen password hash, and an attacker can abuse it to lock legitimate users out of their own accounts.
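As an added example of the two mitigations above (this is illustrative code written for this page, not code from the original text or from any product), the following module enforces a password policy at registration time and applies a failed-attempt lockout at login. The specific thresholds (12 characters, three character classes, five failures, a 15-minute lockout), the tiny common-password list and the use of salted PBKDF2 for storage are all assumptions chosen for the example; real deployments would use a much larger breached-password list.

```python
"""Password policy and account lockout: an added, self-contained example.

Thresholds, the common-password list and the PBKDF2 parameters are
assumptions made for illustration, not values taken from the page.
"""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000

# Constructed, deliberately short list; a real one has millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_weaknesses(password: str, username: str = "") -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Authenticator:
    """In-memory account store with policy enforcement and lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so lockout expiry is testable
        self.accounts = {}          # username -> account record

    def register(self, username: str, password: str) -> None:
        problems = password_weaknesses(password, username)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return "ok", "bad" or "locked".

        Unknown usernames get "bad" after a dummy hash, so the response and
        its timing do not reveal whether the account exists.
        """
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)
            return "bad"
        if now < acct["locked_until"]:
            return "locked"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS   # online guessing stops here
        return "bad"


if __name__ == "__main__":
    auth = Authenticator()
    print(password_weaknesses("password", "bob"))     # three violations
    auth.register("alice", "Correct-Horse-Battery-9")
    for _ in range(MAX_FAILURES):
        auth.login("alice", "wrong guess")
    print(auth.login("alice", "Correct-Horse-Battery-9"))   # locked out
```

The lockout counter only slows an attacker who must go through the login interface; if the account table itself is stolen, the attacker runs PBKDF2 offline at their own pace, which is why the work factor and a strong password still matter even with lockout in place.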


Challenge Handshake Authentication Protocol (CHAP)