Changes

Security+ - Authentication and Identity Verification

2,635 bytes added, 19:55, 11 February 2008
== Mutual Authentication ==
Under mutual authentication, one of the two systems creates a challenge code which it transmits to the other system. The second system in turn generates a response using the received challenge code and also creates its own challenge code; both are then transmitted back to the original system. The original system validates the response code and returns its own response code, based on the challenge code sent by the second system. Once the second system has validated the response code it received from the original system, it sends an acknowledgment message and authentication is complete.
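The four-step exchange described above, as an added example that is not part of the original page. It assumes both systems hold a pre-shared secret key and derive each response as HMAC-SHA256 of the challenge they received (the page does not say how a response is computed); responses are compared in constant time so that a mismatch on either side stops the exchange before the acknowledgment.

```python
import hmac
import hashlib
import secrets

# Constructed example key known to both systems (assumption; not from the page).
SHARED_KEY = b"example-pre-shared-key-not-for-production"


def make_response(key: bytes, challenge: bytes) -> bytes:
    """Response = HMAC-SHA256(key, challenge); only a key holder can produce it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify_response(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    return hmac.compare_digest(make_response(key, challenge), response)


def mutual_authenticate(key_a: bytes, key_b: bytes) -> list:
    """Run the exchange between system A (initiator) and system B.

    Returns the list of (sender, message) pairs; the final entry is
    ("B", "ACK") only if each side validated the other's response.
    """
    trace = []
    # Step 1: A creates a challenge and sends it to B.
    challenge_a = secrets.token_bytes(16)
    trace.append(("A", {"challenge": challenge_a.hex()}))
    # Step 2: B answers A's challenge and sends its own challenge alongside.
    response_b = make_response(key_b, challenge_a)
    challenge_b = secrets.token_bytes(16)
    trace.append(("B", {"response": response_b.hex(), "challenge": challenge_b.hex()}))
    # Step 3: A validates B's response; only then does it answer B's challenge.
    if not verify_response(key_a, challenge_a, response_b):
        trace.append(("A", "FAIL: B's response to the challenge is invalid"))
        return trace
    response_a = make_response(key_a, challenge_b)
    trace.append(("A", {"response": response_a.hex()}))
    # Step 4: B validates A's response and acknowledges completion.
    if not verify_response(key_b, challenge_b, response_a):
        trace.append(("B", "FAIL: A's response to the challenge is invalid"))
        return trace
    trace.append(("B", "ACK"))
    return trace


def authenticated(trace: list) -> bool:
    """True only when the exchange ended with B's acknowledgment."""
    return trace[-1] == ("B", "ACK")
```

Because each challenge is freshly generated, a response captured from one run is of no use in a later one; a mismatched key on either side halts the exchange at step 3 or 4.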
== Certificates ==
Certificate-based security provides a mechanism for achieving encrypted communications over unsecured networks and is built upon the Public Key Infrastructure (PKI). Certificates use ''asymmetrical'' cryptography, whereby different keys are used for the encryption and decryption processes. Under ''public key encryption'' two keys are required, a public key and a private key. A client contacts a ''Certificate Authority'' (CA) to obtain both of these keys. The public key is then provided to anyone who needs to send encrypted data to the client. The sender uses this public key to encrypt the data and sends it to the original client. On receipt, the client decrypts the message using the ''private key'', which is the only key that can be used to decrypt the message since this is ''asymmetrical'' encryption.

So far we have looked at certificates in terms of encrypting data between parties, where the public key is used to encrypt a message to a client and the client's private key is used to decrypt the message. When using certificates as a means of authentication this process is reversed. In such a situation the client encrypts its signature using its ''private key'' and sends it to the receiving system. If the sending client is who it claims to be, the receiving system should be able to decrypt the signature using the client's ''public key''. If the decryption using the ''public key'' fails, the sender is not who they claim to be and the authentication has failed.

== Authentication using Tokens ==
Tokens involve the use of what are essentially one-time passwords to gain access to a system. These tokens can be generated using small devices such as smart cards or key ring devices which display a new token each time the user presses a button; the displayed token is then used to gain access to a system or server. Each token is unique and used only once, avoiding the problem of a password falling into the wrong hands. Even if a token were to fall into the wrong hands, it would be invalid before anyone had a chance to use it to gain unauthorized access.

== Biometrics ==
Once confined to spy movies, where the finger or eyeball of an unfortunate government employee would be removed and scanned to gain access to a secure area, biometrics are now very much a reality. Biometrics involve the use of some part of a person's body as a form of identification. The most common devices for this purpose are fingerprint scanners (which are even included on laptop models), which deny access to a system until a suitable fingerprint match is scanned by the reader. Other biometric identification possibilities include retinal scans and voice recognition.