Understanding User Authentication
Authentication is the process in which people prove their identity. User authentication is the process in which users prove their identity over the network. It is generally established by one of three methods, or a combination of them, also called factors: something they have, something they know and something they are. Something the user knows may be a password or a personal identification number (PIN) associated with a smart card. Something the user has may be a cryptographic key or a smart card. Something the user is relates to biometric authentication, such as an iris scan, voice print, fingerprint, hand geometry or cornea scan. Combining these factors provides greater security than any single factor. Each factor uses a different protocol, so it is essential to understand the options for every type of user authentication. The most commonly used methods of user authentication are listed below.
Public key infrastructure (PKI) is a method of user authentication that falls into the "something I have" category. A user who has the right key can prove their identity and gain access to resources; a user who does not have the necessary key cannot gain access. The key is stored in an electronic document called a certificate. An essential part of PKI is the process of tracking certificates, which is done by a certificate server. Organizations can use their own certificate servers to track the certificates they issue within the organization. If it becomes necessary to prove identity to outside parties, a third-party company such as VeriSign, which specializes in checking identities and providing the appropriate keys and certificates, can be used. Most organizations use a certificate hierarchy, in which they trust someone because someone else they trust vouches for them. PKI works with a pair of keys, called the private key and the public key.
The public key is the one that identifies the user and is used to encrypt data sent to the user, so that only the authorized user can decrypt it. The public key cannot decrypt that data, so it can be distributed freely without concern that it will be intercepted or stolen.
The private key is the other key in the key pair and is different from the public key. It is held only by the user and is not shared with anyone else. It is stored by the user's operating system and used automatically by the operating system for PKI-enabled applications. It decrypts whatever the public key has encrypted; it is the only key that can decrypt what the public key of its key pair has encrypted.
Kerberos is an authentication protocol developed by MIT and named for the mythical three-headed dog that guards the gate of Hades across the river Styx. It is most commonly used on LANs and is the default authentication protocol for Novell NDS systems and Windows Active Directory. Kerberos was specifically designed to prevent replay attacks, in which an attacker records a device's authentication exchange with a resource and "plays back" the appropriate pieces to gain access.
To prevent replay attacks, Kerberos uses a system of keys that expire as soon as they are used or after a definable time period. When users first log on, they receive a special token called a ticket granting ticket (TGT). When they need access to a resource, their system presents the TGT to a server called the key distribution center (KDC), which is usually a domain controller. The KDC then gives the user's computer either a key to access the resource or a TGT for the next KDC on the way to the resource. In large networks with multiple domains, this process may repeat several times just to gain access to one resource. Kerberos works well when users are part of the network and are authenticated by a domain controller. The provisions vary by operating system, but it is simpler to use PKI for accounts that are not part of the network.
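An added illustration, not code from this article or from any Kerberos implementation: a service-side check in Python that models the ticket lifetime and the replay protection described above. Ticket values are constructed for the demo, and the 5-minute clock skew window is the value RFC 4120 recommends.

```python
# Constructed demo constant (not from the article): RFC 4120 suggests allowing
# about 5 minutes of clock skew between client and service.
MAX_CLOCK_SKEW = 300.0


class Ticket:
    """A ticket the KDC hands out: bound to one principal, valid for a limited time."""

    def __init__(self, principal: str, issued_at: float, lifetime: float):
        self.principal = principal
        self.issued_at = issued_at
        self.expires_at = issued_at + lifetime


class Authenticator:
    """Built fresh by the client for every request; carries the client's timestamp."""

    def __init__(self, principal: str, timestamp: float):
        self.principal = principal
        self.timestamp = timestamp


class ServiceReplayCache:
    """Remembers recently accepted authenticators so a captured one is rejected if replayed."""

    def __init__(self):
        self._seen = {}  # (principal, timestamp) -> time the service first accepted it

    def validate(self, ticket: Ticket, auth: Authenticator, now: float) -> str:
        # Forget entries older than the skew window: anything that old fails the
        # skew check anyway, so the cache only needs to cover the window.
        self._seen = {k: v for k, v in self._seen.items()
                      if now - k[1] <= MAX_CLOCK_SKEW}
        if auth.principal != ticket.principal:
            return "rejected: authenticator does not match ticket"
        if now > ticket.expires_at:
            return "rejected: ticket expired"
        if abs(now - auth.timestamp) > MAX_CLOCK_SKEW:
            return "rejected: authenticator outside clock skew window"
        key = (auth.principal, auth.timestamp)
        if key in self._seen:
            return "rejected: replayed authenticator"
        self._seen[key] = now
        return "accepted"
```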
AAA (RADIUS, TACACS+)
Triple A refers to authentication, authorization and accounting, which define an organization's goals with regard to its resources and data. Authentication is the process of users proving their identity. Authorization is the process of determining what resources a user has access to once authenticated. Accounting is the process of tracking which resources the user has connected to and which resources they used. Many protocols and services have been developed that conform to the AAA concept. The two most common services used with remote access are TACACS+ and RADIUS.
RADIUS (Remote Authentication Dial-In User Service) is a service that offers a centralized system for authentication, authorization and accounting. Remote access servers (RAS) become clients of another server, referred to as the RADIUS server. RADIUS uses UDP for communication between the RAS and the RADIUS server. RADIUS is supported on most of the more recent Microsoft server systems, such as Windows 2000 Server, Windows Server 2003 and Windows Server 2008. When RADIUS is used with wireless networks, WPA and IEEE 802.1x, the overall result is WPA for Enterprise.
TACACS+ (Terminal Access Controller Access Control System Plus) is a service similar to RADIUS, but it uses TCP to communicate between the RAS and the TACACS+ server. It was developed by Cisco Systems to address the requirements for a scalable AAA solution. Using TCP instead of UDP provides several advantages: the RAS gets an acknowledgement from the TACACS+ server that an authentication request has been received and is being processed, and because the two communicate over a connection-oriented protocol, a more robust security mechanism can be employed. TACACS+ keeps an accounting of the requests received from the RAS, and that accounting can be secured.
Network access control (802.1x, posture assessment)
A device relays the credentials to an authentication server, which has the database and the intelligence to make the correct decision. This is an example of network access control. The most common type of network access control is 802.1x.
802.1x is a standard developed by the IEEE. It defines a method of access control whereby client computers request access to the network through a device such as a wireless access point (WAP) or a network appliance, and that device passes the request on to an authentication server. The WAP is referred to as the authenticator and the client computer as the supplicant. The authentication server either accepts or rejects the request, depending on its database, and instructs the authenticator to accept or reject it accordingly. It can also consider the applications the supplicant is using and the configuration settings on the client; this is referred to as posture assessment. 802.1x is commonly used for both wireless and wired security in today's networks.
The Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol that uses a password shared as a secret between the client and the server. A three-way handshake is used in which the server sends the client a challenge to prove that it knows the password. The client inserts the password into the challenge string sent by the server and applies a hashing algorithm, producing a hashed value called a message digest, which it sends back to the server. When the server receives the message digest from the client, it compares it with the message digest of the true password, computed with the same hashing algorithm.
CHAP accomplishes authentication without sending the password in clear text. CHAP is a stronger authentication method that can be used when deploying a mixture of clients, including UNIX, Apple and Novell.
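As an added example (not code from this article), the CHAP exchange above in Python using the MD5 construction defined in RFC 1994 (Identifier, then secret, then challenge); the shared secret is a constructed demo value. The last function shows why a captured digest is useless against a fresh challenge, which is the property that makes the scheme safe to run without ever sending the password.

```python
import hashlib
import hmac
import os

# Constructed demo secret, agreed out of band by client and server (not from the article).
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Holds the shared secret and verifies each reply against the challenge it issued."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0

    def issue_challenge(self):
        # A fresh random challenge per attempt; the 8-bit identifier matches replies to challenges.
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16)

    def verify(self, identifier: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(identifier, self._secret, challenge)
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Knows the secret; only ever sends a digest, never the password itself."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_handshake(server: ChapServer, client: ChapClient) -> bool:
    """Challenge -> response -> success/failure: the three-way exchange."""
    ident, challenge = server.issue_challenge()
    return server.verify(ident, challenge, client.answer(ident, challenge))


def replayed_response_is_accepted(server: ChapServer, client: ChapClient) -> bool:
    """A digest captured from one exchange is presented against a new challenge."""
    ident1, chal1 = server.issue_challenge()
    captured = client.answer(ident1, chal1)
    ident2, chal2 = server.issue_challenge()
    return server.verify(ident2, chal2, captured)
```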
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is Microsoft's variation on the CHAP protocol that offers even greater security for authenticating Microsoft clients. MS-CHAP is specific to Microsoft, and all clients must run a Microsoft operating system.
Although any Microsoft client can use MS-CHAP, it is used mainly by Windows 95, Windows 98 and Windows NT Workstation clients, because newer clients can use a more secure protocol, MS-CHAP v2. This newer version of MS-CHAP is a stronger form of remote access authentication that can only be used by newer clients such as Windows 2000 Professional, or by Windows 98 clients over a VPN. Its new features strengthen the security of the authentication mechanism. It provides two-way authentication and is a good solution for networks with newer servers (Windows 2000 Server and newer) and newer clients (Windows 2000 Professional and newer).
The Extensible Authentication Protocol (EAP) is an open standard that allows new methods of authentication to be added. EAP can use a certificate from a trusted third party as the form of authentication. It is used primarily for smart cards, but it is evolving and will be used for many forms of biometric authentication, such as retina scans, fingerprints and more.
Two factor authentication
Something I have, something I own or something I know can each prove identity. Each of these is a factor, or method, of authentication. If I use two of these methods at the same time, it is referred to as two-factor authentication. A common example is a smart card that also requires a PIN: it combines something I have with something I know.
Multifactor authentication is normally established using biometrics in combination with the other two factors. For it, I may be required to have my iris or my hand scanned, or to provide a voice imprint. This is an example of something I am.
Single sign-on
For example, if you log on to a Windows Active Directory network as the domain administrator, you get the rights and permissions to manage all the computers in your domain. There is no need to re-authenticate every time you connect to a computer in the domain to manage it. That is single sign-on in action. Although at first it may feel less secure than forcing users to re-authenticate repeatedly, it turns out to be the more secure approach. One of the best ways to keep a password secure is to use it as little as possible: the less often an administrator has to enter credentials to authenticate, the less chance an attacker has of discovering those credentials and exploiting the discovery. For this reason, single sign-on is also used with Active Directory and many other systems, such as web applications.
It is essential to learn the factors of user authentication, by which users prove their identity over network communication. Authentication can be established by one or more of the three factors. Understanding all the factors described above is important for securing the network. Each factor differs from the others and is helpful in different ways depending on user needs and requirements. Newer methods of authentication use smart cards as well as various forms of biometric authentication.