(Authentication|Access control|Identification)

1 - About

Authentication is the process that establishes the identity of each user who accesses an application.

After a user has been authenticated, a session is created that holds all the navigation context data.

The next critical step in building security is authorization.

The process of creating, submitting, and verifying credentials is described simply as authentication, which is implemented through various authentication protocols.

3 - Ways

Basically, there are three ways to authenticate an individual:

  • by something the person knows,
  • by something the person has,
  • and by something the person is.

All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.

3.1 - The person is of a particular group

With the first two methods, you are establishing that the person belongs to a particular group, not that the individual is a particular person.

  • Knowing the secret handshake authenticates you as a member of the secret society.
  • Having a copy of a house key authenticates you as one of a group that has access to a given house.
  • I might give you enough information for you to call my bank and withdraw money from my account. When you do this, the bank thinks it is authenticating the account owner, when it is really just making sure that the person on the other end of the phone knows enough information about the account and account owner to be an authorized user of the account.

3.1.1 - something the person knows

  • passwords,
  • secret handshakes,
  • PIN codes,
  • and combinations to locks.

During World War II, American soldiers in Europe would ask strangers cultural questions like “Who won the 1940 World Series?” on the assumption that German soldiers wouldn’t know the answer, but every American would.

The biggest vulnerability is that the secret can be transmitted, learned, or stolen.

3.1.2 - something the person has

The something might be:

  • a physical key,
  • a membership card,
  • or a cellphone SIM card.

Like the “something the person knows” method, anyone can give this to anyone else.

3.2 - something the person is (identification)

Something the person has that’s a physical part of their body. This is what we normally think of as identification.

When we recognize people, we recognize their physical features.

  • On the telephone, we recognize someone’s voice.
  • Cats spray to mark their territory.
  • Dogs sniff each other’s butts.
  • Whales have individual songs.

More modern versions of this mechanism, called “biometrics,” include:

  • fingerprinting,
  • voice printing,
  • hand geometry,
  • iris and retina scans,
  • and handwritten signatures.

Biometrics have advantages over passwords and tokens in that they:

  • can’t be forgotten, although they can be lost. (People can lose fingers in an accident, or temporarily lose their voices due to illness.)
  • can’t be changed. If someone loses a key or an access code, it’s easy to change the lock or combination and regain security. But if someone steals your biometric—perhaps by surreptitiously recording your voice or copying the database with your electronic iris scan—you’re stuck. Your iris is your iris, period.

The problem is, while a biometric might be a unique identifier, it is not a secret. You leave a fingerprint on everything you touch, and someone can easily photograph your eye.

4 - Multiple Techniques

Better authentication systems use two or more methods.

  • An ATM, for example, uses “something the person has”—an ATM card—and “something the person knows”—a PIN. (Then it takes the person’s picture, for audit purposes.)
  • A passport is a physical card that is hard to counterfeit and contains a photograph.
  • A door-locking device may use both a PIN and a hand-geometry scanner.
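A login check that requires two factors, as an added example that is not part of the original page: a PBKDF2-hashed password stands in for “something the person knows” and a time-based one-time code (TOTP, RFC 6238) for “something the person has”. The names `hash_password`, `totp`, `authenticate` and `RECORD`, and the sample credentials, are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    """Something the person knows: store only a salted, slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Something the person has: a code derived from a secret held on a device (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", max(int(at), 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def authenticate(record: dict, password: str, code: str, now: float) -> bool:
    """Succeed only when BOTH factors verify; either one alone is rejected."""
    knows = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    # Accept the previous, current and next 30 s step to tolerate clock drift.
    has = False
    for drift in (-30, 0, 30):
        expected = totp(record["totp_secret"], now + drift)
        has |= hmac.compare_digest(expected.encode(), code.encode())
    return knows and has

# Constructed sample account. The fixed salt keeps the example reproducible;
# a real system generates a random salt per user (e.g. os.urandom(16)).
SALT = b"constructed-salt"
RECORD = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",     # RFC 6238 test secret
}

if __name__ == "__main__":
    now = 59                                     # RFC 6238 test time
    code = totp(RECORD["totp_secret"], now)
    print("both factors:", authenticate(RECORD, "correct horse", code, now))
    print("password only:", authenticate(RECORD, "correct horse", "", now))
    print("token only:", authenticate(RECORD, "guess", code, now))
```

Both comparisons use `hmac.compare_digest`, and both factors are always evaluated, so the response does not reveal which factor failed.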

5 - Identification is not authentication

Systems that confuse identification with authentication can have significant insecurities.

Some systems use the last four digits of a Social Security number as an authentication code, even though a Social Security number is a public identification number. You can’t change it. You can’t prevent others from having it. It’s a unique identifier, but it’s hardly a secret: a good number to identify me by, but a terrible one to authenticate me by. Your mother’s maiden name is a similarly lousy authentication code.

6 - Protocol

By far the most common approach is to use:

These weak cleartext protocols, used together with HTTPS network encryption, resolve many threats.

Strong authentication protocols for web-based applications:

  • Public key authentication (usually implemented with an HTTPS / SSL client certificate).
  • Kerberos or SPNEGO authentication, employed for example by Microsoft IIS configured for Integrated Windows Authentication (IWA).
  • Secure Remote Password protocol (preferably within the HTTPS / TLS layer). However, this is not implemented by any mainstream browsers.

Others:

7 - Method

7.1 - Simple authentication

A username/password pair is used as the credential, i.e. password authentication.

The providers (implementations) differ primarily in the data store that is queried:

7.2 - Identity assertion

Identity assertion authentication uses as credentials:

  • certificates
  • or security (tokens|key).

Identity assertions are exchanged with the help of the Security Assertion Markup Language (SAML).

8 - Provider

An Authentication Provider implements the authentication method.

9 - Documentation / Reference

security/auth/auth.txt · Last modified: 2018/04/18 14:41 by gerardnico