Sunday, January 6, 2013

Authentication – Who Are You?

Authentication

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be (SearchSecurity.com, n.d.). Verifying an identity claim is more complex than it first appears. There are several authentication methods, security protocols, encryption schemes and hashing algorithms to choose from, and there is no single “best” solution. For every implementation, the choice has to be made against the specific threats, assets and constraints of that deployment.

Authentication Types

Authentication is as old as human civilization. In the enterprise environment it is increasingly important that the authentication architecture be well defined. Typically the user presents credentials, and several kinds of credential exist: an entity can be authenticated by secret knowledge (something it knows, such as a username and password combination), by a biometric (something it is, such as a fingerprint scan), or by a digital certificate (something it has, namely the private key matching the certificate). In private and public computer networks, including the Internet, authentication is most commonly done with logon passwords (Faqs.org, 2003).

Knowledge-based authentication

The most common authentication type is knowledge-based. An identifier (a user ID) together with a secret (a password or passcode) is required to access systems protected by such a scheme; the user-id and password challenge screen of a web-based email system is the familiar case. The password is treated as secret, and knowledge of it is taken as sufficient evidence that the person presenting it is the user.

Both ends of a session must hold the shared secret, or at least something derived from it, for authentication to take place: the principal knows the password, and the authenticator must store either the password or a verifier computed from it (a salted hash) against which a presented password can be checked. The password, or proof of knowing it, also has to travel from the principal’s location to the authenticator’s location (Jaworski, Perrone & Chaganti, 2001). This is an obvious exposure. The link between the two must be secured so that an eavesdropper cannot capture the password, or cannot recover it from what is captured. Kerberos addresses this for password-based logon: a symmetric key derived from the user’s password is used to encrypt a ticket issued by the authentication server, the client proves it knows the password by being able to decrypt that ticket, and the password itself is never transmitted.
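As an added example (not code from the original post), the following Go program shows the two protections the paragraph points at. The server stores a random salt and a key derived from the password, not the password itself; the derivation is PBKDF2-HMAC-SHA256, written out from RFC 8018 so that nothing outside the standard library is needed. Login is then a challenge-response: the server sends a fresh random nonce, the client proves knowledge of the password by returning an HMAC of that nonce under the derived key, and the password never crosses the link. The function names, the iteration count and the sample passwords are the example’s own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Iterations is the PBKDF2 work factor; raise it as hardware gets faster.
const Iterations = 100_000

// pbkdf2SHA256 derives keyLen bytes from password and salt (RFC 8018, 5.2),
// written out here so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		// U_1 = HMAC(password, salt || INT(block))
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = HMAC(password, U_{j-1});  T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Verifier is what the server stores instead of the password: a random salt
// and the key derived from the password with that salt.
type Verifier struct {
	Salt []byte
	Key  []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Enroll runs once, when the account is created.
func Enroll(password string) Verifier {
	salt := randomBytes(16)
	return Verifier{Salt: salt, Key: pbkdf2SHA256([]byte(password), salt, Iterations, 32)}
}

// NewChallenge is issued by the server for one login attempt and never reused.
func NewChallenge() []byte { return randomBytes(32) }

// Respond runs on the client: re-derive the key from the typed password and the
// salt the server sent, then answer HMAC(key, challenge). The password stays here.
func Respond(password string, salt, challenge []byte) []byte {
	key := pbkdf2SHA256([]byte(password), salt, Iterations, 32)
	mac := hmac.New(sha256.New, key)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Check runs on the server: recompute the expected answer from the stored
// verifier and compare in constant time, so timing does not leak how many
// leading bytes of a guess were right.
func Check(v Verifier, challenge, response []byte) bool {
	mac := hmac.New(sha256.New, v.Key)
	mac.Write(challenge)
	return hmac.Equal(mac.Sum(nil), response)
}

func main() {
	v := Enroll("correct horse battery staple") // constructed sample password
	c1 := NewChallenge()
	r1 := Respond("correct horse battery staple", v.Salt, c1)
	fmt.Println("seen on the wire:", hex.EncodeToString(c1), hex.EncodeToString(r1))
	fmt.Println("right password accepted:", Check(v, c1, r1))
	fmt.Println("wrong password accepted:", Check(v, c1, Respond("Tr0ub4dor&3", v.Salt, c1)))
	// An eavesdropper who captured (c1, r1) gains nothing against a fresh challenge.
	fmt.Println("replayed answer accepted:", Check(v, NewChallenge(), r1))
}
```

The caveat a practitioner should keep in mind: in this protocol the stored derived key is password-equivalent, since whoever steals the verifier can answer any challenge, so the verifier store needs the same protection as the password would. Kerberos has the same property (the authentication server holds the password-derived keys), which is why protecting the server’s store, not just the link, is part of the design.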

Biometrics-based authentication

Authentication based on biometrics is still in its infancy. Unique attributes measured from an individual are used for authentication; fingerprints, hand geometry, facial recognition, iris recognition and dynamic signature verification are some of the more prominent biometric technologies. Biometrics by themselves are not fool-proof. There are several ways to attack such systems, such as presenting a fake to the sensor or replaying a captured template, and because a fingerprint or an iris cannot be changed once compromised, a leaked template is also a lasting privacy concern. Research into revocable biometric tokens, which would let a compromised template be cancelled and reissued, is in progress, but the technology is not yet implemented commercially on a mass scale.

Certificate-based authentication

This technique has grown in popularity in recent years. What is a certificate? A certificate is data that binds a principal’s identity to its public key. The important contents are the public key of the principal, the validity dates of the certificate and the digital signature of the issuer (Jaworski, Perrone & Chaganti, 2001). The issuer signs by hashing the certificate’s contents and transforming that hash with its private key; the result is the signature. Anyone holding the issuer’s public key can check that the signature matches the contents, and because only the holder of the private key could have produced it, a valid signature shows that the issuer, and not someone else, vouched for that key and identity. The private key, as the name suggests, is secret.

This matters when data has to be sent across otherwise unsecured connections. In a client-server architecture where both server-side and client-side certificates are used, each party proves that it holds the private key matching its certificate, so each side knows who is at the other end, and the connection can then be encrypted. Note the two directions in which a key pair is used: a signature is made with the private key and verified with the public key, which gives authenticity; a message encrypted with the recipient’s public key can be decrypted only with the recipient’s private key, which gives confidentiality.

A well-known certificate authority (CA), whose own self-signed certificate is the root of the chain, signs the server’s certificate, and with it the server’s public key, using the CA’s private key. An attacker cannot produce a false certificate for the server that carries a valid CA signature, because that would require the CA’s private key. The CA’s public keys are distributed out of band rather than over the network being secured: browsers and operating systems come pre-configured with a store of trusted roots. That store is itself a security boundary, since any CA in it can vouch for any name.

Several certificate formats have evolved, most significantly the X.509 v3 standard. X.509 allows several different algorithms to be used for creating digital signatures. An X.509 certificate contains the version of the certificate, a serial number, an identifier of the signature algorithm and its parameters, the issuer (CA) name, the validity period, the subject (principal) name and public key, optional v3 extensions such as the permitted key usages and alternative names, and the CA’s signature over all of the preceding fields.
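To make the chain of trust described in the last three paragraphs concrete, here is an added Go example (not code from the original post) that uses only the standard library’s crypto/x509. A root CA signs a server certificate; a verifier whose trust store contains only that root accepts the certificate for the right hostname and rejects it for another name, rejects a certificate for the same name issued by an impostor CA, rejects an expired certificate, and detects a certificate whose signed body was altered after signing. The names “Example Root CA”, “Impostor CA” and “www.example.com” are placeholders chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair; the private half never leaves its owner.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustParse turns the DER produced by CreateCertificate back into a parsed certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// MakeRootCA builds a self-signed CA certificate: the CA vouches for its own key.
func MakeRootCA(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// IssueServerCert is the CA's act of signing: the server's name and public key are
// placed in a certificate body that the CA signs with caKey. The CA never sees the
// server's private key.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string,
	serverPub *ecdsa.PublicKey, notBefore, notAfter time.Time) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, ca, serverPub, caKey))
}

// TrustStore plays the role of the browser's pre-configured root list.
func TrustStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// VerifyForHost does what a TLS client does with a presented certificate: chain it
// to a trusted root, check the validity period, and match the hostname.
func VerifyForHost(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// TamperedCopy flips one bit in the subject name inside the signed body and re-parses
// the result. The DER is still well formed, but the CA's signature no longer covers
// what the certificate now says, which is what CheckSignatureFrom detects.
func TamperedCopy(cert *x509.Certificate, name string) *x509.Certificate {
	der := append([]byte(nil), cert.Raw...)
	i := bytes.Index(der, []byte(name))
	if i < 0 {
		panic("name not found in certificate")
	}
	der[i] ^= 0x01 // 'w' (0x77) becomes 'v' (0x76): still a printable character
	return mustParse(der, nil)
}

func main() {
	caKey := NewKey()
	ca := MakeRootCA("Example Root CA", caKey) // placeholder names for the example
	roots := TrustStore(ca)
	now := time.Now()
	srvKey := NewKey()
	srv := IssueServerCert(ca, caKey, "www.example.com", &srvKey.PublicKey, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	fmt.Println("genuine cert, right host:", VerifyForHost(srv, roots, "www.example.com"))
	fmt.Println("genuine cert, wrong host:", VerifyForHost(srv, roots, "mail.example.com"))
	// An impostor can write a certificate for the same name, but only its own CA can sign it.
	evilKey := NewKey()
	evil := MakeRootCA("Impostor CA", evilKey)
	forged := IssueServerCert(evil, evilKey, "www.example.com", &NewKey().PublicKey, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("forged cert:", VerifyForHost(forged, roots, "www.example.com"))
	expired := IssueServerCert(ca, caKey, "www.example.com", &srvKey.PublicKey, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	fmt.Println("expired cert:", VerifyForHost(expired, roots, "www.example.com"))
	fmt.Println("tampered body:", TamperedCopy(srv, "www.example.com").CheckSignatureFrom(ca))
}
```

The forged certificate fails not because anything in it is malformed but because the verifier’s trust store does not contain the impostor’s root, which is the point made above about the root store being the security boundary: had “Impostor CA” been added to the store, the forged certificate would verify.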