Authentication Presented by Justin Daniel What is authentication

Authentication Presented by Justin Daniel

What is authentication? Process 3 steps AAA Authentication Authorization Auditing/accounting Three ways to prove who you are Something you know Something you have Something you are

Usernames and Passwords Something you know Rules for passwords Strong password creation techniques Techniques to use multiple passwords Storing passwords

5 rules to follow Passwords must be memorized Choose different passwords Use at least 6 characters Longer is better Eraider is 8 Example using 8 letters in all caps =826 302, 231, 454, 603, 657, 293, 676, 544 combos If us lower, and numeric characters =862 Use a mix of letters (uppercase and lowercase), numbers and special characters Change them periodically

Strong Password Creation Use words to a song or phrase and add a number lifes a game golf is serious =lag 7 gis Combine 2 dissimilar words shell 9 sport Replace numbers for letters Careful Pa 55 w 0 rd

Multiple Passwords Group websites and applications and use the same password Cycle complex passwords down the groups Use a common password base Change parts of it based on where you use it To. Rn 71@L sort of like torrential No. Yn 71@T for the New York times web site So. An 71@N for the Sans Institute web site

Storing Passwords If you write them down

Traditional Authentication Method Simplest Highly insecure Still in use

Traditional Authentication Client Password Database Usr 1, pass 1 Usr 2, pass 2 3 Username 1 Password (Plain text) 2 4 1. Client sends username to server 2. Client sends plain-text password to server 3. Server compares (user, passwd) pair with its database to determine if user is authentic. 4. Server provides services authorized for (user) if (user, passwd) matched in step 3. Server

Weaknesses of Traditional Auth. Passwords stored in plain-text Sending plain-text username and password across network System specific passwords Was not reusable No cross authentication

Kerberos Created at MIT Three-headed dog Version 5 standard today

How does Kerberos work? Simple example Client A Service B 3 4 1 2 K D C A S

Kerberos Ticket Granting Server Client A 4 K D C A S 3 T G S 5 6 2 1 Service B

Kerberos Assumptions/weaknesses Password guessing Physically secure Secret password Do. S Secure AS Authenticating device identifiers

Digital Certificates Electronic encryption and decryption Symmetric ciphers Asymmetric ciphers

Asymmetric Ciphers Private key Public key Certification Authorities

Security Tokens Something you have Passive Tokens Active Tokens One-time passwords Counter based Clock based

Biometrics Something you are How they work False positive False negative Types Physical characteristics Behavioral characteristics

Misc. info Domain controller Big picture of authentication Real world example DSA domain