asadislam78
Authentication is verification that the user’s claimed identity is valid, and it is usually implemented through a user password at logon time. Authentication is provided through a variety of means from secret passwords to using biometric characteristics. In general, authentication is accomplished by testing one or more of the following items:
• Something we know, such as a personal identification number (PIN) or password; this factor is known as Type 1 authentication.
• Something we have, such as an ATM card or smart card; this factor is known as Type 2 authentication.
• Something we are (physically), such as a fingerprint or retina scan; this factor is known as Type 3 authentication.
Obviously, using more than one factor adds additional credence (credibility) to the authentication process. For example, two-factor authentication refers to using two of the three factors, such as a PIN number (something we know) in conjunction with an ATM card (something we have).
After authentication, a user is granted rights and permissions to access certain computer resources and information. This allocation is known as authorization of the user.
Passwords
Passwords are, by far, the most popular factor used for authentication. Therefore, protecting passwords from compromise and unauthorized use is crucial.
Similar to a one-time pad in cryptography, a one-time password provides the highest level of password security. Because a new password is required every time a user logs on to the network, an attacker cannot use a previously compromised password. A password that changes frequently is called a dynamic password. A password that is the same for each logon is called a static password. An organization can require that passwords change monthly, quarterly, or at other intervals, depending on the sensitivity of the protected information and the password’s frequency of use.
In some instances, a passphrase can be used instead of a password. A passphrase is a sequence of characters that is usually longer than the allotted number of characters for a password. The passphrase is converted into a virtual password by the system.
Passwords can be generated automatically by credit card–sized memory cards, smart cards, or devices resembling small calculators. Some of these devices are referred to as tokens. These password generators are Type 2 devices, something we have.
Biometrics
Biometrics is defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. Biometrics is a Type 3 authentication mechanism because it is based on what a person “is.” Biometrics is useful in both identification and authentication modes.
For identification, biometrics is applied as a one-to-many search of an individual’s characteristics from a database of stored characteristics of a large population. An example of a one-to-many search is trying to match a suspect’s fingerprints to a database of fingerprints of people living in the United States. Conversely, authentication in biometrics is a one-to-one search to verify a claim to an identity made by a person. An example of this mode is matching an employee’s fingerprints against the previously registered fingerprints in a database of the company’s employees. Relative to access control, biometrics is used for identification in physical controls and for authentication in logical controls.
Performance measures of a biometric system range from technical characteristics to employees “feeling comfortable” with their use. Examples of performance measures are as follows:
• Type I Error or False Rejection Rate (FRR)
The percentage of valid subjects that are falsely rejected.
• Type II Error or False Acceptance Rate (FAR)
The percentage of invalid subjects that are falsely accepted.
• Crossover Error Rate (CER)
The error rate at the point where the FRR equals the FAR. The smaller the CER, the better the biometric system.
• Enrollment time
The time that it takes to initially “register” with a system by providing samples of the biometric characteristic to be evaluated. An acceptable enrollment time is around two minutes.
• Throughput rate
The rate at which the system processes and identifies or authenticates individuals. Acceptable throughput rates are in the range of 10 subjects per minute.
• Acceptability
The considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems might be the exchange of body fluids on the eyepiece. Another concern would be the retinal pattern, which could reveal changes in a person’s health, such as the onset of diabetes or high blood pressure.
The following are typical biometric characteristics:
• Retina scans
• Iris scans
• Fingerprints
• Facial scans
• Palm scans
• Hand geometry
• Voice
• Handwritten signature dynamics
Single Sign-On
In Single Sign-On (SSO), a user provides one ID and password per work session and is automatically logged on to all the required network resources and applications. Without SSO, a user normally must enter multiple passwords to access different network resources. In applying SSO, passwords should be transmitted or stored in encrypted form for security purposes. With SSO, network administration is simplified, a stronger password can be used, and resources can be accessed in less time.
The major disadvantage of many SSO implementations is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions.
SSO can be implemented in the following ways:
• Through scripts that replay the users’ multiple logins.
• Through Enterprise Access Management (EAM). EAM provides access control management services, including SSO, to Web-based enterprise systems. In one approach, SSO is implemented on Web applications residing on different servers in the same domain by using nonpersistent, encrypted cookies on the client interface.
• Using authentication servers to verify a user’s identity and encrypted authentication tickets to permit access to system services.
A popular authentication server approach that can implement SSO is the Kerberos system.
Cryptography
Cryptography is the practice and study of hiding information. In modern times, cryptography is considered to be a branch of both mathematics and computer science, and is affiliated closely with information theory, computer security, and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords, and electronic commerce, which all depend on cryptography.
The terms used in relation to cryptography are:
• Encryption
Encryption is the process of taking plain text and using a key to convert it into cipher text. Ciphers, algorithms, or schemes are used to encrypt data. All encryption algorithms require the use of a key, and must be able, with the proper key, to be reversed, converting the cipher text back into the original plain text.
• Key
A random piece of data used with encryption and decryption. Encryption and decryption algorithms require a key and plain text or cipher text to produce cipher text or plain text, respectively. The key is usually shared only with those parties that should be allowed to encrypt and decrypt messages.
• Plain text
Plain text refers to any type of data in its original, readable, unencrypted form. A text document, an image, and an executable are all examples of plain text. It is important to note that plain text refers only to unencrypted data.
• Cipher text
Cipher text is the data in its encrypted, unreadable form. Cipher text only refers to encrypted data and speaks nothing about the type of data before encryption, or the algorithm used to encrypt the data. Encrypted data is a synonym for cipher text.
• Cryptanalysis
Cryptanalysis is the process of analyzing cipher text or the algorithms to find a weakness so that plain text can be extracted from the cipher text without the key. Cryptanalysis is done by cryptanalysts who use techniques such as frequency analysis to find patterns in the cipher text.
• Decryption
Taking cipher text and using a key to convert it into plain text. In most cases, the algorithm or key used to encrypt the data is not the same as the one used to decrypt the data. Decrypting cipher text should not be computationally feasible without the proper key.
• Brute-force attack
This is the process of enumerating through all of the possible keys until the proper key is found that decrypts a given cipher text into correct plain text. All encryption is vulnerable to a brute-force attack and will eventually fall to a brute-force attack given enough time.