Secure Authentication Technologies
Summary
This document discusses secure authentication technologies, covering single sign-on (SSO) and authentication services like RADIUS, Kerberos, and TACACS+. It details how these technologies enhance security in networks and systems, highlighting their mechanisms and applications in various environments, including Microsoft and Cisco networks.
Full Transcript
Several technologies can enhance secure authentication. These include single sign-on and authentication services.

Single Sign-On

One of the problems facing users today is that they have many accounts across multiple platforms, each of which should use a unique username and password. Because managing different authentication credentials is difficult, users frequently compromise by selecting the least difficult password and then using it for all accounts. A solution to this problem is to have one username and password that grants access to all accounts, so that the user has only one username and password to remember.

Single sign-on identity management: using a single authentication credential that is shared across multiple networks. When those networks are owned by different organizations, it is called federation (sometimes called federated identity management or FIM): using one authentication credential to access multiple accounts or applications belonging to different organizations. SSO holds the promise of reducing the number of usernames and passwords that users must memorize, potentially to just one.

For example, a Google user can access all of Google's features, such as Gmail, Google Docs and Spreadsheets, Calendar, and Photos, by entering a single Google account username and password. Microsoft offers a similar service through its Microsoft Account. An advantage besides using only a single username and password is that settings made on one device are automatically synced with all other devices. However, these SSOs are proprietary and restricted to Google or Microsoft applications and are not "federated" with other organizations.

Authentication Services

A user accessing a computer system must present authentication credentials or identification when logging in to the system. Different services can be used to provide authentication.
These include RADIUS, Kerberos, Terminal Access Controller Access-Control System (TACACS), directory services, Security Assertion Markup Language (SAML), and authentication framework protocols.

RADIUS

RADIUS, or Remote Authentication Dial-In User Service, was developed in 1992 and quickly became the industry standard, with widespread support across nearly all vendors of networking equipment. RADIUS was originally designed for remote dial-in access to a corporate network. However, the word "remote" in the name RADIUS is now almost a misnomer, because RADIUS authentication is used for more than connecting to remote networks. With the development of IEEE 802.1X port security for both wired and wireless LANs, RADIUS has seen even greater usage.

The detailed steps for RADIUS

1. A wireless device, called the supplicant (it makes an "appeal" for access), sends a request to an access point (AP) requesting permission to join the wireless LAN (WLAN). The AP prompts the user for the user ID and password.

2. The AP, serving as the authenticator that will accept or reject the wireless device, creates a data packet from this information called the authentication request. This packet includes information such as the identification of the specific AP that is sending the authentication request and the username and password. For protection from eavesdropping, the AP (acting as a RADIUS client) encrypts the password before it is sent to the RADIUS server. The authentication request is sent over the network from the AP to the RADIUS server. This communication can be done over either a local area network or a wide area network, which allows RADIUS clients to be located remotely from the RADIUS server. If the RADIUS server cannot be reached, the AP can usually route the request to an alternate server.

3.
When an authentication request is received, the RADIUS server validates that the request is from an approved AP and then decrypts the data packet to access the username and password information. This information is passed on to the appropriate security user database, which could be a text file, a UNIX password file, a commercially available security system, or a custom database.

4. If the username and password are correct, the RADIUS server sends an authentication acknowledgment that includes information on the user's network system and service requirements. For example, the RADIUS server may tell the AP that the user needs TCP/IP. The acknowledgment can even contain filtering information to limit a user's access to specific resources on the network. If the username and password are not correct, the RADIUS server sends an authentication reject message to the AP and the user is denied access to the network. To ensure that requests are not responded to by unauthorized persons or devices on the network, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.

5. If accounting is also supported by the RADIUS server, an entry is started in the accounting database.

6. Once the server information is received and verified by the AP, it enables the necessary configuration to deliver the wireless services to the user.

RADIUS allows an organization to maintain user profiles in a central database that all remote servers can share. Doing so increases security by allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also makes it easier to track usage for billing and for keeping network statistics.

Kerberos

Kerberos is an authentication system developed by the Massachusetts Institute of Technology (MIT) in the 1980s and used to verify the identity of networked users.
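Before going further into Kerberos, here are RADIUS steps 2 through 4 worked through in code. This is an added example, not code from the original document: the client hides the password using the shared secret and a random Request Authenticator, the server recovers it, checks its user database and replies with a Response Authenticator (the "signature" of step 4) that the client verifies. The password-hiding and authenticator formulas are those of RFC 2865; the shared secret, user database, NAS address, credentials and function names are constructed for illustration, and the exchange runs in one process rather than over UDP.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865.
Added example, not the original document's code; the shared secret, user
database, NAS address and credentials are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types used here


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Step 2, RFC 2865 section 5.2: NUL-pad to a multiple of 16 and XOR each block
    with MD5(secret + previous block), the first block using the Request Authenticator.
    This is obfuscation keyed by the shared secret rather than a modern cipher, which is
    why RADIUS traffic is normally confined to a trusted network or wrapped in IPsec/RadSec."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of step 3: undo the hiding and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are TLVs: Type (1 byte), Length (1 byte, header included), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, nas_ip, secret) -> bytes:
    """Step 2: the AP (RADIUS client) builds the authentication request.
    The Request Authenticator is 16 random bytes, fresh for every request."""
    request_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),  # constructed NAS address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, request_auth, body, secret) -> bytes:
    """The server's signature from step 4: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Steps 3 and 4: recover the password, consult the user database, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b""  # a real Accept would carry service attributes (Framed-Protocol, Filter-Id, ...)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side of step 4: trust a reply only if its Identifier matches the outstanding
    request and its Response Authenticator verifies under the shared secret, so an Accept
    from a device that does not hold the secret is ignored."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET, USERS = b"constructed-shared-secret", {b"alice": b"correct horse battery"}
    req = build_access_request(7, b"alice", b"correct horse battery", "192.0.2.10", SECRET)
    resp = server_handle(req, SECRET, USERS)
    print("accepted" if resp[0] == ACCESS_ACCEPT and verify_response(resp, req, SECRET) else "rejected")
```

Two checks are worth noting on the client side: the Identifier must match the request the client is still waiting for, and the Response Authenticator must verify under the shared secret. A reply that fails either check is dropped, which is what the text means by the server "identifying itself" to the RADIUS client.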
Named after the three-headed dog in Greek mythology that guarded the gates of Hades, Kerberos uses encryption and authentication for security. Kerberos will function under Windows, macOS, and Linux. Kerberos has often been compared to using a driver's license to cash a check. A state agency, such as the Department of Motor Vehicles (DMV), issues a driver's license that has these characteristics: it is difficult to copy; it contains specific information (name, address, weight, height, etc.); it lists restrictions (must wear corrective lenses, etc.); and it will expire at some future date.

Kerberos, which works in a similar fashion, is typically used when a user attempts to access a network service that requires authentication. The user is provided a ticket that is issued by the Kerberos authentication server, much as a driver's license is issued by the DMV. This ticket contains information linking it to the user. The user presents this ticket to the network for a service. The service then examines the ticket to verify the identity of the user. If the user is verified, they are then accepted. Kerberos tickets share some of the same characteristics as a driver's license: tickets are difficult to copy (because they are encrypted), they contain specific user information, they restrict what a user can do, and they expire after a few hours or a day. Issuing and submitting tickets in a Kerberos system is handled internally and is transparent to the user.

[Figure: a Kerberos realm. Participants: Client, Key Distribution Center (KDC), Ticket Granting Server (TGS), Server. Flow: TGT request and TGT between Client and KDC; ticket request and ticket between Client and TGS; then ticket + service request from Client to Server ("Do some stuff").]

In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) that is used to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain.
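The ticket flow from the figure and the paragraph above, as an added example that is not part of the original document: the Authentication Server issues a TGT and a session key that only the holder of the user's password can open, the TGS exchanges the TGT for a service ticket, and the service examines the ticket, checks its expiry and confirms the accompanying authenticator. The sealing routine is a simplified encrypt-then-MAC construction on HMAC-SHA256 standing in for Kerberos' real encryption types; the principals, passwords, keys, clock values and all function and class names are constructed for illustration.

```python
"""Toy Kerberos realm: AS issues a TGT, TGS turns it into a service ticket, the
service checks the ticket. Added example, not the original document's code. The
sealing cipher is a simplified encrypt-then-MAC construction on HMAC-SHA256 that
stands in for Kerberos encryption types; principals, passwords and the clock are
constructed for illustration."""
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # tickets expire like a driver's license (constructed: 8 hours)
CLOCK_SKEW = 300      # authenticators older than this are refused (Kerberos uses 5 minutes)


def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from the password; a stand-in for Kerberos string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: XOR with an HMAC keystream, then tag nonce + ciphertext."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Fails closed: a ticket that was altered or sealed under another key does not open."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, "sha256").digest(), tag):
        raise ValueError("ticket or authenticator does not verify under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""

    def __init__(self, principal_keys: dict):
        self.keys = principal_keys        # principal -> long-term key (the KDC database)
        self.tgs_key = os.urandom(32)     # seals TGTs; known only to the KDC

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: the TGT plus a session key sealed under the user's long-term key.
        The password never crosses the network; only its holder can open the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": now + LIFETIME})
        return tgt, seal(self.keys[client], {"key": session, "expires": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: check the TGT and its authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired; the user must log in again")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["time"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match the TGT holder")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": svc_session, "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service})


def client_login(kdc: KDC, user: str, password: str, now: int) -> dict:
    """Obtain the TGT once; a wrong password cannot open the AS reply (ValueError)."""
    tgt, reply = kdc.as_exchange(user, now)
    session = bytes.fromhex(unseal(derive_key(password, user), reply)["key"])
    return {"user": user, "tgt": tgt, "key": session}


def client_request_service(kdc: KDC, creds: dict, service: str, now: int):
    """Present the TGT to the TGS, receive a service ticket, build the authenticator to send with it."""
    authenticator = seal(creds["key"], {"client": creds["user"], "time": now})
    ticket, reply = kdc.tgs_exchange(creds["tgt"], authenticator, service, now)
    svc_key = bytes.fromhex(unseal(creds["key"], reply)["key"])
    return ticket, seal(svc_key, {"client": creds["user"], "time": now})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """The server examines the ticket and returns the verified client name, or None."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return None
    if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > CLOCK_SKEW:
        return None
    return t["client"]
```

The three properties the text attributes to tickets are visible in the checks: a ticket is hard to copy or alter because `unseal` refuses anything not sealed under the right key, it is bound to one user because the authenticator must be sealed under the session key inside the ticket and name the same client, and it expires because both the TGS and the service compare the ticket's expiry against the clock.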
Use of the TGT was designed into the Kerberos protocol to avoid frequently asking the user for a password.

Terminal Access Controller Access-Control System Plus (TACACS+)

Similar to RADIUS, Terminal Access Controller Access-Control System (TACACS) is an authentication service commonly used on UNIX devices that communicates by forwarding user authentication information to a centralized server. The centralized server can be either a TACACS database or a database such as a Linux or UNIX password file with TACACS protocol support. The first version was simply called TACACS, while a later version introduced in 1990 was known as Extended TACACS (XTACACS). The current version is TACACS+, a Cisco proprietary protocol. It provides access control for routers, network access servers, and many other networked computing devices through one or more centralized servers, and it provides separate Authentication, Authorization, and Accounting (AAA) services for server access.

Should you be using RADIUS, TACACS+, or Kerberos?

The answer usually depends on what you're connecting to and what that device supports.

1. For example, you may have a VPN concentrator that only knows how to authenticate to a RADIUS server, so you might use RADIUS for that particular service.

2. If you're on a Microsoft network, then by default you're using Kerberos. You may find that, throughout the day, you use all of these different methods, depending on exactly which service you happen to be using.

3. You might have other network administrators who authenticate to a Cisco switch or a Cisco router, and perhaps they'd like to have their own authentication methods outside the scope of what you would use elsewhere on the network. So they may set up a TACACS+ server just for their Cisco authentication.