Unit 1-5b.docx
Document Details
Uploaded by StimulatingSpinel
Full Transcript
**Module 1-5. Networked Systems** OBJECTIVE 5b. Identify basic facts and terms about Networked Authentication. \- Components of Public-Key Infrastructure (PKI) \- Authentication Factors **OVERVIEW** **COMPONENTS OF PUBLIC KEY INFRASTRUCTURE (PKI)** **DOD PKI PROGRAM** The DoD successfully de...
**Module 1-5. Networked Systems** OBJECTIVE 5b. Identify basic facts and terms about Networked Authentication. \- Components of Public-Key Infrastructure (PKI) \- Authentication Factors **OVERVIEW** **COMPONENTS OF PUBLIC KEY INFRASTRUCTURE (PKI)** **DOD PKI PROGRAM** The DoD successfully deployed a major program providing secure access to its communications and computer networks in late 1990 replacing the User ID/Password authentication method. The architecture put into place tracks, certifies and approves a variety of transactions (from verifying personal identification to encrypting messages) for the millions of DoD employees. The DoD Public Key Infrastructure (DOD PKI) program is overseen by the National Security Agency (NSA) and the Defense Information Systems Agency (DISA). By 2005, this program issued more than 16 million PKI certificates and almost 7 million Common Access Cards (CACs). **PKI CREDENTIALS** The DoD PKI program provides most of its members with three types of credentials: - An identity credential or certificate for each employee CAC. - An e-mail encryption - Digital signature certificate for personnel with e-mail accounts An important tool in issuing CACs across the DoD are the 1800 computer terminals at U.S. military facilities worldwide to enter personnel information in real-time. These stations are linked to the main DOD PKI architecture and contain the information of all personnel who are issued PKI credentialed CACs. This DoD PKI program allows the smart card logons. This feature gives personnel the ability to use their CACs (in association with the corresponding PKI credentials) to log onto a network eliminating the need for user names and passwords. **PKI KEYS** Generally stated, PKI uses a combination of symmetric and asymmetric algorithms to generate keys necessary to ensure authentication and protection of encrypted messages. Both schemes use a mathematical equation referred to as an algorithm. According to Mike Meyers\' Certification Passport (Meyers, 2009), \"an algorithm is a complex mathematical formula that dictates how the encryption and decryption process takes place.\" The two types of keys used are symmetric and asymmetric. The **symmetric key** scheme allows the key to accomplish both encryption and decryption. Therefore, each user must possess the same key to send and open encrypted messages. An **asymmetric key** consist of a public key, which is freely available, and a private key, which is kept secret. \[Asymmetric Key function\]. Asymmetric Keys provide the advantages of authentication and nonrepudiation, but are much slower to process than Symmetric Keys. PKI layers asymmetric and symmetric encryption in order to gain the advantages of both systems. For example: a symmetric key is generated to encrypt the body of an email. The newly generated symmetric key and the symmetrically encrypted message body are packaged up before being asymmetrically encrypted using the public key of the intended recipient. When the recipient receives the email it is decrypted with the recipient's private key which grants access to the symmetric key needed to decrypt the message body. Using this method the PKI system gains the security of asymmetric encryption and the speed of symmetric encryption. The integrity of the Public Key is of the utmost importance. The integrity of a Public Key is usually assured by completion of a certification process carried out by a Certification Authority (CA). Once the CA has certified the credentials provided by the entity securing the Public Key are valid, the CA digitally signs the key so visitors accessing the material the key is protecting will know the entity has been certified. **PKI INFRASTRUCTURE** The PKI Infrastructure is made up of five components: **Certification Authority (CA)** Serves as the root of trust to authenticate the identity of individuals, computers and other entities in the network. **Registration Authority (RA)** Is certified by a root CA to issue certificates for uses permitted by the CA. In a Microsoft PKI environment, the RA is normally called a subordinate CA. **Certificate Database** Saves certificate requests issued and revoked certificates from the RA or CA. **Certificate Store** Saves issued certificates and pending or rejected certificate requests from the local computer. **Key Archival Server** Saves encrypted private keys in a certificate database for disaster recovery purposes in case the Certificate Database is lost. **CERTIFICATE AUTHORITY (CA) SERVER** It is important the Certificate Authority (CA) publish the PKI digital certificates immediately after the certificate is issued. The CA Server is a repository for the certificates issued to the requesting user. There are different categories of digital certificates associated or bind a user's identity to a public key and verify the sender's identity. The CA Server ensures the authenticity of the cryptographic connection, transmit encrypted data, as well as provide public/private key information for encryption. As illustrated in Figure 1-32, the process of PKI involves the user's request to the Registration Authority (RA), the algorithm utilized, certificate authority server generation of the key, digital certificate established and the Certificate Authority issuing the certificate to the user. **CERTIFICATE REVOCATION LIST (CRL)** Just as digital certificates are issued, they can also be revoked. Revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate (or employee) is considered no longer trustworthy. For example: If a certificate holder's private key is compromised, the certificate is likely to be revoked. Certificate Revocation List is the mechanism PKI uses for distributing certificate revocation information. A CRL is used when verification of digital certificate takes place to ensure the validity of a digital certificate. Revoking a certificate is just not enough especially when the user's private key may become compromised or lost. The community trusting these certificates must be notified the certificates are no longer valid. This is accomplished by the Certificate Revocation List. **CAC MIDDLEWARE** Middleware is a general term for computer software providing services to software applications beyond those available from the operating system. It can be described as \"software glue" because it acts as a bridge between the operating system and other applications or between two applications (especially on a network). The software application serving as the interface between the host's applications (such as email, cryptographic network logon, web browsers, and public key enabled applications) and the CAC is known as middleware. The middleware provides access to cryptographic services, CAC data, and CAC management features. **Cryptographic Services** Cryptographic Services are the set of functions necessary for cryptographic operations, such as signing and encrypting email. **CAC Data** CAC data is defined as non-cryptographic data stored on the CAC such as name, rank, and identifier. **CAC Management** CAC Management is the set of functions necessary to manage the card and the middleware environment, such as Personal Identification Number (PIN) changes and PIN timeout. Middleware plays a vital role in the way we communicate between websites and other services. Middleware enables you to uniquely identify the user across a number of different platforms; manage and maintain the data and applications accessed. DOD SMART CARD With implementation of the DoD PKI, the CAC (Ref. Figure 1-34) replaced the United States Uniformed Services Privilege and Identification Card; also known as the Geneva Convention Card (Ref. Figure 1-34). The CAC is a special smart card issued by DoD. Every smart card contains a microchip, barcode, and magnetic strip. The CAC contains selected, abbreviated data about the member (note -- the SSN was removed in 2012): - Date of birth - Personnel category - Pay category - Benefits information - Organizational affiliation - Pay grade - Blood Type - Organ Donor Information The CAC is primarily used for military and government personal as an identification and authentication card for physical access to military and government buildings as well for computer and network access. For example, you would not be able to log into a military networked computer without inserting your CAC card into the card reader and providing you PIN. The card also contains digital certificates permitting e-mail encryption and digital signatures. You need a personal identification number (PIN) to access the information stored on your CAC. Only authorized personnel who are granted access to the applications and secret keys can modify or delete the data added on the chip. To protect the information on your CAC, you should never tell anyone your PIN nor to write it down. If the PIN is forgotten, you will be asked to verify your identity by comparing your fingerprint to the one stored in the Defense Enrollment Eligibility Reporting System (DEERS). In July 2016, DoD announced its intention on replacing the CAC for network authentication within two years (i.e. 2018) and use biometrics. **AUTHENTICATION FACTORS** To enhance security, security experts often recommend using two-factor or multifactor authentication, which involves employing two separate authentication methods. However, implementing two-factor authentication can be challenging as it requires additional hardware purchases and infrastructure changes. Consequently, organizations commonly rely on a single authentication method. There are a wide variety of authentication factors, each with their own list of positives and negatives **Something You Know** This authentication factor is the most common form. Users are able to authenticate their identity by stating something only they should know. Usually this is a password or PIN. This approach is based on the concept the user is the only one who knows what the information system expects and therefore is the person he or she claims to be. This technique is vulnerable to attack by guessing or deducing the information. If the information is too simple or too easily associated with the person, then it is more susceptible to guessing. The use of User ID/Passwords is cheap to implement but offers little security. Additionally, having to manage passwords to multiple systems invariably means the user has written down a list of passwords and corresponding systems because they can\'t remember them all. While this is the most common authentication method on the Internet and in the computer world, a password policy is typically implemented to assist users in selecting a good, difficult-to-guess password. Password guidelines should be clearly communicated and cover the following areas: - **Password Complexity** o This consist of the number of characters a password should have, the use of capitalization/numbers/special characters, not basing the password on a dictionary word, personal information, and not making the password a slight modification of an existing password. - **Password History** o This will identify the policy on reusing a password such as how many different passwords must be used before you can reuse one you use previously. - **Duration** o This is the minimum and maximum number of days a password can be used before it can be changed or must be changed. - **Protection of Passwords** o This will include where and how you store your passwords. It is not wise to record your passwords where others can find it. And you certainly do not want to save passwords for automated logins. Lastly, don\'t share your passwords with other users. - **Consequences** o Implementing consequences associated with violation or noncompliance with the organizational policies. **Something You Are** This factor uses a physical attribute to verify somebody. These are usually biometrics based (fingerprints, hand scans, retina scans, etc.). The downside to these authentication devices are they tend to cost more than other methods because the hardware required to capture and analyze physical characteristics is more complicated. Properly implemented though, biometrics systems can provide a high level of security because the authentication is directly related to a user's unique physical characteristics. Biometric authentication is widely regarded as the hardest to forge or spoof if implemented properly. This form of identification and authentication is based on physical, genetic, or human characteristic. An employee's unique information about their body is stored in a database and then it is associated with a specific set of credentials for authentication. The biggest benefit over the other methods is ease of use. However, a good biometric system will employ at least two strategies (example: fingerprints and pulse). Examples of biometric factors include: - Fingerprints (most common) - Hand Geometry - Voice Recognition - Iris/Retinal Scans - Face Recognition - Vascular Patterns (blood vessel patterns) - Signature Dynamics (how you sign) - Typing Patterns - Gait (how you walk) - Odor - Ear Shape - Heart Rate - Butt Shape (pressure points when sitting) - Eye Movement - Nose Shape **Something You Have** Something only, you should physically possess can be used is another form of authentication. Common access cards or USB tokens are common examples of possession-based authentication. This is best done in conjunction with another authentication factor. You carry one of these with you at all times: Your Common Access Card. This is what you provide at the gate when driving on base or what you supply to a computer as your form of identification along with another form of authentication (e.g. PIN).These systems reduce the threat from perpetrators who attempt to guess or steal passwords because the perpetrator must either fabricate a counterfeit token or steal a valid token from a user. Using smart cards (a.k.a. Common Access Cards) is more expensive, needs more infrastructure support as well as specialized hardware, but when used with a PIN or password (i.e., two-factor identification), it offers acceptable levels of security. **Somewhere You Are** Location can be used as an authentication factor. If you've ever had a bank account get locked out after you make a purchase on vacation - this is why. Banking institutions check the location of the purchases to see if they are abnormal. **Something You Do** This is closely related to the "something you know" authentication factor. This factor is a performance-based version of authentication. For example, you may perform a gesture on a touch screen for this factor. The use of two or more authentication factors is known as multi-factor authentication. Combining techniques makes it much more difficult for the perpetrator to obtain the necessary items for access. We said earlier entry into secure facilities might have multi-factor authentication. Some facilities need to be more secure than others based upon the material inside or the nature of the mission. Some buildings may have you scan a badge in order to enter through the first layer of security. After you have authenticated through the first layer of security, you may have to scan your hand and provide a PIN linked to your badge. This covers three