Transcript Slide 1
Authentication
Presented by
Justin Daniel
What is authentication?
Process
3 steps AAA
Authentication
Authorization
Auditing/accounting
Three ways to prove who you are
Something you know
Something you have
Something you are
Usernames and Passwords
Something you know
Rules for passwords
Strong password creation techniques
Techniques to use multiple passwords
Storing passwords
5 rules to follow
Passwords must be memorized
Choose different passwords
Use at least 6 characters
Longer is better
Eraider is 8
Example using 8 letters in all caps =826
302,231,454,603,657,293,676,544 combos
If us lower, and numeric characters =862
Use a mix of letters (uppercase and lowercase),
numbers and special characters
Change them periodically
Strong Password Creation
Use words to a song or phrase and add a
number
lifes a game golf is serious =lag7gis
Combine 2 dissimilar words
shell9sport
Replace numbers for letters
Careful
Pa55w0rd
Multiple Passwords
Group websites and applications and use
the same password
Cycle complex passwords down the groups
Use a common password base
Change parts of it based on where you use it
ToRn71@L sort of like torrential
NoYn71@T for the New York times web site
SoAn71@N for the Sans Institute web site
Storing Passwords
If you write them down
Traditional Authentication Method
Simplest
Highly insecure
Still in use
Traditional
Authentication
Password Database
Usr1, pass1
Usr2, pass2
3
Client
Username
1
Password (Plain text)
2
4
1. Client sends username to server
2. Client sends plain-text password to server
3. Server compares (user, passwd) pair with its
database to determine if user is authentic.
4. Server provides services authorized for (user) if
(user, passwd) matched in step 3.
Server
Weaknesses of Traditional Auth.
Passwords stored in plain-text
Sending plain-text username and
password across network
System specific passwords
Was not reusable
No cross authentication
Kerberos
Created at MIT
Three-headed dog
Version 5 standard today
How does Kerberos work?
Simple example
Client A
Service B
3
4
1
2
K
D
C
A
S
Kerberos
Ticket Granting Server
Client A
4
3
K
D
C
A
S
T
G
S
5
6
2
1
Service B
Kerberos
Assumptions/weaknesses
Password guessing
Physically secure
Secret password
DoS
Secure AS
Authenticating device identifiers
Digital Certificates
Electronic encryption and decryption
Symmetric ciphers
Asymmetric ciphers
Asymmetric Ciphers
Private key
Public key
Certification Authorities
Security Tokens
Something you have
Passive Tokens
Active Tokens
One-time passwords
Counter based
Clock based
Biometrics
Something you are
How they work
False positive
False negative
Types
Physical characteristics
Behavioral characteristics
Misc. info
Domain controller
Big picture of authentication
Real world example
DSA domain