pace-it, security + 5.2: authentication and authorization basics (part 2)

Authentication and authorization basics II.

Upload: pace-it-at-edmonds-community-college

Post on 14-Feb-2017


TRANSCRIPT

Page 1: PACE-IT, Security + 5.2: Authentication and Authorization Basics (part 2)

Authentication and authorization basics II.

Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting.

Industry Certifications

Qualifications Summary

Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University.

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Page 3

Authentication and authorization basics II.

– Authentication concepts.

– Authorization concepts.

Page 4

Authentication concepts.

Page 5

Authentication concepts.

A common method of authentication involves creating a hashed value of the information.

Hashing is a cryptographic process that uses an algorithm to derive a fixed-size value (the hash, or digest) from data. A plain hash uses no key, so on its own it provides only an integrity check: anyone can recompute it, including an attacker who changes the data and recomputes the hash to match. Combining the hash with a secret key (an HMAC, covered on the next page) lets the recipient verify both that the data came from a holder of the key and that it was not changed in transit, providing authentication and an integrity check at the same time. Neither mechanism can tell that data was merely intercepted and read; confidentiality requires encryption. The most widely known hashing algorithms are MD5 (message-digest algorithm) and SHA-1 (Secure Hash Algorithm). SHA-1 was designed to be stronger than MD5, but practical collision attacks now exist against both, so neither should be chosen for new designs where collision resistance matters; the SHA-2 family (e.g., SHA-256) is the current recommendation.

Page 6

Authentication concepts.

– HMAC (hash-based message authentication code).

» A secret key, which both parties hold, is combined with a hash algorithm to create the message authentication code (MAC).

• The MAC is the resulting hashed value; the receiver recomputes it with the same key and compares it to the MAC it received.

– HOTP (HMAC-based one-time password).

» An HMAC over a counter that both sides increment is truncated to create the password that is used for authentication purposes (RFC 4226).

• Often used by authentication servers; the counter moves forward after each successful use so a code cannot be reused.

– TOTP (Time-based One-time Password).

» An authentication process for creating passwords based on the current time (RFC 6238).

• An algorithm is combined with a shared secret key and the current time, divided into fixed steps (commonly 30 seconds), to generate a one-time password; it is a type of HOTP in which the counter is derived from the time instead of being stored.

» Commonly used with security tokens that are used for two-factor authentication.

Page 7

Authentication concepts.

– PAP (Password Authentication Protocol).

» When logging in to a network resource, the user or device is required to supply a username and password.

• The username and password are sent in clear text format, so this method is considered insecure and should only be used as a last resort.

– CHAP (Challenge Handshake Authentication Protocol).

» When logging in to a network resource, the user or device is challenged to prove that it knows the shared secret password without sending it, through a three-way handshake process:

• The resource issues a challenge: a random value together with an identifier for this attempt.

• The user's device hashes the identifier, the secret password, and the challenge together (MD5 in RFC 1994) and sends the hashed value, along with its username, to the resource device.

• The resource recomputes the hashed value from its own copy of the secret and either accepts or rejects the connection.

• Because each challenge is random, a captured response cannot be replayed later. The trade-off is that the resource must keep the secret itself (not just a hash of it) in order to recompute the response.
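Worked example, added here and not part of the PACE-IT slides: the CHAP three-way handshake above with both sides in Python. chap_response() computes the RFC 1994 response value MD5(Identifier || Secret || Challenge); the ChapAuthenticator class, its secrets table and the login helper are this example's own names, and the usernames and secrets are constructed. The example also shows why the random challenge matters: a response captured from one handshake is rejected when presented against a fresh challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 Response Value = MD5(Identifier || Secret || Challenge).
    # A plain hash over a concatenation, not an HMAC; the secret never leaves the peer.
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The network-resource side. It must hold each peer's secret in a recoverable
    form, because a one-way hash of the secret cannot recompute the response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # constructed: username -> shared secret
        self.identifier = 0

    def challenge(self) -> tuple:
        # Step 1: a fresh Identifier and a random Challenge Value for every attempt.
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        # Step 3: recompute with our copy of the secret; unknown names and mismatches
        # are rejected. compare_digest avoids leaking which bytes matched.
        secret = self.secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_login(server: ChapAuthenticator, name: str, secret: bytes) -> bool:
    # The handshake from the peer's point of view.
    identifier, challenge = server.challenge()                   # 1. Challenge
    response = chap_response(identifier, secret, challenge)      # 2. Response (hash only)
    return server.verify(name, identifier, challenge, response)  # 3. Success / Failure


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"s3cret"})
    print("correct secret:", chap_login(server, "alice", b"s3cret"))
    print("wrong secret:  ", chap_login(server, "alice", b"wrong"))
    # Replay: reuse a valid response against a later, different challenge.
    ident, chal = server.challenge()
    captured = chap_response(ident, b"s3cret", chal)
    ident2, chal2 = server.challenge()
    print("replayed resp: ", server.verify("alice", ident2, chal2, captured))
```

Note what the server stores: the secret in the clear, as the slide's "hashed value" is computed over the secret plus the challenge, so an attacker who captures one challenge/response pair can test candidate passwords offline against it. CHAP keeps the password off the wire, but it does not make a weak password strong.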

Page 8

Authentication concepts.

– Token.

» Utilizes a TOTP (usually regenerated every 30 to 60 seconds) to authenticate users via two-factor authentication.

• May be hardware based (e.g., a key fob).

• May be software based (e.g., an app on a smartphone).

– Smartcard.

» Utilizes a card, usually credit card sized, that has an embedded circuit and is used together with a PIN (personal identification number) to provide two-factor authentication (something you have plus something you know).

– Common access card (CAC).

» A type of smartcard issued by the U.S. military that is used for identification and authentication purposes.

• Is used to authenticate users on military networks.

• Is used to encrypt and digitally sign electronic messages.

Page 9

Authorization concepts.

Page 10

Authorization concepts.

– Separation of duties.

» The process of taking a critical organizational task and separating it into smaller jobs.

• No one person is allowed (authorized) to perform all of the duties that make up the task, reducing the risks that can arise from a malicious employee.

– Principle of least privilege.

» Only granting the minimum amount of rights and privileges (authorization) that are required for employees to perform their jobs.

• Reduces the risks associated with either a malicious employee or a compromised user account.

– Time of day restrictions.

» Establishing technological controls that limit what actions may be taken based on time (e.g., preventing employees from logging on to the network outside of operating hours).

Page 11

Authorization concepts.

– Rule-based access control (RBAC).

» The creation of rules within a system that either allow or disallow authorization to perform actions based on the rule.

– ACL (access control list).

» A type of rule-based access control implementation that can be used for authorization purposes, typically in the form of an ordered list of rules.

• The list is examined from top to bottom; once a rule is matched, the corresponding action is taken and evaluation stops. If no rule is matched, the typical response is to deny authorization (the implicit deny).

• Because the first match wins, rule order matters: a broad permit placed above a narrower deny makes the deny unreachable.
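Worked example, added here and not part of the PACE-IT slides: a first-match ACL evaluator with implicit deny, plus a small lint that reports rules shadowed by an earlier, broader rule. The Rule and Packet types, the field names and the sample ACLs (addresses 10.0.0.0/8, 10.1.2.3, 10.1.2.53) are constructed for this example and do not correspond to any vendor's ACL syntax. The sample shows the ordering mistake mentioned above: a deny for 10.0.5.0/24 that never fires because a permit for all of 10.0.0.0/8 sits above it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    # Top to bottom, first match wins; no match -> implicit deny, reported as index None.
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    # Lint: rule j can never fire if an earlier rule i matches every packet j matches.
    # Only exact containment (protocol, both networks, port) is checked, which is enough
    # to catch the "broad permit above narrow deny" ordering mistake.
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("any", later.proto)
                    and ipaddress.ip_network(earlier.src).supernet_of(ipaddress.ip_network(later.src))
                    and ipaddress.ip_network(earlier.dst).supernet_of(ipaddress.ip_network(later.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# Constructed sample: the administrator meant to block 10.0.5.0/24 from the HTTPS
# server at 10.1.2.3, but placed the narrow deny below a broad permit.
MISORDERED_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "10.1.2.3/32", 443),
    Rule("deny", "tcp", "10.0.5.0/24", "10.1.2.3/32", 443),
    Rule("permit", "udp", "0.0.0.0/0", "10.1.2.53/32", 53),
]
# Corrected ordering: most specific rule first.
CORRECTED_ACL = [MISORDERED_ACL[1], MISORDERED_ACL[0], MISORDERED_ACL[2]]

if __name__ == "__main__":
    pkt = Packet("tcp", "10.0.5.7", "10.1.2.3", 443)
    print("misordered:", evaluate(MISORDERED_ACL, pkt), "shadowed:", shadowed_rules(MISORDERED_ACL))
    print("corrected: ", evaluate(CORRECTED_ACL, pkt), "shadowed:", shadowed_rules(CORRECTED_ACL))
```

Running the misordered list permits the packet from 10.0.5.7 via rule 0 and reports rule 1 as shadowed; the corrected list denies it via rule 0, and a packet that matches nothing (for example SSH from 192.168.1.1) falls through to the implicit deny.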

– Role-based access control (also called RBAC).

» A process of creating authorization levels based on the role (e.g., user group) that a person fulfills within an organization.

• Different roles will have different authorization levels, allowing the people who fill those roles to perform different duties.

• It is most often implemented using the principle of least privilege.

Page 12

Authorization concepts.

– Discretionary access control (DAC).

» A technological control that is used to determine authorization to resources based on a specific list, the discretionary access control list (DACL), which the owner of the resource controls (hence "discretionary").

• The DACL is a listing of users and groups that are granted access (authorization) to resources.

• The DACL will also determine the amount of access (what actions can be taken based on permissions) that the user or group has to the resource.

– Mandatory access control (MAC).

» An access control model in which each individual (known as a subject) is assigned a clearance level (e.g., top secret or confidential).

» Authorization to resources is based on the resource's classification (e.g., top secret or confidential), which is set by the system's policy rather than by the resource's owner.

• The subject is usually granted authorization for resources at or below their clearance level (e.g., a top secret clearance can access resources classified as secret), provided any additional compartment or need-to-know requirements attached to the resource are also met.
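Worked example, added here and not part of the PACE-IT slides: the two models above side by side in Python. The MAC half checks lattice dominance (clearance level at or above the classification, and holding every compartment the resource carries); the DAC half is an owner-controlled DACL of principal-to-permission entries. The level names follow the slide; the compartment names ("CRYPTO", "NOFORN"), the Label and DacResource types and the usernames are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set

# --- Mandatory access control: labels are assigned by policy, not by resource owners. ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # need-to-know categories (constructed names)

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at or above AND a superset of the compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_can_read(clearance: Label, classification: Label) -> bool:
    # Simple security property: a subject may read only what its clearance dominates.
    # A "top secret" clearance therefore reads "secret" data, unless that data sits in a
    # compartment the subject was not granted.
    return clearance.dominates(classification)


# --- Discretionary access control: the owner decides who is on the DACL. ---
@dataclass
class DacResource:
    owner: str
    dacl: Dict[str, Set[str]] = field(default_factory=dict)   # principal -> permissions

    def grant(self, actor: str, principal: str, perms: Iterable[str]) -> None:
        # Only the owner may edit the DACL; that is what makes the control discretionary.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.dacl.setdefault(principal, set()).update(perms)

    def allowed(self, principal: str, groups: Iterable[str], perm: str) -> bool:
        # Entries may name a user or a group; any matching entry that holds `perm` grants it.
        return any(perm in self.dacl.get(p, set()) for p in (principal, *groups))


if __name__ == "__main__":
    ts = Label("top secret")
    print("TS reads secret:", mac_can_read(ts, Label("secret")))
    print("TS reads secret/CRYPTO:", mac_can_read(ts, Label("secret", frozenset({"CRYPTO"}))))
    doc = DacResource(owner="alice")
    doc.grant("alice", "engineering", {"read"})
    print("bob (engineering) reads:", doc.allowed("bob", ["engineering"], "read"))
    print("bob (engineering) writes:", doc.allowed("bob", ["engineering"], "write"))
```

The contrast to notice is who can change the answer: in the DAC half the owner can grant anyone anything, so a compromised owner account can leak the resource; in the MAC half neither the subject nor the owner can lower a classification or add a compartment to their own clearance.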

Page 13

What was covered.

Topic: Authentication concepts.

Summary: Hashing can be used to provide both an integrity check and authentication through the use of HMAC. HOTP and TOTP both rely upon HMAC. PAP should not be used, as it sends authentication credentials in clear text. CHAP can be used, as only a hash of the challenge and the secret is sent, never the secret itself. Some other authentication concepts include tokens, smartcards, and common access cards.

Topic: Authorization concepts.

Summary: Important authorization concepts include separation of duties, the principle of least privilege, time of day restrictions, rule-based access control, access control lists, role-based access control, discretionary access control, and mandatory access control.

Page 14

THANK YOU!

Page 15

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.