Authentication and Authorization
Design
So we have established how
to secure an application during development, with code and deployment.
Automation can assist in security
via monitoring and enforcing policies,
and by being part of the SDLC and build process.
Part of securing systems
and applications is Authentication and
Authorization.
Three main concepts.
These concepts are related,
and usually happen during a login process.
A user or device says they
are a particular identity:
they claim and present an identity.
Basically saying "Hey, I am this person"
or "Here's my ID".
Otherwise known as
Identification.
After the ID or identification is presented
(aka the credentials),
these credentials (or ID) have to be
validated.
The credential validation is
known as
Authentication.
Authentication as in: are you
authentic, are you really who you
say you are?
(Has to be confirmed.)
After authentication is confirmed,
the system has to determine the user's rights:
what are they allowed to do and not do,
aka the type of access,
what are they authorized to do,
aka
Authorization.
After authorization
(remember, authorization is about access),
it is now important to keep track of access:
what has been accessed, and what actions were taken.
Known as
Accounting.
Account for what they have done,
their actions,
like logging session statistics and
usage information.
All of these make up the concepts
of AAA
(Identity & Authentication, Authorization, Accounting).
Core Components of
AAA (details of the
components and process involved).
Authentication
consists of:
Client/devices that want
to connect to/access the network.
Access conditions,
aka
Policies.
The client is then given a set
of conditions, aka
its access is defined,
by what is known as the
Policy Enforcement Point
(PEP),
which enforces the conditions/policies.
The PEP makes its decisions
based on information
from the
Policy Information Point
(PIP).
The final policy decision
(to grant access)
comes from the
Policy Decision Point
(PDP).
Authorization is
granted.
After the client is authorized
by policies,
the access is then tracked/reported,
aka
Accounting.
Other than policies
there are several factors
involved in the decision for
authentication.
Factors include:
something you know,
something you have,
something you are,
something you do,
and
somewhere you are.
Known as
authentication factors
(factor as in fact).
Multiple factors
provide better security.
Multiple factors aka
Multi-factor Authentication.
Factors are forms
of credentials;
credentials fall into different
factor categories
(most of these are common on
mobile devices).
Something you know:
passwords or login id/username.
Something you have:
smart card or
entry pass/badge.
Something you are:
fingerprint, retinal pattern,
hand geometry.
Additional categories,
aka attributes:
Something you can do,
Somewhere you are,
Something you exhibit,
Someone you know.
(Something you are: you are a human/person,
so prove it by fingerprint or
eye.)
Multiple factors
provide an additional layer of security,
e.g. an ATM requires a Card (something you have) and
a PIN (something you know).
Additional security layers mean more
difficulty for user access and
more work for management
(not as easy to get into).
Biometrics:
different factors
provide different levels of security
during the authentication process.
Multiple factors, or two factors,
means combining factors from
different factor categories.
User and Pass is just one
category (something you know).
Factors can be used
as part of an authentication
framework or technology.
Authentication
Technologies/Frameworks
include Single Sign-On (SSO),
Transitive Trust and Federation.
A user can access
different resources across
an organization without having
to constantly log in to each one.
Reduces the amount of
logins and repeated authentication;
allows access across
multiple services.
Known as
SSO,
Single Sign-On.
Single Sign-On uses
Security Assertion Markup Language,
aka SAML.
Credentials from a different service
can be used to log in to another
service.
The service can be from the
same network or a partnership with a
third party.
Known as
Federation
or Federated Identity.
Think of a login screen
for/with a preexisting
Twitter,
Facebook, or Gmail account.
These third parties
have a relationship
based on a set of authentication standards.
Security Assertion Markup
Language
(SAML)
(used for web, but not ideal for
mobile devices)
allows 3rd parties
to exchange authentication information.
SAML had to be
improved upon,
so newer Federated Identity
protocols were needed.
In come
OpenID and OAuth:
OpenID Connect and OAuth.
OAuth
(as in O Authorization)
is a framework for
Authorization.
OpenID Connect,
as in Open Identification,
is used for Identification
and Authentication.
Both are often
combined and used
together.
Authorization determines what the
user can access, aka
rights.
Single Sign-On
seems to be part of
larger Federated Identity
Management.
Federated Identity Management
could also include
Directory Services, directory domains,
as in Active Directory
(Domains, Objects, Trees etc).
2 types of trust between
Domains:
One-way and Two-way.
One-way trust
means Domain A
trusts and allows Domain B
to access its resources.
Two-way trust
means both Domains trust
each other.
So one-way trust is in
one direction only.
With two-way trust, Domain A can access B's resources
and Domain B can access A's resources;
trust goes in
both directions.
Trust can be
extended further:
Domain A trusts B,
and B trusts C.
Therefore Domain A also trusts C.
So trust is extended to all of B's
trusted domains.
Known as
Transitive Trust.
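The one-way, two-way and transitive trusts described above, as an added Python model that is not part of the original notes. "A trusts B" is modelled as an edge meaning users from Domain B may reach Domain A's resources; the domain names and the rule that a multi-hop path is honoured only when every trust on it is transitive are assumptions made for the illustration.

```python
# Added example (not from the original notes): a small model of one-way,
# two-way and transitive domain trusts. "A trusts B" means users from B
# may access A's resources. Domain names and trusts below are constructed.
from collections import deque


def add_trust(trusts, trusting, trusted, two_way=False, transitive=False):
    """Record that `trusting` trusts `trusted`; two_way adds the reverse edge.
    trusts[trusting] maps each trusted domain to whether that trust is transitive."""
    trusts.setdefault(trusting, {})[trusted] = transitive
    if two_way:
        trusts.setdefault(trusted, {})[trusting] = transitive


def can_access(trusts, resource_domain, user_domain):
    """True if a user from user_domain may reach resource_domain's resources.
    A direct trust always counts; a multi-hop path counts only when every
    trust on the path is transitive (simplified rule, an assumption here)."""
    if resource_domain == user_domain:
        return True
    if user_domain in trusts.get(resource_domain, {}):
        return True  # direct one-way or two-way trust
    # Multi-hop: walk outward from the resource owner over transitive trusts only
    queue, seen = deque([resource_domain]), {resource_domain}
    while queue:
        domain = queue.popleft()
        for trusted, transitive in trusts.get(domain, {}).items():
            if not transitive or trusted in seen:
                continue
            if trusted == user_domain:
                return True
            seen.add(trusted)
            queue.append(trusted)
    return False


def demo_forest():
    """Constructed sample: A trusts B (one-way, transitive), B and C trust
    each other (two-way, transitive), C trusts D (one-way, non-transitive)."""
    t = {}
    add_trust(t, "A", "B", transitive=True)
    add_trust(t, "B", "C", two_way=True, transitive=True)
    add_trust(t, "C", "D", transitive=False)
    return t


if __name__ == "__main__":
    forest = demo_forest()
    for resource, user in [("A", "B"), ("B", "A"), ("A", "C"), ("A", "D")]:
        print(f"user from {user} -> resources of {resource}:", can_access(forest, resource, user))
```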
All these authentication methods or functionalities
use specific technologies to
perform authentication,
aka Authentication Technologies,
for digital access control
and authentication.
Going back to
(multi) factors,
specifically something you have,
SYH (Something You Have)
can be in the form of a security
token.
Tokens are
delivered via
a physical object,
key card or fob,
for physical/in-person
authentication or access
control.
Card,
aka Proximity Card
or Key Card,
is basically similar to a
contactless card
(doesn't have to be inserted into a reader);
contains the user's identity and details
and can be used to access restricted areas.
Other tokens can be
digital
(think RSA token).
Tokens are often
combined with a PIN or OTP (or
Something You Know, SYK)
for extra security
(think multi-factor).
2 types of
One Time Password
(OTP):
Time-Based
One Time Password
(TOTP)
and HMAC-Based
One Time Password
(HOTP).
OTP is based on 2 inputs:
Seed (static value) and Moving Factor (dynamic value).
Seed aka secret.
Both are used to
generate the OTP.
HMAC (Hash-Based Message Authentication Code).
Each type of OTP
is based on how the
moving factor is generated.
For HOTP, the moving factor is
event based,
and this event is a counter.
Each time an OTP is requested,
the counter is incremented
(the incremented moving factor is combined
with the seed to generate the OTP).
The Seed (secret) is a static value,
combined with the Moving Factor.
For TOTP, the Moving Factor
is time,
so for TOTP passwords you
only have a certain amount of time
to use the password.
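The HOTP and TOTP generation described above, as an added Python example that is not part of the original notes: the seed and the moving factor (a counter for HOTP, a 30-second time step for TOTP) go through HMAC-SHA1 and dynamic truncation as specified in RFC 4226 and RFC 6238, and the two verify functions show the server-side checks (look-ahead window for HOTP, clock-skew window for TOTP). The seed value is the published RFC test-vector secret, used only so the output can be checked.

```python
# Added example (not from the original notes): HOTP (RFC 4226) and TOTP
# (RFC 6238) built from the two inputs the notes describe, a static seed
# and a moving factor (a counter for HOTP, a time step for TOTP).
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, moving_factor: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the moving factor derived from time (30 s steps)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(seed, int(unix_time // step), digits)


def verify_hotp(seed: bytes, code: str, last_counter: int, look_ahead: int = 5):
    """Server-side HOTP check: try only the next `look_ahead` counters after the
    last accepted one, never earlier ones, so a captured code cannot be replayed.
    Returns the counter to store on success, else None."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(seed, counter), code):
            return counter
    return None


def verify_totp(seed: bytes, code: str, unix_time: float,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side for clock drift."""
    current = int(unix_time // step)
    return any(hmac.compare_digest(hotp(seed, current + d), code)
               for d in range(-skew, skew + 1))


# Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890")
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SEED, 0))            # 755224
    print("TOTP at t=59, 8 digits:", totp(RFC_SEED, 59, digits=8))  # 94287082
```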
One time passwords (or PINs)
can be delivered via
different methods:
sent via
SMS to phone,
using an Authentication
App,
Token Key
(device that plugs into USB),
Static Codes
(think Google does this),
Phone Callback.
Biometrics, like
biology (body) metrics.
Other biometrics
include voice recognition patterns and
facial recognition.
All fall under
SYA
(Something You Are) factors.
Well known biometrics have
their faults.
(Again, it is always best to combine
multiple factors to ensure
security.)
Injuries or loss of a body part
can cause rejections in
something
like fingerprinting.
Hand Span
Geometry:
similar issues to fingerprinting,
injuries or finger loss
can lead to rejection.
Possible for illness or
scanner misplacement to
lead to or cause rejection in
Facial Recognition
(face characteristics)
(scan not aligned to face).
Retinal
(eyes).
Voice Recognition
(tone and pacing patterns):
allergies, illness and stress
affect the voice.
May have issues (with rejection)
if a user gets scarring or
loses their finger.
Environmental conditions,
clothing.
Blood Vessels
(measures uniqueness of
blood vessel patterns):
use of alcohol
or medication.
Signature
(measures speed, shape,
kinematics).
Gait
(patterns of weight shift
and leg kinematics).
False rejection can also be the
result of attitude, environment,
injury.
Effectiveness of
biometrics:
effectiveness depends on the
Efficacy Rate,
how well it
identifies the user and
how difficult it is for an attacker
to trick the system.
Based on how likely an
unauthorized user
can gain access,
aka
False Acceptance Rate
(FAR).
How often an authorized
person gets rejected,
basically the failure to
recognize an authorized user:
False Rejection Rate
(FRR).
If both rates are equal,
then this percentage
is called the
Crossover Error Rate
(CER).
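FAR, FRR and CER as defined above, worked through in an added Python example that is not part of the original notes: match scores for genuine users and impostors are constructed sample data, the acceptance threshold is swept from 0 to 1, FAR and FRR are computed at each threshold, and the crossover point is located; the last function shows the usual defender's tuning, picking the threshold that caps FAR and reporting the FRR paid for it.

```python
# Added example (not from the original notes): FAR, FRR and CER of a biometric
# matcher across acceptance thresholds. Scores below are constructed sample
# data in [0, 1] (higher = more similar to the enrolled template), not real.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.65, 0.60, 0.55, 0.48]
IMPOSTOR = [0.62, 0.58, 0.52, 0.47, 0.41, 0.38, 0.33, 0.29, 0.22, 0.15]


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, steps=100):
    """Rows of (threshold, FAR, FRR) for thresholds swept from 0 to 1."""
    return [(t / steps, far(impostor_scores, t / steps), frr(genuine_scores, t / steps))
            for t in range(steps + 1)]


def crossover_error_rate(genuine_scores, impostor_scores, steps=100):
    """Threshold where FAR and FRR are closest, and the error rate there (CER)."""
    t, f_a, f_r = min(error_curve(genuine_scores, impostor_scores, steps),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (f_a + f_r) / 2


def threshold_for_max_far(genuine_scores, impostor_scores, max_far, steps=100):
    """Lowest threshold keeping FAR <= max_far, with the FRR that costs.
    Security-sensitive deployments tune above the CER this way."""
    for t, f_a, f_r in error_curve(genuine_scores, impostor_scores, steps):
        if f_a <= max_far:
            return t, f_r


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t:.2f}")
    t, cost = threshold_for_max_far(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"FAR 0 needs threshold {t:.2f}, FRR rises to {cost:.2f}")
```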