Identification and authentication: basic concepts

2024 Author: Howard Calhoun | [email protected]. Last modified: 2023-12-17 10:16

Identification and authentication are the basis of modern software and hardware security tools, since any other services are mainly designed to serve these entities. These concepts represent a kind of first line of defense that ensures the security of the information space of the organization.

What is this?

Identification and authentication have different functions. The first gives the subject (the user or process acting on their behalf) the opportunity to provide their own name. With the help of authentication, the second party is finally convinced that the subject really is who he claims to be. Identification and authentication are often replaced by the phrases "name message" and "authentication" as synonyms.

They themselves are divided into several varieties. Next, we will look at what identification and authentication are and what they are.

Authentication

This concept provides for two types: one-sided, when the clientmust first prove its authenticity to the server, and two-way, that is, when mutual confirmation is being conducted. A standard example of how standard user identification and authentication is carried out is the procedure for logging into a particular system. Thus, different types can be used in different objects.

In a network environment where user identification and authentication are carried out on geographically dispersed sides, the service in question differs in two main aspects:

• which acts as an authenticator;
• how exactly the exchange of authentication and identification data was organized and how it is protected.

To prove their identity, the subject must present one of the following entities:

• certain information that he knows (personal number, password, special cryptographic key, etc.);
• certain thing that he owns (personal card or some other device with a similar purpose);
• a certain thing that is an element of itself (fingerprints, voice and other biometric means of identifying and authenticating users).

System Features

In an open network environment, the parties do not have a trusted route, which means that, in general, the information transmitted by the subject may ultimately not match the information received and usedwhen authenticating. It is required to ensure the security of active and passive listening to the network, that is, protection from the correction, interception or playback of various data. The option of transmitting passwords in plaintext is unsatisfactory, and in the same way, password encryption cannot save the day, since they do not provide protection against reproduction. That is why more complex authentication protocols are used today.

Reliable identification is difficult not only because of various online threats, but also for a number of other reasons. First of all, almost any authentication entity can be stolen, forged or inferred. There is also a certain contradiction between the reliability of the system used, on the one hand, and the convenience of the system administrator or user, on the other. Thus, for security reasons, it is required to ask the user to re-enter his authentication information with some frequency (since some other person may already be sitting in his place), and this not only creates additional trouble, but also significantly increases the chance that that someone can spy on entering information. Among other things, the reliability of the protective equipment significantly affects its cost.

Modern identification and authentication systems support the concept of single sign-on to the network, which primarily allows you to meet the requirements in terms of user convenience. If a standard corporate network has many information services,providing for the possibility of independent treatment, then the repeated introduction of personal data becomes too onerous. At the moment, it cannot yet be said that the use of single sign-on is considered normal, since the dominant solutions have not yet formed.

Thus, many are trying to find a compromise between affordability, convenience and reliability of the means that provide identification / authentication. Authorization of users in this case is carried out according to individual rules.

Special attention should be paid to the fact that the service used can be chosen as the object of an availability attack. If the system is configured in such a way that after a certain number of unsuccessful attempts, the ability to enter is blocked, then in this case, attackers can stop the work of legal users by just a few keystrokes.

Password authentication

The main advantage of such a system is that it is extremely simple and familiar to most. Passwords have been used by operating systems and other services for a long time, and when used correctly, they provide a level of security that is quite acceptable for most organizations. But on the other hand, in terms of the total set of characteristics, such systems represent the weakest means by which identification / authentication can be carried out. Authorization in this case becomes quite simple, since passwords must bememorable, but at the same time simple combinations are not difficult to guess, especially if a person knows the preferences of a particular user.

Sometimes it happens that passwords, in principle, are not kept secret, as they have quite standard values specified in certain documentation, and not always after the system is installed, they are changed.

When entering the password, you can see, and in some cases people even use specialized optical devices.

Users, the main subjects of identification and authentication, can often share passwords with colleagues in order for them to change ownership for a certain time. In theory, in such situations it would be best to use special access controls, but in practice this is not used by anyone. And if two people know the password, it greatly increases the chances that others will eventually find out about it.

How to fix this?

There are several means of how identification and authentication can be secured. The information processing component can secure itself as follows:

• The imposition of various technical restrictions. Most often, rules are set for the length of the password, as well as the content of certain characters in it.
• Managing the expiration of passwords, that is, the need to change them periodically.
• Restricting access to the main password file.
• By limiting the total number of failed attempts available at login. Thanks toIn this case, attackers should only perform actions before performing identification and authentication, since the brute-force method cannot be used.
• Pre-user training.
• Using specialized software password generators that allow you to create combinations that are euphonious and quite memorable.

All of these measures can be used in any case, even if other means of authentication are used along with passwords.

One Time Passwords

The options discussed above are reusable, and if the combination is revealed, the attacker gets the opportunity to perform certain operations on behalf of the user. That is why one-time passwords are used as a stronger means, resistant to the possibility of passive network listening, thanks to which the identification and authentication system becomes much more secure, although not as convenient.

Currently, one of the most popular software one-time password generators is a system called S/KEY, released by Bellcore. The basic concept of this system is that there is a certain function F that is known to both the user and the authentication server. The following is the secret key K, which is known only to a certain user.

During the initial administration of the user, this function is used to the keya certain number of times, after which the result is saved on the server. In the future, the authentication procedure looks like this:

1. A number comes to the user system from the server, which is 1 less than the number of times the function is used to the key.
2. The user uses the function to the available secret key the number of times that was set in the first paragraph, after which the result is sent via the network directly to the authentication server.
3. Server uses this function to the received value, after which the result is compared with the previously saved value. If the results match, then the user is authenticated and the server saves the new value, then decrements the counter by one.

In practice, the implementation of this technology has a slightly more complex structure, but at the moment it is not so important. Since the function is irreversible, even if the password is intercepted or unauthorized access to the authentication server is obtained, it does not provide the ability to obtain a secret key and in any way predict what the next one-time password will look like specifically.

In Russia, a special state portal is used as a unified service - the "Unified Identification / Authentication System" ("ESIA").

Another approach to a strong authentication system is to have a new password generated at short intervals, which is also implemented throughuse of specialized programs or various smart cards. In this case, the authentication server must accept the appropriate password generation algorithm, as well as certain parameters associated with it, and in addition, there must also be server and client clock synchronization.

Kerberos

The Kerberos authentication server first appeared in the mid-90s of the last century, but since then it has already received a huge number of fundamental changes. At the moment, individual components of this system are present in almost every modern operating system.

The main purpose of this service is to solve the following problem: there is a certain unprotected network, and various subjects are concentrated in its nodes in the form of users, as well as server and client software systems. Each such subject has an individual secret key, and in order for the subject C to have the opportunity to prove its own authenticity to the subject S, without which he simply will not serve him, he will need not only to name himself, but also to show that he knows a certain The secret key. At the same time, C does not have the opportunity to simply send its secret key to S, since, first of all, the network is open, and besides this, S does not know, and, in principle, should not know it. In such a situation, a less straightforward technique is used to demonstrate knowledge of this information.

Electronic identification/authentication through the Kerberos system provides for ituse as a trusted third party that has information about the secret keys of the served objects and, if necessary, assists them in conducting pairwise authentication.

Thus, the client first sends a request to the system, which contains the necessary information about him, as well as about the requested service. After that, Kerberos provides him with a kind of ticket, which is encrypted with the server's secret key, as well as a copy of some of the data from it, which is encrypted with the client's key. In case of a match, it is established that the client decrypted the information intended for him, that is, he was able to demonstrate that he really knows the secret key. This suggests that the client is exactly who he claims to be.

Special attention here should be paid to the fact that the transfer of secret keys was not carried out over the network, and they were used exclusively for encryption.

Biometric authentication

Biometrics involves a combination of automated means of identifying/authenticating people based on their behavioral or physiological characteristics. Physical means of authentication and identification include verification of the retina and cornea of the eyes, fingerprints, face and hand geometry, and other personal information. Behavioral characteristics include the style of working with the keyboard and the dynamics of the signature. Combinedmethods are the analysis of various features of a person's voice, as well as recognition of his speech.

Such identification/authentication and encryption systems are widely used in many countries around the world, but for a long time they were extremely expensive and difficult to use. Recently, the demand for biometric products has increased significantly due to the development of e-commerce, since, from the user's point of view, it is much more convenient to present oneself than to memorize some information. Accordingly, demand creates supply, so relatively inexpensive products began to appear on the market, which are mainly focused on fingerprint recognition.

In the vast majority of cases, biometrics is used in combination with other authenticators like smart cards. Often, biometric authentication is only the first line of defense and acts as a means of activating smart cards that include various cryptographic secrets. When using this technology, the biometric template is stored on the same card.

Activity in the field of biometrics is quite high. An appropriate consortium already exists, and work is underway to standardize various aspects of the technology. Today you can see a lot of advertising articles in which biometric technologies are presented as an ideal means of increasing security and at the same time accessible to the general public.the masses.

ESIA

The Identification and Authentication System ("ESIA") is a special service created in order to ensure the implementation of various tasks related to the verification of the identity of applicants and participants in interdepartmental interaction in the case of the provision of any municipal or state services in electronic form.

In order to gain access to the "Single Portal of State Structures", as well as any other information systems of the infrastructure of the current e-government, you will first need to register an account and, as a result, receive a PES.

Levels

The portal of the unified identification and authentication system provides for three main levels of accounts for individuals:

• Simplified. To register it, you just need to indicate your last name and first name, as well as some specific communication channel in the form of an email address or mobile phone. This is the primary level, through which a person has access only to a limited list of various public services, as well as the capabilities of existing information systems.
• Standard. To obtain it, you first need to issue a simplified account, and then provide additional data, including information from your passport and the number of an individual insurance account. The specified information is automatically checked through information systemsPension Fund, as well as the Federal Migration Service, and if the check is successful, the account is transferred to the standard level, which opens up an extended list of public services to the user.
• Confirmed. To obtain this level of account, the unified identification and authentication system requires users to have a standard account, as well as identity verification, which is performed through a personal visit to an authorized service branch or by obtaining an activation code via registered mail. In the event that identity verification is successful, the account will move to a new level, and the user will have access to the full list of necessary government services.

Despite the fact that the procedures may seem quite complicated, in fact, you can get acquainted with the full list of necessary data directly on the official website, so a full registration is quite possible within a few days.