Authentication Applications Prepared By Mahmoud Dalloul Wisam Abu Karsh Nidal El-Borbar Supervised By: Ms. Eman Alajrami Information Security Principles University of Palestine

Out Lines:
Part “01” by Nidal El-Borbar:
  Introduction
  Types of Authentication
  Applications and Authentication
Part “02” by Mahmoud Dalloul: Kerberos
  Introduction to Kerberos
  Why Kerberos is needed?
  Requirements for Kerberos
  Versions of Kerberos
Part “03” by Wisam Abu Karsh:
  Authentication web site

Part “01”: Introduction
Authentication is the act of establishing identity via the presentation of information that allows the verifier to know that the presenter is who or what it claims to be. This identity could be any number of things, including:
  People
  Systems
  Applications
  Messages

Types of Authentication
There are many different types of authentication that can be used in an application. The selection of the most appropriate type depends on the needs of the application; use this guide to determine which makes the most sense for your application.
1. Basic, single-factor authentication
2. Multi-factor authentication
3. Cryptographic authentication

1. Basic authentication
Basic authentication is a commonly used term that most people probably understand already. It refers to password-based authentication. A password can be any information that is used to verify the identity of a presenter. Common examples that fall into this category are:
  The common password
  Host or system names
  Application names
  Numerical IDs

2. Multi-Factor Authentication
Multi-factor authentication is the use of a combination of authentication methods to validate identity. The most common description of multi-factor authentication is the use of information that is known only by the person, combined with something in his or her possession. These are typically:
  The name and password
  Some form of token

Note: Some form of token
A token is a hardware component that is used during the authentication process; it typically provides another piece of information that cannot be ascertained without physical control of the token. Different types of tokens used in multi-factor authentication are:
  Smart cards
  One-time passwords/phrases
  Single-use PINs or pseudo-random numbers
  Biometric information
Multi-factor authentication provides the following additional benefits:
  Difficult to spoof and impersonate
  Easy to use

3. Cryptographic Authentication
The final form of authentication outlined here is that which utilizes cryptography. This includes the following forms:
  Public Key Authentication
  Digital Signatures
  Message Authentication Code
  Password permutation

Applications and Authentication
Now that the various authentication methods have been outlined, you can look at their use in applications. The following application-specific areas will be covered:
1) Identifying what needs authentication
2) Choosing the appropriate authentication method(s)
3) Guidelines for implementing authentication

1. Identifying the Need for Authentication
The following questions help the application designer and developer understand whether there is a need for authentication within their application:
  Are there multiple users or applications that will interact with the application in question?
  If multiple entities are expected, will they all access exactly the same data, configuration, and information, or will each have its own set of information, regardless of how small?
  Is the application running in a completely closed and trusted area, wherein there is no person, system, or application that will access it from untrusted parts, such as the Internet, other networks, or unknown applications?
  Is there a concept of privileged information or functionality and the separation or isolation of this within the application?
If the answer to any of these questions is "yes," authentication is needed within the application.

2. Choosing the Appropriate Authentication Methods
Internal or local service-based authentication (Local Authentication)
There are several reasons, or combinations of reasons, that may warrant implementation of local, internal authentication within an application:
  Stand-alone application
  No or intermittent communication capabilities
  Limited, small, or embedded applications
  Restricted application resources

External service-based authentication and integration
It is often desirable that an application co-exist with other applications and share common information, including authentication information. Such external services include:
  LDAP: Lightweight Directory Access Protocol
  Active Directory
  NIS/NIS+: Network Information Service
  Kerberos (covered by Mahmoud Dalloul in Part “02”)

3. Guidelines for Implementation
This section covers some general guidelines that are helpful during implementation of authentication services. The guidelines are organized into the following sections:
  Approaches to sensitive data
  Security strength versus business factors
  Usability

When deciding on an authentication mechanism, the natural pressures of deliverables, schedules, and customers can force difficult decisions that often leave security out of the picture. The following table provides an easy comparison of the following aspects:
  Ease of implementation: how simple or complex the implementation can be, taking into consideration the availability of libraries and standards.
  Ease of management: the complexity of managing the authentication environment, considering users, addition and removal of users, and updating of credentials.
  Ease of deployment: the complexity of deploying the authentication technology across simple and advanced environments, considering hardware and software requirements.

  Strength: the overall security strength, considering methods of attack and compromise, inherent weaknesses, and scalability over large environments.
End Of Part “01”

Part “02”: Introduction to Kerberos
  An authentication service developed for Project Athena at MIT
  Provides strong security on a physically insecure network
  A centralized authentication server which authenticates
    users to servers
    servers to users
  Relies on conventional encryption rather than public-key encryption

Why Kerberos is needed?
Problem: in an open distributed environment, workstations cannot be trusted to identify their users correctly.
Three threats:
  Pretending to be another user from a workstation
  Sending requests from an impersonated workstation
  Replay attacks to gain service or disrupt operations

Why Kerberos is needed? (cont.)
Solution: either build elaborate authentication protocols at each server, or use a centralized authentication server (Kerberos).

Requirements for KERBEROS
  Secure: an opponent should not find it to be the weak link
  Reliable: one system should be able to back up another
  Transparent: a user should not be aware of the authentication taking place
  Scalable: the system supports a large number of clients and servers

Versions of KERBEROS
  Two versions are in common use
  Version 4 is the most widely used version
  Version 4 uses DES
  Version 5 corrects some of the security deficiencies of Version 4
  Version 5 has been issued as a draft Internet Standard (RFC 1510)

Kerberos 4 Overview
  A basic third-party authentication scheme
  Uses DES, buried in an elaborate protocol
  Authentication Server (AS)
    The user initially negotiates with the AS to identify self
    The AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
  Ticket Granting Server (TGS)
    Users subsequently request access to other services from the TGS on the basis of the user's TGT
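As an added worked example (not from the slides), the following Python simulation walks a client through the Kerberos v4 exchange just outlined: the AS hands out a ticket-granting ticket inside a reply that only the holder of the password-derived key can open, the TGS checks the TGT plus a fresh authenticator and issues a service ticket, and the application server validates the ticket, the authenticator, the lifetime and a replay cache before proving its own identity back to the client. The authenticated encryption (a SHAKE keystream plus HMAC standing in for DES), the password-to-key derivation, the lifetimes, the principal names and the address are all constructed stand-ins for the real protocol's mechanics.

```python
import hashlib, hmac, json, os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed value)
CLOCK_SKEW = 300      # tolerated client/server clock difference in seconds (assumed value)

def password_key(password):
    # Kc: the client's long-term key derived from its password (toy derivation, not Kerberos' string-to-key)
    return hashlib.sha256(password.encode()).digest()

def encrypt(key, obj):
    """Encrypt-then-MAC of a JSON dict; stands in for the DES encryption the slides name."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def verify_ticket(server_key, ticket_hex, auth_hex, addr, now, seen):
    """Checks any server (TGS or application server) makes on a ticket + authenticator pair."""
    t = decrypt(server_key, bytes.fromhex(ticket_hex))             # only the server's own key opens the ticket
    if now > t["ts"] + t["life"]:
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["key"]), bytes.fromhex(auth_hex))  # authenticator is under the session key
    if a["client"] != t["client"] or a["addr"] != t["addr"] or addr != t["addr"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > CLOCK_SKEW:
        raise ValueError("stale authenticator")
    if (a["client"], a["ts"]) in seen:                               # replay cache
        raise ValueError("replayed authenticator")
    seen.add((a["client"], a["ts"]))
    return t

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one object."""
    def __init__(self, users, services):
        self.user_keys = {u: password_key(p) for u, p in users.items()}
        self.service_keys = dict(services, tgs=os.urandom(32))
        self.seen = set()
    def _ticket(self, service, client, addr, session, now):
        body = {"key": session.hex(), "client": client, "addr": addr, "service": service, "ts": now, "life": LIFETIME}
        return encrypt(self.service_keys[service], body).hex()
    def as_exchange(self, client, addr, now):
        # messages (1)/(2): the reply is readable only by whoever knows the user's password
        session = os.urandom(32)
        reply = {"key": session.hex(), "service": "tgs", "ts": now, "life": LIFETIME,
                 "ticket": self._ticket("tgs", client, addr, session, now)}
        return encrypt(self.user_keys[client], reply)
    def tgs_exchange(self, service, tgt_hex, auth_hex, addr, now):
        # messages (3)/(4): validate the TGT and authenticator, then issue a service ticket
        t = verify_ticket(self.service_keys["tgs"], tgt_hex, auth_hex, addr, now, self.seen)
        session = os.urandom(32)
        reply = {"key": session.hex(), "service": service, "ts": now,
                 "ticket": self._ticket(service, t["client"], t["addr"], session, now)}
        return encrypt(bytes.fromhex(t["key"]), reply)

class Client:
    def __init__(self, name, password, addr):
        self.name, self.key, self.addr = name, password_key(password), addr
    def authenticator(self, session_key, now):
        return encrypt(session_key, {"client": self.name, "addr": self.addr, "ts": now}).hex()
    def login(self, kdc, now):
        reply = decrypt(self.key, kdc.as_exchange(self.name, self.addr, now))
        self.tgt, self.tgs_key = reply["ticket"], bytes.fromhex(reply["key"])
    def service_ticket(self, kdc, service, now):
        blob = kdc.tgs_exchange(service, self.tgt, self.authenticator(self.tgs_key, now), self.addr, now)
        reply = decrypt(self.tgs_key, blob)
        return reply["ticket"], bytes.fromhex(reply["key"])

class AppServer:
    def __init__(self, key):
        self.key, self.seen = key, set()
    def handle(self, ticket_hex, auth_hex, addr, now):
        t = verify_ticket(self.key, ticket_hex, auth_hex, addr, now, self.seen)
        return encrypt(bytes.fromhex(t["key"]), {"ts": now + 1})     # message (6): server proves itself too

def rejects(action):
    try:
        action()
        return False
    except ValueError:
        return True

def run_demo(now=1_700_000_000):
    """Full v4 login flow; returns (server authenticated, replay rejected, wrong password rejected)."""
    fs_key = os.urandom(32)
    kdc = KDC({"alice": "correct horse"}, {"fileserver": fs_key})        # constructed principals
    server, alice = AppServer(fs_key), Client("alice", "correct horse", "10.0.0.5")
    alice.login(kdc, now)
    ticket, skey = alice.service_ticket(kdc, "fileserver", now)
    auth = alice.authenticator(skey, now)
    mutual_ok = decrypt(skey, server.handle(ticket, auth, alice.addr, now))["ts"] == now + 1
    replay_rejected = rejects(lambda: server.handle(ticket, auth, alice.addr, now))
    wrong_pw_rejected = rejects(lambda: decrypt(password_key("wrong"), kdc.as_exchange("alice", alice.addr, now)))
    return mutual_ok, replay_rejected, wrong_pw_rejected
```

The points worth noticing are the ones the slides list as threats: the client's address is bound into the ticket so a request from an impersonated workstation fails the address check, the authenticator's timestamp plus the replay cache defeat a replayed request, and because the AS reply is encrypted under the password-derived key, a wrong password yields nothing usable rather than an explicit "wrong password" answer.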

Kerberos Realms
A Kerberos environment consists of:
  a Kerberos server
  a number of clients, all registered with the server
  application servers, sharing keys with the server
This is termed a realm, typically a single administrative domain. If there are multiple realms, their Kerberos servers must share keys and trust each other.

Kerberos Version 5
  Developed in the mid 1990s
  Provides improvements over v4
  Addresses environmental shortcomings: encryption algorithm, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
  Addresses technical deficiencies: double encryption, non-standard mode of use, session keys, password attacks
  Specified as Internet standard RFC 1510
End Of Part “02”

Part “03”: Authentication web site

Introduction
An authentication web site contains two parts:
1. Internet Information Server (IIS).
2. ASP.NET.

Internet Information Server (IIS) authentication
IIS is a web server software package. There are four types of authentication mechanisms used by the IIS server:
1. Anonymous authentication
2. Basic authentication
3. Integrated Windows authentication
4. Digest authentication

Anonymous authentication
1. The default mechanism used by the IIS server.
2. Allows a user to browse the web application without entering a user name and password.

Basic authentication
This form of authentication requires a user name and password, but the password is sent unencrypted. As a result it is not secure and is easily penetrable.

Integrated Windows authentication
This form of authentication requires that the user has the right to log in within the Windows domain. It is preferably used in business-to-business (B2B) web applications, where the number of users is relatively small.

Digest authentication
This mechanism is quite like Basic authentication, but it is secure because the password is sent encrypted.
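As an added example (not from the slides), the following Python shows the difference the last two slides describe, using the sample credentials published in RFC 2617: a Basic header is only base64 of user:password, so anyone who sees the request recovers the password, while a Digest client sends an MD5 digest computed over the password, the server's nonce and the request, so the server can verify it from its own stored copy of the password without the password itself ever crossing the wire. The parsing helpers, the `verify_digest` server-side check and the nonce bookkeeping are my own additions; the header values are the RFC's worked example.

```python
import base64, hashlib, hmac

def parse_basic(header):
    """Decode 'Authorization: Basic ...'. Base64 is an encoding, not encryption: the password is in the clear."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth: HA1 binds the password to the realm, HA2 binds the request,
    and the outer hash binds both to the server's nonce, the request counter and the client nonce."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest(header):
    """Parse the comma-separated key=value / key="value" fields of a Digest header (values without commas assumed)."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        fields[key] = val.strip().strip('"')
    return fields

def verify_digest(header, method, password_for, issued_nonces):
    """Server side: recompute the response from the stored password and compare in constant time.
    issued_nonces is the set of nonces this server handed out, so a client cannot pick its own."""
    f = parse_digest(header)
    if f.get("nonce") not in issued_nonces:
        return False
    password = password_for(f.get("username"))
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password, method, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f["response"])

# Constructed sample headers, built from the example credentials given in RFC 2617
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
DIGEST_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", nonce="' + DIGEST_NONCE + '", '
                 'uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", '
                 'response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"')
USERS = {"Aladdin": "open sesame", "Mufasa": "Circle Of Life"}   # the server's stored credentials

def demo():
    basic = parse_basic(BASIC_HEADER)                 # anyone on the path recovers ('Aladdin', 'open sesame')
    good = verify_digest(DIGEST_HEADER, "GET", USERS.get, {DIGEST_NONCE})
    wrong_method = verify_digest(DIGEST_HEADER, "POST", USERS.get, {DIGEST_NONCE})   # HA2 no longer matches
    return basic, good, wrong_method
```

The `wrong_method` case shows what Basic cannot offer: the Digest response is tied to the specific request, so a captured header cannot be reused for a different method or URI, and the nonce check lets the server limit how long even an identical replay would be accepted.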

ASP.NET authentication
  Forms authentication
  Passport authentication
  Windows authentication

Forms authentication
This mechanism relies on a registration (login) form, which the user can reach at any time when they need to sign in. When more privacy is required, for example when you want to buy something from the application, you are redirected to the login form, and after a successful login you are redirected back to the page you first visited.

Passport authentication
A service provided by Microsoft for web sites such as MSN and Hotmail. It can be subscribed to after signing a contract with the company, and this authentication is used as follows:
1. When the application requires the user to authenticate, the user is redirected to the Passport login service; details of the requesting application are passed to the service automatically.
2. After a successful login, the user is redirected back to the original application that requested it. The steps are similar to the Forms authentication mechanism, but differ in that the service passes the encrypted user authentication to the ASP.NET application. To use this service, the Passport SDK must be downloaded.

Windows authentication
A mechanism in which user authentication is based on the login rights in the Windows domain (Windows 2000).

Authentication Procedures
Three alternative authentication procedures:
  One-Way Authentication
  Two-Way Authentication
  Three-Way Authentication
All use public-key signatures.

One-Way Authentication
1 message (A->B), used to establish:
  the identity of A and that the message is from A
  that the message was intended for B
  the integrity and originality of the message
1- A {ta, ra, B, sgnData, KUb[Kab]}
  ta = timestamp
  ra = nonce
  B = identity of the intended recipient
  sgnData = signed with A's private key
  KUb[Kab] = session key Kab encrypted with B's public key

Two-Way Authentication
2 messages (A->B, B->A), which also establish, in addition:
  the identity of B and that the reply is from B
  that the reply is intended for A
  the integrity and originality of the reply
1- A {ta, ra, B, sgnData, KUb[Kab]}
2- B {tb, rb, A, sgnData, KUa[Kab]}

Three-Way Authentication
3 messages (A->B, B->A, A->B), which enable the above authentication without synchronized clocks
1- A {ta, ra, B, sgnData, KUb[Kab]}
2- B {tb, rb, A, sgnData, KUa[Kab]}
3- A {rb}
End Of Part “03”
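As an added example (not on the slides), here are the three procedures in Python with a toy textbook RSA, so that sgnData and KUb[Kab] can be shown concretely: each party signs the message body with its private key, the recipient looks up the sender's public key in a shared directory and checks the signature, checks that it is the intended recipient, checks the timestamp against its own clock (or, in the three-way form, skips the clock and relies on getting its own nonce rb back, signed), rejects any nonce it has already accepted, and recovers Kab with its private key. The key sizes, the 300-second acceptance window, the directory and the party names are assumptions, and the RSA has no padding; it illustrates the message structure only.

```python
import hashlib, json, secrets

# Two known Mersenne primes give a roughly 150-bit toy modulus: enough to show the mechanics,
# nowhere near a real X.509 key size, and with no padding (constructed demo, not secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
SKEW = 300   # seconds of clock drift tolerated when timestamps are checked (assumed value)

def toy_keypair():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (E, n), (pow(E, -1, phi), n)          # (public key KU, private key KR)

def _digest(payload, n):
    h = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(priv, payload):
    """sgnData: hash of the body raised to the signer's private exponent."""
    d, n = priv
    return pow(_digest(payload, n), d, n)

def verify(pub, payload, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(payload, n)

class Party:
    def __init__(self, name, directory):
        self.name, self.directory = name, directory     # directory: shared public-key lookup (the X.500 directory's role)
        self.pub, self.priv = toy_keypair()
        directory[name] = self.pub
        self.seen = set()        # nonces already accepted, for replay detection
        self.issued = {}         # nonces this party sent, keyed by peer, for the three-way check

    def token(self, peer, now):
        """Build {t, r, peer, sgnData, KUpeer[Kab]}: Kab is readable only with the peer's private key."""
        e_b, n_b = self.directory[peer]
        kab = secrets.randbelow(n_b)
        body = {"from": self.name, "to": peer, "t": now, "r": secrets.token_hex(8), "enc_key": pow(kab, e_b, n_b)}
        self.issued[peer] = body["r"]
        return {"body": body, "sig": sign(self.priv, body)}, kab

    def accept(self, msg, now, check_clock=True):
        body = msg["body"]
        if not verify(self.directory[body["from"]], body, msg["sig"]):
            raise ValueError("signature does not verify: message is not from " + body["from"])
        if body["to"] != self.name:
            raise ValueError("message was intended for " + body["to"])
        if check_clock and abs(now - body["t"]) > SKEW:
            raise ValueError("timestamp outside acceptance window")
        if body["r"] in self.seen:
            raise ValueError("nonce already used: replay")
        self.seen.add(body["r"])
        d, n = self.priv
        return body, pow(body["enc_key"], d, n)        # recover Kab with our private key

def one_way(a, b, now):
    msg, kab = a.token(b.name, now)
    _, kab_at_b = b.accept(msg, now)
    return kab == kab_at_b

def two_way(a, b, now):
    return one_way(a, b, now) and one_way(b, a, now)   # message 2: B proves itself to A the same way

def three_way(a, b, now_a, now_b):
    """Three messages with the clocks ignored: freshness comes only from the nonces."""
    m1, _ = a.token(b.name, now_a)
    b.accept(m1, now_b, check_clock=False)
    m2, _ = b.token(a.name, now_b)
    body2, _ = a.accept(m2, now_a, check_clock=False)
    reply = {"from": a.name, "to": b.name, "r": body2["r"]}          # message 3: A {rb}
    m3 = {"body": reply, "sig": sign(a.priv, reply)}
    return verify(a.pub, m3["body"], m3["sig"]) and m3["body"]["r"] == b.issued[a.name]
```

In `three_way` the two clocks can be arbitrarily far apart and the exchange still succeeds, because B's assurance that message 3 is fresh comes from seeing its own rb returned under A's signature rather than from ta; in the one- and two-way forms that assurance rests on the timestamp window, which is why those forms need synchronized clocks.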

References
1) _ _ _ _ _ _
2) William Stallings, Cryptography and Network Security, 4th Edition, Prentice Hall.
3) definition/ definition/ definition/

Thank You With Our Best wishes.