CONTROLLING USER ACCESS: AUTHENTICATION AND AUTHORIZATION DEFIANA ARNALDY, M.SI

OVERVIEW Introduction Authentication techniques IIS authentication Microsoft.NET Passport authentication Hashing information Hashing algorithms SSL Financial network security Conclusion 2

INTRODUCTION Until now, we have assumed that hackers use network- sniffing software to intercept confidential data; however, there is as much danger in forged or spoofed data Authentication systems must be able to validate supplied credentials securely against trusted sources and also to ensure that the message has not been tampered with in transit 3

AUTHENTICATION TECHNIQUES To guarantee the identity of a client, you need to trust one piece of information that is unique to that client and that cannot easily be determined or faked (e.g., IP address, Windows username/password, or some other credential) 4

Several different types of authentications are applicable to different scenarios ISP  can use IP addresses as credentials Windows-only intranet application  Windows logins 5

IIS AUTHENTICATION The most basic is anonymous  the clients do not have to supply any credentials and are automatically granted IUSR (guest) privileges. One step above is basic authentication  Forces the client to supply credentials in base64 (basically, clear text) combined with SSL, this is a secure solution. 6

MICROSOFT.NET PASSPORT AUTHENTICATION Passport authentication is where users can be identified by their Hotmail addresses The advantage of passport over in-house-developed systems is that many people already have a Hotmail address, and thus do not have to reregister their details. 7

Passport authentication is used primarily for Web sites, but can also be applied to applications, MSN Messenger being a good example Passports are available in two flavors: Preproduction  free Production  not free 8

HASHING INFORMATION Hashing is a one-way algorithm in which data can be converted to a hash value, but a hash value cannot be converted back to meaningful data Modern hashing systems include Message Digest (MD5) and Secure Hash Algorithm (SHA-1). 9

HASHING ALGORITHMS.NET provides support for two hashing algorithms: Secure Hash Algorithm (SHA), and Message Digest (MD5) There are four different variations of the SHA available for use in.NET: SHA1Managed (20-byte hash), SHA256Managed (32-byte hash), SHA384Managed (48-byte hash), SHA512Managed (64-byte hash). 10

SSL SSL is a secure stream protocol, which uses both symmetric and asymmetric encryption, combined with digital certificates to provide authentication. Digital certificates can be bought from a certificate authority (CA) such as Thawte or Verisign 11

SSL is defined in RFC SSL is used for securing Web pages, , FTP, or news. HTTP over SSL (HTTPS) operates on port 443; SMTP over SSL (SSMTP) operates on port 465; NNTP over SSL (SNNTP) operates on port

CERTIfiCATES A certificate has to be issued by a CA in order to be globally accepted. It is possible to create self-signed certificates, but these would generally be deemed trustworthy only within your organization The most common form of digital certificate is known as X.509. This is an international standard maintained by the IETF Public Key Infrastructure (PKIX) working group 13

The certificate comprises various fields that identify the holder, the issuer, and the certificate itself: Serial number: The unique serial number on every certificate created by an issuer Signature: Identifies the makeup of the certificate, represented by an object identifier (OID). Validity period: The date at which the certificate becomes and ceases to be valid Subject: The owner of the private key Public key : The key that will decrypt the certificate hash Signed hash: The hash of the certificate encrypted with the private key of the CA 14

15

SERVER CERTIfiCATES Server certificates for real-world Web sites need to be obtained from a CA. A useful utility for creating self-signed certificates is IBM KeyMan ( The steps to enable HTTPS using a self-signed certificate and IBM KeyMan on IIS  see your self on the e-book. 16

CLIENT CERTIFICATES Client certificates are only used for maximum-security Web sites, such as online business banking. Client certificates are available free of charge from Thawte. They are used to send and receive encrypted s and to authenticate your address to recipients 17

18

MICROSOFT CERTIFICATE SERVICES MSCS runs on Windows 2000 and can generate X.509 certificates in PKCS #7 format from PKCS #10 certificate requests. MSCS can run as either a root CA or subordinate CA and can optionally hold certificates in the active directory. When used in conjunction with the active directory, MSCS will use this as its certificate revocation list (CRL) 19

READING CERTIFICATES Certificates can be read using the X509Certificate class (Table 9.2) in.NET. 20

21

FINANCIAL NETWORK SECURITY If a hacker were to break into an e-commerce site successfully and capture someone’s credit card number, some unfortunate person would get stung financially; however, if the same thing happened on an interbank network, a country’s economy could be ruined overnight 22

Most banks use private leased lines between their branches so that the confidential information does not come into contact with the public phone network When a bank needs to communicate with a second financial institution overseas to perform, it must use the public phone network 23

CONCLUSION This chapter has looked at the mechanisms for guaranteeing the identity of network clients over the Web and on Microsoft networks Extending the topic to real-world scenarios, we looked at how banks use authentication to transfer billions of dollars safely across phone lines. 24