An Overview of Authentication Mechanisms on
Windows

This article gives an overview of the various authentication mechanisms available to applications on
Windows. It also touches upon upcoming technologies such as CardSpace and OpenID, and concludes by
relating the development of new authentication mechanisms to the basic need for SSO.


Background

With the emergence of Web 2.0, identity management is becoming a core focus. Security in online
transactions is gaining attention from all technology vendors, including Microsoft. Microsoft's
recent release of .NET Framework 3.0 includes Windows CardSpace, which provides a solid
foundation for the identity management of the future. Microsoft's recent announcement of a
tie-up with OpenID takes the CardSpace initiative to the next level. This article gives an
overview of the various authentication mechanisms on the Microsoft Windows platform.


Introduction

A digital identity is a set of characteristics associated with an individual or a device which allows
us to address it distinctly from the rest of the world.

Before access to a valuable resource is granted, the digital identity is checked to confirm the source
of the request. This mechanism is termed authentication.

Various popular authentication mechanisms are –

    1.   User name and password
    2.   Digital certificates
    3.   Biometrics – Fingerprints, Iris/retina scan
    4.   Dynamic biometrics – signature, voice recognition


Authentication in Windows OS

Microsoft Windows Server 2003 has adopted Kerberos 5 as the default protocol for network
authentication. Active Directory is merely the directory that holds all the information; the Kerberos
protocol implementation is what protects it and makes it function.

Microsoft Windows Server 2000 and later use the following as the default authentication mechanism:

Default authentication package
    Kerberos

Credential store
    Active Directory
    SAM (Security Authentication Module)

Authentication protocols
    Clear Text
    NTLM (NT LAN Manager)
    Standard Kerberos
    Kerberos PKINIT (Public Key cryptography for INITial Authentication)

All the authentication protocols are exposed via SSPI (Security Support Provider Interface).



The Windows authentication process using the Kerberos KDC (Key Distribution Center) is shown in the figure below.




Authentication in .NET Applications

The .NET Framework has a model for managing users or automated agents based on the notion of
an identity. The identity object encapsulates information about the user or entity being validated.

Basic identity objects contain a name and an authentication type. The name can be either a
user's name or the name of a Windows account, while the authentication type can be either a
supported logon protocol, such as Kerberos V5, or a custom value.

namespace System.Security.Principal
{
    public interface IIdentity
    {
        bool IsAuthenticated { get; }
        string AuthenticationType { get; }
        string Name { get; }
    }
}

The IIdentity interface shown above abstracts the authentication part of the security context.

The .NET Framework defines a GenericIdentity object that can be used for most custom logon
scenarios and a more specialized WindowsIdentity object for applications that rely on Windows
authentication. Additionally, an application can define its own identity class that
encapsulates custom user information.
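
As an added example (not code from the article), here is a custom identity of the kind just described, wrapped in the built-in GenericPrincipal so that role checks read the security context rather than a caller-supplied flag; the AppIdentity class, its tenant field, the sample user and the roles are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example (not code from the article): a custom IIdentity that carries
// application-specific user data, wrapped in a GenericPrincipal so that the
// standard .NET security context and role checks still apply to it.
// AppIdentity, the tenant field, the sample user and the roles are assumptions.
public sealed class AppIdentity : IIdentity
{
    public AppIdentity(string name, string authenticationType, bool isAuthenticated, string tenantId)
    {
        Name = name ?? string.Empty;
        AuthenticationType = authenticationType ?? string.Empty;
        IsAuthenticated = isAuthenticated;
        TenantId = tenantId;
    }

    // The three members required by IIdentity, as shown in the interface above.
    public string Name { get; private set; }
    public string AuthenticationType { get; private set; }
    public bool IsAuthenticated { get; private set; }

    // Extra information that the built-in GenericIdentity and WindowsIdentity do not carry.
    public string TenantId { get; private set; }

    // An unauthenticated identity: empty name, no authentication type, no tenant.
    public static AppIdentity Anonymous
    {
        get { return new AppIdentity(string.Empty, string.Empty, false, null); }
    }
}

public static class AppSecurity
{
    // Builds the principal for a user whose credentials have already been verified
    // by the application's own logon logic (the "custom logon scenario").
    public static IPrincipal CreatePrincipal(AppIdentity identity, string[] roles)
    {
        if (identity == null || !identity.IsAuthenticated)
        {
            // Roles are never attached to an unauthenticated identity, whatever the caller passed.
            return new GenericPrincipal(AppIdentity.Anonymous, new string[0]);
        }
        return new GenericPrincipal(identity, roles ?? new string[0]);
    }

    // An authorization guard that reads the security context instead of trusting a
    // flag supplied by the caller: it requires both an authenticated identity and the role.
    public static bool CanApproveOrders(IPrincipal principal)
    {
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated
            && principal.IsInRole("Approver");
    }

    public static void Main()
    {
        // Constructed sample: a user validated by a custom logon against the application's own store.
        var user = new AppIdentity("alice", "CustomForms", true, "tenant-42");
        Thread.CurrentPrincipal = CreatePrincipal(user, new[] { "Approver" });

        // Downstream code reads the identity back from the thread's security context.
        var current = (AppIdentity)Thread.CurrentPrincipal.Identity;
        Console.WriteLine(current.Name + " via " + current.AuthenticationType + ", tenant " + current.TenantId);
        Console.WriteLine("Can approve orders: " + CanApproveOrders(Thread.CurrentPrincipal));

        // An anonymous caller fails the guard even though a role was supplied.
        IPrincipal anonymous = CreatePrincipal(AppIdentity.Anonymous, new[] { "Approver" });
        Console.WriteLine("Anonymous can approve orders: " + CanApproveOrders(anonymous));
    }
}
```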


Web Application Authentication

ASP.NET implements authentication via authentication providers. Providers are basically classes
that contain public static methods to help in authenticating requests from clients.

An ASP.NET application can be configured to use one of the following authentication providers:


    1. Windows Authentication

   The WindowsAuthenticationModule provider relies on IIS to provide authenticated users.
   The provider module constructs a WindowsIdentity object. The default implementation
   constructs a WindowsPrincipal object and attaches it to the application context. One of
   the major advantages of Windows Authentication is that it allows an impersonation scheme
   to be implemented.




    2. Forms Authentication

   Forms authentication is recommended if the application needs to collect its own user
   credentials at logon time through HTML forms. All unauthorized requests are
   redirected to the logon page using HTTP client-side redirection. The forms authentication
   provider may implement custom logic for validating the username and password against an
   identity store. If the application authenticates the request, the system issues a ticket
   that contains a key for re-establishing the identity on subsequent requests.




    3. Passport Authentication

   Passport authentication is Microsoft's centralized authentication service that offers a
   single logon and core profile services for member sites. Passport uses the Triple DES
   encryption scheme. When member sites register with Passport, they are granted a
   site-specific key. The Passport logon server uses this key to encrypt and decrypt the query
   strings passed between sites. The authentication ticket is preserved by the client in a
   cookie and is used for all future requests to the application until the cookie expires.
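
An added example (not code from the article) of the Forms authentication flow described under item 2: a logon page that validates credentials against the application's own identity store and then lets ASP.NET issue the ticket; the web.config settings quoted in the comments, the page controls and the UserStore with its single account are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not code from the article): the code-behind of a Forms authentication
// logon page. It assumes web.config contains
//   <authentication mode="Forms"><forms loginUrl="Login.aspx" /></authentication>
//   <authorization><deny users="?" /></authorization>
// so that ASP.NET redirects unauthenticated requests to Login.aspx. The three controls
// and the UserStore with its single account are constructed for this example.
public partial class Login : Page
{
    protected TextBox UserNameBox;   // bound to controls in the page markup (assumption)
    protected TextBox PasswordBox;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (UserStore.VerifyPassword(UserNameBox.Text, PasswordBox.Text))
        {
            // Issues the forms authentication ticket in a cookie and sends the browser back
            // to the page it originally asked for (ReturnUrl). The second argument, false,
            // makes the cookie a session cookie rather than a persistent one.
            FormsAuthentication.RedirectFromLoginPage(UserNameBox.Text, false);
        }
        else
        {
            // One message for both "unknown user" and "wrong password", so the response
            // does not reveal which account names exist.
            ErrorLabel.Text = "Invalid user name or password.";
        }
    }
}

// A minimal identity store. Passwords are held only as salted PBKDF2 hashes, so a copy
// of the store does not yield the credentials themselves.
public static class UserStore
{
    private const int Iterations = 100000;
    private const int HashBytes = 32;

    private sealed class Record { public byte[] Salt; public byte[] Hash; }

    // Constructed sample account; a real store would load these from a database.
    private static readonly Dictionary<string, Record> Users =
        new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", CreateRecord("correct horse battery staple") }
        };

    // Dummy record used for unknown names so that the KDF always runs.
    private static readonly Record Unknown = CreateRecord("unknown-user-placeholder");

    private static Record CreateRecord(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new Record { Salt = salt, Hash = Derive(password, salt) };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    public static bool VerifyPassword(string userName, string password)
    {
        if (userName == null || password == null) return false;
        Record record;
        bool known = Users.TryGetValue(userName, out record);
        if (!known) record = Unknown;    // still run the KDF so timing does not reveal which names exist
        byte[] candidate = Derive(password, record.Salt);
        int diff = 0;                    // constant-time comparison of the two hashes
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ record.Hash[i];
        return known && diff == 0;
    }
}
```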




Web Services Authentication

Authentication of Web Services can be classified into two models as follows –


    1. Direct Authentication

        In the direct authentication model, the client and the service establish a direct trust. The
        client application sends the credentials directly to the service along with the service request.
        The service maintains the catalog of authorized clients, and the authentication mechanism is
        built into the service components. This model can be considered similar to Forms
        authentication for web applications, as neither mechanism requires an intermediary
        to build the trust.




    2. Brokered Authentication

        Brokered authentication has an intermediary called a 'broker' perform authentication
        when the client and service do not share a trust relationship. Credentials are used to
        authenticate with the broker, which issues a security token. The security token is then
        used to authenticate with services.




WSE (Web Services Enhancements) provides three main security tokens which support brokered
authentication.

I. X.509

    This requires support for a PKI (Public Key Infrastructure). In cases where only a limited number
    of certificates are needed, an external CA (Certificate Authority) can be used. Most X.509
    implementations, such as SSL, exchange a symmetric session key that is then used for
    encryption.

II. KerberosToken

    This requires an identity provider that supports the Kerberos protocol, such as Active
    Directory. Service tickets are session-based tokens that can be used for confidentiality and
    integrity.

III. STS (Security Token Service)

    This requires an STS implementation that issues and manages security tokens. Custom
    security tokens can be used for session-based operations.
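
The Kerberos KDC exchange referenced in the Windows OS section and the brokered model described above, as one added example (not code from the article or from WSE): a broker that shares a long-term key with each party issues a token to the client, and the service verifies that token with its own key without ever seeing the client's credential. The token is HMAC-signed and the session key is derived from the service key, a simplification of the encrypted Kerberos ticket; all names, keys and parties are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the article or WSE). The broker holds a long-term key for
// every party; the client never learns the service key and the service never sees the
// client's credential, which is what makes the trust "brokered". Simplification: the
// token is HMAC-signed and the session key is derived from the service key, whereas a
// Kerberos ticket is encrypted. All names, keys and parties are constructed.
public static class Mac
{
    public static byte[] Sign(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
    public static bool Verify(byte[] key, string data, byte[] tag)
    {
        byte[] expected = Sign(key, data);
        if (tag == null || expected.Length != tag.Length) return false;
        int diff = 0;                                   // constant-time comparison
        for (int i = 0; i < tag.Length; i++) diff |= expected[i] ^ tag[i];
        return diff == 0;
    }
}

// Token issued by the broker. The service trusts it because only the broker and the
// service hold the service key that produced the signature.
public sealed class Token
{
    public string Client, Service, Nonce;
    public DateTime Expires;
    public byte[] Signature;
    public string Body { get { return Client + "|" + Service + "|" + Expires.ToString("O") + "|" + Nonce; } }
}

public sealed class Broker
{
    private readonly Dictionary<string, byte[]> keys = new Dictionary<string, byte[]>();
    public void Register(string name, byte[] longTermKey) { keys[name] = longTermKey; }

    // The client proves knowledge of its own key by signing a fresh timestamp
    // (pre-authentication). It receives a token for the service plus, over this
    // authenticated exchange, the session key that goes with the token.
    public Token Issue(string client, string service, DateTime now, byte[] preAuth, out byte[] sessionKey)
    {
        sessionKey = null;
        byte[] clientKey, serviceKey;
        if (!keys.TryGetValue(client, out clientKey) || !keys.TryGetValue(service, out serviceKey)) return null;
        if (!Mac.Verify(clientKey, "preauth|" + client + "|" + now.ToString("O"), preAuth)) return null;

        var t = new Token { Client = client, Service = service, Expires = now.AddMinutes(10),
                            Nonce = Guid.NewGuid().ToString("N") };
        t.Signature = Mac.Sign(serviceKey, "token|" + t.Body);
        sessionKey = Mac.Sign(serviceKey, "session|" + t.Body);     // the service re-derives this
        return t;
    }
}

public sealed class Service
{
    private readonly byte[] serviceKey;
    private readonly HashSet<string> seen = new HashSet<string>();  // replay cache of authenticators
    public Service(byte[] key) { serviceKey = key; }

    // Accepts a request only if the token carries the broker's signature, is unexpired, and
    // the caller proves possession of the session key with a fresh, never-seen authenticator.
    public bool Authenticate(Token t, DateTime now, DateTime authTime, byte[] authenticator)
    {
        if (t == null || !Mac.Verify(serviceKey, "token|" + t.Body, t.Signature)) return false;
        if (now > t.Expires || Math.Abs((now - authTime).TotalMinutes) > 5) return false;
        byte[] sessionKey = Mac.Sign(serviceKey, "session|" + t.Body);
        string auth = "auth|" + t.Client + "|" + authTime.ToString("O");
        if (!Mac.Verify(sessionKey, auth, authenticator)) return false;
        return seen.Add(auth);                                      // false when replayed
    }
}

public static class Demo
{
    public static void Main()
    {
        // Client key derived from the user's credential, service key provisioned out of band.
        byte[] aliceKey = Mac.Sign(Encoding.UTF8.GetBytes("constructed-salt"), "alice-password");
        byte[] ordersKey = Encoding.UTF8.GetBytes("constructed-orders-service-key");
        var broker = new Broker();
        broker.Register("alice", aliceKey);
        broker.Register("orders", ordersKey);
        var orders = new Service(ordersKey);            // the service holds only its own key

        DateTime now = DateTime.UtcNow;
        byte[] preAuth = Mac.Sign(aliceKey, "preauth|alice|" + now.ToString("O"));
        byte[] sessionKey;
        Token token = broker.Issue("alice", "orders", now, preAuth, out sessionKey);

        byte[] authenticator = Mac.Sign(sessionKey, "auth|alice|" + now.ToString("O"));
        Console.WriteLine("first request:  " + orders.Authenticate(token, now, now, authenticator));
        Console.WriteLine("replayed:       " + orders.Authenticate(token, now, now, authenticator));

        token.Client = "admin";                          // tampering invalidates the broker's signature
        Console.WriteLine("tampered token: " + orders.Authenticate(token, now, now, authenticator));
    }
}
```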


CardSpace Authentication

Windows CardSpace is a technology designed to help eliminate the need for usernames and
passwords. Instead, it provides Windows users with digital identities in the form of cards that
users can access in a secure and familiar manner.

CardSpace provides an identity selector and a self-issued identity provider, both of which run on
the client machine. CardSpace is a new way of doing strong authentication across trust
boundaries. Internet Explorer 7 uses Windows CardSpace if it is installed.

Windows CardSpace uses the following interoperable protocols: WS-Security, WS-SecurityPolicy,
WS-Trust and WS-MetadataExchange.

The identity provider supplies the card (a .crd file), which contains the metadata information. This
card is used to obtain a security token from the identity provider for sending the claims to the
relying party.




OpenID Authentication

OpenID uses an XRI (eXtensible Resource Identifier) to verify the digital identity. CardSpace can
play a role in supplementing the OpenID authentication process by establishing a relationship
between the client and the OP (OpenID Provider) using WS-Trust and WS-MetadataExchange. This may
help eliminate steps 4 and 5 from the overall authentication process. Also, the card can
additionally carry the XRI along with the OP token.




Conclusion

SSO (Single sign-on) is a form of software authentication that enables a user to authenticate
once with one software system and in turn gain access to multiple software systems. Since Windows
OS authentication is the primary authentication, it is ideal to base SSO on it, so that all the
applications accessed in that Windows session can be reached without (re-)entering the
credentials. The Internet has opened the doors to a very large number of applications accessible
to users, typically in a B2C scenario, with each application requiring the user to undergo its own
registration and authentication process. Along with SSO, a demand persists for a secure, reliable
and generic mechanism to establish trust. With the evolution of technology and the wide acceptance
of open standards, the vision of 'Trustworthy SSO' across the web will not be far from becoming
reality.





Mais conteúdo relacionado

Mais procurados

Introduction Cloud Computing
Introduction Cloud ComputingIntroduction Cloud Computing
Introduction Cloud ComputingRoel Honning
 
Ddb 1.6-design issues
Ddb 1.6-design issuesDdb 1.6-design issues
Ddb 1.6-design issuesEsar Qasmi
 
Protection and security
Protection and securityProtection and security
Protection and securitymbadhi
 
Eucalyptus cloud computing
Eucalyptus cloud computingEucalyptus cloud computing
Eucalyptus cloud computingRahul Rana
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment modelsAshok Kumar
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...JAINAM KAPADIYA
 
Distributed Systems Introduction and Importance
Distributed Systems Introduction and Importance Distributed Systems Introduction and Importance
Distributed Systems Introduction and Importance SHIKHA GAUTAM
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Query Decomposition and data localization
Query Decomposition and data localization Query Decomposition and data localization
Query Decomposition and data localization Hafiz faiz
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key CryptosystemDevakumar Kp
 

Mais procurados (20)

Introduction Cloud Computing
Introduction Cloud ComputingIntroduction Cloud Computing
Introduction Cloud Computing
 
Ddb 1.6-design issues
Ddb 1.6-design issuesDdb 1.6-design issues
Ddb 1.6-design issues
 
Information Security
Information SecurityInformation Security
Information Security
 
Protection and security
Protection and securityProtection and security
Protection and security
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
Network security
Network securityNetwork security
Network security
 
Eucalyptus cloud computing
Eucalyptus cloud computingEucalyptus cloud computing
Eucalyptus cloud computing
 
Key management
Key managementKey management
Key management
 
Cryptography
CryptographyCryptography
Cryptography
 
Cloud deployment models
Cloud deployment modelsCloud deployment models
Cloud deployment models
 
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
Symmetric Cipher Model, Substitution techniques, Transposition techniques, St...
 
Cryptography
CryptographyCryptography
Cryptography
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Distributed Systems Introduction and Importance
Distributed Systems Introduction and Importance Distributed Systems Introduction and Importance
Distributed Systems Introduction and Importance
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
Symmetric and asymmetric key
Symmetric and asymmetric keySymmetric and asymmetric key
Symmetric and asymmetric key
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography ppt
 
Query Decomposition and data localization
Query Decomposition and data localization Query Decomposition and data localization
Query Decomposition and data localization
 
Public Key Cryptosystem
Public Key CryptosystemPublic Key Cryptosystem
Public Key Cryptosystem
 
Peer to peer system
Peer to peer systemPeer to peer system
Peer to peer system
 

Semelhante a Authentication Models

Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10githe26200
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on systemSwati Sinha
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsIRJET Journal
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CAnton Staykov
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATUREProfesia Srl, Lynx Group
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardConference Papers
 
Microsoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application PermissionsMicrosoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application PermissionsStefan Weber
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authenticationijtsrd
 
Digital Certificates and Secure Web Access
Digital Certificates and Secure Web AccessDigital Certificates and Secure Web Access
Digital Certificates and Secure Web Accessbluntm64
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 

Semelhante a Authentication Models (20)

Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Web services security_in_wse_3_ppt
Web services security_in_wse_3_pptWeb services security_in_wse_3_ppt
Web services security_in_wse_3_ppt
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
 
76 s201923
76 s20192376 s201923
76 s201923
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on system
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
 
Access management
Access managementAccess management
Access management
 
Microsoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application PermissionsMicrosoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application Permissions
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
Digital Certificates and Secure Web Access
Digital Certificates and Secure Web AccessDigital Certificates and Secure Web Access
Digital Certificates and Secure Web Access
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 Authentication
 

Último

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Authentication Models

  • 1. An Overview of Authentication Mechanisms on Windows This article gives overview of various authentication mechanisms for applications on Windows. It also touches upon upcoming technologies like CardSapce and OpenID. It concludes with relating the development of new authentication mechanisms to be evolving with a basic need for SSO. Background With emergence of Web 2.0, identity management is becoming a core focus. Security in online transactions is gaining attention from all technology vendors including Microsoft. Microsoft's recent release of .NET framework 3.0 includes Windows CardSpace which provides a solid foundation for identity management of future. Also, with recent announcement from Microsoft to tie-up with OpenID, takes the CardSpace initiative to the next level. Current article gives overview of various authentication mechanisms on Microsoft Windows platform. Introduction A digital identity is a set of characteristics associated with an individual or a device which allows us to address it distinctly from rest of the world. Before granting access to a valuable resource, a digital identity is checked to confirm the source of the request. This mechanism is termed as authentication. Various popular authentication mechanisms are – 1. User name and password 2. Digital certificates 3. Biometrics – Fingerprints, Iris/retina scan 4. Dynamic biometrics – signature, voice recognition Authentication in Windows OS Microsoft Windows Server 2003 has adopted Kerberos 5 as the default protocol for network authentication. Active Directory is merely the directory that holds all the information. Kerberos protocol implementation is used to protect it and make it function. 
Microsoft Windows Server 2000 and beyond use following as default authentication mechanism - Default authentication package Kerberos Credential store Active Directory SAM (Security Authentication Module) Authentication protocols Clear Text NTLM (NT LAN Manager) Standard Kerberos Kerberos PKINIT (Public Key cryptography for INITial Authentication) All the authentication protocols are exposed via SSPI (Security Support Provider Interface). 1
The Windows authentication process using the Kerberos KDC (Key Distribution Center) was illustrated by a figure at this point in the original article.

Authentication in .NET Applications

The .NET Framework models a user or automated agent through the notion of an identity. The identity object encapsulates information about the user or entity being validated. A basic identity object contains a name and an authentication type. The name can be either a user's name or the name of a Windows account, while the authentication type can be either a supported logon protocol, such as Kerberos V5, or a custom value.

    namespace System.Security.Principal
    {
        public interface IIdentity
        {
            bool IsAuthenticated { get; }
            string AuthenticationType { get; }
            string Name { get; }
        }
    }

The IIdentity interface shown above abstracts the authentication part of a security context. The .NET Framework defines a GenericIdentity class that can be used for most custom logon scenarios and a more specialized WindowsIdentity class for applications that rely on Windows authentication. An application can also define its own identity class that encapsulates custom user information.

Web Application Authentication

ASP.NET implements authentication through authentication providers. Providers are classes that contain public static methods to help in authenticating requests from clients. An ASP.NET application can be configured to use one of the following authentication providers:

1. Windows Authentication
The WindowsAuthenticationModule provider relies on IIS to supply the authenticated user. The provider module constructs a WindowsIdentity object; the default implementation wraps it in a WindowsPrincipal object and attaches it to the application context. A major advantage of Windows authentication is that it allows an impersonation scheme to be implemented, so that request processing runs under the authenticated user's Windows token rather than the worker process identity.

2. Forms Authentication

Forms authentication is recommended when the application needs to collect its own user credentials at logon time through HTML forms. All unauthenticated requests are redirected to the logon page using HTTP client-side redirection. The forms authentication provider may implement custom logic for validating the user name and password against an identity store. If the application authenticates the request, the system issues a ticket that contains a key for re-establishing the identity on subsequent requests.

3. Passport Authentication

Passport authentication is Microsoft's centralized authentication service, which offers a single logon and core profile services for member sites. Passport uses the Triple DES encryption scheme. When member sites register with Passport, they are granted a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query
strings passed between sites. The authentication ticket is preserved by the client in a cookie and is sent with all future requests to the application until the cookie expires.

Web Services Authentication

Authentication for web services can be classified into two models:

1. Direct Authentication

In the direct authentication model, the client and the service establish a direct trust relationship. The client application sends its credentials directly to the service along with the service request. The service maintains a catalogue of authorized clients, and the authentication mechanism is built into the service components. This model is similar to forms authentication for web applications: neither mechanism requires an intermediary to establish trust. The cost is that every service must hold (or be able to check) the client's credentials itself.

2. Brokered Authentication

Brokered authentication introduces an intermediary, called a broker, to perform authentication when the client and the service do not share a trust relationship. The client's credentials are used to authenticate with the broker, which issues a security token. The security token is then presented to services, which must verify its signature and validity period rather than the original credentials.
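The following added example (not code from the original article) puts two of the preceding ideas into working C#: the .NET identity model (IIdentity and IPrincipal, realised with the GenericIdentity and GenericPrincipal classes named in the .NET section above) and the direct versus brokered authentication models just described. It assumes .NET 6 or later; IdentityStore, Broker, ReportService, the sample user and the "AppForms" and "BrokerToken" authentication-type strings are hypothetical names chosen for the illustration. The broker-issued token is signed with HMAC-SHA256 and carries a short expiry, a deliberately minimal stand-in for the X.509, Kerberos or STS tokens the article goes on to list.

```csharp
// Added example, not code from the original article: a constructed identity
// store (direct, forms-style authentication), a broker that issues signed
// tokens (brokered authentication), and a service that turns either path into
// the .NET IIdentity/IPrincipal objects described in the article. Class names,
// the user and the "AppForms"/"BrokerToken" strings are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Identity store: keeps a salted PBKDF2 hash per user, never the password.
public sealed class IdentityStore
{
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> users = new();

    public void Add(string user, string password)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        users[user] = (salt, Derive(password, salt));
    }

    // Constant-time comparison so a wrong guess does not leak how many bytes matched.
    public bool Validate(string user, string password) =>
        users.TryGetValue(user, out var rec) &&
        CryptographicOperations.FixedTimeEquals(Derive(password, rec.Salt), rec.Hash);

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);
}

// Broker: validates the credentials once and issues
// token = base64(user|expiry) "." base64(HMAC-SHA256 over that body).
public sealed class Broker
{
    private readonly IdentityStore store;
    private readonly byte[] key;   // shared with the services that trust this broker
    public Broker(IdentityStore store, byte[] key) { this.store = store; this.key = key; }

    public string? Issue(string user, string password, TimeSpan lifetime)
    {
        if (!store.Validate(user, password)) return null;
        long expiry = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] body = Encoding.UTF8.GetBytes($"{user}|{expiry}");
        return Convert.ToBase64String(body) + "." + Convert.ToBase64String(HMACSHA256.HashData(key, body));
    }
}

// Service: in the brokered path it never sees the password; it checks the
// token's MAC and expiry and builds the principal the application code uses.
public sealed class ReportService
{
    // GenericIdentity with an empty name reports IsAuthenticated == false.
    private static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), Array.Empty<string>());

    private readonly IdentityStore store;
    private readonly byte[] key;
    public ReportService(IdentityStore store, byte[] key) { this.store = store; this.key = key; }

    // Direct authentication: the credentials travel with the request.
    public IPrincipal AuthenticateDirect(string user, string password) =>
        store.Validate(user, password) ? Principal(user, "AppForms") : Anonymous;

    // Brokered authentication: only the broker-issued token travels with the request.
    public IPrincipal AuthenticateToken(string token)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return Anonymous;
        byte[] body, mac;
        try { body = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return Anonymous; }
        // Verify the MAC before trusting anything inside the body.
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(key, body), mac)) return Anonymous;
        string[] fields = Encoding.UTF8.GetString(body).Split('|');
        if (fields.Length != 2 || !long.TryParse(fields[1], out long expiry)) return Anonymous;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= expiry) return Anonymous;   // expired
        return Principal(fields[0], "BrokerToken");
    }

    // AuthenticationType records which protocol proved the identity; the role is
    // hypothetical and would normally come from the identity store.
    private static IPrincipal Principal(string user, string authType) =>
        new GenericPrincipal(new GenericIdentity(user, authType), new[] { "Users" });
}

public static class Program
{
    static void Show(string label, IPrincipal p) =>
        Console.WriteLine($"{label}: authenticated={p.Identity.IsAuthenticated} name='{p.Identity.Name}' type='{p.Identity.AuthenticationType}' Users={p.IsInRole("Users")}");

    public static void Main()
    {
        var store = new IdentityStore();
        store.Add("alice", "correct horse battery staple");   // constructed sample user
        byte[] key = RandomNumberGenerator.GetBytes(32);
        var broker = new Broker(store, key);
        var service = new ReportService(store, key);

        Show("direct ok ", service.AuthenticateDirect("alice", "correct horse battery staple"));
        Show("direct bad", service.AuthenticateDirect("alice", "wrong"));

        string token = broker.Issue("alice", "correct horse battery staple", TimeSpan.FromMinutes(5))!;
        Show("token ok  ", service.AuthenticateToken(token));

        // Editing the body (here: another user name) without the key breaks the MAC.
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("admin|9999999999")) + "." + token.Split('.')[1];
        Show("forged    ", service.AuthenticateToken(forged));

        // A token whose MAC is valid but whose lifetime has passed is rejected too.
        string stale = broker.Issue("alice", "correct horse battery staple", TimeSpan.FromSeconds(-1))!;
        Show("stale     ", service.AuthenticateToken(stale));
    }
}
```

Run it with `dotnet run` in a console project. The point to notice is the trust boundary: in the direct path the service needs access to the identity store, whereas in the brokered path it needs only the key it shares with the broker, and every decision it makes flows from the IIdentity it constructed (IsAuthenticated, Name, AuthenticationType) rather than from the raw request. A production broker would sign with a key the service can verify without being able to forge (an X.509 signature or a Kerberos service ticket), which is exactly what the token types in the next section provide.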
WSE (Web Services Enhancements) provides three main security tokens that support brokered authentication.

I. X.509

This requires support for a PKI (Public Key Infrastructure). In cases where only a limited number of certificates are needed, an external CA (Certificate Authority) can be used. Most X.509-based implementations, such as SSL, exchange a symmetric session key that is then used for encryption.

II. KerberosToken

This requires an identity provider that supports the Kerberos protocol, such as Active Directory. Service tickets are session-based tokens that can be used for confidentiality and integrity.

III. STS (Security Token Service)

This requires an STS implementation that issues and manages security tokens. Custom security tokens can be used for session-based operations.

CardSpace Authentication

Windows CardSpace is a technology designed to help eliminate the need for user names and passwords. Instead, it provides Windows users with digital identities in the form of cards that users can access in a secure and familiar manner.
CardSpace provides an identity selector and a self-issued identity provider, both of which run on the client machine. CardSpace is a new way of doing strong authentication across trust boundaries. Internet Explorer 7 uses Windows CardSpace if it is installed. Windows CardSpace uses the following interoperable protocols: WS-Security, WS-SecurityPolicy, WS-Trust and WS-MetadataExchange. The identity provider supplies the card (a .crd file), which contains metadata about the identity rather than the claims themselves. The card is used to obtain a security token from the identity provider, and that token carries the claims sent to the relying party.

OpenID Authentication

OpenID identifies a user by an XRI (eXtensible Resource Identifier) or a URL and verifies, through the user's OP (OpenID Provider), that the user controls that identifier. CardSpace can supplement the OpenID authentication process by establishing a relationship between the client and the OP using WS-Trust and WS-MetadataExchange. This may eliminate steps 4 and 5 of the authentication flow illustrated in the original article. The card can additionally carry the XRI along with the OP token.
Conclusion

SSO (single sign-on) is a form of software authentication that enables a user to authenticate once with one software system and in turn gain access to multiple software systems. Since Windows OS authentication is the primary authentication, it is natural to base SSO on it, so that all applications accessed in a Windows session are reachable without re-entering credentials. The Internet has opened the door to a very large number of applications accessible to users, typically in a B2C scenario, with each application requiring the user to undergo its own registration and authentication process. Along with SSO, there is a persistent demand for a secure, reliable and generic mechanism for establishing trust. With the evolution of technology and the wide acceptance of open standards, the vision of "trustworthy SSO" across the web is not far from becoming reality.