PACE-IT, Security + 5.2: Authentication and Authorization Basics (part 2)

Authentication
and authorization
basics II.

Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certifications
 PC Hardware
 Network Administration
 IT Project Management
 Network Design
 User Training
 IT Troubleshooting
Qualifications Summary
Education
 M.B.A., IT Management, Western Governor’s University
 B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manger
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required— with a focus on technology.

PACE-IT.
– Authentication concepts.
– Authorization concepts.

Authentication and authorization basics II.

A common method of
authentication involves
creating a hashed value of
the information.
Hashing is a cryptographic process that uses an algorithm to
derive a set value (the hashed value) from data and a secret key.
The hash can be used to verify that data is coming from where it
is supposed to and that it has not been intercepted or changed in
transit—providing both authentication and an integrity check at
the same time.
The most popular hashing algorithms are MD5 (message-digest
algorithm) and SHA-1 (Secure Hash Algorithm). Of the two, SHA-
1 is the more secure.

– HMAC (hashed-based message
authentication code).
» A secret key—in which both parties have the secret key—is
combined with an algorithm to create the message
authentication code (MAC).
• The MAC is actually the resulting hashed value.
– HOTP (HMAC-based one-time password).
» A HMAC-based algorithm is used to created the password that
is used for authentication purposes.
• Often used by authentication servers.
– TOTP (Time-based One-time Password).
» An authentication process for creating passwords based on the
current time.
• An algorithm is combined with a shared secret key and the
current time to generate a one time password; it is a type of
HOTP.
» Commonly used with security tokens that are used for two
factor authentication.

– PAP (Password Authentication Protocol).
» When logging in to a network resource, the user or device is
required to supply a username and password.
• The username and password are sent in clear text format, so
this method is considered unsecure and should only be used
as a last resort.
– CHAP (Challenge Handshake
Authentication Protocol).
» When logging in to a network resource, the user or device is
challenged to supply a username and secret password and it
authenticates through a three-way handshake process:
• The resource issues a challenge—what is the hashed value of
the username and secret password (the HMAC)?
• The user’s device sends the hashed value to the resource
device.
• The resource evaluates the hashed value and either accepts
or rejects the connection.

– Token.
» Utilizes a TOTP (usually generated every 30 to 60 seconds) to
authenticate users via two-factor authentication.
• May be hardware based (e.g., attached to a key fob).
• May be software based (e.g., an app on a smartphone).
– Smartcard.
» Utilizes a card—usually credit card sized—that has an
embedded circuit and a PIN (personal identification number) to
provide two-factor authentication.
– Common access card (CAC).
» A type of smartcard issued by the U.S. military that is used for
identification and authentication purposes.
• Is used to authenticate users on military networks.
• Is used to encrypt and digitally sign electronic messages.

– Separation of duties.
» The process of taking a critical organizational task and
separating it into smaller jobs.
• No one person is allowed (authorized) to perform all of the
duties that make up the task—reducing the risks that can
arise from a malicious employee.
– Principle of least privilege.
» Only granting the minimum amount of rights and privileges
(authorization) that are required for employees to perform their
jobs.
• Reduces the risks associated with either a malicious
employee or a compromised user account.
– Time of day restrictions.
» Establishing technological controls that limit what actions may
be taken based on time (e.g., preventing employees from
logging on to the network outside of operating hours).

– Rule-based access control (RBAC).
» The creation of rules within a system that either allow or
disallow authorization to perform actions based on the rule.
– ACL (access control list).
» A type of RBAC implementation that can be used for
authorization purposes—typically in the form of a list of rules.
• The list is typically examined from top to bottom; once a rule
is matched, the corresponding action is taken. If no rule is
matched, the typical response is to deny authorization.
– Role-based access control (also called
RBAC).
» A process of creating authorization levels based on the role
(e.g., user group) that a person fulfills within an organization.
• Different roles will have different authorization levels, allowing
the people who fill those roles to perform different duties.
• It is most often implemented using the principle of least
privilege.

– Discretionary access control (DAC).
» A technological control that is used to determine authorization
to resources based on a specific list—the discretionary access
control list (DACL).
• The DACL is a listing of users and groups that are granted
access (authorization) to resources.
• The DACL will also determine the amount of access (what
actions can be taken based on permissions) that the user or
group has to the resource.
– Mandatory access control (MAC).
» An access control model in which each individual (known as a
subject) is assigned to a clearance level (e.g., top secret or
confidential).
» Authorization to resources is based on the resource’s
classification (e.g., top secret or confidential).
• The subject is usually granted automatic authorization for
resources that fall below their clearance level (e.g., a top
secret clearance will always be able to access resources
classified as secret).

Hashing can be used to provide both an integrity check and authentication
through the use of HMAC. HOTP and TOTP both rely upon HMAC. PAP
should not be used, as it sends authentication credentials in clear text.
CHAP can be used, as credentials are sent as a hashed value. Some other
authentication concepts include: tokens, smartcards, and common access
cards.
Topic
Authentication concepts.
Summary
Important authorization concepts include: separation of duties, the principle
of least privilege, time of day restrictions, rule-based access control, access
control list, role-based access control, discretionary access control, and
mandatory access control.
Authorization concepts.

This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.

PACE-IT, Security + 5.2: Authentication and Authorization Basics (part 2)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Destaque

Destaque (9)

Semelhante a PACE-IT, Security + 5.2: Authentication and Authorization Basics (part 2)

Semelhante a PACE-IT, Security + 5.2: Authentication and Authorization Basics (part 2) (20)

Último

Último (20)

PACE-IT, Security + 5.2: Authentication and Authorization Basics (part 2)