
Identification and authentication: basic concepts

Identification and authentication are the foundation of modern software and hardware security tools, since most other security services exist mainly to serve these two subjects. Together they form a first line of defense that protects the organization's information space.

What are they?

Identification and authentication have different functions. Identification lets a subject (a user, or a process acting on the user's behalf) state its name. Authentication is how the other party becomes convinced that the subject really is who it claims to be. The two terms are often replaced by the synonymous phrases "stating a name" and "verifying authenticity."

Each of them comes in several varieties. Below we look at what identification and authentication are and what forms they take.

Authentication

Authentication comes in two types: one-way, where the client must prove its authenticity to the server, and two-way (mutual), where each party confirms the other's identity. The standard example of user identification and authentication is the procedure of logging in to a particular system. Different types may be used for different objects.

In a networked environment, where the parties that identify and authenticate users are geographically dispersed, the service in question has two main aspects:

  • What serves as the authenticator;
  • How the exchange of identification and authentication data is organized and how it is protected.

To prove its authenticity, the subject must present at least one of the following:

  • Something the subject knows (a personal number, a password, a cryptographic key, and so on);
  • Something the subject possesses (a personal card or another device serving a similar purpose);
  • Something that is part of the subject (fingerprints, voice, and other biometric means of user identification and authentication).

Features of these systems

In an open network environment the parties have no trusted channel, so in general the information the subject transmits may not match the information that is eventually received and used for authentication. The service must be protected against both active and passive eavesdropping on the network, that is, against modification, interception, and replay of data. Sending passwords in the clear is unsatisfactory, and encrypting the passwords does not save the situation either, because it gives no protection against replay. This is why more sophisticated authentication protocols are used today.

Reliable identification is difficult not only because of network threats but for several other reasons as well. First, almost any authentication entity can be stolen, forged, or guessed. Second, there is a tension between the reliability of the system on the one hand and the convenience of the administrator or the user on the other. For security reasons the user must be asked, with some frequency, to re-enter authentication data (since by then someone else may be sitting in his place), and this is not only a chore but also significantly raises the chance that someone will observe the data being entered. Finally, the reliability of the protection strongly affects its cost.

Modern identification and authentication systems support the concept of single sign-on to the network, which above all satisfies requirements for user convenience. If a typical corporate network has many information services that can be accessed independently, repeatedly entering personal data becomes too burdensome. At present single sign-on cannot yet be called the norm, since dominant solutions have not yet emerged.

Thus many organizations try to find a compromise between affordability, convenience, and reliability of the means by which identification and authentication are provided. Authorization of users is then carried out according to individual rules.

Special attention should be paid to the fact that the service in question can itself be chosen as the target of an availability attack. If the system is configured to block login after some number of unsuccessful attempts, attackers can stop legitimate users from working with just a few keystrokes.

Password Authentication

The main advantage of password authentication is that it is extremely simple and familiar to most people. Passwords have long been used by operating systems and other services, and with proper use they provide a level of security acceptable for most organizations. On the other hand, taken as a whole, such systems are the weakest means of identification and authentication. Authorization here is simple in principle, but passwords have to be memorable, and simple combinations are easy to guess, especially by someone who knows the preferences of a particular user.

Sometimes passwords are not secret at all, because they have standard default values given in the documentation, and they are not always changed after the system is installed.

A password can be observed while it is being entered, and in some cases specialized optical devices are even used for this.

Users, the main subjects of identification and authentication, often share passwords with colleagues so that the colleague can take over for a certain period. In theory such situations call for special access controls, but in practice nobody uses them. And once two people know a password, the chance that others will eventually learn it rises sharply.

How to fix it?

There are several ways to protect identification and authentication. The information-processing component can be secured by:

  • Imposing technical restrictions. Most often, rules are set for the length of the password and for the characters it must contain.
  • Managing password validity, that is, requiring periodic replacement.
  • Restricting access to the main password file.
  • Limiting the total number of failed login attempts, which makes brute-force guessing impractical.
  • Training users in advance.
  • Using specialized password generators that produce combinations that are pronounceable and fairly easy to remember.

All these measures are worth applying in any case, even when other authentication methods are used alongside passwords.

One-time passwords

The passwords discussed above are reusable, and if the combination is disclosed, an attacker can perform operations on behalf of the user. That is why one-time passwords are used as a stronger tool, resistant to passive network eavesdropping; they make the identification and authentication system much safer, though less convenient.

Currently one of the most popular software generators of one-time passwords is the S/KEY system, released by Bellcore. The basic idea is that there is a function F known to both the user and the authentication server, and a secret key K known only to the specific user.

When the user is first set up, the function is applied to the key a certain number of times, and the result is stored on the server. After that, the authentication procedure looks like this:

  1. The server sends the user's system a number that is one less than the number of times the function was applied to the key.
  2. The user applies the function to the secret key that many times and sends the result over the network to the authentication server.
  3. The server applies the function once more to the received value and compares the result with the previously stored value. If they match, the user's authenticity is established; the server stores the new value and decrements the counter by one.

In practice the implementation is somewhat more complex, but that is not important here. Because the function is one-way, intercepting a password or gaining unauthorized access to the authentication server does not let an attacker recover the secret key or predict what the next one-time password will be.
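The three-step procedure above, written out as an added example (not code from S/KEY or Bellcore). The one-way function F is assumed to be SHA-256, the server keeps only the stored chain value and the counter, and the client refuses to go past the point where it would have to send the bare key K.

```python
import hashlib
import hmac

def F(value: bytes) -> bytes:
    """The one-way function known to both user and server (SHA-256, an assumption)."""
    return hashlib.sha256(value).digest()

def apply_n(key: bytes, n: int) -> bytes:
    """Apply F to the key n times: F(F(...F(key)...))."""
    value = key
    for _ in range(n):
        value = F(value)
    return value

class SKeyServer:
    """Stores only F^n(K); the secret key K itself never reaches the server."""
    def __init__(self, key: bytes, n: int):
        self.stored = apply_n(key, n)   # done once, when the user is set up
        self.counter = n

    def challenge(self) -> int:
        # Counter 1 would ask the client for F^0(K) = K itself, so stop before that.
        if self.counter <= 1:
            raise RuntimeError("chain exhausted: re-initialise the user")
        return self.counter - 1

    def verify(self, otp: bytes) -> bool:
        # One more application of F must reproduce the value stored from last time.
        if not hmac.compare_digest(F(otp), self.stored):
            return False
        self.stored = otp                # the password just used becomes the new reference
        self.counter -= 1
        return True

class SKeyClient:
    """Holds K and computes the response for the number the server sends."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, n: int) -> bytes:
        return apply_n(self.key, n)
```

A captured response is useless afterwards: the server now expects the value one step closer to K, which cannot be computed from the captured one.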

In Russia, a special state portal, the "Unified Identification and Authentication System" ("ESIA"), is used as a shared service.

Another approach to reliable authentication is to generate a new password at short intervals, which is implemented with specialized programs or various smart cards. In this case the authentication server must support the same password-generation algorithm and its associated parameters, and the server and client clocks must be synchronized.

Kerberos

The Kerberos authentication server first appeared in the mid-1990s, but since then it has gone through a great many fundamental changes. Today components of this system are present in almost every modern operating system.

The main purpose of this service is to solve the following problem: there is an unprotected network whose nodes host various subjects, namely users as well as server and client software systems. Each subject has its own secret key. For subject C to prove its authenticity to subject S (without which S simply will not serve it), C must not only identify itself but also show that it knows a certain secret key. C cannot simply send its secret key to S, because the network is open, and besides, S does not know C's key and in principle does not need to. So a less straightforward technique is used to demonstrate knowledge of this information.

Electronic identification and authentication through Kerberos uses it as a trusted third party that knows the secret keys of the subjects it serves and, when necessary, helps them perform pairwise authentication.

So the client first sends the system a request containing the necessary information about itself and the requested service. Kerberos then returns a unique ticket encrypted with the server's secret key, together with a copy of some of the data from it encrypted with the client's key. If the two match, it is established that the client was able to decrypt the information intended for it, that is, it has demonstrated that it really knows the secret key. This shows that the client is exactly who it claims to be.

Note that the secret keys are never transmitted over the network; they are used exclusively for encryption.
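The exchange described above as an added simulation (not Kerberos code and not the page's own), carried one step further to where the client presents the ticket to the service. The cipher is a toy stand-in for Kerberos's real one, and the principal names, key values and session-key format are constructed for the example.

```python
import hashlib
import hmac
import json
import os

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Toy authenticated cipher standing in for Kerberos's real one (an assumption):
    # SHAKE-256 keystream XOR, then an HMAC tag over nonce and ciphertext.
    nonce = os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

# Long-term secret keys known to the trusted third party (constructed values).
KDC_KEYS = {"alice": os.urandom(32), "fileserver": os.urandom(32)}

def kdc_issue(client: str, service: str):
    """Ticket sealed with the service's key; the client's copy sealed with the client's key."""
    session = os.urandom(32).hex()
    ticket = toy_encrypt(KDC_KEYS[service], json.dumps({"client": client, "session": session}).encode())
    reply = toy_encrypt(KDC_KEYS[client], json.dumps({"service": service, "session": session}).encode())
    return ticket, reply

def client_use(client_key: bytes, name: str, reply: bytes):
    """Only a holder of the client's key can open the reply and learn the session key."""
    session = json.loads(toy_decrypt(client_key, reply))["session"]
    authenticator = toy_encrypt(bytes.fromhex(session), name.encode())
    return session, authenticator

def service_check(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """The service opens the ticket with its own key, then checks the authenticator with the session key inside."""
    try:
        t = json.loads(toy_decrypt(service_key, ticket))
        who = toy_decrypt(bytes.fromhex(t["session"]), authenticator).decode()
    except ValueError:
        return False
    return who == t["client"]
```

Nothing on the wire (ticket, reply, authenticator) contains a long-term key, and a party without the client's key cannot open the reply and so cannot produce a valid authenticator.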

Authentication using biometric data

Biometrics covers a set of automated means of identifying and authenticating people based on their physiological or behavioral characteristics. Physiological means of identification and authentication include checking the retina and cornea of the eye, fingerprints, face and hand geometry, and other individual features. Behavioral characteristics include keyboard typing style and signature dynamics. Combined methods analyze various features of a person's voice and recognize their speech.

Such identification, authentication, and encryption systems are used in many countries around the world, but for a long time they were extremely expensive and difficult to use. Recently demand for biometric products has grown significantly with the development of e-commerce, since from the user's point of view it is far more convenient to present oneself than to remember something. Demand generates supply, so relatively inexpensive products, mostly focused on fingerprint recognition, have begun to appear on the market.

In most cases biometrics is used together with other authenticators such as smart cards. Often biometric authentication is only the first line of defense and serves to activate a smart card that holds various cryptographic secrets. With this approach the biometric template is stored on the same card.

Activity in the field of biometrics is high. A consortium already exists, and work on standardizing various aspects of the technology is actively under way. Today one sees many advertising articles presenting biometric technology as an ideal means of increased security that is at the same time accessible to the masses.

ESIA

The Unified Identification and Authentication System ("ESIA") is a special service created to carry out tasks related to verifying the identity of applicants and of participants in interagency cooperation when municipal or state services are provided in electronic form.

To gain access to the "Single portal of state structures," as well as to other information systems of the current e-government infrastructure, you first need to register an account and, as a result, obtain a PEP.

Levels

The portal of the unified identification and authentication system provides three basic account levels for individuals:

  • Simplified. To register, you only need to give your first and last name and a contact channel, that is, an e-mail address or a mobile phone number. This is the entry level, which gives access only to a limited list of public services and of the capabilities of existing information systems.
  • Standard. To obtain it, you first need a simplified account, and then you provide additional data, including passport details and the number of your individual insurance account. This information is checked automatically against the information systems of the Pension Fund and the Federal Migration Service; if the check succeeds, the account is raised to the standard level, which opens an expanded list of public services to the user.
  • Confirmed. To obtain this level, the unified identification and authentication system requires a standard account plus identity verification, performed either by a personal visit to an authorized service point or by receiving an activation code by registered mail. If identity confirmation succeeds, the account moves to the new level and the user gains access to the full list of public services.

Although the procedures may seem rather complicated, the full list of required data is available directly on the official website, so full registration is quite feasible within a few days.

Copyright © 2018 en.birmiss.com. Theme powered by WordPress.