Methods of Authentication
Special Authentication Methods
Some authentication methods merit their own coverage because they are specifically tested on the exam. Below is what you need to know about each of them in order to answer those questions correctly.
Kerberos
Kerberos is an open-source and widely accepted method of authentication that works on a shared-secret-key system with a trusted third party. Before you try to understand how Kerberos actually works, consider this analogy: two people are in love and want to deliver messages of their affection to each other. The problem is that they cannot express their love openly because of a family feud, so they entrust a mutual friend to carry their secrets to each other.
In essence, Kerberos does much the same. If two users wish to communicate with each other, they must first contact a trusted Kerberos server to obtain a shared secret key. Only the users that have this key can communicate with each other, because the key encrypts and decrypts their messages. The logical part of the Kerberos server that governs key distribution is aptly called the Key Distribution Center, or KDC. Once keys have been distributed to the two parties wishing to communicate, Kerberos issues what are known as “tickets” through the TGS, or Ticket Granting Server. These tickets carry the authentication information that allows the actual communication between the clients.
Kerberos has a wide variety of applications, especially in open-source software, but it is not without vulnerabilities. One is its extensive reliance on that trusted third party: if the third party is compromised, the confidentiality and integrity of information may be breached, and if the third party simply fails, availability is lost. Kerberos also uses time stamps in order to “time out” communications. Time stamps mitigate the threat of replay attacks and provide a small measure of integrity, but if the clocks of two hosts are not synchronized, communication will be impossible.
Remember that Kerberos is associated with SSO (single sign-on) technology.
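The following is an added example, not part of the original study guide, that models the Kerberos flow just described: a KDC that alone holds every long-term key, a ticket sealed for the service, a client authenticator carrying a time stamp, and a service that refuses time stamps outside the skew window or seen before. The principals "alice" and "mail", their keys, and the 300-second window are constructed for the example, and "encrypted under a key" is simplified to an HMAC-sealed JSON blob, which proves who sealed it but does not hide its contents.

```python
import hashlib
import hmac
import json

CLOCK_SKEW = 300  # seconds; an authenticator time stamp outside this window is refused

def seal(key: bytes, payload: dict) -> dict:
    """Labelled simplification of 'encrypted under key': JSON plus HMAC; it proves who sealed it, hides nothing."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key: bytes, blob: dict) -> dict:
    mac = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, blob["mac"]):
        raise ValueError("blob was not sealed under this key")
    return json.loads(blob["body"])

class KDC:
    """Trusted third party: the only principal that holds every long-term key."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys
    def issue(self, client: str, service: str, now: int) -> dict:
        session_key = hashlib.sha256(f"{client}|{service}|{now}".encode()).digest()
        # The ticket is sealed under the service's key: only the service can check it.
        ticket = seal(self.keys[service], {"client": client, "key": session_key.hex(), "issued": now})
        # The reply is sealed under the client's key: only the client learns the session key.
        return seal(self.keys[client], {"key": session_key.hex(), "ticket": ticket})

class Service:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()  # replay cache of (client, time stamp) pairs
    def accept(self, ticket: dict, authenticator: dict, now: int) -> str:
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)  # client proves it holds the session key
        if abs(now - auth["timestamp"]) > CLOCK_SKEW:
            return "rejected: clock skew"
        if (t["client"], auth["timestamp"]) in self.seen:
            return "rejected: replay"
        self.seen.add((t["client"], auth["timestamp"]))
        return f"ok: {t['client']}"

def run(client_clock_offset: int = 0, replay: bool = False) -> str:
    """Constructed principals 'alice' and 'mail'; returns the service's verdict on alice's request."""
    kdc = KDC({"alice": b"alice-long-term-key", "mail": b"mail-long-term-key"})
    mail, now = Service(b"mail-long-term-key"), 1_700_000_000
    reply = unseal(b"alice-long-term-key", kdc.issue("alice", "mail", now))  # client opens the KDC reply
    auth = seal(bytes.fromhex(reply["key"]), {"client": "alice", "timestamp": now + client_clock_offset})
    verdict = mail.accept(reply["ticket"], auth, now)
    return mail.accept(reply["ticket"], auth, now) if replay else verdict
```

Calling `run(client_clock_offset=600)` shows the clock-skew failure from the text, and `run(replay=True)` shows the same authenticator being refused the second time.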
Biometrics
As discussed before, biometric factors are methods of authentication that use the biological characteristics of a user. Biometric authentication and identification are considered the most secure. Typical biometric factors include fingerprint and retinal scans as well as photo-comparison technology.
Username / Password
The most common form of authentication system is a username and password system. This is a Type I system and therefore relies for its effectiveness on the difficulty of guessing the password. There may be questions on the Security+ exam about what constitutes a good password. Use common sense here! A good password would obviously consist of numbers and letters, lower and upper case, and symbols; in other words, the general rule of thumb is that a good password is complex. Another rule of thumb is that a good password should be at least six characters and probably eight; in fact, eight or more is the standard at the moment. Systems that allow for lost-password retrieval should not allow a malicious user to learn information about the users of a system. In addition, systems should not say whether it was the username or the password that was incorrect, as this would aid potential attackers.
Multifactor
Multifactor authentication refers to using more than one type of access control to authenticate a user. Multifactor authentication is more secure than single-factor authentication in most cases. An example of multifactor authentication would be an authentication system that required a user to have both a password and a fingerprint.
CHAP
Challenge-Handshake Authentication Protocol, or CHAP, is an authentication protocol that uses username and password combinations to authenticate users. It is used with PPP, so its most common application is authenticating dial-up internet access users. All you really need to know about it is that it uses a three-way handshake to prevent replay attacks. Microsoft has its own version of CHAP known as MS-CHAP.
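The following is an added example, not part of the original study guide, showing the three-way handshake the text refers to: the authenticator sends a fresh random challenge, the peer answers with a digest of the identifier, the shared secret and the challenge, and the authenticator recomputes and compares. The peer name "dialup-user" and its secret are constructed; the MD5 response construction follows RFC 1994 for fidelity and is not a recommendation of MD5.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer's step 2 (RFC 1994): MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side of the handshake. Knows each peer's shared secret, which is never sent on the wire."""
    def __init__(self, secrets: dict):
        self.secrets, self.pending = secrets, {}

    def challenge(self, identifier: int) -> bytes:
        """Step 1: a fresh random challenge for this identifier."""
        self.pending[identifier] = os.urandom(16)
        return self.pending[identifier]

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute over the challenge we issued; the challenge is consumed either way."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)

def run_chap(replay_captured_response: bool = False) -> bool:
    """Constructed peer 'dialup-user' with secret b's3cret'; returns the authenticator's verdict."""
    server = ChapAuthenticator({"dialup-user": b"s3cret"})
    ch = server.challenge(1)
    resp = chap_response(1, b"s3cret", ch)  # computed by the peer; only the digest crosses the link
    if not replay_captured_response:
        return server.verify(1, "dialup-user", resp)
    server.verify(1, "dialup-user", resp)        # the genuine session completes...
    server.challenge(2)                          # ...a later session gets a fresh challenge,
    return server.verify(2, "dialup-user", resp)  # so the old response no longer matches
```

`run_chap(replay_captured_response=True)` is the replay case the text says the handshake prevents: a response copied from an earlier session fails against the new challenge.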
SSO
Single sign-on, or SSO, refers to a user being authenticated only once and then being authorized to use multiple services.
Summing it up
You will see a question on the Security+ exam on almost every one of these items, and Kerberos will be tested with more than two questions. It would be to your benefit to carefully study each of these items individually so that you understand what each is all about.
Quick Review
1. Which of the following would not be a form of multifactor authentication?
a. Requiring an ATM card and a PIN
b. Requiring a secret answer to a given question
c. Requiring a fingerprint and a Kerberos ticket
d. Requiring a USB key and a password
2. Which of the following is a true statement about Kerberos?
a. It requires two distinct physical servers, one to give keys and the other to give tickets.
b. It is only used in UNIX environments.
c. Communication can only take place when both parties can utilize a trusted third party Kerberos server.
d. It is a form of biometric identification and authorization.
3. A user complains that he has to use a separate login and password for his email, his domain account, his specialized software, and even for his computer. What would be a solution to his problems?
a. Smart card
b. SSO technology
Answers
1. All of the choices use two factors for authentication with the exception of B, which requires only one factor (an answer to a question). The answer is (B).
2. Be careful! Kerberos is often used in UNIX environments, but it is not used exclusively in UNIX environments. Also, the TGS and KDC servers are logically, but not necessarily physically, separate. Finally, choice D is totally without merit. The answer is (C).
3. Because SSO provides a single sign-on for multiple services, the user would want that as a solution, as it would mean fewer login screens. The answer is (B).