Bài 4 - Authentication
Bài 4 - Authentication
Authentication
Outline
1. Introduction
2. Authentication factors
3. One Time Password (OTP)
4. Single-Sign-On (SSO)
5. Labs
6. Summary
Introduction
Introduction
Authentication is about validating your
credentials such as Username/User ID
and password to verify your identity.
Introduction
User Name,
Password
/etc/shadow
Something you know
User-entered
Password hash
Password
stored on file
e.g. /etc/shadow
H1
H2 Y
H1==H2? OK
FAIL
Something you know
“Passwords are one of the biggest practical problems facing security engineers today.”
Problems:
- Easy to share (intentionally or not)
- Easy to forget
- Often easy to guess
- Too many passwords to remember
• Complex password policy
Password vulnerabilities – Forcing users to pick stronger passwords
– Access the password file
– Brute force attacks
– Directory attacks
– Social engineering
Strategies for strong passwords
• Proactive password checking
– Users select a potential password which is tested
– Weak passwords are not accepted
• Reactive password checking
– SysAdmin periodically runs password cracking tools to detect weak
passwords that must be replaced
• Computer-generated passwords
– Random passwords are strong but difficult to remember
Something you are/do
(Inherence-based)
– Biometric - “You are your key”
– Examples:
• Fingerprint
• Handwritten signature
• Facial recognition
• Speech recognition
• Iris
• Voice
• …
Something you have
(Ownership-based)
• E-Token: store credentials such as passwords, digital
signatures and certificates, and private keys
• RFID: Integrated circuit(s) with an antenna that can
respond to an RF signal with identity information
• Smart card
• Digital Certificates (used by Websites to authenticate
themselves to customers)
One Time Password
• Dynamic password that change frequently
• Systems using OTPs generate a unique password on demand
that is not reusable
Time-synchronized OTP
Challenge-based OTP
• Authentication server displays a challenge (a random number)
to the user
• User then enters the challenge number into the token
(executes a special algorithm to generate a password)
• Because the authentication server has the same algorithm, it
can also generate the password and compare it against that
entered by the user.
Single Sign On
• Multiple applications, each requires login
• Provide users with the ability to login only once for usability
• Automatically propagate login to all applications
Single Sign On
• Advantages
– Unified mechanism
– One login/password to remember
– New applications reuse code
• Disadvantages
– Can weaken security
Implementing authentication
• Local authentication
• Network authentication
Authentication Server
• Radius
• Kerberos
• TACACS+
• LDAP
RADIUS
• Wired and Wireless LANs
• Radius clients: server, switch, AP
• Radius server authenticates and authorized the radius client
requests
Lab
1. Password policies
Create an account and test some functionalities:
– Minimum the password length
– Strong password
– Account lockout threshold
$ sudo apt install libpam-pwquality
• Now first copy “/etc/pam.d/common-password” file before configuring any changes.
$sudo vi /etc/pam.d/common-password
($sudo vi /etc/security/pwquality.conf)
$sudo vi /etc/login.defs
password requisite pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=2
dcredit=-1 ocredit=-1 reject_username enforce_for_root
RADIUS server
DHCP client
Database:
192.168.10.254/24 User: namlh
User: khanhnq
DHCP client
192.168.10.100/24
Supplicant Authenticator Authentication Server
Summary
• Authentication is about validating your credentials such as
Username/User ID and password to verify your identity
• Multiple factors:
– Something you know
– Something you have
– Something you are
• Implementing authentication
– Local
– network