Authentication & Access Control

Tuesday, October 27, 2009

Authentication, in its most basic sense, is the process of identifying an individual, usually based on a username and password.


It is the process of confirming the correctness of a claimed identity, ensuring that users are who they say they are. When we type our name and password to log into a system, that is where we are authenticated and allowed access.

Authentication and authorization are not the same thing. While authentication provides proof of identity, it does not describe the privileges an entity possesses. For instance, we are authenticated before we access a database system, but this does not tell the database system which data we are entitled to access. That function is known as authorization, or access control.


In traditional systems, the user's identity is verified by checking a password typed during login; the system records the identity and uses it to determine what operations may be performed.

User authentication in computer systems has been a cornerstone of computer security for decades. The concept of a user id and password is a cost-effective and efficient method of maintaining a shared secret between a user and a computer system. One of the key elements of the password solution is its reliance on human cognitive ability to remember the shared secret. In the early computing days, with only a few computer systems and a small, select group of users, this model proved effective.

With the advent of the Internet, e-commerce, and the proliferation of PCs in offices and schools, the user base has grown both in number and in demographic base. Individual users no longer have single passwords for single systems, but are presented with the challenge of remembering numerous passwords for numerous systems, from email, to web accounts, to banking and financial services.

Password-based authentication is no longer suitable for use in this advanced era of computer networks. Passwords sent across a network can be intercepted and subsequently used by eavesdroppers to impersonate the user. In addition to the security concern, password-based authentication is inconvenient: users do not want to enter a password each time they access a network service. This has led to the use of even weaker authentication on computer networks.

To overcome these problems, stronger authentication methods based on cryptography are required. With authentication based on cryptography, an attacker listening on the network gains no information that would enable it to falsely claim another's identity. Kerberos was created to replace the insecure method of password-based authentication.

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.

The name is taken from Greek mythology: Kerberos was the three-headed dog who guarded the gates of Hades.

How Kerberos Works
  1. Suppose you want to access a server on another computer (which you may get to by sending a Telnet or similar login request). You know that this server requires a Kerberos "ticket" before it will honor your request.
  2. To get your ticket, you first request authentication from the Authentication Server (AS). The Authentication Server creates a "session key" (which is also an encryption key), basing it on your password (which it can look up from your user name) and a random value that represents the requested service. The session key is effectively a "ticket-granting ticket."
  3. You next send your ticket-granting ticket to a Ticket-Granting Server (TGS). The TGS may be physically the same server as the Authentication Server, but it is now performing a different service. The TGS returns the ticket that can be sent to the server for the requested service.
  4. The service either rejects the ticket or accepts it and performs the service.
  5. Because the ticket you received from the TGS is time-stamped, it allows you to make additional requests using the same ticket within a certain time period (typically, eight hours) without having to be reauthenticated. Making the ticket valid for a limited time period makes it less likely that someone else will be able to use it later.
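The five steps above, played out in code. This is an added toy model written for this post, not MIT's Kerberos and not the real wire protocol: it assumes one KDC hosts both the AS and the TGS, stands in for Kerberos' ciphers with a toy HMAC-SHA256 keystream plus tag, and uses constructed principal names, passwords and timestamps. What it shows that the list does not: the ticket-granting ticket is sealed under a key only the KDC knows, the service ticket under the service's own key, each "authenticator" carries a timestamp checked against a skew window, the service keeps a replay cache, and the final reply proves the server's identity back to the client (the mutual authentication mentioned earlier).

```python
# Toy model of the Kerberos exchange described above (added example, not MIT's code).
# Assumptions: one KDC hosts both AS and TGS; the "encryption" is a toy HMAC-SHA256
# keystream plus tag standing in for Kerberos' real ciphers; names, passwords and
# timestamps are constructed for the demo.
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600  # seconds; the post's "typically, eight hours"
MAX_SKEW = 300              # seconds; authenticators older than this are rejected

def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(session_key, authenticator, ticket, now):
    """TGS and service both do this: ticket unexpired, authenticator fresh and from the ticket's client."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(session_key, authenticator)  # only the legitimate ticket holder has this key
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return auth

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) on one host."""
    def __init__(self, principals):
        self.keys = {name: string_to_key(pw, name) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)  # known only to the KDC

    def as_exchange(self, client, now):
        """Step 2: session key sealed under the client's key, plus the TGT sealed under the TGS key."""
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(), "expires": now + TICKET_LIFETIME})
        return seal(self.keys[client], {"key": sk.hex()}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Step 3: validate the TGT, then issue a ticket for `service` sealed under that service's key."""
        t = unseal(self.tgs_key, tgt)
        check_authenticator(bytes.fromhex(t["key"]), authenticator, t, now)
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk.hex(), "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": ssk.hex()}), ticket

class Service:
    """Step 4: the target server never talks to the KDC; it needs only its own key."""
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        auth = check_authenticator(bytes.fromhex(t["key"]), authenticator, t, now)
        if (t["client"], auth["time"]) in self.seen:  # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((t["client"], auth["time"]))
        return seal(bytes.fromhex(t["key"]), {"time": auth["time"]})  # reply proves the service's identity

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.key, self.kdc = name, string_to_key(password, name), kdc

    def login(self, now):
        enc, self.tgt = self.kdc.as_exchange(self.name, now)
        self.tgs_session_key = bytes.fromhex(unseal(self.key, enc)["key"])  # wrong password -> ValueError

    def authenticator(self, key, now):
        return seal(key, {"client": self.name, "time": now})

    def access(self, service, now):
        """Steps 3-5: get a service ticket with the TGT, present it, verify the server's reply."""
        enc, ticket = self.kdc.tgs_exchange(self.tgt, self.authenticator(self.tgs_session_key, now), service.name, now)
        ssk = bytes.fromhex(unseal(self.tgs_session_key, enc)["key"])
        reply = service.accept(ticket, self.authenticator(ssk, now), now)
        return unseal(ssk, reply)["time"] == now  # mutual authentication succeeded

def demo():
    kdc = KDC({"alice": "correct horse battery", "host/fileserver": "constructed-service-secret"})
    fileserver = Service("host/fileserver", kdc.keys["host/fileserver"])
    alice = Client("alice", "correct horse battery", kdc)
    now = time.time()
    alice.login(now)
    return alice.access(fileserver, now)
```

Note that the password itself never leaves the client: it is only used locally to derive the key that unseals the AS reply, which is the property the post is after when it says an eavesdropper learns nothing useful. A wrong password, an expired ticket and a replayed authenticator all surface as ValueError at the party that checks them.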

In terms of technology, biometrics refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.

Authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics and point of sale (POS) applications. In addition to security, the driving force behind biometric verification has been convenience.

Biometric devices, such as fingerprint scanners, consist of:
  • A reader or scanning device
  • Software that converts the scanned information into digital form and compares match points
  • A database that stores the biometric data for comparison

To prevent identity theft, biometric data is usually encrypted when it is gathered. Here is how biometric verification works on the back end: to convert the biometric input, a software application is used to identify specific points of data as match points. The match points in the database are processed using an algorithm that translates that information into a numeric value. The database value is compared with the biometric input the end user has entered into the scanner, and authentication is either approved or denied.

The nice thing about using biometrics is that end-users do not lose or misplace their personal identifier. It's hard to leave your fingers at home. However, biometrics have not caught on as fast as originally anticipated due to the false positives and false negatives that are common when using biometric technologies.
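An added example of the match-point comparison and of the false positive / false negative trade-off it produces; this is illustrative code written for this post, not any vendor's matcher. It assumes a "template" is a list of constructed (x, y, angle) match points, that a fresh scan of the same finger is the template with small placement noise and a few points missing, and that the score is the fraction of enrolled points found in the probe. The decision threshold is the knob: raising it turns away impostors but also rejects more genuine users.

```python
# Toy biometric verifier (added example, not from the post or any vendor).
# Assumptions: templates are constructed (x, y, angle) match points; a live
# scan is simulated as the template plus noise and dropped points.
import math, random

TOLERANCE_PX = 6     # how far a probe point may sit from the enrolled point
TOLERANCE_DEG = 15   # how far its angle may differ

def point_matches(p, q):
    dtheta = abs((p[2] - q[2] + 180) % 360 - 180)
    return math.hypot(p[0] - q[0], p[1] - q[1]) <= TOLERANCE_PX and dtheta <= TOLERANCE_DEG

def match_score(template, probe):
    """Fraction of enrolled match points that have an unused matching point in the probe."""
    used, hits = set(), 0
    for p in template:
        for i, q in enumerate(probe):
            if i not in used and point_matches(p, q):
                used.add(i)
                hits += 1
                break
    return hits / len(template)

def verify(template, probe, threshold):
    """The approve/deny decision: score at or above the threshold is accepted."""
    return match_score(template, probe) >= threshold

def enroll(rng, n=20):
    """Constructed enrollment: n random match points on a 200x200 sensor."""
    return [(rng.uniform(0, 200), rng.uniform(0, 200), rng.uniform(0, 360)) for _ in range(n)]

def rescan(rng, template, jitter=2.0, drop=0.2):
    """Simulate a fresh scan of the same finger: placement noise, some points not captured."""
    probe = []
    for x, y, theta in template:
        if rng.random() < drop:
            continue
        probe.append((x + rng.gauss(0, jitter), y + rng.gauss(0, jitter), (theta + rng.gauss(0, 5)) % 360))
    return probe

def error_rates(threshold, users=50, seed=1):
    """(false reject rate, false accept rate) at one threshold over a constructed population."""
    rng = random.Random(seed)
    templates = [enroll(rng) for _ in range(users)]
    # genuine attempts: each user rescanned against their own template
    false_rejects = sum(not verify(t, rescan(rng, t), threshold) for t in templates)
    # impostor attempts: every user's scan tried against every other template
    trials = false_accepts = 0
    for i, t in enumerate(templates):
        for j, other in enumerate(templates):
            if i != j:
                trials += 1
                false_accepts += verify(t, rescan(rng, other), threshold)
    return false_rejects / users, false_accepts / trials

def sweep(thresholds=(0.05, 0.25, 0.5, 0.75, 0.95)):
    """Tabulate the trade-off the post describes: FRR rises and FAR falls as the threshold rises."""
    return [(th, *error_rates(th)) for th in thresholds]
```

Running sweep() shows why a deployment has to pick a threshold deliberately: a very low one accepts some impostors, a very high one rejects most genuine users, and the practical setting is a compromise between the two error rates rather than a point where both vanish.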

Access Control

The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do directly, as well as what programs executing on behalf of that user are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security.


Access control by fingerprint identification

The primary objective of access control is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources. Many people confuse confidentiality with integrity. Confidentiality refers to the assurance that only authorized individuals are able to view and access data and systems. Integrity refers to protecting the data from unauthorized modification. You can have confidentiality without integrity and vice versa. It's important that only the right people have access to the data, but it's also important that the data is the right data, and not data that has been modified either accidentally or on purpose.

Controlling how network resources are accessed is paramount to protecting private and confidential information from unauthorized users. The types of access control mechanisms available for information technology initiatives today continue to increase at a breakneck pace, but most access control methodologies are based on the same underlying principles.

Access control devices properly identify people, and verify their identity through an authentication process so they can be held accountable for their actions. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.
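An added example, written for this post rather than taken from it, that keeps the distinction drawn earlier between authentication and authorization and adds the audit trail this paragraph calls for. A small reference monitor first proves who the caller is (authenticate), then consults an access-control list to decide what that identity may do (authorize), and timestamps every decision in a log that can be reviewed later. The users, passwords, resource name and ACL entries are all constructed for the demo.

```python
# Added example (not from the post): a minimal reference monitor that separates
# authentication (who are you?) from access control (what may you do?) and
# records every decision with a timestamp for later audit.
# Users, passwords, resources and ACL entries are constructed for the demo.
import hashlib, hmac, os, time
from dataclasses import dataclass, field

def hash_password(password, salt=None):
    """Salted PBKDF2 so stored credentials are not the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class ReferenceMonitor:
    credentials: dict = field(default_factory=dict)  # user -> (salt, digest)
    acl: dict = field(default_factory=dict)          # resource -> {user: {"read", "write", ...}}
    audit_log: list = field(default_factory=list)

    def add_user(self, user, password):
        self.credentials[user] = hash_password(password)

    def grant(self, resource, user, *actions):
        self.acl.setdefault(resource, {}).setdefault(user, set()).update(actions)

    def _log(self, event, user, outcome, **detail):
        # every authentication and authorization decision is timestamped and kept
        self.audit_log.append({"ts": time.time(), "event": event, "user": user, "outcome": outcome, **detail})

    def authenticate(self, user, password):
        """Identity only: proves the caller knows the secret; says nothing about privileges."""
        entry = self.credentials.get(user)
        if entry is None:
            hash_password(password, b"\0" * 16)  # do the same work for unknown users (timing)
            ok = False
        else:
            salt, digest = entry
            ok = hmac.compare_digest(digest, hash_password(password, salt)[1])
        self._log("authenticate", user, "success" if ok else "failure")
        return ok

    def authorize(self, user, resource, action):
        """Access control: an authenticated identity is still limited to what the ACL allows."""
        allowed = action in self.acl.get(resource, {}).get(user, set())
        self._log("authorize", user, "allow" if allowed else "deny", resource=resource, action=action)
        return allowed

    def request(self, user, password, resource, action):
        """The full path a request takes: no authentication, no authorization, no access."""
        if not self.authenticate(user, password):
            return False
        return self.authorize(user, resource, action)

def demo():
    rm = ReferenceMonitor()
    rm.add_user("alice", "alice-secret")      # constructed credentials
    rm.add_user("bob", "bob-secret")
    rm.grant("payroll.db", "alice", "read", "write")
    rm.grant("payroll.db", "bob", "read")
    return {
        "alice_write": rm.request("alice", "alice-secret", "payroll.db", "write"),
        "bob_write": rm.request("bob", "bob-secret", "payroll.db", "write"),  # authenticated, not authorized
        "bob_bad_pw": rm.request("bob", "guess", "payroll.db", "read"),       # never gets as far as the ACL
        "audit_entries": len(rm.audit_log),
    }
```

The three requests in demo() map onto the post's distinction: Bob with the right password is authenticated but denied because the ACL gives him read only, and Bob with the wrong password is refused before the ACL is ever consulted. The audit log holds five entries for those three requests, one per decision, which is what makes a later review possible.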


Availability is certainly less confusing than confidentiality or integrity. While data and resources need to be secure, they also need to be accessible and available in a timely manner. If you have to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion. While availability may seem obvious, it is important to acknowledge that it is a goal so that security is not overdone to the point where the data is of no use to anyone.
