Identification and authentication are the basis of modern software and hardware security, as any other services are mainly designed to service these entities. These concepts are a kind of first line of defense, ensuring the security of the information space of the organization.
What it is?
Identification and authentication have different functions. The first gives the subject (a user, or a process acting on the user's behalf) the opportunity to state its name. With the help of the second, the other side becomes convinced that the subject really is who it claims to be. Identification and authentication are often referred to, as synonyms, by the phrases "announcing one's name" and "verifying authenticity".
They are themselves divided into several varieties. Next, we look at what identification and authentication are and what kinds exist.
Authentication
This concept has two types: one-way, when the client must first prove its authenticity to the server, and two-way, when mutual confirmation takes place. A standard example of how user identification and authentication is performed is the procedure for logging into a particular system. Different types can be used for different objects.
In a networked environment, where users are identified and authenticated across geographically dispersed parties, the service in question has two main aspects:
- what acts as the authenticator;
- how exactly the exchange of identification and authentication data is organized, and how its protection is ensured.
To confirm its authenticity, the subject must present one of the following:
- certain information that he knows (personal number, password, special cryptographic key, etc.);
- a certain thing that he owns (a personal card or some other device having a similar purpose);
- a certain thing that is an element of himself (fingerprints, voice and other biometric means of identification and authentication of users).
System Features
In an open network environment the parties have no trusted route, which means that in the general case the information sent by the subject may not coincide with the information received and used during authentication. Protection against active and passive eavesdropping on the network is required, that is, protection against modification, interception or replay of data. Transmitting passwords in clear text is unsatisfactory, and simply encrypting the passwords does not save the situation either, since encryption alone gives no protection against replay. That is why more sophisticated authentication protocols are used today.
Reliable identification is difficult not only because of various network threats, but for a number of other reasons as well. First of all, almost any authentication entity can be stolen, forged or guessed. There is also a certain contradiction between the reliability of the system, on the one hand, and the convenience of the system administrator or user, on the other. For security reasons, the user must be asked to re-enter authentication information with some frequency (since some other person may already be sitting in their place), and this not only creates additional inconvenience but also significantly increases the chance that someone will observe the information being entered. Among other things, the reliability of the protection mechanisms significantly affects their cost.
Modern identification and authentication systems support the concept of single sign-on to the network, which primarily satisfies the requirements of user convenience. If a standard corporate network has many information services, each with independent access, then repeated entry of credentials becomes too burdensome. At the moment it cannot yet be said that single sign-on to the network is considered normal, since dominant solutions have not yet formed.
Thus, many are trying to find a compromise between affordability, convenience and reliability of the means by which identification / authentication is provided. User authorization in this case is carried out according to individual rules.
Special attention should be paid to the fact that the service in use can be chosen as the target of an attack on availability. If the system is configured so that login is blocked after a certain number of unsuccessful attempts, attackers can stop the work of legitimate users with literally a few keystrokes.
Password Authentication
The main advantage of such a system is that it is extremely simple and familiar to most. Passwords have long been used by operating systems and other services, and when used correctly they provide a level of security that is quite acceptable for most organizations. On the other hand, by their overall set of characteristics, such systems are the weakest means by which identification / authentication can be carried out. Guessing becomes quite simple in this case: passwords must be memorable, but simple combinations are easy to guess, especially if a person knows the preferences of a particular user.
Sometimes passwords are not kept secret at all, since they have quite standard default values specified in certain documentation, and they are by no means always changed after the system is installed.
A password being entered can be observed, and in some cases people even use specialized optical devices for this.
Users, the main subjects of identification and authentication, often share passwords with colleagues so that the latter can take over for a certain time. In theory, special access control means would be most appropriate in such situations, but in practice nobody uses them. And if two people know a password, this greatly increases the chances that others will eventually learn it too.
How to fix it?
There are several ways in which identification and authentication can be protected. The password component may be protected by the following:
- Imposing various technical limitations. Most often, rules are set for the length of the password, as well as for the presence of certain classes of characters in it.
- Managing the validity period of passwords, that is, requiring their periodic replacement.
- Restricting access to the main password file.
- Limiting the total number of failed attempts allowed at logon. Thanks to this, attackers are confined to actions performed before identification and authentication, since the brute force method cannot be used.
- User training.
- Using specialized software password generators that create combinations that are pronounceable and reasonably memorable.
All of these measures can be used in any case, even if other means of authentication are used along with passwords.
One-time passwords
The passwords discussed above are reusable, and if the combination is revealed, an attacker is able to perform operations on behalf of the user. That is why one-time passwords are used as a more powerful tool that is resistant to passive eavesdropping on the network; thanks to them the identification and authentication system becomes much more secure, although less convenient.
Currently one of the most popular one-time password generators is a system called S/KEY, released by Bellcore. The basic concept of this system is that there is a certain function F which is known to both the user and the authentication server, and a secret key K which is known only to the specific user.
During initial user administration, this function is applied to the key a certain number of times, and the result is stored on the server. The subsequent authentication procedure looks like this:
- The server sends the user's system a number that is 1 less than the number of times the function was applied to the key.
- The user applies the function to the secret key the number of times set in the previous step, and the result is sent over the network to the authentication server.
- The server applies the function once more to the value it received, and compares the result with the previously saved value. If the results match, the user's authenticity is established; the server saves the new value and decreases the counter by one.
In practice, the implementation of this technology has a slightly more complex structure, but that is not important at the moment. Since the function is irreversible, even intercepting a password or gaining unauthorized access to the authentication server gives no opportunity to obtain the secret key or to somehow predict what the next one-time password will look like.
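The hash-chain procedure described above, as an added example written for this article and not taken from S/KEY itself. It assumes SHA-256 as the one-way function F, uses a constructed secret key, and shows why a captured one-time password cannot be replayed and why the chain must be re-initialized before it is exhausted (otherwise the last "password" would be K itself).

```python
import hashlib
import hmac

def f(value: bytes) -> bytes:
    """The one-way function F known to both sides (SHA-256 assumed here)."""
    return hashlib.sha256(value).digest()

def apply_n(value: bytes, n: int) -> bytes:
    """Apply F to the value n times: returns F^n(value)."""
    for _ in range(n):
        value = f(value)
    return value

class SKeyServer:
    """Stores only F^n(K) and the counter n; never sees K."""
    def __init__(self, stored: bytes, counter: int):
        self.stored = stored
        self.counter = counter

    def challenge(self):
        # Chain exhausted once counter reaches 1: a challenge of 0 would
        # make the client send K in the clear, so refuse and require re-enrollment.
        if self.counter <= 1:
            return None
        return self.counter - 1

    def verify(self, response: bytes) -> bool:
        if self.counter <= 1:
            return False
        # F(F^(n-1)(K)) must equal the stored F^n(K); constant-time compare
        if hmac.compare_digest(f(response), self.stored):
            self.stored = response      # save the new value F^(n-1)(K)
            self.counter -= 1           # and decrease the counter
            return True
        return False

def enroll(key: bytes, n: int) -> SKeyServer:
    """Initial administration: apply F to K n times and store the result."""
    return SKeyServer(apply_n(key, n), n)

def run_logins(key: bytes, n: int, rounds: int) -> list:
    """Simulate successive logins; each returns True on success, False otherwise."""
    server = enroll(key, n)
    results = []
    for _ in range(rounds):
        c = server.challenge()
        results.append(False if c is None else server.verify(apply_n(key, c)))
    return results

def replay_is_rejected(key: bytes, n: int) -> bool:
    """A password captured on the wire is useless a second time."""
    server = enroll(key, n)
    otp = apply_n(key, server.challenge())
    return server.verify(otp) and not server.verify(otp)
```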
In Russia, a special state portal is used as a combined service: the "Unified Identification / Authentication System" ("ESIA").
Another approach to a reliable authentication system is to generate a new password at short intervals, which is implemented through specialized programs or various smart cards. In this case the authentication server must support the corresponding password generation algorithm and the parameters associated with it, and in addition the server and client clocks must be synchronized.
Kerberos
The Kerberos authentication server first appeared in the mid-90s of the last century, and since then it has received a huge number of fundamental changes. At the moment, individual components of this system are present in almost every modern operating system.
The main purpose of this service is to solve the following problem: there is an unprotected network, and various entities in the form of users, as well as server and client software systems, are located at its nodes. Each such subject has an individual secret key, and for subject C to prove its authenticity to subject S (without which S will simply not serve it), C needs not only to identify itself, but also to show that it knows a certain secret key. At the same time, C cannot simply send its secret key to S, since the network is open, and moreover S does not know that key and, in principle, should not know it. In such a situation a less straightforward technique is used to demonstrate knowledge of this information.
Electronic identification / authentication through the Kerberos system uses it as a trusted third party that holds the secret keys of the served entities and, when necessary, assists them in pairwise authentication.
Thus, the client first sends the system a request containing the necessary information about itself and about the requested service. In response, Kerberos provides it with a kind of ticket, encrypted with the server's secret key, together with a copy of part of the data from that ticket, encrypted with the client's key. If the two match, it is established that the client has decrypted the information intended for it, that is, it has demonstrated that it really knows the secret key. This means the client is exactly who it claims to be.
Special attention should be paid to the fact that the secret keys were not transmitted over the network; they were used exclusively for encryption.
Biometric Authentication
Biometrics comprises a set of automated means of identification / authentication of people based on their behavioral or physiological characteristics. Physical means of authentication and identification include checking the retina and cornea, fingerprints, face and hand geometry, and other individual information. Behavioral characteristics include typing style and signature dynamics. Combined methods include analysis of various features of a person's voice, as well as recognition of their speech.
Such identification / authentication and encryption systems are used in many countries around the world, but for a long time they were extremely expensive and difficult to use. Recently the demand for biometric products has increased significantly with the development of e-commerce, since from the user's point of view it is much more convenient to present oneself than to remember some information. Demand creates supply, so relatively inexpensive products, mainly focused on fingerprint recognition, have begun to appear on the market.
In the vast majority of cases biometrics are used in combination with other authenticators, such as smart cards. Often biometric authentication is only the first line of defense and serves as a means of activating a smart card that holds various cryptographic secrets. With this technology, the biometric template is stored on the same card.
Activity in the field of biometrics is quite high. A corresponding consortium already exists, and work is actively under way to standardize various aspects of the technology. Today one can see many advertising articles in which biometric technologies are presented as an ideal means of providing increased security while remaining accessible to the masses.
ESIA
The Unified Identification and Authentication System ("ESIA") is a special service created to carry out various tasks related to the authentication of applicants and participants in interagency cooperation when municipal or state services are provided in electronic form.
To gain access to the Unified Portal of Government Services, as well as to any other information systems of the current e-government infrastructure, you first need to register an account and, as a result, obtain a PEP.
Levels
The portal of the unified system of identification and authentication provides three main levels of accounts for individuals:
- Simplified. To register it, you only need to indicate your last name and first name, as well as a specific communication channel in the form of an email address or mobile phone number. This is the primary level, which gives a person access only to a limited list of public services and to the capabilities of existing information systems.
- Standard. To obtain it, you first need to create a simplified account and then provide additional data, including information from your passport and your personal insurance account number.