Authentication is the process of proving one’s identity. If possible, authentication should take place even before a process asserts its identity, so that eavesdroppers cannot learn whom they are listening to before the users have been properly authenticated. Authentication really refers to the process of users proving that they should be able to access a particular resource.
The primary forms of host-to-host authentication on the Internet today are name-based or address-based. Both approaches are notoriously weak: IP address spoofing can circumvent address-based authentication, and attacks on the Domain Name System (DNS) can circumvent name-based methods. In fact, most security experts agree that authentication should be applied at the lowest possible protocol level—if someone can’t touch a terminal, they will not be able to gain unauthorized access to computer accounts or launch an attack on another site—and at the application protocol level since, in today’s highly linked world, no one can depend on another network’s authentication scheme.
A common authentication scheme used on the Internet today is Kerberos, which uses multiple handshakes and authentication levels to grant a user access to a resource. Kerberos is used primarily for client/server authentication and is based on secret key cryptography and a trusted third party (the Kerberos server). Challenge/response handshake schemes employing secret key and public key cryptography schemes are also gaining popularity. In either case, access to public keys requires trust between users.
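As an added example (not code from the original page), a minimal secret-key challenge/response handshake of the kind mentioned above, showing both the verifier and the client side and why a fresh, single-use challenge matters; the shared key, the user name and all function names are assumptions.

```python
import hmac
import hashlib
import secrets

# Shared secret established out of band (constructed sample value).
SHARED_KEY = b"example-shared-secret-do-not-reuse"


class Server:
    """Verifier side of a secret-key challenge/response handshake."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = {}  # user -> challenge issued but not yet answered

    def issue_challenge(self, user: str) -> bytes:
        # Fresh random nonce per attempt. A reused nonce would let a previously
        # captured response succeed again, so every challenge is single-use.
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(user, None)  # consume the challenge
        if nonce is None:
            return False  # no live challenge for this user: reject
        expected = hmac.new(self.key, user.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_respond(key: bytes, user: str, nonce: bytes) -> bytes:
    # The client proves knowledge of the key; the key itself never crosses the wire.
    return hmac.new(key, user.encode() + nonce, hashlib.sha256).digest()


def run_handshake(server: Server, user: str, key: bytes) -> tuple[bool, bytes]:
    """Full exchange: challenge -> response -> verdict. Returns (accepted, response)."""
    nonce = server.issue_challenge(user)
    response = client_respond(key, user, nonce)
    return server.verify(user, response), response


def replayed_response_accepted(server: Server, user: str, old_response: bytes) -> bool:
    """Check: does a response captured from an earlier exchange pass a new challenge?"""
    server.issue_challenge(user)
    return server.verify(user, old_response)
```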
In general, authentication involves presenting something unique to you to the entity with which you are attempting to communicate. This something can be one of three types of thing:
- Something you have: Historically, messengers would be given the ring or seal of the noble for whom they carried a message, authenticating that the message originated from that noble. Today, a valid ID serves a similar function. A credit card, for example, is a thing that you have that authenticates you to the store or other sales outlet. A driver's license with a picture gets you a beer at the local pub. In networking, a SecurID token gives you a rotating password that you can use to access a server or network. This type of authentication can be fooled by either stealing the thing you have or finding a way to duplicate it.
- Something you know: Information can itself serve as a form of authentication. The password is the most familiar form of this type of authentication factor. Historically, messengers would be given a code known only to the sender and receiver. If the receiver recognized the password, they would accept the message as genuine. Personal identification numbers (PINs) are used to access your bank account. When you call a bank, they may ask you for your mother's maiden name, the city in which you were born, or any number of other pieces of information that only you would be likely to know. This type of authentication can be fooled if there is an easy way for someone else to guess or discover what you know, or to fool you into telling them what you know. The former can be done if the password was poorly chosen (e.g., the name of my eldest child). The latter can be done via a variety of social engineering techniques.
- Something you are: This type of authentication factor is similar to something you have, but the something is physically a part of you. This makes it significantly more difficult to steal or replicate. Examples of this include the pattern of lines at the tips of your fingers (i.e., fingerprints), the pattern of colors on the iris in your eye, the pattern of blood vessels on the retina of your eye, the sound of your voice, or even your genetic code. None of these is 100% impossible to defeat, but they are significantly more difficult and the person attempting to do so has to be very dedicated to the task of defeating them.
Podcast: Authentication (http://podcast.hill-vt.com/podsnacks/2007q3/authentication.mp3)