
• Week: Fifth

• Topic: Identification and Authentication

• Sub Topics: Outline the requirements and mechanisms for identification and authentication.
• Activities: Browse literature, security articles, collect technical papers, tutorials, discussions and assessments
The fundamental accountability requirement of the TCSEC (as quoted in NCSC-TG-017, listed in the references) states:
• "Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked.
• Furthermore, to assure accountability the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time, and without undue difficulty."
The fundamental identification requirement states:
• "Individual subjects must be identified. Each access to information must be mediated based on who is accessing the information and what classes of information they are authorized to deal with. This identification and authorization information must be securely maintained by the computer system and be associated with every active element that performs some security-relevant action in the system."
OVERVIEW OF PRINCIPLES
• Identification and authentication requirements are found together throughout all evaluation classes. They are directly related in that "identification" is a statement of who the user is (globally known) whereas "authentication" is proof of identification. Authentication is the process by which a claimed identity is verified.
• The I&A procedures of a system are critical to the correct operation of all other trusted computing base (TCB) security features.
Introduction

• The terms identification and authentication are frequently used interchangeably but in fact mean different things.
• Put very simply, identification involves a claim or statement of identity: “I am John Doe,” “I am the customer associated with this account,” etc. Authentication is a verification of that claim.
• Many businesses need to identify their customers. While some transactions (retail sales, for example) can be concluded in complete anonymity, many other transactions require that the business knows with whom it is dealing.
• Identifying a customer allows a business to ensure that the customer’s transactions are associated with the correct account, and that records of a customer’s transactions are retrievable. The identity that is attached to the customer need not be a “real world” identity such as a name (e.g., John Doe). It could just as easily be an identity created for the purposes of the business relationship.
• When someone presents themselves to the business and claims to be a customer with whom the business has a relationship, the business typically needs to authenticate that claim.
• This is especially critical if the person wants to conduct a transaction on the customer’s account, or obtain records relating to the account.
Designing identification and authentication systems involves:
• Security requirements need to be balanced with convenience and operational requirements. Organizations authenticating individuals want to be able to do so quickly and effectively. Identification and authentication processes must be stringent enough that an impostor is unlikely to be successful, without being overly complex or likely to be perceived as overly intrusive by the customer.
http://www.altisinc.com/resources/Biometric/techniques.php
• Customers need assurance that authentication processes are sufficiently effective and stringent that an impostor cannot easily defeat them to invade their privacy, or steal their identity or money. At the same time, an authentication process that falsely rejects legitimate customers can also create problems both for individuals and organizations, particularly those in competitive markets.
• An organization needs enough information about individual customers to identify them and authenticate their identity, but needs to ensure that it does not collect, use, or retain unnecessary personal information that intrudes on personal privacy.
One-, Two- and Three-Factor Authentication
• Authentication is often discussed in terms of the three factors of authentication (that is, three different kinds of things that can be used to authenticate an individual):
• Something that is known to the individual (for example, a password, a personal identification number or PIN, an account number, favorite color, name of first pet);
• Something that the individual has (for example, a bankcard, token, identity card, public-key digital certificate); and
• Something that the individual is (for example, a biometric, such as a facial image, retina scan or voice print) or does (for example, a signature).
• In some cases, any one of these factors can be used alone to authenticate an individual; in others, combinations are used. For example:
• Access to e-mail using a password: This represents a single-factor authentication process that relies on something the individual knows.
• Access to a physically secure area using an identity card with an embedded chip (a smartcard) and a hand-scan biometric: This represents a two-factor authentication process: it relies on something the individual has (the smartcard) and something the individual is (the biometric).
• Access to a secure area using a valid magnetic stripe card, a four-digit PIN code and a hand-scan biometric: This represents a three-factor authentication process: it relies on something that the individual knows (the PIN), something that the individual has (the card), and something that the individual is (the biometric). All three factors must be satisfied in order for the individual to gain entry.
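The claim-versus-verification distinction from the Overview and Introduction, and the two-factor combination from the list above, as an added worked example that is not part of the original slides and not taken from any of the referenced sources. It is Python using only the standard library: the username is the identification claim; the password (something the individual knows) is verified against a salted PBKDF2 hash, and a time-based one-time code (something the individual has, from an authenticator device seeded with a shared secret) is verified as specified in RFC 6238 (TOTP, built on RFC 4226 HOTP). Every decision also produces an audit record tied to the claimed identity, which is the accountability property the TCSEC quote asks for. The user store, the iteration count, the dummy record used for unknown usernames, the RFC test-vector seed, and all names (`authenticate`, `demo_users`, and so on) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a production system should use a considerably higher count (assumption).
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30


def make_password_record(password, salt=None):
    """Store a salted, stretched hash of the 'something you know' factor,
    never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison so a mismatch does not leak where the hashes diverge.
    return hmac.compare_digest(candidate, record["hash"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // TOTP_STEP_SECONDS, digits)


def verify_totp(secret, code, at_time, window=1):
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    counter = int(at_time) // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


# Dummy credentials used when the claimed identity does not exist, so the check
# costs the same and an attacker cannot enumerate usernames by response time.
_DUMMY_PASSWORD = make_password_record("unused", salt=b"\x00" * 16)
_DUMMY_SECRET = b"\x00" * 20


def authenticate(users, username, password, otp_code, now):
    """Identification is the username claim; authentication is verification of
    that claim with two factors. Returns (granted, audit_record)."""
    record = users.get(username)
    known = record is not None
    pw_record = record["password"] if known else _DUMMY_PASSWORD
    otp_secret = record["totp_secret"] if known else _DUMMY_SECRET
    # Evaluate both factors unconditionally; do not short-circuit on the first failure.
    password_ok = verify_password(pw_record, password)
    otp_ok = verify_totp(otp_secret, otp_code, now)
    granted = known and password_ok and otp_ok
    # Accountability: every decision is recorded against the claimed identity.
    audit_record = {
        "time": int(now),
        "claimed_identity": username,
        "known_identity": known,
        "password_ok": known and password_ok,
        "otp_ok": known and otp_ok,
        "result": "ACCEPT" if granted else "REJECT",
    }
    return granted, audit_record


def demo_users():
    """Constructed user store. The TOTP seed is the RFC 4226/6238 test-vector
    secret; a real store must protect this seed as carefully as the password hash."""
    return {"alice": {"password": make_password_record("correct horse battery staple"),
                      "totp_secret": b"12345678901234567890"}}


if __name__ == "__main__":
    users = demo_users()
    seed = users["alice"]["totp_secret"]
    t = 1111111109  # fixed clock so the run is reproducible
    print(authenticate(users, "alice", "correct horse battery staple", totp(seed, t), t))
    print(authenticate(users, "alice", "wrong password", totp(seed, t), t))
    print(authenticate(users, "mallory", "anything", "000000", t))
```

Run as a script, the first call is accepted, the second is rejected on the knowledge factor with the possession factor still marked good, and the third is rejected because the claimed identity is unknown while still doing the full amount of work. Two things a production verifier adds that this example leaves out: remembering the last accepted counter so a one-time code cannot be replayed within the drift window, and rate limiting the endpoint so the six-digit code space cannot be searched.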
Risk and Threats
• Identification and authentication are fundamentally about the management of risk:
◦ The risk to the organization of, through bad authentication practice, either denying access to a legitimate customer or giving access to an impostor;
◦ The risk to individuals that their personal information is lost or inappropriately disclosed, and that their identity, finances, and privacy are compromised.
References
• http://www.fas.org/irp/nsa/rainbow/tg017.htm
• http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00240.html
• http://www.altisinc.com/resources/Biometric/techniques.php
• http://www.priv.gc.ca/information/guide/auth_061013_e.cfm
• http://support.novell.com/techcenter/articles/ana19941002.html
• http://csrc.nist.gov/publications/nistpubs/800-11/node26.html
• http://csrc.nist.gov/publications/nistpubs/800-11/node1.html
• http://csrc.nist.gov/
• Week: Sixth
• Topic: Password Authentication
• Sub Topics: Explain issues about password authentication, including dictionary attacks, password management policies, and one-time password mechanisms.
• Activities: Browse literature, security articles, collect technical papers, tutorials, discussions and assessments
