Sub Topics: Outline the requirements and mechanisms for identification and authentication.
Activities: Browse literature, security articles, collect technical papers, tutorials, discussions and assessments.

"Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked. Furthermore, to assure accountability the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time, and without undue difficulty."

The fundamental identification requirement states: "Individual subjects must be identified. Each access to information must be mediated based on who is accessing the information and what classes of information they are authorized to deal with. This identification and authorization information must be securely maintained by the computer system and be associated with every active element that performs some security-relevant action in the system."

OVERVIEW OF PRINCIPLES

Identification and authentication requirements are found together throughout all evaluation classes. They are directly related in that "identification" is a statement of who the user is (globally known), whereas "authentication" is proof of that identification. Authentication is the process by which a claimed identity is verified. The I&A procedures of a system are critical to the correct operation of all other trusted computing base (TCB) security features.

Introduction
The terms identification and authentication are frequently used interchangeably but in fact mean different things. Put very simply, identification involves a claim or statement of identity: “I am John Doe,” “I am the customer associated with this account,” etc. Authentication is a verification of that claim.

Many businesses need to identify their customers. While some transactions (retail sales, for example) can be concluded in complete anonymity, many other transactions require that the business knows with whom it is dealing. Identifying a customer allows a business to ensure that the customer’s transactions are associated with the correct account, and that records of a customer’s transactions are retrievable. The identity that is attached to the customer need not be a “real world” identity such as a name (e.g., John Doe). It could just as easily be an identity created for the purposes of the business relationship.

When someone presents themselves to the business and claims to be a customer with whom the business has a relationship, the business typically needs to authenticate that claim. This is especially critical if the person wants to conduct a transaction on the customer’s account, or obtain records relating to the account.

Designing identification and authentication systems involves balancing security requirements against convenience and operational requirements. Organizations authenticating individuals want to be able to do so quickly and effectively. Identification and authentication processes must be stringent enough that an impostor is unlikely to be successful, without being overly complex or likely to be perceived as overly intrusive by the customer. (Source: http://www.altisinc.com/resources/Biometric/techniques.php)

Customers need assurance that authentication processes are sufficiently effective and stringent that an impostor cannot easily defeat them to invade their privacy, or steal their identity or money.
At the same time, an authentication process that falsely rejects legitimate customers can also create problems, both for individuals and for organizations, particularly those in competitive markets. An organization needs enough information about individual customers to identify them and authenticate their identity, but needs to ensure that it does not collect, use, or retain unnecessary personal information that intrudes on personal privacy.

One-, Two- and Three-Factor Authentication

Authentication is often discussed in terms of the three factors of authentication (that is, three different kinds of things that can be used to authenticate an individual):
• Something that is known to the individual (for example, a password, a personal identification number or PIN, an account number, favorite color, name of first pet);
• Something that the individual has (for example, a bankcard, token, identity card, public-key digital certificate); and
• Something that the individual is (for example, a biometric, such as a facial image, retina scan or voice print) or does—a signature.

In some cases, any one of these factors can be used alone to authenticate an individual; in others, combinations are used. For example:
• Access to e-mail using a password: This represents a single-factor authentication process that relies on something the individual knows.
• Access to a physically secure area using an identity card with an embedded chip (a smartcard) and a hand-scan biometric: This represents a two-factor authentication process: it relies on something the individual has (the smartcard) and something the individual is (the biometric).
• Access to a secure area using a valid magnetic strip card, a four-digit PIN code and a hand-scan biometric: This represents a three-factor authentication process: it relies on something that the individual knows (the PIN), something that the individual has (the card), and something that the individual is (the biometric). All three factors must be satisfied in order for the individual to gain entry.

Risk and Threats

Identification and authentication are fundamentally about the management of risk:
◦ The risk to the organization of, through bad authentication practice, either denying access to a legitimate customer or giving access to an impostor;
◦ The risk to individuals that their personal information is lost or inappropriately disclosed, and that their identity, finances, and privacy are compromised.

References
http://www.fas.org/irp/nsa/rainbow/tg017.htm
http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00240.html
http://www.altisinc.com/resources/Biometric/techniques.php
http://www.priv.gc.ca/information/guide/auth_061013_e.cfm
http://support.novell.com/techcenter/articles/ana19941002.html
http://csrc.nist.gov/publications/nistpubs/800-11/node26.html
http://csrc.nist.gov/publications/nistpubs/800-11/node1.html
http://csrc.nist.gov/

Week: Sixth
Topic: Password Authentication
Sub Topics: Explain issues about password authentication, including dictionary attacks, password management policies, and one-time password mechanisms.
Activities: Browse literature, security articles, collect technical papers, tutorials, discussions and assessments.
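As an added example that is not part of these notes or of the sources they cite, the following Python sketch separates the identity claim from its verification, combines a knowledge factor (salted password hash) with a possession factor (a token-generated one-time code), bridging the factor discussion above and next week's one-time password topic, and keeps the accountability record the quoted TCSEC requirement calls for. The account name, password, salt and token seed are constructed; the one-time code follows the RFC 4226 HOTP truncation.

```python
"""Added example, not part of the course notes or the cited sources. Identification is the
*claim* (claimed_id); authentication verifies that claim with two factors (a salted password
hash and a token-generated one-time code), and every decision is written to an accountability
record, as the quoted TCSEC requirement demands. All names, passwords, salts and token seeds
below are constructed sample values."""
import hashlib
import hmac
import struct
import time

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Knowledge factor: slow salted hash, so a stolen verifier is not a stolen password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = bytes.fromhex("a1b2c3d4e5f60718")          # constructed; real systems use one per account
# Enrolled I&A information the system must "securely maintain" (constructed).
ACCOUNTS = {
    "jdoe": {"salt": SALT, "pw_hash": _pw_hash("correct horse", SALT),
             "token_key": b"constructed-token-seed"},   # seed shared with the user's token
}
# Verifier used for unknown identities so response time does not reveal which names exist.
DUMMY = {"salt": b"\x00" * 8, "pw_hash": b"\x00" * 32, "token_key": b"\x00" * 8}
AUDIT_LOG = []   # accountability information: who claimed what, when, and the outcome

def token_code(key: bytes, counter: int) -> str:
    """Possession factor: HOTP-style 6-digit code (RFC 4226 dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**6:06d}"

def authenticate(claimed_id: str, password: str, code: str, counter: int) -> bool:
    """Verify the identity claim; both factors must pass (two-factor authentication)."""
    record = ACCOUNTS.get(claimed_id)
    verifier = record or DUMMY
    known = record is not None        # the DUMMY verifier must never grant access
    # compare_digest keeps both comparisons constant-time regardless of where they differ.
    pw_ok = hmac.compare_digest(_pw_hash(password, verifier["salt"]), verifier["pw_hash"]) and known
    token_ok = hmac.compare_digest(token_code(verifier["token_key"], counter), code) and known
    granted = pw_ok and token_ok
    # Record the decision so an authorized agent can later evaluate accountability information.
    AUDIT_LOG.append({"subject": claimed_id, "time": int(time.time()),
                      "password_ok": pw_ok, "token_ok": token_ok, "granted": granted})
    return granted

if __name__ == "__main__":
    otp = token_code(ACCOUNTS["jdoe"]["token_key"], 1)      # what the user's token would display
    print(authenticate("jdoe", "correct horse", otp, 1))     # True: claim verified by both factors
    print(authenticate("jdoe", "wrong password", otp, 1))    # False: knowledge factor failed
    print(AUDIT_LOG[-1])
```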