CBT IT Certification Training

Unlimited IT Certification Courses via Streaming Video

User Authentication

Explain methods of user authentication. This chapter describes user authentication techniques, including PKI, Kerberos, AAA, 802.1X, two-factor authentication, and single sign-on. We teach authentication in more detail in our security courses including the SSCP course.

Back to book index.

Contents hide
User Authentication – General Concepts
PKI
Kerberos
AAA
802.1X and EAP
PAP and CHAP
Multi-Factor Authentication
Single Sign-On
Summary

User Authentication – General Concepts

User authentication is a fundamental component of security policies across the network. From a user’s perspective, this can be accomplished in multiple ways:

  • Username and password
  • Token generators
  • Fingerprint readers
  • A combination of multiple factors

Even though this process may seem simple from a user’s perspective, it becomes complicated behind the scenes as one or multiple authentication protocols have to be used to achieve this purpose. In addition, you need to ensure that authentication to a remote device is performed in a secure manner that will not provide anyone with the ability to discover the user’s credentials.

One common way to secure authentication communication is using a hash. This is a complex cryptographic function that achieves one-way translation of credentials (password) to something called a message digest. The digest is a summary of the input information and it can be obtained using a series of algorithms:

  • MD5 (Message Digest algorithm 5)
  • SHA (Secure Hash Algorithm)

If a password is put into the MD5 or SHA cryptographic function, the string (digest) will look like this:  ag8hh884904atg490049dg99491. As mentioned, this is a one-way function, so you cannot obtain the original password if you have the hash string. This is very useful when dealing with passwords because they don’t need to be sent in plain text to the other side; you can simply hash it and send the output. The other side (server) already has the user credentials in its database, so it can create a hash of the locally stored password and compare it to the received hash. If the hashes match, the user is authenticated. This process is depicted in Figure 29.1 below:

Authentication Using Hash Algorithms

Figure 29.1 – Authentication Using Hash Algorithms

PKI

The Public Key Infrastructure (PKI) is a complex authentication technique that functions by using digital certificates. These certificates provide a certain level of trust to the communication as they authenticate the sender. PKI uses the concept of Certificate Authority (CA) for the central entity that issues certificates to users. The CA confirms the identity of every user and every user in an organization trusts the CA.

Some situations might not require a central certification authority and one alternative to this approach is using a “web of trust.” With this approach, users sign certificates for people they know and those people sign certificates for other people they know. In this way a web of trust is built and users may accept messages from other users just because they have a common trusted friend.

Most of the modern operating systems have an integrated component that helps manage certificates and keys but you can also use third-party solutions.

PKIs are built to manage certificates, including the issuing, assigning, and verification process. A PKI generally works using one of two encryption types:

  • Symmetric encryption
  • Asymmetric encryption

Symmetric encryption involves using the same key for both data encryption and decryption. However, most of the time a PKI uses an asymmetric encryption type, which works by providing users with a public key they use to encrypt data sent out on the network. The encrypted data will be decrypted with a different key.

The public and the private keys are created at the same time in order for them to be cryptographically related to each other. When building the keys, you can use a certain level of randomization to ensure increased security. Once the key pair is available, you can provide the public key to all users so they can encrypt data that can be decrypted only by using the associated private key, which is known only by the key pair generator entity.

To increase the level of protection, a certificate is usually valid for a limited period of time. The CA can then revoke it and issue the user a fresh certificate.

Building a PKI involves a lot of planning and it should be done considering the many factors and teams in the organization. A large network may involve using a central CA and a series of subordinate CAs assigned to different regions to properly manage user and machine certificates.

Kerberos

Kerberos is a network authentication protocol that allows a user to enter his credentials once and receive access to all necessary network resources, without the need to re-authenticate for each one of them. Kerberos offers advanced cryptographic functions using a mutual authentication between the client and the server to protect against man-in-the-middle attacks.

Kerberos, which was developed by MIT (Massachusetts Institute of Technology), has been in use since the 1980s and is covered in RFC 4120. Microsoft has been using Kerberos as its authentication method since Windows 2000, so it is often associated with Windows environments but it is also compatible with other operating systems and devices.

Kerberos has three main components:

  • KDC (Key Distribution Center): The KDC checks the valid login credentials and vouches for the user’s identity. It operates on TCP and UDP port 88.
  • Authentication Service: This is the component that actually performs the authentication on the network.
  • Ticket Granting Service: Kerberos works with internal tickets and this service is the component that manages tickets and provides user access on the different network components.

Next, we will analyze an example in which a user wants to access an application server. Once the user decides to log into the network, he will need to talk with the Authentication Service by sending a login request. During this process, the date and time on the local computer is encrypted using the key that is in the password hash. Since the password hash is not actually sent over the network, it is used as a key to encrypt the date and time instead. For this reason, everyone in the network should use NTP to synchronize their clocks.

The Authentication Service receives the information sent by the user and tries to decrypt the information with the hash of the credentials it has. After it is successfully decrypted, it sends a Ticket Granting Ticket (TGT) back to the user, which includes:

  • Client name
  • IP address
  • Timestamp
  • TGT validity period (default 10 hours)

The TGT is encrypted with the KDC secret key so it cannot be decrypted by anyone else. The client will also receive a Ticket Granting Service (TGS) session key, used for communication between the client and the TGS. The TGS is then encrypted with the user’s password hash so he will be able to decrypt it.

Once the client has a ticket that allows access to resources, he will send the ticket and the name of the application server he wants to access to the TGT to request access to that specific server. This particular request is time stamped with the client’s ID and encrypted with the TGS session key (to avoid request spoofing). The TGS will send a response back to the client with the following information:

  • A session key to use with the application server (this is also encrypted with the TGS session key)
  • A service ticket containing user information and service session key (encrypted with the application server’s secret key)

When the client receives information, he cannot decrypt it so he needs to pass the encrypted service ticket to the application server. The client will also send a time-stamped authentication, encrypted with the service session key. Once the application server receives this information, it begins to decrypt the data to confirm its integrity. The server might send a final message check back to the user to be sure that there is no man-in-the-middle. This is an optional step that is most often deployed in high security environments. Finally, the client receives access to the application server’s resources.

Although the Kerberos authentication process appears complex, it all happens transparently to the user and ensures increased security in accessing network resources.

AAA

Logging in to network resources may not be a consistent process, as different devices use different authentication techniques. Access control in enterprise organizations typically relies on Authentication, Authorization, and Accounting (AAA) services. AAA offers the following services:

  • Verifies user identity and credentials (authentication)
  • Provides access to network resources (authorization)
  • Logs user access (accounting)

The general concept behind AAA is centralizing all these actions under a single system and making it easier for the user to authenticate via a single username and password. AAA solutions can use an intermediate authenticator device (e.g., router, switch, or firewall) that can leverage some back-end services, like various RADIUS or TACACS+ servers.

RADIUS and TACACS+ are often called authentication servers/services and the way they function is as follows:

  • The user sends an authentication request to an authenticator device (router, switch, etc.)
  • The authenticator device passes the request to a RADIUS or TACACS+ server
  • The RADIUS/TACACS+ server responds to the authenticator device
  • The authentication device allows or blocks user access based on the response it received from the authentication server

RADIUS stands for Remote Authentication Dial-In User Service and was first defined in RFC 2058, but the current RFC is 2865. RADIUS uses UDP port 1812 and works by receiving user credentials and verifying them against a central database.

TACACS stands for Terminal Access Controller Access Control System and is a remote authentication protocol defined in RFC 1492.  It has been updated through the years to the following protocols:

  • XTACACS (Extended TACACS): A Cisco proprietary version that provides additional support for accounting and auditing
  • TACACS+: the latest Cisco proprietary version that includes more authentication requests and response codes but is not backward compatible with previous versions (this is the version used in current network environments)

Some of the most important differences between RADIUS and TACACS+ include the following:

  • RADIUS functions over UDP, while TACACS+ uses TCP
  • RADIUS encrypts only the password during transmission, while TACACS+ encrypts the entire session
  • RADIUS combines authentication and authorization, while TACACS+ separates authentication, authorization, and accounting
  • RADIUS is an open standard, while TACACS+ is Cisco proprietary

802.1X and EAP

Another common security issue that you have to deal with in wireless environments is managing unauthorized access. In wireless networks there are no physical boundaries, so attackers can gain access from outside the physical security perimeter. They can introduce rogue APs or soft APs on laptops or handheld devices that can breach security policies. Because wireless signals are not easily controlled or contained, this could create security issues for the network.

MAC address security can be used to allow only certain devices to associate with the access points, but this cannot prevent MAC address spoofing techniques. An effective solution would involve MAC address filtering but this is not very scalable when dealing with a large number of wireless clients. The most efficient solution to this problem is using 802.1X port-based authentication. This is an authentication standard for both wired and wireless LANs that allows individual users and devices to authenticate using the Extensible Authentication Protocol (EAP) and an authentication server (RADIUS or TACACS+).

802.1X Functionality

Figure 29.2 – 802.1X Functionality

Referencing Figure 29.2 above, 802.1X works by authenticating the user before receiving access to the network and this involves three components:

  • Supplicant (client)
  • Authenticator (access point or switch)
  • Authentication server (RADIUS or TACACS+)

The client workstation can run client software known as a supplicant, which can be a Windows client or a third-party client software supplicant. The client software requests access to different services and it uses EAP to communicate with the access point (or LAN switch), which is the authenticator. The authenticator will then verify the client information against an authentication server (e.g., RADIUS).

EAP has five different security types:

  • EAP-TLS
  • PEAP
  • EAP-TTLS
  • LEAP
  • EAP-FAST

EAP-Transport Layer Security (EAP-TLS) is a commonly used EAP method in wireless environments that requires a certificate to be installed on both the supplicant and the authentication server. The key pairs must first be generated and then signed by a local or remote CA server. The key communication process used by EAP-TLS is similar to SSL encryption, in that the user’s certificate is sent through an encrypted tunnel. EAP-TLS is one of the most secure authentication methods but it is also very expensive and difficult to implement.

Protected Extensible Authentication Protocol (PEAP) requires only a server-side certificate that will be used to create the encrypted tunnel. The authentication process takes place inside that tunnel. PEAP was jointly developed by Cisco, Microsoft, and RSA so it is heavily used in Microsoft Windows environments. PEAP uses the Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) or Generic Token Card (GTC) to authenticate the user inside the encrypted tunnel.

EAP-Tunneled Transport Layer Security (EAP-TTLS) is a lot like PEAP, as it uses a TLS tunnel to protect the less secure authentication mechanisms. This might include protocols like PAP (Password Authentication Protocol), CHAP, MS-CHAPv2, or EAP MD5. EAP-TTLS is not widely used in enterprise networks but it can be found mainly in legacy environments that contain older authentication systems (e.g., Windows NT).

Lightweight EAP (LEAP) was created by Cisco as a proprietary solution for their equipment and systems. It is still supported by a variety of operating systems, like Windows and Linux, but it is no longer considered secure because a series of vulnerabilities that affect it was identified.

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) is also a Cisco-developed EAP type that was aimed to address the weaknesses in its LEAP protocol. When using EAP-FAST, server certificates are optional so it offers a lower cost implementation than a full-blown PEAP or EAP-TTLS. EAP-FAST uses a Protected Access Credential (PAC) technique to establish the TLS tunnel for the protection of the credential tunnel. PAC is basically a strong shared secret key that is unique for every client.

Note:     The most commonly used EAP solutions are PEAP and EAP-FAST for small business networks and EAP-TLS for large enterprise solutions.

PAP and CHAP

PAP and CHAP are authentication protocols used mostly on point-to-point links. PAP stands for Password Authentication Protocol and is a legacy protocol that functions in clear text. Although it may be preferred sometimes because of its simplicity, it is not a reliable protocol from a security perspective because it sends passwords in clear text.

PAP works basically the same way as the normal login procedure. The client authenticates by sending a username and a password to the server, which the server compares to its secrets database. This technique is vulnerable to eavesdroppers, who may try to obtain the password by listening in on the serial line, as well as to repeated trial-and-error attacks.

CHAP stands for Challenge Handshake Authentication Protocol and is an evolution of PAP; it is a secure authentication protocol that uses encryption. There is also a version of CHAP modified by Microsoft and used in their specific environments called MS-CHAP. CHAP functions using a three-way handshake:

  • The server sends a challenge message
  • The client responds with a password hash for authentication purposes
  • The server compares the hash received with the stored hash and grants access if they match
Note:     CHAP uses password hashes instead of actual passwords to increase security.

Even if the client is successfully authenticated, the CHAP protocol may repeat the authentication process periodically during the connection without the user knowing this is happening. With this procedure, the server ensures that the client hasn’t been replaced by an intruder.

Multi-Factor Authentication

Multi-factor authentication is a technique that uses more than one authentication method to increase security. The most commonly used factors are:

  • Something you know: username and password
  • Something you have: token, smart card, etc.
  • Something you are: biometrics (fingerprint or retinal scanners)

These solutions are usually used in high-security environments and can be expensive, as it may involve providing hardware tokens to every user and installing biometric equipment in the organization. If the requirements are not very high, you can also use software tokens that can be installed on mobile devices (e.g., smartphones).

Many enterprise ID cards also have smart card functionality that can integrate with authentication devices. Validating the smart card ID and entering a password at the same time could be a secure way of accessing network resources.

Other types of tokens include:

  • USB token: stores a certificate and must be inserted into a USB port to be validated
  • Hardware pseudo-random authentication code generators
  • Mobile phones that can receive a unique code via SMS from the authentication server

Security Token

Figure 29.3 – Security Token

Single Sign-On

As the network gets larger, you may find that users must authenticate multiple times to gain access to multiple resources. Single sign-on allows users to overcome this issue and permits them to access the entire resources they need using a single set of credentials to authenticate a single time.

Single sign-on can be accomplished using multiple methods:

  • Kerberos (integrated in Microsoft platforms): Windows domain login provides access to all resources
  • Third-party solutions

Single sign-on is particularly useful when working with cloud applications that are located on the Internet because it is very easy for the user to login once and then access all the applications in the cloud. This solution is also referred to as software as a service (SaaS). A straightforward example of single sign-on in the cloud is Google. When signing into a Google account, the user can access mail service, a calendar, Google documents, and every other service on the Google platform.

Summary

User authentication is a fundamental component of security policies across the network. From a user’s perspective, this can be accomplished in multiple ways:

  • Username and password
  • Token generators
  • Fingerprint readers
  • A combination of multiple factors

The PKI (Public Key Infrastructure) is a complex authentication technique that functions using digital certificates. These certificates provide a certain level of trust to the communication, as they authenticate the sender. The PKI uses the concept of Certificate Authority (CA) for the central entity that issues certificates to users. The CA confirms the identity of every user and every user in an organization trusts the CA.

Kerberos is a network authentication protocol that allows a user to enter his credentials once and receive access to all necessary network resources, without the need to re-authenticate for each one of them. Kerberos offers advanced cryptographic functions using a mutual authentication between the client and the server to protect against man-in-the-middle attacks.

802.1X works by authenticating the user before receiving access to the network and this involves three components:

  • Supplicant (client)
  • Authenticator (access point or switch)
  • Authentication server (RADIUS or TACACS+)

Multi-factor authentication is a technique that uses more than one authentication method to increase security. The most commonly used factors are:

  • Something you know: username and password
  • Something you have: token, smart card, etc.
  • Something you are: biometrics (fingerprint or retinal scanners)

Configure user authentication for real using our 101 Labs – CompTIA Security+ lab book.

06 RealityPress CompTIA Security c303

Read the Cisco user authentication notes.

content-filler