Principles of Identity

Topics
  • Authentication Concepts

  • Training Password Users

  • Implementing Password Policies

  • Authentication Technologies

Key Knowledge Points

  • Password Complexity and Policy

  • Tokens, HOTP, and TOTP Control

  • Biometric and Geolocation Methods

  • Kerberos

  • SSO, SAML, OAuth, and OpenID Connect

Authentication Concepts in Electronic Commerce (EC)

AAA Model
  • Authentication, Authorization, and Accounting (AAA): A framework that works with Identification to provide comprehensive access management.

    • Identification: A person or system claims an identity.

    • Authentication: Validation of that identity claim.

    • Authorization: Determines access to resources post-authentication.

    • Accounting: Monitors and logs actions of entities.

Authentication Factors
  • Authentication factors fall into five categories (listed below). Authentication strength is described by how many distinct categories a login combines:

    • Single-factor: one category, typically a password alone.

    • Two-factor (2FA): two different categories, e.g. a password plus a hardware token.

    • Multi-factor (MFA): two or more categories; the strongest option, provided the factors are independent. A second factor from the same category (two passwords) does not count.

    • Categories:

    • Something You Know: Password or PIN.

    • Something You Have: Token, smart card, or a phone running an authenticator app.

    • Something You Are: Biometric identifiers (e.g., fingerprints, face).

    • Somewhere You Are: Geolocation or IP address.

    • Something You Do: Behavioral patterns such as typing rhythm or mouse movement.

Password Complexity and Policy

Password Strength
  • Strong Password: Must be lengthy, avoid dictionary words or names, and combine four types of characters (uppercase, lowercase, numbers, symbols).

  • Typically, a strong password is at least 14 characters long.

  • Complexity alone does not make a password strong; length matters more, because every added character multiplies the search space by the size of the character set.

  • Password Permutations Example (lowercase letters only, 26 symbols):

    • 6 characters: 26^6 = 308,915,776 (about 309 million) permutations.

    • 10 characters: 26^10 = 141,167,095,653,376 (about 141 trillion) permutations.

Password Cracking Estimates
  • A 10-character lowercase-only password (141 trillion candidates): against a fast, unsalted hash, a GPU cracking rig tries tens of billions of guesses per second, so the entire space falls in a matter of hours. A deliberately slow password hash (bcrypt, scrypt, Argon2) raises the cost by several orders of magnitude, and online guessing against a rate-limited login is slower still.

  • If using all four character types (94 printable ASCII symbols):

    • 6 characters: 94^6 = 689,869,781,056 (about 690 billion) permutations.

    • 10 characters: 94^10 ≈ 5.39 × 10^19 (about 54 quintillion) permutations.
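The keyspace figures above, carried through to exhaustive-search time at several guess rates. This is an added example, not code from the original notes; the guess rates are labelled assumptions chosen to show the order of magnitude for a fast unsalted hash, a slow password hash, and rate-limited online guessing, not measurements of particular hardware.

```python
"""Keyspace and exhaustive-search time for the password examples above.

Added example, not from the original notes. The guess rates are assumptions
chosen to show orders of magnitude, not measurements of specific hardware.
"""

# Character-set sizes used by the notes' permutation examples.
LOWERCASE = 26
ALL_FOUR_CLASSES = 26 + 26 + 10 + 32   # upper, lower, digits, printable symbols = 94

# Assumed guess rates (guesses per second). Offline cracking of a fast,
# unsalted hash on a GPU rig runs in the tens of billions per second; a
# deliberately slow password hash (bcrypt, scrypt, Argon2) brings this down
# by several orders of magnitude; online guessing against a login endpoint
# with lockout or rate limiting is slower still.
ASSUMED_RATES = {
    "fast hash, GPU (assumed 1e10/s)": 1e10,
    "slow hash, e.g. bcrypt/Argon2 (assumed 1e4/s)": 1e4,
    "online guessing, rate-limited (assumed 10/s)": 10,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    """Coarse human-readable duration, largest unit first."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for charset, name in ((LOWERCASE, "lowercase"), (ALL_FOUR_CLASSES, "four classes")):
        for length in (6, 10, 14):
            print(f"{name:13} len {length:2}: {keyspace(charset, length):.3e} candidates")
            for label, rate in ASSUMED_RATES.items():
                print(f"    {label:47} {human(seconds_to_exhaust(charset, length, rate))}")
```

Running it shows why the notes stress length: moving from 10 to 14 lowercase characters multiplies the search space by 26^4, which is a larger gain than switching 10 characters from lowercase to all four classes, and the hash function in use changes the answer far more than either.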

Training Password Users

User Training Importance
  • Proper training is necessary for users handling passwords, especially where a password is also used to derive an encryption key, since a weak password then weakens the key directly.

  • Training Topics for Password Users:

    1. Password Behaviors.

    2. Password Expiration Dates.

    3. Password Recovery Procedures.

    4. Password History.

    5. Password Reuse Policies.

Implementing Password Policies

Elements of Password Policies
  • The policy is first written down as a statement of the organization's security goals for passwords, then enforced technically by the directory or application.

  • Five key components to include in password policies:

    1. Password History: Keeps hashes of previous passwords so they cannot be reused; minor variations (incrementing a trailing digit) should be caught as well.

    2. Maximum Password Age: Enforces a change after a set period.

    3. Minimum Password Age: Prevents a user from cycling through the whole history list in minutes to get back to the original password.

    4. Minimum Password Length: Sets a floor on length, which is the main driver of resistance to guessing.

    5. Complexity Requirements: Rejects easily guessable passwords (e.g., "123456" or "password123"), ideally by checking against a list of known weak passwords rather than only character-class rules.

Authentication Technologies

Tokens
  • Tokens provide a "something you have" authentication factor.

  • They display a changing code, typically every 30 or 60 seconds, that is entered as a one-time password (OTP) alongside the regular password.

  • Time-Based Tokens: Because the OTP changes every step, an intercepted code is useful only until its step (plus any drift window the server allows) expires.

Example Scenario Using Tokens
  1. Initial Setup: The token and the server are provisioned with the same shared secret key, and the token's clock is synchronized with the server's.

  2. Login Process: User enters username, password, and the OTP currently shown by the token.

  3. Server Authentication: The server verifies the password, then computes the expected OTP from the shared secret and the current time step and compares it to the submitted code.

  4. Code Expiration: The OTP is valid only for its time step (30-60 seconds); a well-behaved server also refuses to accept the same code twice.

Advantages of Token Authentication
  • Stronger than a password alone: An attacker who has the password still needs the physical token.

  • No network connection needed: The token computes codes offline from the secret and the time, so there is no channel to the token to attack. This does not stop a real-time phishing proxy that relays the OTP to the real site within the validity window; only origin-bound methods such as FIDO2 security keys resist that.

  • Dynamic codes: Each code is short-lived, minimizing the window in which a captured code can be misused.

One-Time Password Algorithms
  • HMAC-Based One-Time Password (HOTP, RFC 4226): Computes an HMAC over a shared secret and an incrementing counter, then truncates the result to 6-8 decimal digits. A code stays valid until it is used or the counter moves past it, so an unused code that leaks remains usable; the counter can also drift if the token is pressed without logging in, which the server handles with a small look-ahead window.

  • Time-Based One-Time Password (TOTP, RFC 6238): HOTP with the counter replaced by the current time divided into steps (typically 30 seconds). Clock drift between token and server causes valid codes to be rejected, so servers usually accept one step on either side of the current one.

Authenticator Apps
  • Apps like Google Authenticator implement TOTP (and sometimes HOTP) on the user's phone in place of a dedicated hardware token.

    • Initial Setup: Pair with the service by scanning a QR code, which encodes an otpauth:// URI carrying the base32 secret, or by entering the key manually.

    • Code Generation: The app derives time-based codes from the secret and the phone's clock; no network access is needed.

    • Verification: The server recomputes the code from the shared secret and the current time step and compares it to the submitted value.

    • Best choice for the project.
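The token scenario, the HOTP and TOTP algorithms, and the authenticator-app enrolment above, worked end to end as an added example (not code from the original notes or from any authenticator app). The enrolment secret is the RFC 4226/6238 test-vector key, so the generated codes can be checked against the RFCs; the drift and look-ahead window sizes, issuer and account name are assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): enrolment URI, code generation, and
server-side verification with the drift and look-ahead windows the notes mention.

Added example, not from the original notes. RFC_SECRET is the RFC test-vector
key; window sizes and the issuer/account names are assumptions.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, int(unix_time // step), digits, algo)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- drift_steps neighbours to tolerate clock drift.
    A deployed verifier must also remember the last accepted step to refuse replays."""
    base = int(unix_time // step)
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, base + delta), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 5):
    """HOTP resync: the token may have been pressed a few times without a login, so the
    server searches a small look-ahead window and, on success, returns the new counter
    (one past the match) so that code and every earlier one can never be accepted again."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c + 1
    return False, server_counter


if __name__ == "__main__":
    print(provisioning_uri("Example Shop", "alice@example.com", RFC_SECRET))
    print("HOTP counters 0-3:", [hotp(RFC_SECRET, c) for c in range(4)])
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
```

The two verifiers show the different failure modes from the notes: verify_totp tolerates drift by widening the time window, while verify_hotp tolerates counter drift by looking ahead and then advancing the stored counter past the accepted code so it cannot be replayed.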

CAPTCHA for Verification

CAPTCHA Overview
  • CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

  • It helps to verify human users and prevents automated operations, such as bot attacks.

  • Types of CAPTCHAs:

    1. Traditional CAPTCHA: Distorted text input (largely defeated by OCR and machine-learning solvers, and by paid human solving services).

    2. Image-based CAPTCHA: Requires user to select certain images (e.g., bicycles).

    3. Invisible CAPTCHA: Monitors user behavior, displaying challenges only when suspicious activity is detected.

    4. Audio CAPTCHA: Accessible for users with visual impairments.

Email-Based Verification

Methodology
  • During registration or sensitive actions, a verification link containing a random, single-use, time-limited token is sent to the registered email; clicking it confirms control of that mailbox.

  • Advantage: Simple confirmation method with no extra infrastructure.

  • Risk: Proves control of the mailbox, not identity; a compromised email account undermines it, and a guessable or reusable token lets an attacker skip the email entirely.

Security Questions (Knowledge-Based Authentication)

Overview
  • Users respond to pre-set security questions as an extra step during login or account recovery.

  • Advantage: Adds a step to suspicious login attempts without new hardware.

  • Risk: Weak protection; answers (mother's maiden name, first school) are often public or guessable and easily obtained by social engineering, and current guidance (NIST SP 800-63B) discourages their use as an authenticator.

Certificate-Based Authentication

Description
  • Utilizes digital certificates issued by a trusted Certificate Authority (CA). The client proves possession of the certificate's private key (for example in the TLS handshake, known as mutual TLS), and the server checks the chain to a trusted CA, the validity period, and revocation status.

  • Advantage: Highly secure for sensitive online transactions; nothing reusable is sent, unlike a password.

  • Risk: Requires a PKI (issuance, renewal, revocation) and secure private-key storage on the client.

Hardware-Based Authentication (Security Keys)

Explanation
  • Hardware security keys (e.g., YubiKeys) implementing FIDO2/WebAuthn sign a server-supplied challenge with a key pair bound to the site's origin, so a phishing page on a different domain cannot obtain a response the real site will accept.

  • Advantage: Phishing-resistant, unlike OTP codes that a user can be tricked into typing into a fake site.

  • Risk: A lost key locks the user out unless a backup key or alternative recovery path was registered.

Biometric Methods

Description
  • Authentication based on physical characteristics that are unique to the person (e.g., fingerprints, facial recognition).

  • Advantage: Cannot be forgotten or shared like a password, and is convenient for the user.

  • Risk: False acceptance and false rejection rates must be tuned; a compromised biometric cannot be changed like a password; and storing biometric templates raises privacy concerns.

Behavioral Biometrics
  • Analyzes user behavioral patterns (typing, mouse movement) for authentication.

  • Advantage: Continuous and invisible authentication.

  • Risk: Potential user inconvenience from false positives; still evolving technology.

Geolocation Methods

Overview
  • Technologies identifying user location (e.g., via IP address or device GPS) are used as a risk signal, such as flagging a login from a country the user has never used or "impossible travel" between two logins, rather than as a standalone factor.

  • Risk: Malicious actors can route through VPNs, proxies, or Tor to appear in another location, and legitimate users travel, so geolocation should trigger extra verification rather than decide access on its own.

Kerberos

Overview
  • A network authentication protocol that proves identity with tickets issued by a trusted third party, so that services never see the user's password.

  • Developed at MIT (Project Athena) and first shipped on UNIX systems; now available on most operating systems and the default authentication protocol in Active Directory domains.

  • Key Components:

    • Key Distribution Center (KDC): Holds every principal's long-term key and runs two services, the Authentication Service (AS) and the Ticket-Granting Service (TGS).

    • Ticket-Granting Ticket (TGT): Issued by the AS after the user proves knowledge of the password-derived key; encrypted under the KDC's own key so the client cannot read or alter it, and presented to the TGS to obtain service tickets without re-entering the password.

Kerberos Authentication Process
  1. Request for Authentication Ticket (AS-REQ): The client names the user and, with pre-authentication, sends the current timestamp encrypted under the key derived from the user's password.

  2. AS Response (AS-REP): The AS decrypts the timestamp with its copy of the user's key; if it is valid and recent, it returns a TGT (encrypted under the KDC key) plus a TGT session key encrypted under the user's key. A wrong password simply fails to decrypt this reply.

  3. Ticket Granting Service Request (TGS-REQ): The client presents the TGT together with an authenticator (user name and timestamp encrypted with the TGT session key) and names the service it wants to reach.

  4. TGS Response (TGS-REP): The TGS decrypts the TGT, checks the authenticator, and returns a service ticket encrypted under the service's long-term key plus a service session key encrypted under the TGT session key.

  5. Accessing the Service (AP-REQ, AP-REP): The client sends the service ticket and a fresh authenticator; the service decrypts the ticket with its own key (from its keytab), verifies the authenticator, and optionally replies with the authenticator's timestamp under the session key to prove its own identity (mutual authentication). The KDC is not contacted in this step.

  6. Encryption: All tickets and authenticators use symmetric-key cryptography; the password itself never crosses the network, only material encrypted under a key derived from it.
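The six steps above, simulated with both sides' messages as an added example (not code from the original notes, and not the real Kerberos wire format). Real Kerberos uses AES-based encryption types (RFC 3962); to run with the standard library alone, this simulation substitutes a toy encrypt-then-MAC construction built from HMAC-SHA256. The realm, principal names, password and keytab contents are constructed.

```python
"""Kerberos exchanges simulated end to end: AS-REQ/AS-REP, TGS-REQ/TGS-REP, AP-REQ/AP-REP.

Added example, not from the original notes. The cipher is a toy stand-in for
Kerberos encryption types; realm, principals and password are constructed.
"""
import hashlib
import hmac
import json
import os
import time

# --- toy authenticated encryption (stand-in for Kerberos etypes, NOT for production) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from the password; the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

# --- KDC state: every principal's long-term key (constructed) ---
REALM = "EXAMPLE.COM"
PRINCIPALS = {"alice": string_to_key("correct horse", REALM + "alice"),
              "krbtgt": os.urandom(32),      # key that encrypts TGTs
              "db/sql01": os.urandom(32)}    # service key, also held in the service's keytab
LIFETIME = 8 * 3600

def as_exchange(as_req: dict, now: float) -> dict:
    """AS: check the pre-auth timestamp under the user's key, return TGT + TGT session key."""
    user_key = PRINCIPALS[as_req["cname"]]
    if abs(decrypt(user_key, as_req["pa_enc_timestamp"])["ts"] - now) > 300:
        raise ValueError("pre-authentication failed")
    session = os.urandom(32).hex()
    tgt = encrypt(PRINCIPALS["krbtgt"], {"cname": as_req["cname"], "key": session, "exp": now + LIFETIME})
    return {"tgt": tgt, "enc_part": encrypt(user_key, {"key": session, "exp": now + LIFETIME})}

def tgs_exchange(tgs_req: dict, now: float) -> dict:
    """TGS: open the TGT, check the authenticator, return a service ticket + service session key."""
    tgt = decrypt(PRINCIPALS["krbtgt"], tgs_req["tgt"])
    auth = decrypt(bytes.fromhex(tgt["key"]), tgs_req["authenticator"])
    if tgt["exp"] < now or auth["cname"] != tgt["cname"]:
        raise ValueError("TGT invalid")
    svc_session = os.urandom(32).hex()
    ticket = encrypt(PRINCIPALS[tgs_req["sname"]],
                     {"cname": tgt["cname"], "key": svc_session, "exp": now + LIFETIME})
    return {"ticket": ticket,
            "enc_part": encrypt(bytes.fromhex(tgt["key"]), {"key": svc_session, "sname": tgs_req["sname"]})}

def ap_exchange(ap_req: dict, service_key: bytes, now: float):
    """Service: decrypt the ticket with its own key (no KDC contact), verify the authenticator,
    and answer with the authenticator's timestamp for mutual authentication."""
    ticket = decrypt(service_key, ap_req["ticket"])
    auth = decrypt(bytes.fromhex(ticket["key"]), ap_req["authenticator"])
    if ticket["exp"] < now or auth["cname"] != ticket["cname"] or abs(auth["ts"] - now) > 300:
        raise ValueError("AP-REQ rejected")
    return ticket["cname"], encrypt(bytes.fromhex(ticket["key"]), {"ts": auth["ts"]})

def login_and_access(user: str, password: str, service: str, now: float) -> str:
    """Client side of all three exchanges; returns the principal the service authenticated."""
    user_key = string_to_key(password, REALM + user)
    as_rep = as_exchange({"cname": user, "pa_enc_timestamp": encrypt(user_key, {"ts": now})}, now)
    tgt_key = bytes.fromhex(decrypt(user_key, as_rep["enc_part"])["key"])   # wrong password fails here
    tgs_rep = tgs_exchange({"tgt": as_rep["tgt"], "sname": service,
                            "authenticator": encrypt(tgt_key, {"cname": user, "ts": now})}, now)
    svc_key = bytes.fromhex(decrypt(tgt_key, tgs_rep["enc_part"])["key"])
    who, ap_rep = ap_exchange({"ticket": tgs_rep["ticket"],
                               "authenticator": encrypt(svc_key, {"cname": user, "ts": now})},
                              PRINCIPALS[service], now)
    if decrypt(svc_key, ap_rep)["ts"] != now:       # client checks the service's reply too
        raise ValueError("service failed mutual authentication")
    return who

if __name__ == "__main__":
    print("service authenticated:", login_and_access("alice", "correct horse", "db/sql01", time.time()))
```

Two properties from the notes are visible in the code: the client never sends the password, only a timestamp encrypted under a key derived from it, and the service verifies the ticket locally with its keytab key, which is why a stolen keytab or a compromised krbtgt key is so damaging.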

E-commerce Implementation of Kerberos
  • Secures access from application servers to backend systems (e.g., databases) with service tickets instead of passwords stored in configuration files.

  • Enables strong authentication and centralized user management through the KDC.

Single Sign-On (SSO)

Definition
  • Allows a user to log on once and access multiple systems without re-entering credentials.

  • Trust Model: The service provider trusts the identity provider's assertion instead of verifying the user itself; in social login this is one site accepting another's login (e.g., LinkedIn accepting a Facebook identity).

  • Risk: If the identity provider account is compromised, every connected service is exposed, so that account must be the best protected one (MFA, phishing-resistant where possible).

Security Assertion Markup Language (SAML)

Overview
  • An open standard for exchanging authentication data between identity and service providers, primarily used for SSO.

  • Defines roles like Principal (user), Service Provider (SP), and Identity Provider (IdP).

  • Benefits

    • Better security (fewer passwords to steal, and enforcement such as MFA happens once at the IdP)

    • Easier for Users

    • Simpler Administration (fewer accounts for IT to manage, and one place to disable a departing user)

    • Helps with Compliance

Implementation Examples
  • Google Workspace and Microsoft 365 utilize SAML for SSO, linking internal identity systems with their services.

OAuth (Open Authorization)

Functionality
  • An authorization framework (RFC 6749) that lets a third-party application obtain a scoped, revocable access token for a user's resources without ever receiving the user's password.

  • Advantage: The user consents to specific scopes at the authorization server and can revoke that access later without changing a password.

  • Risk: Stolen or over-broad access tokens, and client misconfiguration such as loose redirect URI validation, give a third party more access than intended.

Open ID Connect (OIDC)

Functionality
  • Works as an authentication layer atop the OAuth 2.0 framework.

  • Adds a signed ID token (a JWT) carrying the user's identity claims; the client validates its signature, issuer, audience, expiry, and nonce rather than ever handling the user's credentials.

  • Advantage: Streamlined experience, reducing the need for multiple passwords.

  • Risk: A compromised identity provider, or a client that skips any of the ID token checks, lets an attacker present someone else's identity.
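The relying-party side of OpenID Connect, written as an added example (not code from the original notes or from any OIDC library): issuing an ID token and validating it. To stay standard-library only it signs with HS256 using the client secret, which OIDC Core permits for confidential clients; most providers sign with RS256, and the claim checks are identical in that case. The issuer, client_id, secret, subject and nonce values are constructed.

```python
"""ID token validation at an OpenID Connect relying party.

Added example, not from the original notes. HS256 with the client secret is
used so the example runs offline; issuer, client_id, secret and nonce are
constructed.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"      # assumed OpenID provider
CLIENT_ID = "shop-web"                  # assumed relying-party client_id
CLIENT_SECRET = b"constructed-client-secret-32-bytes!!"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(subject: str, nonce: str, now: int, aud: str = CLIENT_ID, alg: str = "HS256") -> str:
    """What the provider returns after login (HS256 signed with the client secret).
    alg='none' is included only so the validator's rejection of it can be exercised."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "sub": subject, "aud": aud, "nonce": nonce,
                                 "iat": now, "exp": now + 300}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Checks a relying party must perform (OIDC Core 3.1.3.7) before trusting the identity."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":                     # never accept 'none' or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:             # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    token = issue_id_token("user-42", "n-abc", 1_700_000_000)
    print(validate_id_token(token, "n-abc", 1_700_000_010)["sub"])
```

The audience check is the one most often skipped in practice: a token legitimately issued to some other application at the same provider is still a validly signed token, and only the aud claim stops it from being replayed against this client.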