Authentication and Authorization
Authentication and Authorization Study Notes
Initial Steps in Attacks
Q1: What is an attacker’s first step?
A: Gathering information (aka assessment or reconnaissance).
Q2: After the initial assessment, what is usually the next step?
A: Plan your attack(s).
Q3: What is usually included in your attack(s)?
A: Getting into the target system.
Access Control
Q4: What is access control?
A: Access control is about securely controlling access to the protected asset (i.e., Who or What can access the asset, and in what ways?).
Access Control is often referred to as the AAA service, which consists of three components:
Authentication:
The validation of someone’s identity (aka the first line of defense).
Authorization:
After an entity is authenticated by the system, that entity’s rights or privileges are granted.
Accounting (aka Logging):
The accessor’s actions/operations/commands are recorded in a log (mainly for the purpose of forensics).
Mechanisms of Authentication
Q5: What mechanisms would provide authentication?
A: Various mechanisms such as:
Log-in (an example of password-based authentication).
Biometric authentication (e.g., facial recognition, fingerprint recognition/mapping, voice recognition).
2-factor or multi-factor authentication.
Location-based authentication.
Challenge/response authentication.
What can be used for authentication:
What the entity knows (e.g., passwords).
What the entity is (e.g., biometric data).
Where the entity is located (e.g., IP address).
Participants in Authentication Process
Q6: What are the participants in the authentication process?
A:
Authenticatee: The entity that initiates the request to access.
Authenticator: The entity/program/server that authenticates the authenticatee’s request.
Challenge/Response Authentication
Q7: What is challenge/response authentication?
Process:
a. The authenticatee sends an access request to the authenticator.
b. The authenticator sends a challenge (typically a randomly generated number) to the authenticatee.
c. The authenticatee generates a response based on the challenge and sends it to the authenticator.
Note: The authenticator checks the response. If it is valid, the requester is authenticated; otherwise, authentication fails.
Important Note: The authenticator and the authenticatee must pre-share a secret function that generates a response when given a challenge.
Origin Integrity and Authentication
Q8: Origin Integrity is also called Authentication. What exactly is their relationship?
A: Both involve confirming the authenticity of the origin/source of a message or data.
Q9: Can mechanisms like message authentication codes and digital signatures be used to devise a protocol of authentication?
A: Yes.
Digital Signature Mechanism for Authentication Protocol
Q10: How would you use the digital signature mechanism to devise an authentication protocol?
Pre-requisites: The authenticator must have the requester’s public key (this can be done by validating the requester’s digital certificate).
Process:
a. The authenticatee sends an access request, along with its digital certificate, to the authenticator.
b. Authenticator sends a challenge to authenticatee.
c. The authenticatee generates a signature based on the received challenge.
d. Authenticatee sends the signature to authenticator.
e. The authenticator validates the received signature using the authenticatee’s public key and the challenge.
f. If the received signature is valid, then the requester is authenticated; otherwise, authentication fails.
Message Authentication Codes for Authentication Protocol
Q11: How would you use the message authentication codes mechanism to devise an authentication protocol?
Note: The symmetric key is typically established beforehand via a key exchange protocol.
Note: Further discussion and details are needed for a complete understanding of using message authentication codes in authentication protocols.
Next Steps: Continue exploring methods and implications of message authentication for future discussions.
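As an added worked example (not part of the original notes), the following Python script carries out the challenge/response exchange from Q7 using a message authentication code (Q11) as the pre-shared "secret function": the authenticator issues a random challenge, the authenticatee answers with HMAC-SHA256 over that challenge under the shared key, and the authenticator recomputes and compares the result. The Q10 variant is the same exchange with a digital signature in place of the HMAC and the requester's public key in place of the shared key. The class and function names (Authenticator, compute_response, run_exchange, demo), the user "alice" and the PRESHARED_KEYS table are constructed for this example; the key is assumed to have been established earlier, as the note above describes.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: user -> pre-shared secret key.
# Assumption: the key was agreed earlier (e.g. via a key exchange protocol).
PRESHARED_KEYS = {
    "alice": b"constructed-demo-key-for-alice",
}


def compute_response(key, challenge):
    """Step c: the shared secret function f(key, challenge), here HMAC-SHA256."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Authenticator:
    """Server side of the exchange: issues challenges and checks responses."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._pending = {}  # user -> outstanding challenge (single use)

    def issue_challenge(self, user):
        """Step b: send a fresh, unpredictable challenge to the authenticatee."""
        if user not in self._keys:
            return None
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user, response):
        """Check step: recompute the expected response and compare in constant time."""
        # Each challenge is consumed on first use, so a captured response
        # cannot be replayed against a later session.
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False  # no outstanding challenge: stale or replayed response
        expected = compute_response(self._keys[user], challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(auth, user, key):
    """Drive one full exchange (steps a-c plus the check) for the authenticatee."""
    challenge = auth.issue_challenge(user)        # steps a and b
    if challenge is None:
        return False                              # unknown requester
    response = compute_response(key, challenge)   # step c
    return auth.verify(user, response)            # authenticator's check


def demo():
    """Run the exchange under several conditions and report each outcome."""
    auth = Authenticator(PRESHARED_KEYS)
    results = {}
    results["correct_key"] = run_exchange(auth, "alice", PRESHARED_KEYS["alice"])
    results["wrong_key"] = run_exchange(auth, "alice", b"not-the-shared-key")
    results["unknown_user"] = run_exchange(auth, "mallory", b"anything")

    # A valid response presented a second time must be rejected, because the
    # challenge it answers has already been consumed.
    challenge = auth.issue_challenge("alice")
    response = compute_response(PRESHARED_KEYS["alice"], challenge)
    results["first_use"] = auth.verify("alice", response)
    results["replay"] = auth.verify("alice", response)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'authenticated' if outcome else 'rejected'}")
```

Two details carry the security of the scheme: the challenge comes from a cryptographic random source and is used only once, so an observer who records a response gains nothing for a later session, and the comparison uses hmac.compare_digest rather than == so that timing does not leak how many bytes of a guessed response were correct.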