Title:
Mechanics of user identification and authentication : fundamentals of identity management
Personal Author:
Publication Information:
Boca Raton : Auerbach Publications, 2007
Physical Description:
xxv, 728 p. : ill. ; 25 cm.
ISBN:
9781420052190

Available:

Holdings (columns: Library, Item Barcode, Call Number, Material Type, Item Category 1, Status):
30000010196913  TK5105.59 T62 2007  Open Access Book  Book
30000003495011  TK5105.59 T62 2007  Open Access Book  Book
30000010196914  TK5105.59 T62 2007  Open Access Book  Book

On Order

Summary

User identification and authentication are essential parts of information security. Users must authenticate as they access their computer systems at work or at home every day. Yet do users understand how and why they are actually being authenticated, the security level of the authentication mechanism that they are using, and the potential impacts of selecting one authentication mechanism or another?

Introducing key concepts, Mechanics of User Identification and Authentication: Fundamentals of Identity Management outlines the process of controlled access to resources through authentication, authorization, and accounting in an in-depth yet accessible manner. It examines today's security landscape and the specific threats to user authentication. The book then outlines the process of controlled access to resources and discusses the types of user credentials that can be presented as proof of identity prior to accessing a computer system. It also contains an overview of cryptography that covers the essential approaches and terms required for understanding how user authentication works.

This book provides specific information on the user authentication process for both UNIX and Windows. Addressing more advanced applications and services, the author presents common security models such as GSSAPI and discusses authentication architecture. Each method is illustrated with a specific authentication scenario.
Table of Contents

Acknowledgments p. xix
About the Author p. xxi
About This Book p. xxiii
1 User Identification and Authentication Concepts p. 1
1.1 Security Landscape p. 1
1.2 Authentication, Authorization, and Accounting p. 3
1.2.1 Identification and Authentication p. 4
1.2.2 Authorization p. 7
1.2.3 User Logon Process p. 8
1.2.4 Accounting p. 8
1.3 Threats to User Identification and Authentication p. 9
1.3.1 Bypassing Authentication p. 9
1.3.2 Default Passwords p. 10
1.3.3 Privilege Escalation p. 10
1.3.4 Obtaining Physical Access p. 11
1.3.5 Password Guessing: Dictionary, Brute Force, and Rainbow Attacks p. 12
1.3.6 Sniffing Credentials off the Network p. 14
1.3.7 Replaying Authentication p. 14
1.3.8 Downgrading Authentication Strength p. 15
1.3.9 Imposter Servers p. 15
1.3.10 Man-in-the-Middle Attacks p. 16
1.3.11 Session Hijacking p. 16
1.3.12 Shoulder Surfing p. 16
1.3.13 Keyboard Loggers, Trojans, and Viruses p. 17
1.3.14 Offline Attacks p. 17
1.3.15 Social Engineering p. 17
1.3.16 Dumpster Diving and Identity Theft p. 18
1.4 Authentication Credentials p. 18
1.4.1 Password Authentication p. 20
1.4.1.1 Static Passwords p. 20
1.4.1.2 One-Time Passwords p. 22
1.4.2 Asymmetric Keys and Certificate-Based Credentials p. 26
1.4.3 Biometric Credentials p. 34
1.4.4 Ticket-Based Hybrid Authentication Methods p. 37
1.5 Enterprise User Identification and Authentication Challenges p. 39
1.6 Authenticating Access to Services and the Infrastructure p. 43
1.6.1 Authenticating Access to the Infrastructure p. 43
1.6.2 Authenticating Access to Applications and Services p. 44
1.7 Delegation and Impersonation p. 45
1.8 Cryptology, Cryptography, and Cryptanalysis p. 45
1.8.1 The Goal of Cryptography p. 46
1.8.2 Protection Keys p. 47
1.8.2.1 Symmetric Encryption p. 49
1.8.2.2 Asymmetric Keys p. 51
1.8.2.3 Hybrid Approaches: Diffie-Hellman Key Exchange Algorithm p. 52
1.8.3 Encryption p. 54
1.8.3.1 Data Encryption Standard (DES/3DES) p. 55
1.8.3.2 Advanced Encryption Standard (AES) p. 57
1.8.3.3 RC4 (ARCFOUR) p. 58
1.8.3.4 RSA Encryption Algorithm (Asymmetric Encryption) p. 58
1.8.4 Data Integrity p. 59
1.8.4.1 Message Integrity Code (MIC) p. 60
1.8.4.2 Message Authentication Code (MAC) p. 61
2 UNIX User Authentication Architecture p. 65
2.1 Users and Groups p. 65
2.1.1 Overview p. 66
2.1.2 Case Study: Duplicate UIDs p. 67
2.1.3 Case Study: Group Login and Supplementary Groups p. 68
2.2 Simple User Credential Stores p. 69
2.2.1 UNIX Password Encryption p. 70
2.2.2 The /etc/passwd File p. 73
2.2.3 The /etc/group File p. 76
2.2.4 The /etc/shadow File p. 76
2.2.5 The /etc/gshadow File p. 79
2.2.6 The /etc/publickey File p. 80
2.2.7 The /etc/cram-md5.pwd File p. 81
2.2.8 The SASL User Database p. 82
2.2.9 The htpasswd File p. 82
2.2.10 Samba Credentials p. 83
2.2.11 The Kerberos Principal Database p. 84
2.3 Name Services Switch (NSS) p. 84
2.4 Pluggable Authentication Modules (PAM) p. 88
2.5 The UNIX Authentication Process p. 95
2.6 User Impersonation p. 96
2.7 Case Study: User Authentication against LDAP p. 104
2.7.1 Preparing Active Directory p. 105
2.7.2 PADL LDAP Configuration p. 105
2.7.3 User Authentication Using NSS LDAP p. 108
2.7.4 User Authentication Using PAM LDAP p. 124
2.8 Case Study: Using Hesiod for User Authentication in Linux p. 129
3 Windows User Authentication Architecture p. 139
3.1 Security Principals p. 140
3.1.1 Security Identifiers (SIDs) p. 140
3.1.2 Users and Groups p. 140
3.1.3 Case Study: Group SIDs p. 152
3.1.4 Access Tokens p. 153
3.1.5 Case Study: SIDs in the User Access Token p. 155
3.1.6 User Rights p. 157
3.2 Stand-Alone Authentication p. 160
3.2.1 Interactive and Network Authentication p. 161
3.2.2 Interactive Authentication on Windows Computers p. 162
3.2.3 The Security Accounts Manager Database p. 165
3.2.4 Case Study: User Properties - Windows NT Local User Accounts p. 168
3.2.5 Case Study: Group Properties - Windows Local Group Accounts p. 169
3.2.6 SAM Registry Structure p. 170
3.2.7 User Passwords p. 173
3.2.8 Storing Password Hashes in the Registry SAM File p. 174
3.2.8.1 LM Hash Algorithm p. 174
3.2.8.2 NT Hash Algorithm p. 178
3.2.8.3 Password Hash Obfuscation Using DES p. 178
3.2.8.4 SYSKEY Encryption for Storing Password Hashes in the SAM p. 179
3.2.8.5 Case Study: The SYSKEY Utility, the System Key, and Password Encryption Key p. 181
3.2.8.6 Threats to Windows Password Hashes p. 185
3.2.8.7 Tools to Access Windows Password Hashes p. 188
3.2.8.8 Case Study: Accessing Windows Password Hashes with pwdump4 p. 188
3.2.9 LSA Secrets p. 190
3.2.9.1 Case Study: Exploring LSA Secrets on a Windows NT 4.0 Domain Controller That Is an Exchange 5.5 Server p. 192
3.2.10 Logon Cache p. 197
3.2.11 Protected Storage p. 199
3.2.12 Data Protection API (DPAPI) p. 200
3.2.13 Credential Manager p. 205
3.2.14 Case Study: Exploring Credential Manager p. 208
3.3 Windows Domain Authentication p. 210
3.3.1 Domain Model p. 210
3.3.2 Joining a Windows NT Domain p. 214
3.3.3 Computer Accounts in the Domain p. 215
3.3.4 Domains and Trusts p. 217
3.3.5 Case Study: Workstation Trust and Interdomain Trust p. 219
3.3.6 SID Filtering across Trusts p. 220
3.3.7 Migration and Restructuring p. 222
3.3.8 Null Sessions p. 224
3.3.9 Case Study: Using Null Sessions Authentication to Access Resources p. 227
3.3.10 Case Study: Domain Member Start-up and Authentication p. 230
3.3.11 Case Study: Domain Controller Start-up and Authentication p. 233
3.3.12 Case Study: Windows NT 4.0 Domain User Logon Process p. 233
3.3.13 Case Study: User Logon to Active Directory Using Kerberos p. 235
3.3.14 Windows NT 4.0 Domain Model p. 235
3.3.14.1 User Accounts p. 235
3.3.14.2 Group Accounts and Group Strategies p. 236
3.3.14.3 Authentication Protocols: NTLM and LM p. 237
3.3.14.4 Trust Relationships p. 237
3.3.15 Active Directory p. 240
3.3.15.1 Active Directory Overview p. 240
3.3.15.2 Logical and Physical Structure p. 240
3.3.15.3 Active Directory Schema p. 244
3.3.15.4 Database Storage for Directory Information p. 245
3.3.15.5 Support for Legacy Windows NT Directory Services p. 246
3.3.15.6 Hierarchical LDAP-Compliant Directory p. 249
3.3.15.7 Case Study: Exploring Active Directory Using LDP.EXE p. 249
3.3.15.8 User Accounts in AD p. 252
3.3.15.9 Case Study: User Logon Names in Active Directory p. 257
3.3.15.10 Case Study: Using LDAP to Change User Passwords in Active Directory p. 259
3.3.15.11 Case Study: Obtaining Password Hashes from Active Directory p. 262
3.3.15.12 Group Accounts and Group Strategy in AD p. 262
3.3.15.13 Case Study: Exploring the Effects of Group Nesting on the User Access Token p. 266
3.3.15.14 Computer Accounts in AD p. 270
3.3.15.15 Trees, Forests, and Intra-forest Trusts p. 270
3.3.15.16 Case Study: User Accesses Resources in Another Domain in the Same Forest p. 275
3.3.15.17 Trusts with External Domains p. 279
3.3.15.18 Case Study: Exploring External Trusts p. 281
3.3.15.19 Case Study: Exploring Forest Trusts p. 283
3.3.15.20 Selective Authentication p. 285
3.3.15.21 Case Study: Exploring Authentication Firewall and User Access Tokens p. 287
3.3.15.22 Protocol Transition p. 290
3.4 Federated Trusts p. 291
3.5 Impersonation p. 291
3.5.1 Secondary Logon Service p. 292
3.5.2 Application-Level Impersonation p. 294
4 Authenticating Access to Services and Applications p. 301
4.1 Security Programming Interfaces p. 301
4.1.1 Generic Security Services API (GSS-API) p. 302
4.1.1.1 Kerberos Version 5 as a GSS-API Mechanism p. 306
4.1.1.2 SPNEGO as a GSS-API Mechanism p. 308
4.1.2 Security Support Provider Interface (SSPI) p. 310
4.1.2.1 SSP Message Support p. 311
4.1.2.2 Strong Keys and 128-bit Encryption p. 312
4.1.2.3 SSPI Signing p. 314
4.1.2.4 SSPI Sealing (Encryption) p. 314
4.1.2.5 Controlling SSP Behavior Using Group Policies p. 314
4.1.2.6 Microsoft Negotiate SSP p. 315
4.1.2.7 GSS-API and SSPI Compatibility p. 330
4.2 Authentication Protocols p. 331
4.2.1 NTLM Authentication p. 331
4.2.1.1 NTLM Overview p. 331
4.2.1.2 The Concept of Trust and Secure Channels p. 332
4.2.1.3 Domain Member Secure Channel Establishment p. 334
4.2.1.4 Domain Controller Secure Channel Establishment across Trusts p. 338
4.2.1.5 SMB/CIFS Signing p. 339
4.2.1.6 Case Study: Pass-through Authentication and Authentication Piggybacking p. 342
4.2.1.7 NTLM Authentication Mechanics p. 344
4.2.1.8 Case Study: NTLM Authentication Scenarios p. 362
4.2.1.9 NTLM Impersonation p. 387
4.2.2 Kerberos Authentication p. 387
4.2.2.1 Kerberos Overview p. 387
4.2.2.2 The Concept of Trust in Kerberos p. 388
4.2.2.3 Name Format for Kerberos Principals p. 389
4.2.2.4 Kerberos Authentication Phases p. 389
4.2.2.5 Kerberos Tickets p. 391
4.2.2.6 Kerberos Authentication Mechanics p. 394
4.2.2.7 Case Study: Kerberos Authentication: CIFS p. 403
4.2.2.8 Authorization Information and the Microsoft PAC Attribute p. 414
4.2.2.9 Kerberos Credentials Exchange (KRB_CRED) p. 416
4.2.2.10 Kerberos and Smart Card Authentication (PKInit) p. 416
4.2.2.11 Kerberos User-to-User Authentication p. 418
4.2.2.12 Kerberos Encryption and Checksum Mechanisms p. 420
4.2.2.13 Case Study: Kerberos Authentication Scenarios p. 423
4.2.2.14 Kerberos Delegation p. 428
4.2.3 Simple Authentication and Security Layer (SASL) p. 430
4.2.3.1 Kerberos IV p. 432
4.2.3.2 GSS-API p. 433
4.2.3.3 S/Key Authentication Mechanism p. 433
4.2.3.4 External Authentication p. 433
4.2.3.5 SASL Anonymous Authentication p. 433
4.2.3.6 SASL CRAM-MD5 Authentication p. 434
4.2.3.7 SASL Digest-MD5 Authentication p. 437
4.2.3.8 SASL and User Password Databases p. 445
4.3 Transport Layer Security (TLS) and Secure Sockets Layer (SSL) p. 446
4.3.1 Hello Phase p. 449
4.3.2 Server Authentication Phase p. 450
4.3.3 Client Authentication Phase p. 451
4.3.3.1 Calculate the Master Secret p. 452
4.3.3.2 Calculate Protection Keys p. 453
4.3.4 Negotiate Start of Protection Phase p. 454
4.3.5 Resuming TLS/SSL Sessions p. 454
4.3.6 Using SSL/TLS to Protect Generic User Traffic p. 454
4.3.7 Using SSL/TLS Certificate Mapping as an Authentication Method p. 455
4.4 Telnet Authentication p. 464
4.4.1 Telnet Login Authentication p. 465
4.4.2 Telnet Authentication Option p. 470
4.5 FTP Authentication p. 479
4.5.1 FTP Simple Authentication p. 480
4.5.2 Anonymous FTP p. 481
4.5.3 FTP Security Extensions with GSS-API p. 481
4.5.4 FTP Security Extensions with TLS p. 485
4.6 HTTP Authentication p. 486
4.6.1 HTTP Anonymous Authentication p. 487
4.6.2 HTTP Basic Authentication p. 489
4.6.3 HTTP Digest Authentication p. 492
4.6.4 HTTP GSS-API/SSPI Authentication Using SPNEGO and Kerberos p. 495
4.6.5 HTTP NTLMSSP Authentication p. 501
4.6.6 HTTP SSL Certificate Mapping as an Authentication Method p. 501
4.6.7 Form-Based Authentication p. 506
4.6.8 Microsoft Passport Authentication p. 506
4.6.9 HTTP Proxy Authentication p. 509
4.7 POP3/IMAP Authentication p. 510
4.7.1 POP3/IMAP Password Authentication p. 510
4.7.2 POP3/IMAP Plain Authentication p. 511
4.7.3 POP3 APOP Authentication p. 511
4.7.4 POP3/IMAP Login Authentication p. 513
4.7.5 POP3/IMAP SASL CRAM-MD5 and DIGEST-MD5 Authentication p. 513
4.7.6 POP3/IMAP and NTLM Authentication (Secure Password Authentication) p. 513
4.8 SMTP Authentication p. 515
4.8.1 SMTP Login Authentication p. 517
4.8.2 SMTP Plain Authentication p. 519
4.8.3 SMTP GSS-API Authentication p. 519
4.8.4 SMTP CRAM-MD5 and DIGEST-MD5 Authentication p. 520
4.8.5 SMTP Authentication Using NTLM p. 520
4.9 LDAP Authentication p. 520
4.9.1 Simple Authentication p. 522
4.9.2 LDAP Anonymous Authentication p. 522
4.9.3 LDAP SASL Authentication Using Digest-MD5 p. 522
4.9.4 LDAP SASL Authentication Using GSS-API p. 526
4.10 SSH Authentication p. 533
4.10.1 SSH Public Key Authentication p. 535
4.10.2 SSH Host Authentication p. 538
4.10.3 SSH Password Authentication p. 539
4.10.4 SSH Keyboard Interactive Authentication p. 541
4.10.5 SSH GSS-API User Authentication p. 541
4.10.6 SSH GSS-API Key Exchange and Authentication p. 543
4.11 Sun RPC Authentication p. 544
4.11.1 RPC AUTH_NULL (AUTH_NONE) Authentication p. 545
4.11.2 RPC AUTH_UNIX (AUTH_SYS) Authentication p. 549
4.11.3 RPC AUTH_SHORT Authentication p. 553
4.11.4 RPC AUTH_DES (AUTH_DH) Authentication p. 553
4.11.5 RPC AUTH_KERB4 Authentication p. 558
4.11.6 RPCSEC_GSS Authentication p. 558
4.12 SMB/CIFS Authentication p. 560
4.13 NFS Authentication p. 561
4.14 Microsoft Remote Procedure Calls p. 561
4.15 MS SQL Authentication p. 562
4.15.1 MS SQL Authentication over the TCP/IP Transport p. 563
4.15.2 MS SQL Server Authentication over Named Pipes p. 564
4.15.3 MS SQL Server Authentication over Multiprotocol p. 565
4.15.4 MS SQL Server and SSL p. 566
4.16 Oracle Database Server Authentication p. 567
4.16.1 Oracle Legacy Authentication Database p. 567
4.16.2 Legacy OracleNet Authentication p. 568
4.16.3 Oracle Advanced Security Mechanisms for User Authentication p. 570
4.17 MS Exchange MAPI Authentication p. 571
4.18 SAML, WS-Security, and Federated Identity p. 571
4.18.1 XML and SOAP p. 572
4.18.2 SAML p. 572
4.18.2.1 SAML and Web Single Sign-On p. 575
4.18.2.2 Case Study: Web Single Sign-On Mechanics p. 577
4.18.2.3 SAML Federated Identity p. 578
4.18.2.4 Account Linking p. 578
4.18.3 WS-Security p. 580
5 Authenticating Access to the Infrastructure p. 583
5.1 User Authentication on Cisco Routers and Switches p. 583
5.1.1 Authentication to Router Services p. 584
5.1.2 Local User Database and Passwords p. 585
5.1.3 Centralizing Authentication p. 588
5.1.4 New-Model AAA p. 589
5.2 Authenticating Remote Access to the Infrastructure p. 590
5.2.1 SLIP Authentication p. 590
5.2.2 PPP Authentication p. 590
5.2.3 Password Authentication Protocol (PAP) p. 591
5.2.4 CHAP p. 593
5.2.5 MS-CHAP Version 1 and 2 p. 594
5.2.6 Extensible Authentication Protocol (EAP) p. 600
5.2.7 EAP-TLS p. 603
5.2.8 EAP-TTLS p. 604
5.2.9 Protected EAP (PEAP) p. 605
5.2.10 Lightweight EAP (LEAP) p. 606
5.2.11 EAP-FAST p. 607
5.2.11.1 EAP-FAST Automatic Provisioning (EAP-FAST Phase 0) p. 608
5.2.11.2 Tunnel Establishment (EAP-FAST Phase 1) p. 610
5.2.11.3 User Authentication (EAP-FAST Phase 2) p. 610
5.3 Port-Based Access Control p. 611
5.3.1 Overview of Port-Based Access Control p. 613
5.3.2 EAPOL p. 614
5.3.3 EAPOL Key Messages p. 616
5.4 Authenticating Access to the Wireless Infrastructure p. 623
5.4.1 Wi-Fi Authentication Overview p. 624
5.4.2 WEP Protection p. 625
5.4.3 Open Authentication p. 627
5.4.4 Shared Key Authentication p. 633
5.4.5 WPA/WPA2 and IEEE 802.11i p. 639
5.4.6 WPA/WPA2 Enterprise Mode p. 641
5.4.7 WPA/WPA2 Preshared Key Mode (WPA-PSK) p. 643
5.5 IPSec, IKE, and VPN Client Authentication p. 644
5.5.1 IKE Peer Authentication p. 644
5.5.1.1 IKE and IPSec Phases p. 645
5.5.1.2 Preshared Key Authentication p. 648
5.5.1.3 IKE Signature-Based Authentication p. 649
5.5.1.4 IKE Public Key Authentication, Option 1 p. 650
5.5.1.5 IKE Public Key Authentication, Option 2 p. 652
5.5.2 IKE XAUTH Authentication and VPN Clients p. 654
5.6 Centralized User Authentication p. 670
5.6.1 RADIUS p. 672
5.6.1.1 Overview p. 672
5.6.1.2 The Model of Trust in RADIUS p. 674
5.6.1.3 RADIUS Authentication Requests from Edge Devices p. 676
5.6.1.4 RADIUS and EAP Pass-through Authentication p. 678
5.6.2 TACACS+ p. 682
5.6.2.1 Overview p. 683
5.6.2.2 TACACS+ Channel Protection p. 684
5.6.2.3 TACACS+ Authentication Process p. 684
Appendices
A References p. 691
Printed References p. 691
Online References p. 692
B Lab Configuration p. 701
C Indices of Tables and Figures p. 705
Index of Tables p. 705
Index of Figures p. 709
Index p. 713