Available:
Item Barcode | Call Number | Material Type | Item Category 1
---|---|---|---
30000010196913 | TK5105.59 T62 2007 | Open Access Book | Book
30000003495011 | TK5105.59 T62 2007 | Open Access Book | Book
30000010196914 | TK5105.59 T62 2007 | Open Access Book | Book
On Order
Summary
User identification and authentication are essential parts of information security. Users must authenticate as they access their computer systems at work or at home every day. Yet do users understand how and why they are actually being authenticated, the security level of the authentication mechanism that they are using, and the potential impacts of selecting one authentication mechanism or another?
Introducing key concepts, Mechanics of User Identification and Authentication: Fundamentals of Identity Management outlines the process of controlled access to resources through authentication, authorization, and accounting in an in-depth yet accessible manner. It examines today's security landscape and the specific threats to user authentication. The book then outlines the process of controlled access to resources and discusses the types of user credentials that can be presented as proof of identity before a computer system is accessed. It also contains an overview of cryptography that covers the essential approaches and terms required to understand how user authentication works.
This book provides specific information on the user authentication process for both UNIX and Windows. Addressing more advanced applications and services, the author presents common security models such as GSS-API and discusses authentication architecture. Each method is illustrated with a specific authentication scenario.
Table of Contents
Acknowledgments | p. xix |
About the Author | p. xxi |
About This Book | p. xxiii |
1 User Identification and Authentication Concepts | p. 1 |
1.1 Security Landscape | p. 1 |
1.2 Authentication, Authorization, and Accounting | p. 3 |
1.2.1 Identification and Authentication | p. 4 |
1.2.2 Authorization | p. 7 |
1.2.3 User Logon Process | p. 8 |
1.2.4 Accounting | p. 8 |
1.3 Threats to User Identification and Authentication | p. 9 |
1.3.1 Bypassing Authentication | p. 9 |
1.3.2 Default Passwords | p. 10 |
1.3.3 Privilege Escalation | p. 10 |
1.3.4 Obtaining Physical Access | p. 11 |
1.3.5 Password Guessing: Dictionary, Brute Force, and Rainbow Attacks | p. 12 |
1.3.6 Sniffing Credentials off the Network | p. 14 |
1.3.7 Replaying Authentication | p. 14 |
1.3.8 Downgrading Authentication Strength | p. 15 |
1.3.9 Imposter Servers | p. 15 |
1.3.10 Man-in-the-Middle Attacks | p. 16 |
1.3.11 Session Hijacking | p. 16 |
1.3.12 Shoulder Surfing | p. 16 |
1.3.13 Keyboard Loggers, Trojans, and Viruses | p. 17 |
1.3.14 Offline Attacks | p. 17 |
1.3.15 Social Engineering | p. 17 |
1.3.16 Dumpster Diving and Identity Theft | p. 18 |
1.4 Authentication Credentials | p. 18 |
1.4.1 Password Authentication | p. 20 |
1.4.1.1 Static Passwords | p. 20 |
1.4.1.2 One-Time Passwords | p. 22 |
1.4.2 Asymmetric Keys and Certificate-Based Credentials | p. 26 |
1.4.3 Biometric Credentials | p. 34 |
1.4.4 Ticket-Based Hybrid Authentication Methods | p. 37 |
1.5 Enterprise User Identification and Authentication Challenges | p. 39 |
1.6 Authenticating Access to Services and the Infrastructure | p. 43 |
1.6.1 Authenticating Access to the Infrastructure | p. 43 |
1.6.2 Authenticating Access to Applications and Services | p. 44 |
1.7 Delegation and Impersonation | p. 45 |
1.8 Cryptology, Cryptography, and Cryptanalysis | p. 45 |
1.8.1 The Goal of Cryptography | p. 46 |
1.8.2 Protection Keys | p. 47 |
1.8.2.1 Symmetric Encryption | p. 49 |
1.8.2.2 Asymmetric Keys | p. 51 |
1.8.2.3 Hybrid Approaches: Diffie-Hellman Key Exchange Algorithm | p. 52 |
1.8.3 Encryption | p. 54 |
1.8.3.1 Data Encryption Standard (DES/3DES) | p. 55 |
1.8.3.2 Advanced Encryption Standard (AES) | p. 57 |
1.8.3.3 RC4 (ARCFOUR) | p. 58 |
1.8.3.4 RSA Encryption Algorithm (Asymmetric Encryption) | p. 58 |
1.8.4 Data Integrity | p. 59 |
1.8.4.1 Message Integrity Code (MIC) | p. 60 |
1.8.4.2 Message Authentication Code (MAC) | p. 61 |
2 UNIX User Authentication Architecture | p. 65 |
2.1 Users and Groups | p. 65 |
2.1.1 Overview | p. 66 |
2.1.2 Case Study: Duplicate UIDs | p. 67 |
2.1.3 Case Study: Group Login and Supplementary Groups | p. 68 |
2.2 Simple User Credential Stores | p. 69 |
2.2.1 UNIX Password Encryption | p. 70 |
2.2.2 The /etc/passwd File | p. 73 |
2.2.3 The /etc/group File | p. 76 |
2.2.4 The /etc/shadow File | p. 76 |
2.2.5 The /etc/gshadow File | p. 79 |
2.2.6 The /etc/publickey file | p. 80 |
2.2.7 The /etc/cram-md5.pwd File | p. 81 |
2.2.8 The SASL User Database | p. 82 |
2.2.9 The htpasswd File | p. 82 |
2.2.10 Samba Credentials | p. 83 |
2.2.11 The Kerberos Principal Database | p. 84 |
2.3 Name Services Switch (NSS) | p. 84 |
2.4 Pluggable Authentication Modules (PAM) | p. 88 |
2.5 The UNIX Authentication Process | p. 95 |
2.6 User Impersonation | p. 96 |
2.7 Case Study: User Authentication against LDAP | p. 104 |
2.7.1 Preparing Active Directory | p. 105 |
2.7.2 PADL LDAP Configuration | p. 105 |
2.7.3 User Authentication Using NSS LDAP | p. 108 |
2.7.4 User Authentication Using PAM LDAP | p. 124 |
2.8 Case Study: Using Hesiod for User Authentication in Linux | p. 129 |
3 Windows User Authentication Architecture | p. 139 |
3.1 Security Principals | p. 140 |
3.1.1 Security Identifiers (SIDs) | p. 140 |
3.1.2 Users and Groups | p. 140 |
3.1.3 Case Study: Group SIDs | p. 152 |
3.1.4 Access Tokens | p. 153 |
3.1.5 Case Study: SIDs in the User Access Token | p. 155 |
3.1.6 User Rights | p. 157 |
3.2 Stand-Alone Authentication | p. 160 |
3.2.1 Interactive and Network Authentication | p. 161 |
3.2.2 Interactive Authentication on Windows Computers | p. 162 |
3.2.3 The Security Accounts Manager Database | p. 165 |
3.2.4 Case Study: User Properties - Windows NT Local User Accounts | p. 168 |
3.2.5 Case Study: Group Properties - Windows Local Group Accounts | p. 169 |
3.2.6 SAM Registry Structure | p. 170 |
3.2.7 User Passwords | p. 173 |
3.2.8 Storing Password Hashes in the Registry SAM File | p. 174 |
3.2.8.1 LM Hash Algorithm | p. 174 |
3.2.8.2 NT Hash Algorithm | p. 178 |
3.2.8.3 Password Hash Obfuscation Using DES | p. 178 |
3.2.8.4 SYSKEY Encryption for Storing Password Hashes in the SAM | p. 179 |
3.2.8.5 Case Study: The SYSKEY Utility, the System Key, and Password Encryption Key | p. 181 |
3.2.8.6 Threats to Windows Password Hashes | p. 185 |
3.2.8.7 Tools to Access Windows Password Hashes | p. 188 |
3.2.8.8 Case Study: Accessing Windows Password Hashes with pwdump4 | p. 188 |
3.2.9 LSA Secrets | p. 190 |
3.2.9.1 Case Study: Exploring LSA Secrets on a Windows NT 4.0 Domain Controller That Is an Exchange 5.5 Server | p. 192 |
3.2.10 Logon Cache | p. 197 |
3.2.11 Protected Storage | p. 199 |
3.2.12 Data Protection API (DPAPI) | p. 200 |
3.2.13 Credential Manager | p. 205 |
3.2.14 Case Study: Exploring Credential Manager | p. 208 |
3.3 Windows Domain Authentication | p. 210 |
3.3.1 Domain Model | p. 210 |
3.3.2 Joining a Windows NT Domain | p. 214 |
3.3.3 Computer Accounts in the Domain | p. 215 |
3.3.4 Domains and Trusts | p. 217 |
3.3.5 Case Study: Workstation Trust and Interdomain Trust | p. 219 |
3.3.6 SID Filtering across Trusts | p. 220 |
3.3.7 Migration and Restructuring | p. 222 |
3.3.8 Null Sessions | p. 224 |
3.3.9 Case Study: Using Null Sessions Authentication to Access Resources | p. 227 |
3.3.10 Case Study: Domain Member Start-up and Authentication | p. 230 |
3.3.11 Case Study: Domain Controller Start-up and Authentication | p. 233 |
3.3.12 Case Study: Windows NT 4.0 Domain User Logon Process | p. 233 |
3.3.13 Case Study: User Logon to Active Directory Using Kerberos | p. 235 |
3.3.14 Windows NT 4.0 Domain Model | p. 235 |
3.3.14.1 User Accounts | p. 235 |
3.3.14.2 Group Accounts and Group Strategies | p. 236 |
3.3.14.3 Authentication Protocols: NTLM and LM | p. 237 |
3.3.14.4 Trust Relationships | p. 237 |
3.3.15 Active Directory | p. 240 |
3.3.15.1 Active Directory Overview | p. 240 |
3.3.15.2 Logical and Physical Structure | p. 240 |
3.3.15.3 Active Directory Schema | p. 244 |
3.3.15.4 Database Storage for Directory Information | p. 245 |
3.3.15.5 Support for Legacy Windows NT Directory Services | p. 246 |
3.3.15.6 Hierarchical LDAP-Compliant Directory | p. 249 |
3.3.15.7 Case Study: Exploring Active Directory Using LDP.EXE | p. 249 |
3.3.15.8 User Accounts in AD | p. 252 |
3.3.15.9 Case Study: User Logon Names in Active Directory | p. 257 |
3.3.15.10 Case Study: Using LDAP to Change User Passwords in Active Directory | p. 259 |
3.3.15.11 Case Study: Obtaining Password Hashes from Active Directory | p. 262 |
3.3.15.12 Group Accounts and Group Strategy in AD | p. 262 |
3.3.15.13 Case Study: Exploring the Effects of Group Nesting to User Access Token | p. 266 |
3.3.15.14 Computer Accounts in AD | p. 270 |
3.3.15.15 Trees, Forests, and Intra-forest Trusts | p. 270 |
3.3.15.16 Case Study: User Accesses Resources in Another Domain in the Same Forest | p. 275 |
3.3.15.17 Trusts with External Domains | p. 279 |
3.3.15.18 Case Study: Exploring External Trusts | p. 281 |
3.3.15.19 Case Study: Exploring Forest Trusts | p. 283 |
3.3.15.20 Selective Authentication | p. 285 |
3.3.15.21 Case Study: Exploring Authentication Firewall and User Access Tokens | p. 287 |
3.3.15.22 Protocol Transition | p. 290 |
3.4 Federated Trusts | p. 291 |
3.5 Impersonation | p. 291 |
3.5.1 Secondary Logon Service | p. 292 |
3.5.2 Application-Level Impersonation | p. 294 |
4 Authenticating Access to Services and Applications | p. 301 |
4.1 Security Programming Interfaces | p. 301 |
4.1.1 Generic Security Services API (GSS-API) | p. 302 |
4.1.1.1 Kerberos Version 5 as a GSS-API Mechanism | p. 306 |
4.1.1.2 SPNEGO as a GSS-API Mechanism | p. 308 |
4.1.2 Security Support Provider Interface (SSPI) | p. 310 |
4.1.2.1 SSP Message Support | p. 311 |
4.1.2.2 Strong Keys and 128-bit Encryption | p. 312 |
4.1.2.3 SSPI Signing | p. 314 |
4.1.2.4 SSPI Sealing (Encryption) | p. 314 |
4.1.2.5 Controlling SSP Behavior Using Group Policies | p. 314 |
4.1.2.6 Microsoft Negotiate SSP | p. 315 |
4.1.2.7 GSS-API and SSPI Compatibility | p. 330 |
4.2 Authentication Protocols | p. 331 |
4.2.1 NTLM Authentication | p. 331 |
4.2.1.1 NTLM Overview | p. 331 |
4.2.1.2 The Concept of Trust and Secure Channels | p. 332 |
4.2.1.3 Domain Member Secure Channel Establishment | p. 334 |
4.2.1.4 Domain Controller Secure Channel Establishment across Trusts | p. 338 |
4.2.1.5 SMB/CIFS Signing | p. 339 |
4.2.1.6 Case Study: Pass-through Authentication and Authentication Piggybacking | p. 342 |
4.2.1.7 NTLM Authentication Mechanics | p. 344 |
4.2.1.8 Case Study: NTLM Authentication Scenarios | p. 362 |
4.2.1.9 NTLM Impersonation | p. 387 |
4.2.2 Kerberos Authentication | p. 387 |
4.2.2.1 Kerberos Overview | p. 387 |
4.2.2.2 The Concept of Trust in Kerberos | p. 388 |
4.2.2.3 Name Format for Kerberos Principals | p. 389 |
4.2.2.4 Kerberos Authentication Phases | p. 389 |
4.2.2.5 Kerberos Tickets | p. 391 |
4.2.2.6 Kerberos Authentication Mechanics | p. 394 |
4.2.2.7 Case Study: Kerberos Authentication: CIFS | p. 403 |
4.2.2.8 Authorization Information and the Microsoft PAC Attribute | p. 414 |
4.2.2.9 Kerberos Credentials Exchange (KRB_CRED) | p. 416 |
4.2.2.10 Kerberos and Smart Card Authentication (PKInit) | p. 416 |
4.2.2.11 Kerberos User-to-User Authentication | p. 418 |
4.2.2.12 Kerberos Encryption and Checksum Mechanisms | p. 420 |
4.2.2.13 Case Study: Kerberos Authentication Scenarios | p. 423 |
4.2.2.14 Kerberos Delegation | p. 428 |
4.2.3 Simple Authentication and Security Layer (SASL) | p. 430 |
4.2.3.1 Kerberos IV | p. 432 |
4.2.3.2 GSS-API | p. 433 |
4.2.3.3 S/Key Authentication Mechanism | p. 433 |
4.2.3.4 External Authentication | p. 433 |
4.2.3.5 SASL Anonymous Authentication | p. 433 |
4.2.3.6 SASL CRAM-MD5 Authentication | p. 434 |
4.2.3.7 SASL Digest-MD5 Authentication | p. 437 |
4.2.3.8 SASL and User Password Databases | p. 445 |
4.3 Transport Layer Security (TLS) and Secure Sockets Layer (SSL) | p. 446 |
4.3.1 Hello Phase | p. 449 |
4.3.2 Server Authentication Phase | p. 450 |
4.3.3 Client Authentication Phase | p. 451 |
4.3.3.1 Calculate the Master Secret | p. 452 |
4.3.3.2 Calculate Protection Keys | p. 453 |
4.3.4 Negotiate Start of Protection Phase | p. 454 |
4.3.5 Resuming TLS/SSL Sessions | p. 454 |
4.3.6 Using SSL/TLS to Protect Generic User Traffic | p. 454 |
4.3.7 Using SSL/TLS Certificate Mapping as an Authentication Method | p. 455 |
4.4 Telnet Authentication | p. 464 |
4.4.1 Telnet Login Authentication | p. 465 |
4.4.2 Telnet Authentication Option | p. 470 |
4.5 FTP Authentication | p. 479 |
4.5.1 FTP Simple Authentication | p. 480 |
4.5.2 Anonymous FTP | p. 481 |
4.5.3 FTP Security Extensions with GSS-API | p. 481 |
4.5.4 FTP Security Extensions with TLS | p. 485 |
4.6 HTTP Authentication | p. 486 |
4.6.1 HTTP Anonymous Authentication | p. 487 |
4.6.2 HTTP Basic Authentication | p. 489 |
4.6.3 HTTP Digest Authentication | p. 492 |
4.6.4 HTTP GSS-API/SSPI Authentication Using SPNEGO and Kerberos | p. 495 |
4.6.5 HTTP NTLMSSP Authentication | p. 501 |
4.6.6 HTTP SSL Certificate Mapping as an Authentication Method | p. 501 |
4.6.7 Form-Based Authentication | p. 506 |
4.6.8 Microsoft Passport Authentication | p. 506 |
4.6.9 HTTP Proxy Authentication | p. 509 |
4.7 POP3/IMAP Authentication | p. 510 |
4.7.1 POP3/IMAP Password Authentication | p. 510 |
4.7.2 POP3/IMAP Plain Authentication | p. 511 |
4.7.3 POP3 APOP Authentication | p. 511 |
4.7.4 POP3/IMAP Login Authentication | p. 513 |
4.7.5 POP3/IMAP SASL CRAM-MD5 and DIGEST-MD5 Authentication | p. 513 |
4.7.6 POP3/IMAP and NTLM Authentication (Secure Password Authentication) | p. 513 |
4.8 SMTP Authentication | p. 515 |
4.8.1 SMTP Login Authentication | p. 517 |
4.8.2 SMTP Plain Authentication | p. 519 |
4.8.3 SMTP GSS-API Authentication | p. 519 |
4.8.4 SMTP CRAM-MD5 and DIGEST-MD5 Authentication | p. 520 |
4.8.5 SMTP Authentication Using NTLM | p. 520 |
4.9 LDAP Authentication | p. 520 |
4.9.1 Simple Authentication | p. 522 |
4.9.2 LDAP Anonymous Authentication | p. 522 |
4.9.3 LDAP SASL Authentication Using Digest-MD5 | p. 522 |
4.9.4 LDAP SASL Authentication Using GSS-API | p. 526 |
4.10 SSH Authentication | p. 533 |
4.10.1 SSH Public Key Authentication | p. 535 |
4.10.2 SSH Host Authentication | p. 538 |
4.10.3 SSH Password Authentication | p. 539 |
4.10.4 SSH Keyboard Interactive Authentication | p. 541 |
4.10.5 SSH GSS-API User Authentication | p. 541 |
4.10.6 SSH GSS-API Key Exchange and Authentication | p. 543 |
4.11 Sun RPC Authentication | p. 544 |
4.11.1 RPC AUTH_NULL (AUTH_NONE) Authentication | p. 545 |
4.11.2 RPC AUTH_UNIX (AUTH_SYS) Authentication | p. 549 |
4.11.3 RPC AUTH_SHORT Authentication | p. 553 |
4.11.4 RPC AUTH_DES (AUTH_DH) Authentication | p. 553 |
4.11.5 RPC AUTH_KERB4 Authentication | p. 558 |
4.11.6 RPCSEC_GSS Authentication | p. 558 |
4.12 SMB/CIFS Authentication | p. 560 |
4.13 NFS Authentication | p. 561 |
4.14 Microsoft Remote Procedure Calls | p. 561 |
4.15 MS SQL Authentication | p. 562 |
4.15.1 MS SQL Authentication over the TCP/IP Transport | p. 563 |
4.15.2 MS SQL Server Authentication over Named Pipes | p. 564 |
4.15.3 MS SQL Server Authentication over Multiprotocol | p. 565 |
4.15.4 MS SQL Server and SSL | p. 566 |
4.16 Oracle Database Server Authentication | p. 567 |
4.16.1 Oracle Legacy Authentication Database | p. 567 |
4.16.2 Legacy OracleNet Authentication | p. 568 |
4.16.3 Oracle Advanced Security Mechanisms for User Authentication | p. 570 |
4.17 MS Exchange MAPI Authentication | p. 571 |
4.18 SAML, WS-Security, and Federated Identity | p. 571 |
4.18.1 XML and SOAP | p. 572 |
4.18.2 SAML | p. 572 |
4.18.2.1 SAML and Web Single Sign-On | p. 575 |
4.18.2.2 Case Study: Web Single Sign-On Mechanics | p. 577 |
4.18.2.3 SAML Federated Identity | p. 578 |
4.18.2.4 Account Linking | p. 578 |
4.18.3 WS-Security | p. 580 |
5 Authenticating Access to the Infrastructure | p. 583 |
5.1 User Authentication on Cisco Routers and Switches | p. 583 |
5.1.1 Authentication to Router Services | p. 584 |
5.1.2 Local User Database and Passwords | p. 585 |
5.1.3 Centralizing Authentication | p. 588 |
5.1.4 New-Model AAA | p. 589 |
5.2 Authenticating Remote Access to the Infrastructure | p. 590 |
5.2.1 SLIP Authentication | p. 590 |
5.2.2 PPP Authentication | p. 590 |
5.2.3 Password Authentication Protocol (PAP) | p. 591 |
5.2.4 CHAP | p. 593 |
5.2.5 MS-CHAP Version 1 and 2 | p. 594 |
5.2.6 Extensible Authentication Protocol (EAP) | p. 600 |
5.2.7 EAP-TLS | p. 603 |
5.2.8 EAP-TTLS | p. 604 |
5.2.9 Protected EAP (PEAP) | p. 605 |
5.2.10 Lightweight EAP (LEAP) | p. 606 |
5.2.11 EAP-FAST | p. 607 |
5.2.11.1 EAP-FAST Automatic Provisioning (EAP-FAST Phase 0) | p. 608 |
5.2.11.2 Tunnel Establishment (EAP-Phase 1) | p. 610 |
5.2.11.3 User Authentication (EAP-FAST Phase 2) | p. 610 |
5.3 Port-Based Access Control | p. 611 |
5.3.1 Overview of Port-Based Access Control | p. 613 |
5.3.2 EAPOL | p. 614 |
5.3.3 EAPOL Key Messages | p. 616 |
5.4 Authenticating Access to the Wireless Infrastructure | p. 623 |
5.4.1 Wi-Fi Authentication Overview | p. 624 |
5.4.2 WEP Protection | p. 625 |
5.4.3 Open Authentication | p. 627 |
5.4.4 Shared Key Authentication | p. 633 |
5.4.5 WPA/WPA2 and IEEE 802.11i | p. 639 |
5.4.6 WPA/WPA2 Enterprise Mode | p. 641 |
5.4.7 WPA/WPA2 Preshared Key Mode (WPA-PSK) | p. 643 |
5.5 IPSec, IKE, and VPN Client Authentication | p. 644 |
5.5.1 IKE Peer Authentication | p. 644 |
5.5.1.1 IKE and IPSec Phases | p. 645 |
5.5.1.2 Preshared Key Authentication | p. 648 |
5.5.1.3 IKE Signature-Based Authentication | p. 649 |
5.5.1.4 IKE Public Key Authentication, Option 1 | p. 650 |
5.5.1.5 IKE Public Key Authentication, Option 2 | p. 652 |
5.5.2 IKE XAUTH Authentication and VPN Clients | p. 654 |
5.6 Centralized User Authentication | p. 670 |
5.6.1 RADIUS | p. 672 |
5.6.1.1 Overview | p. 672 |
5.6.1.2 The Model of Trust in RADIUS | p. 674 |
5.6.1.3 RADIUS Authentication Requests from Edge Devices | p. 676 |
5.6.1.4 RADIUS and EAP Pass-through Authentication | p. 678 |
5.6.2 TACACS+ | p. 682 |
5.6.2.1 Overview | p. 683 |
5.6.2.2 TACACS+ Channel Protection | p. 684 |
5.6.2.3 TACACS+ Authentication Process | p. 684 |
Appendices | |
A References | p. 691 |
Printed References | p. 691 |
Online References | p. 692 |
B Lab Configuration | p. 701 |
C Indices of Tables and Figures | p. 705 |
Index of Tables | p. 705 |
Index of Figures | p. 709 |
Index | p. 713 |