Authentication Mechanisms

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
12
Video Transcription
00:01
Hello, everyone.
00:02
Welcome to the S s CT exam Prep.
00:05
I am your instructor. Heater, sit the land.
00:09
Tonight is the third video on our serious is going to be a lesson three domain one for those who have been following from the beginning. But if this is your first time just seeing this video, don't worry. This is a perfect opportunity to get started.
00:25
So far, in domain one, we have taken a look at access control, fundamental concepts. So things like subjects and objects and how they relate to each other.
00:35
We've taken a will get different collective access control such as mandatory access control, discretionary access control and content based access control. We've also taken look att different security models
00:48
such as,
00:49
um, Bubble, Padula, Biba and Clark Wilson, which enforce things like confidentiality and integrity.
00:56
Tonight, in this lesson, we will be focusing on authentication mechanisms.
01:02
Now, when we look back and Saul and we learned about different types of access control, well,
01:07
think of access control as an overarching umbrella
01:11
and really is the overarching umbrella for three different parts and the three different parts combined together are the authentication mechanism.
01:21
Three different parts are identification, authentication and authorization.
01:27
Let's get started.
01:34
The authentication mechanism is broken down into three main components.
01:38
The components are identification, authentication and authorization.
01:44
Identification is, who knows, knows who is who is the subject.
01:49
This is where a person claims that they are somebody in their particular person, and they need access to a certain system.
01:59
Authentication is the action,
02:01
they add. Is this person, through authentication, is proving they are who they say they are.
02:09
Authorization. Once the person has been authenticated, there's still limitations on what they can do and what they can't do.
02:17
This is where authorization comes in. Authorization dictates
02:23
what a person can do and what they can't do once they been authenticated.
02:35
There are three main components to an authentication mechanisms.
02:38
Identification, authentication and authorization.
02:45
Identification is the first step and is basically asking who is the subject.
02:50
This is where a person who is trying to gain access to a system
02:54
makes a claim as to who they say they are.
02:58
Authentication is the action. This is the proof of the identity, right? At this point,
03:05
E person who claims they say they are who they say they are, has to prove who they say they are.
03:14
Once a person has been successfully authenticated, the system determines what
03:19
they are allowed to access and what they cannot access. Just because a person has been authenticated does not mean they can access anything they want.
03:29
Let's take a closer look at each one of these. Indeed,
03:32
the first step in the authentication mechanism is identification.
03:37
This is where somebody makes a claim as that who they are.
03:42
Most common identification types are a user I d a PIN or an account number these air associated with the individual
03:51
and make it claim to recognize who the individual is.
03:57
Authentication is the second step in the authentication mechanism.
04:00
It isn't this step where a user proves who they say they are. There are three main kinds of identification
04:09
something you know,
04:11
something you have
04:13
and something you wore.
04:17
Something you know is anything that is knowledge based anything that you can recall from your memory. Examples include passwords, pins,
04:27
things like that.
04:28
Problem with this is that it's insecure and difficult to keep safe
04:33
now. Sure, anyone can remember one password,
04:38
but
04:39
you need a password for just about every single count you have one line, every single account that you have
04:46
for your organization, your business, anything like that.
04:51
And that's a lot of passwords. That's a lot of pins
04:55
and its thief difficult to remember them all. So people want to write down their passwords on a piece of paper, while the problem with that is now you're on a piece of paper. So anyone who finds or has that piece of paper now has access to all of your passwords.
05:12
Now a way around that is, you can make the password the same for every single can't you have.
05:18
But then again, that's very insecure, because if someone could guess that one password, they have access to all of your accounts.
05:30
Another type off the authentication is something you have.
05:33
This is a physical device which a person has in their possession.
05:40
Common types of physical devices are smart cards and tokens,
05:45
different types of tokens, which we will look into our the static password token synchronous dynamic password, too.
05:51
The asynchronous passport token and the challenge response took
05:57
smartcards is only to contact and contact list,
06:02
so
06:03
authentication tokens,
06:05
right static password tokens. The device contains a password that is physically hidden, but it's transmitted for each authentication.
06:15
So what that means is that there is a password hidden inside the token.
06:21
And when a person wants to be authenticated,
06:25
they take that token that token.
06:28
Send the password from the token
06:30
to the server. Now
06:33
this password is hidden, though the person who owns the token can't see the password, but the server can. But the server can see the password.
06:44
Another type of authentication token is thes synchronous dynamic password took it.
06:49
This is different from the static password token in which that the password, which gets sent from the token to the server, is different every single time.
07:00
How does this work by use of a clock
07:03
a clock time
07:05
is combined with
07:08
the password token
07:10
through a cryptographic algorithm to create a different password every single time. Now, the only way for this the work is if the token and the server had the same time. So
07:24
when the token is ready to be authenticated, the server sends the clock time
07:30
to the token. The token then takes the password inside,
07:34
combines it with the clock time and sends that result to the server for authentication.
07:44
The other type of token is the asynchronous password token.
07:48
This is a one time password generated without a clock, either from a pad or a cryptographic algorithm.
07:59
So in this diagram, there's a lot. There's a lot going on, So the way this works is there is a challenge value displayed on the computer. That would be Step one.
08:09
So once the person here has the challenge value,
08:13
they take it and enter it into their token device.
08:16
Token Device
08:18
combines it with the password, gives it back to the person
08:22
that person, then takes that value, puts it into the computer, which sends it to the server for authentication.
08:30
If everything is correct,
08:33
authentication happened.
08:35
If not
08:35
well, you can always try again. Now they're easy to get a synchronous and synchronous
08:43
password tokens mixed up, So an easy way to remember them is
08:48
synchronous
08:50
password. Tokens use o'clock because they have to be synchronized with the clock, whereas
08:56
asynchronous tokens do not.
09:01
The last type of authentication token is the challenge response, toking
09:05
the authentication server and corrupt the challenge with a public key.
09:09
The device proves it possesses a copy of the matching private key by providing the decrypted challenge. So the server sends an encrypted team to the token. The token decrypt the key,
09:20
then that he back to the server
09:24
server, then looks at it. And if it's the original key before encryption that the server sent, then authentication is granted.
09:33
Now, if you're not sure what Ah, public, he or private key is, don't worry about it. We will come back to that later rolling in this series. But for now, just know that
09:45
the server sends an encrypted key to the token
09:50
token decrypt sit and then sends it back to the server.
09:54
The other type of authentication physical device are smart cards. There's really two kinds of smart cards,
10:01
contact cards and contactless cards. I'm sure you used both multiple times with in your life
10:09
contact card,
10:11
any type of credit card with the chip reader. So any time you buy anything at the store, any time
10:16
urges something, if you have to slide it into a chip reader, that is an example of a contact card.
10:24
Contact was card. You don't have to slide it in anything because there doesn't need to be a physical touch. All you need is to be close to the card, reader them with contactless cards. They use antenna and radio frequency instead of actual physical contact.
10:41
Example. Apple pay. You see it in the commercials all time. Anything this is tapped to pay
10:48
is an example of a contactless card.
10:50
The last type of authentication is something you are,
10:54
and in this case, it's biometrics. Biometrics are technologies that measure and analyze human body characteristics,
11:03
touches DNA, fingerprints, facial patterns
11:07
and things like that for authentication purposes.
11:09
There are two main kinds of biometrics.
11:13
The eight year old and physiological
11:18
behavior. Biometrics are
11:20
things that you have learned. So when you're born, you start picking up any kind of have it the way you talk,
11:26
the way you write your signature, the way you type on a keyboard, right? These air, not these are not things that you were born with. These are things that you acquired as you started speaking as you started writing and as you started typing
11:41
singer analysis looks at the series of movements, acceleration, rhythm flow, things like that.
11:48
This is not always the most accurate
11:50
biometric, simply because
11:52
your signature can can change right. If you're in a rush. Your signature is going to be much more scribbled than it. You were taking your time.
12:01
If you were nervous, your hand could be shaking. And then your signature will be very different than what it normally is.
12:09
Another type of biometrics that our behavioral is voice pattern.
12:16
This works by creating a collection of unique characters.
12:18
Uh, this subjects voice
12:20
the subject, then speaks, and the voices are compared.
12:24
This is really great, because most people, myself included, have a very unique sounding voice. So be very easy to distinguish someone's voice from someone else's voice.
12:35
Problem with this is your voice can change.
12:39
If you're nervous, begins justice this stutter like that or, um D As you grow older, your voice can get old
12:48
and you know there's a high probability of air, so it's not the most accurate form of authentication, but it is a good place to start.
12:56
No type of behavioral biometrics
13:00
is keystroke dynamics. He struck dynamics, measures, keystrokes, hassling types and what they tight so the measure of things like how long each key is held down the life of time between keystrokes. How fast you might tell you whether or not you used the numbers on a numeric pad or the numbers running across the top,
13:18
and whether or not you
13:20
capitalize any letters, people type of different speeds.
13:24
You and your grand mom type of different speeds,
13:28
and it's a really good way off determining
13:31
who was ill.
13:31
So let's focus on the other part of biometrics. Physiological biometrics. These are things that you're born with these air things like fingerprints, hand vascular I and facial recognition.
13:48
1st 1 is fingerprinting
13:52
fingerprint and creates a geometric relationship of 30 to 40 points on your finger. It does not keep an actual picture of your fingerprint on the system, but rather it just creates the geometric relationship and connects the different points.
14:09
Another type of biometrics is hand by metrics. This is looks at things like the like the fingers, the position of knuckles, the demand and the dimensions of your hands and fingers
14:20
to determine who you are. When you take the S S C. P exam,
14:24
you will have to have her hand scan before you take the exam so your hand can be examined later in the future for any future exams.
14:35
Another type of physiological biometric
14:39
is the vascular.
14:39
This is the ultimate Palm reader, best described as an image of the veins. In the subject's hand.
14:46
This is very unique to the individual and does not change if you look at the picture on the right, this is an example off
14:52
what the vascular biometric reader looks for.
14:58
The other type is that of the eye. This is one of the oldest and most accurate biometric authentication mechanisms around.
15:07
There are really two kinds of eye scans.
15:09
There are
15:09
retina I scan
15:11
and the iris scan.
15:16
Last type of physiological
15:18
biometrics, spatial recognition. This one is personally my favorite.
15:22
This uses a geometric model off 14 and 22 different points on your face
15:28
to determine who you who you are.
15:31
So if you look here in this example, you see a person as their face broken up into a grid format and from their different features, are plotted on the grid.
15:43
Different points represent different features, and that once that is transferred to the computer system, it could look through its database off facial comparisons, the fine one that best matches
15:56
biometric implementation issues.
15:58
As always, nothing's perfect.
16:02
All right, you can get close,
16:03
but close only counts in horseshoes and hand grease.
16:07
There are still airs with biometrics.
16:11
There are two types of bears. There is the type one air, the false rejection re.
16:15
When the biometric system rejects an authorized individuals,
16:19
the second type of air is the false acceptance rate. When the system accepts impostors who should be rejected?
16:29
Time, too,
16:30
is always more dangerous than Type one,
16:34
for the simple fact of with a tight to air, the system except somebody who should be rejected,
16:41
took one errors. Bed.
16:44
It's when unauthorized individual gets rejected. But that's okay.
16:48
That's that's not as bad as having someone who should not be accepted.
16:53
Be accepted.
16:55
You need to know the difference between a type one error and the type to error.
17:00
There will be something like this on the exam. I can almost guarantee it's This is very, very important.
17:07
So what is the best way to remember it? Every between a type one and type to wear?
17:11
The way I usually do it is to go to heirs are far more dangerous.
17:18
So the if you take the first letter
17:22
of false acceptance free,
17:25
you get far and type two errors are far more dangerous than type one ares.
17:32
The multi factor authentication. Remember, authentication consists of three categories. Something you know,
17:40
something you have and something you are
17:42
now multi factor. Authentication
17:45
is any two or three of the categories,
17:49
So in order to have multi factor authentication,
17:53
you need both something you know and something you have.
17:56
Or you can use something you know and something you wore.
18:02
A couple of examples of multi factor authentication using a password and a smart card
18:07
using a password. This is something you know
18:11
and using a smart card. This is something you have
18:15
not multi factor. Authentication is using a retina scan and voice recognition.
18:21
These are both something you wore.
18:23
They're both biometrics
18:26
dual control, also known as what knowledge.
18:30
This is requiring two people to perform an action
18:34
Single sign on is an authentication mechanism that allows a single identity to be shared across multiple applications.
18:44
This allows the user to authenticate ones and have access to many different Resource is
18:49
perfect. Example. Google. If you sign into your Gmail account and stay signed in,
18:56
you can access your favorites on google dot com. You can access your profile on YouTube and really anything else that Google White capped off.
19:07
Another type of authentication is authentication. With Curb arose
19:11
term arose is an M. I. T designed system, which provides strong authentication using Seeger key cryptography.
19:18
This provides support for authentication, authorization, confidentiality, integrity and non repudiation.
19:27
Scarborough's uses poor. It's 53 88 for PCP and UDP.
19:37
The way Curb Rose Works is the client sends request for
19:41
a ticket from the authentication service.
19:45
The authentication service sends a ticket and a session key back to the client.
19:51
The client then request access to the server
19:55
by going to the ticket, granting service with the key
19:59
the ticket printing service. If it except the ticket,
20:03
send the encrypted session key and the ticket back to the client.
20:07
The client then sends ticket and the session key to the server, and the server responds by sending the encrypted time stand for client validation.
20:19
So, the last step in the authentication mechanism what a user can do once they are dedicated, This is usually decided by an authorization table.
20:30
Right here We have an example of an authorization table.
20:33
So in his three privileges, read right, execute.
20:37
We have our subjects. Bob, Alice and Pete
20:41
and we have our objects Objects 1234 and five.
20:47
So once.
20:48
Well, let's just say once
20:51
Alice gets authenticated,
20:55
this authorization table determines what she can access and what she can
21:00
so she can't access Object won it all or object for.
21:03
She could only read Object five,
21:07
and she can read and edit objects two and three.
21:14
In today's lecture, we discussed
21:15
identification
21:18
authentication, which is something you know, something you have and something you are.
21:23
We took a look at different types of tokens and biometrics
21:29
and the last step in authentication mechanism. Authorization
21:34
Quiz time.
21:36
This type of biometrics include signature analysis,
21:40
voice pattern recognition and keystroke dynamics. Is it a statistical
21:45
e behavioral
21:47
seed, physiological or D B N state?
21:55
If you picked be than you are correct. All of these types of biometrics are biometrics that are learned you were not born with any of them. So be is the correct answer. Behavioral.
22:08
Thanks for watching guys. I hope you guys learned a lot
Up Next
Systems Security Certified Professional (SSCP)

Obtaining your SSCP certification signifies that you possess the ability to tackle the operational demands and responsibilities of security practitioners, including authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, malicious code countermeasures, and more.

Instructed By