
Authentication and authorization are crucial components of network security and forensics. They ensure only legitimate users can access systems and resources, protecting against unauthorized access and potential breaches.

Authentication verifies user identity through various methods like passwords, tokens, or biometrics. Authorization determines what actions authenticated users can perform. Together, they form a robust security framework for maintaining confidentiality and integrity of systems and data.

Authentication fundamentals

  • Authentication verifies the identity of users, devices, or services attempting to access a system or resource
  • Ensures only authorized entities can gain access, protecting against unauthorized access and potential security breaches
  • Fundamental security control in network security and forensics to maintain confidentiality, integrity, and availability of systems and data

Verifying identity

  • Process of confirming the claimed identity of a user, device, or service
  • Establishes trust and ensures the entity is who or what it claims to be
  • Involves collecting and validating credentials (username, password, biometric data, etc.)
  • Examples:
    • User entering username and password to log into a system
    • Device presenting a digital certificate to authenticate to a network

Authentication factors

  • Different types of information or methods used to verify identity
  • Three main categories:
    • Knowledge factors: Something the user knows (passwords, PINs, security questions)
    • Possession factors: Something the user has (smart cards, security tokens, mobile devices)
    • Inherence factors: Something the user is (biometric characteristics like fingerprints, facial recognition)
  • Combining multiple factors (multi-factor authentication) enhances security by making it harder for attackers to compromise accounts

Multi-factor authentication

  • Requires users to provide two or more authentication factors to verify their identity
  • Adds an extra layer of security beyond single-factor authentication (e.g., password only)
  • Common combinations:
    • Password (knowledge factor) + SMS one-time code (possession factor)
    • Fingerprint (inherence factor) + Hardware security key (possession factor)
  • Protects against threats like password guessing, phishing, and credential theft

Authentication protocols

  • Standardized methods for securely exchanging authentication information between entities
  • Define the format, sequence, and encryption of authentication messages
  • Examples:
    • Kerberos: Network authentication protocol using tickets and symmetric-key cryptography
    • RADIUS (Remote Authentication Dial-In User Service): Centralized authentication, authorization, and accounting (AAA) protocol
    • SAML (Security Assertion Markup Language): XML-based framework for exchanging authentication and authorization data between parties
  • Ensure interoperability and secure communication during the authentication process

Authorization basics

  • Authorization determines what actions or resources an authenticated entity is allowed to access
  • Grants or denies access to specific functionalities, data, or systems based on predefined policies or rules
  • Essential for enforcing and protecting sensitive resources in network security and forensics

Principle of least privilege

  • Security concept that grants users only the minimum level of access necessary to perform their tasks
  • Limits the potential damage if a user account is compromised or misused
  • Reduces the attack surface by minimizing unnecessary permissions and privileges
  • Example: A user with read-only access to a database cannot modify or delete records

Role-based access control (RBAC)

  • Access control model that assigns permissions to users based on their roles or job functions within an organization
  • Roles are defined based on common responsibilities and access requirements
  • Users acquire permissions by being assigned to specific roles
  • Simplifies access management and helps maintain consistent access policies across an organization
  • Example: A "Manager" role may have access to sensitive financial data, while an "Employee" role has limited access

Attribute-based access control (ABAC)

  • Dynamic access control model that grants access based on attributes of users, resources, and environment
  • Attributes can include user characteristics (department, security clearance), resource properties (sensitivity level, owner), and contextual factors (time, location)
  • Allows fine-grained access control decisions based on the combination of attributes
  • Provides flexibility and scalability in managing access policies
  • Example: Access to a confidential document is granted only to users with a specific security clearance level and during business hours
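The document example above (clearance level plus business hours) as a small policy evaluator. This is an added example, not code from the original guide; the clearance ordering, the department and network attributes, and the 9:00-17:00 weekday window are constructed assumptions.

```python
from datetime import datetime

# Constructed clearance ordering, lowest to highest (assumption for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def business_hours(when: datetime) -> bool:
    """Constructed definition: Monday-Friday, 09:00 to 17:00 local time."""
    return when.weekday() < 5 and 9 <= when.hour < 17


def abac_decide(subject: dict, resource: dict, env: dict):
    """Evaluate the policy over subject, resource and environment attributes.

    Returns (permit, reason) so every decision is auditable. env["time"] is an
    ISO-8601 string such as "2024-05-06T10:30:00".
    """
    when = datetime.fromisoformat(env["time"])

    # Subject attribute vs resource attribute: clearance must dominate sensitivity.
    if LEVELS[subject["clearance"]] < LEVELS[resource["sensitivity"]]:
        return False, "clearance below resource sensitivity"

    # Environmental attribute: sensitive material only during business hours.
    if resource["sensitivity"] in ("confidential", "secret") and not business_hours(when):
        return False, "sensitive access outside business hours"

    # Resource attribute (owning department) must match the subject's department.
    if resource.get("department") and subject["department"] != resource["department"]:
        return False, "department mismatch"

    # Contextual attribute: secret data additionally requires the corporate network.
    if resource["sensitivity"] == "secret" and env.get("network") != "corporate":
        return False, "secret data requires corporate network"

    return True, "all attributes satisfied"


if __name__ == "__main__":
    alice = {"name": "alice", "clearance": "confidential", "department": "finance"}
    doc = {"name": "q3-forecast", "sensitivity": "confidential", "department": "finance"}
    print(abac_decide(alice, doc, {"time": "2024-05-06T10:30:00", "network": "corporate"}))
    print(abac_decide(alice, doc, {"time": "2024-05-06T20:00:00", "network": "corporate"}))
```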

Discretionary vs mandatory access control

  • Discretionary access control (DAC):
    • Access control policy determined by the owner or administrator of the resource
    • Owners can grant or revoke access permissions to other users at their discretion
    • Flexible but may lead to inconsistent or insecure access policies
    • Example: File system permissions in Windows or Unix-based systems
  • Mandatory access control (MAC):
    • Access control policy enforced by the system based on predefined rules and security labels
    • Users cannot override or modify the access rules set by the system
    • Provides stricter and more centralized control over access permissions
    • Example: Security-Enhanced Linux (SELinux) or US Department of Defense's Multi-Level Security (MLS) model

Password-based authentication

  • Most common and widely used authentication method
  • Users provide a secret password to verify their identity
  • Relies on the confidentiality and strength of the password
  • Vulnerable to various attacks if not implemented securely

Password strength considerations

  • Length: Longer passwords (12+ characters) are harder to crack
  • Complexity: Include a mix of uppercase, lowercase, numbers, and special characters
  • Uniqueness: Avoid using the same password across multiple accounts
  • Avoid common words, phrases, or personal information that can be easily guessed
  • Encourage the use of password managers to generate and store strong, unique passwords

Password storage best practices

  • Never store passwords in plain text
  • Use secure, one-way hashing algorithms (bcrypt, PBKDF2, scrypt) to store password hashes
  • Apply a unique salt to each password before hashing to prevent rainbow table attacks
  • Iterate the hashing process multiple times (key stretching) to increase computational cost for attackers
  • Protect password databases with strong access controls and encryption

Password attacks and defenses

  • Brute-force attacks: Systematically trying all possible password combinations
    • Defense: Enforce strong password policies and implement account lockout after failed attempts
  • Dictionary attacks: Trying common words and variations from a predefined list
    • Defense: Encourage the use of long, complex passwords and avoid common words
  • Password spraying: Trying a few common passwords against many user accounts
    • Defense: Implement multi-factor authentication and monitor for suspicious login attempts
  • Phishing and social engineering: Tricking users into revealing their passwords
    • Defense: Educate users about phishing techniques and encourage the use of anti-phishing tools
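The "monitor for suspicious login attempts" defense above, as detection logic run over constructed authentication log lines. This is an added example, not code from the original guide; the log format, the IP addresses (documentation ranges) and the alert thresholds are all constructed assumptions. It separates the brute-force pattern (many failures on one account from one source) from the spraying pattern (one source failing across many accounts).

```python
import re
from collections import defaultdict

# Constructed sample log: not captured from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02Z LOGIN_FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03Z LOGIN_FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04Z LOGIN_FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05Z LOGIN_FAIL user=alice src=203.0.113.5
2024-05-01T10:00:06Z LOGIN_FAIL user=alice src=203.0.113.5
2024-05-01T10:01:00Z LOGIN_FAIL user=bob src=198.51.100.7
2024-05-01T10:01:01Z LOGIN_FAIL user=carol src=198.51.100.7
2024-05-01T10:01:02Z LOGIN_FAIL user=dave src=198.51.100.7
2024-05-01T10:01:03Z LOGIN_FAIL user=erin src=198.51.100.7
2024-05-01T10:01:04Z LOGIN_FAIL user=frank src=198.51.100.7
2024-05-01T10:02:00Z LOGIN_FAIL user=grace src=192.0.2.9
2024-05-01T10:02:05Z LOGIN_OK user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed thresholds; tune to the environment's normal failure rate.
BRUTE_FORCE_FAILS = 5     # failures against one account from one source
SPRAY_DISTINCT_USERS = 4  # distinct accounts failed from one source


def parse(log_text: str) -> list:
    """Parse matching lines into dicts; unrecognised lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.match(line))]


def detect(events: list) -> list:
    """Return sorted alert tuples: (kind, src, user_or_None, count)."""
    fails_per_account = defaultdict(int)  # (src, user) -> failure count
    users_per_src = defaultdict(set)      # src -> accounts that failed from it
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        fails_per_account[(e["src"], e["user"])] += 1
        users_per_src[e["src"]].add(e["user"])

    alerts = []
    for (src, user), n in fails_per_account.items():
        if n >= BRUTE_FORCE_FAILS:
            alerts.append(("brute_force", src, user, n))
    for src, users in users_per_src.items():
        if len(users) >= SPRAY_DISTINCT_USERS:
            alerts.append(("password_spray", src, None, len(users)))
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

A single failure followed by success (the grace lines) raises nothing, which is the normal "mistyped once" case a threshold-based rule should tolerate.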

Implementing secure password policies

  • Define minimum password length and complexity requirements
  • Enforce regular password expiration and prevent password reuse
  • Implement password history to prevent users from recycling old passwords
  • Provide user education on creating strong passwords and identifying phishing attempts
  • Enable multi-factor authentication for an additional layer of security
  • Regularly audit and monitor password-related events and anomalies

Token-based authentication

  • Uses secure tokens to authenticate users and grant access to resources
  • Tokens contain encrypted or signed authentication information
  • Provides a stateless and scalable alternative to session-based authentication

Session tokens vs API tokens

  • Session tokens:
    • Issued by the server upon successful authentication
    • Stored on the client-side (e.g., browser cookies) and sent with each request to maintain the session state
    • Used for web applications to authenticate and track user sessions
    • Example: Session cookies used for session management
  • API tokens:
    • Used to authenticate and authorize access to API endpoints
    • Typically long-lived and issued to client applications or services
    • Included in the request headers or parameters to authenticate API calls
    • Example: OAuth 2.0 access tokens used for API authorization

JSON Web Tokens (JWTs)

  • Compact, self-contained tokens for securely transmitting authentication and authorization information
  • Consist of three parts: header, payload, and signature
  • Header specifies the token type and hashing algorithm
  • Payload contains claims (user information, token expiration, etc.)
  • Signature ensures the integrity of the token using a secret key or public/private key pair
  • Widely used for stateless authentication in web applications and microservices architectures
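The three-part structure above (header.payload.signature) built and verified with HS256 using only the standard library. This is an added example, not code from the original guide or from any JWT library; the secret key and claims are constructed. The verifier pins the expected algorithm rather than trusting the header, compares the signature in constant time, and rejects tokens without a valid `exp`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if algorithm, signature and expiry all check out."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        presented_sig = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the header is attacker-controlled until the signature is checked.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None  # payload or signature was altered, or a different key was used
    try:
        claims = json.loads(b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Short lifetimes only help if expiry is actually enforced.
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed; use a random 256-bit key in practice
    token = create_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 300}, key)
    print(token)
    print(verify_jwt(token, key))
```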

OAuth 2.0 framework

  • Industry-standard protocol for authorization and secure delegated access to resources
  • Enables users to grant third-party applications limited access to their resources without sharing credentials
  • Defines four roles: resource owner, client application, authorization server, and resource server
  • Supports different grant types (authorization code, implicit, resource owner password credentials, client credentials) for various use cases
  • Provides secure mechanisms for obtaining and refreshing access tokens
  • Widely adopted by web and mobile applications for authentication and authorization

Token security best practices

  • Keep token lifetimes short and use refresh tokens for long-lived access
  • Encrypt sensitive information in token payloads using strong encryption algorithms
  • Validate and verify token signatures to ensure integrity and detect tampering
  • Implement secure token storage on the client-side (e.g., secure cookies, local storage with encryption)
  • Use secure communication channels (HTTPS) to prevent token interception and eavesdropping
  • Implement token revocation mechanisms to invalidate tokens when necessary (e.g., user logout, password change)
  • Regularly rotate and update token signing keys to minimize the impact of key compromises

Biometric authentication

  • Uses unique physical or behavioral characteristics to verify user identity
  • Provides a convenient and secure alternative to traditional authentication methods
  • Relies on the uniqueness and permanence of biometric traits
  • Requires specialized hardware or sensors for capturing and processing biometric data

Fingerprint recognition

  • Uses the unique patterns and minutiae points of a user's fingerprints for authentication
  • Captures fingerprint images using optical, capacitive, or ultrasonic sensors
  • Compares the captured fingerprint against a stored template to verify identity
  • Widely used in smartphones, laptops, and access control systems
  • Example: Touch ID on Apple devices

Facial recognition

  • Uses the unique facial features and geometry of a user's face for authentication
  • Captures facial images using cameras and applies computer vision algorithms for analysis
  • Compares the captured facial data against a stored facial template to verify identity
  • Increasingly used in smartphones, surveillance systems, and border control
  • Example: Face ID on Apple devices, Windows Hello facial recognition

Iris and retinal scanning

  • Iris recognition:
    • Uses the unique patterns and texture of the iris (colored part of the eye) for authentication
    • Captures high-resolution images of the iris using near-infrared cameras
    • Analyzes the iris patterns and compares them against a stored template
  • Retinal scanning:
    • Uses the unique pattern of blood vessels at the back of the eye (retina) for authentication
    • Captures retinal patterns using low-intensity light and specialized cameras
    • Requires precise alignment and is more intrusive compared to iris recognition
  • Provides high accuracy and is commonly used in high-security environments (e.g., military, government facilities)

Behavioral biometrics

  • Uses unique patterns and characteristics of a user's behavior for authentication
  • Analyzes various behavioral traits such as typing rhythm, mouse movements, gait, or voice patterns
  • Continuously monitors user behavior and compares it against a baseline profile
  • Provides passive and continuous authentication without requiring explicit user interaction
  • Helps detect anomalous behavior and potential account compromises
  • Example: Keystroke dynamics analysis for continuous authentication

Certificate-based authentication

  • Uses digital certificates to authenticate entities (users, devices, servers) in a network
  • Relies on public key cryptography and a trusted third-party (Certificate Authority) for issuing and verifying certificates
  • Provides strong authentication, encryption, and integrity for secure communication

Public key infrastructure (PKI)

  • Framework for creating, managing, and distributing digital certificates
  • Consists of:
    • Certificate Authorities (CAs): Trusted entities that issue and sign digital certificates
    • Registration Authorities (RAs): Verify the identity of entities requesting certificates
    • Certificate repositories: Store and distribute issued certificates and certificate revocation lists (CRLs)
    • Key management systems: Generate, store, and manage cryptographic keys
  • Enables secure communication and authentication in large-scale networks

Digital certificates and signatures

  • Digital certificates:
    • Electronic documents that bind a public key to the identity of an entity
    • Issued and digitally signed by a trusted Certificate Authority (CA)
    • Contain information such as the entity's name, public key, validity period, and issuer details
    • Used to establish trust and verify the identity of entities in a network
  • Digital signatures:
    • Mathematical scheme for verifying the authenticity and integrity of digital documents or messages
    • Generated using the private key of the signer
    • Can be verified using the corresponding public key from the signer's digital certificate
    • Provide non-repudiation and ensure that the signed data has not been tampered with

Certificate authorities (CAs)

  • Trusted third-party entities responsible for issuing and managing digital certificates
  • Follow strict procedures for verifying the identity of entities requesting certificates
  • Digitally sign issued certificates using their own private key
  • Maintain certificate revocation lists (CRLs) to revoke compromised or invalid certificates
  • Examples: Symantec, DigiCert, GlobalSign, Let's Encrypt

Mutual authentication with certificates

  • Process where both the client and server authenticate each other using digital certificates
  • Client verifies the server's certificate to ensure it is communicating with the intended server
  • Server verifies the client's certificate to authenticate the client's identity
  • Establishes a secure, encrypted communication channel (e.g., SSL/TLS) between the client and server
  • Prevents man-in-the-middle attacks and ensures confidentiality and integrity of the communication
  • Commonly used in scenarios requiring high security, such as banking, e-commerce, and enterprise networks

Single sign-on (SSO)

  • Authentication mechanism that allows users to access multiple applications or services with a single set of credentials
  • Eliminates the need for users to remember and manage multiple usernames and passwords
  • Improves user experience and reduces password fatigue
  • Centralizes authentication and makes it easier to enforce consistent security policies

SSO protocols and standards

  • SAML (Security Assertion Markup Language):
    • XML-based standard for exchanging authentication and authorization data between parties
    • Enables web-based SSO by allowing an identity provider (IdP) to authenticate users and assert their identities to service providers (SPs)
  • OAuth 2.0:
    • Authorization framework that enables third-party applications to obtain limited access to user accounts on an HTTP service
    • Commonly used for SSO in web and mobile applications
    • Allows users to grant access to their resources without sharing their credentials
  • OpenID Connect (OIDC):
    • Identity layer built on top of OAuth 2.0 for authentication
    • Enables clients to verify the identity of users based on the authentication performed by an authorization server
    • Provides a standard way to obtain user profile information in a secure and interoperable manner

Federated identity management

  • Allows users to use the same identity across multiple organizations or domains
  • Enables organizations to share identity information and trust relationships
  • Users can authenticate with their home organization and access resources in partner organizations without creating separate accounts
  • Facilitates collaboration and reduces administrative overhead
  • Examples: SAML-based federations, OAuth-based identity providers (Google, Facebook)

Benefits and risks of SSO

  • Benefits:
    • Improved user experience and productivity
    • Reduced password fatigue and password reset requests
    • Centralized authentication and access control
    • Easier to enforce consistent security policies
    • Reduced administrative overhead for managing user accounts
  • Risks:
    • Single point of failure: If the SSO system is compromised, all connected applications and services are at risk
    • Increased impact of account compromises: An attacker gaining access to the SSO credentials can access multiple systems
    • Complexity in managing and synchronizing user identities across different systems
    • Potential privacy concerns with sharing user information across different services

Implementing SSO securely

  • Choose a reputable and well-established SSO protocol or solution
  • Ensure proper configuration and security of the SSO system, including secure communication channels and strong authentication mechanisms
  • Implement multi-factor authentication (MFA) for an additional layer of security
  • Regularly monitor and audit SSO-related events and logs for suspicious activities
  • Educate users about the importance of protecting their SSO credentials and identifying phishing attempts
  • Establish clear policies and procedures for user provisioning, deprovisioning, and access reviews
  • Implement secure session management and logout mechanisms to prevent unauthorized access
  • Regularly update and patch the SSO system and connected applications to address security vulnerabilities

Authentication and authorization vulnerabilities

  • Weaknesses or flaws in the design, implementation, or configuration of authentication and authorization mechanisms
  • Can lead to unauthorized access, data breaches, and compromised user accounts
  • Regularly exploited by attackers to gain unauthorized access to systems and sensitive information

Broken authentication flaws

  • Weaknesses in the authentication process that allow attackers to bypass or compromise user authentication
  • Examples:
    • Weak password policies allowing easily guessable or brute-forceable passwords
    • Lack of account lockout or rate limiting, enabling brute-force attacks
    • Insecure storage of passwords (e.g., plain text, weak hashing algorithms)
    • Insufficient protection against session hijacking or session fixation attacks
    • Inadequate multi-factor authentication (MFA) implementation or bypass
  • Mitigations:
    • Implement strong password policies and enforce them consistently
    • Use secure password hashing algorithms with salting and key stretching
    • Implement account lockout and rate limiting to prevent brute-force attempts
    • Properly secure session management and protect against session-related attacks
    • Implement and properly configure multi-factor authentication (MFA)

Insufficient authorization issues

  • Weaknesses in the authorization process that allow users to access resources or perform actions they are not entitled to
  • Examples:
    • Improper implementation of access control mechanisms (e.g., missing or incorrect permissions checks)
    • Lack of proper authorization checks at the application or API level
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.