Authentication is the act of establishing identity via the presentation of information that allows the verifier to know the presenter is who or what it claims. This identity could be any number of things, including:
• People
• Systems
• Applications
• Messages
Why would one want to verify an identity in the first place? Hopefully, most people reading this recognize that as sarcastic humor. If not, here are a few common reasons:
• To control access to a system or application
• To bind some sensitive data to an individual, such as for encryption
• To establish trust between multiple parties to form some interaction with them
• To assure that a piece of information is genuine
Within an application, one or all of these aspects may apply. This article presents different types of authentication and ways of adding it to your applications.
Types of Authentication
There are many different types of authentication that can be used in an application. The selection of the most appropriate type of authentication will depend on the needs of the application; use this guide to determine which makes the most sense for your application.
These authentication types apply to all classes of entity that require authentication: systems, users, messages, and applications.
Basic authentication is a commonly used term that most people probably understand already. It refers to password-based authentication. A password can be any information that is used to verify the identity of a presenter. Common examples that fall into this category are:
• The common password
• Host or system names
• Application names
• Numerical IDs
Authentication entails the validation of a single credential pair—the presenter's identity reference and their password. The authentication process typically takes the password and compares it to that which is stored in the authentication database. This comparison is often done as a plain-text comparison, where the provided password must exactly match the expected password, or with some permutation function, where the password first undergoes an alteration such as hashing or encryption and the resulting data is then compared. The stored password is likewise often kept in plaintext or as the output of the same cryptographic function. Basic authentication has the following benefits. It is:
• Easy to manage within an application
• Easy to deploy across applications
• Easy for end users to use
There are some important caveats when using basic authentication of which every developer should be aware:
• Passwords are commonly weakly specified
• Identities can be spoofed and impersonated
• Passwords can be susceptible to theft
• Requires considerable effort to provide strong security
• Can be difficult to scale across distributed and large environments
Basic authentication often entails the transmission of a name (username or system name) and the password, which can be easily stolen and compromised if they are transmitted unprotected across the network. Here are some of the ways to increase the strength of basic authentication:
1. Use digest authentication—hash or encrypt the password prior to transmission
2. Use pass phrases (longer passwords) and set minimum password lengths
3. Enforce the usage of diverse character sets that include alpha-numeric, special characters, and mixed-case passwords that are not in a dictionary
4. Add security to the connection so that the password is not transmitted in the clear across the network, such as TLS/SSL
5. Do not store passwords in plaintext in whatever mechanism is used—database, file system, directory
Multi-factor authentication is the use of a combination of authentication methods to validate identity. The most commonly used description of multi-factor authentication is the use of information that is known only by the person, combined with something in his or her possession. These are typically:
• The name and password
• Some form of token
A token is a hardware component that is used during the authentication process; it typically provides another piece of information that cannot be ascertained without physical control of the token. Different types of tokens used in multi-factor authentication are:
• Smart cards
• One-time password/phrases
• Single-use PINs or pseudo-random numbers
• Biometric information
Multi-factor authentication provides the following additional benefits:
• Difficult to spoof and impersonate
• Easy to use
As security components are layered, the complexity also rises. Multi-factor authentication has the following potential drawbacks—each environment is different; therefore, the weight given to these in the decision-making process will vary:
• Deployment can be difficult
• Tokens can easily be stolen
• Management of the tokens can be challenging, especially in the event of lost or stolen tokens
The final form of authentication outlined here is that which utilizes cryptography. This includes the following forms:
• Public Key Authentication
• Digital Signatures
• Message Authentication Code
• Password permutation
Public Key Authentication
Public key authentication occurs when the owner of a key pair (private and public) communicates the public key, in some form, to the authenticating party, at which point it is verified to be true. There are a couple of methods for public key authentication worth discussing:
• The use of the public key itself
• Public key certificates
To verify the identity of the presenter of the public key, a nonce is encrypted using the public key. If the nonce can be decrypted and returned to the sender, that means the owner of the public key also has possession of the corresponding private key. The use of public-key certificates builds on this relationship between the public and private key. Verification of a public key, alone, may indicate that the identity is as expected, but there is still a bit missing—trust. How does one know whether the party presenting the keys has not stolen them from the legitimate owner? Also, just because a person, system, or application may truly be who or what it says it is, how does the authenticating party know it can or should trust it? A public key certificate adds a trust relationship through a mutually known and trusted third party. The certificate is created when a mutually trusted third party signs a public key with its own key. The authenticating party then can verify the identity of the presenter's key and also know that it can be trusted because of the shared relationship with the certificate signer. In the event that the keys are stolen, the trusted third party can easily revoke its trust of the keys and notify its trustees that they are no longer trustworthy.
Digital Signatures
Digital signatures are another piece of the cryptographic puzzle. A digital signature is made when the owner of a key pair (an individual or a system) uses its private key to "sign" a message. This signature can be verified only by the corresponding public key. This is most recognizable with the signed public key certificate—wherein the Certificate Authority, or trusted third party, signs a public key. The party doing the authentication can verify that the presenter of a public key has possession of the private key, and that a mutually trusted party vouches that the holder of the key is genuine.
Digital signatures are also commonly used on messages such as e-mail, so that the recipient can have some trust that the e-mail message was sent by the person they expect.
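The nonce challenge described under Public Key Authentication above, as an added example that is not part of the original article: the verifier encrypts a fresh random nonce to the claimed public key, the prover returns the decrypted nonce, and a party holding a different private key cannot answer. The RSA-OAEP padding and the 2048-bit key size are this example's assumptions; the page names neither.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Verifier knows only the public key it was given out of band.
type Verifier struct{ pub *rsa.PublicKey }

// Prover holds the key pair; the private half never leaves it.
type Prover struct{ key *rsa.PrivateKey }

// NewKeyPair generates the prover's key pair (2048-bit RSA is this example's
// choice; the page does not name a key size).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Challenge draws a fresh random nonce and encrypts it to the claimed public
// key. The ciphertext goes to the prover; the plaintext nonce stays local so
// the answer can be checked. A nonce is used for one round and never reused.
func (v *Verifier) Challenge() (ciphertext, nonce []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// RSA-OAEP with SHA-256 is this example's padding choice.
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, v.pub, nonce, nil)
	return ciphertext, nonce, err
}

// Respond decrypts the challenge. Only the holder of the private key that
// matches the public key the verifier used can recover the nonce.
func (p *Prover) Respond(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, p.key, ciphertext, nil)
}

// Check compares the returned nonce with the one generated locally, in
// constant time so the comparison itself leaks nothing about the expected value.
func (v *Verifier) Check(expected, got []byte) bool {
	return subtle.ConstantTimeCompare(expected, got) == 1
}

// RunExchange plays both sides of one authentication round and reports whether
// the prover demonstrated possession of the private key. A decryption failure
// is a failed authentication, not a protocol error.
func RunExchange(p *Prover, v *Verifier) (bool, error) {
	ct, nonce, err := v.Challenge()
	if err != nil {
		return false, err
	}
	answer, err := p.Respond(ct)
	if err != nil {
		return false, nil // wrong private key: the nonce cannot be recovered
	}
	return v.Check(nonce, answer), nil
}

func main() {
	legit, _ := NewKeyPair()
	impostor, _ := NewKeyPair() // a different key pair claiming the same identity
	v := &Verifier{pub: &legit.PublicKey}

	ok, _ := RunExchange(&Prover{key: legit}, v)
	fmt.Println("legitimate key holder authenticated:", ok)
	ok, _ = RunExchange(&Prover{key: impostor}, v)
	fmt.Println("impostor authenticated:", ok)
}
```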
Message Authentication Codes (MACs)
A message authentication code is created when a secret key is used in combination with the message or information to be proved authentic. The MAC can be generated by using a hashing algorithm or symmetric encryption. MACs can provide integrity verification as well as authenticity to those possessing the secret key.
Password Permutation
I cannot discuss cryptographic methods without showing the relationship to basic authentication and its differences. As discussed above, in basic authentication, many passwords are typically encrypted or hashed, and then during the process of authentication, the password goes through the same transformation as the stored value and is then compared. This should not be mistaken for a method of strong authentication simply because of its use of cryptographic functionality (hashing, encryption). Password schemes are still weak because the cryptography is used only for the storage and comparison piece and has no relationship to the presenter's authenticity. They are easily stolen and impersonated.
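The hardening steps listed under basic authentication (pass-phrase minimums, diverse character sets, no plaintext storage) and the password-permutation paragraph above, as an added example that is not part of the original article: a store that keeps only a per-user random salt and a derived key rather than the password, enforces a policy at registration, and compares in constant time at login. PBKDF2-HMAC-SHA256 (written out inline from RFC 8018), the 12-character minimum and the 100,000 iteration count are this example's choices, not the page's.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"unicode"
)

// Record is all the store keeps per user: a random salt, the work factor and
// the derived key. The password itself is never stored, in any form.
type Record struct {
	Salt []byte
	Iter int
	Key  []byte
}

type HardenedStore map[string]Record

const (
	minLength  = 12     // pass-phrase minimum (this example's value)
	iterations = 100000 // PBKDF2 work factor (this example's value)
	keyLen     = 32
)

// CheckPolicy enforces a minimum length and character-class diversity.
func CheckPolicy(password string) error {
	if len(password) < minLength {
		return fmt.Errorf("password shorter than %d characters", minLength)
	}
	var lower, upper, digit, other bool
	for _, r := range password {
		lower = lower || unicode.IsLower(r)
		upper = upper || unicode.IsUpper(r)
		digit = digit || unicode.IsDigit(r)
		other = other || !(unicode.IsLetter(r) || unicode.IsDigit(r))
	}
	if !(lower && upper && digit && other) {
		return errors.New("password must mix lower, upper, digit and special characters")
	}
	return nil
}

// pbkdf2 derives keyLen bytes with HMAC-SHA256 as the PRF, following
// RFC 8018 section 5.2 (written out here to stay standard-library only).
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	blocks := (keyLen + sha256.Size - 1) / sha256.Size
	dk := make([]byte, 0, blocks*sha256.Size)
	u := make([]byte, sha256.Size)
	var idx [4]byte
	for block := 1; block <= blocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		dk = prf.Sum(dk)              // U_1
		t := dk[len(dk)-sha256.Size:] // T_i = U_1 xor U_2 xor ... xor U_c
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// Register applies the policy, draws a fresh salt and stores only the
// derived key, so two users with the same password get unrelated records.
func (s HardenedStore) Register(user, password string) error {
	if err := CheckPolicy(password); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s[user] = Record{Salt: salt, Iter: iterations, Key: pbkdf2([]byte(password), salt, iterations, keyLen)}
	return nil
}

// Verify recomputes the derivation with the stored salt and compares in constant
// time. An unknown user still costs one derivation, so timing does not reveal names.
func (s HardenedStore) Verify(user, password string) bool {
	rec, found := s[user]
	if !found {
		rec = Record{Salt: make([]byte, 16), Iter: iterations, Key: make([]byte, keyLen)}
	}
	derived := pbkdf2([]byte(password), rec.Salt, rec.Iter, keyLen)
	return found && subtle.ConstantTimeCompare(derived, rec.Key) == 1
}
```

The stored record is what an attacker obtains from a leaked database; the point of the salt and the iteration count is that it cannot be turned back into the password cheaply, which is still no substitute for protecting the password in transit.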
Applications and Authentication
Now that the overview of various authentication methods has been outlined, you can take a look at their use in applications. The following application-specific areas will be covered:
• Identifying what needs authentication
• Choosing the appropriate authentication method(s)
• Guidelines for implementing authentication
Identifying the Need for Authentication
The following questions help the application designer and developer understand whether there is a need for authentication within their application:
• Are there multiple users or applications that will interact with the application in question?
• If multiple entities are expected, will they all access exactly the same data, configuration, and information, or will each have its own set of information, regardless of how small?
• Is the application running in a completely closed and trusted area, wherein there is no person, system, or application that will access it from untrusted parts—such as the Internet, other networks, or unknown applications?
• Is there a concept of privileged information or functionality and the separation or isolation of this within the application?
If the answer to any of these questions is "yes," authentication is needed within the application.
Choosing the Appropriate Authentication Methods
Usually, deciding if authentication is necessary is the easy part. Deciding how to perform authentication can quite easily become a difficult path. This section provides an overview of architectural frameworks for providing authentication. The following high-level options for authentication are available:
• Internal or local service-based authentication
• External service-based authentication and integration
Local Authentication
There are several reasons, or combinations of reasons, that may warrant implementation of local, internal authentication within an application:
• Stand-alone application
• No or intermittent communication capabilities
• Limited, small, or embedded applications
• Restricted application resources
If one chooses to have an application utilize its own authentication mechanism, there are several common examples:
• Implement a proprietary authentication scheme, based on standard methodologies
• Rely on the services of the local operating system, if available
• Utilize available libraries for providing authentication functionality
The implementation of one's own proprietary scheme is generally not recommended because there are many potential risks to a home-grown method, unless it has the benefit of expert research and analysis. If a proprietary scheme is absolutely necessary, it should ideally rely on the use of standard security technologies; examples are encryption and one-way functions, protocols, and formats—all of these technologies have been well vetted and are available for everyday use. Most Operating Systems also have implementations of local authentication services. These include some of the following:
• Pluggable Authentication Modules (PAM)
• Unix/Windows authentication
• File-based authentication
Finally, as hinted above, when implementing authentication features in an application, from-scratch implementation of standards-based technologies should be avoided. There are several encryption libraries available, the most notable of which is OpenSSL (http://www.openssl.org), as well as those provided by the Operating System. More will be explained further in the article.
External Service-based Authentication and Integration
It is often desirable that an application co-exist with other applications and share common information, including authentication information. The selection of internal and/or local authentication can quickly preclude an application from integrating easily with an existing environment. Also, enterprise applications, or those that need to work within an enterprise environment, will likely need to rely on the services present, which include enterprise authentication. Authentication services at the global and enterprise levels often are part of larger directory structures and services. These include:
• LDAP
• Active Directory
• NIS/NIS+
• Kerberos
To work with these services and already installed environments, applications will have to make use of various libraries and interfaces for these systems and infrastructure. There are existing libraries for all of these services, in many different programming languages, that allow an application to work directly within the specific framework. If an application designer wants to work with standards-based and accepted authentication and other security services, it may be important to avoid tight integration with one particular service or another. To leverage existing services and maintain flexibility, an application designer can look toward defined standards for general-purpose security services. The GSSAPI (the Generic Security Services API) is a defined set of standards that allows for a common interface to express security services; see RFCs 2743, 1509, and 1964 for further information.
There exist GSSAPI bindings for the following authentication and security services, among others:
• Active Directory
• LDAP
Another flexible framework is SASL, the Simple Authentication and Security Layer. SASL is defined in RFC 2222. SASL provides a standard way to secure authentication across network channels. SASL works by defining a standard API with support for accessing numerous "mechanisms"—these are the defined series of challenges and responses for authentication, including the following:
• Basic authentication with cleartext passwords
• Hash-based authentication
• One-time passwords and keyed PINs
• Kerberos, via GSSAPI
• Custom-defined authentication schemes
These APIs allow application designers to standardize on a common interface for managing security services such as authentication. This allows the application to more easily extend functionality to support new and different authentication methods, as well as to integrate different security services together in a uniform way as the application and its deployment grow.
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. Hence, IPsec protects any application traffic across an IP network. Applications do not need to be specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must be designed into an application to protect the application protocols. IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Agency (NSA). IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments documents addressing various components and extensions. It specifies the spelling of the protocol name to be IPsec.
The Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture" (RFC 1636). The report stated the general consensus that the Internet needs more and better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.
These concerns are fully justified. As confirmation, the 1998 annual report from the Computer Emergency Response Team (CERT) lists over 1,300 reported security incidents affecting nearly 20,000 sites. The most serious types of attacks included IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP address; and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents. In response to these issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable both with the current IP (IPv4) and IPv6, meaning that vendors can begin offering these features now, and many vendors do now have some IP Security Protocol (IPSec) capability in their products.
Applications of IPSec
The Internet community has developed application-specific security mechanisms in numerous application areas, including electronic mail (Privacy Enhanced Mail, Pretty Good Privacy [PGP]), network management (Simple Network Management Protocol Version 3 [SNMPv3]), Web access (Secure HTTP, Secure Sockets Layer [SSL]), and others. However, users have some security concerns that cut across protocol layers. For example, an enterprise can run a secure, private TCP/IP network by disallowing links to untrusted sites, encrypting packets that leave the premises, and authenticating packets that enter the premises. By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications. IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
• Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
• Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet Service Provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
• Establishment of extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
• Enhancement of electronic commerce security: Most efforts to date to secure electronic commerce on the Internet have relied upon securing Web traffic with SSL, since that is commonly found in Web browsers and is easy to set up and run. There are new proposals that may utilize IPSec for electronic commerce.
The principal feature of IPSec that enables it to support these varied applications is that it can encrypt or authenticate all traffic at the IP level. Thus, all distributed applications, including remote logon, client/server, e-mail, file transfer, Web access, and so on, can be secured. Figure 1 shows a typical scenario of IPSec usage. An organization maintains LANs at dispersed locations. Traffic on each LAN does not need any special protection, but the devices on the LAN can be protected from the untrusted network with firewalls. Since we live in a distributed and mobile world, the people who need to access the services on each of the LANs may be at sites across the Internet. These people can use IPSec protocols to protect their access. These protocols can operate in networking devices, such as a router or firewall that connects each LAN to the outside world, or they may operate directly on the workstation or server. In the diagram, the user workstation can establish an IPSec tunnel with the network devices to protect all the subsequent sessions. After this tunnel is established, the workstation can have many different sessions with the devices behind these IPSec gateways. The packets going across the Internet will be protected by IPSec but will be delivered onto each LAN as a normal IP packet. The following selectors determine an SPD entry:
• Destination IP address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one destination system sharing the same SA (for instance, behind a firewall).
• Source IP address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one source system sharing the same SA (for instance, behind a firewall).
• UserID: UserID is used to identify a policy tied to a valid user or system name.
• Data sensitivity level: The data sensitivity level is used for systems providing information flow security (for instance, "Secret" or "Unclassified").
• Transport Layer protocol: This value is obtained from the IPv4 Protocol or IPv6 Next Header field. This may be an individual protocol number, a list of protocol numbers, or a range of protocol numbers.
• IPSec protocol (AH or ESP or AH/ESP): If present, this is obtained from the IPv4 Protocol or IPv6 Next Header field.
• Source and destination ports: These may be individual TCP or User Datagram Protocol (UDP) port values, an enumerated list of ports, or a wildcard port.
• IPv6 class: This class is obtained from the IPv6 header. It may be a specific IPv6 Class value or a wildcard value.
• IPv6 flow label: This label is obtained from the IPv6 header. It may be a specific IPv6 flow label value or a wildcard value.
• IPv4 Type of Service (TOS): The TOS is obtained from the IPv4 header. It may be a specific IPv4 TOS value or a wildcard value.
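The address, protocol and port selectors just listed, as an added example that is not part of the original text: a small SPD lookup that matches a packet's source and destination addresses, transport protocol and ports against ordered entries using wildcard (mask) addresses, protocol sets and port ranges, and returns the action of the first match. The sample policy, its addresses and the discard-when-nothing-matches default are constructed for this example; the UserID, sensitivity, class, flow-label and TOS selectors are left out.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the disposition an SPD entry assigns to matching traffic.
type Action int

const (
	Discard Action = iota // drop the packet
	Bypass                // forward without IPSec processing
	Protect               // apply AH/ESP under the entry's SA
)

func (a Action) String() string { return [...]string{"DISCARD", "BYPASS", "PROTECT"}[a] }

// PortRange matches ports Lo..Hi inclusive; the zero value is the wildcard port.
type PortRange struct{ Lo, Hi uint16 }

func (r PortRange) Match(p uint16) bool {
	return (r.Lo == 0 && r.Hi == 0) || (p >= r.Lo && p <= r.Hi)
}

// Selector carries the address, protocol and port selectors from the text. A nil
// address is a wildcard, a /32 prefix a single address, any other prefix a mask;
// an empty protocol set matches every transport protocol.
type Selector struct {
	Src, Dst  *net.IPNet
	Protocols map[int]bool // IPv4 Protocol / IPv6 Next Header values
	SrcPort   PortRange
	DstPort   PortRange
}

// Packet is the constructed header summary of one IP datagram.
type Packet struct {
	Src, Dst         net.IP
	Protocol         int
	SrcPort, DstPort uint16
}

// Match reports whether every selector in s accepts the packet.
func (s Selector) Match(p Packet) bool {
	if s.Src != nil && !s.Src.Contains(p.Src) {
		return false
	}
	if s.Dst != nil && !s.Dst.Contains(p.Dst) {
		return false
	}
	if len(s.Protocols) > 0 && !s.Protocols[p.Protocol] {
		return false
	}
	return s.SrcPort.Match(p.SrcPort) && s.DstPort.Match(p.DstPort)
}

// Entry is one SPD record; the database is ordered and the first match wins.
type Entry struct {
	Name string
	Sel  Selector
	Act  Action
}

// Lookup returns the first matching entry's name and action. With no match the
// packet is discarded (this example's default; the text states none).
func Lookup(spd []Entry, p Packet) (string, Action) {
	for _, e := range spd {
		if e.Sel.Match(p) {
			return e.Name, e.Act
		}
	}
	return "no-match", Discard
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleSPD is a constructed policy for a gateway in front of 10.1.0.0/16: traffic
// staying inside the LAN bypasses IPSec (no security overhead in the workgroup),
// traffic to the branch LAN 10.2.0.0/16 is protected, UDP DNS to one external
// resolver bypasses, and everything else falls through to discard.
func SampleSPD() []Entry {
	return []Entry{
		{"lan-internal", Selector{Src: cidr("10.1.0.0/16"), Dst: cidr("10.1.0.0/16")}, Bypass},
		{"to-branch", Selector{Src: cidr("10.1.0.0/16"), Dst: cidr("10.2.0.0/16")}, Protect},
		{"dns-out", Selector{Dst: cidr("203.0.113.53/32"), Protocols: map[int]bool{17: true}, DstPort: PortRange{53, 53}}, Bypass},
	}
}

func main() {
	p := Packet{Src: net.ParseIP("10.1.5.4"), Dst: net.ParseIP("10.2.7.7"), Protocol: 6, SrcPort: 40000, DstPort: 443}
	name, act := Lookup(SampleSPD(), p)
	fmt.Printf("%s -> %s tcp/%d: entry %q, action %s\n", p.Src, p.Dst, p.DstPort, name, act)
}
```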
Figure 1: An IP Security Scenario
Benefits of IPSec
The benefits of IPSec include:
• When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPSec is below the transport layer (TCP, UDP), so it is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router. Even if IPSec is implemented in end systems, upper layer software, including applications, is not affected.
• IPSec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.
• IPSec can provide security for individual users if needed. This feature is useful for offsite workers and also for setting up a secure virtual subnetwork within an organization for sensitive applications.
Is IPSec the Right Choice?
There are already numerous products that implement IPSec, but it is not necessarily the security solution of choice for a network administrator. Christian Huitema, who at the time of the development of the initial IPSec documents was the head of the IAB, reports that the debates over how to provide Internet-based security were among the most heated that he ever observed. One issue concerns whether security is being provided at the right protocol layer. To provide security at the IP level, it is necessary for IPSec to be a part of the network code deployed on all participating platforms, including Windows NT, UNIX, and Macintosh systems. Unless a desired feature is available on all the deployed platforms, a given application may not be able to use that feature. On the other hand, if the application, such as a Web browser/server combination, incorporates the function, the developer can guarantee that the features are available on all platforms for which the application is available. A related point is that many Internet applications are now being released with embedded security features. For example, Netscape and Internet Explorer support SSL, which protects Web traffic. Also, many vendors are planning to support Secure Electronic Transaction (SET), which protects credit-card transactions over the Internet. However, for a virtual private network, a network-level facility is needed, and this is what IPSec provides.
The Scope of IPSec
IPSec provides three main facilities: an authentication-only function, referred to as Authentication Header (AH); a combined authentication/encryption function called Encapsulating Security Payload (ESP); and a key exchange function. For virtual private networks, both authentication and encryption are generally desired, because it is important both to (1) assure that unauthorized users do not penetrate the virtual private network and (2) assure that eavesdroppers on the Internet cannot read messages sent over the virtual private network. Because both features are generally desirable, most implementations are likely to use ESP rather than AH. The key exchange function allows for manual exchange of keys as well as an automated scheme. The IPSec specification is quite complex and covers numerous documents. The most important of these, issued in November 1998, are RFCs 2401, 2402, 2406, and 2408.
A website is a particular area or specific location on the World Wide Web that holds different types of files and documents. The main component of every website is its home page, which is designed for the convenience of viewers. Security is the main problem of a website, because all types of users visit the site and can place applications on it that are harmful to the website. Different protective techniques are therefore used to save the website from insecure media, and this is referred to as website security.
How to Secure the Website?
There are different techniques, or tips, that protect a website from hackers and from the various hacking applications. Some important website security tips are as follows:
• Password Security: The first and easiest way to secure a website, or its home page, is password protection. You can easily protect your important files, documents and applications with a password. There are applications and other files on a website that are secret and not meant for all users; we can protect them by assigning a secret password and use them confidentially. The password should be hard to guess and can consist of secret characters.
• Secure Your E-mail Addresses: Another important tip is to secure the e-mail addresses, because spammers use different spamming techniques to spread spam in the form of unwanted e-mails, and also send it to your home page in the form of advertisements and business forms. So you should check the mailbox daily and activate the spam protection, because that can resist the spread of spam to your website. Spam is unwanted mail that can compromise the applications of the website.
• Protecting Source Code: One of the important components of a website is its source code, and there are many hackers who hack source code in order to destroy the website or generate a duplicate of it. We can protect this source code by protecting the script of the Internet activation or the JavaScript. Password protection also helps in protecting the code.
• Use Software Applications: Different software applications are used to protect a website. Some antivirus software is used to restrict the spread of spyware and other malware. These types of software are easily available in the market and very easy to configure on the system, so that the website keeps working smoothly.
• Robot Text: Another important security feature is the robot text. It is a type of text that is saved in the settings of the web site. It gives instructions to search engines to display only the information or data relevant to users. It can stop hacking and spamming of the website and home pages.
Why Website Security is Important?
Website security is very important when using Internet technologies, because there are personal or important applications that play a valuable role in maintaining the operation of the site and the establishment of its new features. It is also important to prevent data loss and the hacking of precious data or documents. On the whole, website security is very important for Internet users.
Numerous threats are present in Internet technology that break security and provide a way for hackers to take all the personal information of users. Different security measures are used to protect Internet technology; one of them is SSL, the Secure Socket Layer. Generally it is a type of protocol that was created by Netscape, keeping in view the security risks in communication between the server and the client. It has now become an international protocol standard that is used to protect the transmission of data between the web server and the users and also prevents sensitive components from being stolen.
History of Secure Socket Layer:
As mentioned in the introduction, this security protocol was developed entirely by Netscape, which developed three different versions of SSL. The first version developed was 1.0, but it was not released. The second version, 2.0, was created with some updates and changes, and this time Netscape decided to release it; it was released in February 1995, but this version still had some disadvantages. So, keeping its flaws in view, Netscape created the third version of the Secure Socket Layer, which was much better and more powerful than the previous two versions. This version was publicly released in 1996.
How to Use Secure Socket Layer or SSL?
Using the Secure Socket Layer protocol is not a big task, because its working and its use are quite easy. It is also a part of the most popular browsers, and users who use those browsers to reach a web server or website for their various communications need no configuration or setting of SSL. When a user tries to connect to a Secure Socket Layer server with a browser that has the SSL feature, it works automatically and asks the server for its Digital Certificate issued by a Certificate Authority (CA). This certificate plays an important role when using Secure Socket Layer security because it assures users that their data or information is in safe hands, and it also ensures them that they are not communicating with a hacker or spammer. Generally the URL of such websites starts with 'https', in which the 's' stands for secure networking.
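The certificate check a browser performs when it connects to an SSL/TLS server, and the third-party trust relationship described under Public Key Authentication earlier, as an added example that is not part of the original text: a constructed root CA signs a server certificate, the client verifies the chain and host name against that root, and a self-signed impostor certificate for the same host name is rejected, as is the genuine certificate when presented for a different host. The ECDSA P-256 keys, names and validity periods are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for tmpl and has parent sign the certificate; with a
// nil parent the certificate is self-signed by its own new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes the trusted third party: a CA permitted to sign certificates.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate describes a web server's certificate for one host name.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// VerifyServerCert is the client's check: the presented certificate must chain to
// a root the client already trusts, be valid for server authentication, and carry
// the host name the client intended to reach.
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the three verification results of Scenario; nil means accepted.
type Outcome struct {
	Legit, Impostor, WrongHost error
}

// Scenario builds the trust relationship and exercises it: a root CA, a server
// certificate that CA signed, and an impostor's self-signed certificate claiming
// the same host name but with no relationship to the trusted root.
func Scenario(host string) (Outcome, error) {
	ca, caKey, err := issue(caTemplate("Example Root CA"), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	server, _, err := issue(serverTemplate(host), ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	impostor, _, err := issue(serverTemplate(host), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the client trusts the CA only; it never sees the server's private key
	return Outcome{
		Legit:     VerifyServerCert(server, roots, host),
		Impostor:  VerifyServerCert(impostor, roots, host),
		WrongHost: VerifyServerCert(server, roots, "other.example"),
	}, nil
}

func main() { out, _ := Scenario("www.example.test"); fmt.Printf("%+v\n", out) }
```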
Important Features of Secure Socket Layer or SSL:
There are many security features that the Secure Socket Layer protocol has, and SSL uses these security measures to provide safe communication to users or surfers of Internet technology. Some of the important security measures of the Secure Socket Layer protocol are listed below:
1. Secure Socket Layer provides security against all the threats related to the protocol layers, such as the transport layer. It works on all types of protocols present in the system for the same purpose and enhances their security.
2. SSL also provides strong authentication to users, so that they can easily protect their important information from hackers with the help of a strong authentication key. So only a person who has this key can use the MAC address and see all the private information.
3. The latest version of the Secure Socket Layer protocol, 3.0, is more reliable and powerful than 2.0 and 1.0. More ciphers are present in the architecture of 3.0, so it provides more security and performs well with certificate authentication.
4. Different types of security codings are also part of the Secure Socket Layer or SSL security.