5.3 Explain methods of user authentication.
EAP (Extensible Authentication Protocol): It is a framework for transporting authentication protocols. EAP defines the format of the messages. It uses four types of packets: request, response, success and failure. Request packets are issued by the authenticator and ask for a response packet from the supplicant. If authentication is successful, a success packet is sent to the supplicant; if not, a failure packet is sent.
Public Key Infrastructure (PKI): It is a framework for all of the entities involved in digital certificates—including hardware, software, people, policies, and procedures to create, store, distribute, and revoke digital certificates. PKI is essentially digital certificate management.
Kerberos: Kerberos is an authentication protocol that uses secret-key cryptography for secure authentication. In Kerberos, all authentication takes place between clients and servers. The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades. It was developed by the Massachusetts Institute of Technology, USA. Kerberos requires that the time sources be approximately synchronized (within 5 minutes) with each other. However, with recent revisions of Kerberos software, this rule has become flexible. Some of the features of the Kerberos authentication system:
Uses client-server based architecture.
Kerberos server, referred to as the KDC (Key Distribution Center), implements the Authentication Service (AS) and the Ticket Granting Service (TGS).
The term "application server" generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication purposes; the Kerberos telnet daemon (telnetd) is one example of an application server.
When the user wants to talk to a Kerberized service, he uses the TGT (Ticket Granting Ticket, obtained from the Authentication Service when the user first logs in) to talk to the Ticket Granting Service (TGS, which also runs on the KDC). The TGS verifies the user's identity using the TGT and issues a ticket for the desired service. The TGT ensures that users do not have to enter their password every time they wish to connect to a Kerberized service. The TGT usually expires after eight hours. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as the user until the ticket expires. The following are the important properties of Kerberos:
It uses symmetric encryption
Tickets are time stamped
Passwords are not sent over the network
Remote Authentication Dial-In User Service (RADIUS): It provides centralized administration of dial-up, VPN, and wireless authentication and can be used with EAP and 802.1X.
Terminal Access Controller Access-Control System (TACACS): It is a remote authentication protocol used more often in UNIX networks. In UNIX, the TACACS service is known as the TACACS daemon. The newer and more commonly used implementation of TACACS is called TACACS+; it is not backward compatible with TACACS. TACACS+ and its predecessor XTACACS were developed by Cisco. TACACS+ uses inbound port 49. TACACS and XTACACS are not commonly seen anymore; the two common protocols used today are RADIUS and TACACS+.
CHAP (Challenge Handshake Authentication Protocol): It is an authentication type that uses a three-way handshake. Passwords are transmitted in encrypted form, ensuring security; compare this with PAP, which transmits passwords in clear text. Authentication itself is a three-step process (excluding making the connection); if making the connection is also counted, it is a four-step process.
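A toy re-creation of the CHAP three-way handshake described above, written as an added example and not part of the original notes: the response formula MD5(Identifier || secret || Challenge) follows RFC 1994, the shared secret and challenge values are constructed, and a minimal PAP exchange is included only to contrast what an eavesdropper on the link captures in each case.

```python
import hashlib
import hmac
import os

# Constructed shared secret: both peers hold it, but under CHAP it never crosses the link.
SECRET = b"correct-horse-battery"


def chap_challenge(length: int = 16) -> bytes:
    """Step 1: the authenticator sends a fresh, unpredictable Challenge."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: the peer replies with MD5(Identifier || secret || Challenge) per RFC 1994.
    Identifier is a one-octet field, so it must be in the range 0..255."""
    return hashlib.md5(identifier.to_bytes(1, "big") + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Step 3: the authenticator recomputes the hash and answers Success or Failure."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def run_chap(peer_secret: bytes, auth_secret: bytes, identifier: int = 1, challenge: bytes = None):
    """Run the three-way handshake. Returns (result, wire), where wire lists the
    packets an eavesdropper on the link would capture."""
    challenge = challenge if challenge is not None else chap_challenge()
    wire = [("Challenge", challenge)]
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(("Response", response))
    ok = chap_verify(identifier, auth_secret, challenge, response)
    wire.append(("Success" if ok else "Failure", b""))
    return ok, wire


def run_pap(peer_secret: bytes, auth_secret: bytes):
    """PAP for contrast: the password itself is the credential sent on the link."""
    wire = [("Authenticate-Request", peer_secret)]
    ok = hmac.compare_digest(peer_secret, auth_secret)
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak", b""))
    return ok, wire


def secret_on_wire(wire, secret: bytes) -> bool:
    """True if the raw secret appears in any captured packet payload."""
    return any(secret in payload for _, payload in wire)
```

Because the response is bound to a fresh challenge, a captured CHAP Response cannot be replayed against a later challenge, which is the property PAP lacks.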
Multifactor authentication: Here two or more authentication methods are used to grant access to a resource. Usually it combines a password with a biometric authentication factor.
Copyright © Anand Software and Training Private Limited.