CONTROLLING USER ACCESS: AUTHENTICATION AND AUTHORIZATION

DEFIANA ARNALDY, M.SI

0818 0296 4763

DEFF_ARNALDY@YAHOO.COM

OVERVIEW

• Introduction

• Authentication techniques

• IIS authentication

• Microsoft .NET Passport authentication

• Hashing information

• Hashing algorithms

• SSL

• Financial network security

• Conclusion

INTRODUCTION

Until now, we have assumed that hackers use network-sniffing software to intercept confidential data; however, there is as much danger in forged or spoofed data.

Authentication systems must be able to validate supplied credentials securely against trusted sources and also to ensure that the message has not been tampered with in transit.

AUTHENTICATION TECHNIQUES

To guarantee the identity of a client, you need to trust one piece of information that is unique to that client and that cannot easily be determined or faked (e.g., an IP address, a Windows username/password, or some other credential).

Several different types of authentication are applicable to different scenarios:

• An ISP can use IP addresses as credentials

• A Windows-only intranet application can use Windows logins

IIS AUTHENTICATION

The most basic is anonymous authentication: clients do not have to supply any credentials and are automatically granted IUSR (guest) privileges.

One step above is basic authentication, which forces the client to supply credentials encoded in base64 (basically, clear text).

Combined with SSL, this is a secure solution.
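
The following Python block is an added example, not code from the slides: it shows why base64 in the Basic scheme is "basically clear text" and how a server should act on that. The header value `SAMPLE_HEADER` is constructed for the example (user `alice`, password `s3cret`), and `accept_basic_credentials` is a hypothetical server-side policy function that refuses to read Basic credentials unless the connection is already protected by SSL/TLS, which is the "combined with SSL" condition the slide states.

```python
import base64
import binascii

# Constructed sample header for this example (user "alice", password "s3cret"):
# the token is nothing more than base64("alice:s3cret").
SAMPLE_HEADER = "Basic YWxpY2U6czNjcmV0"


def build_basic_header(username, password):
    """What a client sends: 'Basic ' + base64(username ':' password). No secrecy is involved."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Decode an 'Authorization: Basic <token>' value into (username, password).

    Returns None for any other scheme, a malformed token, or a token without the
    'user:password' separator, so the caller never sees half-parsed credentials.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def accept_basic_credentials(header_value, transport_is_tls):
    """Hypothetical server-side policy: because the token is reversible, Basic credentials
    are only looked at when they arrived over TLS (the 'combined with SSL' condition)."""
    if not transport_is_tls:
        return None
    return parse_basic_authorization(header_value)


if __name__ == "__main__":
    print(build_basic_header("alice", "s3cret"))            # Basic YWxpY2U6czNjcmV0
    print(parse_basic_authorization(SAMPLE_HEADER))          # ('alice', 's3cret')
    print(accept_basic_credentials(SAMPLE_HEADER, False))    # None: refused in clear
```

The decode step is the whole "attack surface" of the scheme: anyone who can read the header can read the password, which is why the policy function keys on the transport rather than on anything in the token itself.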

MICROSOFT .NET PASSPORT AUTHENTICATION

Passport authentication identifies users by their Hotmail email addresses.

The advantage of Passport over in-house-developed systems is that many people already have a Hotmail email address, and thus do not have to re-register their details.

Passport authentication is used primarily for Web sites, but can also be applied to applications, MSN Messenger being a good example.

Passports are available in two flavors:

• Preproduction: free

• Production: not free

HASHING INFORMATION

Hashing is a one-way algorithm in which data can be converted to a hash value, but a hash value cannot be converted back to meaningful data.

Modern hashing systems include:

• Message Digest (MD5), and

• Secure Hash Algorithm (SHA-1).

HASHING ALGORITHMS

.NET provides support for two hashing algorithms:

• Secure Hash Algorithm (SHA), and

• Message Digest (MD5)

There are four different variations of the SHA available for use in .NET:

• SHA1Managed (20-byte hash),

• SHA256Managed (32-byte hash),

• SHA384Managed (48-byte hash),

• SHA512Managed (64-byte hash).
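
The Python block below is an added example covering both hashing slides; it is not code from the deck and does not use the .NET classes named there (Python's `hashlib` computes the same MD5 and SHA digests, so the 20/32/48/64-byte lengths listed for SHA1Managed through SHA512Managed can be checked directly). Two caveats a practitioner needs alongside the slide: MD5 and SHA-1 are no longer collision resistant and should not be used for new signatures or integrity checks, and a bare one-way digest is not a safe way to store passwords. The block therefore goes beyond the slide with `hash_password`/`verify_password`, which use a random salt and PBKDF2-HMAC-SHA256; the sample input and password are constructed for the example.

```python
import hashlib
import hmac
import os

# hashlib names of the algorithms on the slides; the SHA family corresponds to the .NET
# classes SHA1Managed, SHA256Managed, SHA384Managed and SHA512Managed.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")


def digest_sizes(data=b"constructed sample input"):
    """Digest length in bytes per algorithm: 16 for MD5, then 20/32/48/64 for the SHA family."""
    sizes = {}
    for name in ALGORITHMS:
        try:
            sizes[name] = len(hashlib.new(name, data).digest())
        except ValueError:  # an OpenSSL build in FIPS mode may refuse to construct MD5
            sizes[name] = None
    return sizes


def hex_digest(name, data):
    """One-way digest of arbitrary data, hex encoded (same input always gives the same output)."""
    return hashlib.new(name, data).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Password storage: a random per-user salt plus a deliberately slow PBKDF2-HMAC-SHA256.

    A bare MD5/SHA-1 digest of the password is one-way too, but it is fast and unsalted, so
    identical passwords produce identical records and precomputed tables apply; the salt
    and the iteration count are what make the stored value safe to keep in a user database.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        rounds, salt, expected = int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print(digest_sizes())
    record = hash_password("correct horse")           # constructed sample password
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

`hmac.compare_digest` is used rather than `==` so that verification time does not depend on how many leading bytes of the candidate digest happen to match.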

SSL

SSL is a secure stream protocol, which uses both symmetric and asymmetric encryption, combined with digital certificates to provide authentication.

Digital certificates can be bought from a certificate authority (CA) such as Thawte or Verisign.

SSL is defined in RFC 2660.

SSL is used for securing:

• Web pages,

• email,

• FTP, or

• news.

HTTP over SSL (HTTPS) operates on port 443;

SMTP over SSL (SSMTP) operates on port 465;

NNTP over SSL (SNNTP) operates on port 563.
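
The Python block below is an added example and not part of the slides. It shows, with the standard `ssl` module, the two client settings that decide whether the "authentication" half of SSL described on the previous slide actually happens: a weak configuration that accepts any certificate beside the corrected one that verifies the chain and hostname and refuses pre-TLS 1.2 protocol versions. `SSL_PORTS` holds the port numbers from this slide; `peer_certificate` opens a real connection and is only called with a host you choose (none is built in).

```python
import socket
import ssl

# Ports from the slide for the SSL-wrapped protocols.
SSL_PORTS = {"https": 443, "ssmtp": 465, "snntp": 563}


def insecure_client_context():
    """Weak setting: the server certificate is neither verified nor matched to the hostname,
    so any certificate is accepted and the server's identity is never established."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Corrected setting: require a chain that verifies against the trusted CAs (the system
    store, or `cafile` for an internal CA), check the hostname, and refuse anything older
    than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the settings that decide whether the peer is actually authenticated."""
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def peer_certificate(host, port=SSL_PORTS["https"], ctx=None):
    """Connect over TLS and return the server certificate as decoded by getpeercert().

    With the hardened context the handshake itself fails (ssl.SSLCertVerificationError)
    when the chain or the hostname does not verify; with the insecure context the
    connection succeeds against anything and getpeercert() returns an empty dict.
    """
    if ctx is None:
        ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("weak    :", describe(insecure_client_context()))
    print("hardened:", describe(hardened_client_context()))
    # peer_certificate("<your-host>") opens a real connection; no host is built in.
```

The symmetric session encryption the slide mentions is negotiated in both configurations; only the hardened one ties that session to a certificate that was checked, which is the part that defeats a forged or spoofed server.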

CERTIFICATE

A certificate has to be issued by a CA in order to be globally accepted.

It is possible to create self-signed certificates, but these would generally be deemed trustworthy only within your organization.

The most common form of digital certificate is known as X.509.

This is an international standard maintained by the IETF Public Key Infrastructure (PKIX) working group.

The certificate comprises various fields that identify the holder, the issuer, and the certificate itself:

• Serial number: The unique serial number assigned to every certificate created by an issuer

• Signature: Identifies the signature algorithm of the certificate, represented by an object identifier (OID)

• Validity period: The dates at which the certificate becomes valid and ceases to be valid

• Subject: The owner of the private key

• Public key: The key that will decrypt the certificate hash

• Signed hash: The hash of the certificate encrypted with the private key of the CA

SERVER CERTIFICATES

Server certificates for real-world Web sites need to be obtained from a CA.

A useful utility for creating self-signed certificates is IBM KeyMan (www.alphaworks.ibm.com/tech/keyman).

The steps to enable HTTPS on IIS using a self-signed certificate and IBM KeyMan are described in the e-book.

CLIENT CERTIFICATES

Client certificates are only used for maximum-security Web sites, such as online business banking.

Client certificates are available free of charge from Thawte.

They are used to send and receive encrypted emails and to authenticate your email address to recipients.

MICROSOFT CERTIFICATE SERVICES

MSCS runs on Windows 2000 and can generate X.509 certificates in PKCS #7 format from PKCS #10 certificate requests.

MSCS can run as either a root CA or a subordinate CA and can optionally hold certificates in Active Directory.

When used in conjunction with Active Directory, MSCS uses it to hold its certificate revocation list (CRL).

Page 20: CONTROLLING USER ACCESS: AUTHENTICATION AND AUTHORIZATION DEFIANA ARNALDY, M.SI 0818 0296 4763 DEFF_ARNALDY@YAHOO.COM 1.

20

READING CERTIFICATES

Certificates can be read using the X509Certificate class (Table 9.2) in .NET.
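
The Python block below is an added example, not code from the slides and not the .NET X509Certificate class the slide refers to (that class decodes a whole certificate for you). It makes the certificate-field slide concrete by parsing, by hand, the DER encoding that X.509 uses for three of the listed fields: the serial number (INTEGER), the signature field (an algorithm OID) and the validity period (two UTCTime values). `SAMPLE_DER` is a constructed, hand-encoded fragment for this example, not a real certificate; `SIGNATURE_OIDS` maps two real signature-algorithm OIDs to their names; `is_valid_at` is the expiry check every relying party has to perform on the validity period.

```python
import datetime as dt

# Constructed sample, hand-encoded DER for this example (NOT a real certificate): one
# SEQUENCE holding three fields from the slide in the form X.509 actually encodes them.
SAMPLE_DER = bytes.fromhex(
    "30 31"                                          # SEQUENCE, 49 bytes follow
    "02 02 12 34"                                    # serialNumber: INTEGER 0x1234
    "30 0b 06 09 2a 86 48 86 f7 0d 01 01 0b"         # signature: SEQUENCE { OID }
    "30 1e"                                          # validity: SEQUENCE, 30 bytes follow
    "17 0d 32 34 30 31 30 31 30 30 30 30 30 30 5a"   #   notBefore: UTCTime 240101000000Z
    "17 0d 32 35 30 31 30 31 30 30 30 30 30 30 5a"   #   notAfter:  UTCTime 250101000000Z
)

# Two real signature-algorithm OIDs a reader will meet in practice.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(data, pos=0):
    """Read one DER tag-length-value element; return (tag, value bytes, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, data[pos:end], end


def decode_oid(value):
    """Turn the base-128 OID encoding into dotted notation, e.g. 1.2.840.113549.1.1.11."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_utctime(value):
    """UTCTime 'YYMMDDhhmmssZ' to a timezone-aware datetime."""
    naive = dt.datetime.strptime(value.decode("ascii"), "%y%m%d%H%M%SZ")
    return naive.replace(tzinfo=dt.timezone.utc)


def parse_certificate_fields(der):
    """Pull serial number, signature algorithm and validity period out of the sample structure."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, serial, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("expected INTEGER serial number")
    _, sig_alg, pos = read_tlv(body, pos)
    _, validity, _ = read_tlv(body, pos)
    _, oid, _ = read_tlv(sig_alg)
    _, not_before, pos = read_tlv(validity)
    _, not_after, _ = read_tlv(validity, pos)
    dotted = decode_oid(oid)
    return {
        "serial": int.from_bytes(serial, "big", signed=True),   # DER INTEGER is two's complement
        "signature_oid": dotted,
        "signature_algorithm": SIGNATURE_OIDS.get(dotted, "unknown"),
        "not_before": decode_utctime(not_before),
        "not_after": decode_utctime(not_after),
    }


def utc(year, month, day):
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def is_valid_at(fields, when):
    """The validity check a relying party must make: reject before notBefore or after notAfter."""
    return fields["not_before"] <= when <= fields["not_after"]


if __name__ == "__main__":
    fields = parse_certificate_fields(SAMPLE_DER)
    print(fields)
    print(is_valid_at(fields, utc(2024, 6, 1)), is_valid_at(fields, utc(2026, 1, 1)))
```

A real X.509 certificate wraps these fields (and the subject, public key and extensions) in a larger tbsCertificate SEQUENCE followed by the signature algorithm and the signed hash; the same TLV walker applies, which is why a library such as the .NET X509Certificate class can expose every field as a property.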

FINANCIAL NETWORK SECURITY

If a hacker were to break into an e-commerce site successfully and capture someone’s credit card number, some unfortunate person would get stung financially; however, if the same thing happened on an interbank network, a country’s economy could be ruined overnight.

Most banks use private leased lines between their branches so that confidential information does not come into contact with the public phone network.

When a bank needs to communicate with a second financial institution overseas to perform a transaction, it must use the public phone network.

CONCLUSION

This chapter has looked at the mechanisms for guaranteeing the identity of network clients over the Web and on Microsoft networks.

Extending the topic to real-world scenarios, we looked at how banks use authentication to transfer billions of dollars safely across phone lines.