8.4 Authentication-based Solutions



Authentication is the process of verifying an entity's identity before it is granted access to system and network resources. The entity proves its identity using techniques such as personal attributes, digital signatures, and others (Morreale and Terplan 2001). In general, authentication takes one of the following three forms (Kizza 2009):
  1. Basic authentication involving a server. The server maintains a user file of passwords, user names, or some other piece of authenticating information, which is examined before authorization is granted. This is the most common way computer network systems authenticate users, but it has several weaknesses, including users forgetting or misplacing authenticating information such as passwords.
  2. Challenge-response, in which the server or another authenticating system sends a challenge to the host requesting authentication and expects a response.
  3. Centralized authentication, in which a central server authenticates users on the network and also authorizes and audits them. All three processes (authentication, authorization, and auditing) are carried out by the server. If authentication succeeds, the client is authorized to use the requested system resources; if it fails, authorization is denied. The server audits these activities by recording the information from them and storing it for future use.
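The first two forms, side by side, as an added example (not code from the source): a server that keeps only a salted PBKDF2 verifier in its user file and checks a submitted password against it (basic form), and a challenge-response exchange in which the client proves possession of the password by returning an HMAC over a single-use nonce instead of sending the password. The user name, password, and salt are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def make_record(password: str, salt: bytes = None) -> dict:
    """Server-side record: only a salted PBKDF2 verifier is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "verifier": verifier}


# Constructed sample user file (the "user file" of the basic form).
USER_FILE = {"alice": make_record("correct horse battery staple")}


def basic_auth(user: str, password: str) -> bool:
    """Basic form: the client presents the password; the server recomputes the verifier."""
    rec = USER_FILE.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["verifier"])


class ChallengeServer:
    """Challenge-response form: the secret never crosses the wire, only HMAC(secret, nonce)."""

    def __init__(self):
        self.pending = {}  # user -> outstanding nonce; each nonce is accepted once

    def challenge(self, user: str):
        rec = USER_FILE.get(user)
        if rec is None:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return rec["salt"], nonce  # the salt lets the client derive the same key

    def verify(self, user: str, response: bytes) -> bool:
        rec = USER_FILE.get(user)
        nonce = self.pending.pop(user, None)  # consumed: a replayed response will not verify
        if rec is None or nonce is None:
            return False
        expected = hmac.new(rec["verifier"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: derive the key from the password and answer the challenge."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_demo() -> dict:
    srv = ChallengeServer()
    pw = "correct horse battery staple"
    salt, nonce = srv.challenge("alice")
    first = srv.verify("alice", client_response(pw, salt, nonce))
    replay = srv.verify("alice", client_response(pw, salt, nonce))  # same nonce again
    salt, nonce = srv.challenge("alice")
    wrong = srv.verify("alice", client_response("wrong password", salt, nonce))
    return {
        "basic_ok": basic_auth("alice", pw),
        "basic_wrong": basic_auth("alice", "wrong password"),
        "cr_ok": first,
        "cr_replay": replay,
        "cr_wrong": wrong,
    }


if __name__ == "__main__":
    print(run_demo())
```

Note the trade-off the challenge-response form introduces: because the server keys the HMAC with the stored verifier, that verifier is password-equivalent for this protocol, so the user file needs the same protection as a plaintext password file would. Consuming the nonce on first use is what makes a captured response useless to a replaying attacker.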


Different authentication methods are built on different authentication algorithms. These methods can be combined or used separately, depending on the level of functionality and security needed. Among them are password authentication, public-key authentication, anonymous authentication, remote authentication, and certificate-based authentication. As examples, we discuss the SSL and Kerberos authentication protocols.

4.1 Secure Sockets Layer (SSL) Authentication

Secure Sockets Layer (SSL) is an industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity using a public key infrastructure (PKI). SSL authentication is cryptography-based: it uses a public/private key pair that must be generated before the process can begin. Communicating elements acquire verification certificates from a certificate authority (CA) (Kizza 2009).
These certificates are signed by calculating a checksum over the certificate and encrypting that checksum, together with other information, with the private key of a signing certificate. User certificates can be created and signed by a signing certificate, and the resulting certificates are used in the SSL protocol for authentication. The following steps are needed for SSL authentication (Kizza 2009):
  1. The user initiates a connection to the server by using SSL.
  2. SSL performs the handshake between client and server.
  3. If the handshake is successful, the server verifies that the user has the appropriate authorization to access the resource.
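The certificate-signing mechanism described above (a checksum over the certificate, signed with the signer's private key, and a user certificate that chains to a CA certificate), as an added example that is not from the source. It uses textbook RSA without padding, built from the standard library only, so that the mechanism is visible; real deployments use a library that adds PKCS#1 padding and X.509 encoding. The CA name, host name, and key size are constructed sample values, and the "trust store" is simply the CA public key held out of band.

```python
import hashlib
import json
import random
from math import gcd


# Textbook RSA without padding: enough to show "checksum signed with the private key",
# not a replacement for a real library.
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Returns (public, private) as plain dicts; n is always wider than a SHA-256 digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _checksum(fields: dict) -> int:
    # Canonical encoding of the to-be-signed fields, then SHA-256 as the "checksum".
    raw = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def sign_certificate(fields: dict, signer_priv: dict) -> dict:
    # Signature = checksum "encrypted" with the signer's private key.
    return {"tbs": fields, "signature": pow(_checksum(fields), signer_priv["d"], signer_priv["n"])}


def verify_signature(cert: dict, signer_pub: dict) -> bool:
    # Decrypt with the signer's public key and compare against a fresh checksum.
    return pow(cert["signature"], signer_pub["e"], signer_pub["n"]) == _checksum(cert["tbs"])


def verify_chain(leaf: dict, ca_cert: dict, trusted_ca_pub: dict) -> bool:
    """Accept the leaf only if it chains to a CA whose key we trust out of band."""
    if ca_cert["tbs"]["public_key"] != trusted_ca_pub:  # anchor must match the trust store
        return False
    if not verify_signature(ca_cert, trusted_ca_pub):  # the CA certificate is self-signed
        return False
    if leaf["tbs"]["issuer"] != ca_cert["tbs"]["subject"]:  # issuer name must link to the CA
        return False
    return verify_signature(leaf, ca_cert["tbs"]["public_key"])


def run_demo() -> dict:
    ca_pub, ca_priv = generate_keypair()
    srv_pub, _ = generate_keypair()
    rogue_pub, rogue_priv = generate_keypair()  # a key nobody trusts
    ca_cert = sign_certificate(
        {"subject": "Example CA", "issuer": "Example CA", "public_key": ca_pub}, ca_priv)
    srv_cert = sign_certificate(
        {"subject": "www.example.test", "issuer": "Example CA", "public_key": srv_pub}, ca_priv)
    # Altered subject with the original signature: the checksum no longer matches.
    tampered = {"tbs": dict(srv_cert["tbs"], subject="other.example.test"),
                "signature": srv_cert["signature"]}
    # Correct fields but signed by a key that is not the CA's.
    rogue = sign_certificate(dict(srv_cert["tbs"]), rogue_priv)
    return {
        "valid_chain": verify_chain(srv_cert, ca_cert, ca_pub),
        "tampered_subject": verify_chain(tampered, ca_cert, ca_pub),
        "untrusted_signer": verify_chain(rogue, ca_cert, ca_pub),
    }


if __name__ == "__main__":
    print(run_demo())
```

The three checks in `verify_chain` are the ones step 2 of the handshake depends on: the anchor must be one the client already trusts, each signature must verify under the public key of the certificate that claims to have issued it, and the issuer name must actually link the leaf to that CA. Skipping any one of them is what lets a forged or re-signed certificate pass.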


4.2 Kerberos Authentication

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology (MIT). Kerberos is available in many commercial products as well (MIT 2012).
Firewalls assume that attacks come from outside, yet most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how users can use the Internet, and in many places these restrictions are simply unrealistic and unacceptable.
Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity.
Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT using its password. If the client successfully decrypts the TGT (i.e., if the client supplied the correct password), it keeps the decrypted TGT, which serves as proof of the client's identity (MIT 2012).
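The exchange just described, as an added example that is neither MIT's code nor part of the source: a KDC that derives each principal's long-term key from the password, seals a TGT under that key without ever seeing the password, and a client that can open the ticket only if it holds the right password. It follows the simplified flow in the text (the TGT itself is sealed under the client's key). The realm, principal and password are constructed; PBKDF2 stands in for the Kerberos string-to-key function, and the sealing routine is a toy encrypt-then-MAC over a SHA-256 keystream, not a real Kerberos encryption type.

```python
import hashlib
import hmac
import json
import secrets
import time

REALM = "EXAMPLE.TEST"  # constructed realm name


def string_to_key(password: str, principal: str) -> bytes:
    """Client long-term key from the password (PBKDF2 stands in for Kerberos string-to-key)."""
    salt = (REALM + principal).encode()  # Kerberos salts with realm + principal name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (not a Kerberos enctype): nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key: the holder cannot decrypt the ticket
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Key Distribution Center holding each principal's password-derived key."""

    def __init__(self):
        self.principals = {}

    def enroll(self, principal: str, password: str):
        self.principals[principal] = string_to_key(password, principal)

    def as_request(self, principal: str, lifetime_s: int = 8 * 3600):
        # AS exchange as described in the text: the KDC never sees the password. It builds
        # a TGT and seals it under the client's key; only the right password can open it.
        client_key = self.principals.get(principal)
        if client_key is None:
            return None
        tgt = {
            "client": principal,
            "realm": REALM,
            "session_key": secrets.token_bytes(32).hex(),
            "expires": int(time.time()) + lifetime_s,
        }
        return seal(client_key, json.dumps(tgt).encode())


def client_login(kdc: KDC, principal: str, password: str):
    """Client side: request the TGT, then try to decrypt it with the password-derived key."""
    blob = kdc.as_request(principal)
    if blob is None:
        return None
    plain = unseal(string_to_key(password, principal), blob)
    return None if plain is None else json.loads(plain)


def run_demo() -> dict:
    kdc = KDC()
    kdc.enroll("alice", "correct horse battery staple")
    good = client_login(kdc, "alice", "correct horse battery staple")
    bad = client_login(kdc, "alice", "not the password")
    return {
        "correct_password_opens_tgt": good is not None and good["client"] == "alice",
        "wrong_password_opens_tgt": bad is not None,
        "unknown_principal": client_login(kdc, "mallory", "x") is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

One property of this flow is worth seeing in the code: `as_request` hands out the sealed ticket before anything has been proven, so the KDC reply itself is material that can be tested against password guesses offline. Kerberos 5 addresses this with pre-authentication, which requires the client to demonstrate knowledge of its key (for example, an encrypted timestamp) before the KDC returns the reply. Production Kerberos also seals the TGT under the ticket-granting service's key and encrypts only the session key under the client's key; the text's description, and this example, simplify that.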