Authentication is the process of verifying the claimed identity of a user, device or process before access to a computer system is granted, and is therefore the first line of defence against unauthorized access. It takes a variety of forms, ranging from verifying account credentials (using, amongst other things, a login name and password), to physical identity verification (using biometrics such as fingerprint scanning), to verifying that the client system from which a user is attempting to connect to a server is really the authorized client system.
Username and Password
The most rudimentary and least secure level of authentication involves the use of a username and password to access a system. The user is prompted for a username and password and, if both are entered correctly, is permitted access. For many years this was the primary method of authentication control, and it remains the most widespread.
The weakest form of username and password authentication uses plain text communication, where both credentials are transmitted to the server unencrypted, allowing anyone eavesdropping on the connection with a packet sniffer to read the username and password and subsequently use them to gain unauthorized access. Remote access technologies such as telnet present authentication credentials in plain text. For this reason alone the use of telnet for remote access to systems has been largely discontinued in favor of encrypted alternatives.
Technologies such as Secure Shell (ssh) still accept a username and password, but the credentials (along with all data exchanged after authentication) are sent over an encrypted channel, so a passive eavesdropper cannot recover them. This protects the credentials only if the client verifies the server's host key: a client that blindly accepts an unknown host key can be tricked into sending its password to an impostor. ssh also supports public-key authentication, which avoids transmitting a reusable secret at all.
Even with encryption, the username and password approach to authentication has a number of inherent weaknesses. Firstly, it identifies only the account and does nothing to verify that the person using the account is its authorized owner. If the username and password fall into the wrong hands (it is remarkable how many people keep them written on a note stuck to their monitor), the system has no way of knowing that the wrong person is logging in.
Secondly, username and password security is only as secure as the choice of password. A weak password increases the chance that it will be guessed online, or recovered by automated password cracking tools if the server's stored password hashes are ever leaked. The first risk is generally mitigated by enforcing rules that prevent users from choosing weak passwords and by disabling or temporarily locking an account after a specified number of invalid password attempts (note that lockout also gives an attacker a way to deny service to a legitimate user on purpose). The second risk is mitigated by storing passwords only as salted, deliberately slow one-way hashes rather than in plain text, so that a leaked database does not directly yield usable credentials.
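The following is an added example (not code from the original page) showing the three controls just described working together: a password policy check at enrolment, a salted slow hash so that the stored value is not the password itself, and an account lockout after a fixed number of failures. The policy limits, iteration count, usernames and passwords are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Policy values below are chosen for this example, not taken from any standard.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
# Work factor for the stored hash. Kept modest here so the example runs quickly;
# in production use the highest count your login latency budget allows.
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16


def password_is_acceptable(password):
    """Reject obviously weak passwords: too short, or using fewer than three
    of the four character classes (lower, upper, digit, other)."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def hash_password(password, salt=None):
    """Salted, deliberately slow hash; returns (salt, digest). A leaked digest
    cannot be used to log in and is expensive to brute-force."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """In-memory account database: stores only salt and hash, never the password."""

    def __init__(self):
        self._accounts = {}

    def create(self, username, password):
        if not password_is_acceptable(password):
            raise ValueError("password does not meet the policy")
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}

    def is_locked(self, username):
        acct = self._accounts.get(username)
        return bool(acct and acct["locked"])

    def authenticate(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, _DUMMY_SALT)
            return False
        if acct["locked"]:
            return False
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failed"] = 0
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True  # online guessing stops here; an administrator must unlock
        return False


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "Correct-Horse-7")
    print("good password:", store.authenticate("alice", "Correct-Horse-7"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "Correct-Horse-8")
    print("locked after repeated failures:", store.is_locked("alice"))
```

The lockout counter only defends against online guessing against the live service; the slow salted hash is what limits an attacker who has obtained a copy of the account store and can guess offline at full speed.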
Challenge Handshake Authentication Protocol.
Authentication methods such as the username and password approach outlined previously verify the user only once, at the point at which the user logs into the system. An alternative is provided by the Challenge Handshake Authentication Protocol (CHAP), which repeats its authentication procedure at random intervals during an ongoing connection between a client and a service.
CHAP is used primarily by Point-to-Point Protocol (PPP) servers as a way to validate the identity of remote clients (most commonly by internet service providers). At random intervals, CHAP verifies the identity of the client using a three-way handshake. The verification relies on a secret known to both the client and the service (typically the user's password); the secret itself is never sent over the link, only a hash derived from it.
After the link between the client (the peer) and the server (the authenticator) has been established, the authenticator sends a challenge message, containing an identifier and an unpredictable challenge value, to the peer. The peer responds with a hash calculated, using the MD5 message digest algorithm, over the identifier, the shared secret and the challenge. The authenticator compares the response against its own calculation of the expected hash value; if the two values match it acknowledges the authentication, otherwise the connection is terminated. These steps are repeated at random intervals. Because each challenge is fresh, a captured response cannot be replayed, but the scheme depends on the challenge value being unpredictable, and it requires the authenticator to hold the shared secret in a form it can recover, not merely as a one-way hash.
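The handshake above, simulated in one process as an added example (this is not code from the original page or from any PPP implementation). The response is computed as MD5 over the one-octet identifier, the shared secret and the challenge, as CHAP specifies; the peer name, secret and number of re-challenge rounds are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP response: MD5 over Identifier || secret || Challenge (identifier is one octet)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapPeer:
    """The client side. Knows only its name and the shared secret."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, ident, challenge):
        # The secret itself never leaves the peer; only the hash is sent.
        return self.name, chap_response(ident, self.secret, challenge)


class ChapAuthenticator:
    """The server side. Must hold each peer's secret in recoverable form so it
    can recompute the expected hash."""

    def __init__(self, secrets_by_name):
        self._secrets = secrets_by_name
        self._ident = 0
        self._outstanding = {}  # identifier -> challenge value still awaiting a response

    def challenge(self):
        # The identifier changes every time; the challenge value must be unpredictable.
        self._ident = (self._ident + 1) % 256
        value = os.urandom(16)
        self._outstanding[self._ident] = value
        return self._ident, value

    def verify(self, ident, name, response):
        # Each challenge is consumed on first use, so a captured response cannot be replayed.
        challenge = self._outstanding.pop(ident, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_session(authenticator, peer, rounds=3):
    """Simulate the initial challenge plus periodic re-challenges; returns one
    pass/fail result per round."""
    results = []
    for _ in range(rounds):
        ident, chal = authenticator.challenge()
        name, resp = peer.respond(ident, chal)
        results.append(authenticator.verify(ident, name, resp))
    return results


def replay_is_rejected(authenticator, peer):
    """Capture one valid (identifier, name, response) triple and present it twice."""
    ident, chal = authenticator.challenge()
    name, resp = peer.respond(ident, chal)
    first = authenticator.verify(ident, name, resp)
    second = authenticator.verify(ident, name, resp)
    return first and not second


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"alice-secret"})  # constructed sample credentials
    print("honest peer:", run_session(auth, ChapPeer("alice", b"alice-secret")))
    print("wrong secret:", run_session(auth, ChapPeer("alice", b"guess")))
    print("replay rejected:", replay_is_rejected(auth, ChapPeer("alice", b"alice-secret")))
```

Two things the simulation makes visible: the authenticator's secret table is the crown jewel, because it must store secrets in recoverable form, and the anti-replay property comes entirely from never accepting a response for a challenge that is not currently outstanding.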
Mutual Authentication.
Kerberos authentication popularized the concept of mutual authentication (also known as two-way authentication), whereby client and server each verify the authenticity of the other. This is intended to prevent so-called man-in-the-middle attacks, whereby a malicious party inserts a system between a client and server and impersonates each to the other.
Under mutual challenge-response authentication, one of the two systems creates a challenge code which it transmits to the other system. The second system generates a response from the received challenge code and also creates its own challenge code, both of which are transmitted back to the original system. The original system validates the response code and returns its own response code, based on the challenge code sent by the second system. Once the second system has validated that response it sends an acknowledgment message and authentication is complete. The response in each direction must be bound to the identity of the responder (or otherwise distinguishable by direction), not simply a function of the challenge and the shared key; otherwise an attacker can open a second session and reflect one party's challenge back at it, obtaining the correct answer from the legitimate party itself.
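The four-step exchange above as an added example (not code from the original page or from Kerberos, which uses tickets and encryption rather than a bare keyed hash). It uses HMAC-SHA256 over the challenge with a shared key, and goes one step beyond the text by also demonstrating the reflection attack that succeeds when responses are not bound to the responder's identity. Party names, the key and the session labels are constructed for the example.

```python
import hashlib
import hmac
import os


def response(key, responder, challenger, nonce, bind_identities=True):
    """Keyed hash over the challenge. With bind_identities the responder's and
    challenger's names are included, so a value computed in one direction is
    useless in the other."""
    if bind_identities:
        msg = responder.encode() + b"|" + challenger.encode() + b"|" + nonce
    else:
        msg = nonce  # weak form: depends only on the challenge and the key
    return hmac.new(key, msg, hashlib.sha256).digest()


class Party:
    def __init__(self, name, key, bind_identities=True):
        self.name = name
        self.key = key
        self.bind = bind_identities
        self.sessions = {}  # session id -> nonce we sent and still expect answered

    def challenge(self, sid):
        nonce = os.urandom(16)
        self.sessions[sid] = nonce
        return nonce

    def respond(self, sid, peer, their_nonce):
        """Step 2: answer the peer's challenge and issue our own in the same message."""
        return response(self.key, self.name, peer, their_nonce, self.bind), self.challenge(sid)

    def verify(self, sid, peer, resp):
        """Steps 3/4: check the peer's answer to the challenge we issued for this session."""
        nonce = self.sessions.pop(sid, None)
        if nonce is None:
            return False
        expected = response(self.key, peer, self.name, nonce, self.bind)
        return hmac.compare_digest(expected, resp)


def mutual_authenticate(a, b):
    """A challenges; B answers and challenges; A verifies and answers; B verifies."""
    n_a = a.challenge("s1")
    resp_b, n_b = b.respond("s1", a.name, n_a)
    if not a.verify("s1", b.name, resp_b):
        return False
    resp_a = response(a.key, a.name, b.name, n_b, a.bind)
    return b.verify("s1", a.name, resp_a)


def reflection_attack(victim, impersonated):
    """Attacker without the key. Session 1: claims to be `impersonated`, receives
    challenge n1. Session 2: opens a second connection to the victim and sends n1
    back as its own challenge; the victim's honest answer is replayed into session 1."""
    n1 = victim.challenge("s1")
    reflected, _ = victim.respond("s2", impersonated, n1)
    return victim.verify("s1", impersonated, reflected)


if __name__ == "__main__":
    k = b"shared-key-for-example"  # constructed
    print("mutual auth succeeds:", mutual_authenticate(Party("A", k), Party("B", k)))
    print("reflection works without identity binding:",
          reflection_attack(Party("A", k, bind_identities=False), "B"))
    print("reflection fails with identity binding:", reflection_attack(Party("A", k), "B"))
```

The attack needs no knowledge of the key: in the unbound form the answer A expects from B in session 1 is exactly the answer A itself computes in session 2. Including the responder's name in the hashed message (or using distinct keys per direction) is what makes the two values differ.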
Biometrics.
Once limited to 1970s spy movies, where the finger or eyeball of an unfortunate government employee would be removed by enemy agents and scanned to gain access to a secure area, biometrics are now very much a reality.
Biometrics use some physical characteristic of a person's body as a form of identification. The most common devices for this purpose are fingerprint scanners (now built into many laptop models), which deny access to a system until the reader scans a fingerprint matching an enrolled template. Unlike a password, a biometric cannot be changed if it is compromised, and every reader trades off false acceptances against false rejections, so biometrics are best used alongside another factor rather than alone.
