Security Now Episode #95

Steve Gibson and Leo Laporte talked about OpenID on Episode 95.  OpenID would provide a single-sign on verification for site logins.  This would not replace something like SSL (which is mutual authentication), but it would be better for simple site logins to sites like del.icio.us, digg.com and others.
openid

BYU professor Philip J. Windley, explains how OpenID works on his site.

Security+ Authentication Methods Explained: Kerberos, CHAP, Certificates

Authentication and Crypto are two of the hardest subject for me.  So I've tried to break each one down in terms I can understand.  I've only gotten up the Certificates.  I'll finish the others soon.

 

1.2 Recognize and be able to differentiate and explain the following methods of authentication · Kerberos
· CHAP (Challenge Handshake Authentication Protocol)
· Certificates
·
Username / Password
· Tokens
· Multi-factor
· Mutual
· Biometrics

 

The following definitions are necessary to understand the different methods of

Authentication:

 

Authentication: Verification of person who created or sent the data and the integrity of the data.

 

Data Integrity:  Assurance (confidence) that the data created or sent by an authenticated person has not been corrupted and/or tampered with, data is in original form.

 

Principal: Authenticated person.

 

Peer: client or user trying to get authenticated

 

Verifier : server or application approving the principal.  CHAP term is “authenticator.”  These terms are used interchangeably.

 

Hackers tools make it very easy to “sniff” out passwords and logins over a network or computers and allow unauthorized programs or users to impersonate authorized users.  That is why authentication is so important to computer security.

 

Kerberos

 

Kerberos was created in the ’80 by MIT’s Athena Project.  Kerberos is a distributed application that works over a network.  A Kerberos client acts on behalf of the principal to authenticate with a verifier without exposing the users data to hacker tools.

 

The Kerberos client sends encrypted messages to the verifier.  These messages are time stamped and sent using Kerberos protocol.  Kerberos protocol is based on the Needham and Schroeder authentication protocol.  The current implementation of Kerberos uses Data Encryption Standard (DES).

 

CHAP (Challenge Handshake Authentication Protocol)

 

The CHAP authenticator (a.k.a verifier) randomly sends “challenge” message to the peer (a.k.a client, or user).  The responses with a value that calculated by running the “challenge” message through a one way hash function (using MD5).  The authenticator checks the message against its own calculations. 

 

CHAP replaces Password Authentication Protocol (PAP) which sends logins and passwords CLEAR TEXT over the network.  Upon initial connection between peer and authentication CHAP is used and maybe used over and over again as the authenticators sends random challenge messages.

 

The disadvantage is that the challenge message is sent in plain text allowing a hacker to possible capture the data and do a Man in the Middle attack.

 

Certificates

 

Certificates are used a lot on web pages with a need for strong security.  Certificates are based on two or more people or groups using a trusted third party to confirm that each of the two parties are who they claim to be.  Certificates provide public-key infrastructure (PKI) solutions.  Certificates are provided by Certificate Authorities such as thawte and VeriSign.  These, and other Certificate Authorities, act as a third party issuing Private keys to organization, groups and/or persons and confirm the identities of by verifying the issued private key with a public key.  Usually Certificate Authorities us a secure method of communication called Secure Socket Layer (SSL) to send and receive messages.  SSL was developed by Netscape.  SSL uses a private key to encrypt data over the SSL connections.  Secure Http is an alternative to SSL.  Public keys are not need for S-Http or SSL.  When a secure session is occurring when the URL turns from HTTP to HTTPS.

 

Issues digital IDs to enable authenticated, 128-bit SSL encryption that secure e-commerce and online payments across the Internet.

 

 References

  1. Neuman b. & Theodore T. Kerberos: An Authentication Service for Computer Networks. USC/ISI Technical Report number ISI/RS-94-399.  http://www.isi.edu/gost/publications/kerberos-neuman-tso.html
  2. Simpson W. PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994 (RFC1994). Internet RFC Archives. August 1996 http://www.faqs.org/rfcs/rfc1994.html
  3. Karve, Anita. SSL and S-HTTP: Secure Communication over the Internet. 1 Jan 1997. Networkmagazine.com

http://www.webopedia.com/TERM/S/SSL.html