CONTROLLING USER ACCESS: AUTHENTICATION AND AUTHORIZATION
DEFIANA ARNALDY, M.SI
0818 0296 4763
OVERVIEW
Introduction
Authentication techniques
IIS authentication
Microsoft .NET Passport authentication
Hashing information
Hashing algorithms
SSL
Financial network security
Conclusion
INTRODUCTION
Until now, we have assumed that hackers use network-sniffing software to intercept confidential data; however, there is as much danger in forged or spoofed data
Authentication systems must be able to validate supplied credentials securely against trusted sources and also to ensure that the message has not been tampered with in transit
AUTHENTICATION TECHNIQUES
To guarantee the identity of a client, you need to trust one piece of information that is unique to that client and that cannot easily be determined or faked (e.g., IP address, Windows username/password, or some other credential)
Several different types of authentication are applicable to different scenarios:
• An ISP can use IP addresses as credentials
• A Windows-only intranet application can use Windows logins
IIS AUTHENTICATION
The most basic is anonymous authentication: clients do not have to supply any credentials and are automatically granted IUSR (guest) privileges.
One step above is basic authentication, which forces the client to supply credentials base64-encoded (effectively clear text, since base64 is an encoding, not encryption).
Combined with SSL, this is a secure solution.
MICROSOFT .NET PASSPORT AUTHENTICATION
Passport authentication is where users can be identified by their Hotmail email addresses
The advantage of passport over in-house-developed systems is that many people already have a Hotmail email address, and thus do not have to reregister their details.
Passport authentication is used primarily for Web sites, but can also be applied to applications, MSN Messenger being a good example
Passports are available in two flavors:
• Preproduction (free)
• Production (not free)
HASHING INFORMATION
Hashing is a one-way algorithm in which data can be converted to a hash value, but a hash value cannot be converted back to meaningful data
Modern hashing systems include:
• Message Digest (MD5)
• Secure Hash Algorithm (SHA-1)
HASHING ALGORITHMS
.NET provides support for two hashing algorithms:
• Secure Hash Algorithm (SHA)
• Message Digest (MD5)
There are four variants of SHA available for use in .NET:
• SHA1Managed (20-byte hash)
• SHA256Managed (32-byte hash)
• SHA384Managed (48-byte hash)
• SHA512Managed (64-byte hash)
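As an added illustration (not code from the slides), the following Go program stands in for the .NET classes named above: it computes the digests listed on this and the previous slide, reports their sizes, and uses one digest as a tamper check on a stored value; the message text is constructed sample data.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
)

// algorithms maps the names used on the slides to Go's constructors. MD5 and
// SHA-1 appear only because the slides list them; both have practical
// collision attacks and should not be chosen for new designs.
var algorithms = map[string]func() hash.Hash{
	"MD5":    md5.New,
	"SHA1":   sha1.New,
	"SHA256": sha256.New,
	"SHA384": sha512.New384,
	"SHA512": sha512.New,
}

// digestHex returns the hex digest of data under alg and its length in bytes
// (20, 32, 48 and 64 for the four SHA variants); "" and 0 for an unknown alg.
func digestHex(alg string, data []byte) (string, int) {
	newHash, ok := algorithms[alg]
	if !ok { return "", 0 }
	h := newHash()
	h.Write(data)
	sum := h.Sum(nil)
	return hex.EncodeToString(sum), len(sum)
}

// verifyDigest recomputes the digest of data and compares it with the stored
// digest in constant time. Only the digest needs to be kept: it cannot be turned
// back into the data, but any change to the data is detected on verification.
func verifyDigest(alg, storedHex string, data []byte) bool {
	got, n := digestHex(alg, data)
	return n > 0 && subtle.ConstantTimeCompare([]byte(got), []byte(storedHex)) == 1
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample message
	for _, alg := range []string{"MD5", "SHA1", "SHA256", "SHA384", "SHA512"} {
		d, n := digestHex(alg, msg)
		fmt.Printf("%-6s %2d bytes  %s\n", alg, n, d)
	}
	stored, _ := digestHex("SHA256", msg)
	fmt.Println("original verifies:", verifyDigest("SHA256", stored, msg))
	fmt.Println("tampered verifies:", verifyDigest("SHA256", stored, []byte("transfer 900 to account 42")))
}
```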
SSL
SSL is a secure stream protocol, which uses both symmetric and asymmetric encryption, combined with digital certificates to provide authentication.
Digital certificates can be bought from a certificate authority (CA) such as Thawte or Verisign
SSL is defined in RFC 2660.
SSL is used for securing:
• Web pages
• email
• FTP
• news
HTTP over SSL (HTTPS) operates on port 443;
SMTP over SSL (SSMTP) operates on port 465;
NNTP over SSL (SNNTP) operates on port 563.
CERTIFICATE
A certificate has to be issued by a CA in order to be globally accepted.
It is possible to create self-signed certificates, but these would generally be deemed trustworthy only within your organization
The most common form of digital certificate is known as X.509.
This is an international standard maintained by the IETF Public Key Infrastructure (PKIX) working group
The certificate comprises various fields that identify the holder, the issuer, and the certificate itself:
• Serial number: the unique serial number on every certificate created by an issuer
• Signature: identifies the signature algorithm used for the certificate, represented by an object identifier (OID)
• Validity period: the dates at which the certificate becomes and ceases to be valid
• Subject: the owner of the private key
• Public key: the key that will decrypt the certificate hash
• Signed hash: the hash of the certificate encrypted with the private key of the CA
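As an added illustration (not code from the slides), this Go program issues the kind of self-signed certificate the earlier slide says is trusted only within an organisation, reads back the fields just listed, verifies the signed hash with the issuer's public key, and shows that a client trusts the certificate only after installing it as a root; the CA name and serial number are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned issues and parses back a self-signed CA certificate for the
// hypothetical "Example Intranet CA" (constructed sample data).
func newSelfSigned() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), // unique per issuer
		Subject:      pkix.Name{CommonName: "Example Intranet CA"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, // lets it act as its own issuer
	}
	// tmpl is both subject and issuer: the signed hash is made with priv, whose
	// public half (pub) the certificate itself carries.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signatureValid checks the signed hash with the issuer's (here its own) public key.
func signatureValid(c *x509.Certificate) bool { return c.CheckSignatureFrom(c) == nil }

// trusted reports whether c chains to a root in pool: an empty pool models a client
// outside the organisation, a pool holding c an intranet client that installed it.
func trusted(c *x509.Certificate, pool *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	c, err := newSelfSigned()
	if err != nil { panic(err) }
	fmt.Println(c.SerialNumber, c.SignatureAlgorithm, c.NotBefore, c.NotAfter, c.Subject, c.PublicKeyAlgorithm)
	pool := x509.NewCertPool() // no roots installed yet
	fmt.Println("signature valid:", signatureValid(c), "trusted outside org:", trusted(c, pool))
	pool.AddCert(c)
	fmt.Println("trusted after installing as root:", trusted(c, pool))
}
```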
SERVER CERTIFICATES
Server certificates for real-world Web sites need to be obtained from a CA.
A useful utility for creating self-signed certificates is IBM KeyMan (www.alphaworks.ibm.com/tech/keyman).
The steps to enable HTTPS on IIS using a self-signed certificate created with IBM KeyMan are described in the e-book.
CLIENT CERTIFICATES
Client certificates are only used for maximum-security Web sites, such as online business banking.
Client certificates are available free of charge from Thawte.
They are used to send and receive encrypted emails and to authenticate your email address to recipients
MICROSOFT CERTIFICATE SERVICES
MSCS runs on Windows 2000 and can generate X.509 certificates in PKCS #7 format from PKCS #10 certificate requests.
MSCS can run as either a root CA or a subordinate CA and can optionally hold certificates in Active Directory.
When used in conjunction with Active Directory, MSCS will use it to hold its certificate revocation list (CRL).
READING CERTIFICATES
Certificates can be read using the X509Certificate class (Table 9.2) in .NET.
FINANCIAL NETWORK SECURITY
If a hacker were to break into an e-commerce site successfully and capture someone’s credit card number, some unfortunate person would get stung financially;
however, if the same thing happened on an interbank network, a country’s economy could be ruined overnight
Most banks use private leased lines between their branches so that the confidential information does not come into contact with the public phone network
When a bank needs to communicate with a second financial institution overseas, it must use the public phone network.
CONCLUSION
This chapter has looked at the mechanisms for guaranteeing the identity of network clients over the Web and on Microsoft networks
Extending the topic to real-world scenarios, we looked at how banks use authentication to transfer billions of dollars safely across phone lines.