CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [22]
Certificates
Certificates are another common form of authentication. A server or certificate authority (CA) can issue a certificate that will be accepted by the challenging system. Certificates can be either physical access devices, such as smart cards, or electronic certificates that are used as part of the logon process. A Certificate Practice Statement (CPS) outlines the rules used for issuing and managing certificates. A Certificate Revocation List (CRL) lists the certificates that have been revoked (often due to expiration); it must be checked and kept up to date in order to stay current.
This chapter provides only an overview of certificates. Certificates, along with Public Key Infrastructure (PKI) and related topics, are discussed in detail in Chapter 7, “Cryptography Basics, Methods, and Standards.”
A simple way to think of certificates is to think of hall passes at school. Figure 1.3 illustrates a certificate being handed from the server to the client after authentication has been established. If you have a hall pass, you can wander the halls of your school. If your pass is invalid, the hallway monitor can send you to the principal’s office. Similarly, if you have a certificate, then you can prove to the system that you are who you say you are and are authenticated to work with the resources.
FIGURE 1.3 A certificate being issued after identification has been verified
Challenge Handshake Authentication Protocol
Challenge Handshake Authentication Protocol (CHAP) challenges a system to verify identity. CHAP doesn’t use a user ID/password mechanism. Instead, the initiator sends a logon request from the client to the server. The server sends a challenge back to the client. The client encrypts the challenge and sends the result back to the server. The server computes the same value itself, compares it with the value from the client, and, if the information matches, grants authorization. If the response fails, the session fails, and the request phase starts over. Figure 1.4 illustrates the CHAP procedure. This handshake method involves a number of steps and is usually automatic between systems.
FIGURE 1.4 CHAP authentication
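The CHAP exchange described above, as an added example that is not part of the study guide: a server issues a random challenge, the client answers with a one-way MD5 hash over the identifier, the shared secret and the challenge (the RFC 1994 construction; the book calls this step "encrypting" the challenge), and the server recomputes and compares. The user name and secret are constructed for the example, and the secret itself is never sent over the link.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed shared secret for the example (held by both sides, never transmitted).
SECRETS = {"alice": b"correct-horse-battery"}


@dataclass
class ChapChallenge:
    identifier: int   # one-byte identifier that ties a response to its challenge
    value: bytes      # random challenge value


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._pending = {}  # username -> outstanding challenge

    def challenge(self, username: str) -> ChapChallenge:
        # A fresh random challenge per attempt means an old response cannot be replayed.
        ch = ChapChallenge(identifier=os.urandom(1)[0], value=os.urandom(16))
        self._pending[username] = ch
        return ch

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        # The challenge is consumed on first use; a second answer to it always fails.
        ch = self._pending.pop(username, None)
        secret = self._secrets.get(username)
        if ch is None or secret is None or ch.identifier != identifier:
            return False
        expected = chap_response(ch.identifier, secret, ch.value)
        return hmac.compare_digest(expected, response)  # constant-time compare


def chap_session(server: ChapServer, username: str, client_secret: bytes) -> bool:
    """Run one full exchange: request -> challenge -> response -> success/failure."""
    ch = server.challenge(username)
    resp = chap_response(ch.identifier, client_secret, ch.value)
    return server.verify(username, ch.identifier, resp)
```

On failure the server simply drops the pending challenge, so the client must start the request phase over with a new challenge, matching the restart behaviour the text describes.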
Kerberos
Kerberos is an authentication protocol named after the mythical three-headed dog that stood at the gates of Hades. Originally designed by MIT, Kerberos is becoming very popular as an authentication method. It allows for a single sign-on to a distributed network.
Kerberos authentication uses a Key Distribution Center (KDC) to orchestrate the process. The KDC authenticates the principal (which can be a user, a program, or a system) and provides it with a ticket. After this ticket is issued, it can be used to authenticate against other principals. This occurs automatically when a request or service is performed by another principal.
Kerberos is quickly becoming a common standard in network environments. Its only significant weakness is that the KDC can be a single point of failure. If the KDC goes down, the authentication process will stop. Figure 1.5 shows the Kerberos authentication process and the ticket being presented to systems that are authorized by the KDC.
Multi-Factor Authentication
When two or more access methods are included as part of the authentication process, you’re implementing a multi-factor system. A system that uses smart cards and passwords is referred to as a two-factor authentication system. Two-factor authentication is shown in Figure 1.6. This example requires both a smart card and a logon password process.
FIGURE 1.5 Kerberos authentication process
FIGURE 1.6 Two-factor authentication
Mutual Authentication
Whenever two or more parties authenticate each other, this is known as mutual authentication. A client may authenticate to a server, and the server to the client, when there is a need to establish a secure session between the two and employ encryption. Mutual authentication ensures that the client