The Path to CISSP (20): The Authentication Process Explained

Source: Internet
Author: User
In the previous article of the CISSP path series planned by the 51CTO Security Channel, "Security Threat Control Measures in Detail", j0ker briefly introduced the identification knowledge in the Access Control CBK. After an accessing entity (a user, a process, and so on) presents its own unique identification information in order to access an information resource, the information system must use some technical means to determine whether the accessing entity really is who the identification information says it is. This process is authentication, which j0ker introduces in this article.
To understand authentication, first consider an example met in everyday work: in the information systems or networks of most enterprises and organizations, a user who wants to access his or her own files must first present an identity to the system, and the system then verifies that identity. If verification passes, the user is granted access to the files. In other words, during resource access, identification is supplied by the user to the system, while authentication is performed by the system and its result is returned to the user.

An information system can use three factors, or methods, to authenticate a user's identity: something the user knows (a knowledge credential such as a password), something the user has (a possession credential such as a token) and something the user is (a biometric characteristic). The terms single-factor and two-factor authentication, often met when working with authentication technology, describe how many of these are combined. Single-factor authentication uses only one credential, such as the password login used by default in many information systems (verifying something the user knows). Two-factor authentication uses two credentials from different factors at the same time, for example the combination of a password and fingerprint recognition (something the user is) used in some information systems. Two-factor or multi-factor authentication is normally required in information systems with high security requirements. The following table compares the three factors:

Verification method | Application examples | Advantages and disadvantages

Something you know | Passwords, personal identification numbers (PINs) | Easy to deploy and simple for users to operate; vulnerable to guessing, dictionary and brute-force attacks; users often fail to keep their passwords safe

Something you have | Tokens, memory cards, smart cards | Difficult to attack, since the attacker must obtain the physical object; can be lost or stolen; higher deployment cost

Something you are | Fingerprint recognition, voice recognition, iris scanning and other biometric devices | Simple and reliable for the user; higher deployment cost; limited user acceptance; the false rejection and false acceptance rates must meet the requirements of the security policy

To help readers understand the three authentication factors and some key terms, j0ker describes below the common technical implementations and characteristics of each factor:

Credentials the user knows:

The most common technical implementation of this factor is the password: a secret word or string. A user who supplies the correct password confirms his or her identity and gains access to the system and its information resources. The advantage of passwords is that they are easy to deploy and use, and they are the default authentication method supported by almost every information system. Their disadvantage is just as obvious: their secrecy is weak. Users write complex passwords on paper and stick the note to the screen or keyboard, where anyone can read it, and others choose easy-to-guess passwords so that they can remember them. Because a password is so easily compromised, password authentication on its own is not considered secure enough.

To reduce the risk of relying on a password alone, the concept of the passphrase was introduced into authentication technology. A passphrase and a password are not essentially different: both are strings of some length. The only real difference lies in how the user thinks about them. The word "password" seems to invite simple, easily remembered words, whereas "passphrase" encourages a longer, more complex phrase. A passphrase can be built from any sentence or idiom; for example, "To be or not to be" gives the passphrase tobeornottobe. Although a passphrase is stronger than a password, an attacker can still crack a weak phrase easily with an automated password-cracking tool.

Passphrases are also commonly used as keys (or as the secret from which keys are derived) for encryption algorithms. In that use, the difference between a passphrase and a password is length: a password is usually 6 to 8 characters, while a passphrase, whose required length depends on the algorithm, often reaches more than 100 bits or even longer.

The following are j0ker's suggestions for using passwords in daily work:

1. Passwords should be changed regularly. How long a password stays valid depends on several factors, such as the cost of changing it, the impact if it is cracked, the risk involved in distributing it and how often it is used. Generally, passwords for information systems with high security requirements need to be changed daily; information systems with low security requirements can change them weekly, monthly, quarterly or even yearly. For ordinary use, changing the password every half month is reasonable.

2. When creating a password, do not use words or names that can be found in a dictionary.

3. When creating a password, mix uppercase and lowercase letters, digits and special characters, for example the password "th3re!5ac4t" (derived from "there is a cat").

4. Use as long a password as possible: a 16-character password is far safer than an 8-character one.

5. In summary, a strong secret phrase has these properties: it is known only to its creator; it is long enough to be secure; it is hard to guess, even for an attacker who knows the creator well; and it is easy to remember and easy to type correctly.
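Suggestions 2 to 4 can be turned into a mechanical check. The following is an added example, not code from the article or from any product it mentions: it flags passwords that are too short, use too few character classes, or consist entirely of dictionary words joined together (the way tobeornottobe does, which is exactly what a cracking tool's word-combination mode finds). The word list, the thresholds and the rough bit estimate are assumptions made for the example; a real check would load a large word list.

```python
import math
import string

# Constructed mini word list for the example only; a real policy check would
# load a large dictionary (the same kind of list cracking tools use).
DICTIONARY = {
    "to", "be", "or", "not", "there", "is", "a", "cat",
    "password", "welcome", "summer", "admin", "john", "smith",
}

# Character classes from suggestion 3 and the size of each pool (used for the
# length-versus-pool estimate behind suggestion 4).
_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),
}


def is_word_concatenation(candidate, words=DICTIONARY):
    """True if candidate, lowercased, splits entirely into dictionary words,
    e.g. 'tobeornottobe' -> to|be|or|not|to|be (dynamic programming over
    prefixes). A single dictionary word is the trivial case."""
    s = candidate.lower()
    n = len(s)
    reachable = [False] * (n + 1)   # reachable[i]: s[:i] is a word sequence
    reachable[0] = True
    for i in range(1, n + 1):
        for j in range(i):
            if reachable[j] and s[j:i] in words:
                reachable[i] = True
                break
    return n > 0 and reachable[n]


def character_classes(password):
    """Names of the character classes present in the password."""
    chars = set(password)
    return [name for name, (pool, _) in _CLASSES.items() if chars & pool]


def estimated_bits(password):
    """Rough strength estimate: length * log2(size of the combined pool of the
    classes used). It assumes random choice, so it is an upper bound; a
    dictionary-derived password is far weaker than this number suggests."""
    present = character_classes(password)
    pool = sum(size for name, (_, size) in _CLASSES.items() if name in present)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, min_length=8, min_classes=3):
    """Apply suggestions 2 to 4; return the violated rules (empty = passed).
    The thresholds are assumptions for the example, not values from the text."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if is_word_concatenation(password):
        problems.append("dictionary_words")
    if len(character_classes(password)) < min_classes:
        problems.append("too_few_classes")
    return problems


if __name__ == "__main__":
    for pw in ("password", "tobeornottobe", "th3re!5ac4t", "Ab3!Ab3!Ab3!Ab3!"):
        print(f"{pw!r:20} bits~{estimated_bits(pw):6.1f} problems={check_password(pw)}")
```

Note that the bit estimate doubles when the length doubles with the same pool, which is suggestion 4 in numbers, but only the concatenation check catches tobeornottobe: length alone says nothing about a phrase an attacker can rebuild from a word list.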

Because passwords play such an important role in access control, systems usually store them in a password file, so protecting that file is also a key factor in system security. Generally, the system stores the passwords in that file in a one-way, non-reversible hashed form rather than in a recoverable form, and restricts access to the file as well. But if an attacker can physically reach the server, or a backup, that holds the password file, he can still run an automated password-cracking tool offline against the hashed passwords. Limiting physical access to servers and to file backups is therefore also an important measure for keeping passwords secure.

Speaking of password cracking, one important countermeasure that information systems use against it must be mentioned: account lockout. Account lockout means that once the system detects a set number of incorrect password attempts against an account, it automatically disables logon for that account, and the account is reopened either automatically after a period of time or manually by an administrator. Account lockout effectively blunts attacks made with automated password-cracking tools and also lets administrators detect cracking attempts quickly. In common information systems the lockout threshold is usually set to 3 to 5 attempts, and once the number of incorrect passwords reaches that threshold the account is usually locked for 5 to 15 minutes.
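The two preceding paragraphs, the one-way protected password file and the account lockout policy, fit together in one small component. The following is an added example, not code from the article or from any system it describes: an in-memory stand-in for a password file that stores only a salt and a PBKDF2-HMAC-SHA256 digest, and an authenticate() that applies the "N failures, then locked for T seconds or until an administrator unlocks" rule. The iteration count, the record format and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256. 600,000 follows current OWASP guidance
# (an assumption for this example; tune it to your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """One-way, salted password hash. The per-user salt defeats precomputed
    tables; the iteration count slows offline cracking of a stolen file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordStore:
    """Stand-in for a system password file plus the lockout policy above:
    max_failures wrong passwords lock the account for lockout_seconds, or
    until admin_unlock() is called."""

    def __init__(self, max_failures=5, lockout_seconds=15 * 60,
                 clock=time.time, iterations=PBKDF2_ITERATIONS):
        self._records = {}
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations
        self._clock = clock          # injectable so the policy can be tested

    def add_user(self, username, password):
        salt = os.urandom(SALT_BYTES)
        self._records[username] = {
            "salt": salt,
            "hash": hash_password(password, salt, self.iterations),
            "failures": 0,
            "locked_until": 0.0,
        }

    def shadow_line(self, username):
        """What would go to disk: no plaintext, only salt and digest."""
        rec = self._records[username]
        return (f"{username}:pbkdf2_sha256${self.iterations}$"
                f"{rec['salt'].hex()}${rec['hash'].hex()}")

    def authenticate(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        rec = self._records.get(username)
        if rec is None:
            # Spend the same work as a real check so response time does not
            # reveal which usernames exist.
            hash_password(password, b"\x00" * SALT_BYTES, self.iterations)
            return "denied"
        if now < rec["locked_until"]:
            return "locked"          # even the correct password is refused
        candidate = hash_password(password, rec["salt"], self.iterations)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            rec["failures"] = 0
            rec["locked_until"] = now + self.lockout_seconds
            return "locked"
        return "denied"

    def admin_unlock(self, username):
        """Administrator reopens the account before the timer expires."""
        rec = self._records[username]
        rec["failures"] = 0
        rec["locked_until"] = 0.0


if __name__ == "__main__":
    store = PasswordStore(max_failures=3, lockout_seconds=300)
    store.add_user("alice", "th3re!5ac4t")
    print(store.shadow_line("alice"))
    for attempt in ("guess1", "guess2", "guess3", "th3re!5ac4t"):
        print(attempt, "->", store.authenticate("alice", attempt))
```

Two practical points the policy brings with it: the lockout window is also a denial-of-service lever, since anyone who knows a username can lock its owner out with a few wrong guesses, so lockouts should be logged and alerted on as the text suggests; and the hash work factor, not the lockout, is what protects the file once an attacker has a copy of it, because an offline tool is never subject to the lockout counter.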
