By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Summarize authentication and authorization design concepts.

Topics:
- authentication
- federation
- time-based one-time password (TOTP)
- HMAC-based one-time password (HOTP)
- false acceptance rate (FAR)
- false rejection rate (FRR)
- crossover error rate (CER)
- biometrics
- multifactor authentication (MFA)
- authentication, authorization, and accounting (AAA)

Identification and Authentication, Authorization, and Accounting (AAA)

It is necessary to discern the differences between the actions identification and authentication, authorization, and accounting (AAA) because you will be tested on all these concepts. Identification occurs when a user or device presents information such as a username, a process ID, a smart card, or another unique identifier and claims an identity. Authentication is the process of validating an identity. It occurs when the user provides appropriate credentials, such as the correct password with a username. When identification through the presentation and acceptance of credentials is accomplished, the credentials must be measured against a list of all known credentials by the authentication service to determine authorization of the request before access rights during the session can be established. Authorization is based on security policy.

Accounting keeps track of the resources a user accesses by keeping a record of authentication and authorization actions. Accounting functions log session statistics and usage information, which can then be used for management tasks such as access control and resource utilization. Additional capabilities include billing, trend analysis, and capacity planning. Implementing the accounting component of AAA requires special server considerations.

These are the core components of AAA:
- The device that wants to access the network is known as the client.
- The policy enforcement point (PEP) is the authenticator. The PEP enforces the conditions of the client’s access.
- The policy information point (PIP) holds data relevant to the decision on whether to grant access to the client.
- The policy decision point (PDP) is the crux of the AAA decision and is responsible for making the final decision about whether to grant access to the client.
- The accounting and reporting system tracks the client network usage and reports the “who, what, where, when, and why.”
- Core AAA components are logical functions that can be combined and are not necessarily physical devices.

Multifactor Authentication

A method for authenticating users must be designed and implemented properly for an organization to achieve established business goals and security control objectives. Several common factors are used for authentication: something you know, something you have, something you are, something you do, and somewhere you are. Authentication factors provide a means of implementing multifactor authentication. Multifactor authentication provides additional security because account access requires more than a password.

Forms of authentication credentials can be generally broken into three basic categories, or factors, depending on what is required to identify the access requester:
- Something you know (passwords, account logon identifiers)
- Something you have (smart cards, synchronized shifting keys)
- Something you are (fingerprints, retinal patterns, hand geometry)

Additional categories, more appropriately known as attributes, include the following:
- Something you can do
- Somewhere you are
- Something you exhibit
- Someone you know

The most common form of authentication combines two “something you know” forms of authentication: a username and a password or passphrase. This form is easily implemented across many types of interfaces, including standard keyboards and assistive technology interfaces.
If both values match the credentials associated within the authorization system’s database, the credentials can be authenticated and authorized for a connection. An organization’s authentication needs are relative to the value assigned to a particular resource’s security. Additional authentication layers required for access increase both the administrative overhead necessary for management and the difficulty users have trying to reach needed resources. Consider, for example, the differences in authentication requirements for access to a high-security solution such as the Department of Energy’s power grid control network and those needed to access an unprivileged local account at a public kiosk. In the first scenario, to establish authentication for rightful access, the use of a combination of multiple biometric, token-based, and password form authentication credentials might be mandatory. You can also use these access methods with more complex forms of authentication, such as dedicated lines of communication, time-of-day restrictions, synchronized shifting-key hardware encryption devices, and redundant-path comparison. You use these to ensure that each account attempting to make an access request is properly identified. In the second scenario, authentication might be as simple as an automatic anonymous guest logon that all visitors share. Different mechanisms for authentication provide different levels of identification, different security of data during the authentication exchange, and suitability to different authentication methods, such as wireless or dial-up network access requests. Multiple authentication factors can be combined to improve the overall strength of the access control mechanism. A common example of a multifactor authentication system is an automated teller machine (ATM), which requires both a “something you have” physical key (your ATM card) and a “something you know” personal identification number (PIN). 
Issues with payment card systems have arisen following public attacks on vendors such as Target, resulting in expanded efforts to enable two-factor authentication using electronic chips in the cards (something you have) and a PIN (something you know). Combining two or more types of authentication improves access security above a single-factor authentication such as your “something you have” car key, which can be used alone without any additional credentials beyond simply possessing the physical key or its duplicate. The difficulty involved in gaining unauthorized access increases as more types of authentication are used, although the difficulty also increases for users who want to authenticate themselves. Administrative overhead and cost of support also increase with the complexity of the authentication scheme, so a solution should be reasonable based on the sensitivity of the data being secured.

The exam might ask you to distinguish between single-factor and multifactor authentication solutions. A multifactor authentication scenario involves two or more types of authentication (something you know, have, or are), not simply multiple credentials or keys of the same type. The common logon/password combination is single-factor authentication using your identity and something you know.

Single Sign-on

The proper identification of a person, device, or group is important to protect and maintain the confidentiality, integrity, and availability (CIA) of an organization’s assets and infrastructure. Based on business policies, identification and access controls can be created to authenticate users and devices. Various methodologies are used to validate identification and grant resource access. Federation, single sign-on, and transitive trust are the three most popular methods of object identification and access validation.
Distributed enterprise networks often include many different resources, each of which might require a different mechanism or protocol for authentication and access control. To reduce user support and authentication complexity, a single sign-on (SSO) capable of granting access across multiple services might be desirable. SSO solutions can use a central metadirectory service or can sequester services behind a series of proxy applications, as with the service-oriented architecture (SOA) approach. In the SOA network environment, the client-facing proxy application provides a standard mechanism for interacting with each service (called a wrapper), handling specialized logon, authentication, and access control functions behind the scenes and out of sight of the consuming user or service.

With SSO, a user can log in to multiple applications during a session after authenticating only once. Access to cloud-based applications has ushered in widespread use of SSO technology in large enterprises. All applications still require a password for login, but the software stores the password. When an application requires a login, the software automatically retrieves the password and provides it to the application on the user’s behalf, resulting in an automatic login. The user still has a password for each system and must change it regularly, based on organizational policy.

Federation

Federation, which is related to SSO, makes it possible to connect identity management systems by allowing identities to cross multiple jurisdictions. A political federation involves myriad equal participants, collaborating through agreements and agreed-upon rules or mediators that can represent a particular political agenda. In the United Nations, for example, each governmental body assigns its own ambassador to speak for the country’s interests.
A federated identity management solution transfers this idea into technology by assigning an administrative account capable of enumerating local security principals and resources. Based on a preestablished trust relationship, a third party accepts the attestation from the original authenticating party. The federation system is accessible from each domain. Thus, accounts in one area can be granted access rights to any other resource, whether local or remote within the communicating domains. This enables enterprises to exchange identity information securely across Internet domains and integrate access to applications across distinct business units within a single organization. In a federated identity system, the user does not supply credentials directly to any application or service except the originating identity provider. The user’s credentials are always stored with the originating organization or identity provider. When the user logs in to a service, the service provider trusts the identity provider to validate the credentials instead of providing credentials to the service provider. This type of enterprise solution provides flexibility for organizations when acquisitions happen or when individual business units maintain independent authentication mechanisms across applications. Federation and SSO are often used together but are two distinct and different concepts. Many federated identity management solutions provide some form of SSO, and many SSO systems are implemented using federated identity management. The two don’t have to be intertwined; they can be used entirely separately from each other. The main difference is that federation eliminates the requirement to use a password. The federation server stores the username in each application and presents that application with a token that is then used for authentication. 
Transitive Trust

In addition to the mechanisms described so far for provisioning identification and access control, transitive trust relationships can be configured for directory services to allow users to traverse domains. Transitive trust provides access across an enterprise or multiple enterprises, connecting resources and users across multiple resource pools. Two domains can be configured to share trust through configuration of an administrative connection between two resource pools. A one-way trust—in which, for example, Domain A trusts Domain B—allows resources in Domain A to be accessed by security principals (users, services, and so on) in Domain B. A two-way trust allows each domain to trust members of either domain. For example, with two-way trust, Domain A and Domain B resources can be accessed by authorized requests from user accounts in either Domain A or Domain B.

In compatible domains, a limited form of interoperation can be assigned directly between two resource pools through administrative actions within each to specifically designate the other as a trusted resource pool and allow enumeration of accounts and available resources. Access control over any resource can then be granted or denied to any account in either domain. This connection is termed a trust, which is like a direct agreement between allied countries. If the trust is configured so that any domain trusting Domain A will then trust all other domains that Domain A trusts, this connection is called a transitive trust. This is like having your siblings trust a friend of your father, and the arrangement turns transitive if you and your siblings agree to trust everyone your father trusts.

Authentication Technologies

Employees should have access to facilities based on their roles or functions. This includes visitor control and access control to software programs for testing and revision.
Access list restrictions specifically align a person’s access to information with his or her role or function in the organization. Functional or role-based access control determines which persons should have access to certain locations within the facility. Access can be granted via cards, tokens, or biometrics. Most modern access control systems use proximity cards that enable users to gain access to restricted areas. Proximity cards store details of the holder’s identity much as chip and PIN bank cards do. The difference is that proximity readers can read the information using radio frequency communication, making actual contact with the card unnecessary. Simply holding the card close to the reader enables its details to be read and checked quickly.

Security tokens can be used to grant access to computers and devices. A security token is a small, easy-to-carry, tamper-resistant physical object. A token may be used in addition to a PIN or password so that if the token falls into the wrong hands, it is useless without the corresponding information. One of the most common physical security tokens is a key fob.

Tokens

One of the best methods of “something you have” authentication involves using a token, which can be either a physical device or a one-time password issued to the user seeking access. In the case of credit cards, this is an embedded chip in the card itself that must be paired with a “something you know” PIN code to avoid the $18.5 million exploit Target suffered in 2013. Tokens include solutions such as a chip-integrated smart card or a digital token (such as RSA Security’s SecurID token) that provides a numeric key that changes every few minutes and is synchronized with the authentication server. Without the proper key or physical token, access is denied. Because the token is unique and granted only to the user, pretending to be the properly authorized user (through spoofing) is more difficult.
A digital token is typically used only one time or is valid for a very short period of time to prevent capture and later reuse. Most token-based access control systems pair the token with a PIN or another form of authentication to protect against unauthorized access using a lost or stolen token. Telecommuters might use an electronic device known as a key fob that provides one part of a three-way match to use an insecure network connection to log in to a secure network. The key fob might include a keypad on which the user must enter a PIN to retrieve an access code, or it could be a display-only device such as a VPN token that algorithmically generates security codes as part of a challenge/response authentication system. A one-time password (OTP) is a password that can be used only one time. An OTP is considered safer than a regular password because the password keeps changing, providing protection against replay attacks. The two main standards for generating OTPs are TOTP and HOTP. Both of these standards are governed by the Initiative for Open Authentication (OATH). The time-based one-time password (TOTP) algorithm relies on a shared secret and a moving factor or counter, which is the current time. The moving factor constantly changes based on the time that has passed since an epoch. The HMAC-based one-time password (HOTP) algorithm relies on a shared secret and a moving factor or counter. When a new OTP is generated, the moving factor is incremented, so a different password is generated each time. The main difference between HOTP and TOTP is that HOTP passwords can be valid for an unknown amount of time. In contrast, TOTP passwords keep changing and are valid for only a short period of time. Because of this difference, TOTP is considered more secure. While traditionally many TOTP solutions were hardware based, TOTP solutions are commonly implemented via authentication applications on mobile devices. 
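The HOTP and TOTP algorithms described above, worked through in code (an added example, not from the exam guide or from OATH). It generates codes per RFC 4226 and RFC 6238 using the RFCs’ published test key, and adds the server-side checks that give a one-time password its two properties: a code is accepted once only, and a TOTP code stops being accepted once its time step has passed. The verifier classes and the look-ahead and skew values are illustrative design choices, not part of either RFC.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation plus server-side verification with
replay protection. Added example; RFC_SECRET is the RFCs' SHA-1 test-vector key, not a real credential."""
import hmac
import struct

# Reference key from RFC 4226 Appendix D / RFC 6238 Appendix B ("12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30, t0: int = 0) -> str:
    """RFC 6238: TOTP is HOTP whose moving factor is the number of time steps elapsed since t0."""
    return hotp(secret, (unix_time - t0) // step, digits)


class HotpVerifier:
    """Server side of HOTP. The token's counter only moves when the user presses the button, so the
    server tolerates skipped presses with a look-ahead window, but it never accepts a counter at or
    below the last one it consumed: that is what stops a captured code from being replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0            # lowest counter value the server will still accept
        self.look_ahead = look_ahead     # illustrative resynchronisation window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.next_counter = c + 1    # resynchronise and consume: replaying `code` now fails
                return True
        return False


class TotpVerifier:
    """Server side of TOTP. Accepts the current step and +/- `skew` neighbouring steps to absorb
    clock drift, and remembers the highest step already used so the same code is not accepted
    twice inside its validity window (the RFC 6238 'one use per time step' recommendation)."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step = -1              # highest time step whose code has been consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:      # already consumed (or older): refuse replay
                continue
            if hmac.compare_digest(hotp(self.secret, s).encode(), code.encode()):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                 # 755224 (RFC 4226 Appendix D)
    print(totp(RFC_SECRET, 59, digits=8))      # 94287082 (RFC 6238 Appendix B)
    server = TotpVerifier(RFC_SECRET)
    print(server.verify(totp(RFC_SECRET, 59), 59))   # True: fresh code for the current step
    print(server.verify(totp(RFC_SECRET, 59), 60))   # False: the same code presented again
```

The TOTP verifier shows why the text calls TOTP the more secure of the two: even with the skew window, a replayed code is refused immediately, and after the window passes it no longer matches at all, whereas an HOTP code stays valid until the counter moves past it.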
Remember that the main difference between HOTP and TOTP is that HOTP passwords can be valid for an unknown amount of time. TOTP passwords keep changing, are valid for only a short period of time, and are more secure.

Mobile devices can be used as authentication devices. Many vendors offer OTPs via authentication applications for mobile devices such as Apple iOS and Android. Figure 12.1 shows a screenshot of one authentication application, Google Authenticator. The figure shows the application maintaining one-time-use token codes across several different cloud-based logons. In addition to providing the username, the user would need to provide the password and the one-time-use code, which changes every 30 seconds, as indicated by the decreasing pie icon on the right-hand side.

Figure 12.1 Google’s Authenticator mobile authentication application for delivering one-time token codes

An application might require an OTP for performing highly sensitive operations such as fund transfers. OTPs can be either Short Message Service (SMS) generated or device generated. Device-generated OTPs are better than SMS-generated OTPs because they eliminate the sniffing and delivery time issues associated with SMS-generated OTPs. Another feature of mobile software applications delivering OTPs is that the user can receive push notifications. With these notifications, the user doesn’t need to manually enter a code but rather needs to accept the push notification, usually with a single tap. Table 12.1 briefly describes the common authentication methods.
Table 12.1 Common Token and Similar Authentication Technologies
Biometrics

In theory, the strongest security is offered by combining biometric (body-measuring) keys that are unique to a particular user’s physical characteristics (such as fingerprints and retinal or iris patterns) with other authentication methods that involve either access passwords or token-based security requiring the possession of a physical smart card key. The most unique qualities of an individual can be obtained by measuring and identifying the person’s unique physical characteristics in “something you are” forms of biometric measurement authentication—called biometrics—such as fingerprints, retinal patterns, iris patterns, blood vessel patterns, bone structure, and other forms of physiological qualities unique to each person. Other “something you do” values can be measured, such as voice pattern recognition, movement kinematics, or high-resolution cardiac patterns. However, because these can change based on illness, injury, or exertion, they suffer high rates of false rejection (that is, valid attempts at authentication that are returned as failures).

Many systems are available to authenticate users by their body measurements (biometrics). Those measures are compared to values stored within an authorization system’s database and provide authentication only if the new biometric values match those previously stored. Another alternative is to store biometric data on smart card tokens, which the localized authentication service can pair with the requisite physical measurement without requiring a centralized database for comparison. This is useful when users must be authenticated in a widely distributed scheme and transactions against a central server storing large and complex biometric values might be difficult. Table 12.2 describes some of the most common biometric methods.

Table 12.2 Common Biometric Measures for Authentication
- Fingerprint: Scans and identifies the swirls and loops of a fingerprint. Issues: Injury, scars, or loss of a finger might create false rejection results. The pattern alone can easily be counterfeited, so it is best to pair this method with at least one other measure.
- Hand geometry: Measures the length and width of a hand’s profile, including hand and bone measures. Issues: Loss of fingers or significant injury might create false rejection results.
- Voiceprint: Measures the tonal and pacing patterns of a spoken phrase or passage. Issues: Allergies, illnesses, and exhaustion can distort vocal patterns and create false rejection results.
- Facial recognition: Identifies and measures facial characteristics, including eye spacing, bone patterns, chin shape, and forehead size and shape. Issues: This method is subject to false rejection results if the scanner is not aligned precisely with the scanned face.
- Retina: Scans and identifies the unique blood vessel and tissue patterns at the back of the eye. Issues: Illness or inaccurate placement of the eye against the scanner’s cuff can result in false rejection results.
- Veins/blood vessels: Identifies and measures unique patterns of blood vessels in the hand or face. Issues: Environmental conditions, clothing, and some illnesses can lead to false rejection results due to measurement inaccuracies.
- Signature: Records and measures the speed, shape, and kinematics of a signature provided to an electronic pad. Issues: Attitude, environment, injury, and use of alcohol or medication can create variations in personal signature and might render false rejection results.
- Gait: Records and measures the unique patterns of weight shift and leg kinematics while walking. Issues: Variations in gait due to attitude, environment, injury, and alcohol or medication use might render false rejection results.

Remember that combinations of biometric solutions, such as readers for both hand geometry and blood vessel patterns, remain a single-factor “something you are” authentication solution unless they are also paired with something else, such as a “something you have” key card.
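How the false rejection problem listed for every method in the table trades off against false acceptance, worked through on constructed data (an added example, not from the exam guide). A biometric matcher emits a similarity score and the system accepts when the score reaches a threshold; sweeping that threshold over made-up genuine and impostor scores shows how the false acceptance rate (FAR) and false rejection rate (FRR) move in opposite directions and where they cross (the crossover error rate, CER). The score lists and the 0 to 100 scale are assumptions for illustration.

```python
"""Biometric error rates on constructed matcher output. Added example; the scores are made up
and do not come from any product or dataset."""
from typing import List, Tuple

# Constructed similarity scores, 0-100, as a fingerprint matcher might report them.
# Genuine attempts: enrolled users presenting their own finger.
GENUINE = [92, 88, 95, 75, 81, 60, 97, 84, 90, 70]
# Impostor attempts: other people's fingers compared against the same templates.
IMPOSTOR = [20, 35, 42, 55, 28, 65, 38, 50, 72, 30]


def far(impostor: List[int], threshold: int) -> float:
    """FAR: share of impostor attempts wrongly accepted (score reaches the threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """FRR: share of genuine attempts wrongly rejected (score falls short of the threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every integer threshold. Raising the threshold lowers FAR and
    raises FRR, which is the trade-off every row of the biometric table is describing."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in range(0, 101)]


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Lowest threshold at which FAR and FRR are closest (equal for this data) and the CER there.
    A lower CER means a more accurate matcher."""
    t, f_a, f_r = min(error_curve(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (f_a + f_r) / 2


def threshold_for_max_far(genuine: List[int], impostor: List[int], max_far: float) -> Tuple[int, float]:
    """Policy choice for a high-security deployment: the lowest threshold whose FAR does not exceed
    max_far, returned with the FRR (legitimate users turned away) that the choice costs."""
    for t, f_a, f_r in error_curve(genuine, impostor):
        if f_a <= max_far:
            return t, f_r
    return 101, 1.0   # not reachable with integer scores <= 100; kept so the function always returns


if __name__ == "__main__":
    print(crossover(GENUINE, IMPOSTOR))                     # (66, 0.1): FAR = FRR = 10 %
    print(threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))    # (73, 0.2): no impostors, 20 % of users rejected
```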
The success of using biometrics comes down to two key elements. First is the efficacy rate in uniquely identifying an individual along with how difficult it is for an attacker to trick the system. To understand this balance, it’s important to understand that biometric devices are susceptible to false acceptance and false rejection rates. A false acceptance rate (FAR) measures the likelihood that the access system will wrongly accept an access attempt (in other words, allow access to an unauthorized user). The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. The crossover error rate (CER) is the percentage of times the FAR and FRR are equal. The CER increases if routine maintenance procedures on biometric devices are not performed. Generally, the lower the CER, the higher the accuracy of the biometric system. The lower the FAR and FRR, the better the system. Biometric data is stored in a database and used for comparison functions, so that database must be protected against compromise. Forgery of biometric mechanisms can be an issue, especially where fingerprint technology is concerned.

False acceptance rate (FAR) involves allowing access to an unauthorized user. False rejection rate (FRR) is the failure to recognize an authorized user.

Card Authentication

Strengthening an authentication system involves making it difficult to falsify or circumvent its process. Anonymous or open access is the weakest possible form of authentication, and a requirement for both a logon identifier and a password might be considered the simplest form of actual account verification.
The highest levels of authentication might involve not only account logon but also criteria measuring whether the logon is occurring from specific network addresses or perhaps whether some type of additional physical security measure is present.

Proximity cards are a basic form of physical access controls. Such a card has an embedded microchip that holds very little information. The main purpose of the card is to determine access by matching the card identification number to information in a database. If the number is in the database, access is granted. The most common use of a proximity card is for door access. Proximity cards are also used for applications that require quick processing, such as toll booths and parking garages.

Smart card authentication is a form of “something you have” authentication that uses a standard wallet card with an embedded chip that can automatically provide an authenticating cryptographic key to a smart card reader. A smart card typically displays a picture of the cardholder and has a programmable chip that provides identification and authentication. Communication between the card and reader occurs either through direct physical contact or with a remote contactless electromagnetic field. Implementing smart cards into a physical security solution improves overall security by allowing additional identification methods such as biometrics to be used for authentication.

Certificate-Based Authentication

Certificate-based authentication involves using a digital certificate to identify a user or device before granting access to a resource. Certificate-based authentication is based on “something you have,” which is the user’s private key, and “something you know,” which is the password that protects the private key. IEEE 802.1X authentication allows only authorized devices to connect to a network. The most secure form of IEEE 802.1X authentication is certificate-based authentication.
When this authentication model is used, every client must have a certificate to validate its identity. When implementing 802.1X with wired networks, using a public key infrastructure (PKI) to deploy certificates is recommended.

A personal identity verification (PIV) card is a contactless smart card used to identify federal employees and contractors. NIST developed the standard “Personal Identity Verification (PIV) of Federal Employees and Contractors,” published as Federal Information Processing Standards (FIPS) Publication 201. A PIV card contains the data needed for the cardholder to be granted access to federal facilities and information systems, including separation of roles and strong biometric binding.

A smart card used by the U.S. Department of Defense is known as a Common Access Card (CAC). Most civilian users who work for the federal government use PIV cards. A CAC is a credit card–sized smart card used as an identification card for active duty uniformed service personnel, selected reserve personnel, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to DoD computer networks and systems. Homeland Security Presidential Directive 12 (HSPD 12) established the policies for a common identification standard for federal employees and contractors. DoD Instruction (DoDI) 1000.13 says that a CAC serves as the federal PIV card for DoD implementation of HSPD 12, which requires PIV cards to have secure components, including PKI digital certificates and biometrics. When a CAC is inserted into a smart card reader and the associated PIN is entered, the information on the card’s chip is compared with data on a government server. Access is then either granted or denied.

The exam might include questions about two relatively new forms of smart card required for U.S. federal service identity verification under the Homeland Security Presidential Directive 12 (HSPD 12):
- Common access card (CAC): A smart card used in military, reserve officer, and military contractor identity authentication systems
- Personal identity verification (PIV) card: A smart card used for federal employees and contractors

Quiz

1. Which one of the following is provided to an AAA system for identification?
A. Passcode
B. Username
C. Password
D. One-time token code

2. Which of the following is an example of two-factor authentication?
A. Website requiring username and password
B. ATM requiring credit card and PIN
C. Website requiring a one-time token code to log in
D. ATM requiring facial recognition

3. The business units you represent are complaining that there are too many applications for which they need to remember unique complex passwords. This is leading many to write down their passwords. Which of the following should you implement?
A. TOTP
B. HOTP
C. MFA
D. SSO

4. Which of the following measures the likelihood that an access system will wrongly accept an access attempt and allow access to an unauthorized user?
A. FRR
B. FAR
C. CER
D. CAC

Answers

Answer 1: B. A username is the most common factor used for identification. Answers A, C, and D are all incorrect as they represent forms of authentication and not identification.

Answer 2: B. A credit card is something you have, and the PIN is something you know. Answer A is incorrect as the username and password are both something you know (and the username is really just something to identify you). Answer C is incorrect, as this is just a single factor. (However, a one-time token code is commonly used as a second factor when used with a password, for example.) Answer D, like answer C, is just a single factor and is incorrect.

Answer 3: D. SSO refers to single sign-on capabilities. With SSO, a user can log in to multiple applications during a session after authenticating only once. Answers A, B, and C are incorrect. These all refer to multifactor authentication and the use of one-time passwords.

Answer 4: B. The false acceptance rate (FAR) measures the likelihood that an access system will wrongly accept an access attempt (in other words, allow access to an unauthorized user). Answer A is incorrect because the false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. Answer C is incorrect. The crossover error rate (CER) is the percentage of times the FAR and FRR are equal. Answer D is incorrect because a Common Access Card (CAC) is a smart card used in military, reserve officer, and military contractor identity authentication systems.