General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 13
highly complex and secure methods, which may involve higher costs and more time, or can be very simple. For example, if someone you personally know comes to your door, you visually recognize them, and if you want them to enter, you open the door. In this case, you have performed the authentication process through your visual recognition of the individual. All authentication processes follow this same basic premise: we need to prove who we are, or who the individual, service, or process is, before we allow them to use our resources.
Authentication allows a sender and receiver of information to validate each other as the appropriate entities with which they want to work. If entities wishing to communicate cannot properly authenticate each other, there can be no trust in the activities or information provided by either party. Only through a trusted and secure method of authentication can administrators provide for a trusted and secure communication or activity.
The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other. This can be as simple as a secret handshake or a key. As with all simple forms of protection, once knowledge of the secret key or handshake is disclosed to non-trusted parties, there can no longer be trust in who is using the secrets.
Many methods can be used by an unauthorized person to acquire a secret key, from tricking someone into disclosing it, to high-tech monitoring of communications between parties to intercept the key as it is passed between parties. However the code is acquired, once it is in a non-trusted party's hands, it can be used to falsely authenticate and identify someone as a valid party, forging false communications or utilizing the user's access to gain permissions to the available resources.
Original digital authentication systems shared a secret key across the network with the entity with which they wanted to authenticate. Applications such as Telnet and FTP are examples of programs that simply transmit the username and password in cleartext to the party they are authenticating. Another area of concern is Post Office Protocol 3 (POP3) e-mail, which, in its default state, sends the complete username and password information in cleartext, with no protection.
The problem with this method of authentication is that anyone who monitors a network can possibly capture a secret key and use it to gain access to the services, or to attempt to gain higher privileged access with your stolen authentication information.
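To make the cleartext-credential problem concrete, here is a small detector, added as an example and not taken from the book, that walks the client side of a captured POP3 or FTP command stream and reports any USER/PASS sent before the connection was upgraded with STLS (POP3) or AUTH TLS (FTP). The session transcripts and function names are constructed for this example.

```python
from typing import Dict, List

# Per protocol: the commands that carry a credential, and the command that
# upgrades the connection to TLS. Anything sent after a successful upgrade
# travels inside TLS and would not appear in cleartext on the wire.
CRED_CMDS = {"pop3": {"USER", "PASS"}, "ftp": {"USER", "PASS"}}
TLS_CMDS = {"pop3": "STLS", "ftp": "AUTH"}


def find_cleartext_creds(protocol: str, lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per credential command observed before TLS was
    negotiated. `lines` are the client-to-server commands in order (here a
    constructed capture). Password values are redacted in the findings so the
    report itself does not leak the secret."""
    proto = protocol.lower()
    tls_active = False
    findings: List[Dict[str, str]] = []
    for line in lines:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        # STLS (POP3) or AUTH TLS (FTP) switches the channel to TLS.
        if cmd == TLS_CMDS[proto] and (proto == "pop3" or arg.upper() == "TLS"):
            tls_active = True
            continue
        if cmd in CRED_CMDS[proto] and not tls_active:
            findings.append({
                "command": cmd,
                "value": "<redacted>" if cmd == "PASS" else arg,
            })
    return findings


# Constructed sample captures (client commands only).
POP3_PLAIN = ["USER alice", "PASS hunter2", "STAT", "QUIT"]
POP3_STLS = ["CAPA", "STLS"]            # login happens inside TLS afterwards
FTP_AUTH_TLS = ["AUTH TLS", "USER bob", "PASS s3cret"]

if __name__ == "__main__":
    for name, proto, capture in [("POP3 plain", "pop3", POP3_PLAIN),
                                 ("POP3 STLS", "pop3", POP3_STLS),
                                 ("FTP AUTH TLS", "ftp", FTP_AUTH_TLS)]:
        print(name, "->", find_cleartext_creds(proto, capture) or "no cleartext credentials")
```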
What methods can be used to provide a stronger defense? As discussed previously, sharing a handshake or secret key does not provide long-lasting and secure communication or the secure exchange of authentication information. This has led to more secure methods of protection of authentication mechanisms. The following
www.syngress.com