General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 27
To summarize, multi-factor authentication is more secure than other methods, because it adds steps that increase the layers of security. However, this must be balanced against the degree to which it inconveniences the user, since this may lead to improper use of the process.
Mutual Authentication
Mutual authentication is a process where both the requestor and the target entity must fully identify themselves before communication or access is allowed. This can be accomplished in a number of ways. You can share a secret, or you can use a Diffie-Hellman key exchange (see Chapter 9), which provides a more secure method of exchange that protects the secret being used for the verification and authentication process. Another method that can be used for mutual authentication is the use of certificates. To verify the identities, the CA must be known to both parties, and the public keys for both must be available from the trusted CA. This is occasionally used with SSL, where both the server and the client have certificates and each is used to confirm the identity of the other host.
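The certificate-based variant described above (a CA known to both parties, and each side verifying the other's certificate) is what a TLS stack implements as client-certificate authentication. The following is an added example written for this page, not code from the book: it builds a throw-away CA in memory, issues one certificate to a server and one to a client named "alice" (both constructed names), and runs a loopback TLS connection in which the server demands a certificate chaining to that CA while the client verifies the server the same way. A second call omits the client certificate to show the server rejecting a one-sided handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue generates a P-256 key and a certificate for tmpl. With parent == nil the
// certificate is self-signed (used for the CA); otherwise parent/parentKey sign it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return der, cert, key, err
}

// buildPKI builds a throw-away CA (the trust anchor known to both parties) and one
// leaf certificate each for the server and the client, both signed by that CA.
// All names are constructed for this example.
func buildPKI() (*x509.CertPool, tls.Certificate, tls.Certificate, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank Root CA"},
		NotBefore:             now,
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	_, caCert, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, tls.Certificate{}, err
	}
	// leaf issues an end-entity certificate restricted to one purpose (server or client).
	leaf := func(cn string, eku x509.ExtKeyUsage, serial int64) (tls.Certificate, error) {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			DNSNames:     []string{"localhost"},
			NotBefore:    now,
			NotAfter:     now.Add(time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
		der, _, key, err := issue(tmpl, caCert, caKey)
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv, err := leaf("bank.example", x509.ExtKeyUsageServerAuth, 2)
	if err != nil {
		return nil, tls.Certificate{}, tls.Certificate{}, err
	}
	cli, err := leaf("alice", x509.ExtKeyUsageClientAuth, 3)
	return pool, srv, cli, err
}

// Connect runs one TLS exchange over loopback. The server requires a client
// certificate chaining to the shared CA and the client verifies the server against
// the same CA. It returns the server's greeting, which names the identity the
// server verified, or an error if either side rejected the other.
func Connect(presentClientCert bool) (string, error) {
	pool, srvCert, cliCert, err := buildPKI()
	if err != nil {
		return "", err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting makes the handshake mutual
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // client presented no certificate, or one not issued by our CA
		}
		who := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(tc, "hello %s\n", who)
	}()

	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if presentClientCert {
		clientCfg.Certificates = []tls.Certificate{cliCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client certificate surfaces here
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(buf[:n])), nil
}

func main() {
	fmt.Println(Connect(true))  // hello alice <nil>
	fmt.Println(Connect(false)) // "" and a "certificate required" style error
}
```

The server never consults a password: the identity it reports comes from the subject of a certificate it verified against the CA pool, and the client has verified the server's certificate against the same pool, which is exactly the two-way check the text describes. The failing call shows the practical cost the chapter goes on to discuss: a user without a certificate issued by the bank's CA cannot connect at all.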
One area that uses the mutual authentication process is access of a user to a network via remote access or authentication via a RADIUS server. This case requires the presence of a valid certificate to verify that the machine is the entity that is allowed access to the network. For instance, early implementations of Windows-based RAS servers had the ability to request or verify a particular telephone number to try to verify the machine location. With the development of call forwarding technologies, however, it became apparent that this was no longer satisfactory. Mutual authentication allows you to set secure parameters and be more confident that communication is not being intercepted by a Man-in-the-Middle (MITM) attacker (see Chapter 2 and Chapter 9) or being redirected in any way.
Mutual authentication provides more secure communications by positively identifying both sides of a communication channel. However, it is often difficult or costly to implement. An example of this is in the online banking industry. Online banks use SSL certificates to confirm that the site the customer is communicating with is indeed the site they are expecting. With mutual authentication, this confirmation would be expanded so that the online banking site is certain that the user accessing an account is actually who they say they are. Setting up mutual authentication in this manner would involve requiring each user to obtain a certificate from a CA trusted by the online bank. Instructing the user on how to accomplish this would be a daunting task. And what if they need to access their account from a different system? If the certificate is based on their home computer, they may
www.syngress.com