Taxonomies of User-Authenticated Methods in Computer Networks

Göran Pulkkis, Arcada Polytechnic, Finland
Kaj J. Grahn, Arcada Polytechnic, Finland
Jonny Karlsson, Arcada Polytechnic, Finland

Presented By, T.R.Santhosh



4/28/2008

Outline

Definitions
Classifications of user-authentication methods based on five different taxonomies.
– User identification-based taxonomy.
– Authentication methodology-based taxonomy.
– Authentication quality-based taxonomy.
– Authentication complexity-based taxonomy.
– Authentication scope-based taxonomy.
Elements of User Authentication Methods.
– User identification.
– Authentication protocol.
– Registration of legitimate users.


Definitions

Authentication:
– User authentication is a process where a computer, computer program, or another user attempts to confirm that a user trying to set up a communication is the person he or she claims to be.
Identification:
– Identification is a way of providing a user with a unique identifier for an automated system. During the authentication process, the system validates the authenticity of the claimed user identity by comparing identification data with data stored in a user registry.
Authorization:
– Authorization is a process of assigning rights to an authenticated user to perform certain actions in the system.


User Identification-Based Taxonomy

This taxonomy of user authentication is based on how a user identifies himself or herself.
This classification has four main branches, as shown in Figure


User Identification-Based Taxonomy Contd.,

The first three branches represent well-known user identification methods:
– “something you know” — knowledge-based user authentication
– “something you have” — token-based user authentication
– “something you are” — biometric user authentication
– The fourth branch, recognition-based user authentication, is a method in which the network authentication system discovers a unique user feature like the MAC address of the user computer.


Authentication Methodology-Based Taxonomy

The taxonomy of user authentication based on the authentication methodology has branches for:
– cryptographic authentication.
– non-cryptographic authentication.
– open access.


Authentication Quality-Based Taxonomy

From the quality point-of-view, user authentication can be classified in the following categories:
– Insecure authentication = unacceptable security risks
– Weak authentication = significant security risks
– Strong authentication = small security risks.


Authentication Complexity-Based Taxonomy

An authentication complexity-based taxonomy classifies authentication methods as:
– Single-factor authentication.
– Multiple-factor authentication.
Multiple-factor authentication means that a user is identified by more than one method.
– Token-based authentication is the best-known example of two-factor authentication, since token use is authorized by a PIN or by a passphrase or even biometrically.


Authentication Scope-Based Taxonomy

An authentication scope-based taxonomy classifies authentication methods as:
– Service-bound methods.
– Single sign-on (SSO) methods.
Service-bound authentication gives a legitimate user access to one service or to one computer or to one network.
An SSO authentication opens user access to a set of services and/or computers and/or networks in which this user has been registered.


Elements of a User-Authentication Method

A user authentication method consists of three key elements:
– User identification.
– Authentication protocol.
– Registration of legitimate users.


User Identification

User Passwords
– A user password is a character string known only by the user. Security risks are related to password quality and password privacy. Improved password security is achieved by password renewal policies.
– Best password security is achieved by one-time passwords.
Exclusive User Ownership of a Token
– Exclusive user ownership of a token means exclusive access to a private key in public key cryptography or exclusive access to a generator of successive access codes (timed token or authenticator).
– Security risks with tokens generating access-code sequences are related to secrecy of the seed of generation algorithms.
Biometric User Identification


Authentication Protocols

Extensible Authentication Protocol (EAP)
– EAP handles the transportation of authentication messages between a client and an Authentication, Authorization, and Accounting (AAA) server over the link layer.


Registration of Legitimate Users

Registration in a File System
Registration in a Directory System
Registration in a Data Base


Conclusion

Secure user-authentication mechanisms are cornerstones in the design and implementation of computer networks or network services containing important and confidential information.

User-authentication needs are dependent on several factors, such as the size of the network, number of users, and the needed security level.

When planning a taxonomy, it is important to consider user perspectives, expectations, sources of information, and uses of information.


References

Enterprise Information Systems Assurance and System Security
– Merrill Warkentin
– Rayford Vaughn