2. Scope of Lesson
• General Scope
• Manage Identification and Authentication
• Authentication
• Authorization
• Accountability
• Single Sign On (SSO)
• SESAME
• SAML
• Single Factor/Multifactor Authentication
• Something You Know, Something You Have, Something You Are
• Emerging Authentication Technologies
TürkTelekom | Internal | Contains No Personal Data
3. This lesson's scope is to introduce the concept of identity
management. The terminology will be defined, and further readings will be
mentioned.
General Scope
4. • A person’s identity is, in one sense, who they are. When a person opens a new bank account, creates a new
email account, or is hired by a company, the organization creates a formal identity for that person in its system.
This often includes defining the specific resources a user needs and determining the type of access to those
resources the user may have.
Manage Identification and Authentication of People, Devices, and Services
5. • Authentication (who can log in) is actually a two-
step process consisting of identification and
authentication (I&A). Identification is the means by
which a user (subject) presents a specific identity
(such as a username) to a system (object).
Authentication is the process of verifying that
identity. For example, a username/password
combination is one common technique (albeit a
weak one) that demonstrates the concepts of
identification (username) and authentication
(password).
Authentication
6. • Authorization (also referred to as establishment)
defines the rights and permissions granted to a user
account or process (what you can do). After a
system authenticates a user, authorization
determines what that user can do with a system or
resource.
Authorization
7. • Accountability is the capability to associate users and processes with
their actions (what they did). Audit trails and system logs are
components of accountability.
• An important security concept that’s closely related to accountability
is non-repudiation. Non-repudiation means that a user (username
Madame X) can’t deny an action because her identity is positively
associated with her actions. Non-repudiation is an important legal
concept. If a system permits users to log in using a generic user
account, or a user account that has a widely known password, or no
user account at all, then you can’t absolutely associate any user with
a given (malicious) action or (unauthorized) access on that system,
which makes it extremely difficult to prosecute or otherwise
discipline that user.
• Accountability determines what a subject did.
Accountability
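The four concepts on slides 5 to 7, as an added example that is not part of these slides: one access request passes through identification, authentication, authorization and accountability in turn, and a generic account is refused at the identification step because its actions could not be tied to one person. The user name, password, permission strings and the list of generic accounts are constructed for the example.

```python
import hashlib, hmac, os, time

def _hash_pw(password: str, salt: bytes) -> bytes:
    # Passwords are stored only as salted PBKDF2 hashes, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store (hypothetical names): what each subject may do.
_SALT = os.urandom(16)
USERS = {
    "madame.x": {"salt": _SALT, "pw": _hash_pw("correct horse", _SALT),
                 "perms": {"read:reports"}},
}
# Generic or shared accounts defeat non-repudiation: their actions cannot be
# tied to one person, so identification refuses them outright.
GENERIC_ACCOUNTS = {"guest", "admin", "shared"}
AUDIT_LOG = []  # accountability: the trail of who did what, and with what result

def identify(username: str) -> bool:
    """Identification: the subject presents an identity (here, a username)."""
    return username in USERS and username not in GENERIC_ACCOUNTS

def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claimed identity with something you know."""
    rec = USERS[username]
    return hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["pw"])

def authorize(username: str, action: str) -> bool:
    """Authorization: what the authenticated subject is permitted to do."""
    return action in USERS[username]["perms"]

def request(username: str, password: str, action: str) -> str:
    """Run I&A, then authorization, and record the outcome in the audit trail."""
    if not identify(username):
        outcome = "rejected:identification"
    elif not authenticate(username, password):
        outcome = "rejected:authentication"
    elif not authorize(username, action):
        outcome = "rejected:authorization"
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"ts": time.time(), "subject": username,
                      "action": action, "outcome": outcome})
    return outcome
```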
8. Single Sign On (SSO)
Few users really want to have to keep track of a separate password for every
application they use at work. Similarly, no IT department truly wants to supply
you with a separate account for each task you perform at work. The resulting
challenge is how to provide authentication for multiple separate applications and
services without building an unacceptable burden for users and system
administrators.
This is the reason single sign-on (SSO) became a popular goal for security
architects. The idea, simply, is that each user gets a single identity (and a single
set of credentials) to use with all software across the enterprise. It becomes the
job of the various pieces of software to communicate (“talk to each other”),
keeping track of when, whether, and with what degree of assurance the user has
been authenticated.
9. SESAME and Kerberos
What is Kerberos?
Kerberos is an authentication protocol that uses tickets to allow nodes to communicate over a non-secure
network and prove their identity to each other in a secure way. Kerberos is based on a client–server model and
provides mutual authentication, so the user and the server verify each other's identity. Messages are
protected against eavesdropping and replay attacks.
Kerberos is built on symmetric keys, requires a trusted third party, and can use PKI during certain
phases of authentication. Kerberos uses UDP port 88 by default.
The main pros of Kerberos are that it is easy for end users, offers centralized control, and is also easy for administrators.
On the other side, the cons are that it is a single point of failure and a single password gives access to everything.
What is SESAME?
SESAME is short for Secure European System for Applications in a Multi-vendor Environment. Often
called the successor to Kerberos, it addresses some of the issues of Kerberos. SESAME uses PKI encryption
(asymmetric), which fixes the Kerberos issue of storing symmetric keys in plaintext.
SESAME uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of
Kerberos' tickets. SESAME is not widely used; Kerberos is widely used since it is built into most operating systems.
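The Kerberos properties listed above (trusted third party, symmetric keys, tickets, protection against replay, mutual authentication), as an added example that is not part of these slides and is not MIT Kerberos code: a simplified ticket exchange between a client, a KDC and a service. Principal names and keys are constructed; the seal()/unseal() helper is a toy encrypt-then-MAC construction standing in for Kerberos' real encryption types, and the message layout is a simplification of AP-REQ/AP-REP, not the wire format.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # toy SHA-256 counter-mode keystream, stands in for Kerberos enctypes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Trusted third party: the KDC shares a long-term symmetric key with every principal.
KDC_KEYS = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
SEEN = set()  # the service's replay cache of authenticators already accepted

def kdc_issue(client, service, lifetime=300):
    """KDC: a session key sealed for the client, and a ticket only the service can open."""
    sk = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[service], {"client": client, "key": sk,
                                      "expires": time.time() + lifetime})
    return seal(KDC_KEYS[client], {"key": sk, "service": service}), ticket

def client_ap_req(client, kdc_reply, ticket, now=None):
    """Client: recover the session key, send the ticket plus a timestamped authenticator."""
    sk = bytes.fromhex(unseal(KDC_KEYS[client], kdc_reply)["key"])
    ts = time.time() if now is None else now
    return sk, ts, ticket, seal(sk, {"client": client, "ts": ts})

def service_ap_rep(service, ticket, auth, skew=300):
    """Service: check ticket, authenticator freshness and replay; None means reject."""
    t = unseal(KDC_KEYS[service], ticket)
    if time.time() > t["expires"]:
        return None
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, auth)  # only a holder of the session key could have built this
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > skew or auth in SEEN:
        return None  # wrong principal, stale timestamp, or replayed authenticator
    SEEN.add(auth)
    return seal(sk, {"ts": a["ts"]})  # mutual authentication: proves the service holds sk

def client_verify(sk, ts, reply):
    return reply is not None and unseal(sk, reply)["ts"] == ts  # reply must echo our timestamp
```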
10. • One modern way this coordination can be achieved is via Security Assertion Markup
Language (SAML). SAML (currently at version 2.0) is an open OASIS standard used to
exchange authentication and authorization data among cooperating processes or domains. The
Organization for the Advancement of Structured Information Standards (OASIS) is a global
nonprofit consortium of vendors and other companies, universities, government agencies,
and individuals. OASIS has more than two dozen technical standards, either in the field or under
development.
SAML
11. • Authentication—the process of proving that a person or system is
who they claim to be—has traditionally been based on one or more
of three authentication factors:
• Type I: Something you know (e.g., a password)
• Type II: Something you have (e.g., a smartcard)
• Type III: Something you are (e.g., your fingerprint)
• These factors can be applied alone or in combination. Single-factor
authentication involves the use of exactly one of these three factors
to carry out the authentication process being requested.
• Multifactor authentication helps to ensure that a user is who he or
she claims to be via the use of more than one factor to carry out the
authentication process being requested.
Single Factor/Multifactor Authentication
12. • Passwords are by far the most commonly used
authentication mechanism. They are just about the
weakest, too. There are some methods you can use
to get the most out of passwords, but relying on
passwords alone as a single authentication factor is
poor practice.
• Passwords are not the only way to use “something
you know” for authentication. Most likely, you are
already familiar with the most popular alternative,
known as security questions or cognitive passwords.
Something You Know
13. • In most modern facilities, badges and smartcards
have replaced keys and paper passes.
• Electronic badge readers have been ubiquitous for
decades, reading credentials from a magnetic stripe
or chip when the ID is swiped through or waved
near the reader.
• Hard token
• Soft token
• PIVs and CACs
Something You Have
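The factor types on slide 11 and the soft token on slide 13, as an added example that is not part of these slides: a credential-kind table that counts how many distinct factor types a login uses (two Type I credentials, such as a password plus a security question, are still single-factor), and an RFC 6238 time-based one-time password check for a soft token that tolerates a little clock skew but accepts each code only once. The mapping of credential kinds to factor types and the principal names are constructed; the TOTP algorithm itself is the standard one.

```python
import hashlib, hmac, struct

# Constructed mapping of credential kinds to the factor types on slide 11.
FACTOR_TYPE = {"password": "I", "security_question": "I", "smartcard": "II",
               "soft_token": "II", "fingerprint": "III"}

def distinct_factors(kinds) -> int:
    """Number of different factor types; two Type I credentials are still single-factor."""
    return len({FACTOR_TYPE[k] for k in kinds})

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

# Each (user, time step) may be redeemed once, so a code that was observed cannot be reused.
USED_STEPS = set()

def verify_soft_token(username: str, secret: bytes, code: str, now: float,
                      step: int = 30, window: int = 1) -> bool:
    """Accept a code from the current step or +/- `window` steps (clock skew), once only."""
    base = int(now // step)
    for c in range(base - window, base + window + 1):
        if (username, c) not in USED_STEPS and hmac.compare_digest(totp(secret, c * step), code):
            USED_STEPS.add((username, c))
            return True
    return False
```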
14. • Perhaps the surest way of knowing that a person is truly who they claim to be
is by comparing physical measurements of the claimant to those recorded in
a template. This is the “something you are,” biometric approach.
• The most commonly used biometric technique in the world, today and for
the past 100 years, is fingerprinting.
• Palm vein recognition is a biometric method that uses near-infrared
illumination to see (and record for comparison) subcutaneous vascular
patterns, the pattern of blood vessels beneath the skin that is
unique to each individual.
• Biometric scans using the retina are even more individualistic than those of
the iris.
• Facial recognition is commonly used as a biometric tool as well. Signature
dynamics can be used for authentication, and keystroke dynamics can also be
used for biometric purposes.
Something You Are
16. • The science of biometric services is constantly advancing. Increased processor
speeds, coupled with more compact form factors, are one reason. Each year it
becomes possible to pack more algorithmic intelligence into cameras and other
sensors. Facial recognition, for example, has leaped forward in recent years—so
much so that in the iPhone X, Apple has introduced facial recognition as the chief
method for authenticating yourself to your phone, although passwords and
fingerprints are still options.
• Similarly, behavior-based recognition is improving each year as well. “Something
you do”—as represented by signature dynamics, keystroke patterns, and even hand
gestures— is growing as a factor in authentication, especially for mobile devices.
• Some vendors have gone further, adding another dimension of authentication with
“somewhere you are”—that is, location-based authentication. Although location
has been dreamt of for decades as a means of assurance, recent advances may
make it realistic at last to validate that a person or system truly is where they claim
to be. The implications for off-site operation of critical infrastructure in
emergencies, if nothing else, would be transformative.
Emerging Authentication Technologies
17. What did we learn today?
• Manage Identification and Authentication
• Authentication
• Authorization
• Accountability
• Single Sign On (SSO)
• SESAME and Kerberos
• SAML
• Single Factor/Multifactor Authentication
• Something You Know, Something You Have, Something You Are
• Emerging Authentication Technologies