Uploaded by Arixson

Identification

What I want to cover in this episode is identification, authorization and authentication.

Now when we talk about these three, the best way to really understand it is through an analogy.

So I'm actually buying myself a ticket to go to the theater right now, and I'm going to print out my confirmation code.

Let's go to the theater.

And let me show you how these three work. Two tickets for La Traviata, please.

Now before she's going to give me any tickets, we are going to have to get, in essence, authenticated.

Now the first step I'm going to have to do here is I'm going to provide some form of identification. In this case,

I'm just going to provide a driver's license. Now, because the ticket lady is a human being,

this is an easy way for her to identify me, just by looking at the driver's license.

But it still doesn't mean I'm authenticated to get some tickets. In order for me to do...

Yes.

In order for me to do that, I'm going to have to pull out my confirmation number that I printed out of my printer earlier. Now, between my identification and my confirmation number,

I've actually performed proper authentication.

Thank you very much.

And now I've got my tickets.

Let's go sit down.

OK, Row T, and my seats are 14 and 15.

OK.

Good.

I think I might be here a little early.

The important thing to remember for the Security+ is the difference between identification, authentication and authorization. Identification just proves who I am to the authenticating system. Authentication itself takes place by me proving that I have rights to that system through passwords, smart cards, retinal scanners, whatever it might be.

And then authorization simply means what rights do I have to the system once I've been authenticated.

All right.

So let's do this all over again, except this time let's do it in a more computer kind of world.

I'm going to watch the show.

La Traviata.

Who doesn't enjoy a little bit of their day every now and then.

OK.

Well anyway, we're back in the studio now, and what I want to do is kind of make sure we understand there's some issues when it comes to identification, authorization and authentication.

The challenge we have is that computers aren't people.

I can't go to a lady in a ticket booth and just show them a driver's license or
confirmation number and in essence get my tickets.

Instead what we do is we have what are called authentication factors.

Now there are three big authentication factors that you're going to be seeing on Security+. The first one is something you know; a password, for example, would be something you know. The next one is something you have.

And that means things like a smart card, or something that you actually have on your person that you can use to authorize you.

And the last one is something about you, and that's what we call biometrics. That's going to be things like retinal scanners and things that actually measure the veins in your palm, all kinds of cool stuff like that.

Anyway, let's go ahead and start with the first one, and that is something you know, so the best example is good old passwords.

So here we are, a typical login screen, and you can see that I have my username that I type in and my password. We're all pretty comfortable with something like that.

But passwords aren't the only type of something you know.

Another great example is going to be PIN codes. Now, we see PINs all over the place.

One of my favorite ones is here on my phone right here.

So what I'm going to do is you guys are going to fuzz all this out.

Right.

OK, so I'm going to punch in my password: one two three four.

It's not a password, it's a PIN.

I know.

OK.

That's incorrect.

Like I was really going to let you guys see my PIN code.

Come on now, we see PINs all over the place.

We see them on phones a lot.

ATM machines.

But again, that's a great example of something you know.

In fact, at first, certain Department of Justice folks I work with, not only when you walk up to a machine do you have to type in a password, bijectively you have to type in a PIN separately, depending on what type of authenticating system you might have.

But that's not the only type of something you know.

There's two more I want to look at.

First of all, let's take a look at CAPTCHA.

We've probably all seen a CAPTCHA screen.

Most of the time these tend to pop up, like on websites where you're logging in a few too many times and you're making the authenticating process a little bit nervous.

So what they're going to do is they're going to let you type in your username and password again, but you're going to have to type in the CAPTCHA.

You know what that CAPTCHA says.

The idea here is that it's preventing evil computer programs that can just keep
logging in over and over again from being able to log in.

So that's CAPTCHA.

Now the last one I want to take a look at is right here, and this is going to be security questions.

There's a good chance most of us have seen security questions. Security questions usually pop up, for example, when you've forgotten your password or something like this, and that allows for an automatic password retrieval type system simply by you remembering the name of your first dog or your mother's maiden name or your school that you graduated from, whatever it might be.

So you need to be careful on the Security+ exam right here.

It's easy to remember that something you know would be an example like a password or a PIN.

But also remember that CAPTCHA and security questions are included in something you know.

OK.

The next one is something you have.

Now when we talk about something you have, we're going to talk about two things in particular that you're going to see on Security+. The first one is called a smart card.

And I seem to be out of smart cards right now, but I've got a picture on here on the screen.

Let's take a look at this.

Now this is a very typical smart card that you'll see used in like a lot of federal
organizations and stuff like that.

The important thing about a smart card is that embedded somewhere on that smart card is a chip that holds a unique identifying code.

And when you insert this or when you wave it over a sensor or whatever it might be
it provides that code to the authenticating body.

Now smart cards are great, but the last one I want to show you is known as an RSA key.

Now an RSA key, it can be a little device that's got a number, or it can be a piece of software.

And I actually have one here so let me show you how an RSA key works.

Now I want you to watch this very closely you'll see this a digit code watch.

OK, you see it just changed. An RSA token or an RSA key is a piece of software or an actual physical key, a gadget that stores a secret code of some form.

It then takes that secret code and performs some magic little voodoo on it and will generate a value that changes.

It depends, there's no law of physics: every 30 seconds, every 60 seconds.

So the only way that another device can authenticate this is if it also has that secret code, and it will go ahead and run the same mumbo-jumbo, and if it comes up with the same value you are in good shape.

Now the last one is something about you, and when we talk about something about you, we're talking about something about you physically.

So we could have fingerprint scanners or iris patterns, or even the pattern of the veins in your wrist can be used to identify you uniquely.

Now there's a bunch of these that are out there and if you've got a late generation
iPhone 5 there's fingerprint scanners and things like that.

But what I have here is, my buddy Scott has a cool laptop, and on this laptop is facial recognition, so to use this I'm going to have to do... and this allows him to log into his laptop.

So what I'm going to do here is I'm going to fire the laptop up. On his laptop he's actually just using the camera here to recognize me.

Now if you look on the screen you see it's actually trying to find Scott Jernigan
so we can have a bit of a problem.

They why not.

Oh sorry.

Got my take.

I was just trying to show people how Security+ covers things like something you are. Pretty slick. And like, it is slick.

Thank you for letting me steal your laptop.

Thanks you all done.

We're done.

We're done.

Take it away Jeeves.

Bye bye.

Look forward to stealing more from you in the future.

OK so that is a great example of something about you.

Now there are two more on the Security+ we need to talk about. One of them is called something you do.

And when we talk about something you do, there are actually authentication programs like where, if you log in with your password, for example, not only do you have to have the right password but literally the rhythm of your typing can be used to verify that it's actually you, your kind of typing style, which is pretty cool.

Now the last one I want to talk about is called somewhere you are, and when you talk about somewhere you are, it implies it has to do with geography.

So the best way to show you this is, let's go buy some gasoline. Now somewhere you are has to do, well...

We see it in a lot of places on authentication.

The one place we see it a lot is in the credit card world. For example, here I am buying gas and it wants me to enter my zip code. Works.

So I'm going for regular in here. Now, the other thing to remember about somewhere you are is that this is also used by credit card companies to detect fraud.

So for example, while I'm here in Houston, Texas, if there's someone else trying to use this card in Chattanooga, Tennessee, that would definitely set off some alarms at the credit card company.

Those are the types of authentication really identifications that we run into.

So the challenge that we start to get is that we do a lot of authenticating all over the place.

And if I've got one network over here and then there's like a company and we access
their data a lot.

For some reason or another the hassle of authenticating from one place and then
another can be a bit of a problem.

So with a lot of operating systems, in fact... well, let me rephrase that: with Microsoft Windows in particular, we can actually create authentications based on trust.

So here I've got three different networks.

And in this particular situation these are three different companies that access
this one company's database.

So what becomes interesting is that we can set up what is known as a federated trust situation, and when we say federated trust, it's basically this system saying to this system: if you've got somebody you trust, then I'll trust them as well.

And what we can do, this sets up in Windows, fascinatingly, under Active Directory, is we can set something up and we can actually establish a trust: we can connect to another Windows domain and say this domain trusts this domain, and it can automatically create these types of federated transitive trusts.

The last thing to throw in here is the idea of what we call multi-factor
authentication.

You would never ever use a biometric as a primary and only source of
authentication.

Typically what you're going to do is, pretty much everything works with a username and password, or it could be a PIN number.

So if you're going to authenticate on a system, you're going to use a fingerprint scanner and you're going to type in the username and password, you're going to type in the name and password and you're going to use a hardware token.

So we're always doing the multi-factor form of authentication.

Authentication requires sharing of something you know, something you have, or something you do.

A smart card is an example of something you have; security questions are an example of something you know.

Federated system trust is inherited from a different trusted system.
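The token and the multi-factor login described in this episode, as an added example that is not part of the transcript or the video: a Python implementation of the shared-secret, time-stepped code the video calls an RSA key, using the RFC 6238 TOTP algorithm (HMAC-SHA1 over a 30-second time step) as the concrete form of the "voodoo", plus the server-side check that runs the same computation and combines it with a password. The user name, the password and the secret (the RFC 4226 test-vector key) are constructed for the example; the drift window, the replay check and the constant-time comparison are the details a verifier needs that the video's description leaves out.

```python
"""Added example (not from the video): RFC 6238 time-based one-time passwords
plus a two-factor login check.  Both sides hold the same secret, both derive a
counter from the clock, both run the same HMAC, and the server accepts the
login only when its value matches the one the token displayed."""

import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # the "every 30 seconds" interval the video mentions
DIGITS = 6          # a six-digit code, as most tokens display
PBKDF2_ROUNDS = 100_000

# Constructed demo secret: the ASCII key from the RFC 4226 / RFC 6238 test
# vectors.  A real token carries its own secret, provisioned once and never
# shown again.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """The token's 'voodoo': HMAC-SHA1 over the current time step, then the
    dynamic truncation of RFC 4226 section 5.3 down to a short decimal code."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, last_counter=None):
    """Server side: run the same 'mumbo-jumbo' and compare.  Tolerates one
    step of clock drift either way, refuses any step at or before the last
    code already accepted (so a captured code cannot be replayed inside the
    window), and compares in constant time.  Returns the accepted step or None."""
    if not (len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit()):
        return None
    now = unix_time // STEP_SECONDS
    for step in range(now - window, now + window + 1):
        if step < 0 or (last_counter is not None and step <= last_counter):
            continue
        expected = totp(secret, step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return step
    return None


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus token secret."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": None,
    }


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Multi-factor check: something you know (password) AND something you
    have (the token).  Both factors are always evaluated so a failure does not
    reveal which one was wrong, and the token step is consumed only on success."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    step = verify_totp(user["totp_secret"], code, unix_time,
                       last_counter=user["last_counter"])
    if password_ok and step is not None:
        user["last_counter"] = step
        return True
    return False


if __name__ == "__main__":
    mike = make_user("mike", "correct horse battery staple", DEMO_SECRET)
    now = int(time.time())
    shown = totp(DEMO_SECRET, now)            # what the token would display
    print("token shows:", shown)
    print("login with both factors:", login(mike, "correct horse battery staple", shown, now))
    print("same code again (replay):", login(mike, "correct horse battery staple", shown, now))
```

Run stand-alone it prints the current code and shows that the second use of the same code is refused. With the test-vector key, the code at Unix time 59 is 287082 (the value RFC 4226 lists for counter 1), which is how an implementation like this is checked against the standard.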


Access Control

I've got a laptop right here and it's got some resources on it that I want people
to have access to.

I might have some word documents in a folder some videos whatever it might be.

And because it's on a network, I want people from all over the network to be able to get to my laptop.

Easy enough.

But when we start talking about how we let people have access to stuff, primarily within the networking world, we run into authentication and authorization. Authentication basically means what does it take for you to get into the network, the system, the computer, the resource, whatever it might be.

And when we're talking about this, we're talking about things like usernames and passwords, we're talking about certificates.

We're talking about RSA tokens, we're talking about smart cards, retinal scanners or whatever it might be, to allow the world to know that you are who you're supposed to be.

Now once we're in there though.

So once we're authenticated Now it's well.

What can Mike do in there.

And that is where authorization comes into play.

So make sure you understand the difference between authentication versus authorization.

Now the cornerstone to pretty much everything that takes place in this process is something that we know generically as an Access Control List. Access control lists exist everywhere.

On my computer I have an access control list that's pretty much usernames and passwords and what people can do on folders. On my wireless network I have an access control list that determines the password, channels, things like that. On my Internet connectivity I've got an access control list that blocks port numbers and things like that.

So access control is a very generic term.

And we have to think very generically about this, so it could be all kinds of different things.

But understand that there's almost always going to be some type of access control list when it comes to authentication and authorization.

Now in particular, authorization is kind of interesting, because over the years they've come up with a number of ways to do this. So what I'm going to do is I'm going to use folders as my analogy here, and there are three types of access control that you need to be aware of for the Network+. The first one is known as mandatory access control.

In a mandatory access control world, you would put labels, like for example here is top secret, on the actual resource itself, and based on the label define what you could or could not do on that particular resource.

So it was pretty much either you could access the resource or not access it.

So top secret: as you can tell, this came from the U.S. military, so it's kind of an old-fashioned way to do it.

There's nothing wrong with mandatory access control other than it was a little bit
limiting.

So over the years they came up with another type called discretionary access control. With discretionary access control you could actually define the resource in lots of different ways; for example, you can put the term owner onto a user account.

So Mike is the owner of this resource, other people can be readers of the resource, other people can write to the resource, whatever it might be.

But discretionary gives a little bit more flexibility than the old school mandatory access control.

Now this was good, but what we really do tend to use today more than anything else is role-based access control.

So with role-based access control we can finally use something called groups. Yay.

So with groups, what we can do is we can then create users, put the users into a group.

Now pay attention here: what we can do is we can assign rights and permissions to a group to define what it can do with a shared resource.

So if you take a look at, for example, Microsoft Windows and what they call their best practices, they have a mantra if you ever go for Microsoft certification.

And we all have this memorized, and it's that users go into groups, who then get rights and permissions to folders.

So with role-based access control we can use groups to provide all kinds of flexibility that we don't see with mandatory or discretionary access controls.

So for the Network+, make sure you can memorize mandatory access control, discretionary access control and role-based access control.

Mandatory access control uses labels

Discretionary access control (DAC) gives the creators control over permissions

Role-based access control (RBAC) uses groups
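The three authorization models in this episode (labels on the resource, owner-granted permissions, and users-into-groups), as an added example that is not from the transcript or the video: small Python decision functions for mandatory, discretionary and role-based access control over constructed users, resources and groups. The clearance ordering, the user names (Mike and Scott, as in the video) and the folder names are made up for the illustration; the point each one shows is who is able to change the decision, which is what separates the three models.

```python
"""Added example (not from the video): the three access control models as
decision functions.  MAC: the label decides and nobody can override it.
DAC: the resource's owner hands out permissions.  RBAC: users go into groups,
groups get rights and permissions to folders."""

from typing import Dict, Set

# --- Mandatory access control: a label on the resource decides, period ---
# Constructed label ordering; the video's example label is "top secret".
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allowed(user_clearance: str, resource_label: str) -> bool:
    """All or nothing: the user's clearance must reach the resource's label.
    Neither the user nor the resource's creator can change this rule."""
    return LEVELS[user_clearance] >= LEVELS[resource_label]


# --- Discretionary access control: the owner hands out permissions per user ---
class DacResource:
    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner
        # per-user permission sets; the owner starts with everything
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, granter: str, grantee: str, permission: str) -> None:
        """Only the owner may change who can read or write the resource."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.acl.setdefault(grantee, set()).add(permission)

    def allowed(self, user: str, permission: str) -> bool:
        return permission in self.acl.get(user, set())


# --- Role-based access control: users go into groups, groups get permissions ---
class Rbac:
    def __init__(self):
        self.members: Dict[str, Set[str]] = {}             # group  -> users
        self.grants: Dict[str, Dict[str, Set[str]]] = {}   # folder -> group -> perms

    def add_member(self, group: str, user: str) -> None:
        self.members.setdefault(group, set()).add(user)

    def remove_member(self, group: str, user: str) -> None:
        self.members.get(group, set()).discard(user)

    def grant(self, folder: str, group: str, permission: str) -> None:
        """Rights go to the group, never to an individual user."""
        self.grants.setdefault(folder, {}).setdefault(group, set()).add(permission)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, users in self.members.items() if user in users}

    def allowed(self, user: str, folder: str, permission: str) -> bool:
        folder_grants = self.grants.get(folder, {})
        return any(permission in folder_grants.get(g, set()) for g in self.groups_of(user))


def demo() -> Dict[str, bool]:
    """Constructed scenario touching all three models; returns the decisions."""
    results = {}
    results["mac_secret_reads_top_secret"] = mac_allowed("secret", "top secret")
    results["mac_top_secret_reads_secret"] = mac_allowed("top secret", "secret")

    report = DacResource("quarterly report", owner="mike")
    report.grant("mike", "scott", "read")          # Mike, the owner, decides
    results["dac_scott_reads"] = report.allowed("scott", "read")
    results["dac_scott_writes"] = report.allowed("scott", "write")

    rbac = Rbac()
    rbac.add_member("video editors", "scott")      # user goes into a group
    rbac.grant("videos", "video editors", "write") # group gets the permission
    results["rbac_scott_writes_videos"] = rbac.allowed("scott", "videos", "write")
    rbac.remove_member("video editors", "scott")   # leaving the group revokes it
    results["rbac_after_removal"] = rbac.allowed("scott", "videos", "write")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The RBAC part is where the "users go into groups who then get rights and permissions to folders" mantra pays off: revoking Scott's access touches only the group membership, and every folder that grants rights to that group follows automatically, with no per-folder ACL edits.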
