Niko Dukić / Mario Šale, CS Computer Systems
Alternative authentication methods
© 2005 CS Computer Systems d.o.o. 2
Table of contents:
• Authentication and why it is important
• Authentication methods
• RSA SecurID solutions for authentication
• Implementation of the RSA SecurID solution in a Microsoft Active Directory environment
• Authentication and BS 7799
Authentication
Authentication
• “Is the user really the one he claims to be?”
• Three factors for confirming a user’s identity:
– “Something I know” (password, PIN)
– “Something I have” (token, smart card)
– “Something I am” (biometrics)
• Criteria for selecting an authentication method:
– Cost (acquisition, deployment, support)
– Level of security
– Ease of use / convenience
Authentication methods
Authentication methods
• Common method:
– User name and password
• Alternative methods:
– Tokens (“one-time password” devices)
– Digital certificates
– Smart cards
– Biometric devices
Passwords
• The simplest and most common method
• One-factor authentication (“something I know” only)
• Very low acquisition cost
• Very high cost of support and administration (resets, lockouts, policy enforcement)
• The security policy has to be balanced: a policy that is too tight drives users to write passwords down
• The user does not notice when his password has been stolen: a copied secret leaves no trace
Tokens
• The token code is a pseudo-random number generated inside the device; it changes continuously, so each code is usable once
• Two-factor authentication:
– PIN (“something I know”)
– Token code (“something I have”)
• Passcode = PIN + token code, entered as a single string
• Higher acquisition cost, lower support cost
• Offer higher security without strict password policies
• The user notices when his token has been stolen: a missing device is visible, a copied password is not
Tokens
• Two kinds:
– Hardware
• Key fob
• Card
• PIN pad (the PIN is entered on the device itself)
– Software (token application on a PC or handheld)
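A worked example of the passcode check the token slides describe (PIN + token code, verified centrally), added here by the editor; it is not RSA code. RSA SecurID's tokencode algorithm is proprietary, so the token code is produced with the open RFC 6238 TOTP construction instead (HMAC-SHA1 over a 30-second step counter, six digits); the 4-digit PIN length, the one-step drift window, the seed and the user names are assumptions. The point it demonstrates is the server side: the PIN is stored hashed, the server tolerates one step of token clock drift, and it records the last accepted step so that a passcode captured on the wire cannot be replayed, which is what makes the code a "one-time" password.

```python
"""PIN + time-based token code verification (illustrative, not RSA SecurID)."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the displayed token code
DRIFT_STEPS = 1     # accept one step early or late to tolerate token clock drift
PIN_LENGTH = 4      # assumption for this example; deployments vary


def tokencode(seed: bytes, step: int) -> str:
    """RFC 4226/6238 dynamic truncation: HMAC-SHA1(seed, step) -> DIGITS decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def tokencode_at(seed: bytes, unix_time: int) -> str:
    """The code a token holding this seed displays at the given Unix time."""
    return tokencode(seed, unix_time // STEP_SECONDS)


class TokenServer:
    """Server-side record per user: token seed, salted PIN hash, last accepted step."""

    def __init__(self) -> None:
        self._users = {}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "seed": seed,
            "pin_salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "last_step": -1,   # highest step already used; anything at or below it is a replay
        }

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """True only if PIN and token code both match and the code has not been used before."""
        rec = self._users.get(user)
        if rec is None or len(passcode) != PIN_LENGTH + DIGITS or not passcode.isdigit():
            return False
        pin, code = passcode[:PIN_LENGTH], passcode[PIN_LENGTH:]
        pin_ok = hmac.compare_digest(self._hash_pin(pin, rec["pin_salt"]), rec["pin_hash"])

        current = now // STEP_SECONDS
        matched_step = None
        # Check every step in the drift window even if the PIN already failed, so that
        # response time does not reveal which factor was wrong.
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step < 0 or step <= rec["last_step"]:
                continue   # negative step, or a step already consumed (replay)
            if hmac.compare_digest(tokencode(rec["seed"], step), code):
                matched_step = step

        if not (pin_ok and matched_step is not None):
            return False
        rec["last_step"] = matched_step   # consume the step: same passcode cannot be reused
        return True


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test seed, PIN 1234, time 59 s (step 1).
    seed = b"12345678901234567890"
    srv = TokenServer()
    srv.enroll("alice", seed, "1234")
    code = tokencode_at(seed, 59)
    print("token shows", code)
    print("first logon  :", srv.verify("alice", "1234" + code, now=59))
    print("replayed code:", srv.verify("alice", "1234" + code, now=59))
```

The replay record is the part most often forgotten in home-grown OTP checks: without it a passcode sniffed from the login form is good for the whole drift window, and the second factor adds nothing against an attacker on the path.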
Digital certificates
• High level of security, provided the private key is protected (for instance on a smart card rather than on the hard disk)
• High acquisition cost, low administration cost
• Central administration (issuing, renewal and revocation from one place)
Smart Cards
• Two-factor authentication (card + PIN)
• Storage container for various passwords and certificates
• Multi-functionality:
– Desktop authentication
– Physical access to areas
– Photo ID
Authentication methods
(Chart: methods ranked by security from weaker to stronger: no password policy, password policy, then three two-factor methods that each combine a PIN with a second factor.)
RSA SecurID solutions for authentication
RSA Authentication Manager
• Central component of RSA SecurID: the server that holds the token seeds and verifies passcodes
• High level of compatibility (Microsoft, Cisco, Check Point)
• Integrated RADIUS server
• Single database of all users:
– Windows domain users
– RADIUS users (for dial-up access)
– Remote access users (RRAS, VPN)
– Web application users
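The integrated RADIUS server is how network devices (dial-up, VPN concentrators, Cisco and Check Point gateways) hand a user name and passcode to Authentication Manager. The exchange below is an added example by the editor, not RSA's code: it builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, lets a toy server unhide it and answer, and verifies the Response Authenticator on the Access-Accept. The shared secret, NAS address, user name and passcode are constructed. Two practitioner checks fall out of it: the passcode is hidden only by MD5 keyed with the shared secret, so the RADIUS leg belongs on a trusted segment with a strong per-client secret, and an Access-Accept cannot be forged without that secret, which is what protects the agent against a spoofed "yes" on the wire.

```python
"""RADIUS Access-Request / Access-Accept per RFC 2865 (illustrative, stdlib only)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def encode_attrs(pairs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data: bytes):
    pairs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        pairs.append((t, data[i + 2:i + length]))
        i += length
    return pairs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, user, passcode, secret, nas_ip, authenticator=None):
    """Client side (the NAS / agent). The Request Authenticator must be fresh random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(passcode, secret, authenticator)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """Client side: reject any answer whose authenticator was not made with our secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def radius_server(request: bytes, secret: bytes, check) -> bytes:
    """Toy server: unhides the passcode, asks check(user, passcode), signs the verdict."""
    attrs = dict(parse_attrs(request[20:]))
    passcode = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if check(attrs[ATTR_USER_NAME], passcode) else ACCESS_REJECT
    return build_response(code, request, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed; use a long random per-client secret
    req = build_access_request(7, b"alice", b"1234287082", secret, "10.0.0.5")
    resp = radius_server(req, secret, lambda u, p: u == b"alice" and p == b"1234287082")
    print("accept:", resp[0] == ACCESS_ACCEPT, "authentic:", verify_response(resp, req, secret))
    forged = build_response(ACCESS_ACCEPT, req, b"attacker-guess")
    print("forged accept authentic:", verify_response(forged, req, secret))
```

The User-Password hiding is reversible by anyone holding the secret and it leaks nothing about the passcode only as long as the Request Authenticator is never reused, so the client must draw it from a real random source for every request.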
RSA Authentication Manager
(Diagram: the user enters user name and passcode at the authentication agent; the agent forwards user name and passcode to RSA Authentication Manager, which returns the verdict.)
RSA Authentication Manager
• Failover and load balancing:
– Primary server and replica
– If the primary server becomes inoperative, the replica can be promoted to primary very quickly
• Two license options:
– Base license
– Enterprise (advanced) license
Implementation of the RSA SecurID solution
Implementation in an AD environment
• Increased security and simplicity for the user: one passcode at the Windows logon prompt
• Components:
– RSA Authentication Manager
– RSA SecurID for Microsoft Windows
– RSA Authentication Agent
• All user names and Windows passwords from AD are stored (encrypted) in the RSA Authentication Manager database, so that a valid passcode can release the Windows password to the logon process. AD still sees an ordinary password logon; the Authentication Manager database therefore holds material equivalent to every domain password and must be protected and replicated accordingly.
Implementation in an AD environment
• Installation of clients and agents:
– Agents
• Windows 2000 Server
• Windows Server 2003
– Clients
• Windows 2000
• Windows XP
• Windows Server 2003
Implementation in an AD environment
• Standard Windows log-on (user name and password)
• RSA SecurID Windows log-on (user name and passcode)
Implementation in an AD environment: online logon
(Diagram: client with the RSA offline module, RSA Authentication Manager, AD Domain Controller.)
1. The user enters user name and passcode at the client
2. User name and passcode are sent to RSA Authentication Manager
3. Authentication Manager checks the data and answers the request
4. Authentication Manager decrypts the stored Windows password and sends it to the OS
5. User name and Windows password are sent to the AD Domain Controller
6. AD sends a Kerberos ticket to the client
7. Authentication Manager makes preparations for offline authentication
Implementation in an AD environment: offline logon
(Diagram: RSA Authentication Server not reachable; the client holds the RSA offline module and the stored Microsoft passwords.)
1. The user enters user name and passcode at the client
2. User name and passcode go to the RSA offline module
3. The RSA offline module decrypts the Windows password and sends it to the operating system
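Step 7 of the online flow ("preparations for offline authentication") and the offline logon above are shown together in the added example below. It is an illustrative design by the editor, not RSA's offline module, and it only shows one way the two slides fit together: while online, the server precomputes, for each upcoming time step, a copy of a random data key wrapped under a key derived from that step's passcode, and encrypts the Windows password once under the data key. Offline, the client derives a key from the typed passcode, unwraps the data key, decrypts the password for the OS, and deletes the used step so the one-time property survives without the server. The future passcodes, the Windows password and the step numbers are constructed; the cipher is an HMAC-SHA256 keystream with an HMAC tag, a stdlib stand-in for AES-GCM.

```python
"""Offline passcode store: server-side preparation and client-side logon (illustrative)."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # the store is an offline guessing target; make each guess costly
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _kdf(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)


def prepare_offline_store(windows_password: bytes, future_passcodes: dict) -> dict:
    """Server side (slide step 7). future_passcodes maps time step -> full passcode (PIN + code).

    The server can compute these because it holds the seed and the PIN; the client
    receives only salted, wrapped material, never the passcodes themselves."""
    data_key = os.urandom(32)
    entries = {}
    for step, passcode in future_passcodes.items():
        salt = os.urandom(16)
        entries[step] = {"salt": salt, "wrapped_key": seal(_kdf(passcode, salt), data_key)}
    return {"password_blob": seal(data_key, windows_password), "entries": entries}


def offline_logon(store: dict, passcode: str, current_step: int, drift: int = 1):
    """Client side (offline module). Returns the Windows password for the OS, or None."""
    for step in range(current_step - drift, current_step + drift + 1):
        entry = store["entries"].get(step)
        if entry is None:
            continue
        data_key = unseal(_kdf(passcode, entry["salt"]), entry["wrapped_key"])
        if data_key is None:
            continue   # passcode does not open this step
        del store["entries"][step]   # consumed: the same passcode cannot log on twice
        return unseal(data_key, store["password_blob"])
    return None


if __name__ == "__main__":
    # Constructed: three upcoming steps, PIN 1234 followed by the code for each step.
    store = prepare_offline_store(b"W1nd0ws-P@ss",
                                  {100: "1234111111", 101: "1234222222", 102: "1234333333"})
    print("wrong passcode:", offline_logon(store, "1234999999", 101))
    print("correct       :", offline_logon(store, "1234222222", 101))
    print("replayed      :", offline_logon(store, "1234222222", 101))
```

The caveat this makes visible: a 4-digit PIN plus a 6-digit code is 10^10 possibilities, and an attacker who copies the offline store from a stolen laptop can try them all without any server lockout. The KDF cost and the size of the precomputed window are the only things limiting that attack, which is why the window of offline days should be kept as short as the users' travel patterns allow.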
Authentication and BS 7799
• BS 7799-2:2002: the British Standards Institution (BSI) specification for information security management systems, the basis of the later international standard ISO/IEC 27001
• Authentication (user identification and access control) is one of the most important aspects of BS 7799
For those who want to know more...
• www.rsasecurity.com
• www.rsasecured.com
• www.microsoft.com
• www.checkpoint.com
CS Computer Systems d.o.o. | Prečko 1a | HR-10000 Zagreb
T. +385 (0)1 3885 555 | F. +385 (0)1 3882 555
W. www.cs.hr | E. [email protected]
Q & A