After a user authenticates to a computer, the operating system usually creates a process (a running program) that performs actions for the user. During a single interactive session, many other processes may be started on the user's behalf. Attached to each of these processes is a set of credentials that uniquely identifies the user, and every access decision the system makes is made against those credentials, not against the person at the keyboard. Credentials are not limited to computer environments; spies have long carried some form of credential in order to verify each other.
Computers and networks consist of hundreds or thousands of different processes. Something as simple as clicking on a Web link can result in dozens of interactions between different processes. Often a task you want to perform requires access to objects for which you have insufficient authorizations. To accomplish such a task, the process representing you interacts with another process that does have the appropriate authorizations. These specially privileged processes perform tasks on your behalf, which also makes them attractive targets: a flaw in a privileged helper lets an ordinary user do whatever the helper is allowed to do. For example, your normal login session on a server is unlikely to be empowered to speak directly to the network adapter. Instead, various privileged programs are asked to do this on your behalf as you surf the Internet.
Notice that I&A is part of a particularly weak boundary between humans and the computer. The assumption is that the person who possesses the information required to complete I&A successfully is indeed the rightful owner. That is, the login information is taken as sufficient to represent the user to the computer. The computer does not care whether your facial features have changed, whether your last name changed this morning, or even whether you cannot remember anything except your login information. Threats at this boundary include password guessing, password theft, and human error.
Identification and authentication are two distinct tasks. In some computer systems, these tasks are combined into a single step. However, the normal case requires someone to enter identifying information, such as a user name, for identification. When this value has been entered, the user must provide authentication information. Three classic types of authenticating information exist. They are described briefly in this chapter and covered in more detail in the next chapter.
How Are You Authenticated?
Authentication is typically based upon something you know, something you have, or something you are.
Authenticating Other Entities
I&A is not limited to login events by users. When two computers want to communicate across a network, some form of I&A occurs. Sometimes computers simply exchange their network addresses for I&A. The TCP/IP protocol suite uses this type of address-based authentication in a number of applications. Numerous attacks have exploited this method of authentication, because a source address is just a field in a packet header that the sender fills in and the receiver has no way to confirm. Stronger mechanisms based on cryptography can be used by computers to identify and authenticate each other. You'll learn more about these techniques in Chapter 4, Traditional Network Security Approaches.
Often individual programs running on the same computer or running on different computers need to identify and authenticate each other. The Distributed Computing Environment (DCE) provides a way for arbitrary processes to use strong authentication techniques based on cryptography. Each program has access to a secret that can be used to uniquely authenticate it to other programs, similar to the way in which users authenticate themselves with passwords.
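To make the contrast between address-based and cryptographic authentication concrete, the following added example (not code from the book) places an rhosts-style address check beside a shared-secret challenge-response in which each side proves knowledge of the secret without sending it. The trusted-host list, the packets and the secret are constructed for the demonstration; the message layout is an assumption made for the example, not a standard protocol.

```python
"""Address-based authentication beside a shared-secret challenge-response.
Added example, standard library only; all hosts and data are constructed."""
import hashlib
import hmac
import os

TRUSTED_HOSTS = {"10.0.0.5"}  # constructed rhosts-style allow list


def auth_by_address(packet: dict) -> bool:
    """The source address is whatever the sender wrote in the header, so this
    check accepts any packet an attacker labels with a trusted address."""
    return packet["src"] in TRUSTED_HOSTS


class Peer:
    """A host holding a secret shared out of band with its peer."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.pending = {}  # nonces this peer issued -> name of the peer challenged

    def challenge(self, peer_name: str) -> bytes:
        nonce = os.urandom(16)  # fresh per run, so old responses cannot be replayed
        self.pending[nonce] = peer_name
        return nonce

    def respond(self, challenger: str, nonce: bytes) -> bytes:
        """Prove knowledge of the secret without revealing it. Both names are
        bound into the MAC so a response cannot be reflected back at its author."""
        msg = b"|".join([self.name.encode(), challenger.encode(), nonce])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def verify(self, nonce: bytes, response: bytes) -> bool:
        peer_name = self.pending.pop(nonce, None)  # each nonce is accepted once
        if peer_name is None:
            return False
        msg = b"|".join([peer_name.encode(), self.name.encode(), nonce])
        expected = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_auth(a: Peer, b: Peer) -> bool:
    """Each side challenges the other; both proofs must succeed."""
    na = a.challenge(b.name)
    nb = b.challenge(a.name)
    return (a.verify(na, b.respond(a.name, na))
            and b.verify(nb, a.respond(b.name, nb)))


def demo() -> dict:
    secret = os.urandom(32)
    server = Peer("server", secret)
    client = Peer("client", secret)
    impostor = Peer("client", os.urandom(32))  # claims the name, lacks the secret
    spoofed = {"src": "10.0.0.5", "payload": b"forged header, constructed"}
    return {
        "address_check_accepts_spoof": auth_by_address(spoofed),
        "challenge_response_genuine": mutual_auth(server, client),
        "challenge_response_impostor": mutual_auth(server, impostor),
    }


def replay_is_rejected() -> bool:
    """A captured response is useless: the nonce it answers is consumed."""
    secret = os.urandom(32)
    server, client = Peer("server", secret), Peer("client", secret)
    nonce = server.challenge("client")
    captured = client.respond("server", nonce)
    first = server.verify(nonce, captured)
    second = server.verify(nonce, captured)
    return first and not second


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
    print("replay rejected:", replay_is_rejected())
```

The address check has no secret at all, so nothing distinguishes a genuine client from a forger. The challenge-response scheme does require both hosts to share a secret in advance, which is exactly the key-distribution problem that the trusted-third-party and DCE models described next are meant to solve.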
Some authentication models require the use of trusted third parties. In such a scenario, two entities who do not necessarily trust each other might trust a common third party. This third party is asked to verify that each party is indeed authentic. For example, John and Jane might know each other, and Jane and Ralph know each other too. John approaches Ralph and tries to sell him some land, but how does Ralph know whether John is who he claims to be? To solve the dilemma, both John and Ralph take a trip to meet with Jane. Jane tells Ralph that John is telling the truth, at least with respect to his identity. If John had also asked Jane to authenticate Ralph, the interaction would have involved bilateral, or mutual, authentication. Notice how the interaction crosses boundaries that might be exploited. For example, is it possible to impersonate the trusted third party, to pass the third party bogus information, or to steal information from the third party?
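The John, Jane and Ralph scenario, carried through in code as an added example (not from the book): Jane holds a separate secret with each of John and Ralph, who share nothing with each other. Ralph therefore cannot check John's proof himself and forwards it to Jane, whose verdict is in turn authenticated under Ralph's secret so that nobody can impersonate her. Running the exchange in both directions gives mutual authentication. All names, secrets and message formats are constructed for this demonstration and are not a standard protocol.

```python
"""Online trusted third party: Jane vouches for John to Ralph and vice versa.
Added example, standard library only; every secret is constructed."""
import hashlib
import hmac
import os


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class ThirdParty:
    """Jane: the only party holding every principal's secret. Her secret
    store is the crown jewels; stealing it lets an attacker be anyone."""

    def __init__(self):
        self.secrets = {}

    def enroll(self, name: str) -> bytes:
        self.secrets[name] = os.urandom(32)  # handed to the principal out of band
        return self.secrets[name]

    def vouch(self, asker: str, claimant: str, nonce: bytes, proof: bytes) -> bytes:
        """Check the claimant's proof, then return a verdict that only the
        asker can validate (it is MACed under the asker's own secret)."""
        key = self.secrets.get(claimant)
        genuine = key is not None and hmac.compare_digest(
            mac(key, claimant.encode(), asker.encode(), nonce), proof)
        verdict = b"genuine" if genuine else b"bogus"
        tag = mac(self.secrets[asker], verdict, claimant.encode(), asker.encode(), nonce)
        return verdict + b"|" + tag


class Principal:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def prove_to(self, verifier: str, nonce: bytes) -> bytes:
        """John's proof: keyed with a secret only he and Jane know, and bound
        to Ralph's nonce and both names so it cannot be reused elsewhere."""
        return mac(self.secret, self.name.encode(), verifier.encode(), nonce)

    def check_verdict(self, claimant: str, nonce: bytes, signed_verdict: bytes) -> bool:
        """Ralph accepts a verdict only if it carries Jane's MAC under his
        secret for this very nonce; a forged 'genuine' fails here."""
        verdict, _, tag = signed_verdict.partition(b"|")
        expected = mac(self.secret, verdict, claimant.encode(), self.name.encode(), nonce)
        return hmac.compare_digest(expected, tag) and verdict == b"genuine"


def authenticate_via(jane: ThirdParty, verifier: Principal, claimant: Principal) -> bool:
    """One direction: claimant proves to verifier with Jane's help."""
    nonce = os.urandom(16)
    proof = claimant.prove_to(verifier.name, nonce)
    return verifier.check_verdict(claimant.name, nonce,
                                  jane.vouch(verifier.name, claimant.name, nonce, proof))


def mutual(jane: ThirdParty, a: Principal, b: Principal) -> bool:
    return authenticate_via(jane, a, b) and authenticate_via(jane, b, a)


def demo() -> dict:
    jane = ThirdParty()
    john = Principal("John", jane.enroll("John"))
    ralph = Principal("Ralph", jane.enroll("Ralph"))
    fake_john = Principal("John", os.urandom(32))  # knows the name, not the secret
    # Someone impersonating Jane: can say "genuine" but cannot produce her tag.
    nonce = os.urandom(16)
    forged_verdict = b"genuine|" + os.urandom(32)
    return {
        "john_to_ralph": authenticate_via(jane, ralph, john),
        "mutual": mutual(jane, john, ralph),
        "impostor_john_rejected": not authenticate_via(jane, ralph, fake_john),
        "impostor_jane_rejected": not ralph.check_verdict("John", nonce, forged_verdict),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The three questions the text raises map onto the code directly: impersonating Jane fails because her verdict is keyed under Ralph's secret; feeding her bogus information fails because John's proof is bound to Ralph's fresh nonce; and stealing from her is the one attack the design cannot resist, which is why a real third party such as a key distribution center must be the most carefully protected host in the system.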
Another example of bilateral authentication occurs during logins in highly secure environments. The user wants to know for certain that no malicious program left behind by a previous user is waiting to grab passwords. To establish a trusted path to the computer, the user presses a secure attention key (SAK), a key sequence the operating system itself intercepts: it terminates all activity at the login terminal and starts the genuine login program, guaranteeing that no bogus login program remains from the previous session. The Ctrl+Alt+Del sequence required at the Windows logon screen is the familiar example. In effect, the computer authenticates itself to the user before the user authenticates to the computer.