Chapter 6 Implementing Identity and Access Management Controls


The following locations are used to store passwords:

%SystemRoot%\System32\config\SAM
%SystemRoot%\NTDS\NTDS.DIT
/etc/passwd (passwords are moved to /etc/shadow)

Behavioral technologies

(sometimes classified as Something you do) are often cheap to implement but tend to produce more errors than scans based on physical characteristics.

UNIX® and Linux® vs Windows password storage

UNIX® and Linux® password storage mechanisms use salt, but Windows does not. Consequently, in a Windows environment it is even more important to enforce password policies, such as selecting a strong password and changing it periodically.

During the authentication process: Presuming the user entered the correct password, the client

can decrypt the TGS session key but not the TGT. This establishes that the client and KDC know the same shared secret and that the client cannot interfere with the TGT.

During the authentication process: To access resources within the domain

the client requests a Service Ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the Ticket Granting Service (TGS).

Kerberos was named after

the three-headed guard dog of Hades (Cerberus) because it consists of three parts. Clients request services from a server, which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for their identity. There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.

The latest generation of cards can generate

their own keys, which is more secure than programming the card through software. When the card is read, the card software usually prompts the user for a PIN or password, which mitigates the risk of the card being lost or stolen.

Iris scan

this matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance), and a lot quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.

Single sign-on

this means that all network resources and applications accept the same set of credentials, so the subject only needs to authenticate once per session. This requires application compatibility and is difficult to make secure or practical across third-party networks.

Rainbow tables are also impractical when trying

to discover long passwords (over about 14 characters).

hardware token type

This type of device is typified by the SecurID token from RSA. The device generates a passcode based on the current time and a secret key coded into the device. An internal clock is used to keep time and must be kept precisely synchronized to the time on the authentication server. The code is entered along with a PIN or password known only to the user, to protect the system against loss of the device itself.

Point-to-Point Protocol (PPP)

used to transfer TCP/IP data over serial or dial-up connections. It relies on clear text password exchange and is, therefore, obsolete for the purposes of any sort of secure connection.

hybrid password attack

uses a combination of dictionary and brute force attacks. It is principally targeted against naively strong passwords, such as james1. The password cracking algorithm tests dictionary words and names in combination with several numeric prefixes and/or suffixes. Other types of algorithms can be applied, based on what hackers know about how users behave when forced to select complex passwords that they don't really want to make hard to remember. Other examples might include substituting "s" with "5" or "o" with "0".

Identity proofing

verifying that subjects are who they say they are at the time the account is created. Attackers may use impersonation to try to infiltrate a company without disclosing their real identity. Identity proofing means performing background and records checks at the time an account is created.

Challenge Handshake Authentication Protocol (CHAP)

was also developed as part of PPP as a means of authenticating users over a remote link. It is defined in http://www.ietf.org/rfc/rfc1994.txt. ________ relies on an encrypted challenge in a system called a three-way handshake.
1. Challenge—the server challenges the client, sending a randomly generated challenge message.
2. Response—the client responds with a hash calculated from the server challenge message and client password (or other shared secret).
3. Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.

An enhanced version (MS-CHAPv2)

was developed for Windows 2000 and later. MS-CHAPv2 also supports mutual authentication. Because of the way it uses vulnerable NT hashes, it should not be deployed without the protection of a secure connection tunnel.

The flaws in LM and NTLMv1

would normally be considered a historical curiosity as these mechanisms are obsolete, but one of the reasons that Windows password databases can be vulnerable to "cracking" is that they can store LM hash versions of a password for compatibility with legacy versions of Windows (pre-Windows 2000). LM responses can also be accepted during logon (by default, the client sends both LM and NTLM responses) and, therefore, captured by a network sniffer.

There are generally two steps in the scanning process:

• A sensor module acquires the biometric sample from the target.
• A feature extraction module records the significant information from the sample (features that uniquely identify the target).

token

There are various ways to authenticate a user based on something they have or a __________. Typically, this might be a smart card, USB token, or key fob that contains a chip with authentication data, such as a digital certificate.

LM is a challenge/response authentication protocol. This means that the user's password is not sent to the server in plaintext.

1. When the server receives a logon request, it generates a random value called the challenge (or nonce) and sends it to the client.
2. Both client and server encrypt the challenge using the hash of the user's password as a key.
3. The client sends this response back to the server.
4. The server compares the response with its version and if they match, authenticates the client.

offline attack

A password cracker can work on a database of hashed passwords. This can also be referred to as an _________, as once the password database has been obtained, the cracker does not interact with the authentication system to perform the cracking.

key stretching

Another technique to make the key generated from a user password stronger is to process it repeatedly. The initial key may be put through thousands of rounds of hashing. This is not difficult for the attacker to replicate, so it does not actually make the key stronger, but it slows the attack down because the attacker has to perform all this extra processing for each candidate key value.

the fifth step of logon is to authenticate with a KDC server

The client forwards the service ticket, which it cannot decrypt, to the application server and adds another time-stamped authenticator, which is encrypted using the service session key.

the first step of logon is to authenticate with a KDC server (implemented as a domain controller).

The client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user's password hash as the key.

the eighth step of logon is to authenticate with a KDC server

The server now responds to client requests (assuming they conform to the server's access control list).

BIOMETRIC FACTORS Several different metrics exist for identifying people

These can be categorized as physical (fingerprint, eye, and facial recognition) or behavioral (voice, signature, and typing pattern matching).

SOMEWHERE YOU ARE AUTHENTICATION

For example, if a user enters the correct credentials at a VPN gateway, but his or her IP address shows him/her to be in a different country than expected, access controls might be applied to restrict the privileges granted or refuse access completely.

Pass-the-Hash (PtH) attacks

If an attacker can obtain the hash of a user password, it is possible to present the hash (without cracking it) to authenticate to network protocols such as CIFS.

a packet sniffer might be used to obtain

If the attacker cannot obtain a database of passwords,________________________ the client response to a server challenge in a protocol such as NTLM or CHAP/MS-CHAP. While these protocols avoid sending the hash of the password directly, the response is derived from the password hash in some way. Password crackers can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it.

the seventh step of logon is to authenticate with a KDC server

Optionally, the application server responds to the client with the timestamp used in the authenticator, which is encrypted by using the service session key. The client decrypts the timestamp and verifies that it matches the value already sent and concludes that the application server is trustworthy. This means that the server is authenticated to the client (referred to as mutual authentication). This prevents a Man-in-the-Middle attack where a malicious user could intercept communications between the client and server.

software token

There are also 2-step verification mechanisms. These generate a _____________ on a server and send it to a resource that is assumed to be safely controlled by the user, such as a smartphone or email account. Note that this is not strictly a something you have authentication factor. Anyone intercepting the code within the timeframe could enter it as something you know without ever possessing or looking at the device itself.

the second step of logon is to authenticate with a KDC server

If the user is found in the database and the request is valid (the user's password hash matches the one in the Active Directory database and the time matches to within five minutes of the server time), the AS responds with:
• Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC's secret key.
• TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user's shared secret (the logon password, for instance).
The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources. Presuming the user entered the correct password, the client can decrypt the TGS session key but not the TGT. This establishes that the client and KDC know the same shared secret and that the client cannot interfere with the TGT. To access resources within the domain, the client requests a Service Ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the Ticket Granting Service (TGS).

Something you do authentication is

In practice, however, these methods are subject to higher error rates and are much more troublesome for a subject to perform. ________ authentication is more likely to be deployed as an intrusion detection or continuous authentication mechanism.

LAN Manager (LM or LANMAN)

Most computer networks depend on "something you know" authentication, using the familiar method of a user account protected by a password. There are many different ways of implementing account authentication on different computer systems and networks.

ticket-forging attacks, referred to as a "golden ticket" attack

Related to PtH, the secret keys used to secure AD Kerberos tickets are derived from NT hashes rather than randomly generated; therefore, care must be taken to protect the hashes from credential dumping or the system becomes vulnerable to

IEEE 802.1X Port-based Network Access Control

Smart cards and other token-based systems are often configured to work with the

Vendors have developed proprietary biometric cryptosystems to address security.

Standard encryption products cannot be used, as there needs to be a degree of fuzzy pattern matching between the template and the confirmation scan.

the fourth step of logon is to authenticate with a KDC server

The TGS service responds with:
• Service session key—for use between the client and the application server. This is encrypted with the TGS session key.
• Service ticket—containing information about the user, such as a timestamp, system IP address, Security Identifier (SID) and the SIDs of groups to which he or she belongs, and the service session key. This is encrypted using the application server's secret key.

the sixth step of logon is to authenticate with a KDC server

The application server decrypts the service ticket to obtain the service session key using its secret key, confirming that the client has sent it an untampered message. It then decrypts the authenticator using the service session key.

the third step of logon is to authenticate with a KDC server

The client sends the TGS a copy of its TGT and the name of the application server it wishes to access plus an authenticator, consisting of a time-stamped client ID encrypted using the TGS session key. The TGS should be able to decrypt both messages using the KDC's secret key for the first, and the TGS session key for the second. This confirms that the request is genuine. It also checks that the ticket has not expired and has not been used before (replay attack).

biometric authentication

The first step in setting up _________________ is enrollment. The chosen ____________ information is scanned by a _________ reader and converted to binary information. There are various ways of deploying biometric readers. Most can be installed as a USB peripheral device. Some types (fingerprint readers) can be incorporated on a laptop or mouse chassis. Others are designed to work with physical access control systems.

Cain and Abel

Windows password recovery and password sniffing utility.

biometric template is recorded in

a database stored on the authentication server. When the user wants to access a resource, he or she is re-scanned, and the scan is compared to the template. If they match to within a defined degree of tolerance, access is granted.

The handshake is repeated with

a different challenge message periodically during the connection (though transparent to the user). This guards against replay attacks, where a previous session could be captured and reused to gain access. CHAP typically provides one-way authentication only. Cisco's implementation of CHAP, for example, allows for mutual authentication by having both called and calling routers challenge one another. This only works between two Cisco routers, however.

Key stretching can be performed by using

a particular software library to hash and save passwords when they are created. Two such libraries are:
• bcrypt
• Password-Based Key Derivation Function 2 (PBKDF2)

Extensible Authentication Protocol (EAP). EAP

allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user authentication credential.

bcrypt

an extension of the crypt UNIX library for generating hashes from passwords. It uses the Blowfish cipher to perform multiple rounds of hashing.

Retinal scan

an infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is, therefore, one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.

The main concerns with cryptographic access control technologies

are loss and theft of the devices. Token-based authentication is not always standards-based, so interoperability between products can be a problem. There are also risks from inadequate procedures, such as weak cryptographic key and certificate management.

brute force attack

attempts every possible combination in the key space in order to derive a plaintext password from a hash. The key space is determined by the number of bits used (the length of the key). In theory, the longer the key, the more difficult it is to compute each value, let alone check whether the plaintext it produces is a valid password. ______________ are heavily constrained by time and computing resources, and are therefore most effective at cracking short passwords. However, brute force attacks that are distributed across multiple hardware components, like a cluster of high-end graphics cards, can be successful at cracking longer passwords.

Password reset

automating the password reset process reduces the administration costs associated with users forgetting passwords, but making the reset process secure can be problematic.

MS-CHAP should not

be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted.

A corollary of the development of biometric cryptosystems is to use

biometric information as the key when encrypting other data. This solves the template storage problem and the problem of secure key distribution (the person is the key) but not the one of pattern matching (that is, will the same biometric sample always produce the same key and if not, how would encrypted data be recovered?)

Hash functions can be made more secure

by adding salt. Salt is a random value added to the plaintext. This helps to slow down rainbow table attacks against a hashed password database, as the table cannot be created in advance and must be recreated for each combination of password and salt value.

Mutual authentication can be configured on the basis of

a password-like mechanism where a shared secret is configured on both server and client. Distributing the shared secret and keeping it secure is a significant challenge, however. Most ____________ mechanisms rely on digital certificates and Public Key Infrastructure (PKI).

dictionary attack

can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password.

smart card is either

contact-based, meaning that it must be physically inserted into a reader, or contactless, meaning that data is transferred using a tiny antenna embedded in the card. A contactless smart card can also be referred to as a proximity card. ISO has published various ID card standards to promote interoperability, including ones for smart cards (ISO 7816 for contact and ISO 14443 for contactless types).

Secure transmission of credentials

creating and sending an initial password securely. Again, the process needs protection against snooping and rogue administrative staff. Newly created accounts with simple or default passwords are an easily exploitable backdoor.

%SystemRoot%\NTDS\NTDS.DIT

domain users and passwords are stored in the Active Directory database on domain controllers.

IAM enables

you to define the attributes that comprise an entity's identity, such as its purpose, function, security clearance, and more.

802.1X

establishes several ways for devices and users to be securely authenticated before they are permitted full network access. The actual authentication mechanism will be some variant of the Extensible Authentication Protocol (EAP).

Ensuring only valid accounts are created

for example, preventing the creation of dummy accounts or accounts for employees that are never actually hired. The identity issuance process must be secured against the possibility of insider threats (rogue administrative users). For example, a request to create an account should be subject to approval and oversight.

be aware that there are databases of username and password/password hash combinations

for multiple accounts stored across the Internet. These details derive from successful hacks of various companies' systems. These databases can be searched using a site such as https://haveibeenpwned.com.

online password attack can show up

in audit logs as repeatedly failed logons and then a successful logon, or as several successful logon attempts at unusual times or locations.

OTP tokens may be implemented

in hardware or in software. Many tokens exist in the form of mobile device applications.

card reader or scanner can either be built

into a computer or connected as a USB peripheral device. A software interface is then required to read (and possibly write) data from the card. The software should comply with the PKCS#11 API standard.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

is Microsoft's first implementation of CHAP, supported by older clients, such as Windows 95.

smart card

is a credit card-sized device with an integrated chip and data interface. The card must be presented to a card reader before the user can be authenticated.

Kerberos

is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT) in the 1980s. The protocol has been ratified as a web standard by the IETF (http://www.ietf.org/rfc/rfc4120.txt). The idea behind Kerberos is that it provides a single sign-on. This means that once authenticated, a user is trusted by the system and does not need to re-authenticate to access different resources. The _________ authentication method was selected by Microsoft as the default logon provider for Windows 2000 and later. Based on the Kerberos 5.0 open standard, it provides authentication to Active Directory, as well as compatibility with other, non-Windows, operating systems.

Time-based One-time Password Algorithm (TOTP)

is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might be able to obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance).

Mutual authentication

is a security mechanism that requires that each party in a communication verifies each other's identity. Before the client submits its credentials, it verifies the server's credentials. _____________ prevents a client from inadvertently submitting confidential information to a non-secure server. _____________ helps in avoiding Man-in-the-Middle and session hijacking attacks.

HMAC-based One-time Password Algorithm (HOTP)

is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret. This should be an 8-byte value generated by a cryptographically strong random number generator. The token could be a fob-type device or implemented as a smartphone app. The shared secret can be transmitted to the smartphone app as a QR code image acquirable by the phone's camera so that the user doesn't have to type anything. The shared secret is combined with a counter to create a one-time password when the user wants to authenticate. The device and server both compute the hash and derive an HOTP value that is 6-8 digits long. This is the value that the user must enter to authenticate with the server. The counter is incremented by one.

Initiative for Open Authentication (OATH)

is an industry body comprising mostly the big PKI providers, such as Verisign and Entrust, established with the aim of developing an open, strong authentication framework. Open means a system that any enterprise can link into to perform authentication of users and devices across different networks. Strong means that the system is based not just on passwords but on 2- or 3-factor authentication or on 2-step verification. ________ has developed two algorithms for implementing One-time Passwords (OTPs) on the web.

Password Authentication Protocol (PAP)

is an unsophisticated authentication method developed as part of the TCP/IP

One opportunity for widening access to a Windows domain network using pass-the-hash

is for the local administrator account on a domain PC to be compromised so that the adversary can run malware with local admin privileges. The malware then scans system memory for cached password hashes being processed by the Local Security Authority Subsystem Service (lsass.exe). The adversary will hope to obtain the credentials of a domain administrator logging on locally or remotely and then replay the domain administrator hash to obtain wider privileges across the network.

One-time Password (OTP)

is one that is generated automatically (rather than being selected by a user) and used only once. Consequently, it is not vulnerable to password guessing or sniffing attacks.

Authentication Service

is responsible for authenticating user logon requests. More generally, users and services can be authenticated; these are collectively referred to as principals.

The main problem with fingerprint scanners

is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner.

Fingerprint recognition

is the most widely implemented biometric technology. A ____________ is a unique pattern and thus lends itself to authentication. The technology required for scanning and recording __________ is relatively inexpensive and the process quite straightforward. Scanning devices are easy to implement, with scanners incorporated on laptop chassis, mice, keyboards, smartphones, and so on. The technology is also simple to use and non-intrusive, though it does carry some stigma from association with criminality. Reader and finger also need to be kept clean and dry.

One of the noted drawbacks of Kerberos is that

the KDC represents a single point-of-failure for the network. In practice, backup KDC servers can be implemented (for example, Active Directory supports multiple domain controllers, each of which will be running the KDC service).

The principal defense against PtH and related types of attacks

is to strongly restrict the workstations that will accept logon (interactive or remote) from an account with domain administrative privileges. Domain administrators should only be allowed to log on to especially hardened workstations, and such workstations must be protected against physical and network access by any other type of account or process.

An online password attack

is where the adversary directly interacts with the authentication service—a web login form or VPN gateway, for instance. The attacker will submit passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline.

If this compatibility is not required

it should be disabled, using the local or domain security policy (LMCompatibilityLevel or "LAN Manager Authentication Level"). Windows 7 and Windows Server 2008 were the first products to ship with LM disabled by default.

%SystemRoot%\System32\config\SAM

local users and passwords are stored as part of the Registry (Security Account Manager) on Windows machines.

NTLM only provides for client authentication, which

makes it vulnerable to Man-in-the-Middle attacks. It is also vulnerable to a pass-the-hash attack, where an attacker submits a captured authentication hash rather than trying to obtain the plaintext password. Finally, it does not support token or biometric authentication. For these reasons, Microsoft made Kerberos the preferred authentication protocol for Active Directory® networks. NTLM is still the only choice for workgroups (non-domain networks).

Issuance (or enrollment)

means processes by which a subject's credentials are recorded, issued, and linked to the correct account, and by which the account profile is created and maintained.

NTLM AUTHENTICATION

mechanism fixed some of the problems in LM:
• The password is Unicode and mixed case and can be up to 127 characters long.
• The 128-bit MD4 hash function is used in place of DES.

John the Ripper

multi-platform password hash cracker.

THC Hydra

often used against remote authentication (protocols such as Telnet, FTP, HTTPS, SMB, and so on).

L0phtcrack

one of the best-known Windows password recovery tools. There is also an open source version (ophcrack).

Password-Based Key Derivation Function 2 (PBKDF2)

part of RSA Security's Public Key Cryptography Standards (PKCS#5).

Rainbow table attacks

refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. Not all possible hash values are stored, as this would require too much memory. Values are computed in chains and only the first and last values need to be stored. The hash value of a stored password can then be looked up in the table and the corresponding plaintext discovered.

NTLMv2

response is an HMAC-MD5 hash (128-bit) of the username and authentication target (domain name or server name) plus the server challenge, a timestamp, and a client challenge. The MD4 password hash (as per NTLMv1) is used as the key for the HMAC-MD5 function.

online password attacks can be mitigated by

restricting the number or rate of logon attempts and by shunning logon attempts from known bad IP addresses, in addition to ensuring that users choose strong passwords.

Aircrack

sniffs and decrypts WEP and WPA wireless traffic.

Password cracker

software works on the basis of exploiting known vulnerabilities in password transmission and storage algorithms (LM and NTLM hashes, for instance). They can perform brute force attacks and use precompiled dictionaries and rainbow tables to break naïvely chosen passwords.

An OTP is generated using

some sort of hash function on a secret value plus a synchronization value (seed), such as a timestamp or counter. Other options are to base a new password on the value of an old password or to use a random challenge value (nonce) generated by the server.

On Linux, user account details and encrypted passwords are

stored in /etc/passwd, but this file is universally accessible. Consequently, passwords are moved to /etc/shadow, which is only readable by the root user.

facial recognition

suffers from relatively high false acceptance and rejection rates and can be vulnerable to spoofing. Much of the technology development is in surveillance, rather than for authentication, though it is becoming a popular method for use with smartphones.

Another problem is that of dealing with templates

that have been compromised; that is, how can the genuine user be re-enrolled with a new template (revocability)? One possible solution is to employ steganography to digitally watermark each enrollment scan. Another is to "salt" each scan with a random value or a password.

the LM hash process is insecure for the following reasons:

• Alphabetic characters use the limited ASCII character set and are converted to upper case, reducing complexity.
• Maximum password length is 14 characters. Long passwords (over seven characters) are split into two and encrypted separately; this means passwords that are seven characters or less are easy to identify and makes each part of a longer password more vulnerable to brute force attacks.
• The password is not "salted" with a random value, making the ciphertext vulnerable to rainbow table attacks.

COMMON ACCESS CARDS

As a result, two identity cards have been introduced:

• Common Access Card (CAC)—issued to military personnel, civilian employees, and contractors to gain access to Department of Defense (DoD) facilities and systems.
• Personal Identification Verification (PIV) Card—for civilian federal government employees and contractors.

Follow these guidelines when implementing IAM:

• Ensure robust procedures for creating accounts that identify network subjects (users and computers) and issue credentials to those subjects securely.
• Determine which authentication factors and technology provide the best security, given any limitations imposed by existing infrastructure and budget.
  - Understand some of the risks in relying on password-based authentication.
  - Consider implementing certificate-based or hardware token-based authentication methods in a multifactor scheme to mitigate issues associated with passwords and biometrics.
  - Recognize the strengths and weaknesses of each type of biometric device and how they can mitigate risks when implemented as single-factor or multifactor authentication technology.
• Consider that using PIV or CACs may be mandatory if you work with or for the U.S. federal government.

Key metrics and considerations used to evaluate different technologies include the following:

• False negatives (where a legitimate user is not recognized); referred to as the False Rejection Rate (FRR) or Type I error.
• False positives (where an interloper is accepted); referred to as the False Acceptance Rate (FAR) or Type II error. False negatives cause inconvenience to users, but false positives can lead to security breaches, so the FAR is usually considered the most important metric.
• Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology.
• Errors are reduced over time by tuning the system. This is typically accomplished by adjusting the sensitivity of the system until CER is reached.
• Throughput (speed)—this refers to the time required to create a template for each user and the time required to authenticate. This is a major consideration for high-traffic access points, such as airports or railway stations.

An Identity and Access Management (IAM) system is usually described in terms of four main processes:

• Identification
• Authentication
• Authorization
• Accounting

Issuance (or enrollment)

Some of the issues involved are:

• Identity proofing
• Ensuring only valid accounts are created
• Secure transmission of credentials
• Revoking the account if it is compromised or no longer in use.

Security of the template and storage mechanism is a key problem for biometric technologies.

• It should not be possible to use the template to reconstruct the sample.
• The template should be tamper-proof (or at least tamper-evident).
• Unauthorized templates should not be injected.

Some well-known password cracking tools include:

• John the Ripper—
• THC Hydra—
• Aircrack—
• L0phtcrack—
• Cain and Abel—

NTLMv2 also defines other types of responses that can be used in specific circumstances:

• LMv2—provides pass-through authentication where the target server does not support NTLM but leverages the authentication service of a domain controller that does. LMv2 provides a mini-NTLMv2 response that is the same size as an LM response.
• NTLMv2 Session—provides stronger session key generation for digital signing and sealing applications (see the Kerberos Authentication section for a discussion of the use of session keys).
• Anonymous—access for services that do not require user authentication, such as web servers.

On a personal level, managing those identities is becoming increasingly difficult, forcing users into unsecure practices, such as sharing passwords between different accounts. These difficulties can be mitigated by two techniques:

• Password reset—
• Single sign-on—

RETINAL AND IRIS SCANNERS

There are two types of biometric recognition based on features of the eye:

• Retinal scan—
• Iris scan—

There are many different technologies for defining credentials. They can be categorized as the following factors:

• Something you know, such as a password.
• Something you have, such as a smart card.
• Something you are, such as a fingerprint.
• Something you do, such as making a signature.
• Somewhere you are, such as using a mobile device with location services.

The main problems with biometric technology generally are:

• Users can find it intrusive and threatening to privacy.
• The technology can be discriminatory or inaccessible to those with disabilities.
• Setup and maintenance costs to provision biometric readers.
• Vulnerability to spoofing methods.

Behavioral technologies. They can also be discriminatory against those with disabilities:

• Voice recognition—this is relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. Voice is also subject to impersonation.
• Signature recognition—everyone knows that signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).
• Typing—this matches the speed and pattern of a user's input of a passphrase.
