An Overview of Authentication Mechanisms on Windows

This article gives an overview of the various authentication mechanisms available to applications on
Windows. It also touches upon upcoming technologies such as CardSpace and OpenID, and concludes by
relating the development of new authentication mechanisms to the basic need for SSO.


Background

With the emergence of Web 2.0, identity management is becoming a core focus. Security in online
transactions is gaining attention from all technology vendors, including Microsoft. Microsoft's
recent release of the .NET Framework 3.0 includes Windows CardSpace, which provides a solid
foundation for the identity management of the future. Microsoft's recent announcement of a
tie-up with OpenID takes the CardSpace initiative to the next level. This article gives an
overview of the various authentication mechanisms on the Microsoft Windows platform.


Introduction

A digital identity is a set of characteristics associated with an individual or a device that allows
us to address it distinctly from the rest of the world.

Before access to a valuable resource is granted, a digital identity is checked to confirm the source
of the request. This mechanism is termed authentication.

Various popular authentication mechanisms are –

    1. User name and password
    2. Digital certificates
    3. Biometrics – fingerprints, iris/retina scan
    4. Dynamic biometrics – signature, voice recognition


Authentication in Windows OS

Microsoft Windows Server 2003 has adopted Kerberos 5 as the default protocol for network
authentication. Active Directory is merely the directory that holds all the information; the
Kerberos protocol implementation is used to protect it and make it function.

Microsoft Windows 2000 Server and later use the following as the default authentication mechanisms:

Default authentication package:   Kerberos
Credential store:                 Active Directory; SAM (Security Authentication Module)
Authentication protocols:         Clear Text; NTLM (NT LAN Manager); Standard Kerberos;
                                  Kerberos PKINIT (Public Key cryptography for INITial Authentication)

All the authentication protocols are exposed via SSPI (Security Support Provider Interface).



The Windows authentication process using the Kerberos KDC (Key Distribution Center) is shown below.




Authentication in .NET Applications

The .NET Framework has a model for managing a user or automated agent based on the notion of
an identity. The identity object encapsulates information about the user or entity being validated.

Basic identity objects contain a name and an authentication type. The name can be either a
user's name or the name of a Windows account, while the authentication type can be either a
supported logon protocol, such as Kerberos V5, or a custom value.

namespace System.Security.Principal
{
    public interface IIdentity
    {
        bool IsAuthenticated { get; }
        string AuthenticationType { get; }
        string Name { get; }
    }
}

The IIdentity interface shown above abstracts the authentication part of the security context.

The .NET Framework defines a GenericIdentity object that can be used for most custom logon
scenarios and a more specialized WindowsIdentity object that can be used when the application
relies on Windows authentication. Additionally, an application can define its own identity class
that encapsulates custom user information.


Web Application Authentication

ASP.NET implements authentication via authentication providers. Providers are essentially classes
that contain public static methods to help in authenticating requests from clients.

An ASP.NET application can be configured to use one of the following authentication providers:


    1. Windows Authentication

    The WindowsAuthenticationModule provider relies on IIS to provide authenticated users.
    The provider module constructs a WindowsIdentity object. The default implementation
    constructs a WindowsPrincipal object and attaches it to the application context. One of
    the major advantages of Windows Authentication is that it allows the implementation of an
    impersonation scheme.




    2. Forms Authentication

    Forms authentication is recommended if the application needs to collect its own user
    credentials at logon time through HTML forms. All unauthorized requests are
    redirected to the logon page using HTTP client-side redirection. The forms authentication
    provider may implement custom logic for validating the username and password against an
    identity store. If the application authenticates the request, the system issues a ticket
    that contains a key for re-establishing the identity on subsequent requests.




    3. Passport Authentication

    Passport authentication is Microsoft's centralized authentication service that offers a
    single logon and core profile services for member sites. Passport uses the Triple DES
    encryption scheme. When member sites register with Passport, they are granted a site-
    specific key. The Passport logon server uses this key to encrypt and decrypt the query
    strings passed between sites. The authentication ticket is preserved by the client in a
    cookie and is used for all future requests to the application until the cookie expires.




Web Services Authentication

Authentication of Web Services can be classified into two models as follows –


    1. Direct Authentication

        In the direct authentication model, the client and the service establish a direct trust. The
        client application sends its credentials directly to the service along with the service request.
        The service maintains a catalog of authorized clients, and the authentication mechanism is
        built into the service components. This model can be considered similar to Forms
        authentication for web applications, as neither mechanism requires an intermediary
        to build the trust.




    2. Brokered Authentication

        Brokered authentication uses an intermediary called a 'broker' to perform authentication
        when the client and service do not share a trust relationship. Credentials are used to
        authenticate with the broker, which issues a security token. The security token is then
        used to authenticate with services.




WSE (Web Services Enhancements) provides three main security tokens that support brokered
authentication.

I. X.509

    This requires support for a PKI (Public Key Infrastructure). In cases where a limited number
    of certificates are needed, an external CA (Certificate Authority) can be used. Most X.509
    implementations, such as SSL, exchange a symmetric session key that is used for
    encryption.

II. KerberosToken

    This requires an identity provider that supports the Kerberos protocol, such as Active
    Directory. Service tickets are session-based tokens that can be used for confidentiality and
    integrity.

III. STS (Security Token Service)

    This requires an STS implementation that issues and manages security tokens. Custom
    security tokens can be used for session-based operations.
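The following is an added example, not code from the article: a minimal simulation of the brokered model described above, in which only the broker holds the credential catalog and the service verifies the broker-issued token, combined with the custom IIdentity class the .NET section says an application can define. DemoBroker, DemoService and TokenIdentity are hypothetical names; the HMAC-signed token stands in for an STS-issued security token, and the sample credential store is constructed.

```csharp
// Added example (not from the article). Assumes .NET 6 or later.
// A broker authenticates credentials and issues a signed, time-limited token;
// the service trusts only the broker's key, never the client's credentials.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Custom identity (hypothetical) carrying what the service learns from the token.
public sealed class TokenIdentity : IIdentity
{
    public TokenIdentity(string name, DateTimeOffset expires) { Name = name; Expires = expires; }
    public string Name { get; }
    public DateTimeOffset Expires { get; }
    public string AuthenticationType => "BrokeredToken"; // custom value, as IIdentity permits
    public bool IsAuthenticated => !string.IsNullOrEmpty(Name);
}

// The broker: the only party that sees passwords and holds the credential catalog.
public sealed class DemoBroker
{
    private readonly Dictionary<string, string> _users; // constructed sample credential store
    private readonly byte[] _key;
    public DemoBroker(byte[] key, Dictionary<string, string> users) { _key = key; _users = users; }

    // Authenticate with the broker; on success the caller receives "user|expiry.signature".
    public string IssueToken(string user, string password, TimeSpan lifetime)
    {
        if (user.Contains('|') || !_users.TryGetValue(user, out var expected) || expected != password)
            throw new UnauthorizedAccessException("broker rejected credentials");
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = $"{user}|{exp}";
        return payload + "." + Sign(payload, _key);
    }

    public static string Sign(string payload, byte[] key)
    {
        using var h = new HMACSHA256(key);
        return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
}

// The service: shares the broker's key, keeps no catalog of client credentials.
public sealed class DemoService
{
    private readonly byte[] _key;
    public DemoService(byte[] key) { _key = key; }

    // Returns a principal if the token is genuine and unexpired; null otherwise.
    public IPrincipal Authenticate(string token)
    {
        int dot = token.LastIndexOf('.');
        if (dot < 0) return null;
        string payload = token.Substring(0, dot);
        string sig = token.Substring(dot + 1);
        // Constant-time comparison so a mismatch leaks nothing about where it failed.
        byte[] expected = Encoding.UTF8.GetBytes(DemoBroker.Sign(payload, _key));
        byte[] actual = Encoding.UTF8.GetBytes(sig);
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return null;
        string[] parts = payload.Split('|');
        if (parts.Length != 2 || !long.TryParse(parts[1], out long exp)) return null;
        var expires = DateTimeOffset.FromUnixTimeSeconds(exp);
        if (expires <= DateTimeOffset.UtcNow) return null;
        return new GenericPrincipal(new TokenIdentity(parts[0], expires), new[] { "User" });
    }
}

public static class Program
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // key shared by broker and service (constructed)
        var broker = new DemoBroker(key, new Dictionary<string, string> { ["alice"] = "correct horse" });
        var service = new DemoService(key);

        string token = broker.IssueToken("alice", "correct horse", TimeSpan.FromMinutes(5));
        IPrincipal p = service.Authenticate(token);
        Console.WriteLine($"valid token -> {p?.Identity.Name} via {p?.Identity.AuthenticationType}, " +
                          $"in role User: {p?.IsInRole("User")}");

        // Changing the payload invalidates the signature, so the service rejects it.
        string tampered = token.Replace("alice", "admin");
        Console.WriteLine($"tampered    -> {(service.Authenticate(tampered) == null ? "rejected" : "ACCEPTED")}");

        // A token whose expiry is already in the past is rejected even though its signature is valid.
        string expired = broker.IssueToken("alice", "correct horse", TimeSpan.FromMinutes(-1));
        Console.WriteLine($"expired     -> {(service.Authenticate(expired) == null ? "rejected" : "ACCEPTED")}");
    }
}
```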


CardSpace Authentication

Windows CardSpace is a technology designed to help eliminate the need for usernames and
passwords. Instead it provides Windows users with digital identities in the form of cards that
users can access in a secure and familiar manner.

CardSpace provides an identity selector and a self-issued identity provider, both of which run on
the client machine. CardSpace is a new way of doing strong authentication across trust
boundaries. Internet Explorer 7 uses Windows CardSpace, if installed.

Windows CardSpace uses the following interoperable protocols: WS-Security, WS-SecurityPolicy,
WS-Trust and WS-MetadataExchange.

The identity provider provides the card (a .crd file), which contains the metadata. This card
is used to obtain the security token from the identity provider for sending the claim to the
relying party.




OpenID Authentication

OpenID uses an XRI (eXtensible Resource Identifier) to verify the digital identity. CardSpace can
play a role in supplementing the OpenID authentication process by establishing a relationship
between the client and the OP using WS-Trust and WS-MetadataExchange. This may help eliminate
steps 4 and 5 from the overall authentication process. Additionally, a card can carry the XRI
along with the OP token.




Conclusion

SSO (single sign-on) is a form of software authentication that enables a user to authenticate
once with one software system and in turn gain access to multiple software systems. Since Windows
OS authentication is the primary authentication, it is ideal to base SSO on it, so that all
applications accessed in that Windows session can be used without (re-)entering credentials.
The Internet has opened the door to a very large number of applications accessible to users,
typically in a B2C scenario, with each application requiring the user to undergo its own
registration and authentication process. Along with SSO, a demand persists for a secure, reliable
and generic mechanism for establishing trust. With the evolution of technology and the wide
acceptance of open standards, the vision of 'Trustworthy SSO' across the web will not be far
from becoming reality.




                                                                                                 7

More Related Content

What's hot

An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
Stephane Potier
 
6.distributed shared memory
6.distributed shared memory6.distributed shared memory
6.distributed shared memory
Gd Goenka University
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
Dr. Kapil Gupta
 
Operating system security
Operating system securityOperating system security
Operating system security
Ramesh Ogania
 
Intruders
IntrudersIntruders
Message passing in Distributed Computing Systems
Message passing in Distributed Computing SystemsMessage passing in Distributed Computing Systems
Message passing in Distributed Computing Systems
Alagappa Govt Arts College, Karaikudi
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
IGZ Software house
 
Web Security
Web SecurityWeb Security
Web Security
Dr.Florence Dayana
 
Message authentication
Message authenticationMessage authentication
Message authentication
CAS
 
IP Security
IP SecurityIP Security
IP Security
Ambo University
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication TechnologiesNicholas Davis
 
Elgamal & schnorr digital signature scheme copy
Elgamal & schnorr digital signature scheme   copyElgamal & schnorr digital signature scheme   copy
Elgamal & schnorr digital signature scheme copy
North Cap University (NCU) Formely ITM University
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
Vishal Agarwal
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7AfiqEfendy Zaen
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
BharathiKrishna6
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
Adam Reagan
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
Pawan Arya
 
13 asymmetric key cryptography
13   asymmetric key cryptography13   asymmetric key cryptography
13 asymmetric key cryptographydrewz lin
 
Ddb 1.6-design issues
Ddb 1.6-design issuesDdb 1.6-design issues
Ddb 1.6-design issues
Esar Qasmi
 

What's hot (20)

An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
6.distributed shared memory
6.distributed shared memory6.distributed shared memory
6.distributed shared memory
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Intruders
IntrudersIntruders
Intruders
 
Message passing in Distributed Computing Systems
Message passing in Distributed Computing SystemsMessage passing in Distributed Computing Systems
Message passing in Distributed Computing Systems
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Web Security
Web SecurityWeb Security
Web Security
 
Message authentication
Message authenticationMessage authentication
Message authentication
 
IP Security
IP SecurityIP Security
IP Security
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
 
Elgamal & schnorr digital signature scheme copy
Elgamal & schnorr digital signature scheme   copyElgamal & schnorr digital signature scheme   copy
Elgamal & schnorr digital signature scheme copy
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
Network Security Chapter 7
Network Security Chapter 7Network Security Chapter 7
Network Security Chapter 7
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
 
Pgp pretty good privacy
Pgp pretty good privacyPgp pretty good privacy
Pgp pretty good privacy
 
13 asymmetric key cryptography
13   asymmetric key cryptography13   asymmetric key cryptography
13 asymmetric key cryptography
 
Ddb 1.6-design issues
Ddb 1.6-design issuesDdb 1.6-design issues
Ddb 1.6-design issues
 

Similar to Authentication Models

Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
Mohammad Yousri
 
Web services security_in_wse_3_ppt
Web services security_in_wse_3_pptWeb services security_in_wse_3_ppt
Web services security_in_wse_3_ppt
Harshavardhan Achrekar
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
Brian Culver
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
CSCJournals
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10githe26200
 
76 s201923
76 s20192376 s201923
76 s201923
IJRAT
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on system
Swati Sinha
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
IRJET Journal
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
Anton Staykov
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
WAFAA AL SALMAN
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
Profesia Srl, Lynx Group
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
Randy Connolly
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
Conference Papers
 
Access management
Access managementAccess management
Access management
Venkatesh Jambulingam
 
Microsoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application PermissionsMicrosoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application Permissions
Stefan Weber
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
ijtsrd
 
Digital Certificates and Secure Web Access
Digital Certificates and Secure Web AccessDigital Certificates and Secure Web Access
Digital Certificates and Secure Web Access
bluntm64
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 

Similar to Authentication Models (20)

Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Web services security_in_wse_3_ppt
Web services security_in_wse_3_pptWeb services security_in_wse_3_ppt
Web services security_in_wse_3_ppt
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
Session 10 Tp 10
Session 10 Tp 10Session 10 Tp 10
Session 10 Tp 10
 
76 s201923
76 s20192376 s201923
76 s201923
 
Web Single sign on system
Web Single sign on systemWeb Single sign on system
Web Single sign on system
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
WSO2 ITALIA SMART TALK #3 WSO2 IS NEW FEATURE
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
 
Access management
Access managementAccess management
Access management
 
Microsoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application PermissionsMicrosoft Graph API Webinar Application Permissions
Microsoft Graph API Webinar Application Permissions
 
Authentication through Claims-Based Authentication
Authentication through Claims-Based AuthenticationAuthentication through Claims-Based Authentication
Authentication through Claims-Based Authentication
 
Digital Certificates and Secure Web Access
Digital Certificates and Secure Web AccessDigital Certificates and Secure Web Access
Digital Certificates and Secure Web Access
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 

Authentication Models

An Overview of Authentication Mechanisms on Windows

This article gives an overview of various authentication mechanisms for applications on Windows. It also touches upon upcoming technologies like CardSpace and OpenID. It concludes by relating the development of new authentication mechanisms to the basic need for SSO.

Background

With the emergence of Web 2.0, identity management is becoming a core focus. Security in online transactions is gaining attention from all technology vendors, including Microsoft. Microsoft's recent release of .NET Framework 3.0 includes Windows CardSpace, which provides a solid foundation for the identity management of the future. Microsoft's recent announcement of a tie-up with OpenID takes the CardSpace initiative to the next level. The current article gives an overview of various authentication mechanisms on the Microsoft Windows platform.

Introduction

A digital identity is a set of characteristics associated with an individual or a device which allows us to address it distinctly from the rest of the world.

Before granting access to a valuable resource, a digital identity is checked to confirm the source of the request. This mechanism is termed authentication.

Various popular authentication mechanisms are –

    1.   User name and password
    2.   Digital certificates
    3.   Biometrics – Fingerprints, Iris/retina scan
    4.   Dynamic biometrics – signature, voice recognition

Authentication in Windows OS

Microsoft Windows Server 2003 has adopted Kerberos 5 as the default protocol for network authentication. Active Directory is merely the directory that holds all the information; the Kerberos protocol implementation is used to protect it and make it function.
Microsoft Windows Server 2000 and beyond use the following as the default authentication mechanism –

    Default authentication package:   Kerberos
    Credential store:                 Active Directory, SAM (Security Authentication Module)
    Authentication protocols:         Clear Text, NTLM (NT LAN Manager), Standard Kerberos,
                                      Kerberos PKINIT (Public Key cryptography for INITial Authentication)

All the authentication protocols are exposed via SSPI (Security Support Provider Interface).
The Windows authentication process using the Kerberos KDC (Key Distribution Center) is shown below.

Authentication in .NET Applications

The .NET Framework has a model for managing a user or automated agent based on the notion of an Identity. The identity object encapsulates information about the user or entity being validated. Basic identity objects contain a name and an authentication type. The name can either be a user's name or the name of a Windows account, while the authentication type can be either a supported logon protocol, such as Kerberos V5, or a custom value.

    namespace System.Security.Principal
    {
        public interface IIdentity
        {
            bool IsAuthenticated { get; }
            string AuthenticationType { get; }
            string Name { get; }
        }
    }

The IIdentity interface shown above abstracts the authentication part of the security context. The .NET Framework defines a GenericIdentity object that can be used for most custom logon scenarios and a more specialized WindowsIdentity object that can be used when the application relies on Windows authentication. Additionally, an own identity class can be defined that encapsulates custom user information.

Web Application Authentication

ASP.NET implements authentication via authentication providers. Providers are basically classes that contain public static methods to help in authenticating requests from clients. An ASP.NET application can be configured to use one of the following authentication providers –

1. Windows Authentication
The WindowsAuthenticationModule provider relies on IIS to provide authenticated users. The provider module constructs a WindowsIdentity object. The default implementation constructs a WindowsPrincipal object and attaches it to the application context. One of the major advantages of Windows Authentication is that it allows the implementation of an impersonation scheme.

2. Forms Authentication

Forms authentication is recommended if the application needs to collect its own user credentials at logon time through HTML forms. All unauthorized requests are redirected to the logon page using HTTP client-side redirection. The forms authentication provider may implement custom logic for validating the username and password against the identity store. If the application authenticates the request, the system issues a ticket that contains a key for re-establishing the identity for subsequent requests.

3. Passport Authentication

Passport authentication is Microsoft's centralized authentication service that offers a single logon and core profile services for member sites. Passport uses the Triple DES encryption scheme. When member sites register with Passport, they are granted a site-specific key. The Passport logon server uses this to encrypt and decrypt the query strings passed between sites. The authentication ticket is preserved by the client in a cookie and is used for all future requests to the application till the cookie expires.

Web Services Authentication

Authentication of Web Services can be classified into two models as follows –

1. Direct Authentication

In the direct authentication model, the client and the service establish a direct trust. The client application sends the credentials directly to the service along with the service request. The service maintains the catalog of the authorized clients, and the authentication mechanism is built into the service components. This model can be considered similar to Forms authentication for web applications, as both mechanisms do not require any intermediary to build the trust.

2. Brokered Authentication

Brokered authentication has an intermediary called a 'broker' to perform authentication when the client and service do not share a trust relationship. Credentials are used to authenticate with the broker, which issues a security token. The security token is then used to authenticate with services.
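The forms ticket from the Web Application section and the IIdentity/IPrincipal model from the .NET section above, combined in one added example that is not from the article: a hypothetical login handler issues a forms ticket in a hardened cookie, and a Global.asax hook wraps the resulting FormsIdentity in a GenericPrincipal carrying application roles. Membership.ValidateUser stands in for the credential check against the identity store, and LookupRoles is a constructed placeholder.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical login handler and Global.asax hook (added example, not from the article).
// LookupRoles is a constructed stand-in for the application's own identity store.
public static class FormsLogin
{
    public static bool Login(HttpContext ctx, string user, string password)
    {
        if (!Membership.ValidateUser(user, password))
            return false;                            // one failure path, so no account enumeration

        // The ticket is the "key for re-establishing the identity" on later requests.
        var ticket = new FormsAuthenticationTicket(
            1,                                       // ticket format version
            user,                                    // identity name carried by the ticket
            DateTime.Now,                            // issue time
            DateTime.Now.AddMinutes(20),             // short absolute lifetime
            false,                                   // not persistent: dies with the browser session
            string.Empty,                            // userData: never place secrets here
            FormsAuthentication.FormsCookiePath);
        // Encrypt() applies the machineKey encryption and MAC, so the client cannot alter the
        // name or expiry; HttpOnly and Secure keep the cookie away from script and plain HTTP.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = true,
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Add(cookie);
        return true;
    }
}

public class Global : HttpApplication
{
    // On later requests FormsAuthenticationModule has already decrypted the ticket and set a
    // GenericPrincipal around a FormsIdentity; re-wrap that identity with application roles
    // so that IPrincipal.IsInRole works as it does under Windows authentication.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return;                                  // anonymous request: leave it untouched
        Context.User = new GenericPrincipal(identity, LookupRoles(identity.Name));
    }

    static string[] LookupRoles(string user) =>
        user == "alice" ? new[] { "Approver" } : new string[0];  // constructed sample data
}
```

Authorisation code downstream then checks Context.User.Identity.IsAuthenticated before Context.User.IsInRole("Approver"), exactly as it would for a WindowsPrincipal.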
WSE (Web Services Enhancements) provides 3 main security tokens which support brokered authentication.

I. X.509

This requires support for a PKI (Public Key Infrastructure). In cases where a limited number of certificates are needed, an external CA (Certificate Authority) can be used. Most X.509 implementations, such as SSL, exchange a symmetric session key that is used for encryption.

II. KerberosToken

This requires an identity provider that supports the Kerberos protocol, such as Active Directory. Service tickets are session-based tokens that can be used for confidentiality and integrity.

III. STS (Security Token Service)

This requires an STS implementation that issues and manages security tokens. Custom security tokens can be used for session-based operations.

CardSpace Authentication

Windows CardSpace is a technology designed to help eliminate the need for usernames and passwords. Instead it will provide Windows users with digital identities in the form of Cards that users can access in a secure and familiar manner.
CardSpace provides an identity selector and a self-issued identity provider, both of which run on the client machine. CardSpace is a new way of doing strong authentication across trust boundaries. Internet Explorer 7 uses Windows CardSpace, if installed. Windows CardSpace uses the following interoperable protocols – WS-Security, WS-SecurityPolicy, WS-Trust and WS-MetadataExchange.

The Identity Provider provides the card (.crd file), which contains the metadata information. This card is used to obtain the security token from the Identity Provider for sending the claims to the relying party.

OpenID Authentication

OpenID uses an XRI (eXtensible Resource Identifier) to verify the digital identity. CardSpace can play a role in supplementing the OpenID authentication process by establishing a relationship between the client and the OP using WS-Trust and WS-MetadataExchange. This may help eliminate steps 4 and 5 from the overall authentication process. Also, the Card can additionally carry the XRI along with the OP token.
Conclusion

SSO (Single sign-on) is a form of software authentication that enables a user to authenticate once with one software system and in turn gain access to multiple software systems. Windows OS authentication being the primary authentication, it is ideal to base SSO on it to gain access to all the applications accessed in that Windows session without the need to (re-)enter the credentials.

The Internet has opened the doors to a very large number of applications accessible to users, typically in a B2C scenario, with each application requiring the user to undergo its own registration and authentication process. Along with SSO, a demand for a secure, reliable and generic mechanism to establish trust persists. With the evolution of technology and open standards being widely accepted, the vision of 'Trustworthy SSO' across the web will not be too far from becoming reality.