Intrusion Detection: Network Security Beyond the Firewall:The Role of Identification and Authentication in Your Environment









































function GetCookie (name)
{
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen)
{
var j = i + alen;
if (document.cookie.substring(i, j) == arg) {
var end = document.cookie.indexOf (";", j);
if (end == -1)
end = document.cookie.length;
return unescape(document.cookie.substring(j, end));
}
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0) break;
}
return null;
}
var m1='';
var gifstr=GetCookie("UsrType");
if((gifstr!=0 ) && (gifstr!=null)) { m2=gifstr; }
document.write(m1+m2+m3);









        






























 



Keyword
Title
Author
ISBN
Publisher
Imprint


Brief
Full

 Advanced      Search
 Search Tips














Please Select
-----------
Components
Content Mgt
Certification
Databases
Enterprise Mgt
Fun/Games
Groupware
Hardware
IBM Redbooks
Intranet Dev
Middleware
Multimedia
Networks
OS
Prod Apps
Programming
Security

UI
Web Services
Webmaster
Y2K
-----------
New Titles
-----------
Free Archive


























To access the contents, click the chapter and section titles.


Intrusion Detection: Network Security beyond the Firewall


(Publisher: John Wiley & Sons, Inc.)

Author(s): Terry Escamilla

ISBN: 0471290009

Publication Date: 11/01/98



function isIE4()
{
return( navigator.appName.indexOf("Microsoft") != -1 && (navigator.appVersion.charAt(0)=='4') );
}
function bookMarkit()
{
var url="http://www.itknowledge.com/PSUser/EWBookMarks.html?url="+window.location+"&isbn=0";
parent.location.href=url;
//var win = window.open(url,"myitk");
//if(!isIE4())
// win.focus();

}












Search this book:
 





















Previous
Table of Contents
Next




At this point, login calls the operating system routines, which change the credentials of a process. Specifically, login asks the kernel to change its UID and GIDs to the corresponding values found in /etc/passwd and in /etc/group for the logged-in user. This change prevents the child process, which login is creating, from running with root privileges. After the credentials are changed, additional initialization tasks are performed by login, including setting up the user’s environment variables, displaying the message of the day from /etc/motd, and switching into the user’s home directory. On more secure systems, the user’s last successful and unsuccessful login times are displayed. As a last step, the login program overlays itself with the shell program defined for the user in /etc/passwd. The user is now free to begin executing commands or other programs.
You can see that it is the login process which starts the first subject, your shell, executing on your behalf in the system. The security kernel uses the UID and GIDs associated with this shell, and with programs started out of this shell, to make access control decisions. Interestingly, several access control decisions were made during the login procedure already, such as when the login program accessed the files /etc/passwd, /etc/group, and the shadow password file to compare password values.
UNIX Password Mechanism
To recap, the username is the basis of identification, and the password provides authentication. How the initial password is assigned to a user varies between UNIX implementations. The recommended strategy is for the security administrator to pick an initial password for the user or to have the operating system generate one. The user is notified of this value out of band, such as verbally or via a courier service. The password can be set to expire after initial use, thus forcing the user to choose a new password after the first login procedure is completed.
The user’s password must be validated each time a user performs a login. Early operating systems stored the username and password literally in a text file or database. During the login process, normal string comparisons were performed between the value entered by the user and the stored password. The obvious threat to this approach is that if the password file is read by an unauthorized user, that person will be able to login in as and impersonate any other user.
The login procedure described here is an example of two-party authentication. The user and the computer (or operating system) are the two parties involved in the authentication. This procedure is also an example of unilateral or one-way authentication. The user authenticates to the computer, but the computer is not required to authenticate to the user. In order for one-way authentication to succeed, both parties must share a secret.
You might think that the shared secret is the user’s password, but in fact, the shared secret is a value derived from the password. UNIX operating systems, as well as other operating systems, do not store the password itself in an encrypted form. The rationale for adopting this approach lies in export restrictions imposed by the U.S. government. The U.S. government, influenced by concerns for national security, did not allow export of both encryption and decryption software (or hardware). The rather lengthy International Trade in Arms Restrictions (ITAR) is a federal document describing in detail what one can or cannot export with respect to cryptography.
To comply with the ITAR, UNIX computes a cryptographic hash based on the user’s password and stores the hashed value in /etc/passwd or in the shadow password file. In other words, when you choose a new password, the operating system uses your password as the key for a cryptographic computation.
A hash is a one-way function that takes an input value and produces an output value. A one-way function has the property that it is computationally infeasible to compute the input value given the output value. That is, you cannot compute the hash in the reverse to find the corresponding input value given the output value. To be cryptographically secure, a hash must meet the following requirements:

•  Given only the output value, it is computationally infeasible to determine the input value.
•  It is practically impossible to find two input values that will hash to the same output value, even if one input value and the hash are already known.

UNIX relies on a cryptographic algorithm based on the Data Encryption Standard (DES) to encrypt a plaintext string of 0s into a ciphertext string by using your password as the key. The resulting ciphertext value is stored along with your username in /etc/passwd or in a shadow password file. During login, the system takes the password you entered and computes the hash again, comparing the result to the hash value stored with your username. The login program does not decrypt the entry in /etc/passwd and compare it to the value you entered.
DES was designed to encrypt 64-bit blocks of text using a 56-bit key. UNIX converts your password into a 56-bit key by taking the 7-bit ASCII value for each of the first 8 characters of the password and adding some parity checking. This means that if your password is longer than 8 characters, the additional characters do not improve security unless the underlying authentication routines have been changed. The algorithm used by most UNIX systems relies on a modified version of DES, which is an effort to deter attackers who have access to hardware capable of computing DES quickly. To accomplish this, UNIX adds a salt to the procedure to further perturb the encryption steps.



Previous
Table of Contents
Next






























Products |  Contact Us |  About Us |  Privacy  |  Ad Info  |  Home


Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.