Hacking has been making headlines in recent years, and so far 2016 is no exception. Early in the year there was the email hack at the FBI and Department of Homeland Security, in which names, titles, email addresses, and phone numbers for thousands of employees were collected and shared. Then, in mid-February, a hospital in Los Angeles, California, fell victim to a ransomware attack in which hackers kept the entire facility offline for over a week.
But this year, in response to this rise in hacking, the White House has issued a new Cybersecurity National Action Plan (CNAP) to ensure the government’s security in the future. The plan features some pretty clear and straightforward proposals, including staying up to date—which turns out to be more like getting up to date—with $3.1 billion dedicated to modernizing legacy software and equipment as well as moving to two-factor authentication.
With this and our ongoing series about the Security-of-Security in mind, we thought this would be a great time to look more closely at what authentication is and how it works.
In general terms, authentication is the process of first determining whether an entity (a user, a server, or a client app) is who it claims to be, and then verifying whether and how that entity should access a system. Depending on the setup, the process can take place on the client side, on the server side, or at both ends.
Client-side authentication uses username/password combinations, tokens, and other techniques while server-side authentication uses certificates to identify trusted third parties. As the name suggests, two-factor authentication, like that proposed in CNAP, refers to two forms of authentication used in combination. While we're all familiar with how usernames and passwords work, tokens and certificates might be less familiar to you.
What's up with tokens & certificates?
A token is a form of claims-based authentication achieved through the presentation of valid, signed information. It works the way a boarding pass does when you fly. After all, you don't just walk up to the gate and present your passport. Instead, you are authenticated at check-in based on your picture ID and ticket and then given a boarding pass. The boarding pass is the verified claim the airline makes about you, and the gate accepts it because the airline issued it.
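The boarding-pass idea in code, as an added example that is not part of the original post: an issuer signs a small set of claims (who the holder is, what role they have, when the claim expires) with a secret key, and a verifier recomputes the signature before trusting any of it. The token format, the claim names, the "operator7" subject and the demo key are all constructed for this illustration; the signing primitive is HMAC-SHA256 from Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the signed statement the issuer makes about the holder, the
// digital counterpart of the boarding pass: who they are, what they may do,
// and until when. Field names and roles are constructed for this example.
type Claims struct {
	Subject string `json:"sub"`
	Role    string `json:"role"`
	Expires int64  `json:"exp"` // Unix seconds
}

// Issue encodes the claims and appends an HMAC-SHA256 tag computed with the
// issuer's secret key. Anyone can read the claims; only a key holder can sign.
func Issue(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	body := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	tag := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return body + "." + tag, nil
}

// Verify recomputes the tag over the presented body, compares it in constant
// time, and only then decodes the claims and checks the expiry. A token that
// fails any check yields an error and no claims.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0]))
	got, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("malformed body")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, errors.New("malformed claims")
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // hypothetical issuer secret
	now := time.Date(2016, 3, 1, 12, 0, 0, 0, time.UTC)
	tok, _ := Issue(key, Claims{Subject: "operator7", Role: "viewer", Expires: now.Add(time.Hour).Unix()})
	fmt.Println("issued:", tok)

	c, err := Verify(key, tok, now)
	fmt.Println("accepted:", c.Subject, c.Role, err)

	// Rewriting the claims (here, escalating the role) without the key leaves
	// the old tag in place, so the recomputed tag no longer matches.
	alt, _ := json.Marshal(Claims{Subject: "operator7", Role: "admin", Expires: now.Add(time.Hour).Unix()})
	forged := base64.RawURLEncoding.EncodeToString(alt) + "." + strings.Split(tok, ".")[1]
	_, err = Verify(key, forged, now)
	fmt.Println("forged:", err)

	_, err = Verify(key, tok, now.Add(2*time.Hour))
	fmt.Println("stale:", err)
}
```

The order of checks in Verify is the point worth noticing: the signature is compared before the body is parsed, so untrusted bytes are never interpreted, and the comparison uses hmac.Equal rather than == so that a mismatch takes the same time wherever it occurs.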
A digital certificate is an electronic document used to prove the ownership of a public key, so that trust can be established between the key's owner and an entity wishing to communicate with that owner. In addition to information about the public key and the owner, a digital certificate carries the digital signature of an issuer, which attests to the authenticity of the content. Ultimately, it confirms that communication is taking place with the right entity.
One of the most common uses of certificates is for HTTPS-based websites. In this case, a web browser will validate that a web server is authentic to ensure that the website is who it claims to be and that communication between user and website is secure.
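What that browser-side validation consists of, as an added example that is not part of the original post: the presented certificate must be signed by (chain to) a root the client already trusts, must be valid at the current time, and must name the host that was requested. The block below builds a throwaway root CA, a server certificate it issued, and a look-alike certificate for the same name issued by an unknown CA, then runs the same checks a browser would against each; it goes beyond the text by also showing the three ways validation fails. The hostnames, CA names and keys are constructed for the example, and the chain logic is the standard-library crypto/x509 verifier, not the product's or the post author's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var lastSerial int64 // demo-only serial counter; real CAs use random serials

// newCert generates a key pair and a certificate binding its public key to
// subject (plus DNS names for a server) and signs it with parentKey. When
// parent is nil the certificate is self-signed, i.e. it is a root CA.
func newCert(subject string, dns []string, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	lastSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(lastSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(1, 0, 0),
		DNSNames:              dns,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServer performs the checks a browser makes on an HTTPS connection:
// the certificate must chain to a trusted root, be valid at the current
// time, and name the requested host. A nil result means the server is authentic.
func VerifyServer(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// BuildDemo constructs a trusted root CA, a server certificate it issued for
// vms.example.internal, and a look-alike certificate for the same name issued
// by a CA the client does not trust. Names and keys are made up for the example.
func BuildDemo(now time.Time) (roots *x509.CertPool, good, rogue *x509.Certificate, err error) {
	const host = "vms.example.internal"
	ca, caKey, err := newCert("Demo Root CA", nil, true, nil, nil, now)
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := newCert("Unknown CA", nil, true, nil, nil, now)
	if err != nil {
		return
	}
	if good, _, err = newCert(host, []string{host}, false, ca, caKey, now); err != nil {
		return
	}
	if rogue, _, err = newCert(host, []string{host}, false, rogueCA, rogueKey, now); err != nil {
		return
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca) // only the demo root is trusted; the rogue CA is not
	return
}

func main() {
	now := time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC)
	roots, good, rogue, err := BuildDemo(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted issuer, right name:", VerifyServer(good, roots, "vms.example.internal", now))
	fmt.Println("wrong hostname:", VerifyServer(good, roots, "camera01.example.internal", now))
	fmt.Println("untrusted issuer:", VerifyServer(rogue, roots, "vms.example.internal", now))
	fmt.Println("past expiry:", VerifyServer(good, roots, "vms.example.internal", now.AddDate(2, 0, 0)))
}
```

The rogue certificate is the case the post's next paragraph worries about: it names the real server and is internally consistent, but its signer is not in the trust store, so the client refuses it. The hostname check matters just as much, since a perfectly valid certificate for some other machine must not be accepted for this one.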
When it comes to your physical security system, authentication is an important tool for keeping your data from getting into the wrong hands. It works in both directions: it prevents unauthorized access, and it ensures that when your security personnel log in they are, in fact, connecting to your genuine system. This means that hackers can't pretend to be a security server in order to take control of, manipulate, or copy your valuable and sensitive data.
Once these identities have been authenticated, the next step in maintaining the security of your security system is managing who can access what part of your security system. This is achieved through various authorization mechanisms, a process that we will talk about in the weeks to come.