Authentication proves that a user or system is actually who they say they are. This is one of the most critical parts of a security system. It's part of a process that is also reffered to as identification and authentication (I&A). The identification process start when a user ID or logon name is typed into a sign-on screen. Authentication is accomplished by challenging the cliam about who is accessing the resource. Without authentication, anybody can claim to be anybody. Authentication systems are based on one or more of these three factors: Something you know, such as a password Something you have, such as a smartcard or identification device. Something physically unique to you, such as your fingerprints or retinal pattern. Systems authenticate eachother using similiar methods. Frequently, systems pass private information between eachother to establish identity. Once authentication has occured, the two systems can communicate in the manner specified in the design. Several common methods are used for authentication. Each has advantages and disadvantages that must be considered when you are evaluating authentication scemes or methods, thus I have gone over some briefly: Username/Password - A username and password are unique identifiers for a logon process. When you sit down in front of a computer the first thing you must do is establish who you are. Identification is typically confirmed through a logon process. Most operating systems use a user ID and password to accomplish this. These values can be sent over the network as plain text or can be encrypted. The logon process identifies to the operating system, and possibly the network, that you are who you say you are.The operating system compares this information to the stored information of the security processor and either accepts or denies the logon attempt. PAP (Password Athentication Protocol) - It offers no true security, but it's one of the simplest forms of authentication. The username and password values are both sent to the server as clear text and checked for a match. If they match, the user is granted access; if they dont match, the user is denied access. CHAP (Challenge Handshake Authentication Protocol) - It challenges a system to verify identity. CHAP doesnt use userID/Password mechanism. Instead, the initiator sends a logon request from the client to the server. The server sends a challenge back to the client. The challenge is encrypted and then sent back to the server. The server compares the value from the client and, if the information matches, grants authorization. If the response fails, the session fails, and the request phase starts over. Certificates - This is another common form of authentication. A server or certificate authority (CA) can issue a certificate that will be accepted by the challenging system. Certificates can either be physical access devices, such as smart cards, or electronic certificates that are used as part of the logon process. A certificate practice statement (CPS) outlines the rules used for issuing and managing cerftificates. A certificate revocation list (CRL) lists the revocations that must be addressed (often due to expiration) in order to stay current. A simple way to think of certificates is like hall passes at school. Security Tokens - These are similair to certificates. They contain the rights and access privileges of the token bearer as part of the token. Think of a token as a small piece of datathat holds a sliver of information about the user. Many operating systems generate a tokenthat is applied to every action taken on the computer system. If your token doent grant you access to certain information, then either that information wont be displayed or your access will be denied. The authentication system creates a token everytime a user connects or a session begins. At the completion of a session, the token is destroyed. Kerberos - It i a authentication protocol named after the mythical three-headed dog that stood at the gates of Hades. Originally designed by MIT, Kerberos is becoming very popular as an authentication method. It allows for single sign-on to a distributed network. Kerberos authentication uses key distribution center (KDC) to orchestrate the process. The KDC authenticates the principle (which can be a user, a program, or a system) and provides it with a ticket. Once this ticket is issued, it can be used to authenticate against other principles. Kerberos is quickly becoming a common standard in network environments. Its only significant weakness is that the KDC can be a single point of failure. If the KDC goes down, the authentication process will stop. Multifactor Authentication - When two or more access methods are included as part of the authentication process, your implementing a multi-factor system. A system that uses smartcards and passwords is reffered to as a two-factor system. Smart Cards - This is a type of badge or card that gives you access to resources, including buildings, parking lots, and computers. It contains information about your identity and access privileges. Each area or computer has a card scanner or reader in which you insert your card. The reader is connected to the workstation and validates against the security system. Biometrics - This uses physical characteristics to identify the user. Such devices are becoming more common in the business environment. Biometric systems include hand scanners, retinal scanners, and soon, possibly, DNA scanners. To gain access to resources you must pass a physical screening process. These are just the basics of what each of these above mentioned authentication methods do, there are going to be more and stronger methods, but there will also be a loophole in every method. As hackers we must know how these methods work so that we can find out what make them tick and then exploit them.