Authentication Service Security

Authentication Service Security focuses on verifying the identity of users or devices before granting access to systems or services. It discusses various authentication methods, including Single-Factor and Two-Factor Authentication, as well as protocols like Kerberos, LDAP, OAuth2, SAML, RADIUS, and X.509. Each protocol serves specific purposes in ensuring secure authentication and authorization in network environments.

by Afshan Zameer
Authentication Service Security is about making sure that when someone tries to access a system,
application, or service, they really are who they claim to be. It's like having a secure way to check
someone's identity before letting them in.

What is Authentication?

Authentication is the process of verifying the identity of a user or device. It's like asking for an ID card to
make sure that the person trying to enter a building is who they say they are. Deciding what that person may do
once inside is authorization, a separate step that should only run after authentication has succeeded.
1. Single-Factor Authentication:
This was the earliest form of login security and is still the most common. The user proves identity with a single
piece of evidence, normally a username and password. If the username or password is wrong, the user is not allowed
to log in or access the system. Because there is only one factor, anyone who learns or guesses the password can
log in as that user.

2. Two-Factor Authentication:
In this system the user must present two independent kinds of evidence: something they know (a password) plus
something they have (a phone or hardware token that generates a one-time password, OTP) or something they are
(a biometric). A stolen password alone is then not enough to log in. OTP schemes such as TOTP derive a short code
from a shared secret and the current time, so each code is valid only for a brief window.
Types of Authentication Methods:
Passwords (something you know)
Physical Identification (something you have: smart card, hardware token, phone)

Biometrics (something you are):
Facial Characteristics
Fingerprints
Hand Geometry
Retinal Pattern
Signature
Voice
Types of Authentication Protocols
Authenticating the user is the first thing an application must do when it receives a request, before any data is
returned.

Several standard protocols exist for this, each built for a particular environment:
1. Kerberos
2. Lightweight Directory Access Protocol (LDAP)
3. OAuth2
4. SAML (Security Assertion Markup Language)
5. RADIUS
6. X.509 Authentication Service
1. Kerberos:

Kerberos is a network authentication protocol that lets users and services on an untrusted network (such as the
internet or a corporate LAN) prove their identity to each other. It is designed to prevent eavesdropping and replay
attacks: passwords never cross the network, and every request carries a fresh, timestamped authenticator that a
server will accept only once.

Clients and servers are validated using symmetric cryptographic keys that each shares with a trusted third party,
the Key Distribution Center (KDC).
Key components: Authentication Server (AS), Database of principals and their keys, Ticket Granting Server (TGS)
Characters in the Diagram:

User: A person trying to log in or access a service.

KDC (Key Distribution Center): The central authority, for example an Active Directory domain controller,
split into two parts:

AS - Authentication Server

TGS - Ticket Granting Server

Resource Server: The actual service you want to use, e.g., file server or
printer.

Step-by-Step Breakdown of the Diagram:

1. User → KDC (Request TGT)

The user sends a request to the Authentication Server (AS) for a Ticket
Granting Ticket (TGT).
This request includes the username and, with pre-authentication enabled, a current timestamp encrypted with a
key derived from the user's password. The password itself is never sent.

2. KDC → User (TGT + Session Key)

The Authentication Server looks up the user's key in its database, checks the pre-authentication data, and sends
back:

A TGT (Ticket Granting Ticket) - encrypted with the KDC's own (krbtgt) key, so the user can neither read nor
alter it.

A Session Key - encrypted with the user's key, used for secure future communication with the TGS. Only someone
who knows the password can decrypt it.

3. User → TGS (Request Service Ticket + Auth)

The user now wants to access a particular service (e.g., file server).
They send:

The TGT received in step 2.

An authenticator (the username and current time, encrypted with the session key), which proves the sender holds
the session key and is not simply replaying an old TGT.

A request naming the service.

4. TGS → User (Service Ticket + Session Key)

The Ticket Granting Server (TGS) decrypts the TGT, checks the authenticator against it, and sends back:

A Service Ticket for the specific resource server, encrypted with that server's long-term key.

A new session key (for that particular service session), encrypted with the TGT session key.

5. User → Resource Server (Request + Auth)

Now the user sends this service ticket and a fresh authenticator (encrypted with the new session key) to the
Resource Server (e.g., file server).

6. Resource Server → User (Authentication OK)

The Resource Server decrypts the ticket with its own key, verifies the authenticator (the name matches the ticket,
the timestamp is within the allowed clock skew, and it has not been seen before), and, if valid, grants access to the
service (like files, printers, etc.). It can also reply with the authenticator's timestamp encrypted under the
session key, so the user knows the server is genuine (mutual authentication).
Because a service ticket is protected only by the resource server's long-term key, that key must be strong: a
service account with a weak password leaves its tickets open to offline guessing.
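The six steps above, run end to end as an added example (not code from the original document). The KDC, the client and the resource server are all modelled in Python with the standard library; the encryption is a toy HMAC-SHA256 construction standing in for Kerberos's AES enctypes, the string-to-key function is a simplified stand-in, and the realm, principal names and passwords are constructed for the example.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock skew Kerberos tolerates when checking timestamps

def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the salt is realm + principal, as with the AES enctypes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) standing in for AES-CTS+HMAC."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def _check(ticket: dict, auth: dict, now: int) -> None:
    # Ticket still valid, authenticator names the ticket's owner, timestamp fresh.
    if ticket["expires"] < now or auth["cname"] != ticket["cname"] or abs(now - auth["timestamp"]) > SKEW:
        raise ValueError("ticket/authenticator rejected")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) sharing one principal database."""
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {"krbtgt": os.urandom(32)}  # the krbtgt key seals every TGT

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, cname: str, preauth: bytes, now: int) -> tuple:
        """Steps 1-2: the pre-auth timestamp proves knowledge of the password; issue TGT + session key."""
        if abs(now - decrypt(self.keys[cname], preauth)["timestamp"]) > SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"cname": cname, "key": sk, "expires": now + 36000})
        return tgt, encrypt(self.keys[cname], {"key": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: int) -> tuple:
        """Steps 3-4: validate TGT + authenticator; issue a service ticket + new session key."""
        t = decrypt(self.keys["krbtgt"], tgt)
        _check(t, decrypt(bytes.fromhex(t["key"]), authenticator), now)
        svc_key = os.urandom(32).hex()
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "key": svc_key, "expires": now + 36000})
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": svc_key})

class Service:
    """Resource server; it shares its long-term key with the KDC (a keytab, in real deployments)."""
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        """Steps 5-6: verify ticket + authenticator, refuse replays, prove own identity back."""
        t = decrypt(self.key, ticket)
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
        _check(t, auth, now)
        if (auth["cname"], auth["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["timestamp"]))
        return encrypt(bytes.fromhex(t["key"]), {"timestamp": auth["timestamp"]})

def login_and_access(kdc: KDC, service: Service, cname: str, password: str, sname: str, now: int) -> tuple:
    """Client side of the six steps. Returns (server's mutual-auth timestamp, the AP-REQ that was sent)."""
    ckey = string_to_key(password, kdc.realm, cname)
    tgt, enc_sk = kdc.as_exchange(cname, encrypt(ckey, {"timestamp": now}), now)
    sk = bytes.fromhex(decrypt(ckey, enc_sk)["key"])
    ticket, enc_svc = kdc.tgs_exchange(tgt, encrypt(sk, {"cname": cname, "timestamp": now}), sname, now)
    svc_key = bytes.fromhex(decrypt(sk, enc_svc)["key"])
    ap_req = (ticket, encrypt(svc_key, {"cname": cname, "timestamp": now}))
    return decrypt(svc_key, service.ap_exchange(*ap_req, now))["timestamp"], ap_req

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a good login, a replayed AP-REQ, and a wrong password."""
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", "correct horse battery staple")
    kdc.register("cifs/fs01", "long random service account password")
    fileserver = Service(kdc.keys["cifs/fs01"])
    ts, ap_req = login_and_access(kdc, fileserver, "alice", "correct horse battery staple", "cifs/fs01", now)
    results = {"mutual_auth_ok": ts == now}
    attempts = {"replay_rejected": lambda: fileserver.ap_exchange(*ap_req, now + 1),
                "wrong_password_rejected": lambda: login_and_access(kdc, fileserver, "alice", "wrong", "cifs/fs01", now)}
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

Two things the flow makes visible that the step list alone does not: a wrong password is rejected at step 2 because the AS cannot decrypt the pre-authentication data, before any ticket exists; and a captured AP-REQ (ticket plus authenticator) replayed against the file server fails on the replay cache even though the ticket is still valid. It is also visible that the service ticket is sealed only with the service account's key, so everything in step 5 rests on that key being strong.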
2. Lightweight Directory Access Protocol (LDAP):
Used for locating and looking up individuals, organizations and devices on a network, whether on the public
internet or a corporate intranet.
It is an open, standard application protocol for accessing and maintaining distributed directory information
services over an Internet Protocol (IP) network.
LDAP is commonly used in enterprise environments to manage and organize information about users, devices,
applications and other resources in a central directory. A client authenticates to the directory with the bind
operation; a simple bind sends the password in clear, so it should only be used over TLS (LDAPS or StartTLS),
and an anonymous or unauthenticated bind (empty password) must not be mistaken for a successful login.
3. OAuth2 (Open Authorization 2.0):
It is an open standard protocol for authorization that allows third-party applications to access user data
without being given the user's credentials: the user grants the application a scoped access token instead.
It is widely used for secure and delegated access to resources in client-server applications, especially over
the internet. It provides a framework for authorization, not for authentication on its own; OpenID Connect is
the layer built on OAuth2 that adds an ID token proving who the user is.
4. SAML (Security Assertion Markup Language):
It is an XML-based open standard for securely exchanging authentication and authorization data between an
identity provider (IdP) and a service provider (SP), particularly for web-based applications and services.
SAML enables single sign-on (SSO) and allows users to log in to multiple applications with a single set of
credentials: the IdP issues a digitally signed assertion that the SP verifies before creating a session.
It is widely used in identity and access management (IAM) systems to enhance security and user convenience.
5. RADIUS (Remote Authentication Dial-In User Service):
RADIUS is a network protocol used for centralized authentication, authorization, and accounting of users who
try to connect to a network. The network access device (a Wi-Fi controller or VPN gateway) forwards the user's
credentials to the RADIUS server over UDP, and the two sides share a secret that protects the exchange.

Think of RADIUS as a gatekeeper that decides:

Who can log in (Authentication)
What they can do (Authorization)
What they did (Accounting)

Where is RADIUS used?

Wi-Fi login in offices, colleges, hotels
VPN (Virtual Private Network) access
ISP (Internet Service Providers) user logins
Corporate or university networks for staff/students
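An added example (not from the original document) of the packet-level exchange behind the gatekeeper picture: the network access server builds an Access-Request whose User-Password attribute is hidden with the RFC 2865 MD5 scheme and authenticated with a Message-Authenticator, and the RADIUS server verifies it and answers with an Access-Accept or Access-Reject carrying a Response Authenticator. Python standard library only; the shared secret, usernames, passwords and NAS address are constructed values, and the server's user store is a plain dict of SHA-256 hashes for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    where the first 'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped (so passwords may not end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t: int, value: bytes) -> bytes:
    """Attribute TLV: Type (1 byte), Length including the 2-byte header, Value."""
    return struct.pack("BB", t, len(value) + 2) + value

def parse_attrs(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes = b"\x0a\x00\x00\x01", request_auth: bytes = None) -> tuple:
    """NAS side: Access-Request with a hidden User-Password and a Message-Authenticator.
    Returns (packet, request_authenticator); the NAS keeps the authenticator to validate the reply."""
    ra = request_auth or os.urandom(16)  # must be fresh and unpredictable for every request
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, nas_ip))
    # Message-Authenticator (RFC 2869 s5.14): HMAC-MD5 over the whole packet with its own value zeroed.
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed))
    mac = hmac.new(secret, header + ra + zeroed, hashlib.md5).digest()
    return header + ra + attrs + attr(MESSAGE_AUTHENTICATOR, mac), ra

def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: check the Message-Authenticator, recover the password, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], parse_attrs(packet[20:length])
    fields = dict(attrs)
    if code != ACCESS_REQUEST or MESSAGE_AUTHENTICATOR not in fields:
        raise ValueError("Access-Request without Message-Authenticator is not accepted")
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    if not hmac.compare_digest(hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest(),
                               fields[MESSAGE_AUTHENTICATOR]):
        raise ValueError("bad Message-Authenticator (wrong shared secret or altered packet)")
    pw = unhide_password(fields.get(USER_PASSWORD, b""), secret, ra)
    # PAP delivers the cleartext password, so the server can compare against a stored hash.
    ok = hmac.compare_digest(users.get(fields.get(USER_NAME), b""), hashlib.sha256(pw).digest())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator (RFC 2865 s3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()

def client_check_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust the reply only if its Response Authenticator verifies; then Accept means let in."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT

def demo() -> tuple:
    """Constructed exchange: correct password, wrong password, and a reply forged without the secret."""
    secret = b"use-a-long-random-shared-secret"
    users = {b"alice": hashlib.sha256(b"wifi-pass").digest()}
    pkt, ra = build_access_request(7, b"alice", b"wifi-pass", secret)
    good = client_check_response(server_handle(pkt, secret, users), ra, secret)
    pkt, ra = build_access_request(8, b"alice", b"wrong", secret)
    bad = client_check_response(server_handle(pkt, secret, users), ra, secret)
    forged = client_check_response(struct.pack("!BBH", ACCESS_ACCEPT, 8, 20) + os.urandom(16), ra, secret)
    return good, bad, forged
```

The whole exchange rests on the shared secret and on MD5: the password hiding is an MD5 keystream, and both authenticators are MD5 constructions. That is why the secret must be long and random rather than a short word, why the server should require the Message-Authenticator rather than treat it as optional, and why carrying RADIUS over TLS (RadSec, RFC 6614) or IPsec is the usual hardening for traffic that leaves a trusted segment.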
6. X.509 Authentication Service:
X.509 is a standard for digital certificates used in authentication and encryption over the internet or a network.

In short, X.509 is a way to prove digital identity using certificates (like a digital ID card) whose authenticity
is vouched for by a Certificate Authority's signature.

Why is X.509 Important?

It helps in:

Verifying identity of users, websites, or devices
Enabling encrypted communication (like HTTPS)
Supporting digital signatures and secure logins

What is an X.509 Certificate?

An X.509 certificate is a digital document that includes:

Public key of the user/server
Identity info (e.g., name, domain; for web servers the domains are listed in the Subject Alternative Name extension)
Certificate Authority (CA) details
Validity period
Digital signature of the CA

Real-Life Example:
You open https://google.com

1. Your browser receives Google's X.509 certificate, together with the intermediate CA certificate(s) that chain
it to a root.

2. It verifies that:
The certificate is issued by a trusted authority (the chain of signatures ends at a root CA in the browser's
trust store)
The certificate is valid and not expired
The name you typed matches one of the names in the certificate
The certificate has not been revoked, where the browser supports that check
3. If all good, it uses the certificate's public key to set up an encrypted HTTPS connection

If something is wrong (e.g., the certificate is forged, expired, or issued for a different name), your browser
shows a "Not Secure" warning.
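An added example (not code from the original document) of the checks in step 2 that a client can make on a decoded certificate: the validity period and the name match against the Subject Alternative Name, including the wildcard rules browsers enforce. The certificate dictionary is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns and is not a real certificate; chain and signature verification are not reimplemented here and are left to the TLS library, as the docstring says.

```python
import ipaddress
from datetime import datetime, timezone


def cert_time(s: str) -> float:
    """Parse the validity format ssl.SSLSocket.getpeercert() uses, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    return datetime.strptime(s.replace(" GMT", ""), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc).timestamp()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: case-insensitive; '*' only as the entire leftmost label and matching
    exactly one label; partial (f*o.example.com) and too-short (*.com) wildcards are rejected."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def check_certificate(cert: dict, hostname: str, now: float) -> list:
    """The identity and validity checks a client applies to the leaf certificate.
    `cert` is in the dict shape getpeercert() returns. Returns a list of problems; [] means acceptable.
    Signature and trust-anchor verification of the chain is NOT done here: in real code
    ssl.create_default_context() performs it against the OS trust store before this would run."""
    problems = []
    if now < cert_time(cert["notBefore"]):
        problems.append("not yet valid")
    if now > cert_time(cert["notAfter"]):
        problems.append("expired")
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        if not any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans):
            problems.append("IP address not listed in subjectAltName")
    elif not any(t == "DNS" and dns_name_matches(v, hostname) for t, v in sans):
        # Only subjectAltName counts; browsers no longer fall back to the subject commonName.
        problems.append("hostname %r matches no DNS subjectAltName" % hostname)
    return problems


# Constructed for this example in the getpeercert() dict shape; not a real certificate.
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jun 30 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com"),
                       ("IP Address", "203.0.113.10")),
}
```

An empty list from `check_certificate` corresponds to the browser's "all good" in step 3; any entry is the reason behind a "Not Secure" warning. The wildcard rules matter in practice: `*.cdn.example.com` must not match `cdn.example.com` or `a.b.cdn.example.com`, and a `*.com` certificate must never be honoured.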
