--Originally published at #TC2027 #CParravirgen
Sooooo, before my coffee power runs out, I’ve got to finish this post, so buckle up and prepare for a not so wild, not so boring and very instructional read. Don’t worry, I’m not that great a writer, so it won’t be long, just long enough to prove I know what I’m typing.
Kids, this is the story of “how I met your mother”, no, actually it’s not about how I met her, but sounds like an interesting post, or TV show to make, oh wait…
Since “how I met your mother” has already been taken, let’s see what we can say about authentication. Why, you ask, why go from super cool to super boring? Well kids, it’s because of our security blog; eventually I’ll write about more interesting things, but for now, let’s stick with authentication and security, shall we?
So, authentication and security basic goals (like the 101 of security):
- Keep unauthorized persons from gaining access to resources
- Ensure that authorized persons can access the resources they need
Therefore, you can imagine it is important to know who is knocking at our door before we open it (only in Mexico do we open the door just because someone says “It’s me, open up!”).
So, we know how insecure Mexico is (and yes, I can say that because I’m Mexican, I live in Mexico and I care about it; any complaints, please refer them to your hand and the Mexican government, thank you); even though that insecurity is not because we open the door without proper authentication, the computer and network world can’t work like that.
How can we protect data from people who are not authorized to see/have it, but still make it available to those who should and depend on it? Keeping it under the mattress is not an
Since a lot of data needs to be accessed from different parts of the world at the same time by many people. So, the trick is to let those people see it, while keeping everyone else out of it. One of the ways to do that is setting access permissions, but, as our friends from TechRepublic say: “Access permissions work only if you are able to verify the identity of the user who is attempting to access the resources. That’s where authentication comes in.”
Back to the basics, let’s define authentication: “the process of confirming the identification of a user (or in some cases, a machine) that is trying to log on or access resources”. It is important not to confuse authentication with authorization: “authentication verifies the user’s identity, authorization verifies that the user in question has the correct permissions and rights to access the requested resource. The two work together. Authentication occurs first, then authorization”.
There are many, many ways to accomplish our task. I could go through all of them, but you would get bored and stop reading halfway through if I just copy-pasted what is said in TechRepublic’s article. There they talk about many of the authentication methods.
Let me mention and explain a little about the most common ones:
- SSL: First of all, SSL stands for “Secure Sockets Layer”. It uses a combination of secret keys and public keys to ensure they are talking to the right guy. It is supported by many browsers and most of the web servers (the important ones, at least). The basics you need to know about SSL, on how it works is this: “SSL authentication is based on digital certificates that allow Web servers and clients to verify each other’s identities before they establish a connection. (This is called mutual authentication.) Thus, two types of certificates are used: client certificates and server certificates”.
- Password authentication: The very basic one, the equivalent of arriving at some place and being asked for a magic word to open the door. In theory the magic word was set by you previously, so when you come to that place, you remember the word and you can enter, right? Well, in theory it works and is beautiful, but (like the Mexican law that works in theory but in reality doesn’t… Ooops, I’m not supposed to talk about Mexican law here, right? Well, who cares…) it is not fail-proof. For many reasons, like forgetting the password, or making it too simple to figure out. By the way, never ever use “password” as your password, please, it’s just… just… just DON’T, ok? Deal! Another issue is that it is vulnerable to “cracking”, meaning that, using brute force, someone might figure it out and then use it. There are methods to prevent that, like locking the account after X failed attempts (which might not be the greatest idea if your kid uses your phone a lot; you might end up with a wiped phone every other week).
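To make the password part concrete, here is an added example (my own illustration, not code from TechRepublic or from the original post) of the two defences just mentioned: the password is never stored in clear, only a salted PBKDF2 hash of it, and the account is temporarily locked after `MAX_FAILED_ATTEMPTS` wrong guesses instead of being wiped. The user store, the limits and the `now` parameter (so the clock can be controlled in tests) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values for this example; a real system picks its own.
MAX_FAILED_ATTEMPTS = 5      # lock after this many consecutive failures
LOCKOUT_SECONDS = 300        # temporary lock, not a wiped phone
PBKDF2_ITERATIONS = 100_000  # slows down offline brute force of a leaked hash


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordAuthenticator:
    def __init__(self):
        # Constructed in-memory store: username -> salt, hash, failure counter, lock expiry
        self.users = {}

    def register(self, username, password):
        if password.lower() == "password":  # the one rule from the post above
            raise ValueError("never use 'password' as your password")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked_until": 0.0}

    def authenticate(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'; the same answer for a wrong password and an unknown user."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so timing does not reveal which names exist
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < record["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failed"] = 0          # a good login clears the failure counter
            return "ok"
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failed"] = 0
        return "denied"
```

Even the right password is refused while the lock is active, which is exactly what stops a brute-force guesser, and the lock expires on its own so the kid playing with your phone costs you five minutes rather than your data.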
Now, quick break. Since by now you are getting tired of reading all these fancy and cool things about your password, let me tell you some nice jokes. They are in Spanish, so if you don’t know Spanish, you can learn it and come back, or skip this part (which would be sad, because this is the best part of the post, actually!). There are many more, but this is my top 10 (y el pilón, como con los tacos)…
By the way, if you don’t speak Spanish, you should really try to; it is a beautiful language, and even better to speak “Mexican”, you’ll have tons of fun with double-meaning phrases.
So, after this nice break, let’s keep going…
Other forms of authentication involve your actual body, like face recognition, retina scans or fingerprint scans. All this 007 stuff that one sees in movies where Dr. Evil keeps his darkest secret and the good guy has to break in with a fake thumb, you know what I’m saying, right? Even these advanced methods can be bypassed using different tricks. Face recognition can become useless by drawing some lines on your face or by holding up a portrait when looking at the camera or input device. The fingerprint is a nice one (it has to be if the mighty Apple uses it in their iPhone; after all, they never do anything wrong, right?), but guess what? It has been hacked too! This cool blog post talks about how its author hacked the Touch ID on an iPhone (iPhone users, please don’t die after such a disappointment). The retina scan is pretty fancy stuff, but because of that, it is expensive, and in my opinion, if I worked somewhere that required a retinal scan, I’d be very worried about being kidnapped and having my eye popped out (yes, I watch too much TV, I know). By the way, all these methods are called biometric authentication. They have the advantage that you don’t need to carry a card or key, remember a word, or any other rocket-science stuff; just, you know, be there, be yourself (sounds like love advice, like when trying to hit on someone), and that should be enough to open the door or safe or whatever it is that you are trying to open (it might be enough to open his/her pants too, by the way, but that’s another topic for the “how I met your mother” story, kids!).
Very well, now you should know the basics of authentication. Remember: don’t use “password” as your password, don’t give out your password, use secure browsers to surf the web and secure networks too (especially when doing important stuff that no one else should see/know/hear about). Always look for the “https” at the beginning of the link on the website you are on (the S means “secured”, not Superman, in this context, so it is kind of important, as you might guess; Superman can’t help you here). I understand that you might not be Obama or some super important figure that everyone is trying to hack, but even if you are the average Joe (just like me), you should be careful about these things; it is easier to prevent than to rebuild.
Coffee power is out, and so am I; good day, good luck, be safe, eat well, move your ass at the gym or somewhere else, take your vitamins, talk to interesting people, don’t text and drive, have enough sex (even if it has to be with yourself), learn things, share things and try to make the world a better place, move on to achieving your definition of “success” and drink more coffee!
PS: credits for the pictures go to the awesome internet and the Filosorex, many things were taken out of this link, in case you want to read some more on a specific topic:
Also, thanks to Wikipedia for this whole bunch of articles where you can find more information about authentication methods and definitions: