Authentication techniques

9.2 Authentication techniques

To guarantee the identity of a client, you need to trust one piece of information that is unique to that client and that cannot easily be determined or faked (e.g., IP address, Windows username/password, or some other credential). Authentication systems prevent the masquerading of credentials, but they cannot protect against a careless user compromising the security of a Windows password.

Several different types of authentication are applicable to different scenarios. If you are developing a solution for an ISP, then the chances are the ISP can be sure which client base has what IP address and, thus, can use IP addresses as credentials. When developing a Windows-only intranet application, you can trust Windows logins. Internet service developers may use a combination of the IIS authentication options or a custom username and password system.

The most basic form of authentication is IP address validation, where access to information is granted only if the IP address of the client is within a given range. This scheme is used by ISPs to limit access to technical support to current customers. They can do this because their customers will have IP addresses in the range that was assigned to the ISP. IP spoofing would defeat this form of authentication, but this is not an easy undertaking. Only a select few determined hackers are capable of carrying it off.
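The range check described above, written out as an added example (this is not code from the book): the address blocks in ISP_RANGES are constructed values standing in for whatever the ISP was actually assigned, and the address being tested is assumed to come from the connected socket's peer address, not from anything the client sends in the request body or headers.

```python
import ipaddress

# Constructed example ranges, assumed to be the blocks assigned to the ISP.
# Real deployments would load these from the ISP's address plan.
ISP_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def ip_in_ranges(client_ip, ranges=ISP_RANGES):
    """Return True only if client_ip falls inside one of the assigned ranges.

    A malformed address is treated as "not allowed" rather than raising, so a
    garbage value can never be mistaken for a current customer.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # IPv4 and IPv6 networks never overlap; compare only same-version blocks.
    return any(addr in net for net in ranges if net.version == addr.version)


def support_access_allowed(peer_address):
    """Decision for the support pages: grant access only to in-range peers.

    peer_address is assumed to be the (host, port) tuple from the accepted
    socket; only the host part is relevant to the range check.
    """
    host, _port = peer_address
    return ip_in_ranges(host)


if __name__ == "__main__":
    # Constructed peer addresses for a quick demonstration.
    for peer in [("203.0.113.45", 51000), ("198.51.100.200", 51001), ("::1", 51002)]:
        print(peer[0], "->", "allowed" if support_access_allowed(peer) else "denied")
```

Because the decision rests entirely on the source address, it is only as strong as the network path: the book's caveat about spoofing applies, and any proxy or NAT between customer and server makes every client behind it look alike.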

9.2.1 IIS authentication

Although this book focuses on stand-alone software, using IIS as a server is always an option not to be dismissed lightly. This approach does remove some of the flexibility from the system, and it becomes necessary to use the encryption and authentication mechanisms that Microsoft provides, rather than proprietary protocols. IIS5 provides five kinds of authentication: anonymous, basic, NT challenge/response (NTLM, standard for Windows 9x and NT), Integrated Windows (Kerberos, standard for Windows 2000 and XP), and digest. The latter two options are not available on IIS4. Each kind of authentication offers varying degrees of interoperability and security.

The most basic form of IIS authentication, if it has a right to be called authentication, is anonymous. This is where the clients do not have to supply any credentials and are automatically granted IUSR (guest) privileges. This allows them to read and write files, but not to generate any graphical interface or access certain API functions.

One step above this is basic authentication. This forces the client to supply credentials in base64 (basically, clear text). This system is completely interoperable between browsers, but offers very little security; however, when combined with SSL, this is a secure solution.
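To make the "base64 is basically clear text" point concrete, here is an added example (not from the book) that decodes an Authorization: Basic header exactly as a server would, and a check that accepts the credentials only when the connection is already protected by SSL/TLS, as the paragraph recommends. The USERS table and the over_tls flag are constructed for the example; a real server would hold salted password hashes and take the TLS state from the listener.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example only. Clear-text passwords are
# kept here purely to keep the block short; store salted hashes in practice.
USERS = {"alice": "s3cret"}


def make_basic_header(username, password):
    """Build the header a browser sends for basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_credentials(authorization_header):
    """Return (username, password) from an 'Authorization: Basic ...' header.

    Returns None for a missing, non-Basic or malformed header. Note that no
    secret is needed to do this: anyone who sees the header sees the password.
    """
    if not authorization_header:
        return None
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None  # RFC 2617 requires the user-id:password form
    return username, password


def authenticate_basic(authorization_header, over_tls):
    """Accept Basic credentials only over an encrypted connection.

    over_tls is assumed to come from the server's listener state; refusing
    clear-text connections outright is what turns Basic into a usable scheme.
    """
    if not over_tls:
        return False
    creds = decode_basic_credentials(authorization_header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    header = make_basic_header("alice", "s3cret")
    print("on the wire:", header)
    print("decoded by anyone:", decode_basic_credentials(header))
    print("accepted over TLS:", authenticate_basic(header, over_tls=True))
    print("accepted in clear:", authenticate_basic(header, over_tls=False))
```

Running the block shows the header "Basic YWxpY2U6czNjcmV0" decoding straight back to alice:s3cret, which is the whole interoperability-versus-security trade-off in one line.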


Moving toward the Microsoft world, we have NT challenge/response, or NTLM. This is quite secure and cannot be broken without significant effort, but it can be hacked by a determined individual. NTLM is supported on IIS4 and all versions of Internet Explorer. The credentials supplied by the client will have to match those of a local account on the server.

Digest authentication was introduced in IIS5. There has not been a widely publicized case of any hacker breaking digest authentication. It is compatible with most versions of Internet Explorer. Again, the credentials supplied by the client will have to match those of a local account on the server.
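What digest authentication changes compared with basic is that the password itself never crosses the wire: the client proves knowledge of it by hashing it together with a server-chosen nonce. The following added example (not code from the book or from IIS) implements the RFC 2617 "auth" computation on both sides; the realm, user table and nonce handling are constructed for the example, and a production server would store the HA1 value rather than the password.

```python
import hashlib
import hmac
import secrets


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side RFC 2617 response with qop=auth.

    response = MD5(HA1 : nonce : nc : cnonce : qop : HA2)
    HA1 = MD5(username : realm : password), HA2 = MD5(method : uri)
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: issues nonces and checks responses without ever
    receiving the password. users is a constructed username -> password map;
    storing HA1 instead would keep clear-text passwords off the server too."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users
        self.issued = set()  # nonces this server handed out

    def challenge(self):
        """Value to send in WWW-Authenticate: Digest ... nonce=..."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        # A nonce we never issued means a replayed or fabricated exchange.
        if nonce not in self.issued:
            return False
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        # Constant-time compare of the two hex digests.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = DigestVerifier("example.test", {"alice": "s3cret"})
    nonce = server.challenge()
    # Client computes the response from its own copy of the password.
    resp = digest_response("alice", "example.test", "s3cret", "GET", "/dir/index.html",
                           nonce, "00000001", "0a4f113b")
    print("on the wire:", resp)  # a hash, not the password
    print("verified:", server.verify("alice", "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
```

The nonce check is what stops a captured response from simply being resent later; without it, an observer would not learn the password but could still replay the one request they saw. The digest is still built on MD5, so the scheme deters eavesdropping rather than replacing SSL.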

Kerberos provides one of the highest levels of security for authentication available over the Internet. It requires access to a domain controller and works only on IIS5 and recent versions of Internet Explorer.

To access authentication options on IIS, click Start → Control Panel → Administrative Tools → Internet Information Services. Right-click on the server in question, and click Properties. Select the Directory Security tab and press Edit (Figure 9.1).

The screen in Figure 9.1 shows the authentication options for IIS. In this case, the lowest form of security is selected as the default. Options exist to upgrade this to basic authentication or NTLM. The option for digest authentication is not enabled here because this particular server has no access to a domain controller.

Figure 9.1 IIS authentication dialog.

Apart from the security versus interoperability trade-off, there is also a security versus performance trade-off. On a benchmark computer (Pentium 3, 450 MHz, 128 MB RAM), each of the preceding authentication systems was tested for performance in a high-load environment.

When accepting anonymous connections, the computer handled 860 requests per second. With basic authentication, the computer handled 780 requests per second, proving to be the fastest authentication mechanism, albeit with little security. NTLM incurred an additional overhead, reducing the overall speed to 99 requests per second. Digest authentication clocked in at 96 requests per second. With Kerberos authentication, the computer could handle only 55 requests per second. Finally, with full-blown SSL, the server dropped as low as a mere 2 requests per second.