WEBVTT

00:00.750 --> 00:06.330
You know, we spent so much time in all these episodes talking about everything from certificates to cryptography.

00:06.330 --> 00:11.220
But what we really haven't started to talk about yet is actually getting the data to the people who

00:11.220 --> 00:13.320
need it in the way that they need it.

00:13.320 --> 00:19.680
So what I want to cover in this episode is identification, authorization, and authentication.

00:19.710 --> 00:21.630
Now when we talk about these three,

00:21.630 --> 00:24.510
the best way to really understand it is through an analogy.

00:24.510 --> 00:30.660
So I'm actually buying myself a ticket to go to the theater right now and I'm going to print out my

00:30.690 --> 00:32.010
confirmation code.

00:32.010 --> 00:32.920
Let's go to the theater.

00:32.940 --> 00:39.070
And let me show you how these three work. Two tickets for La Traviata, please.

00:39.240 --> 00:44.270
Now before she's going to give me any tickets, we are going to have to get, in essence, authenticated.

00:44.340 --> 00:49.230
Now the first step I'm going to have to do here is I'm going to provide some form of identification,

00:49.650 --> 00:50.230
in this case.

00:50.250 --> 00:54.790
I'm just going to provide a driver's license. Now because the ticket lady is a human being,

00:54.810 --> 01:00.060
this is an easy way for her to identify me, just by looking at the driver's license, but it still doesn't

01:00.060 --> 01:04.100
mean I'm authenticated to get some tickets. In order for me to do...

01:04.140 --> 01:04.570
Yes.

01:04.650 --> 01:09.340
In order for me to do that, I'm going to have to pull out my confirmation number that I printed out of

01:09.340 --> 01:10.920
my printer earlier.

01:10.920 --> 01:17.610
Now between my identification and my confirmation number, I've actually performed proper authentication.

01:18.090 --> 01:19.850
Thank you very much.

01:20.730 --> 01:22.280
And now I've got my tickets.

01:22.320 --> 01:23.910
Let's go sit down.

01:27.010 --> 01:32.800
OK Rotti, and my seats are 14 and 15.

01:33.170 --> 01:33.840
OK.

01:33.910 --> 01:34.800
Good.

01:36.920 --> 01:40.030
I think I might be here a little early.

01:40.040 --> 01:45.620
The important thing to remember for the Security+ is the difference between identification, authentication,

01:45.680 --> 01:47.840
and authorization. Identification

01:47.840 --> 01:54.020
just proves who I am to the authenticating system. Authentication itself takes place by me proving that

01:54.050 --> 02:00.180
I have rights to that system through passwords, smart cards, retinal scanners, whatever it might be.

02:00.470 --> 02:06.080
And then authorization simply means what rights do I have to the system

02:06.110 --> 02:07.920
once I've been authenticated.

02:08.300 --> 02:08.720
All right.

02:08.720 --> 02:14.300
So let's do this all over again, except this time let's do it in a more computer kind of world.

02:14.330 --> 02:15.300
I'm going to watch the show,

02:18.120 --> 02:19.310
La Traviata.

02:19.340 --> 02:22.570
Who doesn't enjoy a little bit of Verdi every now and then?

02:22.580 --> 02:22.890
OK.

02:22.910 --> 02:28.060
Well, anyway, we're back in the studio now, and what I want to do is kind of make sure we understand there are

02:28.070 --> 02:33.680
some issues when it comes to identification, authorization, and authentication.

02:33.680 --> 02:36.630
The challenge we have is that computers aren't people.

02:36.980 --> 02:41.990
I can't go to a lady in a ticket booth and just show her a driver's license or confirmation number and,

02:42.110 --> 02:43.970
in essence, get my tickets.

02:43.970 --> 02:47.480
Instead, what we do is we have what are called authentication factors.

02:47.480 --> 02:52.730
Now there are three big authentication factors that you're going to be seeing on Security+. The first

02:52.730 --> 02:57.860
one is something you know, and that's something like a password. For example, a password would be something you know.

02:58.430 --> 03:00.450
The next one is something you have.

03:00.560 --> 03:05.030
And that means things like a smart card, or something that you actually have on your person that you

03:05.030 --> 03:07.430
can use to authorize you.

03:07.520 --> 03:12.170
And the last one is something about you, and that's what we call biometrics. That's going to be things

03:12.170 --> 03:18.290
like retinal scanners and things that actually measure the veins in your palm, all kinds of cool stuff

03:18.290 --> 03:19.310
like that.

03:19.370 --> 03:23.470
Anyway, let's go and start with the first one, and that is something you know.

03:23.570 --> 03:27.090
So the best example is good old passwords.

03:28.580 --> 03:34.220
So here we are, a typical login screen, and you can see that I have my username that I type in and my

03:34.220 --> 03:37.060
password. We're all pretty comfortable with something like that.

03:38.140 --> 03:42.040
But passwords aren't the only type of something you know.

03:42.040 --> 03:49.580
Another great example is going to be PIN codes. Now we see PINs all over the place.

03:49.630 --> 03:52.390
One of my favorite ones is here on my phone right here.

03:52.390 --> 03:56.230
So what I'm going to do is you guys are going to fuzz all this out.

03:56.230 --> 03:56.680
Right.

03:56.680 --> 04:00.440
OK, so I'm going to punch in my password, one two three four.

04:00.550 --> 04:02.280
It's not a password, it's a PIN.

04:02.350 --> 04:03.560
I know, it's OK.

04:04.020 --> 04:04.830
That's incorrect.

04:08.710 --> 04:10.930
Like I was really going to let you guys see my PIN code.

04:10.930 --> 04:14.020
Come on. Now we see PINs all over the place.

04:14.050 --> 04:15.940
We see them on phones a lot.

04:16.300 --> 04:17.030
Machines.

04:17.110 --> 04:20.230
But again, that's a great example of something you know.

04:20.470 --> 04:26.110
In fact, for certain Department of Justice folks I work with, not only when you walk up to a machine

04:26.110 --> 04:30.310
do you have to type in a password, but actually they have to type in a PIN separately, depending on what

04:30.310 --> 04:32.600
type of authentication system you might have.

04:32.890 --> 04:35.150
But those aren't the only types of something you know.

04:35.290 --> 04:36.940
There are two more I want to look at.

04:36.940 --> 04:41.440
First of all, let's take a look at CAPTCHA.

04:41.730 --> 04:44.670
We've probably all seen a CAPTCHA screen.

04:44.670 --> 04:50.370
Most of the time these tend to pop up, like on websites where you're logging in a few too many times and

04:50.370 --> 04:53.920
you're making the authenticating process a little bit nervous.

04:54.060 --> 04:58.020
So what they're going to do is they're going to let you type in your username and password again, but

04:58.020 --> 04:59.800
you're going to have to type in the CAPTCHA.

05:00.060 --> 05:03.300
You know, what that CAPTCHA says.

05:03.330 --> 05:08.160
The idea here is that it's preventing evil computer programs that could just keep logging in over and

05:08.160 --> 05:11.050
over again from being able to log in.

05:11.070 --> 05:12.570
So that's CAPTCHA.

05:12.570 --> 05:18.740
Now the last one I want to take a look at is right here, and this is going to be security questions.

05:18.870 --> 05:24.540
There's a good chance most of us have seen security questions too. Security questions usually pop up, for

05:24.540 --> 05:29.790
example, when you've forgotten your password or something like this, and it allows for an automatic password

05:29.790 --> 05:37.100
retrieval type system simply by you remembering the name of your first dog or your mother's maiden name

05:37.100 --> 05:37.770
or

05:37.950 --> 05:42.980
your school that you graduated from, whatever it might be.

05:43.270 --> 05:46.670
So you need to be careful on the Security+ exam right here.

05:46.690 --> 05:51.320
It's easy to remember that something you know would be an example like a password or a PIN.

05:51.460 --> 05:58.180
But also remember that CAPTCHA and security questions are included in something you know. OK.

05:58.390 --> 06:03.190
The next one is something you have. Now when we talk about something you have, we're going to talk about

06:03.220 --> 06:07.780
two things in particular that you're going to see on Security+. The first one is called a smart card,

06:07.780 --> 06:12.490
and I seem to be out of smart cards right now, but I've got a picture on here on the screen.

06:12.490 --> 06:13.680
Let's take a look at this.

06:13.780 --> 06:19.240
Now this is a very typical smart card that you'll see used in, like, a lot of federal organizations and

06:19.240 --> 06:19.900
stuff like that.

06:19.900 --> 06:26.260
The important thing about a smart card is embedded somewhere on that smart card is a chip that holds

06:26.320 --> 06:28.570
a unique identifying code.

06:28.570 --> 06:34.810
And when you insert this, or when you wave it over a sensor, or whatever it might be, it provides that

06:34.810 --> 06:37.590
code to the authenticating body.

06:37.600 --> 06:42.190
Now smart cards are great, but the last one I want to show you is known as an RSA key.

06:42.220 --> 06:44.120
Now an RSA key,

06:44.230 --> 06:48.740
it can be a little device that has got a number, or it can be a piece of software.

06:48.790 --> 06:54.140
And I actually have one here, so let me show you how an RSA key works.

06:54.190 --> 06:58.510
Now I want you to watch this very closely. You'll see this eight-digit code. Watch.

06:58.990 --> 06:59.230
OK.

06:59.230 --> 07:01.000
You see, it just changed.

07:01.280 --> 07:08.780
An RSA token, or an RSA key, is a piece of software or an actual physical key

07:08.800 --> 07:14.020
that stores a secret code of some form.

07:14.110 --> 07:20.620
It then takes that secret code and performs some magic little voodoo on it, and will generate a value

07:20.620 --> 07:23.730
that changes. It depends, there's no law of physics:

07:23.830 --> 07:26.190
every 30 seconds, every 60 seconds.

07:26.320 --> 07:33.490
So the only way that another device can authenticate this is if it also has a secret code, and it

07:33.490 --> 07:39.780
will go ahead and run the same mumbo jumbo, and if it comes up with the same value, you are in good shape.

07:39.790 --> 07:44.740
Now the last one is something about you, and when we talk about something you are, we're talking about

07:44.950 --> 07:46.420
something about you physically.

07:46.420 --> 07:52.480
So we could have fingerprint scanners, or iris patterns, or even the pattern of the veins in your wrist

07:52.480 --> 07:55.540
can be used to identify you uniquely.

07:55.540 --> 07:59.620
Now there's a bunch of these that are out there, and if you've got a late-generation iPhone 5 there are

07:59.800 --> 08:01.850
fingerprint scanners and things like that.

08:01.900 --> 08:14.920
But what I have here is my buddy Scott has a cool laptop, and on this laptop is facial recognition, so

08:14.920 --> 08:17.640
to use this I'm going to have to do...

08:17.650 --> 08:20.220
And this allows him to log into his laptop.

08:20.260 --> 08:24.870
So what I'm going to do here is I'm going to fire the laptop up, on his laptop.

08:24.870 --> 08:28.140
He's actually just using the camera here to recognize me.

08:28.170 --> 08:31.650
Now if you look on the screen, you see it's actually trying to find Scott Kernighan, so we can have a

08:31.650 --> 08:32.700
bit of a problem.

08:32.890 --> 08:34.400
OK.

08:34.620 --> 08:35.860
Oh, sorry Scott.

08:35.930 --> 08:41.790
My take? I was just trying to show people how Security+ covers things like something you are. Pretty

08:41.790 --> 08:42.660
slick, and...

08:42.780 --> 08:43.410
It is slick.

08:43.410 --> 08:46.760
Thank you for letting me steal your laptop.

08:46.770 --> 08:48.900
Thanks. You all done?

08:48.900 --> 08:49.280
We're done.

08:49.290 --> 08:49.680
We're done.

08:49.680 --> 08:51.340
Take it away, Jeeves.

08:52.050 --> 08:53.410
Bye bye.

08:53.520 --> 08:55.820
Look forward to stealing more from you in the future.

08:57.340 --> 08:58.110
OK.

08:58.200 --> 09:01.880
So that is a great example of something about you.

09:01.880 --> 09:07.220
Now there are two more on the Security+ we need to talk about. One of them is called something you

09:07.220 --> 09:08.070
do.

09:08.360 --> 09:13.220
And when we talk about something you do, there are actually authentication programs where, if you

09:13.220 --> 09:15.090
log in with your password, for example,

09:15.110 --> 09:20.480
not only do you have to have the right password, but literally the rhythm of your typing can be used

09:20.720 --> 09:25.190
to verify that it's actually your kind of typing style, which is pretty cool.

09:25.190 --> 09:30.170
Now the last one I want to talk about is called somewhere you are, and when we talk about somewhere you

09:30.170 --> 09:33.010
are, as it implies, it has to do with geography.

09:33.010 --> 09:40.560
So the best way to show you this is let's go buy some gasoline. Now somewhere you are has to do, well,

09:40.670 --> 09:42.960
we see it in a lot of places in authentication.

09:43.000 --> 09:49.760
The one place we see it a lot is in the credit card world. For example, here I am buying gas, and it wants

09:49.760 --> 09:53.590
me to enter my ZIP code.

09:54.530 --> 09:56.260
Hey, it works.

09:56.390 --> 09:58.780
So I'm going for regular in here.

09:59.300 --> 09:59.600
Now

10:02.720 --> 10:07.340
the other thing to remember about somewhere you are is this is also used by credit card companies to

10:07.340 --> 10:08.540
detect fraud.

10:08.540 --> 10:13.520
So for example, while I'm here in Houston, Texas, if someone else were trying to use this card in Chattanooga,

10:13.520 --> 10:14.540
Tennessee,

10:14.540 --> 10:17.680
that would definitely set off some alarms at the credit card company.

10:17.690 --> 10:21.770
Those are the types of authentication, or really identifications, that we run into.

10:21.770 --> 10:28.670
So the challenge that we start to get is that we do a lot of authenticating all over the place.

10:28.850 --> 10:34.160
And if I've got one network over here, and then there's, like, a company, and we access their data a lot

10:34.160 --> 10:40.030
for some reason or another, the hassle of authenticating from one place and then another can be a bit

10:40.030 --> 10:41.070
of a problem.

10:41.080 --> 10:43.110
So with a lot of operating systems, in fact...

10:43.150 --> 10:46.970
Well, let me rephrase that: with Microsoft Windows in particular,

10:47.110 --> 10:51.100
we can actually create authentications based on trust.

10:51.130 --> 10:53.860
So here I've got three different networks.

10:53.860 --> 10:59.290
And in this particular situation these are three different companies that access this one company's

10:59.290 --> 11:00.310
database.

11:00.340 --> 11:06.760
So what becomes interesting is that we can set up what is known as a federated trust situation, and

11:06.760 --> 11:13.360
when we say federated trust, it's basically this system saying to this system, if you've got somebody

11:13.360 --> 11:15.790
you trust, then I'll trust them as well.

11:15.850 --> 11:21.070
And what we can do, this sets up in Windows, fascinatingly, under Active Directory, is we can set something

11:21.070 --> 11:22.720
up, and we can actually establish a trust.

11:22.720 --> 11:28.810
We can connect to another Windows domain and say this domain trusts this domain, and it can automatically

11:28.810 --> 11:33.280
create these types of federated, transitive trusts.

11:33.670 --> 11:34.300
All right.

11:34.300 --> 11:39.020
So there's a lot to cover in this one particular episode.

11:39.040 --> 11:44.890
And it's important because Security+ is going to inundate you with lots of little examples of one type

11:44.980 --> 11:47.160
of authentication versus another.

11:47.170 --> 11:52.150
The last thing to throw in here is the idea of what we call multi-factor authentication.

11:52.150 --> 11:57.770
You would never ever use a biometric as a primary and only source of authentication.

11:57.790 --> 12:01.960
Typically what you're going to do is, pretty much everything works with a username and password, or it

12:01.960 --> 12:03.030
could be a PIN number.

12:03.040 --> 12:09.370
So if you're going to authenticate on a system, you're going to use a fingerprint scanner and you're

12:09.370 --> 12:12.870
going to type in the username and password, or you're going to type in the password and you're going

12:12.870 --> 12:14.200
to use a hardware token.

12:14.200 --> 12:18.450
So we're always doing the multi-factor form of authentication.

12:18.460 --> 12:21.370
Be careful, folks, you're going to see all of this on Security+.
