FIPS PUB 191
2.2.1 Identification and Authentication
The first step toward securing the resources of a LAN is the ability to verify the identities of users [BNOV91]. The process of verifying a user's identity is referred to as authentication. Authentication provides the basis for the effectiveness of other controls used on the LAN. For example, the logging mechanism provides usage information based on the userid, and the access control mechanism permits access to LAN resources based on the userid. Both of these controls are effective only under the assumption that the requestor of a LAN service is the valid user assigned to that specific userid.
Identification requires the user to be known by the LAN in some manner. This is usually based on an assigned userid. However, the LAN cannot trust that the user is in fact who the user claims to be until the user has been authenticated. Authentication is done by having the user supply something that only the user has, such as a token; something that only the user knows, such as a password; or something that makes the user unique, such as a fingerprint. The more of these the user has to supply, the lower the risk of someone masquerading as the legitimate user.
A requirement specifying the need for authentication should exist in most LAN policies. The requirement may be stated implicitly in a program-level policy stressing the need to effectively control access to information and LAN resources, or may be stated explicitly in a LAN-specific policy requiring that all users be uniquely identified and authenticated.
On most LANs, the identification and authentication mechanism is a userid/password scheme. [BNOV91] states that "password systems can be effective if managed properly [FIPS112], but seldom are. Authentication which relies solely on passwords has often failed to provide adequate protection for systems for a number of reasons. Users tend to create passwords that are easy to remember and hence easy to guess. On the other hand, users who must use passwords generated from random characters, while difficult to guess, are also difficult for users to remember. This forces the user to write the password down, most likely in an easily accessible area in the work area". Research work such as [KLEIN] details the ease with which passwords can be guessed.
Proper password selection (striking a balance between being easy to remember for the user but difficult to guess for everyone else) has always been an issue. Password generators that produce passwords consisting of pronounceable syllables are more likely to be remembered than generators that produce purely random characters. [FIPS180] specifies an algorithm that can be used to produce random pronounceable passwords. Password checkers are programs that enable a user to determine whether a new password is considered easy to guess, and thus unacceptable.
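A minimal password checker of the kind described above, added here as an illustration; it is not code from FIPS 191 or from the [KLEIN] study. The tiny word list, the leet-substitution table and the rejection rules are assumptions standing in for the large word lists and site policy a deployed checker would use.

```python
import re

# Constructed stand-in for the word lists a real checker loads; an assumption.
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "qwerty", "monday"}

# Substitutions users commonly apply to disguise a dictionary word (assumed set).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "l"})


def is_easy_to_guess(password: str, userid: str, min_length: int = 8):
    """Return (rejected, reason); rejected=True means the password is
    considered easy to guess and should not be accepted."""
    if len(password) < min_length:
        return True, f"shorter than {min_length} characters"

    lowered = password.lower()
    uid = userid.lower()
    # Passwords derived from the userid are among the first guesses tried.
    if uid and (uid in lowered or uid[::-1] in lowered):
        return True, "derived from the userid"

    # Undo leet substitutions, then keep only letters, so that both
    # "Password1!" and "P@ssw0rd" reduce to "password" before the lookup.
    letters = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    for word in COMMON_WORDS:
        # Allow at most two extra letters around the word (e.g. a suffix).
        if len(letters) <= len(word) + 2 and (word in letters or word in letters[::-1]):
            return True, f"based on the dictionary word '{word}'"

    # A single character class (all lowercase, all digits, ...) leaves a
    # small search space even at an acceptable length.
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
                  if re.search(pat, password))
    if classes < 2:
        return True, "uses only one class of characters"

    # Repetitive passwords such as "aB1aB1aB" pass the class test but are weak.
    if len(set(password)) < 4:
        return True, "too few distinct characters"

    return False, "acceptable"
```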
Password-only mechanisms, especially those that transmit the password in the clear (in an unencrypted form), are susceptible to being monitored and captured. This can become a serious problem if the LAN has any uncontrolled connections to outside networks. Agencies that are