Authentication techniques used by elearning vendors

Authentication used by elearning vendors

This section focuses on the user authentication measures employed by the e-learning platforms on the market.

A study of these platforms was made, looking at how each of them identifies its users. The common denominator of all of them is the username/password pair. They concentrate on software-only solutions, which are much cheaper and require less maintenance in use. Beyond the obvious cost saving, this tendency has other characteristics that explain it:

• At registration time no user-administrator interaction is needed, since the user only has to supply some data rather than present a biometric characteristic (enrolling by presenting a fingerprint, the iris of the eye, and so on).

• Once registered, the user needs no tool to identify himself, which lets him use the platform from any computer; on the other hand, the cost of the peripheral needed to authenticate on the platform (fingerprint reader, iris scanner, and so on) is avoided.

• The saving in the amount of transmitted information is remarkable, since a password, for example, is far less data than what is needed to transmit a recognition parameter.

We are now going to look at the technologies currently used in commercial e-learning platforms.

SMTP Technology

SMTP stands for Simple Mail Transfer Protocol. This protocol is the Internet standard for exchanging electronic mail. Put simply, when you send an e-mail you do it through an SMTP server, which is in charge of delivering the mail to its destination. It can be compared with the postal service: to deliver a letter three pieces of data are needed, the origin, the destination and the route, which here is the SMTP server. Next we explain why SMTP authentication must be configured.

SMTP authentication is configured with the purpose of raising the security level and effectiveness of the e-mail service. Its objective is to reduce the possibility that your account is used without authorization, from your own PC or from others, and to reduce the possibility that your PC is used as a "bridge" (relay) for sending mass mail through our servers.

This report will not present the offerings of the most common platforms and the identification methods they provide; rather, it presents the authentication methods most used by platforms in Spain.

Authentication used in ADR

One of the most important companies in the sector of automatic real-time authentication is ADR Formation, which focuses mainly on software-only solutions rather than on methods that depend on physical mechanisms (hardware), so it concentrates less on biometric authentication methods than on those of the user/password type.

IIS can be configured to authenticate users, that is, to determine the identity of a user's Windows account before allowing that user to establish a connection with the server. Nevertheless, user authentication only takes place when anonymous access is disabled or when NTFS permissions require that users identify themselves with the name and password of a valid Windows user account.

With the authentication options that IIS offers, an authentication method can be chosen that fits the security requirements and the capabilities of the user's Web browser.

It can be specified that users provide the username and password of a valid Microsoft Windows user account to access any information on the server. This identification process is called authentication. Authentication, like many IIS features, can be set for Web sites, directories or files. IIS provides the following authentication methods to control access to the server's content. We are going to look at the most important methods this company uses:

Anonymous authentication

Anonymous authentication gives users access to the public areas of the Web or FTP site without asking for a username or password. When a user tries to connect to the public Web or FTP site, the Web server assigns the Windows user account called IUSR_machine_name, where machine_name is the name of the server on which IIS runs. By default, the IUSR_machine_name account is included in the Windows Guests group. This group has security restrictions imposed by NTFS permissions, which designate the access level and the type of content available to public users.

If there are several sites on the server, or areas of the site that require different access privileges, several anonymous accounts can be created, one for each Web or FTP site, directory or file. By giving these accounts different access permissions, or assigning them to different Windows user groups, anonymous users can be granted access to different areas of public Web and FTP content.

1. The IUSR_machine_name account is added to the Guests group of the IIS machine during setup.

2. When a request is received, IIS uses the IUSR_machine_name account to run (execute) any code or to access any file. IIS can impersonate the IUSR_machine_name account because it knows the username and password of this account.

3. Before returning a page to the client, IIS checks the NTFS file and directory permissions to determine whether the IUSR_machine_name account has access to the file.

4. If access is allowed, authentication is completed and the resources are made available to the user.

5. If access is not allowed, IIS tries to use another authentication method. If none is selected, IIS returns the error message "HTTP 403 Access denied" to the browser.

The anonymous account must have the right to log on locally. If the account does not allow a local logon, IIS will not fulfil any anonymous request.

The IIS setup process grants the right to log on locally to the IUSR_machine_name account. By default, the IUSR_machine_name accounts on domain controllers are not assigned to the Guests accounts. To allow anonymous logon, the IUSR_machine_name accounts must be changed to allow local logon.

Basic authentication

Basic authentication is a very widespread standard method for collecting username and password information. The authentication process works as follows:

1. The Internet Explorer Web browser shows a dialog box in which the user must enter his previously assigned username and Windows password, also known as credentials.

2. The Web browser tries to establish the connection with the server using the user's credentials. The plain-text password is encoded in Base64 before being sent over the network.

3. Important: Base64 encoding is not encryption. If a Base64-encoded password is intercepted on the network by a sniffer, it can be decoded and used by unauthorized people.

4. If the user's credentials are rejected, Internet Explorer shows the authentication dialog again so that the user can re-enter his credentials. Internet Explorer allows three connection attempts before reporting that the connection cannot be established.

5. When the Web server verifies that the username and password correspond to a valid Microsoft Windows user account, the connection is established.

Basic authentication has the advantage of being part of the HTTP specification and being compatible with most browsers. The disadvantage is that Web browsers using Basic authentication transmit passwords without encryption. By monitoring network communications, somebody could easily intercept and decode these passwords with publicly available tools. Therefore, Basic authentication is not recommended unless it is certain that the connection between the user and the Web server is secure, such as a dedicated line or a Secure Sockets Layer (SSL) connection.

Digest authentication

Digest authentication (rendered as "implicit text authentication" in some translations) offers the same functionality as Basic authentication. However, Digest authentication is an improvement in security because of the way the user's credentials are sent over the network.

Digest authentication transmits the credentials over the network as an MD5 hash, also known as a message digest, from which the original username and password cannot be recovered. Digest authentication is available for Web Distributed Authoring and Versioning (WebDAV) directories. Before enabling Digest authentication on an IIS server, make sure the following minimum requirements are met. Only domain administrators can verify that the domain controller (DC) requirements are met; in case of doubt, ask the domain administrator whether the domain controller meets the following requirements:

• All clients that access a resource protected with Digest authentication use Internet Explorer 5.0 or later.

• The user and the IIS server must be members of, or trusted by, the same domain.

• Users must have a valid Windows user account stored in Active Directory on the domain controller.

• The domain controller must run Windows 2000 or later.

• The IIS server must run Windows 2000 or later.
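
The following added Python example (not from the original report, and not Microsoft's code) shows what a network observer gets from the two schemes just described: the Base64 credentials of Basic authentication decode directly, while the RFC 2617 Digest exchange carries only an MD5 response computed from a server nonce, which the server verifies from a stored hash without the password crossing the wire. The username, password, realm and nonce values are constructed sample data.

```python
"""Added example: Basic vs Digest credentials as seen on the wire.

Not code from the original report or from Microsoft; the names, password,
realm and nonce below are constructed sample values.
"""
import base64
import hashlib
import hmac


def basic_authorization_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def recover_basic_credentials(header: str) -> tuple:
    """Undo the Base64 step: this is all a sniffer needs, since encoding is not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def _md5_hex(text: str) -> str:
    # MD5 is what RFC 2617 Digest specifies; used here for fidelity, not as a recommendation.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The server stores this, never the password itself."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_digest_fields(username: str, password: str, realm: str, method: str,
                         uri: str, nonce: str, nc: str, cnonce: str) -> dict:
    """What the browser puts in its Authorization: Digest header after receiving the server nonce."""
    ha1 = digest_ha1(username, realm, password)
    return {
        "username": username, "realm": realm, "uri": uri, "nonce": nonce,
        "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def server_verifies_digest(stored_ha1: str, method: str, fields: dict) -> bool:
    """Server side: recompute the expected response from the stored HA1 and compare in constant time.

    A real server must also check that it issued this nonce recently and that the nonce
    count (nc) has not been seen before; otherwise a captured response could be replayed.
    """
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])


if __name__ == "__main__":
    # Constructed sample credentials and server nonce.
    header = basic_authorization_header("alice", "s3cret")
    print("Basic header on the wire:", header)
    print("Recovered by a sniffer:   ", recover_basic_credentials(header))

    fields = client_digest_fields("alice", "s3cret", "elearning", "GET", "/course/1",
                                  nonce="f1e2d3c4", nc="00000001", cnonce="0a1b2c3d")
    print("Digest response on the wire:", fields["response"])
    print("Server accepts:", server_verifies_digest(digest_ha1("alice", "elearning", "s3cret"),
                                                    "GET", fields))
```
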
Integrated Windows authentication

Integrated Windows authentication (previously called NTLM, also known as Windows NT Challenge/Response authentication) is a secure authentication method, since the username and password are hashed before being sent over the network. When Integrated Windows authentication is enabled, the user's browser proves that it knows the password by means of a cryptographic exchange with the Web server in which the hash is involved. Integrated Windows authentication uses the Kerberos v5 and NTLM authentication methods. If Active Directory services are installed on a domain controller running Windows 2000 or later and the user's browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

N.B. The Kerberos v5 authentication protocol is a feature of the Windows 2000 Distributed Services architecture. For Kerberos v5 authentication to work correctly, both the client and the server must have a trusted connection to a Key Distribution Center (KDC) and be compatible with the directory services.

Translating this definition: the browser is not validated every time; it sends the domain/user credentials and sets up an exchange in which the password is never sent back. It is the best system for an intranet, but a domain system must be installed on the network.

Authentication used in Verisign

VeriSign was founded in 2003 with the objective of providing Internet security services to companies, small businesses and individuals, as well as to computer-based education platforms.

Its offerings include secure site services, managed security and authentication. It allows any company or individual wishing to establish or enhance its online identity to do so through confidentiality on the network, and to improve and develop e-commerce functions. These are solutions based on telecommunication networks and software.

The solutions it contributes are the following:

VeriSign Secured Seal program

This program is aimed at the exchange of money, the purchase and sale of products and information, as in e-learning platforms. This service makes it possible for online buyers, as well as other kinds of visitors, to do business and share information on the site without any worry. The system protects credit cards and other confidential information with the industry-leading SSL encryption system. Visitors know this from the moment the VeriSign Secured Seal logo appears on the site.

In an environment dominated by phishing, identity-related crime and other online violations, the VeriSign Secured Seal is a tool that prevents this kind of fraud.

This technology is applied to platforms where both information exchange and economic transactions take place.

The growth of Internet use has brought with it both unprecedented peril and unprecedented promise. Despite the considerable investment made in security products, losses from threats and vulnerabilities keep increasing. To take advantage of the innumerable benefits and the great promise of the Internet and other technological advances, companies face a strategic dilemma in a business environment that simultaneously requires them to be more open and more secure, while also worrying about rising costs, regulatory compliance and the resolution of very complex issues.

Intelligence and Control services

Many of the world's leading companies are realizing that effective security does not only mean reacting to attacks, but also anticipating them, recognizing patterns and trends, and immediately correcting weak points without endangering the company's operation. While advanced safeguards continue to play critical roles, their full potential will be limited without a coherent policy, developed by experienced personnel, that covers the combination of control, intelligence and security technologies.

The Intelligence and Control services provide the intelligence that allows the company to regain control of its environment and prepare an offensive. They have the following characteristics:

• Device-independent integration: decisive combination of real-time information (intelligence) and tools (control) to provide integrated control and visibility in complex, heterogeneous environments.

• Pervasive security: integrated intelligence and control for the complete range of security-related activities across transactions, applications and networks.

• Collective intelligence: correlating and developing intelligence from data collected across several companies and over the Internet.

• Conclusive actions: analysis of public and private security information that helps companies weigh risk and prioritize actions.

Authentication used in IBM: Tivoli Access Manager

IBM Tivoli Access Manager for e-business is a policy-based access control solution that appears in Gartner's Magic Quadrant. It also handles the management of growth and complexity, controlling the cost of scaling administration, and deals with the difficulties of implementing security policies across a wide range of Web resources and applications.

Tivoli Access Manager for e-business lets e-learning platforms control wired and wireless access to applications and data, providing Single Sign-On (SSO) for authorized users, and gives partners, clients, suppliers and employees highly available access to business-critical applications and transaction data. It allows them to:

• Eliminate the need to manage user identities and security policies in each application.

• Improve relations with clients through unified access management and a single secure sign-on.

• Connect and secure Microsoft environments, with support for Microsoft Active Directory and single sign-on based on NTLM and Kerberos; SSO to Microsoft IIS can give access to applications and resources protected by Tivoli Access Manager.

• Avoid proprietary, hard-to-manage solutions and achieve time to value through standards-based access control with J2EE support.

• Ready integration with Siebel CRM applications and key mySAP.com ERP solutions, as well as portal solutions from Plumtree, Epicentric, WebSphere and BEA; secure Web services with support for Simple Object Access Protocol (SOAP) transactions and a Federated Identity interface for sharing user authentication and attribute information between trusted Web service applications, aligned with the evolution of the WS-Security standards.

• Manage Web security in a way that keeps operations compliant, both in terms of user delegation, groups, roles and the provisioning of access tasks to policies and applications, and in terms of the choice of user registry, including Microsoft Active Directory, Sun ONE Directory Server (formerly iPlanet), Novell eDirectory, Lotus Domino Server and IBM Directory Server (Windows, Solaris, AIX, OS/390, z/OS, Linux on zSeries).

• Achieve availability with a solution that scales to millions of users.

Tivoli Access Manager for e-business is an integrated component of the IBM Identity Management solution, which can help keep users, systems and applications productive and online quickly, reduce costs and maximize return on investment.

IBM identity management provides identity lifecycle management (self-service, enrolment and user provisioning), identity control (access control and privacy, single sign-on, and audit), identity federation (sharing user authentication and attribute information between trusted Web service applications) and identity foundations (directory and workflow) to manage effectively both internal users and a growing number of clients and partner users over the Internet.

IBM Client Security Solutions equips selected NetVista PCs and ThinkPad notebooks with cryptographic technology built into both hardware and software, working together to provide a strong level of trust and security on the client PC platform. Tivoli Access Manager for e-business can centrally control and dynamically manage the authentication elements used by those systems.

Authentication used in Novell:

Netware

NetWare is used in many companies of this type; it is a strong and flexible network operating system for small companies. Its only disadvantage for those who need an enterprise-level solution is its lack of a global directory service, but this can be partly corrected with NetWare Naming Service (NNS), which offers some of the distributed services to NetWare LANs.

It offers file and printer sharing, speed, security, support for most operating systems and a large amount of hardware. Although it has some difficulties with memory management, it is still worth using because of other characteristics that make it important. The main attraction of the 32-bit OS, as introduced by Novell, was its modular design.

The NLMs (NetWare Loadable Modules) can be updated without rebuilding the entire NOS, and they can be loaded on the fly. In addition, only the necessary modules are loaded into the NOS, leaving memory free for other functions such as the disk cache.

A disadvantage of this design is memory usage. NLMs are loaded in ring 0 and can hang the server if an NLM is not written correctly or conflicts with another manufacturer's NLM. Also, some modules do not free their memory when unloaded. (These memory management problems were soon solved in NetWare 4.x.)

NetWare is designed mostly for small to medium networks consisting of individual servers, mainly because its directory services do not integrate across the whole network. Each server maintains its own centralized authentication database, called the Bindery.

The server's Bindery holds information such as login names, passwords, access rights and printing information. If users need to connect to more than one server to share resources, they must do so with each server manually.

Novell's strategy has always been to accelerate the growth of networks. Earlier it developed hardware products and later fostered the growth of important aspects of networking, leaving the manufacture of these products to other companies, some of which soon became important product suppliers in the expanding networking market.

Today Novell's network computing strategy is an architecture called OPEN SYSTEMS NETWARE. This architecture has the following objectives:

• To give users the services offered by NetWare on expandable platforms.

• To make NetWare protocol-independent, supporting the important industry standards such as TCP/IP and the OSI protocol levels.

• To offer routing and wide-area networking.

• To keep the architecture open and to offer development tools for creating applications that operate in distributed network computing environments.

Novell plans to implement this strategy by offering or supporting server platforms, an open architecture, open protocol technology and NetWare services.

Z.E.N. Works

It is a set of programs that run on the workstation and on the administrator's machine, with NDS as the backdrop, forming one of the best tools for effortless administration of network workstations.

From the human point of view, the relation between NDS and Z.E.N. Works makes possible the concept of the "Digital Person", introduced by Novell. The term means that the user has his own environment that is available wherever he goes, so that he is not left stranded when connecting to the network from a machine that is not his own. The user is identified by the desktop, the applications, the printers and, in general, by all the resources he uses on the network.

User workstations become objects, and we will be able to perform the general tasks described next:

• Apply work rules (policies) to users.

• Apply work rules to workstations.

• Apply restrictions based on user, group or container.

• Apply restrictions based on the workstation.

• Manage the workstation environment.

• Restrict access to the workstation configuration.

• Show applications based on many criteria.

• Distribute, update, install or repair any type of application on the workstations without having to go there.

With this product the administrator has found a way not to waste so much time solving common and repetitive problems, for example deleted files that prevent applications from running, workstation management, changes to client parameters, the removal or modification of elements of the client machine's operating system, etc. Indeed, Z.E.N. Works was built on the basis of a study of the daily needs of IT departments. Z.E.N. Works can be said to be divided into two large blocks: the first for application management and the second for workstation management. The basic components are listed next:

Novell Application Launcher (NAL): a client application that runs on all workstations to handle the administrator's requests related to application management. Novell Workstation Manager: a client application that runs on all workstations to handle the administrator's requests related to the workstation environment, restrictions and policies.

The NAL application launcher distributes Application objects automatically. At user login one of its two versions (NAL.EXE or NALEXPLD.EXE) must be run, so that it starts operating and shows what corresponds to the user.

It can perform functions such as running applications with fault tolerance, load balancing, automatic repair, scheduling so that an application is only shown during certain hours, etc.

The Workstation Manager, on the other hand, lets us set a series of desktop rules to obtain a uniform look on all desktops, profiles for users with specific needs or restrictions, client updates, etc.

Authentication used in INFOSS:

Citrix Password Manager

It is the enterprise single sign-on solution that is secure, efficient and easy to implement for access to password-protected Windows, Web and host-based applications.

Users authenticate once with a single password, and Password Manager automates logons, policy enforcement and password changes, making connecting to applications easier, faster and more secure. As a standalone solution or within the Citrix Access Suite, Password Manager improves password security, which simplifies computing activities and can help reduce help-desk costs by 25%.

Password Manager 4.0 simplifies administration and deployment, improves company security and compliance with laws and regulations, and drives higher user productivity. This edition introduces self-service password reset.

For shared-workstation environments, common in retail banks, hospitals, factories and commerce, Password Manager 4.0 introduces Hot Desktop, which lets users log on and off in seconds and eliminates generic logon accounts.

The new version also introduces cryptographic signing, to guarantee the integrity of the policies and configuration parameters, protecting against "phishing" and "man-in-the-middle" attacks (identity spoofing and interception in transit).

Citrix and HP have created an integrated identity and access management solution that combines Citrix Password Manager with the HP OpenView Identity and Access Management Suite. The Citrix/HP solution lets companies offer complete and secure access to information to employees, clients and partners all over the world.

Access to IT resources is simplified: users log on once with a single password and Password Manager authenticates the user to all the other password-protected applications.

Network security increases: Password Manager eliminates the need for employees to keep different passwords by centralizing and automating their administration.

Help-desk calls decrease: with Password Manager, routine password-related events are automated and invisible to the end user, eliminating many unnecessary calls to the help desk.

Compatibility with different platforms is extended: Password Manager is compatible with Windows, Web and host-based applications, whether they run standalone or are hosted on Citrix Presentation Server.

Deployment is simplified: with powerful configuration tools, a task-based administration console and no need to write scripts, Password Manager is easily configured for existing environments.

Authentication used in ORION 2000:

Gemplus

Gemplus is the world's leading specialized smart card supplier (in Spain, Orion 2000). With a broad range of solutions, it offers devices for mobile data services, banking interoperability, identity, WLAN and mobile commerce, among many others.

It is the only company focused completely on this area, with the largest smart card research and development team, which has earned it international recognition for its vast experience and several records in technological innovation.

The main uses of this solution are:

• Secure access to applications, for example e-learning platforms.

• Secure access to equipment.

• Banking cards, corporate cards, customer loyalty cards, electronic purse, among others.

The Gemplus offering is composed of the following products:

1. Smart cards. There are different types of smart cards:

• Conventional (storage)

• Cryptographic

• Contact

• Proximity (contactless)

• Magnetic stripe

2. Card readers

3. Personal application software for smart cards.

PGP

Since the start of its development at the beginning of the 1990s, the PGP (Pretty Good Privacy) encryption system has stood out for its robustness, security and ease of use. Its initial quality was very high and, unlike other systems based on "proprietary" technology, its author and later PGP Corporation have always relied on publicly known algorithms and solutions.

The PGP Corporation product line covers a wide range of organizational security needs. At present the PGP product line is one of the most robust and complete solutions available on the market, incorporating solutions to encrypt hard disks and electronic mail. Based on the best and most tested encryption technology available on the market, the PGP Enterprise suite has, anywhere in the world, the experience and backing of the same team of professionals who gave rise to the system with the greatest market penetration, with a base of millions of users.

The PGP Corporation solutions include the following products:

__PGP Desktop__. It uses X.509 certificates or PGP's own keys interchangeably. Besides encrypting, the user can digitally "sign" mail and documents, ensuring the authenticity and integrity of the information transmitted.

By means of the PGPDisk component, the system encrypts the folders containing the most sensitive documents, using "virtual disk" technology complemented with the most robust and efficient algorithms, so that operation is virtually transparent for the end user.

__PGP Keyserver__. This PGP component lets the organization store its encryption keys centrally, together with the centralized PGP Desktop configuration policies for each user. Each client communicates with this key server to stay up to date, and the server is the reference point when the key of the user to whom encrypted mail is to be sent is not available locally. It is important to emphasize that, beyond the corporate keys, the server also holds the policies that define the system's mode of operation as defined by the security administrator at corporate level.

__PGP Admin__. This PGP module is the system's configuration tool. It lets the administrator define a great number of setup and operation parameters of the Desktop application installed on end users' machines. Among other things, it is possible to specify algorithms, key servers, the configuration options available to the user, and the quality of the passphrase protecting each user's private keys.

__ADK and Key Reconstruction Server__. Among the most important PGP features regulated from the administrator's console, the ability to handle additional encryption keys, also called ADK (Additional Decryption Key), and the lost-key recovery system deserve special mention.

The first is a great help in ensuring that the organization does not lose access to its corporate data if a user leaves, suffers an accident or for any other reason becomes unable to enter the passphrase. To protect this important key with greater care, it is split into several "pieces", which are encrypted with the public keys of several trusted users in the organization.

To access the ADK, several of these users must concur, so that no single person has the ability to access data encrypted with a user's key.

The second feature addresses the scenario in which a user forgets the access passphrase. Instead of having to resort to the ADK, the user answers a series of customized questions that let him recover the passphrase securely and change it.