You know, we've spent so much time in all these episodes talking about everything from certificates to cryptography. But what we really haven't started to talk about yet is actually getting the data to the people who need it in the way that they need it. So what I want to cover in this episode is identification, authorization, and authentication. Now, when we talk about these three, the best way to really understand it is through an analogy. So I'm actually buying myself a ticket to go to the theater right now. And I'm going to print out my confirmation code.
Let's go to the theater and let me show you how these three work. Two tickets for the Traviata, please. Now before she's going to give me any tickets, we are going to have to get, in essence, authenticated. Now the first step I'm going to have to do here is I'm going to have to provide some form of identification. In this case, I'm just going to provide a driver's license. Now because the ticket lady is a human being, this is an easy way for her to identify me, just by looking at the driver's license. But it still doesn't mean I'm authenticated to get some tickets. In order for me to do that? Yes, in order for me to do that, I'm going to have to pull out my confirmation number that I printed out on my printer earlier. Now between my identification and my confirmation number, I've actually performed proper authentication. Thank you very much. And now I've got my tickets. Let's go sit down.
Okay, roti, and my seats are 14 and 15. Okay, looks good. I think I might be here a little early. The important thing to remember for the Security+ is the difference between identification, authentication and authorization. Identification just proves who I am to the authenticating system. Authentication itself takes place by me proving that I have rights to that system through passwords, smart cards, retinal scanners, whatever it might be.
And then authorization simply means: what rights do I have to the system once I've been authenticated? Alright, so let's do this all over again. Except this time, let's do it in a more computer kind of world. I'm gonna watch the show. The Traviata, who doesn't enjoy a little bit of Verdi every now and then. Okay, well anyway, we're back in the studio now.
And what I want to do is kind of make sure we understand there's some issues when it comes to identification, authorization and authentication. The challenge we have is that computers aren't people. I can't go to a lady in a ticket booth and just show them a driver's license or confirmation number and, in essence, get my tickets. Instead, what we do is we have what are called authentication factors. Now there are three big authentication factors that you're going to see on Security+. The first one is something you know, and something like a password, for example, would be something you know. The next one is something you have, and that means things like a smart card or something that you actually have on your person that you can use to authorize you. And the last one is something about you.
And that's what we call biometrics. That's going to be things like retinal scanners and things that actually measure the veins in your palm, all kinds of cool stuff like that. Anyway, let's go ahead and start with the first one. And that is something you know. So the best example is good old passwords. So here we are at a typical login screen, and you can see that I have my username that I type in and my password. We're all pretty comfortable with something like that.
But passwords aren't the only type of something you know. Another great example are going to be PIN codes. Now we see PINs all over the place. One of my favorite ones is here on my phone right here. So what I'm going to do is, you guys are going to fuzz all this out, right? Okay, so what I'm gonna do is punch in my password, 1234. It's not a password, Mike. It's a PIN here.
I know, it's okay. It's incorrect. Like I was really gonna let you guys see my PIN code. Come on. Now we see PINs all over the place. We see them on phones a lot. ATM machines.
But again, that's a great example of something you know. In fact, for certain Department of Justice folks I work with, not only when you walk up to a machine do you have to type in a password, but you actually have to type in a PIN separately, depending on what type of authenticating system you might have. But that's not the only type of something you know. There's two more I want to look at. First of all, let's take a look at CAPTCHA. We've probably all seen a CAPTCHA screen. Most of the time these tend to pop up, like on websites where you're logging in a few too many times and you're making the authenticating process a little bit nervous.
So what they're going to do is they're going to let you type in your username and password again, but you're going to have to type in the CAPTCHA, you know, what that CAPTCHA says. The idea here is that it's preventing evil computer programs that can just keep logging in over and over again from being able to log in. So that's CAPTCHA. Now the last one I want to take a look at is right here. And this is going to be security questions.
There's a good chance most of us have seen security questions. Security questions usually pop up, for example, when you've forgotten your password or something like this. And it allows for an automatic password retrieval type system simply by you remembering the name of your first dog, or your mother's maiden name, or the school that you graduated from, whatever it might be. So you need to be careful on the Security+ exam right here. It's easy to remember that something you know would be an example like a password or a PIN. But also remember that CAPTCHA and security questions are included in something you know.
Okay. The next one is something you have. Now when we talk about something you have, we're going to talk about two things in particular that you're going to see on Security+. The first one is called a smart card. And I seem to be out of smart cards right now. But I got a picture of one here on the screen. Let's take a look at this. Now, this is a very typical smart card that you'll see used in a lot of federal organizations and stuff like that.
The important thing about a smart card is embedded somewhere on that smart card is a chip that holds a unique identifying code. And when you insert this, or when you wave it over a sensor or whatever it might be, it provides that code to the authenticating body. Now, smart cards are great, but the last one I want to show you is known as an RSA key. Now an RSA key can be a little device that's got a number on it, or it can be a piece of software. And I actually have one here.
So let me show you how an RSA key works. Now I want you to watch this very closely. You'll see this eight-digit code. Watch. Okay, you see it? It just changed. An RSA token or an RSA key is a piece of software or an actual physical key that stores a secret code of some form. It then takes that secret code and performs some magic little voodoo on it, and will generate a value that changes, depending (there's no law of physics here), every 30 seconds or every 60 seconds.
So the only way that another device can authenticate this is if it also has the secret code, and it will go ahead and run the same mumbo jumbo, and if it comes up with the same value, you are in good shape. Now the last one is something about you. And when we talk about something about you, we're talking about something about you physically, so we could have fingerprint scanners or iris patterns, or even the pattern of the veins in your wrist can be used to identify you uniquely. Now there's a bunch of these that are out there. You've got the late-generation iPhone 5, there's fingerprint scanners and things like that. But what I have here is my buddy Scott has a cool laptop.
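As an added illustration (not part of the video's narration), here is the "mumbo jumbo" a time-based token and its server both run: a keyed hash (HMAC) over the current 30-second time step, per RFC 6238 TOTP. The seed below is the RFC's published reference value, used as a constructed example rather than a real credential; the window and digit count are assumptions.

```python
"""Added example: how a time-based one-time token derives its code.

Both sides hold the same secret seed; each runs the same HMAC over the
current 30-second time step (RFC 6238 TOTP). The verifier accepts a code
only if it can reproduce it from its own copy of the seed.
"""
import hashlib
import hmac
import struct
import time

# Constructed shared seed: the RFC 6238 reference seed, not a real credential.
SHARED_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Return the code for the time step containing unix_time (HOTP over the counter)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: recompute the code for the current step and its neighbours.

    The small window tolerates clock drift between token and server; the
    comparison is constant-time so timing does not leak how many digits matched.
    """
    for delta in range(-window, window + 1):
        candidate = totp(seed, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SEED, now)
    print("token shows:", code)
    print("server accepts:", verify(SHARED_SEED, code, now))
    print("server rejects wrong seed:", verify(b"some other seed", code, now))
```

A device that does not hold the seed cannot produce a matching code, which is exactly why the token is a "something you have" factor.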
And on this laptop is facial recognition. This allows him to log into his laptop. So what I'm going to do here is I'm going to fire the laptop up. On his laptop, he's actually just using the camera here to recognize me. Now, if you look on the screen, you see it's actually trying to find Scott Jernigan. So we might have a bit of a problem.
Yeah. Where's my laptop? Oh, sorry, Scott. Hi. I was just trying to show people how Security+ covers things like something you are. Pretty slick. I like it. It is slick.
Thank you for letting me steal your laptop. Thanks. Y'all done? We're done. We're done. Take it away.
Jeeves. Bye. Bye. Look forward to stealing more from you in the future. Okay, so that is a great example of something about you. Now there are two more on the Security+ we need to talk about. One of them is called something you do.
And when we talk about something you do, there are actually authentication programs where, if you log in with your password, for example, not only do you have to have the right password, but literally the rhythm of your typing can be used to verify that it's actually your kind of typing style, which is pretty cool. Now the last one I want to talk about is called somewhere you are, and when we talk about somewhere you are, it implies it has to do with geography. So the best way to show you this is let's go buy some gasoline. Now, somewhere you are has to do with... well, we see it in a lot of places on authentication, but one place we see it a lot is in the credit card world. For example, here I am buying gas, and it wants me to enter my zip code.
Hey, it works. So I'm gonna put regular in here now. The other thing to remember about somewhere you are is that this is also used by credit card companies to detect fraud. So for example, while I'm here in Houston, Texas, if someone else were trying to use this card in Chattanooga, Tennessee, that would definitely set off some alarms to the credit card company. Those are the types of authentication, really identifications, that we run into. So the challenge that we start to get is that we do a lot of authenticating all over the place. And if I've got one network over here, and then there's like a company and we access their data a lot for some reason or another, the hassle of authenticating from one place and then another can be a bit of a problem.
So with a lot of operating systems, in fact, well, let me rephrase that, with Microsoft Windows in particular, we can actually create authentications based on trust. So here I've got three different networks. And in this particular situation, these are three different companies that access this one company's database. So what becomes interesting is that we can set up what is known as a federated trust situation. And when we say federated trust, it's basically this system saying to this system, if you've got somebody you trust, then I'll trust him as well. And what we can do, this sets up in Windows, fascinatingly, under Active Directory, is we can set something up and we can actually establish a trust. We can connect to another Windows domain and say this domain trusts this domain, and it can automatically create these types of federated transitive trusts. Alright, so there's a lot to cover in this one particular episode.
And it's important because Security+ is going to ding you with lots of little examples of one type of authentication versus another. The last thing to throw in here is the idea of what we call multi-factor authentication. You would never ever use a biometric as a primary and only source of authentication. Typically, what you're going to do is, pretty much everything works with the username and password, or it could be a PIN number. So if you're going to authenticate on a system, you're going to use a fingerprint scanner and you're going to type in a username and password, or you're going to type in a username and password and you're going to use a hardware token. So we're always doing the multi-factor form of authentication.
Be careful, folks. You're going to see all of this on Security+.