A free video tutorial from Total Seminars • 500,000+ Enrollments
Home of Mike Meyers and his Team of IT Certification Pros
In this episode, Mike explains the issues of proving you are who you are.
Learn more from the full course TOTAL: CompTIA Security+ Certification (SY0-501).
18:57:19 of on-demand video • Updated March 2020
You know, we've spent so much time in all these episodes talking about everything from certificates to cryptography. But what we really haven't started to talk about yet is actually getting the data to the people who need it in the way that they need it. So what I want to cover in this episode is identification, authorization, and authentication.

Now, when we talk about these three, the best way to really understand it is through an analogy. So I'm actually buying myself a ticket to go to the theater right now, and I'm going to print out my confirmation code. Let's go to the theater, and let me show you how these three work.

Two tickets for La Traviata, please.

Now, before she's going to give me any tickets, we are going to have to get, in essence, authenticated. Now, the first step I'm going to have to do here is I'm going to provide some form of identification. In this case, I'm just going to provide a driver's license. Now, because the ticket lady is a human being, this is an easy way for her to identify me, just by looking at the driver's license, but it still doesn't mean I'm authenticated to get some tickets. In order for me to do that-- Ah, yes. In order for me to do that, I'm going to have to pull out my confirmation number that I printed out of my printer earlier. Now, between my identification and my confirmation number, I've actually performed proper authentication.

Thank you very much. And now I've got my tickets. Let's go sit down. OK, row T, and my seats are 14 and 15. OK. Looks good. I think I might be here a little early.

The important thing to remember for the Security+ is the difference between identification, authentication, and authorization. Identification just proves who I am to the authenticating system. Authentication itself takes place by me proving that I have rights to that system through passwords, smart cards, retinal scanners, whatever it might be.
And then authorization simply means what rights do I have to the system once I've been authenticated.

All right. So let's do this all over again, except this time let's do it in a more computer kind of world. I'm going to watch the show. Ah, La Traviata. Who doesn't enjoy a little bit of Verdi every now and then?

OK. Well, anyway, we're back in the studio now, and what I want to do is kind of make sure we understand there's some issues when it comes to identification, authorization, and authentication. The challenge we have is that, well, computers aren't people. I can't go to a lady in a ticket booth and just show them a driver's license or confirmation number and, in essence, get my tickets. Instead, what we do is we have what are called authentication factors.

Now, there are three big authentication factors that you're going to be seeing on Security+. The first one is something you know, and that's something like a password, for example, would be something you know. The next one is something you have. And that means things like a smart card or something that you actually have on your person that you can use to authorize you. And the last one is something about you, and that's what we call biometrics. That's going to be things like retinal scanners and things that actually measure the veins in your palm, all kinds of cool stuff like that.

Anyway, let's go and start with the first one, and that is something you know. So the best example is good old passwords. So here we are at a typical login screen, and you can see that I have my user name that I type in and my password. We're all pretty comfortable with something like that. But passwords aren't the only type of something you know. Another great example is going to be PIN codes. Now, we see PINs all over the place. One of my favorite ones is here on my phone, right here. So what I'm going to do is, you guys are going to fuzz all this out, right? OK, so I'm going to punch in my password: one, two, three, four.
It's not a password, Mike, it's a PIN. I know, it's OK. That's incorrect. Like I was really going to let you guys see my PIN code, come on.

Now, we see PINs all over the place. We see them on phones a lot. ATM machines. But again, that's a great example of something you know. In fact, at certain Department of Justice folks I work with, not only when you walk up to a machine do you have to type in a password, but actually they have to type in a PIN separately, depending on what type of authenticating system you might have.

But those aren't the only types of something you know. There are two more I want to look at. First of all, let's take a look at Captcha. We've probably all seen a Captcha screen. Most of the time these tend to pop up, like, on Web sites where you're logging in a few too many times and you're making the authenticating process a little bit nervous. So what they're going to do is they're going to let you type in your username and password again, but you're going to have to type in the Captcha. You know what that Captcha says. The idea here is that it's preventing evil computer programs that could just keep logging in over and over again from being able to log in. So that's Captcha.

Now, the last one I want to take a look at is right here, and this is going to be security questions. There's a good chance most of us have seen security questions too. Security questions usually pop up, for example, when you've forgotten your password or something like this, and it allows for an automatic password retrieval type system simply by you remembering the name of your first dog or your mother's maiden name or your school that you graduated from, whatever it might be.

So you need to be careful on the Security+ exam right here. It's easy to remember that something you know would be an example like a password or a PIN, but also remember that Captcha and security questions are included in something you know.

OK. The next one is something you have.
Now, when we talk about something you have, we're going to talk about two things in particular that you're going to see on Security+. The first one is called a smart card, and I seem to be out of smart cards right now, but I got a picture of one here on the screen. Let's take a look at this. Now, this is a very typical smart card that you'll see used in, like, a lot of federal organizations and stuff like that. The important thing about a smart card is embedded somewhere on that smart card is a chip that holds a unique identifying code. And when you insert this, or when you wave it over a sensor, or whatever it might be, it provides that code to the authenticating body.

Now, smart cards are great, but the last one I want to show you is known as an RSA key. Now, an RSA key, it can be a little device that's got a number, or it can be a piece of software. And I actually have one here, so let me show you how an RSA key works. Now, I want you to watch this very closely. You'll see this eight-digit code? Watch. OK. You see it just change. An RSA token or an RSA key is a piece of software or an actual physical key you can get that stores a secret code of some form. It then takes that secret code and performs some magic little voodoo on it and will generate a value that changes, it depends, there's no law of physics, every 30 seconds, every 60 seconds. So the only way that another device can authenticate this is that if it also has that secret code, and it will go ahead and run the same mumbo jumbo, and if it comes up with the same value, you are in good shape.

Now, the last one is something about you, and when we talk about something about you, we're talking about something about you physically. So we could have fingerprint scanners or iris patterns, or even the pattern of the veins in your wrist can be used to identify you uniquely. Now, there's a bunch of these that are out there, and if you've got a late generation iPhone 5, there's fingerprint scanners and things like that.
But what I have here is, my buddy Scott has a cool laptop, and on this laptop is facial recognition. So to use this, all I'm going to have to do, and this allows him to log into his laptop, so what I'm going to do here is I'm going to fire the laptop up. So on his laptop, he's actually just using the camera here to recognize me. Now, if you look on the screen, you see it's actually trying to find Scott Jernigan, so we kinda have a bit of a problem.

Hey, where's my laptop? Oh, sorry, Scott. Mike. I was just trying to show people how Security+ covers things like something you are. Pretty slick, huh, Mike? It is slick. Thank you for letting me steal your laptop. Thanks. You all done? We're done. We're done. Take it away, Jeeves. Bye. Bye. Look forward to stealing more from you in the future.

OK. So that is a great example of something about you. Now, there are two more on the Security+ we need to talk about. One of them is called something you do. And when we talk about something you do, there are actually authentication programs like where, if you log in your password, for example, not only do you have to have the right password, but literally the rhythm of your typing can be used to verify that it's actually your kind of typing style, which is pretty cool.

Now, the last one I want to talk about is called somewhere you are, and when we talk about somewhere you are, as it implies, it has to do with geography. So the best way to show you this is, let's go buy some gasoline.

Now, somewhere you are has to do, well, we see it in a lot of places on authentication. The one place we see it a lot is in the credit card world. For example, here I am buying gas, and it wants me to enter my zip code. Hey, it works. So I'm going to put regular in here. Now, the other thing to remember about somewhere you are is that this is also used by credit card companies to detect fraud. So, for example, while I'm here in Houston, Texas, if someone else were trying to use this card in Chattanooga, Tennessee.
That would definitely set off some alarms at the credit card company. Those are the types of authentication, or really identifications, that we run into.

So the challenge that we start to get is that we do a lot of authenticating all over the place. And if I've got one network over here, and then there's, like, a company, and we access their data a lot for some reason or another, the hassle of authenticating from one place and then another can be a bit of a problem. So with a lot of operating systems, in fact, well, let me rephrase that, with Microsoft Windows in particular, we can actually create authentications based on trust.

So here I've got three different networks. And in this particular situation, these are three different companies that access this one company's database. So what becomes interesting is that we can set up what are known as a federated trust situation, and when we say federated trust, it's basically this system saying to this system, if you've got somebody you trust, then I'll trust them as well. And what we can do, this sets up in Windows, fascinatingly, under Active Directory, is we can set something up and we can actually establish a trust. We can connect to another Windows domain and say this domain trusts this domain, and it can automatically create these types of federated transitive trusts.

All right. So there's a lot to cover in this one particular episode. And it's important because Security+ is going to ding you with lots of little examples of one type of authentication versus another.

The last thing to throw in here is the idea of what we call multi-factor authentication. You would never ever use a biometric as a primary and only source of authentication. Typically, what you're going to do is, pretty much everything works with a username and password, or it could be a PIN number. So if you're going to authenticate on a system, you're going to use a fingerprint scanner and you're going to type in the username and password.
You're going to type in username and the password, and you're going to use a hardware token. So we're always doing the multi-factor form of authentication. Be careful, folks, you're going to see all of this on Security+.