0:05
Hi, Adam Row.
So I want to welcome you to a section of our course now,
where we are digging into classical cybersecurity.
And we're going to start with what I think maybe the most important primitive in
cyber it's called authentication.
And let's talk a little bit about this because I think he asked ten cybersecurity
experts, what is the one most important thing you can do,
if you're allowed to have one thing what would you pick?
They'd all say authentication.
The idea that, if Alice and Bob are communicating, this ability for
Alice to identify herself to Bob in such a manner,
that Bob can be pretty confident that it's really Alice.
That's for many people the most important thing that goes on, so
let's start with the idea of identification.
How do we identify ourselves just in regular life?
How do I Identify that I'm Ed?
If I meet you somewhere and I woke up to you and I say, hey, how you doing?
I'm Ed, I hope you enjoy the course and you see me.
You see my face, you see my voice, you see who I am.
Contextually, maybe there's a reason why we would see each other.
You probably pretty confident when I say I'm Ed, that's fine, and
question is my name a secret.
Is your identifier a secret?
Is your email address a secret?
Is your phone number a secret?
These are weird questions, right?
Your phone number, let's say I said, is your mobile number a secret?
You would say, of course not.
It's on my business card, or I tell my friends, or whatever.
But if you're in some creepy bar somewhere and some weirdo comes up to you and
says, hey, can I have your mobile number?
You're probably not going to be sharing it, and
you're glad that at least in some sense it's secret.
So there's this weird kind of concept of what's secret, what's not.
Your user ID.
If I know your user ID for
a particular system you use, we all know that most systems have lockout.
Which means, if I know your user ID,
I can type it in, I can type a bogus password, it'll say no.
I type your user ID, I type a bogus password, it'll say no.
I do it enough times, I lock you out.
Just by knowing your User ID.
So is it secret?
Should it be secret?
2:23
Kind of an open question in cybersecurity, but the one thing we do know, is that
after reporting an identity, we want to be able to validate it's authenticity.
So, the definition of authentication is the process of reporting,
rather the process of validating a reported identify.
Alice says, I'm Alice,
Bob takes some authentication steps to validate that reported identify.
Is that make sense?
So, that possibility as you'll see is harder than it sounds.
Now again, human beings we said a minute ago, you see me,
you probably look me over, hear my voice, ask me a couple of questions and
you kind of know that I'm me.
What if I'm behind the wall, and I say, Hamed, and what if my voice is disguised?
So now you can't use my face,
you can't use my voice, how do you figure out that I'm me?
Chances are, you're going to do something called challenge.
Meaning, you're going to say, all right, let's see if you're ED.
What did you say on the last video I watched that blah, blah, blah, blah, blah,
and maybe that's a good test, maybe it's not.
It's probably a lot of people watching the video so
a lot of people could answer that.
Maybe that's a terrible challenge to determine my authenticity, but
you get the idea.
Subsequent video we're going to spend some time on the proof factors, but for now,
let's think about a couple of different possibilities for authentication.
One, is a client reporting an identity to a server.
And the server saying, hey, client prove that you are who you say you are.
That's called client authentication, which you would guess.
Person with a browser trying to get on to a server and it's says,
well, before you can come on, you gotta prove you are who you are.
4:12
Second possibility, is a server reports an identity to a client.
And the client says, hey, server, prove who you are.
Now why would you do that?
Again, client with a browser, and
now e-commerce site that would like you to send a credit card.
And you go, hey, I'm www.walmart.com., please send money.
And what would happen is, the client would say, well prove your really Walmart.
And Walmart would, it's all protocol for that.
That's called server authentication.
That makes sense?
You either authenticate client or authenticate a server, and
then all variations on that, peer authentication is to peers authenticating.
Mutual authentication is, I authenticate you, you authenticate them.
Like in mobility 2G, 3G service, 3G,
the second generation, third generation, like UMTS,
didn't have the correct concept of server,
rather tower and handset authentication.
2G a handset will pretty much connect to anything.
By the time we got to 4G and 5G, a lot of that is fixed.
Some in 3G, but with fallback, it still caused some problems.
But you get the idea, that you can do client authentication,
server authentication, mutual authentication, peer authentication.
This is all just around the direction.
So, hopefully, that's going to be useful for you.
Now I want to offer a little quiz here, just to make sure we're together on some
of the basic concepts of identification authentication.
As if you look at the three, you can see that answer c is right,
like that's the essence of user ID, be it privacy and secrecy.
The idea that it's really not that easy to determine whether your mobile number,
your user ID, your email address is truly secret.
It's sort of secret, but sort of not.
That discomfort is normal in cybersecurity, not everything is so
crystal clear.
Other things kind of determine or determined by the context.
So keep that in mind as you continue to think about, and grow and
learn more about cybersecurity.
In our next video, we'll look at some of the proof factors used in authentication.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
