CS 126:

INTRODUCTION TO IT SECURITY

LECTURE 05
Access Controls (a)

1 5/29/2017
 Controls
The goal of security management is to protect the
company's assets.
Security has three main objectives (CIA Triad)
Controls are required in order to achieve CIA

2 5/29/2017
 Access Control
Access control is a process to determine “Who
does what to what,” based on a policy.
It is controlling access of who gets in and out of
the system and who uses what resources, when,
and in what amounts.
Access control is restricting access to a system or
system resources based on something other than
the identity of the user.

3 5/29/2017
 Access Control
 Security management utilized three control types to protect the
assets:
1. Administrative controls - are controls that include the
development and publication of security policies, standards,
procedures, personnel screening, system activity monitoring,
change control procedures, and security awareness training.
2. Technical controls - are controls that consist of logical access
control mechanisms, password and resource management,
identification and authentication methods, configuration of
the network, and relevant security devices.
3. Physical controls - are controls that allow individual access
into a facility, locking systems, protecting the perimeter of the
facility, intrusion detection, and environmental controls.
4 5/29/2017
 TERMINOLOGIES
Identification
Identification is a process through which one system
confirms the identity of another person / entity/
computer system. (Compare one to many)
Authentication
Authentication is a process to verify the credentials of
the principal or the system. (Compare one to one)
Authorization
It is a process by which the principal is either granted
access or disallowed to protected resources. Only the
trusted principal can be granted secure access.
 Note: Access control often used as synonym for authorization
5 5/29/2017
 AUTHENTICATION
(User)

6 5/29/2017
 User Authentication
How to authenticate a human to a machine?
3 types of authentication

7 5/29/2017
 Something You Know
Username
Password
PIN
Passphrase

8 5/29/2017
 Something You Have
 Smart cards (NIDA)
Multi-function
 Examples
National ID card (NIDA)
Driver’s license
ATM card

9 5/29/2017
 Something You Are (Biometrics)
Face
Signature
Fingerprint
Retina
Iris
Palm geometry
Voice
DNA
10 5/29/2017
 Passwords
Password is the most common authentication method
Something you know
A password is a word or string of characters used for
user authentication to prove identity or access approval
to gain access to a resource, which is to be kept secret
from those not allowed access.
Some passwords are formed from multiple words and
may more accurately be called a passphrase.
The terms passcode and passkey are sometimes used
when the secret information is purely numeric, such as
the personal identification number (PIN) commonly
11
used for ATM access. 5/29/2017
 Passwords
Most organizations specify a password policy that sets
requirements for the composition and usage of passwords.
Typically dictating minimum length
Required categories (e.g. Upper and lower case,
numbers, and special characters)
Prohibited elements (e.g. Own name, date of birth,
address, telephone number)
Some governments have national authentication
frameworks that define requirements for user
authentication to government services, including
requirements for passwords.
12 5/29/2017
 Passwords
The use of passwords is known to be ancient.
Sentries would challenge those wishing to enter an area or
approaching it to supply a password or watchword, and
would only allow a person or group to pass if they knew
the password.
In modern times, user names and passwords are
commonly used by people during a login process that
controls access to protected resources;
Operating systems
Mobile phones
Automated teller machines (ATMs), etc.
13 5/29/2017
 Why Passwords?
Why is “something you know” more
popular than “something you have” and
“something you are”?
Cost: passwords are free
Convenience: easier for System
Administrators to reset password than to
issue user a new thumb

14 5/29/2017
 Classic password rules
The best passwords are those that are both easy to
remember and hard to crack using a dictionary attack.
The best way to create passwords that fulfill both
criteria is to use two small unrelated words or
phonemes, ideally with a special character or number.
Good examples would be hex7goop or –typetin
Don’t use:
Common names, DOB, spouse, phone #, etc.
Word found in dictionaries
Password as a password
Systems defaults

15 5/29/2017
 Classic password rules
Use Strong Passwords
Passwords are like house keys
Different key for each lock
Brute force attacks
Sniffing clear text
SUPR tests
Strong – Password strong (length and content)?
Unique – Unique and unrelated to other
passwords?
Practical – Can you remember it?
Recent – Have you changed it recently?
16 5/29/2017
 PASSWORD MANAGEMENT
Configure system to use string passwords
Set password time and lengths limits
Limit unsuccessful logins
Enabled auditing
How policies for password resets and changes

17 5/29/2017
 Problems with passwords
 Insecure - Given the choice, people will choose easily
remembered and hence easily guessed passwords such as
names of relatives, phone numbers, birthdays, hobbies, etc.
 Easily broken - Programs such as crack, SmartPass,
PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix,
NetWare & NT passwords.
 Dictionary attacks are only feasible because users choose
easily guessed passwords!
 Inconvenient - In an attempt to improve security,
organizations often issue users with computer-generated
passwords that are difficult, if not impossible to remember
 Repudiable - Unlike a written signature, when a transaction is
signed with only a password, there is no real proof as to the
18
identity of the individual that made the transaction 5/29/2017
 Other Password Issues

Users choose bad passwords

Failure to change default passwords
Social engineering

19 5/29/2017
 Attacks on Passwords
 The bottom line: Weak Password cracking is too easy!
 One weak password may break the whole security
Users choose bad passwords
 Social engineering attacks, etc.
 The bad guy has all of the advantages
 Passwords are a big security problem
 Attacker could…
 Target one particular account
 Target any account on system
 Target any account on any system
 Common attack path
 Outsider  normal user  administrator
20  May only require one weak password! 5/29/2017
 Attacks on Passwords
 Passwords Attacks:
1. Guessing
2. Dictionary Attacks
3. Brute force attacks
4. Social Engineering

21 5/29/2017
 Techniques for guessing passwords
 Try default passwords.
 Try all short words, 1 to 3 characters long.
 Try all the words in an electronic
dictionary(60,000).
 Collect information about the user’s hobbies,
family names, birthday, etc.
 Try user’s phone number, social security number,
street address, etc.
 Try all license plate numbers (T103 AAA).
 Use a Trojan horse

22 5/29/2017
 How to avoid Guessable
passwords?
Techniques used to avoid guessable
passwords.

Four technique exist:

1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking
23 5/29/2017
 How to avoid Guessable passwords?
Techniques used to avoid guessable passwords.

Four technique exist:

1. User education
2. Computer-generated passwords
3. Reactive password checking
4. Proactive password checking

24 5/29/2017
 How to avoid Guessable passwords?
1. User education: Users can be told the importance of using
hard-to-guess passwords and can be provided with
guidelines for selecting strong passwords.
2. Computer-generated passwords: Users are provided
passwords generated by a computer algorithm.
3. Reactive password checking: the system periodically runs
its own password cracker to find guessable passwords. The
system cancels any passwords that are guessed and notifies
the user.
4. Proactive password checking: a user is allowed to select
his or her own password. However, at the time of selection,
the system checks to see if the password is allowable and, if
25
not, rejects it. 5/29/2017
 Password Cracking Tools
 Popular password cracking tools
Password Crackers
Password Portal
L0phtCrack and LC4 (Windows)
John the Ripper (Unix)
 Admins should use these tools to test for weak
passwords since attackers will!
 Good article on password cracking
Passwords - Cornerstone of Computer Security

26 5/29/2017
 Password protection
 Two common techniques used to protect a password file
 One-way encryption: The system stores only an
encrypted form of the user's password. When the user
presents a password, the system encrypts that password
and compares it with the stored value. In practice, the
system usually performs a one-way transformation (not
reversible) in which the password is used to generate a
key for the encryption function and in which a fixed-
length output is produced.
 Access control: Access to the password file is limited to
one or a very few accounts.
27 5/29/2017
 UNIX Password Scheme

Loading a new password

28 5/29/2017
 STORING PROCEDURE

Loading a new
password

1. Each user select a password of up to 8

printable characters in length.
2. This is converted into a 56-bit value (using 7-
bit ASCII) that serve as key input to an
encryption routine.
29 5/29/2017
 STORING PROCEDURE

Loading a new
password

3. The encryption routine known as crypt(3) is

based on DES.
4. DES algorithm is modified using 12-bit
“salt” value. Typically this value is related to
the time at which the password is assigned.
30 5/29/2017
 STORING PROCEDURE

Loading a new
password

5. The modified DES algorithm is exercised

with data input consisting of 64-bit block of
zeros.
6. The output of the algorithm then serve as the
input for the second encryption.
31 5/29/2017
 STORING PROCEDURE

Loading a new
password

7. This process is then repeated for a total of 25

encryptions.
8. The resulting 64-bit output is then translated
into an 11 character sequence
32 5/29/2017
 UNIX Password Scheme

Verifying a password file

33 5/29/2017
 ”SALT”
 The salt serves three purposes:
Prevents duplicate passwords, even if
two users choose the same password.
Effectively increases the length of the
password.
Prevents the use of hardware
implementations of DES, which
would easy the difficulty of a brute-
force attack.
34 5/29/2017
 Something You Are

Biometric

35 5/29/2017
 Biometrics
 Authenticating a user via human characteristics
 Using measurable physical characteristics of a person to
prove their identification
Fingerprint, Handwritten signature, Facial recognition,
Speech recognition, Iris, Retina, DNA, Blood
 Biometrics seen as desirable replacement for passwords
 …but cheap and reliable biometrics is needed
 Today, a very active area of research
 Biometrics are used in security today
Thumbprint mouse, Palm print for secure entry,
Fingerprint to unlock car door, etc.
 But biometrics not too popular
36
Has not lived up to its promise (yet) 5/29/2017
 Desired Properties
 Universal: Applies to (almost) everyone
 In reality, no biometric applies to everyone
 Distinguishing: Distinguish with certainty
 In reality, cannot hope for 100% certainty
 Permanent: Physical characteristic being measured never
changes
 In reality, want it to remain valid for a long time
 Collectable: Easy to collect required data
 Depends on whether subjects are cooperative
 Performance, User’s Accpetability, Robustness against
Circumvention
37 5/29/2017
 Practical biometric applications
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security,
welfare, etc.)
Verifying identities at point of sale
Using in conjunction with ATM , credit or smart cards
Controlling physical access to office buildings or
homes
Protecting personal property
38 5/29/2017
 Comparison
Biometric Type Accuracy Ease of Use User Acceptance

Fingerprint High Medium Low

Hand Geometry Medium High Medium

Voice Medium High High

Retina High Low Low

Iris Medium Medium Medium

Signature Medium Medium High

Face Low High High

39 5/29/2017
 Fingerprint Biometric

 Capture image of fingerprint

 Enhance image
 Identify minutia
40 5/29/2017
 Fingerprint Biometric
 Advantages of fingerprint-based biometrics
 Can’t be lent like a physical key or token and can’t be forgotten
like a password
 Good compromise between ease of use, template size, cost and
accuracy
 Fingerprint contains enough inherent variability to enable
unique identification even in very large (millions of records)
databases
 Basically lasts forever
 Makes network login & authentication effortless
 Biometric Disadvantages
 Still relatively expensive per user
 Companies & products are often new & immature
 No common API or other standard
 Some hesitancy for user acceptance
41 5/29/2017
 Hand Geometry
 Popular form of biometric
 Measures shape of hand
 Width of hand, fingers
 Length of fingers, etc.
 Human hands not unique
 Hand geometry sufficient for many
situations
 Suitable for authentication
 Not useful for ID problem
 Advantages
 Quick
 Hands symmetric (use other hand backwards)
 Disadvantages
42  Cannot use on very young or very old 5/29/2017

 Relatively high equal error rate

 Iris Patterns

 Iris pattern development is “chaotic”

 Little or no genetic influence
 Different even for identical twins
 Pattern is stable through lifetime
43 5/29/2017
 Attack on Iris Scan

 Good photo of eye can be scanned

Attacker could use photo of eye
 Afghan woman was authenticated by iris
scan of old photo
 To prevent photo attack, scanner could
use light to be sure it is a “live” iris

44 5/29/2017
 Face Recognition
 Issues with Face Recognition?

45 5/29/2017
46 5/29/2017
 Biometrics: The Bottom Line
 Biometrics are hard to forge
 But attacker could
 Steal Alice’s thumb
 Photocopy Bob’s fingerprint, eye, etc.
 Subvert software, database, “trusted path”, …
 Also, how to revoke a “broken” biometric?
 Biometrics are not foolproof!
 Biometric use is limited today
 That should change in the future…

47 5/29/2017
 MULTI-FACTOR AUTHENTICATION
 Requires 2 out of 3 of
1. Something you know
2. Something you have
3. Something you are
 Examples
 ATM machine: ATM Card and PIN
 Credit card: Card and signature
 Smartcard with password/PIN

48 5/29/2017
 MULTI-FACTOR AUTHENTICATION
 2-factor authentication: To increase the level of
security, many systems will require a user to provide
2 of the 3 types of authentication.
 ATM card + PIN
 Credit card + signature
 PIN + fingerprint
 Username + Password (Unix, NT default)

 3-factor authentication: For highest security

Username + Password + Fingerprint
Username + Passcode + SecurID token

49 5/29/2017
 END

CS 126 LECTURE 05
50 5/29/2017