authentication+and+access+control

The document discusses identification, authentication, and operational security, emphasizing the importance of strong password management and selection strategies. It outlines various methods of access control, including discretionary, mandatory, and role-based access controls, as well as biometric identification techniques. Additionally, it highlights security threats such as piggybacking, shoulder surfing, and dumpster diving, while providing guidelines for user education and responsibility in maintaining security.
Identification, Authentication and Operational Security
• Username and Password
• When a user first logs on to a computer, it asks for a user name and password.
• The first step is called Identification; its purpose is to establish who you are.
• The second step is called Authentication; it verifies that claim and determines what you can access.
• If the username and password are correct, you are logged into the computer successfully; if the username or password is incorrect, the login screen is displayed again.
• Some systems count incorrect attempts, and once the threshold is reached the system prevents further login attempts.
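The login flow just described, written out as an added example that is not part of the slides: identification by username, authentication against a salted PBKDF2 hash, an attempt counter and a lockout threshold. The accounts, threshold and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor (constructed value for the example)
LOCKOUT_THRESHOLD = 3         # incorrect attempts allowed before the account is locked

def make_record(password):
    """Create a credential record; only a salted hash of the password is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failed": 0, "locked": False}

# Constructed sample accounts for the example
USERS = {"alice": make_record("Ih2k:J&j"), "bob": make_record("Wl1M:P&u")}

def login(username, password):
    """Identification (who are you?) followed by authentication (prove it).
    Returns 'ok', 'retry' (login screen shown again) or 'locked'."""
    record = USERS.get(username)
    if record is None:
        # Unknown user: still do the hashing work so response time does not reveal
        # which usernames exist; the answer is the same as for a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return "retry"
    if record["locked"]:
        return "locked"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, record["hash"]):   # constant-time comparison
        record["failed"] = 0                              # success resets the counter
        return "ok"
    record["failed"] += 1                                 # count the incorrect attempt
    if record["failed"] >= LOCKOUT_THRESHOLD:
        record["locked"] = True                           # threshold reached: no more logins
        return "locked"
    return "retry"
```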


Managing Passwords
• Never disclose a password at any level.
• There are many tools for cracking passwords.
• Send the password by courier with personal delivery (banks normally do this).
• Send the password using the contact details given on the form, such as an email address or mobile number, and make that password valid for one use only.
• Require the user to change that password at the first login.
• Send a confirmation by mail, or activate the account only through a particular link.
• Do not rely on the password alone; also use a key generated by a device or generated online and sent by mail or to the mobile number.
• Do not use a vehicle number, a computer name, or a word spelled backwards such as drowssap.


Choosing a password
• Do not choose a password based on personal data.
• Do not choose a password that is an English dictionary word, a TV show name or a keyboard sequence.
• Do not choose a dictionary word with numbers or a special character appended, like pasword123, password! or password*.
• Do not choose a password of fewer than 8 characters.
• Do not use only letters or only numbers.
• Avoid words that are guessable or easily traceable.
• Do not use default passwords.
• Do not use the name of a spouse, child or friend, or a surname, as the password.
• Do not use the same password for every account.


Best method to choose a password
• Select more than 8 characters for a password.
• Create a phrase or series of letters that is random but easy to remember, such as: I Have Two Kids: Jack And Jill
• Convert it to initials: ihtk:jaj
• Add numbers to it: ih2k:jaj
• Add special characters: ih2k:j&j
• Use a combination of upper and lower case: Ih2k:J&j


• Make passwords from the following phrases using the method above:
• My name is Bond: James Bond.
• We live in Maharashtra: Pune
• I like chicken
• I love my country: India.


Role of people in security

Password Selection
• Make your password as long as possible.
• Use as many character types as possible: upper case, lower case, numbers, special characters, etc.
• Do not use personal data such as an account number or mobile number.
• Change your password regularly, ideally every 30, 60 or 90 days.
• Make sure the password is hard to crack but easy to remember.
• Do not write the password down anywhere: not on the table, in a computer file, or in your personal diary.


Password Selection Strategy
• User Education
• Computer Generated Passwords
• Reactive Password Checking
• Proactive Password Checking


User Education
 Tell computer users the importance of a hard-to-guess password.
 Give password selection guidelines.
 Do not tell your password to an unknown person.
Computer Generated Passwords
 Computer generated passwords also have a problem: they are reasonably random in nature but very difficult to remember, like gTs!P5w2q.
 Many times users write them down.
 Automated password generators use random character and number generators.
 Many system-generated passwords are used for one time only, or have to be changed at the first login.

Reactive Password Checking
 In this scheme the system periodically runs its own password cracker and finds guessable passwords.
 If the system finds one, it cancels that password and informs the user.
 This method has a number of drawbacks: it can take hours to check the whole system.
 Many vulnerable passwords remain in use until the reactive password checker finds them.
 A reactive password checker is not available on every system.


Proactive Password Checking
 This is the most promising approach to improving passwords; in this scheme the user is allowed to select his or her own password.
 However, at the time of selection the system checks the password: if the password is allowable it is accepted, otherwise it is rejected.
 Such systems are designed by considering all the guidelines.
 Some systems show a bar ranging between weak and strong passwords.
 If the system continuously rejects a password, it means the user is giving weak passwords.
 It will also provide guidelines for selecting passwords.
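A proactive checker that enforces the selection guidelines from the earlier slides (minimum length, no dictionary word even with characters appended, no reversed word, no keyboard sequence, no personal data, mixed character classes) and feeds a weak/strong indicator, as an added example that is not part of the slides. The word lists and keyboard rows are constructed and deliberately tiny; a real checker loads a full dictionary.

```python
import re

# Constructed mini word lists; a real checker would load a full dictionary and breach list.
DICTIONARY = {"password", "welcome", "monkey", "dragon", "letmein", "sunshine"}
DEFAULT_PASSWORDS = {"admin", "root", "1234", "default", "changeme"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 8

def _base_word(pw):
    """Strip digits/special characters appended to a word (password123 -> password)."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def _is_keyboard_sequence(pw):
    """True if the password contains a run of 4+ adjacent keys, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + 4] in low for i in range(len(seq) - 3)):
                return True
    return False

def check_password(pw, personal_data=()):
    """Proactive check at selection time: returns the guideline violations (empty = allowed)."""
    problems, low, base = [], pw.lower(), _base_word(pw)
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if low in DEFAULT_PASSWORDS:
        problems.append("default password")
    if base in DICTIONARY:
        problems.append("dictionary word (with or without appended characters)")
    if base[::-1] in DICTIONARY:
        problems.append("dictionary word spelled backwards")
    if _is_keyboard_sequence(pw):
        problems.append("keyboard sequence")
    for item in personal_data:            # username, spouse/child name, vehicle number ...
        if item and item.lower() in low:
            problems.append("contains personal data: " + item)
    classes = sum(re.search(p, pw) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lower case, upper case, digit, special")
    return problems

def strength_bar(pw, personal_data=()):
    """Feedback shown to the user, like the weak/strong bar mentioned on the slide."""
    return ["strong", "medium", "weak"][min(len(check_password(pw, personal_data)), 2)]
```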


Piggybacking
• Piggybacking is following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building, without that person's knowledge.
• The piggybacker gets access to the facility without the authorized person knowing.
• The term also covers access to a wireless internet connection by bringing one's computer within range of another's wireless connection without permission.
Reasons for piggybacking:
• To avoid paying required access fees.
• To gain access to an area that is completely restricted.
• To hide one's identity.
• The person has forgotten or lost their access key.


Shoulder Surfing
• Shoulder surfing refers to the use of direct observation techniques: looking over someone's shoulder to get information.
• This method is effective in crowded places because it is relatively easy to observe someone's activity, such as:
– Entering a password or PIN on a computer.
– Filling out a form.
– Entering an access code at an ATM or in a public place.
– Shoulder surfing can also be done at a distance using vision-enhancing devices.
• To avoid shoulder surfing it is advised to hide the keypad with your body.
• Do not use a computer in crowded places such as cyber cafés, libraries, or anywhere people are very close to you.

Dumpster Diving
• Dumpster diving is a method by which an attacker searches for important system information by diving into the dump. The search is carried out in paper waste, electronic waste such as old HDDs, floppies and CD media, and the recycle and trash bins on systems.
• Attackers try to extract passwords, system configuration, network configuration and user lists by these methods, and so gain access to these important details.
• Dumpster diving is learning anything valuable from your trash.
• Experts recommend that a company should make a policy under which all paper, including printouts, and important documents due for disposal are erased properly and recycled.

Unauthorized Software/Hardware Installation
• Installing software from unauthorized sources may automatically install other software that the user does not want.
• Such software may be harmful to your system:
– It may contain viruses that infect your system or network.
– It may send unwanted messages from your system.
– Such software may be pirated, which leads to penalties in case of an audit.
– It may contain spyware that captures information and sends it to unauthorized persons.


Individual User Responsibility
• Every computer user must be aware of computer security aspects. Security is compromised by doing the following things:
– Executing programs from unknown or unreliable sources.
– Opening and accessing documents from unsecured sources.
– Exposing passwords or not protecting them.
– Accessing the computer network remotely.
– Opening e-mails and their attachments from untrusted origins.
– Downloading plugins and ActiveX controls.
• To keep the computer system secure, avoid these actions.


Access Control
• Access control is the ability to permit or deny the use of a particular resource by a particular entity.
• Access control mechanisms govern the use of physical, logical or digital resources.
• Access control techniques:
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)


Discretionary Access Control (DAC)
• Discretionary Access Control: This is a type of access control in which a user has complete control over all the programs it owns and executes.
• DAC is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.
• Two important aspects:
 File and Data Ownership: Every object in the system has an owner. In most DAC systems the initial owner is the subject that caused it to be created.
– The access policy for an object is determined by its owner.
 Access Rights and Permissions: These are the controls that an owner can assign to other subjects for specific resources.


Mandatory Access Control (MAC)
• In this control the administrator manages the access control. The administrator defines the access policy, which cannot be modified or changed by users.
• MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information.
• Sensitivity labels: All subjects and objects must have labels assigned to them. A subject's sensitivity label specifies the level of trust required to access a given object.
• Data Import and Export: Controlling the import of information from other systems is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained.
• Rule-based access control: This type of control further defines specific conditions for access.
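To make the DAC/MAC contrast of the last two slides concrete, here is an added example (not from the slides): an owner-controlled ACL, and a label check that the owner's grant cannot override. The label rules follow Bell-LaPadula (no read up, no write down), which is an assumption of this example; the slide only says the subject's label sets the level of trust required. All names and labels are constructed.

```python
# Constructed sensitivity levels, ordered from least to most sensitive
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

class DacObject:
    """DAC: the owner holds the access policy and can grant rights to other subjects."""
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner                      # initial owner is the creating subject
        self.acl = {owner: {"read", "write"}}   # owner starts with full rights

    def grant(self, granter, subject, right):
        """Only the owner may change the object's policy; returns True if applied."""
        if granter != self.owner:
            return False
        self.acl.setdefault(subject, set()).add(right)
        return True

    def allowed(self, subject, right):
        return right in self.acl.get(subject, set())

def mac_allowed(subject_label, object_label, right):
    """MAC: labels are set by the administrator, not the user. Rule set assumed here:
    read only at or below your level ('no read up'), write only at or above it
    ('no write down'), i.e. Bell-LaPadula."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False

def decide(subject, right, obj, labels, policy):
    """Under 'dac' the owner's ACL alone decides; under 'mac' the mandatory label
    check comes first and a discretionary grant cannot override a denial."""
    if policy == "mac" and not mac_allowed(labels[subject], labels[obj.name], right):
        return False
    return obj.allowed(subject, right)
```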

Role Based Access Control (RBAC)
• In RBAC, access control is determined by the system, not by the owner. This type of access control is used in commercial applications and also in military systems, where multilevel access control is required.
• RBAC and DAC differ in nature: DAC allows the user to control access, but in an RBAC system access is controlled by the system, which is outside the user's control.
• Three rules are defined for RBAC:
– Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.
– Role authorization: A subject's active role must be authorized for the subject.
– Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role; this ensures that users can execute only the transactions for which they are authorized.
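The three RBAC rules applied in order, as an added example that is not from the slides. The subjects, roles and transactions are a constructed policy; note that the policy tables live with the system and the session cannot edit them, which is the DAC/RBAC difference the slide draws.

```python
# Constructed RBAC policy held by the system: subject -> roles the subject may take,
# role -> transactions that role may execute. Users cannot modify these tables.
AUTHORIZED_ROLES = {
    "alice": {"teller", "auditor"},
    "bob": {"teller"},
}
ROLE_TRANSACTIONS = {
    "teller": {"deposit", "withdraw"},
    "auditor": {"read_ledger"},
}

class Session:
    """A subject's login session; the active role starts unset (rule 1 needs one)."""
    def __init__(self, subject):
        self.subject = subject
        self.active_role = None

    def activate_role(self, role):
        """Rule 2 (role authorization): the active role must be authorized for the subject.
        Returns True if the role was activated, False if refused."""
        if role not in AUTHORIZED_ROLES.get(self.subject, set()):
            return False
        self.active_role = role
        return True

def can_execute(session, transaction):
    """Apply the three RBAC rules in order; returns (allowed, reason)."""
    # Rule 1 (role assignment): a subject can execute a transaction only with an active role
    if session.active_role is None:
        return False, "no active role"
    # Rule 2 (role authorization): re-checked, in case the policy changed after activation
    if session.active_role not in AUTHORIZED_ROLES.get(session.subject, set()):
        return False, "active role not authorized for subject"
    # Rule 3 (transaction authorization): the transaction must be allowed for the active role
    if transaction not in ROLE_TRANSACTIONS.get(session.active_role, set()):
        return False, "transaction %s not authorized for role %s" % (transaction, session.active_role)
    return True, "allowed"
```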

BIOMETRICS
• "Biometrics refers to the study of methods for uniquely recognizing humans based upon one or more physical or behavioral characteristics."


• Physiological characteristics are related to the shape of the body, for example fingerprints, face recognition, DNA, palm print, iris recognition and retina scan.
• Behavioral characteristics are related to the behavior of a person: typing rhythm, signature and voice.
• Why human characteristics can be used for biometrics:
– Universality: every person should have these characteristics.
– Uniqueness: the biometric separates each individual from another.
– Collectability: it is easy to collect samples for measurement.
– Performance: the accuracy, speed and robustness of the technology used.
– Acceptability: the degree of approval of a technology.

• Biometrics work in the following two modes:
• Verification: A one-to-one comparison of a captured biometric with a stored template to verify that the individual is who he claims to be.
• Identification: A one-to-many comparison of the captured biometric against a biometric database in an attempt to identify an unknown individual.


Block diagram of a biometric device (figure; components shown: Sensor, Pre-processing, Feature Extractor, Template Generator, Stored Templates, Matcher, Application Device)


Fingerprints
• Fingerprints are matched against a database; matching is carried out using complex image processing algorithms, and the user is authenticated if they match.
• This is the fingerprint recognition or fingerprint authentication process.
• Fingerprints are one of many forms of biometrics used to identify an individual and verify their identity.
• Analysis of fingerprints for matching purposes requires several comparisons of features of the print pattern.
• These patterns include unique features found within the patterns.

Fingerprint Patterns (figure)


Fingerprint Sensors
• A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern.
• The captured image is called a live scan.
• It is used to create a template, and this template is then used for matching later live scans.
• Optical sensors capture the digital image using visible light.
• Ultrasonic sensors use the principle of medical ultrasonography to create a visual image of the fingerprint.

Applications of Fingerprints
• Forensic: criminal investigation, terrorist identification.
• Government: national ID card (Aadhaar card), driving license, social security.
• Commercial: computer networks, cellular phones, e-commerce, medical record management, ATM and credit cards, distance learning.


Advantages
• High accuracy.
• Most economical.
• Easy to use.
• Small storage space.
• It is standardized.
• Fingerprints are much harder to fake than identity cards.
• You can't guess a fingerprint pattern like you can guess a password.
• You can't misplace your fingerprint like you can misplace an access card.
• You can't forget your fingerprints like you can forget a password.


Disadvantages
• The fingerprint scanner does not take into account when a person physically changes.
• Using the fingerprint scanner can lead to false rejections.
• Some people have damaged fingerprints.


Hand Prints
• Hand biometrics are based on the geometric shape of the hand: the size of the palm, the length and width of the fingers, the distance between knuckles, etc.
• In hand geometry a user is identified by matching these shapes and other dimensions against a live hand scan.
• Advantages: Requires special hardware which is easily integrated with other devices.
• The amount of data required to identify a user in a system is small.
• Easy to use.
• Hand data is easy to collect.
• Environmental factors are not an issue.


• Disadvantages: A special device is required, and it is expensive.
• It is not valid for arthritic persons.
• Not ideal for growing children.
• Jewelry (rings etc.) may pose a challenge in extracting information from the hand.
• The sample size is very large, so it is not ideal for embedded systems.


Retina Scan Technique


• Retina scan technology is a biometric technique that uses the unique pattern on a person's retina to identify them.
• The human retina is a thin tissue composed of neural cells located in the posterior portion of the eye.
• The complex structure of its capillaries makes each person's retina unique.
• Even identical twins have different retinas.
• The retina remains the same from birth to death because of its unique and unchanging nature.
• A retina scan shines a low-energy infrared light into the person's eye.
• The retinal blood vessels absorb this light more than the rest of the eye.
• The pattern of variations is converted to computer code and stored in the database.


• Advantages:
• Very high accuracy.
• Extremely low false rate.
• Speedy results.
• Like a fingerprint, it remains the same throughout a human's life.
• So it is useful for children also.
• Disadvantages: Measurement accuracy can be affected by some diseases, such as diabetes and glaucoma.
• Not user friendly.
• High equipment cost. The technology is difficult to use, as some people are uncomfortable with the scanning.
• Users commonly fear that the device itself or the light can harm their eyes.


Voice Synthesis
• In this method the voice of the user is recorded and digital signal analysis is carried out on it.
• Speaker recognition is recognizing WHO is speaking.
• Speech recognition is recognizing WHAT is being spoken (the words).
• Voice recognition is a combination of both speaker and speech recognition.
• Various technologies are used for analyzing the recorded voice, such as frequency estimation and Gaussian mixture models.

• Advantages: Cheap technology.
• Highly acceptable.
• Can be automated and coupled with speech recognition systems.
• No training required for users.
• Disadvantages: High false non-matching rates.
• Even the best speech recognition systems sometimes make errors. If there is noise or some other sound in the room (e.g. the television or a kettle boiling), the number of errors will increase.
• The voice may change due to illness.

Signature and Writing Pattern
• A biometric signature recognition system measures and analyzes the physical activity of signing, such as stroke order, pressure applied and speed.
• In a signature recognition system, a person signs his/her signature on a digitizing graphics tablet or personal digital assistant.
• The system analyzes signature dynamics such as speed, relative speed, stroke order, stroke count and pressure.

• Advantages: Little time needed for verification.
• Cheap technology.
• It is easy to copy the image of a signature.
• Low false acceptance rate.
• Normally people sign different documents.
• Disadvantages: Persons whose writing is not consistent may be difficult to identify.
• Not useful for non-literate people.


Keystroke Dynamics
• Keystroke or typing dynamics is the detailed timing information that describes exactly when each key was pressed and when it was released as a person types at a computer keyboard.
Working Principle: Keystroke dynamics use the manner and rhythm in which an individual types characters on a keyboard. Keystrokes are recorded as dwell time (the time a key is held pressed) and flight time (the time between one "key down" and the next "key down", and between one "key up" and the next "key up").
• The recorded keystroke timing data is then processed through a unique algorithm which determines a pattern for comparison.

• Dwell Time: how long a key is pressed.
• Flight Time: how long it takes to move from one key to another.
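An added example, not from the slides, that ties the keystroke slides to the two biometric modes described earlier: it turns a key down/up event stream into dwell and flight times, then runs a one-to-one verification against a claimed user's template and a one-to-many identification over a template database. The event streams, templates and the distance threshold are constructed; a fixed enrollment phrase is assumed so feature vectors have equal length.

```python
import math

def features(events):
    """Dwell times (key down -> key up of that key) followed by flight times
    (key down -> next key down) from an ordered list of (key, 'down'|'up', t_ms)."""
    down_at, dwell, flight, last_down = {}, [], [], None
    for key, kind, t in events:
        if kind == "down":
            if last_down is not None:
                flight.append(t - last_down)
            last_down = t
            down_at[key] = t
        elif kind == "up" and key in down_at:
            dwell.append(t - down_at.pop(key))
    return dwell + flight              # feature vector for the typed phrase

def distance(a, b):
    """Euclidean distance between two feature vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify(sample, template, threshold):
    """Verification mode: one-to-one comparison against the claimed user's stored
    template. The threshold trades false rejection against false acceptance."""
    return distance(features(sample), template) <= threshold

def identify(sample, templates, threshold):
    """Identification mode: one-to-many search of the database; returns the best
    matching user, or None when nobody is within the threshold."""
    vec = features(sample)
    best = min(templates, key=lambda user: distance(vec, templates[user]))
    return best if distance(vec, templates[best]) <= threshold else None

def typed(keys, dwell_ms, flight_ms, start=0):
    """Build a constructed event stream: each key held dwell_ms, keys flight_ms apart."""
    events, t = [], start
    for k in keys:
        events += [(k, "down", t), (k, "up", t + dwell_ms)]
        t += flight_ms
    return events

# Constructed enrollment templates for the fixed phrase "ihtk" (from the password slide)
TEMPLATES = {
    "alice": features(typed("ihtk", 90, 180)),
    "bob": features(typed("ihtk", 140, 300)),
}
```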


Thank You !!
