Isnis Unit2

Chapter 2 discusses authentication and access control, emphasizing the importance of verifying user identity through methods such as passwords and multi-factor authentication (MFA). It outlines various techniques to enhance password security and the risks associated with password attacks, including guessing strategies and physical breaches like piggybacking and dumpster diving. Additionally, it covers biometric authentication methods and the principles of authorization and access control mechanisms to protect sensitive data.

Chapter 2

Authentication and access control

Identification and Authentication

• Electronic User Authentication:
o This process verifies the identity of a user attempting to access a system electronically
o It ensures the user is who they claim to be before granting access
o Various electronic authentication methods can be used to verify a user's identity, from a basic password to more advanced security measures that incorporate multifactor authentication (MFA)
• Username and password
• Common method of identification
• When a user logs on to a computer, he performs 2 tasks
o Identification: enter username and password
o Authentication: prove that you are who you claim to be
• After entering username and password, the computer will compare this input against the entries stored in the password file, and login is successful if the username and password are valid
• Many systems count the failed login attempts and prevent or deny the next attempt when a threshold has been reached
• The user plays an important role in password protection.
• If the password is disclosed by telling someone or writing it down in some place, authentication is compromised
• Multi-Factor Authentication (MFA)
• This method relies on 2 or more factors from 3 categories
o Something you know: password or PIN
o Something you have: OTP device, smartphone or security token
o Something you are: biometric identifiers like fingerprints or facial recognition
• Use of login ID/Password is a single factor authentication method
• An ATM is an example of Multi-Factor Authentication
• Token-Based Authentication
• Traditional method: single layer of security, username and password to grant access
• With increasing demands on security, 2FA emerged with token-based authentication
• This reduces dependence on password-only systems by adding an additional layer of security, enhancing overall protection
• Token-based authentication is a protocol that generates encrypted security tokens to verify a user's identity
• Upon successful authentication, the system generates a unique encrypted token, granting the user access to the system or a specific resource
• This token allows the user to access these resources for a limited time without needing to re-enter their username and password
• Authentication works through the following process:
o Request
o Verification
o Token Submission
o Storage
o Expiration
• Biometrics
• This authentication process is based on unique physical or behavioural characteristics
o Physical: fingerprints, facial recognition, retina scans
o Behavioural: voice recognition, typing patterns

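The token-based process above (Request, Verification, Token Submission, Storage, Expiration) worked through end to end, as an added Python example that is not part of the original notes. The user store, the HMAC signing key, the 300-second lifetime and the explicit `now` clock are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed "password file": salted hashes, never clear-text passwords.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

SIGNING_KEY = secrets.token_bytes(32)   # server-side token key (hypothetical)
TOKEN_LIFETIME = 300                    # seconds a token stays valid (assumed)
TAG_LEN = 32                            # bytes in an HMAC-SHA256 tag

def verify_credentials(username, password):
    """Request + Verification: compare the login against the stored entry."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)   # constant-time comparison

def issue_token(username, now):
    """Mint a signed token carrying the subject and an expiry timestamp."""
    payload = json.dumps({"sub": username, "exp": int(now) + TOKEN_LIFETIME}).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def check_token(token, now):
    """Token Submission: the client presents the token instead of a password.
    Returns the username when signature and expiry check out, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                  # binascii.Error is a ValueError
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                     # forged or tampered token
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None                     # Expiration: the token has lapsed
    return claims["sub"]

def login(username, password, now):
    """Whole flow: verify, then issue; the client stores the returned token."""
    if not verify_credentials(username, password):
        return None
    return issue_token(username, now)
```

The server never stores the token itself here; it only needs the signing key to validate whatever the client presents, and a lapsed token forces a fresh login.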
Guessing password
• Attackers can guess valid passwords easily, so password selection is a critical issue
• Attackers follow two guessing strategies:
o Exhaustive search
- The attacker tries all possible combinations of valid symbols up to a certain length.
- E.g. Brute Force Attack
o Intelligent search
- The attacker searches for the password with the help of the user's personal information like name, birth date, family members' names, phone number, etc.
- Many times, the attacker tries popular passwords
- E.g. Dictionary attack (trying all passwords from a dictionary)
• Protection techniques for users:
1. Default password:
a. Many times, default accounts like Admin have a default password
b. If such a password is not changed by the admin, it helps the attacker to enter the system easily
2. Length of password
a. To avoid exhaustive search, set a particular length of password
b. E.g. in UNIX systems the password length is 8 characters
3. Format of password: the password should have at least a combination of the following:
a. One or more upper case letters (A-Z)
b. One or more lower case letters (a-z)
c. One or more numerals (0-9)
d. One or more special characters or punctuation marks (!@#$%&*,.:;?)
4. Avoid obvious (easily seen or understood; clear) passwords:
a. The attacker may have a list of popular passwords
b. They can use a dictionary to catch obvious passwords
c. Hence avoid such kinds of passwords
• Techniques to improve password security:
1. Password checkers
   1. The system periodically runs its own password cracker program to find guessable or weak passwords
   2. If such passwords are found, the system cancels them
   3. The system can notify or prevent users from using such passwords
   4. This will prevent dictionary attacks
   5. Drawback: a strong-minded opponent can steal the password file and spend full CPU time, hours and days, to find passwords
2. Password generation
   1. Many OS can produce computer-generated passwords
   2. These passwords are random in nature
   3. Can be pronounceable
   4. Users are not allowed to select their own passwords
   5. Drawback: difficulty in remembering system-generated passwords
3. Password aging
   1. A password can be set with an expiry date
   2. The system forces users to change their password at regular intervals
   3. An additional mechanism is provided to prevent users from using previous passwords
   4. By listing the previous 10 passwords used by users
4. Limit login attempts
   1. A monitoring mechanism is used to check unsuccessful login attempts
   2. If found, lock the user completely or at least for a certain period of time
   3. This will prevent and discourage further attempts
• Many times, users avoid remembering complicated passwords and write them on a piece of paper kept near the computer
• This will help a potential intruder
• The security manager should search for such password notes posted on computer terminals and notify the users
• Because of frequently changing passwords, users are tempted to choose passwords which are easy to remember
• If a password is forgotten then the user should follow all password precautions while selecting a new password
• Changing passwords is good advice, but don't change passwords before weekends or holidays

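An added Python example (not from the original notes) that enforces the protection techniques above: the 8-character minimum, the four character classes, the dictionary check against popular passwords, a history of 10 previous passwords for aging, and a lockout after repeated failed logins. The weak-word list and the lockout threshold of 3 are constructed assumptions.

```python
import hashlib
from collections import deque

MIN_LENGTH = 8          # the notes cite the 8-character UNIX password length
HISTORY_SIZE = 10       # previous passwords remembered, as in "password aging"
LOCKOUT_THRESHOLD = 3   # failed attempts before the account locks (assumed value)
SPECIALS = set("!@#$%&*,.:;?")   # the punctuation class from "Format of password"
WEAK_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}  # constructed list

def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()   # history keeps hashes only

def check_password(candidate, personal_info=(), history=()):
    """Return the policy rules the candidate violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
               "special": SPECIALS.__contains__}
    missing = [n for n, f in classes.items() if not any(f(c) for c in candidate)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = candidate.lower()
    # Intelligent-search defences: dictionary words and the user's own details.
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("contains dictionary/popular word")
    if any(info and info.lower() in lowered for info in personal_info):
        problems.append("contains personal information")
    if _digest(candidate) in history:
        problems.append("reused from password history")
    return problems

class Account:
    """Counts failed logins (limit login attempts) and keeps a hash history (aging)."""
    def __init__(self, password):
        self.history = deque([_digest(password)], maxlen=HISTORY_SIZE)
        self.failures = 0
        self.locked = False

    def login(self, attempt):
        if not self.locked and _digest(attempt) == self.history[-1]:
            self.failures = 0       # the newest history entry is the current password
            return True
        self.failures += 1          # every other attempt counts as a failure
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True      # stays locked until an administrator resets it
        return False

    def change_password(self, new_password, personal_info=()):
        problems = check_password(new_password, personal_info, self.history)
        if not problems:
            self.history.append(_digest(new_password))
        return problems
```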
Password attacks

1. Piggybacking
• Following closely behind a person who has just used their access card or PIN to gain physical access to a room or building
• In this manner an attacker can gain access to the facility without knowing the access code or without an access card

2. Shoulder Surfing
• Attackers position themselves in such a way that they are able to observe the authorised user entering the correct access code
• This attack uses observation techniques
• Both attacks are easily possible by simple techniques of following and observing someone closely
3. Dumpster diving
• A type of passive attack where a hacker or attacker searches through trash for sensitive information
• Not only trash, but access codes or passwords written on sticky notes
• Innocent information like a phone list, calendar or organizational order can be used to assist an attacker to gain access to the network
• To prevent this attack, the company should establish a disposal policy:
o where all papers, including printouts, are shredded in a crosscut shredder before being recycled
o all storage media is erased
o all staff are educated about the danger of untracked trash
• Definition: Attackers need a certain amount of information before an attack. If the attacker is in the surrounding area of the target, one common place to find information is to go through the target's trash. This process of going through the target's trash is known as Dumpster Diving
• If attackers are lucky and the target's security is poor, they may find user IDs and passwords
• When a password is changed, users discard the paper where the password was written without shredding it, and the dumpster diver luckily gets the clue
• Even though the attacker doesn't get the password directly, they can find the name of the employee and guess the ID of the user
Biometrics

• Access controls such as fingerprints can identify authorised users
• The "something you are" method is known as biometrics
• Individuals cannot be recognized with external measurements
• One method can be applied by using handwriting analysis, retina scans, iris scans, voiceprints, hand geometry and facial geometry, etc.
• Biometrics can be used to control access to computer systems and networks and also to serve as a physical access control device
• Biometrics takes advantage of the uniqueness of human characteristics
• This method is more reliable and repeatable
• Biometrics is a combination of human physiology, pure mathematics and engineering
• Hand geometry requires a large device, which can be easily placed outside the door for access control of a specific room, but this will not be convenient to control access to a computer system, because the reader needs to be placed in front of each computer or with a group of systems

Types of Biometrics

1. Fingerprint
• A fingerprint is the pattern of ridges and furrows on the surface of the fingertip, and it is unique across the entire human population
• Fingerprint involves a finger-size identification sensor with a very low-cost biometric chip
• Automated fingerprint recognition and matching systems extract a number of features from the fingerprint for storage as a numerical substitute for the full fingerprint pattern
• This system is specifically attached to specific computer or network assets
• Limitations:
o A person's physical changes cannot be considered
o Cost of computer hardware and software can be expensive
o Fingerprint scanners can sometimes lead to false rejection or false acceptance
o Fingerprints can vary with dryness of skin or age
2. Hand Prints
• Hand prints are most appropriate for a fixed physical location requiring very high assurance of identity
• It combines hand biometrics with 5 different fingerprint biometrics
• Identifies features of hands like – shape, length, width of fingers
• Handprints are used for traditional applications like data rooms, sensitive office zones/buildings, national security/intelligence facilities and vaults
3. Retina
• Retina scan involves examination of the unique patterns on the back of a person's eye
• The retina pattern is formed by veins beneath the retinal surface
• It is unique and suitable for identification
• A retina biometric system obtains a digital image of the retinal pattern by projecting a low-intensity beam of visual or infrared light into the eye
4. Voice/Speech pattern
• This type of verification is done without any specialized recording device
• Voiceprint recognition is completely a part of algorithms and analysis software
• This mechanism is able to use phone-based applications, e.g. voice response systems and time and card entry
• Use of voice verification will increase the possibility to protect remote data reporting applications, which will be more helpful in the criminal justice and healthcare industries

5. Signature and Writing Patterns
• Every individual has a unique handwriting
• Reflected in the signature, a frequently written sequence
• A single user can have multiple, non-identical signatures
• This makes the computer representation of a signature complicated
• Biometric verification of signature/handwriting is different from simple signature capture pads
• Simple signature capture pad:
o Records an image of what the person wrote
• Biometric-enabled capture pad:
o Records the pressure
o Distance of strokes
o Speed of writing
• This data verifies the originally enrolled person
• Uses: financial and legal communities

6. Keystrokes
• Art and science of recognizing typing patterns
• This biometric type has been arising over the past 2 decades
• Cheaper to implement
• Hardware required: only a keyboard
• Data collection
o Through software
o Virtually possible
• For each keystroke, press time and release time are considered
• Physical presence of the user is not required

Authorization

• "Process of granting or restricting access to a specific resource"
• To the trusted user
• After verification of identity, permissions are evaluated

Goals of Authorization

• Protect Data: preventing unauthorised access to sensitive data
• Implementing Security Policies: authorization helps in implementing security policies
• Restricting Access: access the minimal amount of data as per requirement
• Reducing Risk: of misuse of data by limiting access according to roles

Access control

Definitions

Access: ability of a subject to interact with an object

Authentication: verifying the identity of the subject

Access control: ability to specify, to control and to limit the access to the host system or application in terms of accessibility, integrity and confidentiality

Authentication: verification that the credentials of users or other systems are valid

Authentication mechanism

• Used to prove the identity of the user
• To make sure only valid users are admitted
• 3 methods used in authentication
1. Something-you-know: user ID and Password
2. Something-you-have: lock and key or OTP
3. Something-about-you: fingerprints, DNA etc.

Principle, access rights and permissions

• The purpose of access control is to limit the actions or operations that an authorised user can perform

1. Principle of least privilege: if not officially assigned, a user should not be able to access that resource; no default access to all

2. Separation of duties: if duties are specially assigned, then one should be able to access that resource only

3. Need to know: access to that resource should be given according to the specific requirements to perform their duties

Policies: are high level guidelines which determine how accesses are controlled and access decisions determined

Mechanism: are low level software and hardware functions which can be configured to implement the policy.

1. Access Control Matrix (ACM) – provides the simplest framework for showing the process.

• Activity in the system is initiated by entities known as subjects accessing objects
• Subjects – users or programs
• Objects – computer, database, file, programs
• Subjects initiate actions on the object
• These actions are permitted or denied based on authorization
• E.g. files – read, write, execute, own
• Row denotes – subject
• Column denotes – objects.
• The access control matrix separates the problem of authentication from authorization
• E.g.

• In a large system the matrix will be huge, i.e. big company, big matrix.

2. Access Control List (ACL) – it contains the subjects that have access rights to a particular object.

• It is a list that contains subjects having access rights to a particular object
• Accesses provided – read, write, execute, same as ACM
• The list will identify not only the subject but also the specific access to the object
• Easy to revoke existing accesses by replacing with an empty ACL
• It is important to examine ACLs while reviewing a system
• ACL – small in size – stored in few bits
• Used in computer systems or network systems

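The access control matrix and its per-object ACL view, including revocation by an empty ACL and an owner-controlled grant, as an added Python example that is not part of the original notes; the subjects, objects and rights in the matrix are constructed sample data.

```python
RIGHTS = {"read", "write", "execute", "own"}   # the rights the notes list for files

# Constructed access control matrix: rows are subjects, columns are objects,
# and each cell holds the set of rights that subject has on that object.
ACM = {
    "alice": {"payroll.db": {"read", "write", "own"}, "report.txt": {"read"}},
    "bob":   {"payroll.db": {"read"}, "backup.sh": {"read", "execute"}},
    "carol": {"backup.sh": {"read", "write", "execute", "own"}},
}

def access_allowed(acm, subject, obj, right):
    """Authorization decision for one action: an empty or missing cell means deny."""
    return right in acm.get(subject, {}).get(obj, set())

def acl_for(acm, obj):
    """Column view: the Access Control List of one object (subject -> rights)."""
    return {s: set(cells[obj]) for s, cells in acm.items() if cells.get(obj)}

def revoke_all(acm, obj):
    """Revocation as the notes describe it: replace the object's ACL with an empty one."""
    for cells in acm.values():
        cells.pop(obj, None)

def grant(acm, granter, subject, obj, right):
    """Owner-controlled grant: only a subject holding 'own' on the object may add rights."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    if not access_allowed(acm, granter, obj, "own"):
        return False
    acm.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True

def review_acls(acm):
    """Audit helper: every (object, subject, rights) triple so ACLs can be examined."""
    objects = sorted({o for cells in acm.values() for o in cells})
    return [(obj, subject, ",".join(sorted(rights)))
            for obj in objects
            for subject, rights in sorted(acl_for(acm, obj).items())]
```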
Audit: An independent review and examination of system records and activities in order
• to test the adequacy of system controls
• to ensure compliance with established policies & operational procedures
• to detect breaches in security
• to recommend any indicated changes in control, policy and procedures.


Policies – DAC, MAC, RBAC

1. DAC – Discretionary Access Control

• "a means of restricting access to objects based on the identity of subjects or groups to which they belong"
• Controls access based on the identity of the requestor and on access rules
• Object or group is checked against the specified authorization
• In the discretionary approach, the owner can decide which other subjects may have access to the object and which specific access they may have
• E.g. permission bits used in UNIX
Permissions – read/write/execute
The owner of the file can specify these permissions
• Access Control List (ACL) – another mechanism used to implement DAC
• DAC – suitable for a variety of systems and applications
• Commercial and industrial environments
• Drawback – it does not provide real assurance on the flow of information in a system
  - easy to bypass
  - an authorised user can pass data to an unauthorised user

2. MAC – Mandatory Access Control

• Decides access on the basis of the classification of subjects and objects
• Each user is assigned a security level
• Used in environments where different levels of security are required
• Definition: "a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of the subject to access information of such sensitivity"
• It is the job of the OS, not the owner/subject, to decide on granting access
• Individual subjects cannot make changes to the access
• E.g. military – security classification: secret, top secret
• Individuals with top secret clearance can view top secret files
• MAC is applied to the protection of information integrity

3. RBAC – Role Based Access Control

• Access is based upon the activities users execute in the system
• "a means of restricting access to objects based on the Role of the subject"
• Users are assigned – a set of roles
• Roles are assigned – access permissions
• Permissions are granted based on the specific duties which they must perform

4. ABAC – Attribute Based Access Control

• New control policy
• Based on attributes associated with identity
• Attributes – user details, resource information, environmental factors (location or time), user credentials
• "an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subjects, assigned attributes of the objects, environmental conditions, and a set of policies that are specified in terms of those attributes or conditions"
• ABAC – implemented using standards like eXtensible Access Control Markup Language (XACML)
• Uses attributes and policies to decide access rights
• E.g.

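How the MAC, RBAC and ABAC policies above each reach a decision, as an added Python example that is not part of the original notes; the classification levels, roles, users and attribute rules are constructed assumptions.

```python
from dataclasses import dataclass

# MAC: labels are assigned by the system; the owner has no say in the decision.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_read_allowed(clearance, classification):
    """A subject may read an object only if its clearance dominates the object's label."""
    return LEVELS[clearance] >= LEVELS[classification]

# RBAC: users -> roles -> permissions (constructed roles for a payroll system).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "auditor":       {"payroll:read", "audit_log:read"},
}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"auditor"}}

def rbac_allowed(user, permission):
    """Grant if any role assigned to the user carries the requested permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# ABAC: rules over subject, object and environment attributes (constructed policy).
@dataclass
class Request:
    subject: dict   # e.g. {"department": "finance"}
    obj: dict       # e.g. {"department": "finance"}
    env: dict       # e.g. {"hour": 10, "location": "office"}

def rule_same_department(req):
    return req.subject.get("department") == req.obj.get("department")

def rule_office_hours(req):
    return 9 <= req.env.get("hour", -1) < 18

def rule_on_site(req):
    return req.env.get("location") == "office"

ABAC_POLICY = [rule_same_department, rule_office_hours, rule_on_site]

def abac_allowed(req, policy=ABAC_POLICY):
    """Deny by default: every rule in the policy must be satisfied."""
    return all(rule(req) for rule in policy)
```

Note how the same access question is answered from three different inputs: a label comparison the subject cannot alter, a role membership, and a conjunction of attribute rules where a missing attribute denies.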