
Chapter 2

Unit II covers Authentication and Access Control, focusing on identification methods like usernames and passwords, biometric systems, and various access control mechanisms. It discusses password security, common attacks such as piggybacking and shoulder surfing, and the importance of user responsibility in maintaining security. The course outcome emphasizes the application of user identification and authentication methods.

Uploaded by

shantanuv.03

UNIT II

Authentication and Access Control

Contents:
2.1 Identification and Authentication: User name and Password, Guessing password, Password
attacks - Piggybacking, Shoulder surfing, Dumpster diving
2.2 Biometrics: Finger Prints, Hand prints, Retina patterns, Voice patterns, Signature and Writing
patterns, Keystrokes
2.3 Access controls: Definition, Authentication Mechanism, Principle - Authentication,
Authorization, Audit, Policies: DAC, MAC, RBAC.

Course Outcome:
Apply user identification and authentication methods.


2.1 Identification and Authentication

User Name and Password

When a user logs on to a computer, he performs two tasks:

o Identification: Enter username and password.
o Authentication: Prove that you are who you claim to be.

After the username and password are entered, the computer compares this input against the entries stored in the
password file.

Login succeeds if the username and password are valid; otherwise the login fails.

Many systems count failed login attempts and deny further attempts once a threshold has been reached.
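
The login procedure described above, as an added example (not part of the original notes): the input is compared against the stored entry, failed attempts are counted, and further attempts are denied once a threshold is reached. The threshold of 3, the 300-second lock, the salted PBKDF2 storage and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3      # assumed threshold; the text does not fix a number
LOCK_SECONDS = 300    # assumed lock period once the threshold is reached


def hash_password(password, salt):
    # Assumption: the password file holds salted PBKDF2 hashes, not passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self):
        self.password_file = {}   # username -> (salt, hash)
        self.failures = {}        # username -> consecutive failed attempts
        self.locked_until = {}    # username -> time at which the lock ends

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.password_file[username] = (salt, hash_password(password, salt))

    def login(self, username, password, now):
        """Return 'ok', 'fail' or 'locked'; `now` is a clock value in seconds."""
        if now < self.locked_until.get(username, 0):
            return "locked"       # denied without even checking the password
        known = username in self.password_file
        # Unknown names are hashed against a dummy entry so that they cost
        # the same work and follow the same counting path as known names.
        salt, stored = self.password_file.get(username, (b"\0" * 16, b""))
        matches = hmac.compare_digest(hash_password(password, salt), stored)
        if known and matches:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCK_SECONDS
            self.failures[username] = 0
        return "fail"


def demo():
    """Replay a constructed sequence of attempts as (time, password) pairs."""
    service = LoginService()
    service.add_user("alice", "T7#mber.Wolf")
    attempts = [(0, "admin"), (5, "alice123"), (9, "password"),
                (12, "T7#mber.Wolf"), (400, "T7#mber.Wolf")]
    return [service.login("alice", pw, t) for t, pw in attempts]


if __name__ == "__main__":
    print(demo())
```

The lock is temporary rather than permanent because a per-account counter lets anyone who knows a user name lock that account by guessing wrongly on purpose.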

Nowadays, many computer systems use identification and authentication through username and password as the first
step of protection.
This mechanism is widely accepted because it is not very difficult to implement.

But managing password security can be quite expensive, and obtaining a valid password is a common way of gaining
unauthorized access to a computer system.
A password must be set for each user account, or else an attacker can:

o Intercept the password when a new user account is created.
o Attempt to guess the password.
o Get the password from the user through attacks like spoofing or phishing.
o Get the password from the system by a social engineering attack or by accessing the password file.

The user plays an important role in password protection. Authentication can be compromised when users disclose their
passwords, either by telling someone or by writing them down in a place where people can find them.

Guessing Password

Password selection is a critical issue because of attacks that guess a valid password.

Generally, attackers follow two basic password guessing strategies:

o Exhaustive Search: The attacker tries all possible combinations of valid symbols up to a certain length.
  For example, a brute force attack.
o Intelligent Search: The attacker searches for a password with the help of the user's personal information like name,
  birth date, family members' names, phone number etc. Many times the attacker tries popular passwords.
  For example, a dictionary attack (trying all passwords from a dictionary).

Some protection techniques which can be used by users:

o Default password: Many times default accounts like admin have default passwords like admin. If such
  passwords are not changed by the system admin, the attacker can enter the system easily.
o Length of Password: To avoid exhaustive search, set the length of the password; for example, in the UNIX system the
  password length is 8 characters.
o Format of Password: The password should have a combination of at least the following elements:
  1. One or more uppercase letters (A-Z)
  2. One or more lowercase letters (a-z)
  3. One or more numerals (0-9)
  4. One or more special characters or punctuation marks (! @ # $ % ^ & * , . : ; ?)
o Avoid obvious passwords: Many attackers have lists of popular passwords and can use dictionary attacks to
  catch obvious passwords, hence it is best practice to avoid such passwords.
Techniques to improve password security

o Password Checkers: In this scheme the system periodically runs its own password cracker program to find
  guessable or weak passwords. If the system finds any such password, it cancels it. The system can also
  notify the user and prevent the user from selecting such passwords. This scheme will prevent dictionary attacks against
  the system. This method has a number of drawbacks. It is resource intensive if the job is done right, because a
  strong-minded opponent who is able to steal a password file can dedicate full CPU time to the task for hours or
  even days.

o Password Generation: Many operating systems can produce computer-generated passwords. The passwords are
  reasonably random in nature and can be pronounceable. In this scheme, users are not allowed to select their own
  passwords. The drawback of this scheme is that even though the password is pronounceable, the user may have difficulty
  in remembering it.

o Password Aging: In many systems, a password can be set with an expiry date. Such systems force their
  users to change passwords at regular intervals. Some additional mechanisms can be provided to prevent users
  from selecting a previous password. For example, a list of the previous 10 passwords used by the user.
o Limit login attempts: In many systems, monitoring mechanisms can be used to check for unsuccessful login attempts.
  If any are found, the user account is locked completely or at least for a certain time period. This will prevent and
  discourage further attempts.
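
The protection techniques and the password-aging rule above, combined into one acceptance check, as an added example (not part of the original notes). It applies the length and format rules, rejects default and popular passwords even when decorated, rejects passwords built from the user's personal information, and refuses any of the previous 10 passwords. The short popular-password list, the salted-hash history and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8                      # the length the text gives for UNIX
SPECIALS = set("!@#$%^&*,.:;?")     # the special characters listed above
HISTORY_SIZE = 10                   # "previous 10 passwords"
# Constructed sample; a real checker would load a large popular-password list.
POPULAR = {"password", "admin", "123456", "qwerty", "letmein", "welcome"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Salted hashes of a user's most recent passwords (newest last)."""

    def __init__(self):
        self.entries = []

    def contains(self, password):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_SIZE]    # keep only the last 10


def check_password(password, username, personal_info=(), history=None):
    """Return the list of reasons to reject `password` (empty list = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no numeral")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # "Admin123!" is still the default password "admin" to a dictionary attack.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in POPULAR or core in POPULAR:
        problems.append("popular or default password")
    if any(item and item.lower() in lowered
           for item in (username, *personal_info)):
        problems.append("contains user name or personal information")
    if history is not None and history.contains(password):
        problems.append("reused one of the last 10 passwords")
    return problems
```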
Many times users are not in favour of remembering long and complicated passwords. Hence, they write them down on a piece
of paper kept near the computer, where it is useful to both legitimate users and potential intruders.

So, this adds a task for the security manager: to search for such password notes posted on computer terminals and
notify the user.

When passwords are changed frequently, users who find it difficult to change passwords are tempted to choose
passwords which are easy to remember.
If a password is forgotten by the user and a new password is requested, the user should follow all password precautions. When
changing any password, it is good advice to type it several times, and not to change a password before weekends
or holidays.

Password Attacks

What is Piggybacking & Shoulder Surfing?


Piggybacking is the simple approach of following closely behind a person who has just used their own access card or
PIN to gain physical access to a room or building.

In this way an attacker can gain access to the facility without knowing the access code or acquiring an access card.
E.g. accessing a wireless Internet connection by bringing one's own computer within range of another's wireless
connection and using it without the subscriber's explicit permission.

Shoulder Surfing
Shoulder surfing is a similar procedure, where an attacker positions himself in such a way that he is able to
observe the authorized user entering the correct access code.
This attack uses direct observation techniques, like looking over someone's shoulder when he is entering a PIN or password.
Both of these attacks can be easily countered by using simple procedures to ensure nobody follows you too closely or
is in a position to observe your actions.

What is Dumpster Diving? How can it be prevented?


Dumpster diving is the process of going through a target's trash in order to find little bits of information. In the world
of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out
an attack on a computer network.

Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords
written down on sticky notes. Innocent information like a phone list, calendar, or organizational chart can be used to
assist an attacker to gain access to the network.
To prevent dumpster divers from learning anything valuable from the trash, experts recommend that the company
establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being
recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

Attackers always need a certain amount of information before an attack. If the attacker is in the surrounding area of the
target, one common way to find this information is to go through the target's trash in order to find little bits of
information that could be useful. This process of going through a target's trash is known as dumpster diving.

If the attackers are very lucky, and the target's security procedures are very poor, they may actually find user IDs and
passwords. We have seen earlier that users sometimes write their passwords down. When the password is
changed, they discard the paper on which the old password was written without shredding it, and in this way the lucky
dumpster diver can get a valuable clue.

Even if the attacker is not lucky enough to obtain a password directly, they can find the names of employees, and
from those it is not hard to determine user IDs.

Hardware or software manuals purchased by the user may also provide clues as to what vulnerabilities exist on
the target's computer systems and networks. In these many ways the attacker may gather a variety of information,
which can be useful in a social engineering attack.

2.2 Biometrics

Biometrics is the idea to map measurements of human physical characteristics to human uniqueness. If this can be
accomplished in a reliable, repeatable fashion, the verification and identification of human individuals by machine
becomes a reality.

[Figure: Biometric system. Blocks shown: Sensor, Pre-processing, Feature extractor, Template generator, Stored templates, Matcher, Application device; the paths are labelled Enrollment and Test.]

Finger Print

A fingerprint is the pattern of ridges and furrows on the surface of the fingertip, and it is unique across the entire human
population.

Fingerprint recognition involves a finger-size identification sensor with a very low cost biometric chip.
An automated fingerprint recognition and matching system extracts a number of features from the fingerprint for storage
as a numerical substitute for the full fingerprint pattern.

This is the best option for most uses of biometric verification, and it is specially attached to specific computer and
network assets.

Hand Print

Handprint is usually most appropriate for fixed physical locations requiring very high assurance of identity, since it
combines the hand biometric with essentially five different fingerprint biometrics.

These systems identify features of the hand, including shape, and lengths and widths of fingers.

Handprints are used primarily for the traditional applications like data rooms, sensitive office zones/buildings, national
security/intelligence facilities, and vaults etc.

Retina

Retina scan involves the examination of the unique patterns on the back of a person's eye.

The retina pattern is formed by veins beneath the retinal surface. It is unique and hence suitable for identification.
A retinal biometric system obtains a digital image of the retinal pattern by projecting a low-intensity beam of visual or
infrared light into the eye.

Voice/Speech Patterns

This type of verification using speech/voice is uniquely interesting because no specialized recording device is required.

Voiceprint verification is entirely a matter of the algorithms and analysis software. This mechanism can be used
for phone-based applications such as voice response systems and time card entry.

The use of voice verification will increase the possibility of protecting remote data reporting applications, and hence it will
be more convenient in the criminal justice and healthcare industries.
Many databases could be made much more reliable if each criminal had to call in periodically to provide updated
contact information. The entry could be authenticated via his or her unique voice pattern and recorded. Any offenders
who missed their deadline to call in would be flagged for further investigation.

Signature and Writing Patterns

Every individual has a unique style of handwriting.

This is reflected especially in the signature, which is typically a frequently written sequence.

However, multiple signature samples from a single individual will not be identical. This complicates the task of
developing a computer representation of the signature that can be matched to future samples.

Biometric verification via handwriting or signature must be distinguished from simple signature capture pads.
Whereas a signature capture pad simply records an image of what the person wrote, biometric-enabled capture pads
actually record the pressure, distance of strokes, and speed of writing.

These data points make it possible to verify biometrically whether the person writing the signature is indeed the same person
who supplied the original enrollment sample.

Biometric signature verification is particularly interesting to the financial and legal communities because it is
substantially less obtrusive and requires less behavior modification. It still feels like a signature, just digitally captured.

Keystrokes

Keystroke biometrics refers to the art and science of recognizing an individual based on an analysis of his typing
patterns.
Biometrics based on typing patterns are distinctive in that they are cheaper to implement, more distributed, and more
unobtrusive than conventional biometric procedures.

Collecting data regarding a person's typing patterns simply requires a keyboard and some basic software to collect
data.

Data collection software is easily replicable whereas hardware is not. Because the primary hardware requirement for
keystroke biometrics is a keyboard, keystroke biometrics can be collected from virtually anywhere throughout the
world via an Internet connection without requiring an individual to be at certain locations with access to specialized
hardware.
Moreover, because each keystroke is captured entirely by the key pressed, the press time, and the release time, the
data can also be transmitted using low bandwidth.
The growth of Internet connectivity thus makes distributed mechanisms for authentication increasingly feasible and
attractive.
A final advantage of keystroke biometrics is that it is a relatively unremarkable measure. Fingerprint, retina, and face
scans all inconvenience the user by requiring him to place a particular body feature either within or in front of some
machinery. By contrast, typing on a keyboard is already a daily activity for many people; thus, keystroke biometrics can
be easily integrated into a person's daily routine.
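
How the three captured values (key pressed, press time, release time) can become a typing-pattern check, as an added example that is not part of the original notes. It derives dwell and flight times, enrolls a template from repeated typings, and scores a new attempt by its scaled distance from that template. The distance measure, the threshold of 2.0, the sample timings and all names are assumptions made for the illustration.

```python
from statistics import mean, pstdev

THRESHOLD = 2.0     # assumed acceptance threshold for the score below


def features(sample):
    """sample: list of (key, press_ms, release_ms) in typing order.

    Returns the dwell time of every key (release - press) followed by the
    flight time between neighbours (next press - this release).
    """
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def keys_of(sample):
    return [key for key, _, _ in sample]


def enroll(samples):
    """Build a template (per-feature mean and spread) from repeated typings."""
    if len(samples) < 2 or any(keys_of(s) != keys_of(samples[0]) for s in samples):
        raise ValueError("need at least two samples of the same key sequence")
    columns = list(zip(*(features(s) for s in samples)))
    return {
        "keys": keys_of(samples[0]),
        "mean": [mean(col) for col in columns],
        # Floor the spread at 1 ms so a perfectly steady feature cannot
        # divide by zero or dominate the score.
        "spread": [max(pstdev(col), 1.0) for col in columns],
    }


def score(template, sample):
    """Average scaled distance from the template; None if the keys differ."""
    if keys_of(sample) != template["keys"]:
        return None
    values = features(sample)
    return sum(abs(v - m) / s for v, m, s in
               zip(values, template["mean"], template["spread"])) / len(values)


def verify(template, sample):
    result = score(template, sample)
    return result is not None and result <= THRESHOLD


def typed(keys, dwells, flights):
    """Construct a sample from chosen dwell and flight times (test data)."""
    sample, clock = [], 0
    for i, key in enumerate(keys):
        sample.append((key, clock, clock + dwells[i]))
        clock += dwells[i] + (flights[i] if i < len(flights) else 0)
    return sample


# Constructed enrollment data: the same user typing "pass" three times.
ENROLLMENT = [
    typed("pass", [90, 80, 100, 95], [120, 60, 70]),
    typed("pass", [95, 85, 105, 90], [130, 65, 75]),
    typed("pass", [85, 75, 95, 100], [110, 55, 65]),
]
```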

2.3 Access Control

The use of physical access controls is the same as that of computer and network access controls: to restrict access
by unauthorized users. Physical access controls can be based on the following points:
(i) Something the individual has,
(ii) Something they know, or
(iii) Something they are.

The most common physical access control device is a lock. Combination locks depend on something the individual
knows, i.e. the combination, and locks with keys depend on something the individual has, i.e. the key. Each of these has
some advantages and disadvantages.
In addition to locks, there are some other common physical security devices like video cameras and sign-in logs.

Sign-in logs provide a record of access, and when these are used in combination with a security guard who checks an
individual's identity, they can put off potential adversaries from attempting to gain access to a facility.

The most common access control mechanism is a human security guard.

Many organizations employ a guard to provide an extra level of checking of individuals who want access. A human
guard can apply common sense to situations that might have been unexpected, but other devices are limited to their
designed function. Having security guards also addresses the common practice of piggybacking.
Suppose one employee enters the combination and then opens the door; another individual may follow the employee
before the door closes to avoid re-entering the combination. A security guard checking each individual's identification
will eliminate this type of problem.

Definition

Access is the ability of a subject to interact with an object. Authentication deals with verifying the identity of a
subject.

Access Control is the ability to specify, to control and to limit the access to the host systems or applications in terms of
availability, integrity and confidentiality.

This is used to prevent unauthorized users from accessing or modifying the data or resources.

After authentication, an individual can actually access a system or application.

After the verification of individual identity, access controls regulate what the individual can actually do on the system.

Authentication Mechanism

An authentication mechanism is used to prove the identity of the user.

User authentication is performed during the log-on process, when the user submits a username and password.

The job of authentication mechanisms is to make sure that only valid users are admitted.

Generally there are three methods used in authentication.

(a) Something-you-know: The most common authentication mechanism is to provide a user ID and password.
The password should not be shared with anybody else; only you should know your password.
(b) Something-you-have: This method involves the use of something that only valid users should have, like a lock and
key. Only those individuals with the correct key are able to open the lock.
(c) Something-about-you: This method involves something that is unique about you, like a fingerprint, DNA samples
etc.

Authentication and Authorization

Access means that a subject/principal is accessing an object with some access operation.

A reference monitor is used to grant or deny the access permissions.

[Figure: Fundamental model of access control. Elements shown: Subject, Operation, Reference Monitor, Object.]

Access control mainly consists of two steps:

o Authentication: Verification that the credentials of a user or other system entity are valid.
o Authorization: The granting of a right or permission to a system entity to access a system resource. This
  function determines who is trusted for a given purpose.

Principle

The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can
perform.

Access control limits what a user can do directly, as well as what programs executing on behalf of the user are allowed
to do.
o Principle of Least Privilege: It states that if nothing has been specifically assigned for an individual or the
  groups, then the user should not be able to access that resource, i.e. default no access.
o Separation of Duties: It states that if something has been specifically assigned for an individual or the groups,
  then the user should be able to access that resource only.
o Need to know: It states that individuals should be given access to the specific information that they
  absolutely require in order to perform their job duties.
Generally, access control systems distinguish between policies and mechanisms.

Policies are high level guidelines which determine how accesses are controlled and access decisions determined.

Mechanisms are low level software and hardware functions which can be configured to implement a policy.
It may be the case that policies which are suitable for a given system are not suitable for another system. For
example, very strict access control policies, which are important and crucial for some systems, may be
inappropriate for systems where users require greater flexibility.
Hence, the choice of access control policy should depend on the particular characteristics of the environment which
needs to be protected.
The access controls can be implemented in computer systems and networks in several ways.

1. Access Control Matrix (ACM)

Activity in the system is initiated by entities known as subjects to access an object.

Subjects are typically users or programs executing on behalf of users. An object is a passive entity that contains
information, like a Computer, Database, File, Program etc.
A user may sign on to the system as different subjects on different occasions, depending on the privileges the
user wishes to exercise in a given session.
The subject-object difference is basic to access control. Subjects initiate actions or operations on objects. These
actions are permitted or denied according to the authorizations established in the system.

Authorization is given in terms of access rights or access modes. The meaning of access rights depends upon the
object in question. For example, for files the typical access rights are Read, Write, Execute and Own.

An Access Control Matrix (ACM) provides the simplest framework for showing the process. It is a conceptual model
which specifies the rights that each subject possesses for each object.

There is a row in this matrix for each subject, and a column for each object. Each cell of the matrix specifies the
access authorized for the subject in the row to the object in the column.

The task of access control is to ensure that only those operations authorized by the access control matrix
actually get executed. This is achieved by means of a reference monitor, which is responsible for mediating all
attempted operations by subjects on objects.
The access control matrix model clearly separates the problem of authentication from that of authorization.

An example of an access control matrix is provided in Table 2.3.1.

Table 2.3.1
User    Process 1              Process 2              File 1        File 2        Printer
John    Read, Write, Execute   -                      Read, Write   Read          Write
Alice   Execute                Read, Write, Execute   Read, Write   Read, Write   Write

In Table 2.3.1, the system keeps track of two processes, two files, and one hardware device.

John can read both File 1 and File 2, but can write only to File 1. John cannot access Process 2, but he has
the ability to write to the printer.
Alice can execute Process 1 and Process 2. Alice can read as well as write both files.

In a large system the access matrix will be huge in size, and most of its cells are likely to be empty.
The access control matrix is rarely used in computer systems because it is extremely costly in terms of storage
space and processing.

2. Access Control List (ACL)

The implementation of access controls in a system may vary, but Access Control Lists (ACLs) are common.

An ACL is nothing more than a list that contains the subjects that have access rights to a particular object, as
shown in Fig. 2.3.2. The list identifies not only the subject but also the specific access for the object.
Typical types of access include read, write, and execute, as indicated in our example access control matrix.

With an ACL, it is easy to determine what access each subject is currently authorized for the object.

This means it provides convenient access review with respect to an object. Also, it is easy to revoke all access to
an object by replacing the existing ACL with an empty one.
To do an access review with respect to a subject, it is very important to examine the ACL of each object in the
system.

Hence, the ACL has a small fixed size and it can be stored using a few bits associated with the file.

Fig. 2.3.2: Access Control List
   Process 1 -> John: R,W,E; Alice: E
   Process 1 -> John: R,W,E
   File 1    -> John: R,W; Alice: R,W
   File 2    -> John: R; Alice: R,W
   Printer   -> John: W; Alice: W

The mechanism used to implement access controls in a computer system or network is not important but the controls
should be based on a specific access model.
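
The access control matrix of Table 2.3.1, its per-object ACLs and a reference monitor that mediates every operation, as an added example (not part of the original notes). It shows default no access for empty cells, revoking by replacing an ACL with an empty one, and why an access review for one subject has to scan every object's ACL. The class, the function names and the audit log are assumptions made for the illustration.

```python
# Table 2.3.1 stored sparsely: empty cells (John / Process 2) are simply absent.
MATRIX = {
    "John": {
        "Process 1": {"read", "write", "execute"},
        "File 1": {"read", "write"},
        "File 2": {"read"},
        "Printer": {"write"},
    },
    "Alice": {
        "Process 1": {"execute"},
        "Process 2": {"read", "write", "execute"},
        "File 1": {"read", "write"},
        "File 2": {"read", "write"},
        "Printer": {"write"},
    },
}


def build_acls(matrix):
    """Turn matrix rows (per subject) into ACLs: one column per object."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


class ReferenceMonitor:
    """Mediates every attempted operation and records it for audit."""

    def __init__(self, acls):
        self.acls = acls
        self.audit_log = []     # (subject, operation, object, allowed)

    def check(self, subject, operation, obj):
        # Default is no access: a missing object, subject or right denies.
        allowed = operation in self.acls.get(obj, {}).get(subject, set())
        self.audit_log.append((subject, operation, obj, allowed))
        return allowed

    def revoke_all(self, obj):
        self.acls[obj] = {}     # replace the ACL with an empty one

    def review_subject(self, subject):
        """Access review for one subject: every object's ACL is scanned."""
        return {obj: sorted(acl[subject])
                for obj, acl in self.acls.items() if subject in acl}

    def denied_attempts(self):
        return [entry[:3] for entry in self.audit_log if not entry[3]]


if __name__ == "__main__":
    monitor = ReferenceMonitor(build_acls(MATRIX))
    print(monitor.check("John", "write", "File 2"))
    print(monitor.review_subject("John"))
```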

Audit

An audit is an independent review and examination of system records and activities in order to test for adequacy of system
controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to
recommend any indicated changes in control, policy and procedures.

Policies- DAC, MAC, RBAC

Several different models are discussed in security literature, including Discretionary Access Control (DAC), Mandatory
Access Control (MAC), and Role-Based Access Control (RBAC).

Different policies can be combined to provide a more suitable protection system, as shown in Fig. 2.3.3.

[Fig. 2.3.3: Multiple Access Control Policy. Inside "All Accesses", three inner circles are labelled Discretionary Policy, Role-Based Policy and Mandatory Policy.]

Each of the three inner circles represents a policy which allows a subset of all possible accesses. When the policies are
combined, only the intersection of their accesses is allowed. Such a combination of policies is relatively straightforward
so long as there are no conflicts where one policy states that a particular access must be allowed while another one
prohibits it. Such conflicts between policies need to be resolved by negotiations at an appropriate level of management.

1. Discretionary Access Control (DAC)

Discretionary access controls are "a means of restricting access to objects based on the identity of subjects and/or
groups to which they belong."
It controls the access based on the identity of the requestor and on access rules (authorizations) stating what
requestors are or are not allowed to do.
Discretionary protection policies decide the access of users to the information on the basis of the user's identity
and authorizations (or rules) that specify, for each user (or group of users) and each object in the system, the access
modes (e.g., read, write, or execute) the user is allowed on the object. Each request of a user to access an object
is checked against the specified authorizations.

The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that
permission indirectly on to any other subject.

If the system has discretionary access controls, then the owner of an object can decide which other subjects
may have access to the object and what specific access they may have.

The permission bits used in UNIX-based systems are a common method to accomplish this. The owner of a file can
specify what permissions (read/write/execute) members in the same group may have and also what permissions
all others may have.

Access Control Lists (ACLs) are another common mechanism used to implement discretionary access control.

The flexibility of discretionary access control policies makes them suitable for a variety of systems and
applications.

For these reasons, they have been widely used in a variety of implementations, especially in commercial and
industrial environments.

However, discretionary access control policies have the drawback that they do not provide real assurance on the
flow of information in a system. It is easy to bypass the access restrictions stated through the authorizations.

For example, a user who is able to read data can pass it to other users not authorized to read it without the
knowledge of the owner.

2. Mandatory Access Control (MAC)

Mandatory policies decide access on the basis of the classification of subjects and objects in the system. Each user
and each object in the system is assigned a security level.
Generally, this system is used in environments where there are different levels of security classification, and it is
much more restrictive of what a user is allowed to do.
The definition of mandatory access controls is "a means of restricting access to objects based on the sensitivity of
the information contained in the objects and the formal authorization of subjects to access information of such
sensitivity".
In MAC, it is the job of the operating system, not of the owner/subject, to decide which access is to be granted to
another subject.
In this type of system, the security mechanism controls the access given to all objects, and individual subjects
cannot make any change to that access.
Here, the key is the label attached to every subject and object. This label identifies the level of classification
for that object and the level that the subject is entitled to.
Let us consider a military example where the security classifications are Secret and Top Secret. Only individuals
with a Top Secret clearance may view a Top Secret file. It is up to the access control mechanism to ensure that an
individual with only a Secret clearance never gains access to a file labeled as Top Secret. Similarly, a user cleared
for Top Secret access will not be allowed by the access control mechanism to change the classification of a file
labeled as Top Secret to Secret or to send that Top Secret file to a user cleared only for Secret information.
Mandatory access control can also be applied for the protection of information integrity.

3. Role-Based Access Control (RBAC)

Role-based policies control the access of users to the information based on the activities the users execute in the
system.
Role Based Access Control is "a means of restricting access to objects based on the Role of the subject".

Role-based policies require the identification of roles in the system. A role can be defined as a set of actions and
responsibilities associated with a particular working activity.
Here, instead of each user being assigned specific access permissions for the objects associated with the system
or network, that user is assigned a set of roles which the user needs to perform.

These roles are in turn assigned the access permissions which are important to perform the tasks associated
with that role.

Therefore, the users will be granted permissions to objects in terms of the specific duties which they must
perform.
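
The three policies evaluated together, as an added example (not part of the original notes): an access is allowed only when DAC, MAC and RBAC all allow it, which is the intersection described for Fig. 2.3.3. The users, files, roles and names are constructed, and modelling the Secret / Top Secret example as "no read up, no write down" is an assumption of the sketch.

```python
LEVELS = {"Secret": 1, "Top Secret": 2}    # labels from the military example


class AccessSystem:
    def __init__(self):
        self.clearance = {}     # MAC: user -> level, set by the system
        self.label = {}         # MAC: object -> level, set by the system
        self.owner = {}         # DAC: object -> owning user
        self.acl = {}           # DAC: object -> {user: set of operations}
        self.user_roles = {}    # RBAC: user -> set of roles
        self.role_perms = {}    # RBAC: role -> set of (operation, object)

    def grant(self, granter, obj, user, op):
        """DAC: the owner decides who else gets which access to the object."""
        if self.owner.get(obj) != granter:
            return False
        self.acl.setdefault(obj, {}).setdefault(user, set()).add(op)
        return True

    def dac_allows(self, user, op, obj):
        return (self.owner.get(obj) == user
                or op in self.acl.get(obj, {}).get(user, set()))

    def mac_allows(self, user, op, obj):
        if user not in self.clearance or obj not in self.label:
            return False                      # unlabelled means no access
        subject = LEVELS[self.clearance[user]]
        target = LEVELS[self.label[obj]]
        if op == "read":
            return subject >= target          # Secret cannot read Top Secret
        if op == "write":
            return subject <= target          # Top Secret cannot write down
        return False

    def rbac_allows(self, user, op, obj):
        return any((op, obj) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))

    def decide(self, user, op, obj):
        """Allow only what all three policies allow; name the ones that deny."""
        checks = (("DAC", self.dac_allows), ("MAC", self.mac_allows),
                  ("RBAC", self.rbac_allows))
        denied_by = [name for name, check in checks if not check(user, op, obj)]
        return (not denied_by, denied_by)


def build_sample():
    """Constructed users, files and roles for the demonstration."""
    s = AccessSystem()
    s.clearance = {"asha": "Top Secret", "ravi": "Secret", "meena": "Secret"}
    s.label = {"plan.doc": "Top Secret", "memo.txt": "Secret"}
    s.owner = {"plan.doc": "asha", "memo.txt": "ravi"}
    s.role_perms = {
        "analyst": {("read", "plan.doc"), ("write", "plan.doc"),
                    ("read", "memo.txt"), ("write", "memo.txt")},
        "clerk": {("read", "memo.txt"), ("write", "memo.txt")},
        "reviewer": {("read", "plan.doc")},
    }
    s.user_roles = {"asha": {"analyst"}, "ravi": {"clerk", "reviewer"}}
    # Owners pass permissions on at their own discretion (DAC).
    s.grant("asha", "plan.doc", "ravi", "read")
    s.grant("ravi", "memo.txt", "asha", "read")
    s.grant("ravi", "memo.txt", "asha", "write")
    s.grant("ravi", "memo.txt", "meena", "read")
    return s
```

In the sample, the owner of plan.doc has granted ravi read access and his role permits it, yet the request is still denied by MAC; this is the assurance on information flow that the text says DAC alone does not provide.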
