This document discusses computer security techniques such as authentication and access control. It covers various authentication methods like passwords, tokens, biometrics as well as means of implementing access control like discretionary access control, mandatory access control and role-based access control. Authentication seeks to verify users' identities while access control determines what types of access are permitted for different users.
Computer Security Techniques
Muchina S.K M. Sc.
Overview
• Authentication
• Access Control

Authentication
• Basis for most types of access control and accountability
• Two steps
  – Identification
  – Verification

Means of Authentication
• Traditionally listed as three factors
• Something you know
  – Password, PIN
• Something you have
  – Card, RFID badge
• Something you are
  – Biometrics

Biometrics expanded
• Recently Biometrics (something you are) has been expanded into:
• Something the individual is
  – Static Biometrics: Fingerprint, face
• Something the individual does
  – Dynamic Biometrics: handwriting, voice recognition, typing rhythm

Password-Based Authentication
• Determines if user is authorized to access the system
• Determines privileges for the user
• Discretionary access control may be applied
  – For example, by listing the IDs of the other users, a user may grant permission to them to read files owned by that user.

Hashed Passwords
• Widely used technique for storing passwords
• Secure against a variety of cryptanalytic attacks

UNIX Password Scheme

Salt
• Prevents duplicate passwords from being visible in the password file.
• Greatly increases the difficulty of offline dictionary attacks.
• It becomes nearly impossible to find out whether a person with an account on multiple systems has used the same password for all.

Token-Based Authentication
• Objects that a user possesses for the purpose of user authentication are called tokens.
• Examples include
  – Memory cards
  – Smart cards

Memory Cards
• Memory cards can store but not process data.
• Often used in conjunction with password
• Drawbacks include
  – Requires a special reader
  – Token loss
  – User dissatisfaction

Smart Cards
• Contains microprocessor, along with memory, and I/O ports.
• Many types exist differing by three main aspects:
  – Physical characteristics
  – Interface
• Static
• Dynamic password generator
• Challenge-response

Static Biometric Authentication
• Includes
  – Facial characteristics
  – Fingerprints
  – Hand geometry
  – Retinal pattern
• Based on pattern recognition,
  – technically complex and expensive.

Dynamic Biometric Authentication
• Patterns may change
• Includes
  – Iris
  – Signature
  – Voice
  – Typing rhythm

Cost versus Accuracy

Overview
• Authentication
• Access Control

Access Control
• Dictates what types of access are permitted, under what circumstances, and by whom.
  – Discretionary access control
  – Mandatory access control
  – Role-based access control

Access Control
• Discretionary access control (DAC):
  – Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.
  – This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

Access Control
• Mandatory access control (MAC):
  – Security labels indicate how sensitive or critical system resources are
  – Security clearances indicate which system entities are eligible to access certain resources
  – MAC controls access based on comparing security labels with security clearances
  – This policy is termed mandatory because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.

Access Control
• Role-based access control (RBAC):
• Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

Not mutually exclusive

Role Based Access Control
• Effective implementation of the principle of least privilege
• Each role should contain the minimum set of access rights needed for that role.
• A user is assigned to a role that enables him or her to perform what is required for that role.
  – But only while they are performing that role

Roles

Access Control Matrix Representation of RBAC
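The three effects listed on the Salt slide can be checked directly. The following is an added example, not part of the original slides; the user names, passwords, the choice of PBKDF2-HMAC-SHA256 and the iteration count are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 50_000  # assumed work factor for the demo; the slides name no algorithm

# Constructed sample accounts: alice and bob happen to choose the same password.
SAMPLE_USERS = {"alice": "tr0ub4dor", "bob": "tr0ub4dor", "carol": "hunter2"}

def store(password, salt):
    """Return the (salt, hash) pair kept in the password file."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(entry, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = entry
    return hmac.compare_digest(store(candidate, salt)[1], digest)

def build_file(users, salted=True):
    """salted=False models a file with no per-user salt (empty salt for everyone)."""
    return {u: store(p, os.urandom(16) if salted else b"") for u, p in users.items()}

def visible_duplicates(pwfile):
    """Groups of users whose stored hashes are identical, as a reader of the file sees them."""
    groups = defaultdict(list)
    for user, (_, digest) in pwfile.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def hashes_needed(pwfile, wordlist_size):
    """Hash computations to try a whole wordlist against every account offline:
    one pass per distinct salt, since a guess hashed under one salt cannot be reused."""
    return wordlist_size * len({salt for salt, _ in pwfile.values()})

if __name__ == "__main__":
    plain = build_file(SAMPLE_USERS, salted=False)
    salted = build_file(SAMPLE_USERS)
    print("unsalted duplicates:", visible_duplicates(plain))
    print("salted duplicates:  ", visible_duplicates(salted))
    print("hashes for a 1M-word list:",
          hashes_needed(plain, 10**6), "vs", hashes_needed(salted, 10**6))
```

Building the salted file twice models two systems: the same user with the same password ends up with unrelated stored hashes on each.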
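The DAC, MAC and RBAC definitions above can be compared by putting requests through all three decision rules. This is an added example, not part of the original slides; the users, roles, resources, the label ordering and the "clearance at or above label" read rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # assumed label ordering

@dataclass
class Resource:
    name: str
    owner: str
    label: str                                  # MAC security label
    acl: dict = field(default_factory=dict)     # DAC rules: user -> set of rights

def dac_grant(res, grantor, grantee, right):
    """DAC: the owner can, by its own volition, enable another user's access."""
    if grantor != res.owner:
        return False
    res.acl.setdefault(grantee, set()).add(right)
    return True

def dac_allows(res, user, right):
    return user == res.owner or right in res.acl.get(user, set())

def mac_allows_read(res, clearances, user):
    """MAC: compare clearance with label (read rule assumed: clearance >= label).
    No grant operation exists, so a cleared user cannot pass access on."""
    return LEVELS[clearances.get(user, "public")] >= LEVELS[res.label]

# Constructed RBAC tables: each role holds only the rights that role needs.
ROLE_PERMS = {"teller": {("accounts", "read"), ("accounts", "write")},
              "auditor": {("ledger", "read")}}
USER_ROLES = {"dana": {"teller", "auditor"}, "eli": {"teller"}}

def rbac_allows(user, active_role, resource, right):
    """RBAC: rights come from the role being performed now, not every role held."""
    return (active_role in USER_ROLES.get(user, set())
            and (resource, right) in ROLE_PERMS.get(active_role, set()))

def demo():
    report = Resource("report.txt", owner="alice", label="secret")
    clearances = {"alice": "secret", "bob": "confidential"}    # constructed
    dac_grant(report, "alice", "bob", "read")                  # owner shares the file
    return {
        "dac_bob_read": dac_allows(report, "bob", "read"),
        "dac_bob_regrant": dac_grant(report, "bob", "carol", "read"),
        "mac_bob_read": mac_allows_read(report, clearances, "bob"),
        "rbac_dana_as_teller": rbac_allows("dana", "teller", "ledger", "read"),
        "rbac_dana_as_auditor": rbac_allows("dana", "auditor", "ledger", "read"),
    }

if __name__ == "__main__":
    print(demo())
```

The same read of report.txt by bob is allowed by the DAC rule and denied by the MAC rule, which is why a system that applies both at once must require every active policy to agree.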