Lecture 3
Uploaded by Muler Taye

Authentication & Access Control

Lecture 3
What Is Access Control?
Access Control Terminology
• Access
– A subject (a user or a process acting for a user) interacting with a system resource
• Identification
– The user presents an identifier, such as a username, to claim an identity
• Authentication
– Checking the user's credentials (usually a password) to be sure the claimed identity is genuine and not fabricated
• Authorization
– Granting permission to take the requested action on the resource
• Access Control
– The process by which resources or services are granted or denied on a computer system or network
Access Control Terminology (continued)
• Access control can take different forms depending on the resources that are being protected
• Other terminology is used to describe how computer systems impose access control:
– Object – resource to be protected
– Subject – user (or process) trying to access the object
– Operation – action being attempted, for example read, write, or delete
Access Control Terminology (continued)
Authentication Factors
• Authenticators are commonly based on one or more of the following factors:
• Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.
• Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.
• Something you are, such as a fingerprint, voice, retina or iris scan, or hand geometry.
– Biometric systems are rated by three error measures:
– False acceptance rate (FAR): how often an unauthorized person is admitted
– False rejection rate (FRR): how often an authorized person is rejected
– Crossover error rate (CER): the operating point where FAR and FRR are equal; a lower CER means a more accurate system
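The three rates are easier to see on numbers. The following is an added example, not part of the lecture: it sweeps the acceptance threshold of a biometric matcher over constructed genuine and impostor similarity scores, computes FAR and FRR at each threshold, and reports the threshold at which they cross (the CER). The score values and the 0..100 scale are made up for the example.

```python
# Added example (not from the lecture): FAR, FRR and the crossover error rate
# for a biometric matcher. The matcher outputs a similarity score and the
# system accepts an attempt when score >= threshold.

# Constructed sample data: scores from 10 genuine attempts (the enrolled user)
# and 10 impostor attempts (someone else), on a 0..100 scale.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 72, 69, 65, 58]
IMPOSTOR_SCORES = [61, 57, 52, 48, 44, 40, 36, 31, 27, 20]


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of impostor attempts that are accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of genuine attempts that are rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def crossover(genuine_scores, impostor_scores):
    """Sweep every threshold on the 0..100 scale and return (threshold, far, frr)
    where the two rates are closest. That shared rate is the CER; a lower CER
    means the matcher separates genuine users from impostors better."""
    best = None
    for t in range(0, 101):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    t, a, r = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    # Moving the threshold trades one error for the other:
    print(f"threshold 90: FAR={far(IMPOSTOR_SCORES, 90):.2f} FRR={frr(GENUINE_SCORES, 90):.2f}")
```

With these samples the rates cross at threshold 59, where both are 0.1; raising the threshold to 90 drives FAR to 0 but rejects 9 of 10 genuine attempts, which is why a deployment picks the threshold from the CER curve rather than from FAR alone.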
Access Control Models
• Mandatory Access Control
• Discretionary Access Control
• Role-Based Access Control
• Rule-Based Access Control
Mandatory Access Control (MAC) model
• Most restrictive model; used by the military
• Objects and subjects are assigned access levels (labels) by the system, not by their owners
• Unclassified, Confidential, Secret, Top Secret
• The end user cannot implement, modify, or transfer any controls
Discretionary Access Control (DAC) model
• The least restrictive model; used by Windows computers in small networks
• A subject has total control over any objects that he or she owns
• Along with the programs that are associated with those objects
• In the DAC model, a subject can also change the permissions for other subjects over objects
DAC Has Two Significant Weaknesses
– It relies on the end-user subject to set the
proper level of security
– A subject’s permissions will be “inherited”
by any programs that the subject executes
Role Based Access Control (RBAC) model
Sometimes called Non-Discretionary Access Control
Used in Windows corporate domains
Considered a more “real world” approach than the
other models
Assigns permissions to particular roles in the
organization, such as “Manager” and then assigns
users to that role
Objects are set to be a certain type, to which
subjects with that particular role have access
Rule Based Access Control (RBAC) model
• Also called the Rule-Based Role-Based Access Control (RB-RBAC) model or automated provisioning
• Controls access with rules defined by a custodian
– Example: Windows Live Family Safety
Access Control Models (continued)
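As an added example (not from the lecture), the MAC, DAC and RBAC models as small runnable policy checks. The MAC rule used here, that a subject may read only objects at or below its own clearance, is the usual simple-security ("no read up") rule and an assumption of the example; the level names follow the slide with Confidential as the second level. Subject, object and role names are placeholders.

```python
# Added example (not from the lecture): three access-control models as code.
from dataclasses import dataclass, field

# Sensitivity levels, lowest first (assumption: Confidential is the second level).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """MAC: labels are fixed by the system, not by users. A subject may read an
    object only if its clearance is at or above the object's label ("no read up")."""
    return LEVELS.index(subject_clearance) >= LEVELS.index(object_label)


@dataclass
class DacObject:
    """DAC: the owner of the object decides who else gets which operations."""
    owner: str
    grants: dict = field(default_factory=dict)   # subject -> set of operations

    def grant(self, by: str, to: str, operation: str) -> bool:
        """Only the owner may change permissions; anyone else is refused."""
        if by != self.owner:
            return False
        self.grants.setdefault(to, set()).add(operation)
        return True

    def can(self, subject: str, operation: str) -> bool:
        return subject == self.owner or operation in self.grants.get(subject, set())


class Rbac:
    """RBAC: permissions attach to roles; users are assigned to roles.
    Anything not reachable through some role is denied (implicit deny)."""

    def __init__(self):
        self.role_perms = {}   # role -> {(operation, object_type)}
        self.user_roles = {}   # user -> {role}

    def allow(self, role: str, operation: str, object_type: str) -> None:
        self.role_perms.setdefault(role, set()).add((operation, object_type))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def can(self, user: str, operation: str, object_type: str) -> bool:
        return any((operation, object_type) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


def demo():
    """Placeholder subjects and objects; returns each model's decision."""
    report = DacObject(owner="alice")
    bob_granted = report.grant(by="alice", to="bob", operation="read")
    bob_cannot_grant = not report.grant(by="bob", to="carol", operation="read")
    rbac = Rbac()
    rbac.allow("Manager", "approve", "expense-report")
    rbac.assign("dana", "Manager")
    return {
        "secret clearance reads confidential": mac_can_read("Secret", "Confidential"),
        "confidential clearance reads top secret": mac_can_read("Confidential", "Top Secret"),
        "owner granted bob read": bob_granted and report.can("bob", "read"),
        "bob cannot re-grant": bob_cannot_grant,
        "bob cannot write": not report.can("bob", "write"),
        "manager approves expense": rbac.can("dana", "approve", "expense-report"),
        "manager cannot delete expense": not rbac.can("dana", "delete", "expense-report"),
        "unassigned user denied": not rbac.can("eve", "approve", "expense-report"),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question}: {answer}")
```

Note where the discretion sits in each model: in MAC nobody but the system sets labels, in DAC the owner (and therefore any program the owner runs) can hand out rights, and in RBAC only the role definitions carry permissions, so removing a user from a role revokes everything at once.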
Best Practices for Access Control
• Separation of duties
– No one person should control money or other
essential resources alone
• Network administrators often have too much power
and responsibility
• Job rotation
– Individuals are periodically moved from one job
responsibility to another
Best Practices for Access Control
• Least privilege
– Each user should be given only the minimal
amount of privileges necessary to perform his
or her job function
• Implicit deny
– If a condition is not explicitly met, access is
denied
– For example, Web filters typically block
unrated sites
Logical Access Control Methods
Access Control Methods
• The methods to implement access control are
divided into two broad categories
– Physical access control and
– Logical access control
• Logical access control includes
– Access control lists (ACLs)
– Group policies
– Account restrictions
– Passwords
Access Control List (ACL)
• A set of permissions attached to an object
• Specifies which subjects are allowed to access the object
• And what operations they can perform on it
• Every file and folder has an ACL
• Access control entry (ACE)
– Each entry in the ACL table in the Microsoft Windows, Linux, and Mac OS X operating systems
Windows Access Control Entries
(ACEs)
• In Windows, the ACE includes
– Security identifier (SID) for the user or
group
– Access mask that specifies the access rights
controlled by the ACE
– A flag that indicates the type of ACE
– A set of flags that determine whether
objects can inherit permissions
Advanced Security Settings in Windows 7 Beta
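An added example, not from the lecture, of how the ACEs just described are evaluated. It is a simplified model of the Windows access check: each ACE carries an identifier, an access mask, a type (allow or deny) and an inheritance flag; entries are walked in order, a deny that touches a still-ungranted requested right ends the check, allows accumulate until every requested right is granted, and reaching the end of the list with no decision is the implicit deny from the best-practices slide. The mask bit values, every SID string other than the well-known Administrators SID S-1-5-32-544, and the folder/file layout are constructed for the example.

```python
# Added example (not from the lecture): a simplified Windows-style DACL check.
from dataclasses import dataclass

# Access-mask bits (constructed for the example; real Windows masks are wider)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Ace:
    sid: str               # user or group the entry applies to
    mask: int              # access rights this entry controls
    kind: str              # ALLOW or DENY (the "type of ACE" flag)
    inherit: bool = False  # may child objects inherit this entry?


def effective_acl(parent_acl, own_acl):
    """A child's DACL: its own (explicit) entries first, then the parent's
    inheritable ones. Explicit-before-inherited is the Windows canonical order;
    within each group, list DENY entries before ALLOW entries."""
    return list(own_acl) + [a for a in parent_acl if a.inherit]


def access_check(acl, token_sids, requested):
    """Walk the ACEs in order. A DENY that matches the subject and covers any
    still-ungranted requested right ends the check; ALLOW entries accumulate
    rights until every requested bit is granted. Falling off the end of the
    list without a decision is the implicit deny."""
    granted = 0
    for ace in acl:
        if ace.sid not in token_sids:          # entry is not about this subject
            continue
        if ace.kind == DENY and ace.mask & requested & ~granted:
            return False
        if ace.kind == ALLOW:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False


# Constructed sample: a folder with inheritable entries and one file in it that
# carries an explicit DENY for a single user.
ADMINISTRATORS = "S-1-5-32-544"    # the real well-known Administrators SID
FOLDER_ACL = [
    Ace(ADMINISTRATORS, READ | WRITE | EXECUTE | DELETE, ALLOW, inherit=True),
    Ace("SID-GROUP-STAFF", READ | EXECUTE, ALLOW, inherit=True),   # placeholder SID
]
FILE_ACL = [Ace("SID-USER-BOB", WRITE, DENY)]                      # placeholder SID


def check_file(token_sids, requested):
    """Access check for the sample file, using its explicit plus inherited ACEs."""
    return access_check(effective_acl(FOLDER_ACL, FILE_ACL), set(token_sids), requested)


if __name__ == "__main__":
    bob = {"SID-USER-BOB", "SID-GROUP-STAFF"}
    carol = {"SID-USER-CAROL", "SID-GROUP-STAFF"}
    print("bob read       :", check_file(bob, READ))           # True, via STAFF
    print("bob read+write :", check_file(bob, READ | WRITE))   # False, explicit deny
    print("carol write    :", check_file(carol, WRITE))        # False, implicit deny
    print("admin delete   :", check_file({"SID-USER-ADMIN", ADMINISTRATORS}, DELETE))
```

Two things to take from the walk: an explicit deny on the file wins over an inherited allow from the folder only because it is evaluated first, so a tool that writes ACEs out of canonical order changes the result; and carol is refused write access without any deny entry existing, which is what implicit deny means in practice.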
Group Policy
• A Microsoft Windows feature that provides
centralized management and configuration of
computers and remote users
• Using the Microsoft directory services known as
Active Directory (AD)
• Group Policy is used in corporate domains to restrict
user actions that may pose a security risk
• Group Policy settings are stored in Group Policy
Objects (GPOs)
Account Restrictions
• Time of day restrictions
– Limit when a user can log on to a system
– These restrictions can be set through a Group Policy
– Can also be set on individual systems
• Account expiration
– The process of setting a user’s account to expire
– Orphaned accounts are user accounts that remain
active after an employee has left an organization
• Can be controlled using account expiration
Passwords
• The most common logical access control
• Sometimes referred to as a logical token
• A secret combination of letters, numbers, and symbols that only the user knows
• A password should never be written down
– Must also be of sufficient length and complexity so that an attacker cannot easily guess it
– The password paradox: a password strong enough to resist guessing is hard to remember, and a password easy to remember is easy to guess
Passwords Myths
Attacks on Passwords
• Brute force attack
– Trying every possible combination of characters until the password is found
– The work grows exponentially with password length and the size of the character set
• Passwords are normally stored not in plaintext or in a reversible encrypted form but as a one-way "hash"
– Attackers try to steal the file of hashed passwords and then break the hashes offline, where no account lockout applies
How to Get the Hashes
• Easy way: Just use Cain
• Cracker tab, right-click, "Add to List"
Attacks on Passwords
• Dictionary attack
– Guess passwords from a list of words and known common passwords
– Works if the password is a known common password
• Rainbow tables
– Make password attacks faster by using a large pregenerated data set of hash chains covering nearly every possible password combination
– Works well against Windows passwords because the NT hash (MD4 of the UTF-16LE password) is computed without a salt
Rainbow Tables
• Generating a rainbow table requires a significant amount of time
• Rainbow table advantages
– Can be used repeatedly for attacks on other passwords hashed the same way
– Once a table exists, looking a hash up is much faster than hashing candidate passwords one by one
– The amount of time needed on the attacking machine is greatly reduced
Rainbow Table Attack
Passwords (continued)
• One reason for the success of rainbow tables is how older Microsoft Windows operating systems hash passwords
• A defense against breaking hashed passwords with rainbow tables
– The hashing algorithm should include a random sequence of bits as input along with the user-created password
• These random bits are known as a salt; the salt is stored with the hash, it does not need to be secret
– Make brute force, dictionary, and rainbow table attacks much more difficult, because a precomputed table would have to be built for every salt value
No Salt!
• To make hashing stronger, add a random "salt" to a password before hashing it
• Windows doesn't salt its NT hash!
• Two accounts with the same password hash to the same result, even in Windows 7 Beta!
• This makes it possible to speed up password cracking with precomputed rainbow tables
Demonstration
• Screenshot: two accounts on a Windows 7 Beta machine with the password 'password'
• Screenshot: the hash of the same password from a different Windows 7 Beta machine
Linux Salts its Hashes
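The following added example (not from the lecture or from any Windows component) ties the rainbow-table and salting slides together. It computes the NT hash exactly as Windows does, MD4 over the UTF-16LE password with no salt (MD4 is written out in pure Python because hashlib's md4 is disabled in many OpenSSL 3 builds), builds a tiny precomputed hash-to-password table that stands in for a rainbow table, and contrasts that with a salted, iterated hash using PBKDF2-HMAC-SHA256. PBKDF2 is an assumption of the example standing in for the salted crypt() hashes Linux keeps in /etc/shadow; the wordlist is constructed.

```python
# Added example (not from the lecture): unsalted NT hash vs. a salted hash.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: pad, then three 16-step rounds per 64-byte block.
    Pure Python because hashlib's md4 is disabled in many OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for rnd in range(3):
            for i in range(16):
                j = (-i) % 4   # which word is updated: A, then D, C, B, A, ...
                w, x, y, z = s[j], s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                if rnd == 0:    # F = (x AND y) OR (NOT x AND z)
                    f, k, add, sh = (x & y) | (~x & z), i, 0, (3, 7, 11, 19)
                elif rnd == 1:  # G = majority(x, y, z)
                    f, k, add, sh = (x & y) | (x & z) | (y & z), (i % 4) * 4 + i // 4, 0x5A827999, (3, 5, 9, 13)
                else:           # H = x XOR y XOR z
                    f, k, add, sh = x ^ y ^ z, (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4], 0x6ED9EBA1, (3, 9, 11, 15)
                s[j] = _rotl((w + f + X[k] + add) & MASK, sh[i % 4])
        a, b, c, d = ((u + v) & MASK for u, v in zip((a, b, c, d), s))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password. No salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


def build_lookup(wordlist):
    """Tiny stand-in for a rainbow table: hash -> password, computed once and
    reusable against every unsalted NT hash ever captured, from any machine."""
    return {nt_hash(w): w for w in wordlist}


def crack_nt(lookup, stolen_hash: str):
    return lookup.get(stolen_hash.lower())


def make_salted(password: str, salt=None, rounds: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 here; Linux uses salted crypt()).
    A fresh random salt per account means equal passwords store different values,
    so no precomputed table applies and each account must be attacked on its own."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _alg, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed data: a short wordlist and two accounts sharing a password.
    table = build_lookup(["123456", "password", "letmein", "qwerty"])
    print("NT hash of 'password':", nt_hash("password"))
    print("table lookup         :", crack_nt(table, nt_hash("password")))
    s1, s2 = make_salted("password"), make_salted("password")
    print("salted hashes equal? :", s1 == s2)   # False: same password, different salts
    print("verify 'password'    :", verify_salted("password", s1))
```

nt_hash("password") returns 8846f7eaee8fb117ad06bdd830b7586c on every Windows machine, which is exactly why the screenshots on the previous slide match and why one table cracks them all; the two salted strings for the same password differ, and only verify_salted, which reads the salt back out of the stored value, can check a candidate.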
Password Policy
• A strong password policy can provide several defenses against password attacks
• The first password policy is to create and use strong passwords
• One of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashes in the first place
• A final defense is to use a password manager program to generate and keep track of passwords
Domain Password Policy
• Setting password restrictions for a Windows domain can be accomplished through the Windows domain password policy
• There are six common domain password policy settings: enforce password history, maximum password age, minimum password age, minimum password length, password complexity requirements, and storing passwords using reversible encryption (which should stay disabled)
– Used to build a domain password policy; different rules for specific users or groups are applied with Password Settings Objects (PSOs) in fine-grained password policy
Physical Access Control
Physical Access Control
• Physical access control primarily protects
computer equipment
– Designed to prevent unauthorized users
from gaining physical access to equipment
in order to use, steal, or vandalize it
• Physical access control includes computer
security, door security, mantraps, video
surveillance, and physical access logs
Physical Computer Security
• Physically securing network servers in an
organization is essential
• Rack-mounted servers
– 4.45 centimeters (1.75 inches) tall
– Can be stacked with up to 50 other servers
in a closely confined area
• KVM (Keyboard, Video, Mouse) Switch
– Needed to connect to the servers
– Can be password-protected
KVM Switch
Door Security
• Hardware locks
– Preset lock
• Also known as the key-in-knob lock
• The easiest to use because it requires only a key
for unlocking the door from the outside
• Automatically locks behind the person, unless it
has been set to remain unlocked
• Security provided by a preset lock is minimal
Deadbolt lock
• Extends a solid metal bar into the door frame
• Much more difficult to defeat than preset locks
• Requires that the key be used to both open and lock the door
Lock Best Practices
• Change locks immediately upon loss or theft of keys
• Inspect all locks on a regular basis
• Issue keys only to authorized persons
• Keep records of who uses and turns in keys
• Keep track of keys issued, with their number and
identification
• Master keys should not have any marks identifying
them as masters
Lock Best Practices
• Secure unused keys in a locked safe
• Set up a procedure to monitor the use of all
locks and keys and update the procedure as
necessary
• When making duplicates of master keys, mark
them “Do Not Duplicate,” and wipe out the
manufacturer’s serial numbers to keep
duplicates from being ordered
Cipher Lock
• Combination locks that use buttons that
must be pushed in the proper sequence to
open the door
• Can be programmed to allow only the code
of certain individuals to be valid on specific
dates and times
• Cipher locks also keep a record of when the
door was opened and by which code
• Cipher locks are typically connected to a
networked computer system
– Can be monitored and controlled from one
central location
Cipher Lock Disadvantages
• Basic models can cost several hundred dollars while advanced models can be even more expensive
• Users must be careful to conceal which buttons they push to avoid someone seeing or photographing the combination
Tailgate Sensor
• Uses infrared beams that are aimed across a
doorway
• Can detect if a second person walks through
the beam array immediately behind
(“tailgates”) the first person
– Without presenting credentials
Physical Tokens
• Objects to identify users
• ID Badge
– The most common types of physical tokens
– ID badges originally were visually screened by
security guards
– Today, ID badges can be fitted with tiny radio
frequency identification (RFID) tags
• Can be read by an RFID transceiver as the user walks
through the door with the badge in her pocket
Door Security (continued)
Mantrap
• Before entering a secure area, a person must enter
the mantrap
– A small room like an elevator
• If their ID is not valid, they are held in the mantrap until security personnel arrive
• Mantraps are used at high-security areas where only
authorized persons are allowed to enter
– Such as sensitive data processing areas, cash
handling areas, critical research labs, security
control rooms, and automated airline passenger
entry portals
Mantrap
Video Surveillance
• Closed circuit television (CCTV)
– Using video cameras to transmit a signal to a specific and limited set of receivers
• Some CCTV cameras are fixed in a single position pointed at a door or a hallway
• Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view
Physical Access Log
– A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area
– Can also identify if unauthorized personnel have accessed a secure area
• Physical access logs originally were paper documents
– Today, door access systems and physical tokens can generate electronic log documents
Authentication Protocols
Password Authentication Protocol, or PAP
• PAP uses a two-way handshake process for authentication using the following steps.
• Step 1. Client sends username and password to server, in clear text.
• Step 2. Server accepts credentials and verifies.
• If the server is listening for authentication requests, it will accept the username and password credentials and verify that they match its stored copy.
• If the credentials match, the server sends an authentication-ack response packet to the client; otherwise it sends an authentication-nak. The server will then establish the PPP session between the client and server.
• Because the password crosses the link unprotected, anyone who can sniff the link learns it; PAP should only be used inside an already-encrypted tunnel.
PAP
Challenge Handshake Authentication Protocol, or CHAP
• CHAP uses a three-way handshake process to protect the authentication password from bad actors. It works as follows.
• Step 1. After the link is established, the authenticator sends an authentication challenge: a random challenge string together with an identifier byte.
• Step 2. Client computes and sends a response.
• The client uses the shared secret that both the client and server know to compute a one-way hash (MD5) over the identifier, the secret, and the challenge string, and sends that hash as its response. The secret itself never crosses the link.
CHAP
• Step 3. Server recomputes the hash and verifies.
• A hash cannot be decrypted. The server computes the same hash from its own copy of the secret and the challenge it sent, and compares it with the response. If the two match, the server responds with an authentication-success packet. If they do not match, the server sends an authentication-failure message, and the session is terminated.
• Because every challenge is random, a response captured on the wire cannot be replayed later; the server may also re-challenge periodically during the session.
• Caveat: the server has to hold the secret in a form it can recover to recompute the hash, so the credential store on the server needs protecting in its own right.
CHAP
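The two exchanges above, written out as an added example (not from the lecture) with both ends in code. The CHAP response is MD5(identifier || secret || challenge) as in RFC 1994; the user name, shared secret and challenge bytes are constructed for the example, and the small dict stands in for the authenticator's credential store.

```python
# Added example (not from the lecture): one PAP and one CHAP exchange, both sides.
import hashlib
import hmac
import os

# Constructed credential store (what the authenticator knows)
USERS = {"alice": "s3cret-ppp"}


# ---- PAP: the client sends the password itself ---------------------------
def pap_client_request(username: str, password: str) -> dict:
    """Authenticate-Request: both fields travel in clear text on the link."""
    return {"type": "Authenticate-Request", "peer_id": username, "password": password}


def pap_server(request: dict) -> str:
    ok = USERS.get(request["peer_id"]) == request["password"]
    return "Authenticate-Ack" if ok else "Authenticate-Nak"


# ---- CHAP: the client proves knowledge of the secret without sending it --
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_server_challenge(identifier: int) -> dict:
    """Step 1: the authenticator sends a fresh random challenge."""
    return {"type": "Challenge", "id": identifier, "value": os.urandom(16)}


def chap_client(challenge: dict, username: str, secret: str) -> dict:
    """Step 2: the client hashes id || secret || challenge and returns the digest."""
    return {"type": "Response", "id": challenge["id"], "name": username,
            "value": chap_response(challenge["id"], secret, challenge["value"])}


def chap_server_verify(challenge: dict, response: dict) -> str:
    """Step 3: the server recomputes the expected digest from its own copy of
    the secret and compares; nothing is decrypted."""
    secret = USERS.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return "Failure"
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return "Success" if hmac.compare_digest(expected, response["value"]) else "Failure"


def run_chap(username: str, secret: str, identifier: int = 1) -> str:
    ch = chap_server_challenge(identifier)
    return chap_server_verify(ch, chap_client(ch, username, secret))


def replay_attack() -> str:
    """An eavesdropper who captured a valid Response cannot reuse it: the next
    Challenge carries a different random value, so the stale digest fails."""
    ch1 = chap_server_challenge(1)
    captured = chap_client(ch1, "alice", USERS["alice"])
    ch2 = chap_server_challenge(2)
    captured["id"] = ch2["id"]   # attacker patches the identifier; the hash is still stale
    return chap_server_verify(ch2, captured)


if __name__ == "__main__":
    print("PAP good password :", pap_server(pap_client_request("alice", "s3cret-ppp")))
    print("PAP wrong password:", pap_server(pap_client_request("alice", "wrong")))
    print("CHAP good secret  :", run_chap("alice", "s3cret-ppp"))
    print("CHAP wrong secret :", run_chap("alice", "wrong"))
    print("CHAP replay       :", replay_attack())
```

The contrast to notice is what a sniffer on the link sees: with PAP the request dict itself, password included; with CHAP only a 16-byte challenge and a 16-byte digest that is worthless against the next challenge. What CHAP does not hide is that USERS holds the secret in recoverable form on the server, which is the caveat on the slide above.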
