
Nis Chapter 2

Chapter 2 discusses the concepts of identification and authentication, focusing on usernames and passwords as essential components for user login. It emphasizes the importance of strong password selection strategies to enhance security and outlines various methods of password attacks, including guessing, piggybacking, shoulder surfing, and dumpster diving. Additionally, the chapter introduces biometrics as a secure alternative for authentication, detailing various biometric methods and their advantages and disadvantages.

Uploaded by

arpit.monga1402

CHAPTER 2- IDENTIFICATION & AUTHENTICATION

USER NAME & PASSWORD


WHAT IS USERNAME ?

WHAT IS PASSWORD ?

USERNAME : IDENTIFICATION (WHO YOU ARE?)

PASSWORD : AUTHENTICATION (PROOF OF THE CLAIMED IDENTITY)

 A USERNAME IS ALMOST ALWAYS PAIRED WITH A PASSWORD.


 THIS USERNAME/PASSWORD COMBINATION IS REFERRED TO AS A LOGIN, AND IS OFTEN REQUIRED FOR
USERS TO LOG IN TO WEBSITES.
 FOR EXAMPLE, TO ACCESS YOUR E-MAIL VIA THE WEB, YOU ARE REQUIRED TO ENTER YOUR USERNAME AND
PASSWORD.
PASSWORD SELECTION

 PASSWORD SELECTION IS VERY IMPORTANT FOR AUTHORIZED USERS.

 PROPER SELECTION OF A PASSWORD LEADS TO ENHANCED SECURITY,

 WHEREAS AN EASY OR INCORRECTLY SELECTED PASSWORD WEAKENS OR FULLY COMPROMISES THE SECURITY.

 IN GENERAL, PASSWORDS SHOULD BE SELECTED IN SUCH A WAY THAT:

1. THEY ARE SUFFICIENTLY LONG. A LONGER PASSWORD INCREASES THE NUMBER OF GUESSING COMBINATIONS AND MAKES CRACKING IT DIFFICULT.

2. THEY ARE A COMBINATION OF UPPERCASE, LOWERCASE, NUMERIC AND SPECIAL SYMBOLS.

3. THEY ARE NOT DICTIONARY WORDS OR EASY, SIMPLE, GUESSABLE WORDS.

4. THEY DO NOT RELATE TO THE PERSONAL PROFILE OF THE USER, AS THE PROFILE IS EASILY READ AND ACCESSIBLE TO EVERYBODY.

5. THEY ARE NOT SIMPLE TYPEMATIC (KEYBOARD) SEQUENCES SUCH AS 'ASDF', '1234', 'ABC123' ETC.
CHOOSING PASSWORD
Do’s
 Minimum 8 characters.
 Seemingly random but easy to remember, e.g. “I have two project partners: John and Jack”.
 Digits should be there, e.g. “john2212”.
 Use special symbols, e.g. “john#2212”.
 Use lower and upper case letters, e.g. “JohN#2212”.
Don'ts
 Not a dictionary word.
 Not only a family member's name.
CHARACTERISTICS OF GOOD PASSWORD

1. Password should be at least eight characters in length.

2. Password should have at least three of the following four elements:

i. One or more upper case letters (A-Z)

ii. One or more lower case letters (a-z)

iii. One or more numerals (0 to 9)

iv. One or more special characters (!, @, #, $, &, :, ., ;, ?)

3. Password should not consist of dictionary words.

4. Password should never be the same as the login name.


PASSWORD SELECTION STRATEGIES

 User Education

 Computer generated

 Reactive Password checking

 Proactive Password checking


PASSWORD SELECTION STRATEGIES
User Education
The user education strategy tells users the importance of using hard-to-guess passwords and
provides guidelines for selecting strong passwords, but it needs their cooperation. The problem
is that many users will simply ignore the guidelines. Some guidelines for selecting a good
password are:
1. Use a mix of upper and lower case letters, numbers, punctuation and special symbols.
2. Don't use your login name.
3. Don't use your first or last name.
4. Don't use your spouse's or child's name.
5. Don't use other information easily obtained about you. This includes license plate numbers,
telephone numbers, social security numbers, the brand of your automobile, the name of the
street you live on, etc.
6. Don't use a password of all digits, or all the same letter. This significantly decreases the
search time for a cracker.
7. Don't use a word contained in English or foreign language dictionaries, spelling lists, or other
lists of words.
8. Don't use a password shorter than six characters.
9. Use a password that is easy to remember, so you don't have to write it down.
10. Use a password that you can type quickly, without having to look at the keyboard. This makes
it harder for someone to steal your password by watching over your shoulder.
The main problem is that many users will simply ignore the guidelines.
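An added worked example (not part of the slides): a proactive password checker in Python that enforces the guidelines above together with the "characteristics of a good password" list, plus a rough guess-space estimate showing why length matters. The dictionary and keyboard sequences are a small constructed stand-in for the word list a real checker would load; the eight-character minimum follows the characteristics list rather than the six characters in guideline 8.

```python
import math

# Constructed stand-ins: a real proactive checker loads a full word list
# (the file path would be a deployment detail, not part of this example).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "secret"}
TYPEMATIC_SEQUENCES = ("asdf", "qwerty", "1234", "abc123")
SPECIAL = set("!@#$&:.;?")   # the special characters listed on the slide


def character_classes(password):
    """Which of the four classes (upper, lower, digit, special) the password uses."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIAL for c in password),
    }


def check_password(password, login_name):
    """Return the rules a candidate violates; an empty list means it is accepted.

    Rules: at least eight characters; at least three of the four character
    classes; not a dictionary word; not the same as the login name; plus the
    'don'ts' from the user-education list (no keyboard sequences, not all
    digits, not one repeated character).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if sum(character_classes(password).values()) < 3:
        problems.append("fewer than three of: upper, lower, digit, special")
    lowered = password.lower()
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    if lowered == login_name.lower():
        problems.append("same as login name")
    if any(seq in lowered for seq in TYPEMATIC_SEQUENCES):
        problems.append("contains a keyboard sequence")
    if password.isdigit():
        problems.append("all digits")
    if len(set(lowered)) == 1:
        problems.append("one repeated character")
    return problems


def is_acceptable(password, login_name):
    """Proactive check: reject the password before it is ever stored."""
    return not check_password(password, login_name)


def guess_space_bits(password):
    """log2 of the number of candidates a brute-force attacker must try if it
    knows the length and the classes used: this is why a longer password
    'increases guessing combinations'."""
    classes = character_classes(password)
    alphabet = (26 * classes["upper"] + 26 * classes["lower"]
                + 10 * classes["digit"] + len(SPECIAL) * classes["special"])
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("john2212", "JohN#2212", "Password", "12345678"):
        print(candidate, check_password(candidate, "arpit"),
              round(guess_space_bits(candidate), 1))
```

The slide's own progression is visible in the output: "john2212" fails only the three-classes rule, while "JohN#2212" passes every rule and has a guess space roughly 2^14 times larger.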
GUESSING PASSWORD

 PASSWORD GUESSING IS THE PROCESS OF ATTEMPTING TO GAIN ACCESS TO A SYSTEM THROUGH THE SYSTEMATIC GUESSING OF PASSWORDS (AND AT TIMES ALSO USERNAMES) IN AN ATTEMPT TO OBTAIN A LOGIN TO A TARGET SYSTEM.

 THE ATTACKER OR AUDITOR MAY SUCCEED ONLY IN THE EVENT THAT STRONG PASSWORDS ARE NOT USED.

 PASSWORD GUESSING MAY BE DETECTED BY MONITORING FAILED-LOGIN SYSTEM LOGS.

 MOST METHODS OF PASSWORD CRACKING REQUIRE THE COMPUTER TO PRODUCE MANY CANDIDATE PASSWORDS, EACH OF WHICH IS CHECKED.

 ONE EXAMPLE IS BRUTE-FORCE CRACKING, IN WHICH A COMPUTER TRIES EVERY POSSIBLE KEY OR PASSWORD UNTIL IT SUCCEEDS.

 MORE COMMON METHODS OF PASSWORD CRACKING INCLUDE DICTIONARY ATTACKS, PATTERN CHECKING, WORD-LIST SUBSTITUTION, ETC.
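An added example of the detection point above (not from the slides): a Python monitor that reads failed-login log lines and raises an alert when one source address exceeds a threshold of failures inside a sliding time window, listing the usernames it tried. The log lines and their format are constructed for this example; a real deployment would adapt the regular expression to its own system's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not captured from a real host).
# The addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 login: Failed password for alice from 203.0.113.5
2024-03-01T09:00:03 host1 login: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04 host1 login: Failed password for bob from 203.0.113.5
2024-03-01T09:00:06 host1 login: Failed password for carol from 203.0.113.5
2024-03-01T09:00:07 host1 login: Failed password for dave from 203.0.113.5
2024-03-01T09:00:09 host1 login: Accepted password for alice from 198.51.100.7
2024-03-01T09:05:00 host1 login: Failed password for alice from 198.51.100.7
2024-03-01T09:20:00 host1 login: Failed password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_guessing(log_text, threshold=5, window_seconds=60):
    """Alert once per source that produced `threshold` or more failed logins
    inside a sliding window of `window_seconds`. Each alert lists the distinct
    usernames tried, since guessing across many accounts from one source is
    itself a signal even when no single account sees many failures."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> deque of (timestamp, user) failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "Failed":
            continue
        q = recent[event["src"]]
        q.append((event["ts"], event["user"]))
        while q and event["ts"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and event["src"] not in alerted:
            alerted.add(event["src"])
            alerts.append({
                "src": event["src"],
                "at": event["ts"].isoformat(),
                "count": len(q),
                "users": sorted({user for _, user in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

With the defaults, only 203.0.113.5 is reported (five failures across four accounts in six seconds); the two failures from 198.51.100.7 fifteen minutes apart look like a user mistyping and stay below the threshold. The threshold and window are the knobs a defender tunes against the site's normal failure rate.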
PASSWORD ATTACK -

 PIGGYBACKING

 SHOULDER SURFING

 DUMPSTER DIVING
PASSWORD ATTACK….

PIGGYBACKING

 IT IS A SIMPLE APPROACH OF FOLLOWING CLOSELY BEHIND A PERSON WHO HAS JUST USED THEIR OWN ACCESS CARD OR PIN TO GAIN PHYSICAL ACCESS.

 IN THIS WAY AN ATTACKER CAN GAIN ACCESS TO THE FACILITY WITHOUT KNOWING THE ACCESS CODE.

 PIGGYBACKING, IN A WIRELESS COMMUNICATIONS CONTEXT, IS THE UNAUTHORIZED ACCESS OF A WIRELESS LAN.

 PIGGYBACKING IS SOMETIMES REFERRED TO AS "WI-FI SQUATTING".

 THE USUAL PURPOSE OF PIGGYBACKING IS SIMPLY TO GAIN FREE NETWORK ACCESS RATHER THAN ANY MALICIOUS INTENT, BUT IT CAN SLOW DOWN DATA TRANSFER FOR LEGITIMATE USERS OF THE NETWORK.
 PASSWORD ATTACK…. SHOULDER SURFING

• Shoulder surfing is a procedure where an attacker positions himself in such a way that he is able to observe the authorized user entering the correct access code.

• This attack uses direct observation techniques, like looking over someone's shoulder when he is entering a PIN or password.

• To prevent shoulder surfing, it is advised to shield the keypad or paperwork.


DUMPSTER DIVING

 SYSTEM ATTACKERS NEED A CERTAIN AMOUNT OF INFORMATION BEFORE LAUNCHING THEIR ATTACK. ONE COMMON PLACE TO FIND THIS INFORMATION IS TO GO THROUGH THE TARGET'S TRASH IN ORDER TO FIND LITTLE BITS OF INFORMATION THAT COULD BE USEFUL. THE PROCESS OF GOING THROUGH A TARGET'S TRASH IS KNOWN AS "DUMPSTER DIVING".
OR
 DUMPSTER DIVING IS LOOKING FOR INFORMATION IN SOMEONE ELSE'S TRASH (A DUMPSTER IS A LARGE TRASH CONTAINER).

 THE SEARCH IS CARRIED OUT IN WASTE PAPER, ELECTRONIC WASTE SUCH AS OLD HDD, FLOPPY AND CD MEDIA, AND RECYCLE AND TRASH BINS.
 IN THE WORLD OF INFORMATION TECHNOLOGY, DUMPSTER DIVING IS A TECHNIQUE USED TO RETRIEVE INFORMATION THAT COULD BE USED TO CARRY OUT AN ATTACK ON A COMPUTER NETWORK.
 TO PREVENT DUMPSTER DIVERS, EXPERTS RECOMMEND THAT YOUR COMPANY ESTABLISH A DISPOSAL POLICY.
BIOMETRICS

 FINGER PRINTS

 HAND PRINTS

 RETINA PATTERNS

 VOICE PATTERNS

 SIGNATURE & WRITING PATTERNS

 KEYSTROKES
BIOMETRICS
 Biometrics refers to the study of methods for uniquely recognizing humans based upon one or more physical or behavioral characteristics.
OR
 Biometrics is the idea of mapping measurements of human physical characteristics to human uniqueness.

 Advantages/Importance of biometrics
 i) Biometrics cannot be lost, stolen or forgotten. Barring disease or serious physical injury, the biometric is consistent and permanent.
 ii) It is also secure in that the biometric itself cannot be socially engineered, shared or used by others.
 iii) There is no requirement to remember passwords or PINs, thus eliminating an overhead cost.
 iv) Coupled with a smart card, biometrics provides strong security for any credentials on the smart card.
 v) It provides a high degree of confidence in user identity.
FINGER PRINTS (PHYSICAL BIOMETRIC)

 The first time an individual uses a biometric system is called enrolment (registration).
 During enrolment, biometric information from the individual is stored.
 In the verification process, biometric information is detected and compared with the information stored at the time of enrolment.
 Fingerprint recognition refers to the automated method of verifying a match between two human fingerprints.
 • Used to identify an individual and verify their identity.
 • Analysis of fingerprints for matching purposes requires comparison of several features of the print pattern.
 Stages: • Fingerprint Scanning • Fingerprint Matching • Identification
 PROCESS:
 A fingerprint image is read from a capture device.
 Features are extracted from the image.
 A template is created for comparison.
HAND-PRINTS (PHYSICAL BIOMETRIC)
 Everybody has a unique hand-print.
 Hand-print or hand-geometry verification systems examine the unique measurements of your hand and use that information to determine whether you should be allowed access.
 The hand geometry of a person is registered in the database on the basis of the following parameters:
o Length of fingers
o Thickness of hand
o Shape of curves
o Depth of skin
 With a hand-print verification system, you press your hand on a hand-geometry reader, aligning all of your fingers, and the sensor scans the hand on the basis of the above parameters.
 The information is digitized and compared against a hand-print template stored for you in the system.
 The system allows access if your hand-print sufficiently matches the stored template.
HAND-PRINTS (PHYSICAL BIOMETRIC)

Disadvantages

1. A high-cost device is required to scan the complete hand.

2. A large amount of memory is required to store the sample hand-print template.

3. More time is required to compare.

4. Swelling, or the presence of rings on the fingers, affects the system's ability to match.

5. Cuts on the hands, or rough work done by the user, may cause errors while reading data.
RETINA PATTERNS (PHYSICAL)
 The human retina is a thin tissue composed of neural cells that is located in the posterior portion of the eye.
 Because of the complex structure of the capillaries that supply the retina with blood, each person's retina is unique.
 Even identical twins do not share the same retina.
 The retina typically remains unchanged from birth until death.
 Advantages
 Very high accuracy.
 Speedy results.
 Disadvantages
 Some diseases, such as diabetes and retinal disorders, change the retina after a certain age.
 High equipment cost.
 Changes due to age, physical condition or accidents may cause problems in gaining access.
VOICE PATTERNS (BEHAVIORAL)
 Everybody has a unique vocal and acoustic pattern.
 The system converts the voice into its component frequencies and analyzes how they are distributed.
 A voice print / voice signature is constructed by sampling, digitizing and storing several repetitions of a particular phrase.
 Voice prints are not recorded words.
Advantages:
o Users do not have to install any devices.
o Easy to use.
o With nothing more than a telephone, a remote user can interact with the voice biometric application.
Disadvantages
o Respiratory diseases, throat infection and background noise may affect the system's ability to match a voice print.
o Illness, and even a change in the weather, causes variation in the voice, which may cause errors.
KEYSTROKES (BEHAVIORAL)
 Keystroke biometrics uses the manner and rhythm in which an individual types characters on a keyboard or keypad for user identification.
 Timing Data
 Some kind of timing data is also stored, as follows:
 Dwell time - the time a key is held pressed.
 Flight time - the time between a key-up and the next key-down.
 So we can say that the manner, rhythm and timing data are used to develop the unique sample of the user.
 Advantages
 Keystrokes can be captured continuously, not just at login time.
 Disadvantages
 Temporal variation: a person's typing varies substantially during a day and between different days.
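An added example (not from the slides) of how the dwell and flight times above become a keystroke template and a verification decision, in Python. The key-event timings, the 25 ms tolerance and the mean-absolute-deviation distance are constructed assumptions for illustration; the enrol/verify split mirrors the enrolment and verification steps described for fingerprints.

```python
from statistics import mean

# Constructed key events for the phrase "pass": (key, key-down ms, key-up ms).
# These are illustrative numbers, not measurements from a real keyboard.
ENROLMENT_SAMPLES = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 380), ("s", 420, 500)],
    [("p", 0, 100), ("a", 160, 240), ("s", 310, 390), ("s", 430, 515)],
    [("p", 0, 95), ("a", 155, 235), ("s", 305, 385), ("s", 425, 505)],
]
GENUINE_ATTEMPT = [("p", 0, 92), ("a", 155, 238), ("s", 305, 383), ("s", 425, 507)]
# Same phrase, same characters, but a hunt-and-peck rhythm: short holds, long gaps.
IMPOSTOR_ATTEMPT = [("p", 0, 60), ("a", 400, 460), ("s", 800, 860), ("s", 1300, 1360)]


def features(events):
    """Timing data from one typing of the phrase.
    dwell  = key-up minus key-down for every key (how long it is held)
    flight = next key-down minus this key-up (gap between consecutive keys)"""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def enrol(samples):
    """Template = per-position average of dwell and flight over several repetitions."""
    dwells = [features(s)[0] for s in samples]
    flights = [features(s)[1] for s in samples]
    return {
        "dwell": [mean(col) for col in zip(*dwells)],
        "flight": [mean(col) for col in zip(*flights)],
    }


def distance(template, events):
    """Mean absolute deviation (ms) of an attempt from the template."""
    dwell, flight = features(events)
    diffs = [abs(a - b) for a, b in zip(template["dwell"], dwell)]
    diffs += [abs(a - b) for a, b in zip(template["flight"], flight)]
    return mean(diffs)


def verify(template, events, tolerance_ms=25.0):
    """Accept when the attempt's rhythm is within tolerance of the enrolled template.
    The tolerance is an assumed value; a deployment would tune it from the
    day-to-day variation the slide calls 'temporal variation'."""
    return distance(template, events) <= tolerance_ms


TEMPLATE = enrol(ENROLMENT_SAMPLES)

if __name__ == "__main__":
    print("template:", TEMPLATE)
    print("genuine :", round(distance(TEMPLATE, GENUINE_ATTEMPT), 1), verify(TEMPLATE, GENUINE_ATTEMPT))
    print("impostor:", round(distance(TEMPLATE, IMPOSTOR_ATTEMPT), 1), verify(TEMPLATE, IMPOSTOR_ATTEMPT))
```

Because `verify` only needs a short run of key events, the same check can be repeated on every phrase typed during a session, which is the "captured continuously" advantage: a session taken over by someone else after login still gets challenged.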
SIGNATURE & WRITING PATTERN
 Signature recognition is a behavioral biometric.
 It can be operated in two different ways:
Static: In this mode, users write their signature on paper, digitize it through an optical scanner or a camera, and the biometric system recognizes the signature by analyzing its shape. This group is also known as "off-line".
Dynamic:
1) In this mode, users write their signature on a digitizing tablet, which acquires the signature in real time. Another possibility is acquisition by means of stylus-operated PDAs.
2) Some systems also operate on smart-phones or tablets with a capacitive screen, where users can sign using a finger or an appropriate pen.
3) Dynamic recognition is also known as "on-line".
 Dynamic information usually consists of the following signals, each sampled over time t:
spatial coordinate x(t)
spatial coordinate y(t)
pressure p(t)
inclination in(t)
pen up/down
ACCESS CONTROLS
 Access control is the ability to permit or deny the use of a particular resource by a particular entity.
 Access control mechanisms can be used in managing physical resources, logical resources, or digital
resources.
ACCESS CONTROLS

Access Control Principles

• Authentication

• Authorization

• Audit
ACCESS CONTROLS

 An access control mechanism mediates between a user and system resources (such as applications, operating systems, firewalls, routers, files, and databases).

 The system must first authenticate an entity seeking access.

 Typically, the authentication function determines whether the user is permitted to access the system at all.

 Then the access control function determines if the specific requested access by this user is permitted.

 A security administrator maintains an authorization database that specifies what type of access to which resources is allowed for this user.

 The access control function consults this database to determine whether to grant access.

 An auditing function monitors and keeps a record of user accesses to system resources.
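An added example (not from the slides) in Python of the mediation sequence just described: the authentication function checks the presented password against the one on file, the access control function consults an authorization database, and an auditing function records every step. The user records, the authorization database and the PBKDF2 parameters are constructed for this example; the standard-library hashlib and hmac modules do the hashing and the constant-time comparison.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000


def make_record(password, salt=None):
    """Store a password only as a salted PBKDF2-HMAC-SHA256 hash, never in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user database and authorization database (not real accounts).
USERS = {
    "alice": make_record("JohN#2212"),
    "bob": make_record("Bob!pass9"),
}
AUTHZ_DB = {                      # (user, resource) -> allowed access types
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
}
# Used when the username is unknown so that the check costs the same time
# as a real one, which keeps unknown and known usernames indistinguishable.
DUMMY_RECORD = make_record("not-a-real-password")
AUDIT_LOG = []                    # the auditing function's record of user accesses


def audit(event, user, **details):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "event": event, "user": user, **details})


def authenticate(user, password):
    """Authentication: does the presented credential match the one on file?"""
    record = USERS.get(user, DUMMY_RECORD)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    ok = hmac.compare_digest(digest, record["hash"]) and user in USERS
    audit("login_ok" if ok else "login_failed", user)
    return ok


def authorize(user, resource, access):
    """Authorization: is this specific access permitted for this identity?"""
    allowed = access in AUTHZ_DB.get((user, resource), set())
    audit("access_granted" if allowed else "access_denied", user, resource=resource, access=access)
    return allowed


def request_access(user, password, resource, access):
    """The mediation order from the slide: authenticate first, then consult the
    authorization database; every step leaves an audit record."""
    if not authenticate(user, password):
        return False
    return authorize(user, resource, access)


if __name__ == "__main__":
    print(request_access("alice", "JohN#2212", "payroll.db", "write"))    # True
    print(request_access("bob", "Bob!pass9", "payroll.db", "write"))      # False: authorized only to read
    print(request_access("bob", "wrong-password", "payroll.db", "read"))  # False: never reaches authorization
    for entry in AUDIT_LOG:
        print(entry)
```

The stored value is a salted hash, so the comparison the slide describes ("credentials ... compared to those on file") never needs the clear-text password, and the audit log separates the two failure modes a responder cares about: a wrong password (`login_failed`) versus a valid user asking for more than they were granted (`access_denied`).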
ACCESS CONTROLS
AUTHENTICATION VS AUTHORIZATION
AUTHENTICATION

 Authentication is the process of verifying that a communicating entity is who it claims to be. OR The process of determining the identity of a user.

 The process of identifying an individual, usually based on a username and password.

 It ensures that only valid users are admitted.


AUTHENTICATION MECHANISM
 Authentication is one of the five pillars of information assurance (IA).
 The other four are integrity, availability, confidentiality and nonrepudiation.
 Authentication begins when a user tries to access information.
 First, the user must prove his access rights and identity.
 When logging into a computer, users commonly enter usernames and passwords for authentication purposes.
 This login combination, which must be assigned to each user, authenticates access.
 A better form of authentication is biometrics, which depends on the user's presence and biological makeup (e.g., retina or fingerprints). This technology makes it more difficult for hackers to break into computer systems.
 The Public Key Infrastructure (PKI) authentication method uses digital certificates to prove a user's identity.

METHODS/TYPES OF AUTHENTICATION

SOMETHING YOU KNOW: EG. USER ID & PASSWORD

SOMETHING YOU HAVE: EG. LOCK & KEY, CARDS, IDS

SOMETHING ABOUT YOU: EG. FINGERPRINT, FACE ETC.


PRINCIPLE – AUTHENTICATION
 Authentication is the process of identifying an individual, usually based on a username and password.
 Authorization is the process of giving individuals access to system objects (resources) based on their identity.
 Authentication says nothing about the access rights of the individual.
 Identity should be verified as long and as frequently as access to a resource is
permitted.
 If access is ongoing then identity verification should be continuous.
 Authentication is about validating whether or not someone is who they claim to be, and
about determining whether that person intends to authenticate and is not.
 During authentication, credentials provided by the user are compared to those on file in
a database of authorized users' information either on the local operating system or
through an authentication server.
 If the credentials match, and the authenticated entity is authorized to use the resource,
the process is completed and the user is granted access.
AUTHORIZATION
 Authorization is a security mechanism to determine the access levels of a user/client to system resources including files, services, computer programs, data and application features.
 This is the process of granting or denying access to a network resource, which allows the user access to various resources based on the user's identity.
 Authorization is a process by which a server/computer determines if the client has permission to use a resource or access a file.
 Authorization is usually coupled with authentication so that the server/computer knows who the client requesting access is.
 The type of authentication required for authorization may vary; passwords may be required in some cases but not in others.
 In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.
AUTHORIZATION - PRINCIPLE
Authorization provides the framework for determining whether, and to what extent,
personnel should have access to computer resources. Information resources must be
configured to ensure that no user is allowed access to an information resource (e.g.,
transaction, data, and process) unless authorized by management.
Authorization Principles
Access must be granted based on personnel roles and the security principles of clearance,
need to know, separation of duties, and least privilege.
1 Clearances
For personnel without appropriate clearances or background investigations, access is
restricted to information services. Managers must use eAccess to request access
authorization for individuals who do not have the appropriate clearance .
2 Need to Know
For sensitive and critical information resources, access must be limited to what is sufficient to support business functions. Access to sensitive information resources must be limited to personnel who need to know the information to perform their duties.
AUTHORIZATION - PRINCIPLES
3 Separation of Duties
Only authorized personnel are approved for access to information resources. This approval must be specific to an individual's roles and responsibilities in the performance of his or her duties and must specify the type of access (e.g., read, write, delete, and execute); the specific resources and information; and the time periods for which the approval is valid. Separation of duties and responsibilities is considered when defining roles. For special situations where additional control is required, dual authorization can be implemented.
4 Least Privilege
For sensitive and critical information resources, access is based on providing users with the minimum level of information resources needed to perform their duties.
Systems and applications must define multiple levels of access to prevent misuse of system resources and protect the integrity and confidentiality of information.
AUDIT AND AUDIT PRINCIPLES
 Audit is the process by which unauthorized or abnormal activities are detected.

 Auditing is needed to detect 1) malicious actions by subjects, 2) attempted intrusion, 3) system failure, and 4) for problem reporting and analysis.

 Auditing refers to the logging of events such as login/logout.

 Logging of attempts to perform privileged actions (the right data access by the right user).

 Monitoring is related to audit; it refers to the examination of the behavior and health of the system and network to ensure high availability, and also acts as a security control to detect malicious activities.

 Auditing is usually used to support 'accountability' (user responsibility in information sharing/access).

 Audit logs provide the best support for 'non-repudiation'.


ACCESS CONTROL TYPES/ POLICIES

 Access control is a way of limiting access to a system or to physical or virtual resources.

 Access control is a process by which users are granted access and certain privileges to systems,
resources or information.

 Access control is a security technique that regulates who or what can view or use resources in a
computing environment.

 TYPES/POLICIES….

DAC -Discretionary Access Control

MAC - Mandatory Access Control

RBAC - Role Based Access Control


DAC -Discretionary Access Control
 Discretionary Access Control ..DAC

 With DAC models, the data owner decides on access. DAC is a means of assigning access rights based on rules that users specify.
 DAC systems are generally easier to manage than MAC systems.
 The distributed administrative model puts less of a burden on the administrator.
 The administrator is not responsible for setting the permissions on objects and applications.
 Since the administrator does not control all object access, it's possible that permissions can be incorrectly set, possibly leading to a breach of information.
 This access control model is called discretionary because individual users or applications have the option of specifying access control requirements on specific objects that they own.
 Basically, the owner of the access control object is allowed to decide how they want their data protected or shared.
 The primary use of DAC is to keep specific objects restricted from users who are not authorized to access them.
 The end user has complete control over how these permissions are assigned and can change them at will.
 DAC allows for a distributed access control system to be used because the owner of the object has the ability to change the access control permissions on objects without regard to a central authority.
 Discretionary Access Control ..DAC

 This is a very common access control model. It is used in UNIX, Windows, Linux, and many other network operating systems.

 These systems use an access control list (ACL) to set permissions on access control objects.

 The ACL shows which users have access to an object and what they can do with the object.

 These ACLs are basically a list of user IDs or groups with an associated permission level.
MAC - MANDATORY ACCESS CONTROL
 In a MAC model, access is controlled strictly by the administrator.

 The administrator is the one who sets all permissions.

 Users cannot set permissions themselves, even if they own the object.

 Because of this, MAC systems are considered very secure.

 This is because of the centralized administration.

 Centralized administration makes it easier for the administrator to control who has
access to what. The administrator doesn't have to worry about someone else setting
permissions improperly.

 Because of the high-level security in MAC systems, MAC access models are often used in
government systems.

 Mandatory Access Control (MAC) is the strictest of all levels of control.


MAC - MANDATORY ACCESS CONTROL
 MAC takes a hierarchical approach to controlling access to resources.
 Under a MAC environment, access to all resource objects (such as data files) is controlled by the system administrator.
 All access to objects is strictly controlled by the operating system based on system administrator settings.
 It is not possible under a MAC environment for users to change the access control of a resource.
 Mandatory Access Control begins with security labels assigned to all resource objects (data) on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc.) and a category (which is an indication of the management level, department or project to which the object is available).
 Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects (data).
 When a user attempts to access a resource under Mandatory Access Control, the operating system checks the user's classification and categories and compares them to the properties of the object's security label.
 If the user's credentials match the security label of the object, access is allowed.
 It is important to note that both the classification and categories must match.
 MAC is a policy in which access rights are assigned based on regulations from a central authority.
ROLE-BASED ACCESS CONTROL - RBAC
 Role-based access control (RBAC) is a method of access security that is based on a person’s role
within a business.
 Role-based access control is a way to provide security because it only allows employees to access
information they need to do their jobs, while preventing them from accessing additional
information that is not relevant to them.
 An employee's role determines the permissions he or she is granted and ensures that lower level
employees are not able to access sensitive information or perform high-level tasks.
 Application access is based on assigned user permissions, which differ according to the user's role within your organization.
 Each group has its own permissions; however, users are not restricted to just one group—they can
belong to several groups to ensure they have access to exactly the tools and permissions they
need.
 All access is controlled through roles that people are given, which is a set of permissions.
 An employee's role determines what permissions he or she is granted.
 For example, a CEO will be given the role of CEO and have any permissions associated
with that role, while network administrators will be given the role of network
administrator and will have all the permissions associated with that role.
ROLE-BASED ACCESS CONTROL - RBAC

In RBAC, there are three rules:

1) A person must be assigned a certain role in order to conduct a certain action, called a transaction.

2) A user needs an authorization to be allowed to hold that role or to perform a transaction.

3) Transaction authorization allows the user to perform certain transactions. Users won't be able to perform transactions other than the ones they are authorized for.
ROLE-BASED ACCESS CONTROL - RBAC

 RBAC supports the following security principles:

–Least privilege (only the needed permissions are assigned to roles)

–Separation of duties (Administrator/CEO/HR/ACCOUNTANT)


BENEFITS OF RBAC STRATEGY

 Pre-established authorization policies reduce the mistakes resulting from human error

 Teams can easily determine exactly who has access to what at any point in time

 Members of your extended enterprise (contractors,partners, vendors, and customers)

can be easily accommodated with the appropriate level of access

 IT can spend less time granting and restricting user access.
ROLE-BASED ACCESS CONTROL - RBAC
 Role-based access control (RBAC) refers to the idea of assigning permissions to users
based on their role within an organization.

 It provides fine-grained control and offers a simple, manageable approach to access management that is less prone to error than assigning permissions to users individually.

 When using RBAC, you analyze the system needs of your users and group them into roles based on common responsibilities and needs.

 You then assign one or more roles to each user and one or more permissions to each role.

 The user-role and role-permissions relationships make it simple to perform user assignments, since users no longer need to be managed individually but instead have privileges that conform to the permissions assigned to their role(s).
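An added example (not from the slides) that shows the three policies from the DAC, MAC and RBAC sections as decision functions in Python: a DAC object whose owner alone edits its ACL, a MAC label check, and an RBAC mapping of users to roles to permissions with a separation-of-duties rule. Groups, labels, roles and users are constructed. The MAC check uses the dominance rule implied by the hierarchy described above (clearance at least as high, and every one of the object's categories held), of which equal labels are the special case the slide describes as "both must match".

```python
# ---- DAC: the object's owner decides, via an ACL of users/groups -> permissions ----
GROUPS = {"staff": {"alice", "bob"}}          # constructed group membership


class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}  # the owner starts with full access

    def set_permission(self, requester, principal, perms):
        """Only the owner may change the ACL; return False (and change nothing) otherwise."""
        if requester != self.owner:
            return False
        self.acl[principal] = set(perms)
        return True

    def allows(self, user, perm):
        """Grant if any ACL entry naming the user, or a group containing the user, carries perm."""
        return any(
            perm in perms and (principal == user or user in GROUPS.get(principal, ()))
            for principal, perms in self.acl.items()
        )


def build_shared_doc():
    """Constructed scenario: alice owns a document and grants the staff group read access."""
    doc = DacObject("alice")
    doc.set_permission("alice", "staff", {"read"})
    return doc


# ---- MAC: labels = (classification, categories), fixed by the administrator ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(user_label, object_label):
    """The user's clearance must dominate the object's label: classification at least
    as high AND every category of the object present among the user's categories."""
    user_level, user_cats = user_label
    obj_level, obj_cats = object_label
    return LEVELS[user_level] >= LEVELS[obj_level] and set(obj_cats) <= set(user_cats)


# ---- RBAC: user -> roles -> permissions, with separation of duties ----
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write"},
    "auditor": {"ledger:read", "audit:read"},
    "admin": {"user:create"},
}
USER_ROLES = {"carol": {"accountant"}, "dave": {"auditor", "admin"}}
MUTUALLY_EXCLUSIVE = [{"accountant", "auditor"}]      # nobody may both keep and audit the ledger


def sod_violation(user, role):
    """True if giving `user` this role would let one person hold conflicting roles."""
    held = USER_ROLES.get(user, set()) | {role}
    return any(pair <= held for pair in MUTUALLY_EXCLUSIVE)


def assign_role(user, role):
    """Role assignment is the only way a user gains permissions; refused on a SoD conflict."""
    if role not in ROLE_PERMISSIONS or sod_violation(user, role):
        return False
    USER_ROLES.setdefault(user, set()).add(role)
    return True


def rbac_allows(user, permission):
    """Permissions are never attached to users directly, only through their roles."""
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    doc = build_shared_doc()
    print("DAC  bob reads:", doc.allows("bob", "read"), "| bob writes:", doc.allows("bob", "write"),
          "| bob edits ACL:", doc.set_permission("bob", "eve", {"read"}))
    print("MAC  secret/{finance} -> confidential/{finance}:",
          mac_allows(("secret", {"finance"}), ("confidential", {"finance"})))
    print("RBAC carol ledger:write:", rbac_allows("carol", "ledger:write"),
          "| carol also auditor:", assign_role("carol", "auditor"))
```

The three functions make the contrast in the slides concrete: under DAC the decision lives with the owner and a mis-set ACL is the owner's mistake; under MAC no user-side call can change the outcome because the labels are administrator data; under RBAC the question "who can write the ledger?" is answered by listing role members rather than by auditing every user.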
