The authentication process consists of two broad steps:
Identification Step
- Presenting an identifier to the security system
Verification Step
- Presenting authentication information that corroborates the binding between the entity and identifier
Means of Authentication
- Something the individual KNOWS (passwords, PIN, answers)
- Something the individual POSSESSES, TOKEN (smartcard, electronic keycard, physical key)
- Something the individual IS, STATIC BIOMETRICS (fingerprint, retina, face)
- Something the individual DOES DYNAMIC BIOMETRICS (voice patterns, handwriting)
What is password authentication and What does an ID determine?
- Used to in defence against intruders
- Requires login/password
- System compares password with the one stored in the system
The user ID determines:
- User is authorised to gain access
- Determines user’s privileges
- Any discretionary control
Password vulnerabilities
- Office dictionary attack
- Specific account attack
- Popular password attack
- Password guessing against a single user
- Workstation hacking
- Exploring user’s mistakes
- Exploring password use
- **Electronic monitoring **
What is Countermeasures?
Controls and prevents unauthorised access
- Intrusion detection measures
- Account lockout mechanisms
- Automatic logout workstation
Policies against passwords on network devices
Password Implementation schemes
- Hashed Passwords
- Unix Implementation
UNIX Implementation
- Original scheme
- 8 printable characters In length
- 12-bit salt used to modify **DES encryption **
Improved Implementation
- Stronger hash/salt scheme available for Unix
- Recommended for MD5
- Password length is unlimited
- Produces 128 hash tag
What is Password cracking?
Dictionary attacks
- Develops large dictionary of possible passwords and try each against the password file
- All passwords must be hashed using salt value and compared to stored hash values
Rainbow table attacks
- Pre-compute tables of each hash value for all salts
- A marathon table of hash values
- Can be countered using large salt value and **large hash length **
What is Password File Access Control?
- Can be offline guessing attacks by denying access to encrypted passwords
- Make available for privilege users
- Shadow password file
Vulnerabilities of passwords
- Weakness in the OS allows access to files
- Accident permission making it readable
- Users with the same passwords
- Access from backup media
- Sniff passwords in network traffic
- Workstation vulnerabilities
- Password guessing
Password Selection Techniques
User education
- Users being told the importance of hard-to-guess passwords and provide guidelines and strong passwords
Computer generated passwords
- Users have trouble remembering them
Reactive password checking
- System runs its own password cracker to find guessable passwords
Proactive password checking
- Users are allowed to select their own passwords; the system checks if the password is allowable > X reject it.
- Eliminate guessable passwords
Proactive Password Checking is?
Rule Enforcement
- Specific rules you need to adhere to
Password cracker
- Compile **large dictionary **of passwords not to use
Bloom Filter
- Build a table using dictionary using hashes
- Check desired password against the table
Token authentication for: Memory Card and Smart Cards
Memory Cards
Uses black magnetic black strip card
Can be used alone or physical access
- Hotel room
- ATM
Provides greater security
Drawbacks: Loss of token, special reader
Smart Cards
- Looks like a bank card (Looks like calculators, keys)
- Interface: electronic display
Biometric Authentication (Examples)
Authenticating a user using unique physical characteristics
- Based on pattern recognition
- Complex and Expensive
Includes:
- Facial characteristics
- Fingerprints
- Hand geometry
- Retina pattern
- Signature
- Voice
Remote User authentication, name for the 4 four protocols
Authentication Over a network/internet/communications link is more complex
Additional security threats:
- Eavsdropping
- Capturing password
- Password protocol
- Token protocol
- Static Biometric Protocol
- Dynamic Biometric Protocol
What are the Access Control Policies?
- Discretionary access control policy
- **Mandatory **access control policy
- Rule-based access control policy
Access control requirements
- Prevent unauthorised users from gaining access to resources
- Prevent legitimate users from gaining access to resources in an unauthorised manner
Reliable Control Basic Elements
- Subject: entity capable of accessing objects
- Capable of accessing objects
- Equates with that of process
- Held accountable to initiate
- Three classes: owner, group and world
Object: resource to which access is controlled
- Entity used to contain/receive information
- Protection depends on the environment in which access control operates
Access rights: Describes the way in which a subject may access object
- Read, write, delete, execute, create, etc.
UNIX File Access Control
Contains:
- ID
- Belongs to a group ID
- 12 protection bits
ALL PART OF THE FILE’S INODES
- UNIX are administrated using inodes
- Controls structures with key information needed for a particular file
- Several file names are associated with a single inode
Active inode is associated with exactly ONE FILE
Protection Domains
Set of objects together with access rights to those objects
- Flexible when associated to protect domains
- Matrix domains = defines a protection domain
- Can be static or dynamic
- In kernel mode, it can be executed and protect areas of memory when accessed
Discretionary Access Control (DAC)
Controls access based on identity
- Scheme which the entity may enable another entity to access the resource
- Uses access matrix
- Every matrix indicates the access rights of a **particular object **
What are the threee Access Controls?
1 . Discretionary Access Control (DAC)
Controls access based on identity
- Scheme which the **entity may enable another entity** to access the resource
- Uses access matrix
- Every matrix indicates the access rights of a particular object
- Mandatory access control policy (MAC)
Controls access based on security labels - Role-Based File Access Control (RBC)
Controls access based on Roles
Constraints of RBAC
1. Mutually Exclusive Roles
User can only be assigned to ONE ROLE in the set
2. Cardinality
Setting a maximum number with respect to roles
3. Prerequisite roles
Dictates that a user can only be assigned to a particular role if already assigned to some other specified role
