Assosa University, Department of Computer Science
Computer Security
CHAPTER 6: Authentication and Access Control
Prepared By: Azeze Kafa
Email: azeze100604@gmail.com

Authentication
⮚ Authentication is the process of verifying someone's identity.
⮚ Authentication technology provides access control for systems by checking whether a user's credentials match the credentials held in a database of authorized users or on a data authentication server.
⮚ Authentication underpins secure systems, secure processes and enterprise information security.

Types of authentication
There are different types of authentication systems:

1. Single-Factor Authentication
⮚ The user enters a username and password to confirm their identity before being logged in. It is the simplest form of authentication, and most verification today uses this method.
⮚ If the username or password is wrong, the user is not allowed to log in or access the system.
Advantages of the Single-Factor Authentication System:
⮚ It is a very simple and straightforward system to use.
⮚ It is not at all costly.
⮚ The user does not need any advanced technical skills.
Disadvantages of the Single-Factor Authentication System:
⮚ It is not at all secure: protection depends entirely on the strength of the password the user chooses.
⮚ The protection level of Single-Factor Authentication is very low.

2. Two-Factor Authentication
⮚ It uses the same username/password combination, but additionally asks the person to verify who they are using something only they own, such as a mobile device. Put simply, it uses two factors to confirm an identity.
⮚ Two-factor authentication is designed to prevent unauthorized users from gaining access to an account with nothing more than a stolen password.
⮚ Users may be at greater risk of compromised passwords than they realize, particularly if they reuse the same password on more than one website.
⮚ Two-factor authentication is a combination of two of the following:
  - Something you know (your password)
  - Something you have (such as a code sent by text message to your smartphone or other device, or a smartphone authenticator app)
  - Something you are (biometrics using your fingerprint, face, or retina)
⮚ Multi-Factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.
Advantages of Two-Factor Authentication:
⮚ The Two-Factor Authentication System provides better security than the Single-Factor Authentication system.
⮚ Productivity and flexibility increase with two-factor authentication.
⮚ Two-Factor Authentication prevents the loss of trust.
Disadvantages of Two-Factor Authentication:
⮚ It is time-consuming.

Multi-Factor Authentication
⮚ Any type of keylogger or phishing attack will not be possible in a Multi-Factor Authentication system.
Advantages of the Multi-Factor Authentication System:
⮚ No security risk.
⮚ No information could get stolen.
⮚ No risk of any key-logger activity.
⮚ No risk of any data getting captured.
Disadvantages of the Multi-Factor Authentication System:
⮚ It is time-consuming.
⮚ It can rely on third parties.

Password and Passphrase
⮚ A password and a passphrase are both pass-codes: a string of characters used to secure your accounts. Both are usually made of words mixed with letters and other characters. The difference is how they are built.
Password
⮚ What most people refer to as a password is typically composed of about 10 letters, numbers or symbols, or a combination of letters, numbers and symbols. Some examples of passwords are: "8c?0E,*J!qI/", "yourname", "P@55w0rd".
⮚ A password is one word, maybe two, intended to confuse and misdirect hackers attempting to access your digital resources.
Passphrase
⮚ A passphrase is a password composed of a sentence or a combination of words.
⮚ Passphrases tend to be longer and more complex than the average password, which increases overall security.
⮚ A passphrase can also contain symbols, and does not have to be a proper sentence or grammatically correct.

Biometrics
⮚ Biometrics is an ancient Greek word combining two words: (bio) meaning life and (-metric) meaning measurement.
⮚ Biometric authentication systems employ unique physical or behavioral characteristics of an individual in order to authenticate that person's identity.
⮚ Physical attributes employed in biometric authentication systems include:
  - Fingerprints
  - Palm scan, hand geometry
  - Facial scan
  - Iris scan or retina patterns
  - Hand-written signatures, voice patterns
⮚ Behavioral biometrics include voice recognition, gait, keystroke-scan and signature-scan.
⮚ Fingerprints and handprints are the most widely used biometric method in use today. Many laptops include fingerprint readers, and fingerprint readers are also available on USB flash drives.
⮚ Biometric authentication systems based upon these physical attributes have been developed for computer login applications.
⮚ Biometric authentication is widely used and has many strengths:
  - It relieves the user of the difficult task of recalling passwords.
  - A biometric is unique and simple to use.
  - A biometric feature is very difficult to replicate.
  - Biometric characteristics cannot be lost.
  - Biometrics are used at major places such as airports, for immigration purposes and at prisons.
  - A fingerprint scanner is small and inexpensive.
  - It can be used over phone lines.
  - Eye scans are accurate in identifying users.
Fingerprints
⮚ The most common biometric is the fingerprint scanner.
⮚ The fingerprint scanner captures the image of the user's finger and then matches it against the data in the database.
⮚ Every user has different fingerprint pattern characteristics.
⮚ When the user's fingerprint pattern is saved in the database, the system converts it into binary.
Vulnerabilities with Biometric Authentication
⮚ A fingerprint scan is very secure since it is hard to guess the fingerprint pattern.
⮚ While biometrics provides the strongest authentication, it is susceptible to errors.
⮚ Injury to the fingers can interfere with the scanning process.
⮚ There is no real standard because of vendor-specific formats.
Palm scan
⮚ Palm vein recognition scans the veins inside a candidate's hand and creates a digital template representing their unique vein pattern.
⮚ Candidates simply place a hand on the device containing the sensor, which records the pattern of their palm veins in a digital template.
⮚ This biometric template can be stored in a database or locally on the device.
⮚ If the palm of the user matches the stored biometric data, the user is authenticated.
Hand geometry
⮚ Hand geometry is a biometric that identifies users from the shape of their hands.
⮚ Hand geometry refers to the shape of the human hand, the size of the palm, and the lengths and widths of the fingers.
⮚ Hand geometry readers measure a user's palm and fingers along many dimensions, including length, width, deviation and angle, and compare those measurements to measurements stored in a file.
Facial Scan
What is a biometric face scan?
⮚ A facial recognition system is a technology capable of matching a human face from a digital image or a video frame against a database of faces.
⮚ Such a system is typically employed to authenticate users through ID verification services, and works by pinpointing and measuring facial features from a given image.
Iris recognition
⮚ Iris recognition systems take images of the eye using infrared light.
⮚ Iris recognition is a relatively secure biometric method of recognizing people.
Signature Dynamics
⮚ Signature recognition is an example of behavioral biometrics that identifies a person based on their handwriting.
⮚ It can be operated in two different ways:
  - Static: users write their signature on paper, and after the writing is complete, it is digitized through an optical scanner or a camera to turn the signature image into bits. This is also known as "off-line".
  - Dynamic: users write their signature on a digitizing tablet, which acquires the signature in real time. Dynamic recognition is also known as "on-line".
Retina recognition
⮚ Retinal scanning is a different, ocular-based biometric technology that uses the unique patterns of the blood vessels on a person's retina, and is often confused with iris recognition.
Features of iris recognition
⮚ Highly accurate and fast: iris recognition boasts top-class precision among the different types of biometric authentication technologies.
⮚ Remains unchanged throughout life. (This does not constitute a guarantee.)
⮚ Since the iris differs between the left and right eye, recognition can be performed separately for each eye.
⮚ Possible to distinguish twins.
⮚ As long as the eyes are exposed, iris recognition can be used even when the subject is wearing a hat, mask, eyeglasses or gloves.
⮚ Because an infrared camera is used, recognition is available even at night or in the dark.
⮚ Without the need to touch the device, contactless authentication is possible, making it hygienic to use.
Voice recognition
⮚ Voice recognition is one part of an application that allows a device to recognize spoken words by digitizing the words and matching the digital signals against a particular pattern stored in the device.
⮚ Biometric voice recognition is the use of the human voice to uniquely identify biological characteristics in order to authenticate an individual, unlike passwords or tokens that require physical input.
⮚ Voice recognition (also called speaker recognition, voice authentication or voice printing) analyzes a person's voice to verify their identity.
AAA server
⮚ An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization and accounting (AAA) services.
⮚ Authentication is the process of identifying an individual, usually based on a username and password.
⮚ Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password.
⮚ Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent on the network, the services accessed while there and the amount of data transferred during the session.
⮚ Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.
⮚ The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information.
⮚ The current standard by which devices or applications communicate with an AAA server is Remote Authentication Dial-In User Service (RADIUS).
Accounting
⮚ From a security perspective, it would be nice to be able to collect information on who is attempting to authenticate to networks or systems, whether authentication was successful or not, and other information, such as the following:
  - the amount of time an authenticated session lasted;
  - the amount of data transmitted and received during an authenticated session;
  - if and when a user attempts to access a higher level of system access; and
  - system commands performed within the authenticated session.
⮚ This is precisely what the accounting phase of AAA accomplishes. It acts as a logging mechanism when authenticating to AAA-configured systems.
The Benefits of AAA
⮚ Central management and control of individual credentials;
⮚ Easy to organize users into groups based on the level of access to systems that is required;
⮚ A logging mechanism that is useful for troubleshooting and cybersecurity purposes; and
⮚ A highly scalable, flexible and redundant architecture.
A smart card
⮚ A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device used to control access to a resource.
⮚ A smart card is a card that stores data on a microprocessor or memory chip instead of the magnetic stripe found on ATM and credit cards.
⮚ A smart card is a secure microcontroller that is generally used for generating, storing and working with cryptographic keys.
⮚ Smart card authentication supports users with smart card devices for the purpose of authentication.
⮚ Users link their smart card to a host device.
⮚ Software on the host computer connects to the key material and other secrets stored on the smart card to authenticate the user.
⮚ Smart cards are considered a very powerful form of authentication because the cryptographic keys and other secrets stored on the card are very well secured both physically and logically, and are extremely difficult to steal.
⮚ The inside of a smart card usually contains an embedded microprocessor.
⮚ The microprocessor sits under a gold contact pad on one side of the card.
⮚ Smart cards can be used with a smart-card reader attached to a personal computer to authenticate a user.
⮚ The most common smart card applications are:
  - Credit cards
  - Electronic cash
  - Computer security systems
  - Wireless communication
  - Loyalty systems (like frequent flyer points)
  - Banking
  - Satellite TV
  - Government identification
Kerberos authentication
⮚ Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet.
⮚ Kerberos uses symmetric key cryptography and requires trusted third-party authorization to verify user identities.
⮚ Kerberos was developed for Project Athena at the Massachusetts Institute of Technology (MIT).
⮚ The name was taken from Greek mythology; Kerberos (Cerberus) was a three-headed dog who guarded the gates of Hades.
⮚ The strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network.
⮚ Kerberos support is built in to all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.
⮚ The three heads of the Kerberos protocol represent the following:
  1. The client or principal;
  2. The network resource, which is the application server that provides access to the network resource; and
  3. A key distribution center (KDC), which acts as Kerberos' trusted third-party authentication service.
Access control basics
⮚ ITU-T Recommendation X.800 defines access control as follows: "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner."
⮚ RFC 2828 defines computer security as: "Measures that implement and assure security services in a computer system, particularly those that assure access control service."
⮚ In general, access control involves:
  - Preventing unauthorized users from gaining access to resources (this deals more with authentication);
  - Preventing legitimate users from accessing resources in an unauthorized manner;
  - Enabling legitimate users to access resources in an authorized manner.
⮚ Access control is a security technique that regulates who or what can view or use resources in a computing environment.
⮚ There are two types of access control: 1. physical and 2. logical.
⮚ Physical access control limits access to campuses, buildings, rooms and physical IT assets.
⮚ Logical access control limits connections to computer networks, system files and data.
⮚ To secure a facility, organizations use electronic access control systems that rely on user credentials, access card readers, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers.
⮚ Logical access control systems perform identification, authentication and authorization of users and entities by evaluating required login credentials, which can include passwords, personal identification numbers, biometric scans, security tokens or other authentication factors.
Access control Policies
⮚ Discretionary Access Control (DAC)
  - Controls access based on the identity of the requestor (subject) and on access rules stating what the requestor is (or is not) allowed to do.
  - The owner of a resource (object) can delegate access permissions to other users (subjects).
⮚ Mandatory Access Control (MAC)
  - Subjects and objects are assigned security clearances.
  - A subject can access an object only if it has an equal or higher security clearance than the object.
  - A subject that has clearance to access an object cannot enable another subject to access that object (access control decisions are taken at the admin level, not at the subject level).
⮚ Role-based Access Control (RBAC)
  - Controls access based on the roles that users (subjects) have within the system.
  - There are rules stating what accesses are allowed to each role.
⮚ An access control policy consists of high-level requirements that specify how access is managed and who may access information under what circumstances.
⮚ It takes the form of a document offering a high-level overview, and is then implemented via more specific rules and procedures. Examples:
  - Password Policy
  - Physical Access Policy
  - Remote Access Policy
  - Audit Policy
  - Email Policy
  - Internet Acceptable Usage Policy
  - Software Policy
  - Computer, Telephone, and Desk Use Policy
  - Removable Media Policy
  - Information Protection Policy
  - Human Resources Information Security Standards
  - Information Security Incident Management Policy
  - IT Infrastructure Policy
  - Communications and Operation Management Policy
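To make the three policy types above concrete, here is an added Python example (not the lecture's own code) with one decision routine per policy: DAC lets the object's owner delegate, MAC compares administrator-assigned labels and offers no subject-level delegation, and RBAC grants rights only through roles. The level names, subjects and objects are constructed sample values.

```python
# Constructed ordering of security levels used by the MAC check (higher number = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


class DAC:
    """Discretionary: the object's owner decides, and may delegate rights to other subjects."""

    def __init__(self):
        self.owner = {}   # object -> owning subject
        self.rights = {}  # object -> {subject: set of rights}

    def create(self, subject, obj):
        self.owner[obj] = subject
        self.rights[obj] = {subject: {"read", "write"}}

    def grant(self, granter, subject, obj, right):
        if self.owner.get(obj) != granter:
            return False  # only the owner can delegate access to its object
        self.rights[obj].setdefault(subject, set()).add(right)
        return True

    def check(self, subject, obj, right):
        return right in self.rights.get(obj, {}).get(subject, set())


class MAC:
    """Mandatory: the administrator assigns labels; subjects cannot alter or share them."""

    def __init__(self, clearance, classification):
        self.clearance = clearance            # subject -> level label
        self.classification = classification  # object -> level label

    def check(self, subject, obj):
        # Access is allowed only with an equal or higher clearance than the object's label.
        return LEVELS[self.clearance[subject]] >= LEVELS[self.classification[obj]]

    def grant(self, granter, subject, obj):
        return False  # no subject-level delegation exists under MAC


class RBAC:
    """Role-based: rights attach to roles, and users gain rights only through their roles."""

    def __init__(self, role_rights, user_roles):
        self.role_rights = role_rights  # role -> {object: set of rights}
        self.user_roles = user_roles    # user -> set of roles

    def check(self, user, obj, right):
        return any(right in self.role_rights.get(role, {}).get(obj, set())
                   for role in self.user_roles.get(user, set()))
```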
Access control Model
⮚ General access control models:
  - Access control matrix (ACM)
  - Access control list (ACL)
  - Capability list (CL)
⮚ Basic elements of the ACM:
  - Subject: an entity capable of accessing objects; the concept of subject equates with that of process.
  - Object: anything to which access is controlled (files, programs, memory segments, …).
  - Access right: the way in which an object is accessed by a subject (read, write, execute, …).
Access control Matrix (ACM)
⮚ In the ACM, each subject is represented by a row and each object by a column.
⮚ ACM[s, o] lists precisely which operations subject s can request to be carried out on object o.
⮚ The drawback of this system is that the matrix will have many empty entries.
⮚ Another widely used approach is Access Control Lists, in which each object maintains a list of the access rights of subjects.
⮚ Another approach is to give each subject a Capability List (its access rights to objects) that is digitally signed.
Access control List (ACL)
⮚ An ACL can be created by splitting the access matrix column-wise.
⮚ It is a list of permissions associated with a system resource (object).
Capability List (CL)
⮚ Capability lists can be created by splitting the access matrix row-wise.
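An added Python example (not the lecture's own code) that builds a small constructed access control matrix, measures how sparse it is, derives ACLs by splitting it column-wise and capability lists by splitting it row-wise, and tags each capability with an HMAC under an issuer key as a stand-in for the digital signature the slides mention. The subjects, objects and key are constructed values.

```python
import hashlib
import hmac
import json

# Constructed matrix: ACM[subject][object] = set of access rights.
# Cells that are not listed are the matrix's empty entries.
SUBJECTS = ["alice", "bob", "backup"]
OBJECTS = ["payroll.db", "report.pdf", "/usr/bin/tar", "mailq"]
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob": {"report.pdf": {"read", "write"}},
    "backup": {"payroll.db": {"read"}, "report.pdf": {"read"}, "/usr/bin/tar": {"execute"}},
}
ISSUER_KEY = b"constructed-issuer-key"  # held only by the system that issues capabilities


def empty_fraction(acm, subjects, objects):
    """Share of ACM cells that hold no rights: the sparsity that makes a full matrix wasteful."""
    filled = sum(1 for s in subjects for o in objects if acm.get(s, {}).get(o))
    return 1 - filled / (len(subjects) * len(objects))


def to_acls(acm):
    """Column-wise split: one list per object of the subjects that may access it."""
    acls = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def acl_check(acls, subject, obj, right):
    """Reference-monitor check against the object's ACL."""
    return right in acls.get(obj, {}).get(subject, set())


def _tag(subject, obj, rights):
    # HMAC over (subject, object, rights) binds the capability to its holder, so it
    # cannot be altered or handed to another subject without detection.
    payload = json.dumps([subject, obj, sorted(rights)]).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def to_capabilities(acm):
    """Row-wise split: one list per subject of (object, rights, tag) capabilities."""
    return {s: [(o, sorted(r), _tag(s, o, r)) for o, r in row.items()]
            for s, row in acm.items()}


def capability_check(subject, capability, right):
    """Honor a presented capability only if its tag verifies for this subject."""
    obj, rights, tag = capability
    if not hmac.compare_digest(tag, _tag(subject, obj, rights)):
        return False  # forged, tampered, or presented by a different subject
    return right in rights
```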