Housekeeping Notice and Course Information PDF
Summary
This document, likely a presentation or lecture notes, provides a basic introduction to concepts of security and authentication. The document includes information about different authentication methods, including biometrics and the need for strong passwords. The main focus is on technical concepts and security procedures.
Full Transcript
Housekeeping Notice
- Please mute your handphone during the class.

Books:
1. Michael Fairhurst (2018). Biometrics: A Very Short Introduction. Oxford University Press. ISBN-13: 978-0198809104.
2. Anil Jain, Ruud Bolle, Sharath Pankanti (2013). Biometrics. Springer. ISBN: 1475782950.
3. Information Resources Management Association (2016). Biometrics. IGI Global. ISBN: 1522509844.
4. Zhang, David (2017). Advanced Biometrics. Springer International Publishing AG. ISBN: 3319615440.
5. Robert Newman (2010). Security and Access Control Using Biometric Technologies. Cengage Learning. ISBN-13: 978-1-4354-4105-7.

TPB 6323 Password Authentication and Biometrics
Chapter 1 Access Control: Introduction to Authentication

Objectives
- Look at various security concepts and processes
- Understand the core concept of access control: authentication, authorization
- Identify various techniques which can be used for hardening access control

The CIA of Security
- Confidentiality
- Integrity
- Availability

CIA: Confidentiality
- Prevents unauthorized disclosure of data
- Ensures that data, such as Personally Identifiable Information (PII), is only viewable by authorized users
- Some methods:
  - Encryption, e.g. Advanced Encryption Standard (AES)
  - Access controls

Access Controls
- Identification: Username: Who are you?
  A claim, not proof
- Authentication: Proof of identity, often by providing a password
- Authorization: Granting access to resources

CIA: Integrity
- Assures that data has not been modified, tampered with, or corrupted
- Only authorized users should modify data
- Hashing assures integrity
  - Hash types: MD5, SHA-1, HMAC, SHA-2
  - If data changes, the hash value changes
  - Caveat: MD5 and SHA-1 are no longer collision-resistant and should not be used in new designs; SHA-2 (e.g. SHA-256) is the current choice. HMAC is a keyed MAC built on a hash rather than a plain hash: an attacker who can alter the data can also recompute an unkeyed hash, so a published hash only protects integrity when it is obtained over a trusted channel or is digitally signed.

Hash Value for Download
- A hash published beside a download lets the downloader check that the file was not altered in transit

Digital Signatures
- Like a handwritten signature
- Makes a legal agreement
- Provides authentication
- Also provides non-repudiation

Non-Repudiation
- Prevents entities from denying that they took an action
- Examples: signing a home loan, making a credit card purchase
- Techniques: digital signatures, audit logs

Certificates and PKI (Public Key Infrastructure)
- Certificates prove the identity of a server or user
- Contain (public) encryption keys
- Certificates are managed by the PKI
- PKI: a group of companies (certificate authorities) that issue and verify certificates, analogous to credit card companies

CIA: Availability
- Data and services are available when needed
- Remove SPOF (Single Point of Failure)
- Techniques: disk redundancies (RAID), server redundancies (clusters), load balancing, site redundancies, backups, alternate power, cooling systems

Balancing CIA
- You can never have perfect security
- Increasing one item lowers others
- Increasing confidentiality generally lowers availability
  - Example: long, complex passwords that are easily forgotten

Exploring Authentication Concepts
Access control: Identification, Authentication, and Authorization
- Identification: State your name (without proving it)
- Authentication: Proves your identity (with a password, fingerprint, etc.)
- Authorization: Grants access to resources based on the user's proven identity

Identity Proofing
- Verifying that people are who they claim to be prior to issuing them credentials
- Or when replacing lost credentials

Five Factors of Authentication
- Something you know (weakest), such as a password
- Something you have, such as a smart card
- Something you are (strongest): biometrics, such as a fingerprint (caveat: unlike a password, a biometric cannot be changed if its template leaks, so it is usually paired with another factor)
- Something you do, such as gestures on a touch screen
- Somewhere you are, such as geolocation

Password Rules
- Passwords should be strong: at least 10 characters, with combinations of uppercase, lowercase, numbers, and symbols
- Change passwords regularly (note: current NIST SP 800-63B guidance is to force a change only on evidence of compromise, because routine forced rotation tends to produce weaker, predictable passwords)
- Verify a user's identity before resetting a password
- Don't reuse passwords
- Implement account lockout policies
- Change default passwords
- Don't write down passwords
- Don't share passwords
- Password history: remembers previous passwords so users cannot re-use them

Account Lockout Policies
- Account lockout threshold: the maximum number of times a wrong password can be entered (typically 5; Malaysian ATMs = 3)
- Account lockout duration: how long an account is locked (typically 30 min.)
- Previous logon notification: Gmail has it, at the bottom of the screen

Creating Strong Passwords
- At least 10 characters long
- Isn't in a dictionary
- Contains at least three of these character types: uppercase letters A-Z, lowercase letters a-z, numbers 0-9, special characters like @#$%

Changing Default Passwords
- Many devices, like routers, have default passwords
- These must be changed before use ("hardening")

Something You Have: Smart Card
- Contains an embedded certificate
- Read by a card reader
- Public Key Infrastructure allows issuance and management of certificates
- CAC (Common Access Card), e.g. door access to replace the use of a key, hotel room access, etc.
- PIV (Personal Identity Verification) card, e.g. MMU smart card, Malaysian IC, ATM card, etc.
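The password rules and account lockout policy from the slides above, implemented as an added example so they can be tested (this is not code from the lecture or its textbooks). It assumes the slides' numbers (10 characters, 3 of 4 character classes, 5 attempts, 30 minutes), uses a small constructed word list in place of a real dictionary, and keeps the password history as salted PBKDF2 hashes rather than the old passwords themselves.

```python
"""Added example (not from the lecture): the "Creating Strong Passwords",
"Password history" and "Account Lockout Policies" rules as plain Python."""
import hashlib
import os
import re
import time

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "malaysia", "football"}

MIN_LENGTH = 10
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_problems(pw: str) -> list[str]:
    """Return every slide rule the password violates (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(pw)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character classes")
    # "Isn't in a dictionary": compare case-insensitively, and also with digits
    # and symbols stripped, so that Password123! is still caught.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if pw.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    # Slow, salted hash: the history must not become a list of old passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordHistory:
    """Remembers the last `remember` passwords so they cannot be re-used."""

    def __init__(self, remember: int = 5):
        self.remember = remember
        self.entries: list[tuple[bytes, bytes]] = []  # (salt, hash)

    def was_used(self, pw: str) -> bool:
        return any(_hash(pw, salt) == h for salt, h in self.entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(pw, salt)))
        self.entries = self.entries[-self.remember:]


class LockoutPolicy:
    """Lockout threshold and duration from the slides (5 attempts, 30 minutes).
    `clock` is injectable so the policy can be tested without waiting."""

    def __init__(self, threshold: int = 5, duration: float = 30 * 60, clock=time.time):
        self.threshold, self.duration, self.clock = threshold, duration, clock
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user, 0.0)
        if until and self.clock() < until:
            return True
        if until:  # lock has expired: clear it and reset the failure counter
            del self.locked_until[user]
            self.failures.pop(user, None)
        return False

    def record_attempt(self, user: str, success: bool) -> str:
        """Returns 'locked', 'ok' or 'failed'. A locked account is refused even
        when the password is right, otherwise the lock would be no obstacle."""
        if self.is_locked(user):
            return "locked"
        if success:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.threshold:
            self.locked_until[user] = self.clock() + self.duration
            return "locked"
        return "failed"
```

A real deployment would count failures per account in shared storage (so an attacker cannot reset the counter by switching front-end servers) and would also rate-limit per source address, since lockout alone lets an attacker deny service to any user whose name they know.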
Something You Have: Token or Key Fob or Smart Phone
- HOTP (HMAC-based One-Time Password)
  - Open standard using a secret key and an incrementing counter
  - HMAC hash used to create a 6- or 8-digit value
  - Password remains valid until it is used
- TOTP (Time-based One-Time Password)
  - Uses a timestamp instead of a counter
  - Password expires every 30 seconds

Something You Are (Biometrics)
- Fingerprint, handprint, palm scanner: built-in features of most smartphones and laptops
- Retinal scanners: uncomfortable for some people
- Iris scanners: easier to use

False Acceptance and False Rejection
- False Acceptance Rate (FAR): incorrectly identifying an unauthorized user as authorized
- False Rejection Rate (FRR): incorrectly rejecting an authorized user
- Crossover Error Rate (CER) / Equal Error Rate (EER): the crossover value of FAR and FRR

Somewhere You Are
- IP address: gives a general location; may block logins from unexpected nations
- MAC address: identifies a specific device (note: it is a property of the device rather than its location, and is only visible on the local network segment)

Something You Do
- Windows 8 picture passwords: gestures such as tapping or drawing lines
- Keystroke dynamics when typing
- The way you walk
- The way you sign your name
- Also called "behavioral biometrics"

Multifactor Authentication
- More than one of: something you know, something you have, something you are
- Two similar factors is NOT two-factor authentication, such as password and PIN

Comparing Authentication Services
Kerberos
- Used in Windows Active Directory domains
- Used in UNIX realms
- Developed at MIT
- Prevents man-in-the-middle attacks and replay attacks

Kerberos Requirements
- A method of issuing tickets used for authentication: the Key Distribution Center (KDC) grants ticket-granting tickets, which are presented to request tickets used to access objects
- Time synchronization within five minutes
- A database of subjects or users, e.g. Microsoft's Active Directory

Kerberos Details
- When a user logs on, the KDC issues a ticket-granting ticket (TGT) with a lifetime of ten hours
- Kerberos uses port 88 (TCP & UDP)
- Kerberos uses symmetric cryptography
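FAR, FRR and the crossover error rate on the biometrics slides above are defined in words only. This added example (not from the lecture) computes them from matcher scores and finds the threshold at which the two rates cross. The score lists are constructed for illustration; a real evaluation uses thousands of genuine and impostor comparisons.

```python
"""Added example (not from the lecture): FAR, FRR and EER from matcher scores."""

# Constructed data. Higher score = better match. Genuine = same person as the
# enrolled template, impostor = a different person.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR = [0.12, 0.20, 0.25, 0.31, 0.38, 0.44, 0.52, 0.61, 0.68, 0.73]


def far(impostor, threshold):
    """False Acceptance Rate: fraction of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False Rejection Rate: fraction of genuine users whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine, impostor):
    """Sweep every observed score as a candidate threshold.
    Returns [(threshold, FAR, FRR)] in ascending threshold order."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Threshold where |FAR - FRR| is smallest, and the error rate there (the CER/EER).
    Raising the threshold lowers FAR and raises FRR, so the curves cross once."""
    t, fa, fr = min(error_curve(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (fa + fr) / 2


if __name__ == "__main__":
    for t, fa, fr in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {fa:.2f}  FRR {fr:.2f}")
    print("EER at threshold %.2f = %.2f" % equal_error_rate(GENUINE, IMPOSTOR))
```

The EER is a comparison figure, not a recommended operating point: a door to a server room is tuned well above the crossover (low FAR, users tolerate retries), while a phone unlock is tuned below it (low FRR, the phone falls back to a PIN).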
Single Sign-On
- Users can access multiple systems after providing credentials only once

SSO and Transitive Trusts
- Parent domain trusts two child domains
- Therefore, the two child domains trust one another
- This is called a transitive trust

SSO and a Federation
- Federated Identity Management System: you can log into a blog comment system with Facebook
- Identity information from one system is accepted at another without repeating the login process

SSO and SAML
- Security Assertion Markup Language (SAML): an Extensible Markup Language (XML)-based data format used for SSO on web browsers
- SAML defines three roles:
  - Principal: typically a user
  - Identity provider: manages identity information
  - Service provider: provides service to principals

SAML and Authorization
- SAML provides authentication; authorization is a separate issue
- However, SAML can be used to transfer authorization data between systems, so it can be used for SSO authentication and authorization

Authenticating RAS (Remote Access Service) Clients
- Remote access clients connect through VPN (Virtual Private Network) or dial-up
- A VPN allows a client to access a private network over a public network, usually the Internet

Remote Access Authentication Methods
- PAP (Password Authentication Protocol): passwords sent in cleartext; rarely used; deprecated
- CHAP (Challenge Handshake Authentication Protocol): the server challenges the client; the client responds with the appropriate authentication information
- MS-CHAP: Microsoft's implementation of CHAP
- MS-CHAPv2: more secure than MS-CHAP, but seriously broken by Moxie Marlinspike at DEF CON in 2012 (https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/); he recommends using certificate authentication instead
- RADIUS (Remote Authentication Dial-in User Service): central authentication for multiple remote access servers; hides the password with an MD5-based keystream derived from the shared secret, but not the rest of the authentication exchange; uses UDP (ports 1812/1813; legacy 1645/1646)
- Diameter: an
  improvement over RADIUS; supports Extensible Authentication Protocol (EAP)
- TACACS (Terminal Access Controller Access-Control System): was used in UNIX systems, rare today
- TACACS+: Cisco proprietary alternative to RADIUS; interacts with Kerberos; encrypts the entire authentication process (the packet body; the header stays in clear); uses TCP (port 49); uses multiple challenges and responses during a session

AAA Protocols: Authentication, Authorization, and Accounting
- Authentication: verifies a user's identification
- Authorization: determines if a user should have access
- Accounting: tracks user access with logs (can be viewed as non-repudiation)
- RADIUS and TACACS+ are both AAA protocols
- Kerberos doesn't provide accounting, but is sometimes called an AAA protocol

Assignment Group Form
- Fill in the team's name & members
- Maximum number of members allowed: 4 in total (including leader)
- Remain in the same group for all group-based assessments
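The RADIUS bullet in the remote access slides says the protocol "encrypts passwords, but not the entire authentication process". This added example (not lecture material) implements the User-Password hiding scheme from RFC 2865 section 5.2 so the claim can be seen concretely: only that one attribute is masked, the mask is MD5 of the shared secret plus the visible Request Authenticator, and the masking gives no integrity check. The packet is a plain dict standing in for the real wire format, and the wordlist attack on the shared secret uses constructed candidates.

```python
"""Added example (not from the lecture): RADIUS User-Password hiding (RFC 2865 5.2)."""
import hashlib
import os
from typing import Iterable, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with nulls to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    n = -(-len(password) // 16) * 16 or 16          # at least one 16-byte block
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: regenerate the same keystream, strip null padding.
    A wrong secret yields garbage rather than an error: the field carries no MAC."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: bytes, secret: bytes) -> dict:
    """Minimal Access-Request as a dict (constructed stand-in for the wire format).
    Only User-Password is hidden; User-Name and the authenticator itself travel
    in the clear over UDP, which is the point the slide makes."""
    authenticator = os.urandom(16)
    return {
        "code": 1,                                       # Access-Request
        "authenticator": authenticator,
        "User-Name": user,
        "User-Password": hide_password(password, secret, authenticator),
    }


def guess_secret(packet: dict, known_password: bytes,
                 candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline check an eavesdropper can run: with one captured request whose
    password they know (for example their own), each candidate shared secret is
    tested against the first block. A weak shared secret falls to a wordlist."""
    for cand in candidates:
        trial = hide_password(known_password, cand, packet["authenticator"])[:16]
        if trial == packet["User-Password"][:16]:
            return cand
    return None
```

This is why RADIUS deployments are expected to run over a protected transport (IPsec or RadSec/TLS) and to use long random shared secrets, and why Diameter and TACACS+ protect more of the exchange.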