2-CH2_Authentication & Access Control.pdf

Full Transcript

College of Computer Science
Information Systems
Department

Information & Computer Security
(352ISM)

2024
 Chapter 2:

Part I: Authentication

2
 2.1 Authentication

A computer system does not have the cues
we do with face-to-face communication that
let us recognize our friends.

Instead computers depend on data to
recognize others.

3
 Identification & Authentication

Someone is authorized to take some action on something.

❑ Identification is asserting who a person is.
user name, Email ID …..
❑ Authentication is proving that asserted identity.
Passwords , security questions ?

Identities are typically public or well known. Authentication
should be private.

4
◼ Authentication mechanisms use any of three
qualities to confirm a user’s identity:

❑ Something you know. Passwords, PIN
numbers, …… ?
❑ Something you are. These authenticators, called
biometrics, are based on a physical characteristic
of the user, such as a fingerprint, the pattern of a
person’s voice, or a face (picture).
❑ Something you have. Identity badges, physical
keys, a driver’s license, …

5
Authentication Based on: Something you
know

◼ Password protection seems to offer a
relatively secure system for confirming
identity-related information, but human
practice sometimes degrades its quality.
◼ The protection system requests a password
from the user. If the password matches the
one on file for the user, the user is
authenticated and allowed access.
6
 Passwords attack

Attacker might try determine a password by some of these
steps:

◼ Guessing
 No password
 Same as the user ID
 Derived from the user’s name
 On a common word list (for example, password,secret,private) plus
common names and patterns for example aaaaaa
◼ Dictionary attack (word from a dictionary)
◼ Brute force attack

7
 Dictionary Attack
◼ Several network sites post dictionaries of phrases, science
fiction character names, places, or Chinese words.

◼ These lists help administrators identify users who have
chosen weak passwords, but the same dictionaries can also
be used by attackers.

◼ Tools to scan passwords
 The COPS, Crack, and SATAN utilities allow an administrator to
scan a system for weak passwords.

8
 Guessing Probable Passwords
◼ Trying many weak passwords by a computer takes a
second! Even a person working by hand could try ten likely
candidates in a minute or two.

◼ Common passwords such as qwerty or 123456 are used
often.

◼ There are only 261+262+263=18,278 (not case sensitive)
passwords of length 3 or less.
 Brute force attack: the attacker systematically checks all possible
passwords and passphrases until the correct one is found.

9
Operating systems avoid that approach by storing passwords
not in their public form but in a concealed form (using
encryption).
For example:
User ID Password Encrypted password
Jane qwerty 0x471aa2d2

10
 Good Passwords

▪ Use characters other than just a–z.
▪ Choose long passwords.
▪ Avoid actual names or words.
▪ Use a string you can remember.
▪ Use variants for multiple passwords.
▪ Change the password regularly.
▪ Don’t write it down.
▪ Don’t tell anyone else.

▪ Security Questions ??
11
 Authentication Based on Biometrics:
Something You Are
fingerprint
hand geometry (shape and size of fingers)
retina and iris (parts of the eye)
voice
handwriting, signature, hand motion
typing characteristics
blood vessels in the finger or hand
face
facial features,such as nose shape or eye spacing.

12
13
 Authentication Based on Tokens:
Something you Have
❑ Active and Passive Tokens
Passive tokens (photo or key) do not change.
Active tokens communicate with a sensor. (cards with a
magnetic stripe)

❑ Static and Dynamic Tokens
▪ Example of static tokens : Keys, identity cards,
passports, credit and other magnetic-stripe cards, and
radio transmitter cards (called RFID devices).
▪ A dynamic token is one whose value changes. (To
overcome copying of physical tokens)
14
 Some Authentication methods:

Single sign-on process (SSO)
▪ All the login processes are done on behalf of the user
except in the first login in a session.
Multifactor Authentication
▪ authentication can use two, three, four, or more factors

Secure Authentication
▪ think carefully about the problem we are trying to solve
and the tools we have.
▪ think about blocking possible attacks and attackers.
15
 Successful Identification and Authentication
Shared secret.
One-Time Password: is good for only one use. To use a one-
time password scheme, the two end parties need to have a shared
secret list of passwords. When one password is used, both parties
mark the word off the list and usethe next word the next time.

Out-of-Band Communication: For example, bank
card PINs are always mailed separately from the bank card.

Continuous Authentication: Encryption can provide
continuous authentication, but care must be taken to set it up
properly and guard the end points.
16
Chapter 2 Part 2

Access Control
 Authentication vs Authorization
vs Accounting
(AAA)
◼ Authentication
 Who are you?
◼ Authorization (Access control)
 What are you allowed to do.
 Focus is policy
 Accounting: Auditing the access activity.

18
19
 Introduction
◼ In this section we discuss how to
protect general objects, such as files,
tables, access to hardware devices or
network connections, and other
resources.
◼ Subjects are human users.
◼ Objects are things on which an action
can be performed: Files, tables,
programs, memory objects, hardware
devices.
◼ Access modes are any controllable
actions of subjects on objects,
including, but not limited to, read, write,
modify, delete, execute, create,
destroy, copy, export, import, and so
forth.
◼ A subject is permitted to access an
object in a particular mode.
◼ What is the subject allowed to do?
◼ What may be done with an object? 20
 Account Types

◼ End user account
◼ Privileged Account
◼ Guest Account
◼ Service Account
◼ Shared Account

21
 2.2 Access Control

Access control: A process limiting who can
access what in what ways.
A given subject either can or cannot access a
particular object in a specified way. For example
some users can have Read only, while others
can have Full Control.
Permissions exists in NTFS in Windows for
example

❑ Access Policies
✓Effective Policy Implementation
❑ Protecting objects involves several
complementary goals.
Check every access.
Enforce least privilege
Verify acceptable usage. (Y/N)

22
❑ Tracking
determine whether Access Policy is
working as it should.

❑ Least Privilege
It is a management concept to
restraining users and processes (principle
of least privilege).

❑ Need to Know Policy
Access only what you need to know

23
❑ Access Log
◼ After making an access decision, Systems also record which
accesses have been permitted, creating what is called an audit log.

Several reasons for logging access include the following:
◼ Records of accesses can help plan for new or upgraded equipment.
◼ If the system fails, these records can help identify the cause of
failure.
◼ If a user misuses objects, the access log shows exactly which
objects the user did access.
◼ In the event of an external compromise, the audit log may help
identify how the assailant gained access and which data items were
accessed.

24
 This model is generally used to help understand
the various issues involved in access control.

The subject issues requests to access the object,
and protection is enforced by a reference monitor
that knows which subjects are allowed to issue
which requests

25
 Implementing Access Control
Access Control Directory

One list per user, naming all the Objects that a users allowed
to access.

26
 Access Control Matrix

The access matrix can be represented as a list of triples,
each having the form (subject, object, rights).

27
Access Control List

28
 Access Control Models

◼ Mandatory Access Control (MAC)
◼ Discretionary Access Control (DAC)
◼ Role-based Access Control (role-BAC)

29
 Mandatory Access Control
(MAC)
◼ It uses labels to identify access.
◼ Every subject needs to have a Clearance
to access the object.
◼ It is used widely in military to protect very
sensitive data.
◼ Labels:
❖ Top Secret Level
❖ Secret Level

❖ Confidential Level

❖ For Official Use Only 30
For example, John has a Top Secret clearance to access
Nuclear Power Plant file. However, he is not allowed to
access 007 and Happy Sumo files.
Since John has Top secret Clearance he can be granted
access to lower level files
Gibson, D. (2017). CompTIA Security+ get certified get
ahead SY0-501 study guide.
31
 Discretionary Access Control

◼ Every object has an owner and the owner
establishes access to other objects.
◼ Used widely by Windows and UNIX.
◼ NTFS uses DAC Model

32
 Discretionary Access Control

For example some users can have
Read only, while others can have Full
Control.
Every object has an owner. Windows
refers to each user using his SID
(Security ID). Use the command to get
the SID:
wmic useraccount get sid, name
Every object has a DACL that
identifies who can access it as shown
in the Figure.
Permissions exists in NTFS in
Windows for example
33
 Role-Based Access Control
(Role-BAC)
◼ Access control by role recognizes common needs of
all members of a set of subjects.
◼ We need to distinguished among kinds of users, we
want some users (such as administrators) to have
significant privileges, and we want others (guests) to
have lower privileges.

34
35
Role-BAC Example
◼ We define procedures for
◼ Crediting accounts (CA)
◼ Debiting accounts (DA)
◼ Objects are bank accounts ◼ Transferring funds between
◼ Subjects are bank employees accounts (TF)
◼ The set of bank accounts forms ◼ Creating new accounts (NA)
a data type
◼ We define roles ◼ We assign procedure
◼ Teller –CA and DA to the Teller role
◼ Clerk –TF to the Clerk role
◼ Administrator –NA to the Administrator role
–The Administrator role can run all

36