Information & Computer Security (352ISM) 2024 PDF
Document Details
King Khalid University
2024
Summary
This document covers information and computer security, specifically authentication and access control. It details various methods like passwords, biometrics, and tokens. The document is part of a 352ISM course offered at King Khalid University in 2024.
Full Transcript
College of Computer Science, Information Systems Department
Information & Computer Security (352ISM), 2024
Chapter 2, Part I: Authentication

2.1 Authentication
A computer system does not have the cues we do with face-to-face communication that let us recognize our friends. Instead, computers depend on data to recognize others.

Identification & Authentication
Someone is authorized to take some action on something.
❑ Identification is asserting who a person is: a user name, an e-mail ID, ...
❑ Authentication is proving that asserted identity: passwords, security questions, ...
Identities are typically public or well known. Authentication should be private.

◼ Authentication mechanisms use any of three qualities to confirm a user's identity:
❑ Something you know: passwords, PINs, ...
❑ Something you are. These authenticators, called biometrics, are based on a physical characteristic of the user, such as a fingerprint, the pattern of a person's voice, or a face (picture).
❑ Something you have: identity badges, physical keys, a driver's license, ...

Authentication Based on Something You Know
◼ Password protection seems to offer a relatively secure system for confirming identity-related information, but human practice sometimes degrades its quality.
◼ The protection system requests a password from the user. If the password matches the one on file for the user, the user is authenticated and allowed access.

Password Attacks
An attacker might try to determine a password by some of these steps:
◼ Guessing: no password; the same as the user ID; derived from the user's name; on a common word list (for example, password, secret, private) plus common names and patterns (for example, aaaaaa).
◼ Dictionary attack (words taken from a dictionary).
◼ Brute-force attack.

Dictionary Attack
◼ Several network sites post dictionaries of phrases, science fiction character names, places, or Chinese words.
◼ These lists help administrators identify users who have chosen weak passwords, but the same dictionaries can also be used by attackers.
◼ Tools to scan passwords: the COPS, Crack, and SATAN utilities allow an administrator to scan a system for weak passwords.

Guessing Probable Passwords
◼ Trying many weak passwords by computer takes a second. Even a person working by hand could try ten likely candidates in a minute or two.
◼ Common passwords such as qwerty or 123456 are used often.
◼ There are only 26^1 + 26^2 + 26^3 = 18,278 (not case sensitive) passwords of length 3 or less.
Brute-force attack: the attacker systematically checks all possible passwords and passphrases until the correct one is found.

Operating systems avoid keeping passwords in their public form: they store a concealed form, a one-way hash of the password (the slides call this encryption), so that the password file itself does not reveal the passwords. For example:
User ID | Password | Stored (concealed) form
Jane | qwerty | 0x471aa2d2

Good Passwords
▪ Use characters other than just a–z.
▪ Choose long passwords.
▪ Avoid actual names or words.
▪ Use a string you can remember.
▪ Use variants for multiple passwords.
▪ Change the password regularly.
▪ Don't write it down.
▪ Don't tell anyone else.
▪ Security questions?

Authentication Based on Biometrics: Something You Are
fingerprint
hand geometry (shape and size of fingers)
retina and iris (parts of the eye)
voice
handwriting, signature, hand motion
typing characteristics
blood vessels in the finger or hand
face: facial features, such as nose shape or eye spacing

Authentication Based on Tokens: Something You Have
❑ Active and Passive Tokens
Passive tokens (a photo or a key) do not change. Active tokens communicate with a sensor (for example, cards with a magnetic stripe).
❑ Static and Dynamic Tokens
▪ Examples of static tokens: keys, identity cards, passports, credit and other magnetic-stripe cards, and radio transmitter cards (called RFID devices).
▪ A dynamic token is one whose value changes
(to overcome copying of physical tokens).

Some Authentication Methods
Single sign-on (SSO)
▪ All the login processes are done on behalf of the user except the first login in a session.
Multifactor authentication
▪ Authentication can use two, three, four, or more factors.
Secure authentication
▪ Think carefully about the problem we are trying to solve and the tools we have.
▪ Think about blocking possible attacks and attackers.

Successful Identification and Authentication
Shared secret.
One-time password: a password that is good for only one use. To use a one-time password scheme, the two end parties need to have a shared secret list of passwords. When one password is used, both parties mark the word off the list and use the next word the next time.
Out-of-band communication: for example, bank card PINs are always mailed separately from the bank card.
Continuous authentication: encryption can provide continuous authentication, but care must be taken to set it up properly and guard the end points.

Chapter 2, Part 2: Access Control

Authentication vs Authorization vs Accounting (AAA)
◼ Authentication: who are you?
◼ Authorization (access control): what are you allowed to do? The focus is policy.
◼ Accounting: auditing the access activity.

Introduction
◼ In this section we discuss how to protect general objects, such as files, tables, access to hardware devices or network connections, and other resources.
◼ Subjects are human users, or programs running on their behalf.
◼ Objects are things on which an action can be performed: files, tables, programs, memory objects, hardware devices.
◼ Access modes are any controllable actions of subjects on objects, including, but not limited to, read, write, modify, delete, execute, create, destroy, copy, export, import, and so forth.
◼ A subject is permitted to access an object in a particular mode.
◼ What is the subject allowed to do?
◼ What may be done with an object?
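Worked example, added here and not part of the slides, for the password slides above (guessing, dictionary attack, brute force, and the concealed password file). The password file keeps only a salt and a slow one-way hash (PBKDF2-HMAC-SHA256 is my choice; the iteration count is an assumed work factor, not a value from the course), the guessing list follows the slide's "Guessing" bullet, and the brute-force search walks exactly the 26^1 + 26^2 + 26^3 = 18,278 short lowercase passwords the slide counts. User names, the small word list and the common-pattern list are constructed for the example.

```python
"""Password storage and the password attacks from the slides (added example)."""
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the posted dictionaries the slide mentions.
SMALL_DICTIONARY = ["password", "secret", "private", "letmein", "qwerty", "123456", "dragon"]
COMMON_PATTERNS = ["aaaaaa", "111111", "abc123"]


class PasswordFile:
    """The system's password file: per user it keeps only a salt and a one-way hash.

    The slide calls the stored form 'encrypted'; a real system uses a slow one-way
    hash (here PBKDF2-HMAC-SHA256) so the file never contains the password itself.
    The iteration count is a work factor; 100_000 is an assumed default.
    """

    def __init__(self, iterations: int = 100_000) -> None:
        self.iterations = iterations
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def enroll(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt: equal passwords get different hashes
        self.records[user_id] = (salt, self._hash(password, salt))

    def verify(self, user_id: str, candidate: str) -> bool:
        """The protection system's check: hash the candidate and compare it to the file."""
        if user_id not in self.records:
            return False
        salt, digest = self.records[user_id]
        return hmac.compare_digest(self._hash(candidate, salt), digest)


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len: the slide's 26^1 + 26^2 + 26^3 = 18,278."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def probable_guesses(user_id: str) -> list:
    """The slide's 'Guessing' list: no password, the user ID, strings derived from the
    name, common words, and common patterns."""
    name = user_id.lower()
    derived = [name, name[::-1], name + "1", name + "123", name.capitalize()]
    return [""] + derived + SMALL_DICTIONARY + COMMON_PATTERNS


def dictionary_attack(pf: PasswordFile, user_id: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try probable guesses first, then every dictionary word.

    An attacker holding a copy of the file does the same computation offline,
    so the cost per candidate is exactly one hash; the slow hash is the defence."""
    for candidate in itertools.chain(probable_guesses(user_id), wordlist):
        if pf.verify(user_id, candidate):
            return candidate
    return None


def brute_force(pf: PasswordFile, user_id: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 3) -> Optional[str]:
    """Systematically try every string over the alphabet up to max_len.

    Cost is keyspace(len(alphabet), max_len) hash computations, which is why a
    longer password over a richer alphabet, plus a slow hash, matters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if pf.verify(user_id, candidate):
                return candidate
    return None


if __name__ == "__main__":
    pf = PasswordFile()
    pf.enroll("Jane", "qwerty")  # the slide's example user
    print("keyspace(26, 3) =", keyspace(26, 3))
    print("dictionary attack on Jane:", dictionary_attack(pf, "Jane", SMALL_DICTIONARY))
```

Running the brute-force search at the default work factor over all 18,278 three-letter candidates takes minutes rather than the "a second" the slide quotes for weak passwords; that slowdown, multiplied by a long password over a large alphabet, is the whole point of storing a slow hash instead of the plaintext.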
Account Types
◼ End user account
◼ Privileged account
◼ Guest account
◼ Service account
◼ Shared account

2.2 Access Control
Access control: a process limiting who can access what in what ways. A given subject either can or cannot access a particular object in a specified way. For example, some users can have Read only, while others can have Full Control. Permissions exist in NTFS in Windows, for example.
❑ Access Policies
✓ Effective policy implementation
❑ Protecting objects involves several complementary goals:
Check every access.
Enforce least privilege.
Verify acceptable usage (Y/N).
❑ Tracking: determine whether the access policy is working as it should.
❑ Least privilege: a management concept for restraining users and processes (the principle of least privilege).
❑ Need-to-know policy: access only what you need to know.

❑ Access Log
◼ After making an access decision, systems also record which accesses have been permitted, creating what is called an audit log. Several reasons for logging access include the following:
◼ Records of accesses can help plan for new or upgraded equipment.
◼ If the system fails, these records can help identify the cause of failure.
◼ If a user misuses objects, the access log shows exactly which objects the user did access.
◼ In the event of an external compromise, the audit log may help identify how the assailant gained access and which data items were accessed.

Reference monitor model: this model is generally used to help understand the various issues involved in access control. The subject issues requests to access the object, and protection is enforced by a reference monitor that knows which subjects are allowed to issue which requests.

Implementing Access Control
Access Control Directory: one list per user, naming all the objects that the user is allowed to access.
Access Control Matrix: the access matrix can be represented as a list of triples, each having the form (subject, object, rights).
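Worked example, added here and not part of the slides, tying together the access control directory, the access control matrix as a list of (subject, object, right) triples, the access control list of the next slide, the reference monitor, and the audit log. The subjects, objects and rights are constructed; the owner rule in `grant` anticipates the discretionary access control slide later in the chapter (only an object's owner may change who can access it).

```python
"""Access control directory, matrix, ACL, and a reference monitor with an audit log
(added example; subjects, objects, rights and owners are constructed)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (subject, object, right)

# The access control matrix written as the slide's list of triples.
MATRIX: List[Triple] = [
    ("alice", "payroll.xlsx", "read"),
    ("alice", "payroll.xlsx", "write"),
    ("bob", "payroll.xlsx", "read"),
    ("bob", "printer", "execute"),
    ("carol", "printer", "execute"),
]

# Discretionary control: each object has an owner who controls its ACL (constructed).
OWNERS: Dict[str, str] = {"payroll.xlsx": "alice", "printer": "root"}


def directory_view(matrix: List[Triple]) -> Dict[str, Dict[str, Set[str]]]:
    """Access control directory: one list per subject naming the objects it may
    access and how (a row of the matrix)."""
    view: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for subject, obj, right in matrix:
        view[subject][obj].add(right)
    return view


def acl_view(matrix: List[Triple]) -> Dict[str, Dict[str, Set[str]]]:
    """Access control list: one list per object naming the subjects that may
    access it and how (a column of the matrix)."""
    view: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for subject, obj, right in matrix:
        view[obj][subject].add(right)
    return view


class ReferenceMonitor:
    """Mediates every (subject, object, right) request and records the decision."""

    def __init__(self, matrix: List[Triple], owners: Dict[str, str]) -> None:
        self.acls = acl_view(matrix)
        self.owners = owners
        self.audit_log: List[str] = []

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Check every access: deny by default unless the object's ACL lists the right."""
        allowed = right in self.acls.get(obj, {}).get(subject, set())
        self.audit_log.append(f"{'PERMIT' if allowed else 'DENY'} {subject} {right} {obj}")
        return allowed

    def grant(self, granter: str, subject: str, obj: str, right: str) -> bool:
        """Discretionary rule: only the object's owner may extend its ACL."""
        if self.owners.get(obj) != granter:
            self.audit_log.append(f"DENY {granter} grant {right} on {obj} to {subject}")
            return False
        self.acls[obj][subject].add(right)
        self.audit_log.append(f"GRANT {granter} {right} on {obj} to {subject}")
        return True

    def accesses_by(self, subject: str) -> List[str]:
        """Audit use from the slide: which objects did this subject actually access."""
        return [e for e in self.audit_log if e.startswith(f"PERMIT {subject} ")]


if __name__ == "__main__":
    rm = ReferenceMonitor(MATRIX, OWNERS)
    rm.check("bob", "payroll.xlsx", "read")
    rm.check("bob", "payroll.xlsx", "write")
    rm.grant("alice", "bob", "payroll.xlsx", "write")
    rm.check("bob", "payroll.xlsx", "write")
    print("\n".join(rm.audit_log))
```

The directory and the ACL carry the same information as the matrix; the difference is which lookup is cheap. Revoking everything a user holds is a single row deletion in the directory, while answering "who can write this file" is a single column lookup in the ACL, which is why operating systems such as NTFS keep the ACL with the object.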
Access Control List: one list per object, naming all the subjects allowed to access that object and their rights (the per-object counterpart of the access control directory).

Access Control Models
◼ Mandatory Access Control (MAC)
◼ Discretionary Access Control (DAC)
◼ Role-Based Access Control (Role-BAC)

Mandatory Access Control (MAC)
◼ It uses labels to identify access.
◼ Every subject needs to have a clearance to access the object.
◼ It is used widely in the military to protect very sensitive data.
◼ Labels:
❖ Top Secret level
❖ Secret level
❖ Confidential level
❖ For Official Use Only
For example, John has a Top Secret clearance to access the Nuclear Power Plant file. However, he is not allowed to access the 007 and Happy Sumo files. Since John has Top Secret clearance, he can be granted access to lower-level files.
Gibson, D. (2017). CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide.

Discretionary Access Control (DAC)
◼ Every object has an owner, and the owner establishes who may access that object.
◼ Used widely by Windows and UNIX.
◼ NTFS uses the DAC model.
For example, some users can have Read only, while others can have Full Control. Every object has an owner. Windows refers to each user by its SID (security identifier). Use this command to get the SID: wmic useraccount get sid,name (wmic is deprecated on current Windows releases; the PowerShell cmdlet Get-LocalUser exposes the same SID property). Every object has a DACL (discretionary access control list) that identifies who can access it, as shown in the figure. Permissions exist in NTFS in Windows, for example.

Role-Based Access Control (Role-BAC)
◼ Access control by role recognizes common needs of all members of a set of subjects.
◼ We need to distinguish among kinds of users: we want some users (such as administrators) to have significant privileges, and we want others (guests) to have lower privileges.
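Worked example, added here and not part of the slides, for the mandatory access control slides above. It uses the slide's four labels in order, and goes one standard step beyond the slide: a label is a (level, compartments) pair, so the check is "clearance level at least the label's level and clearance compartments a superset of the label's", which is how the need-to-know policy from the earlier slide is enforced alongside levels. The slide does not say why John's Top Secret clearance does not cover the 007 and Happy Sumo files; placing those files in compartments he lacks is an assumption made for the example, and the other file and user names are constructed.

```python
"""Mandatory access control with levels and compartments (added example).

Labels and their order come from the slide; the compartments, the Cafeteria Menu
file and the user Sally are constructed assumptions."""
from typing import Dict, FrozenSet, List, NamedTuple

# Slide's labels, lowest to highest.
LEVELS: List[str] = ["For Official Use Only", "Confidential", "Secret", "Top Secret"]


class Label(NamedTuple):
    level: str
    compartments: FrozenSet[str] = frozenset()  # need-to-know categories


def dominates(high: Label, low: Label) -> bool:
    """high dominates low when its level is at least as high and it holds every
    compartment of low. This is the lattice order MAC decisions are made in."""
    return (LEVELS.index(high.level) >= LEVELS.index(low.level)
            and high.compartments >= low.compartments)


def can_read(clearance: Label, file_label: Label) -> bool:
    """Read down is permitted, read up is not: the clearance must dominate the file."""
    return dominates(clearance, file_label)


# Constructed objects. The 007 and Happy Sumo compartments are an assumption.
FILES: Dict[str, Label] = {
    "Nuclear Power Plant": Label("Top Secret"),
    "007": Label("Secret", frozenset({"MI6"})),
    "Happy Sumo": Label("Confidential", frozenset({"Sushi"})),
    "Cafeteria Menu": Label("For Official Use Only"),
}

# Constructed subjects with their clearances.
USERS: Dict[str, Label] = {
    "John": Label("Top Secret"),
    "Sally": Label("Secret", frozenset({"MI6"})),
}


def readable_by(user: str) -> List[str]:
    """Every file whose label the user's clearance dominates, in name order."""
    clearance = USERS[user]
    return sorted(name for name, label in FILES.items() if can_read(clearance, label))


if __name__ == "__main__":
    for user in USERS:
        print(user, "can read:", readable_by(user))
```

Unlike the discretionary model on the next slide, nothing John or a file's creator does can change these answers; only whoever administers the labels and clearances can, which is exactly the property the military use case wants.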
Role-BAC Example
◼ Objects are bank accounts.
◼ Subjects are bank employees.
◼ The set of bank accounts forms a data type.
◼ We define procedures for:
Crediting accounts (CA)
Debiting accounts (DA)
Transferring funds between accounts (TF)
Creating new accounts (NA)
◼ We define roles: Teller, Clerk, Administrator.
◼ We assign procedures to roles:
Teller: CA and DA
Clerk: TF
Administrator: NA. The Administrator role can run all.
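Worked example, added here and not part of the slides, for the Role-BAC bank example. Employees get roles, roles get procedures, and every procedure call on the bank-account data type passes through one authorization gate that only asks which roles the caller holds. The slide says the Administrator role can run all procedures; the example achieves that with role inheritance (Administrator inherits Teller and Clerk), which is an assumption about the mechanism. Employee and account names are constructed.

```python
"""Role-based access control for the slide's bank example (added example).

Subjects are bank employees, objects are bank accounts, and the only way to touch
an account is through one of the four procedures. Employee names, account names
and the role hierarchy are constructed for the example."""
from typing import Dict, List, Set

# Procedures on the bank-account data type (slide abbreviations).
PROCEDURES = {"CA": "credit account", "DA": "debit account",
              "TF": "transfer funds", "NA": "create new account"}

# Procedures assigned to each role, as on the slide.
ROLE_PROCEDURES: Dict[str, Set[str]] = {
    "Teller": {"CA", "DA"},
    "Clerk": {"TF"},
    "Administrator": {"NA"},
}

# "The Administrator role can run all": modelled as role inheritance (assumption).
ROLE_INHERITS: Dict[str, Set[str]] = {"Administrator": {"Teller", "Clerk"}}


def permissions(role: str) -> Set[str]:
    """Procedures a role may run, including those inherited from junior roles."""
    perms = set(ROLE_PROCEDURES.get(role, set()))
    for junior in ROLE_INHERITS.get(role, set()):
        perms |= permissions(junior)
    return perms


class Bank:
    def __init__(self) -> None:
        self.accounts: Dict[str, int] = {}       # objects
        self.roles: Dict[str, Set[str]] = {}     # subject -> roles held
        self.audit: List[str] = []

    def assign_role(self, employee: str, role: str) -> None:
        self.roles.setdefault(employee, set()).add(role)

    def authorized(self, employee: str, proc: str) -> bool:
        """The decision depends only on the roles held, never on the individual."""
        return any(proc in permissions(r) for r in self.roles.get(employee, set()))

    def run(self, employee: str, proc: str, *args) -> bool:
        """Single gate in front of every procedure; returns False when denied."""
        if not self.authorized(employee, proc):
            self.audit.append(f"DENY {employee} {proc} {args}")
            return False
        handler = {"CA": self._ca, "DA": self._da, "TF": self._tf, "NA": self._na}[proc]
        handler(*args)
        self.audit.append(f"PERMIT {employee} {proc} {args}")
        return True

    # The procedures themselves; reachable only through run().
    def _na(self, acct: str) -> None:
        self.accounts[acct] = 0

    def _ca(self, acct: str, amount: int) -> None:
        self.accounts[acct] += amount

    def _da(self, acct: str, amount: int) -> None:
        if self.accounts[acct] < amount:
            raise ValueError("insufficient funds")
        self.accounts[acct] -= amount

    def _tf(self, src: str, dst: str, amount: int) -> None:
        self._da(src, amount)
        self._ca(dst, amount)


if __name__ == "__main__":
    bank = Bank()
    bank.assign_role("tina", "Teller")
    bank.assign_role("ada", "Administrator")
    bank.run("ada", "NA", "acct1")
    bank.run("tina", "CA", "acct1", 100)
    bank.run("tina", "NA", "acct2")  # denied: Tellers cannot create accounts
    print("\n".join(bank.audit))
```

When a teller is promoted to clerk, only the role assignment changes; no per-account or per-employee permission needs editing, which is the administrative win of Role-BAC over a raw access matrix.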