IAAA.pdf

Full Transcript

IAAA (Identi cation and Authentication, Authorization
and Accountability)
fi
Identification

- Your name, username, ID number, employee
number, SSS etc.

- “I am Anthony”
AUTHENTICATION

“Prove you are Anthony”. – Should always be done with multi-factor
authentication!

*Something you know - Type 1 Authentication (passwords, pass phrase,
PIN, etc.).

*Something you have - Type 2 Authentication (ID, passport, smart card,
token, cookie on PC, etc.).

*Something you are - Type 3 Authentication (and Biometrics)
(Fingerprint, iris scan, facial geometry, etc.).
Something you know - Type 1 Authentication:

Passwords, pass phrase, PIN etc., also called Knowledge factors.
⬧ The subject uses these to authenticate their identity, if they know the
secret, they must be who they say they are.
⬧ This is the most commonly used form of authentication, and a
password is the most common knowledge factor.
⬧ The user is required to prove knowledge of a secret in order to
authenticate.
⬧ It is the weakest form of authentication and can easily be
compromised.
⬧ Secret questions like "Where were you born?" are poor examples of
a knowledge factor, it is known by a lot of people and can often be
researched easily.
▫ Sarah Palin had her email account hacked during the 2008 US
Presidential campaign using her secret questions. Since she
used basic ones (high school and birthday, …) the hackers
could easily find that information online, he reset her password
with the information and gained full control of her email
account.
⬧ Passwords:
▫ It is always easier to guess or steal passwords than it is to break
the encryption.
▫ We have password policies to ensure they are as secure as possible.
→ They should contain minimum length, upper/lower case letters, numbers, and
symbols, they should not contain full words or other easy to guess phrases.
→ They have an expiration date, password reuse policy and minimum use before
users can change it again.
→ Common and less secure passwords often contain:
The name of a pet, child, family member, significant other, anniversary dates,
birthdays,
birthplace, favorite holiday, something related to a favorite sports team, or the word
"password".
Winter2024 is not a good password, even if it does fulfil the password requirements.
Key Stretching – Adding 1-2 seconds to password verification.
▫ If an attacker is brute forcing a password and needs millions
of
tries it will become an unfeasible attack.
▫ Brute Force Attacks (Limit number of wrong logins):
▫ Uses the entire key space (every possible key), with enough
time any cipher text can be decrypted.
▫ Effective against all key based ciphers except the one-time
pad, it would eventually decrypt it, but it would also generate so
many false positives the data would be useless.
Clipping Levels: Clipping levels are in place to prevent
administrative overhead.
→ It allows authorized users who forget or mistype their
password to still have a couple of extra tries.
→ It prevents password guessing by locking the user
account for a certain timeframe (an hour), or until
unlocked by an administrator.
Password Management:
▫ We covered some password requirements, here are the official
recommendations by the U.S. Department of Defense and
Microsoft.
→ Password history = set to remember 24 passwords.
→ Maximum password age = 90 days.
→ Minimum password age = 2 days (to prevent users from
cycling through 24 passwords to return to their favorite
password again).
→ Minimum password length = 14 characters.
→ Passwords must meet complexity requirements = true.
→ Store password using reversible encryption = false.
Something you have: Type 2 Authentication

⬧ ID, passport, smart card, token, cookie on PC, these are called
Possession factors.
▫ The subject uses these to authenticate their identity, if they
have the item, they must be who they say they are.
▫ Simple forms can be credit cards, you have the card, and you
know the pin, that is multifactor authentication.
▫ Most also assume a shared trust, you have your passport, it
looks like you on the picture, we trust the issuer, so we assume
the passport is real.
⬧ Single-Use Passwords:
▫ Having passwords which are only valid once makes many potential attacks
ineffective, just like one-time pads.
▫ While they are passwords, it is something you have in your possession, not
something you know.
▫ Some are one-time-pads with a challenge-response or just a pin or phase sent
to your phone or email you need to enter to con rm the transaction or the login.
▫ Most users nd single use passwords extremely inconvenient.

⬧ They are widely implemented in online banking, where they are known as
TANs (Transaction Authentication Numbers).
▫ Most private users only do a few transactions each week, the single-use
passwords has not led to customers refusing to use it.
→ It is their money; they actually care about keeping those safe
fi
fi
⬧ Smart Cards and Tokens (contact or contactless):
▫ They contain a computer circuit using an ICC (Integrated Circuit
Chip).
▫ Contact Cards - Inserted into a machine to be read.
→ This can be credit cards you insert into the chip reader
or the DOD CAC (Common Access Card).
▫ Contactless Cards - can be read by proximity.
→ Key fobs (mostly used in automobiles) or credit cards where
you just hold it close to a reader.
→ They use a RFID (Radio Frequency Identi cation) tag
(transponder) which is then read by a RFID Transceiver.

fi
Magnetic Stripe Cards:
→ Swiped through a reader, no circuit.
- A magnetic stripe card is generally used in
transportation tickets, identity cards, and credit cards
→ Very easy to duplicate.
Tokens:
▫ HOTP and TOTP can be either hardware or software
based.
▫ Cellphone software applications are more common now.
→ HOTP (HMAC-based One-Time Password):
Shared secret and incremental counter,
generate code when asked, valid till used.
→ TOTP (Time-based One-Time Password):
Time based with shared secret, often generated
every 30 or 60 seconds, synchronized clocks are
critical.
Something you are - Type 3 Authentication (Biometrics)
⬧ Fingerprint, iris scan, facial geometry etc., these are also called
realistic
authentication.
▫ The subject uses these to authenticate their identity, if they are
that, they must be who they say they are.
▫ Something that is unique to you, this one comes with more issues
than the two other common authentication factors.
▫ We can allow unauthorized people into our facilities or systems if
we accept someone by mistake. (False Accept)
▫ We can prevent our authorized peoplefrom entering our facilities
if we refuse them by mistake. (False Reject).
Errors for Biometric Authentication:
⬧ FRR (False rejection rate)
Type 1 error:
▫ Authorized users are rejected.
▫ This can be too high settings - 99% accuracy on
biometrics.

⬧ FAR (False accept rate) Type 2 error:
▫ Unauthorized user is granted access.
▫ This is a very serious error.
⬧ We want a good mix of FRR and FAR where they meet on the
graph is the CER (Crossover Error Rate), this is where we want
to be.
▪ Biometric identi ers are often categorized as physiological
and behavioral characteristics.
⬧ Physiological Characteristics uses the shape of the body,
these do not change unless a drastic event occurs.
▫ Fingerprint, palm veins, facial recognition, DNA, palm print,
hand geometry, iris recognition, retina, and odor.

⬧ Behavioral Characteristics uses the pattern of behavior of
a person, these can change, but most often revert back to
the baseline.
▫ Typing rhythm, how you walk, signature and voice.
fi
▪ Issues with Biometric Authentication:

⬧ We also need to respect and protect our employee’s privacy:
▫ Some ngerprint patterns are related to chromosomal diseases.
▫ Iris patterns could reveal genetic sex, retina scans can show if aperson is pregnant
or diabetic.
⬧ Hand vein patterns could reveal vascular diseases.
⬧ Most behavioral biometrics could reveal neurological diseases, etc.
⬧ While passwords and smart cards should be safe because you keep them a secret
and secure, biometrics is inherently not and something others can easily nd out.
⬧ Attackers can take pictures of your face, your ngerprints, your hands, your ears
and print good enough copies to get past a biometric scan.
▫ The US Of ce of Personnel Management got hacked and lost 5.6 million federal
employees’ ngerprints.
fi
fi
fi
fi
fi
 ⬧ It is possible to copy ngerprints from your high-resolution social media
posts if you do a peace sign like the one on the right here.
⬧ How you type, sign your name and your voice pattern can be recorded,
also not too dif cult to cheat biometrics if it is worth the effort.
⬧ Some types are still inherently more secure, but they are often also
more invasive.
⬧ Lost passwords and ID cards can be replaced with new different ones,
biometrics can’t.
⬧ Which should make us question even more the mass collection of
biometric data.
▫ When Home Depot loses 10 million credit card numbers it is bad, but they can be reissued.
▫ The FBI has a database with 52 million facial images and Homeland Security and U.S.
Customs and Border Patrol is working on adding the iris scans and 170 million foreigner
ngerprints to the FBI’s database.
▫ The compromises of the future will have much more wide-reaching rami cations than the
ones we have seen until now.
fi
fi
fi
fi
AUTHORIZATION
 Authorization
▪ What are you allowed to access?
▪ We use Access Control models. What and how we implement depends
on the organization and what our security goals are.
▪ More on this in later when we cover DAC,
MAC, RBAC, ABAC, and RUBAC.

▪ Least Privilege and Need to Know.
 Least Privilege – (Minimum necessary access) Give users/systems
exactly the access they need, no more, no less.
 Need to Know – Even if you have access, if you do not need to know,
then you should not access the data.
▪ DAC (Discretionary Access Control) - Often used when
Availability is most important:

⬧ Access to an object is assigned at the discretion of the
object owner.
⬧ The owner can add, remove rights, commonly used by
most OS’s’.
- The most common example is file and folder permissions
that exist in Windows and Unix-based operating systems
⬧ Uses DACL’s (Discretionary ACL), based on user identity.
MAC (Mandatory Access Control) - Often used when
Con dentiality is most important:
Access to an object is determined by labels and clearance, this is often used in the military
or in organizations where con dentiality is very important.

⬧ Labels: Objects have Labels assigned to them; the subject's clearance must dominate the
object's label.
▫ The label is used to allow Subjects with the right clearance access them.
▫ Labels are often more granular than just “Top Secret”, they can be “Top Secret – Nuclear”.

⬧ Clearance: Subjects have Clearance assigned to them.
▫ Based on a formal decision on a subject's current and future trustworthiness.
▫ The higher the clearance the more in depth the background checks should be.
fi
fi
▪ RBAC (Role-Based Access Control) - Often used
when Integrity is most important:
⬧ Policy neutral access control mechanism de ned around roles and privileges.
⬧ A role is assigned permissions, and subjects in that role are added to the group, if they
move to another position they are moved to the permissions group for that position.
⬧ It makes administration of 1,000's of users and 10,000's of permissions much easier
to manage.
⬧ The most commonly used form of access control.
⬧ If implemented right, it can also enforce separation of duties and prevent
authorization/privilege creep.
▫ We move employees transferring within the organization from one role to another and
we do not just add the new role to the old one.
fi
ABAC (Attribute-Based Access Control):
⬧ Access to objects is granted based on subjects, objects, AND
environmental conditions.

⬧ Attributes could be:
▫ Subject (user) – Name, role, ID, clearance, etc.
▫ Object (resource) – Name, owner, and date of creation.
▫ Environment – Location and/or time of access, and threat levels.
Ex: A doctor may have access to a patient's medical records only during
their shift and only if they are in the hospital premises

⬧ Can also be referred to as policy-based access control (PBAC) or
claims-based access control (CBAC).
▪ Context-Based Access Control:
⬧ Access to an object is controlled based on certain
contextual parameters, such as location, time,
sequence of responses, access history.
⬧ Providing the username and password combination
followed by a challenge and response mechanism such
as CAPTCHA, ltering the access based on MAC
addresses on wireless, or a rewall ltering the data
based on packet analysis are all examples of context-
dependent access control mechanisms
fi
fi
fi
▪ Content-Based Access Control:
⬧ Access is provided based on the attributes or content of an
object, then it is known as a content-dependent access
control.
⬧ In this type of control, the value and attributes of the content
that is being accessed determine the control requirements.
⬧ Hiding or showing menus in an application, views in
databases, and access to confidential information are all
content-dependent.
ACCOUNTABILITY
Also known as Auditing
▪ Traces an Action to a Subject's Identity:

⬧ Proves who performed given action, it provides non-
repudiation.
⬧ Group or shared accounts are never OK, they have
zero accountability.
⬧ Uses audit trails and logs, to associate a subject with its
actions.
▪ Non-repudiation.
 A user cannot deny having performed a certain action.
This uses both Authentication and Integrity.

▪ Subject and Object.
 Subject – (Active) Most often users but can also be
programs – Subject manipulates Object.
 Object – (Passive) Any passive data (both physical paper
and data) – Object is manipulated by Subject.
 Some can be both at different times, an active program is
a subject; when closed, the data in program can be object.