Jom Belajar Keselamatan Rangkaian

1Rangkaian!,Kebolehcapaian didahulukan,Keselamatan diutamakan!!

Thursday, October 29, 2009

Authentication and Access Control

What is Authentication?
  • Verification of identity of someone who generated some data
  • Relates to identity verification
  • Classifications of identity verification:
    • by something known e.g. password
    • by something possessed e.g. smart card, passport
    • by physical characteristics (biometrics) e.g. finger prints, palm prints, retina, voice
    • by a result of involuntary action : signature
  • Requirements – must be able to verify that:
    • Message came from apparent source or author
    • Contents have not been altered
    • Sometimes, it was sent at a certain time or sequence
  • Protection against active attack (falsification of data and transactions)
  • Protection of passwords
    • Don’t keep your password to anybody
    • Don’t write or login your password at everywhere
    • Etc.
  • Choosing a good password
    • Hard to guess and easy to remember
    • Characteristics of a good password
    • Not shorter than six characters
    • Not patterns from the keyboard
  • Calculations on password
    • Password population, N =rs
    • Probability of guessing a password = 1/N
    • Probability of success, P=nt/N
Time taken to crack password

Techniques for guessing passwords
  • Try default passwords.
  • Try all short words, 1 to 3 characters long.
  • Try all the words in an electronic dictionary(60,000).
  • Collect information about the user’s hobbies, family names, birthday, etc.
  • Try user’s phone number, social security number, street address, etc.
  • Try all license plate numbers
  • Use a Trojan horse
  • Tap the line between a remote user and the host system.
Password Selecting Strategies
  • User education
  • Computer-generated passwords
  • Reactive password checking
  • Proactive password checking
  • Biometric is derived from the Greek words bio (= life) and metric (= to measure)
  • Biometrics is the measurement and statistical analysis of biological data
  • In IT, biometrics refers to technologies for measuring and analysing human body characteristics for authentication purposes
  • Definition by Biometrics Consortium – automatically recognising a person using distinguishing traits
Biometric Identifiers
  • Universality
  • Uniqueness
  • Stability
  • Collectability
  • Performance
  • Acceptability
  • Forge resistance
Biometric Technologies
  • Fingerprint biometrics – fingerprint recognition
  • Eye biometrics – iris and retinal scanning
  • Face biometrics – face recognition using visible or infrared light (called facial thermography)
  • Hand geometry biometrics – also finger geometry
  • Signature biometrics – signature recognition
  • Voice biometrics – speaker recognition
Other Biometric That Can Be Use
  • Vein recognition (hand)
  • Palmprint
  • Gait recognition
  • Body odour measurements
  • Ear shape
  • DNA
  • Keystroke dynamics
Static vs. dynamic biometric
  • Static (also called physiological) biometric methods – authentication based on a feature that is always present
  • Dynamic (also called behavioural) biometric methods – authentication based on a certain behaviour pattern
Classification of biometric methods
  • Static
    • Fingerprint recognition
    • Retinal scan
    • Iris scan
    • Hand geometry
  • Dynamic
    • Signature recognition
    • Speaker recognition
    • Keystroke dynamics
Biometric system architecture
Major components of a biometric system:
  • Data collection
  • Signal processing
  • Matching
  • Decision
  • Storage
  • Transmission
Biometric system model

Fingerprint Recognition
  • Ridge patterns on fingers uniquely identify people
  • Classification scheme devised in 1890s
  • Major features: arch, loop, whorl
  • Each fingerprint has at least one of the major features and many “small features”
  • In an automated system, the sensor must minimise the image rotation
  • Locate minutiae and compare with reference template
  • Minor injuries are a problem
  • Liveness detection is important (detached real fingers, gummy fingers, latent fingerprints)
Paterns of fingerprints

Fingerprint Authentication
Basic steps for fingerprint authentication:
  • Image acquisition
  • Noise reduction
  • Image enhancement
  • Feature extraction
  • Matching
Fingerprints Authentication Advantage and Disadvantage
  • Advantages
    • Mature technology
    • Easy to use/non-intrusive
    • High accuracy (comparable to PIN authentication)
    • Long-term stability
    • Ability to enrol multiple fingers
    • Comparatively low cost
  • Disadvantages
    • Inability to enrol some users
    • Affected by skin condition
    • Sensor may get dirty
    • Association with forensic applications
Fingerprint Recongnition Sensors:
Biometric Threats:
Access Control
Define as “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner“
  • central element of computer security
  • assume have users and groups
    • authenticate to system
    • assigned access rights to certain resources on system
Access Controls Principles
Access Control Requirements
  • reliable input
  • fine and coarse specifications
  • least privilege
  • separation of duty
  • open and closed policies
  • policy combinations, conflict resolution
  • administrative policies
Access Control Elements
  • subject - entity that can access objects
    • a process representing user/application
    • often have 3 classes: owner, group, world
  • object - access controlled resource
    • e.g. files, directories, records, programs etc
    • number/type depend on environment
  • access right - way in which subject accesses an object
    • e.g. read, write, execute, delete, create, search
Discretionary Access Control
  • often provided using an access matrix
    • lists subjects in one dimension (rows)
    • lists objects in the other dimension (columns)
    • each entry specifies access rights of the specified
  • subject to that object
    • access matrix is often sparse
    • can decompose by either row or column
  • Access Control Matrix or Access Matrix is an abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system
  • An Access Control Matrix is a table in which
    • each row represents a subject,
    • each column represents an object, and
    • each entry is the set of access rights for that subject to that object.
  • ACM entry can also be a function that determines rights.
    • E.g. one subject may not be able to access an object when another subject is already writing modifying it
Access control List

Access control List
  • In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.
UNIX File Concepts
  • UNIX files administered using inodes
    • control structure with key info on file
  • attributes, permissions of a single file
    • may have several names for same inode
    • have inode table / list for all files on a disk
  • copied to memory when disk mounted
  • directories form a hierarchical tree
    • may contain files or other directories
    • are a file of names and inode numbers
UNIX File Access Control

  • “set user ID”(SetUID) or “set group ID”(SetGID)
    • system temporarily uses rights of the file owner / group in
  • addition to the real user’s rights when making access
  • generally accessible
  • control decisions
    • enables privileged programs to access files / resources not
  • sticky bit
    • on directory limits rename/move/delete to owner
  • superuser
    • is exempt from usual access control restrictions
UNIX Access Control Lists
  • modern UNIX systems support ACLs
  • can specify any number of additional users / groups and associated rwx permissions
  • ACLs are optional extensions to std perms
  • group perms also set max ACL perms
  • when access is required
    • select most appropriate ACL
  • owner, named users, owning / named groups, others
    • check if have sufficient permissions for access
File System Security
  • in Linux everything as a file
    • e.g. memory, device-drivers, named pipes, and
  • other system resources
    • hence why filesystem security is so important
  • I/O to devices is via a “special” file
    • e.g. /dev/cdrom
  • have other special files like named pipes
    • a conduit between processes / programs
Users and Groups
  • a user-account (user)
    • represents someone capable of using files
    • associated both with humans and processes
  • a group-account (group)
    • is a list of user-accounts
    • users have a main group
    • may also belong to other groups
  • users & groups are not files

Numeric File Permissions


Post a Comment

Subscribe to Post Comments [Atom]

<< Home