Authentication and Access Control
What is Authentication?
Techniques for guessing passwords
Major components of a biometric system:
Fingerprint Recognition
Fingerprint Authentication
Basic steps for fingerprint authentication:
Biometric Threats:
Access Control
Defined as “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
Access Control Requirements
Access Control List
File System Security
Numeric File Permissions
- Verification of identity of someone who generated some data
- Relates to identity verification
- Classifications of identity verification:
- by something known e.g. password
- by something possessed e.g. smart card, passport
- by physical characteristics (biometrics) e.g. fingerprints, palm prints, retina, voice
- by a result of involuntary action: signature
- Requirements – must be able to verify that:
- Message came from apparent source or author
- Contents have not been altered
- Sometimes, it was sent at a certain time or sequence
- Protection against active attack (falsification of data and transactions)
- Protection of passwords
- Don’t give your password to anybody
- Don’t write your password down or enter it just anywhere
- Etc.
- Choosing a good password
- Hard to guess and easy to remember
- Characteristics of a good password
- Not shorter than six characters
- Not patterns from the keyboard
- Calculations on password
- Password population, $N = r^s$
- Probability of guessing a password $= 1/N$
- Probability of success, $P = nt/N$
Techniques for guessing passwords
- Try default passwords.
- Try all short words, 1 to 3 characters long.
- Try all the words in an electronic dictionary (60,000).
- Collect information about the user’s hobbies, family names, birthday, etc.
- Try user’s phone number, social security number, street address, etc.
- Try all license plate numbers
- Use a Trojan horse
- Tap the line between a remote user and the host system.
- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking
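A proactive password checker that rejects candidates the guessing techniques listed above would find, together with the P = nt/N estimate, as an added Python example that is not part of the original notes. The word lists and user facts are small constructed samples, and reading n as guesses per unit time and t as the time available is an assumption, since the notes give only the symbols.

```python
import re

# Constructed sample lists (assumptions); a real checker would load full lists.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "guest"}
DICTIONARY = {"dragon", "monkey", "sunshine", "football", "welcome"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_pattern(pw, run=4):
    """True if pw contains `run` adjacent keys of one row, left-to-right or reversed."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_password(pw, user_facts=()):
    """Return the reasons to reject pw; an empty list means it is accepted."""
    reasons = []
    low = pw.lower()
    alnum = re.sub(r"[^a-z0-9]", "", low)
    letters = re.sub(r"[^a-z]", "", low)      # "Dragon1!" -> "dragon"
    if len(pw) < 6:
        reasons.append("shorter than six characters")
    if low in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if letters in DICTIONARY:
        reasons.append("dictionary word")
    if has_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    for fact in user_facts:                   # names, birthday, phone number, ...
        norm = re.sub(r"[^a-z0-9]", "", fact.lower())
        if len(norm) >= 3 and norm in alnum:
            reasons.append("contains personal information")
            break
    return reasons


def guess_success_probability(r, s, n, t):
    """P = n*t / N with N = r**s; n = guesses per unit time, t = time available
    (assumed meanings, the notes give only the symbols)."""
    return min(1.0, n * t / r ** s)
```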
- Biometric is derived from the Greek words bio (= life) and metric (= to measure)
- Biometrics is the measurement and statistical analysis of biological data
- In IT, biometrics refers to technologies for measuring and analysing human body characteristics for authentication purposes
- Definition by Biometrics Consortium – automatically recognising a person using distinguishing traits
- Universality
- Uniqueness
- Stability
- Collectability
- Performance
- Acceptability
- Forge resistance
- Fingerprint biometrics – fingerprint recognition
- Eye biometrics – iris and retinal scanning
- Face biometrics – face recognition using visible or infrared light (called facial thermography)
- Hand geometry biometrics – also finger geometry
- Signature biometrics – signature recognition
- Voice biometrics – speaker recognition
- Vein recognition (hand)
- Palmprint
- Gait recognition
- Body odour measurements
- Ear shape
- DNA
- Keystroke dynamics
- Static (also called physiological) biometric methods – authentication based on a feature that is always present
- Dynamic (also called behavioural) biometric methods – authentication based on a certain behaviour pattern
- Static
- Fingerprint recognition
- Retinal scan
- Iris scan
- Hand geometry
- Dynamic
- Signature recognition
- Speaker recognition
- Keystroke dynamics
Major components of a biometric system:
- Data collection
- Signal processing
- Matching
- Decision
- Storage
- Transmission
Fingerprint Recognition
- Ridge patterns on fingers uniquely identify people
- Classification scheme devised in the 1890s
- Major features: arch, loop, whorl
- Each fingerprint has at least one of the major features and many “small features”
- In an automated system, the sensor must minimise the image rotation
- Locate minutiae and compare with reference template
- Minor injuries are a problem
- Liveness detection is important (detached real fingers, gummy fingers, latent fingerprints)
Fingerprint Authentication
Basic steps for fingerprint authentication:
- Image acquisition
- Noise reduction
- Image enhancement
- Feature extraction
- Matching
- Advantages
- Mature technology
- Easy to use/non-intrusive
- High accuracy (comparable to PIN authentication)
- Long-term stability
- Ability to enrol multiple fingers
- Comparatively low cost
- Disadvantages
- Inability to enrol some users
- Affected by skin condition
- Sensor may get dirty
- Association with forensic applications
Biometric Threats:
Access Control
Defined as “The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
- central element of computer security
- assume have users and groups
- authenticate to system
- assigned access rights to certain resources on system
Access Control Requirements
- reliable input
- fine and coarse specifications
- least privilege
- separation of duty
- open and closed policies
- policy combinations, conflict resolution
- administrative policies
- subject - entity that can access objects
- a process representing user/application
- often have 3 classes: owner, group, world
- object - access controlled resource
- e.g. files, directories, records, programs etc
- number/type depend on environment
- access right - way in which subject accesses an object
- e.g. read, write, execute, delete, create, search
- often provided using an access matrix
- lists subjects in one dimension (rows)
- lists objects in the other dimension (columns)
- each entry specifies access rights of the specified subject to that object
- access matrix is often sparse
- can decompose by either row or column
- Access Control Matrix or Access Matrix is an abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system
- An Access Control Matrix is a table in which
- each row represents a subject,
- each column represents an object, and
- each entry is the set of access rights for that subject to that object.
- ACM entry can also be a function that determines rights.
- E.g. one subject may not be able to access an object when another subject is already writing/modifying it
Access Control List
- In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.
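The sparse access matrix and its two decompositions, by column into per-object ACLs and by row into per-subject lists (usually called capability lists), as an added Python example that is not part of the original notes. Apart from the (Alice, delete) entry on file WXY, the subjects, objects and rights are constructed, and the `active_writer` parameter is a hypothetical way to model an entry that is a function of system state.

```python
from collections import defaultdict

# Constructed sparse access matrix: only non-empty cells are stored.
# (Alice, delete) on WXY is the notes' ACL example; the rest are sample values.
MATRIX = {
    ("Alice", "WXY"): {"read", "write", "delete"},
    ("Bob", "WXY"): {"read"},
    ("Bob", "payroll"): {"read", "write"},
    ("Carol", "payroll"): {"read"},
}


def by_column(matrix):
    """Decompose by object: one ACL per object, {object: {subject: rights}}."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def by_row(matrix):
    """Decompose by subject: {subject: {object: rights}}."""
    rows = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        rows[subject][obj] = set(rights)
    return dict(rows)


def allowed(acls, subject, obj, right, active_writer=None):
    """Closed policy: deny unless the object's ACL grants the right.

    active_writer models an entry that is a function of system state: while a
    different subject is writing the object, every access to it is refused.
    """
    if active_writer is not None and active_writer != subject:
        return False
    return right in acls.get(obj, {}).get(subject, set())
```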
- UNIX files administered using inodes
- control structure with key info on file
- attributes, permissions of a single file
- may have several names for same inode
- have inode table / list for all files on a disk
- copied to memory when disk mounted
- directories form a hierarchical tree
- may contain files or other directories
- are a file of names and inode numbers
- “set user ID” (SetUID) or “set group ID” (SetGID)
- system temporarily uses rights of the file owner / group in addition to the real user’s rights when making access control decisions
- enables privileged programs to access files / resources not generally accessible
- sticky bit
- on directory limits rename/move/delete to owner
- superuser
- is exempt from usual access control restrictions
- modern UNIX systems support ACLs
- can specify any number of additional users / groups and associated rwx permissions
- ACLs are optional extensions to std perms
- group perms also set max ACL perms
- when access is required
- select most appropriate ACL
- owner, named users, owning / named groups, others
- check if have sufficient permissions for access
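The entry-selection order listed above (owner, named users, owning / named groups, others), with the group permission bits acting as the mask for extended entries, as an added Python example that is not part of the original notes. The dictionary layout, the UIDs and GIDs and `SAMPLE_ACL` are constructed, and the superuser rule is simplified to an unconditional allow.

```python
R, W, X = 4, 2, 1  # numeric permission bits: read, write, execute

# Constructed sample: owner 1000 rw-, named user 1001 rwx, owning group 100 r--,
# named group 200 rw-, mask rw-, others ---.
SAMPLE_ACL = {
    "owner": 1000, "owner_perms": R | W,
    "users": {1001: R | W | X},
    "group": 100, "group_perms": R,
    "groups": {200: R | W},
    "mask": R | W,
    "other": 0,
}


def acl_check(acl, uid, gids, want):
    """Return True if a process (uid, set of gids) may access with bits `want`."""
    if uid == 0:                        # superuser is exempt from the checks
        return True
    # The mask is the maximum any named user or group entry can grant.
    mask = acl.get("mask", R | W | X)
    if uid == acl["owner"]:             # 1. owner entry; the mask does not apply
        return (acl["owner_perms"] & want) == want
    if uid in acl.get("users", {}):     # 2. named user, limited by the mask
        return (acl["users"][uid] & mask & want) == want
    # 3. owning group and named groups: any matching entry may grant access
    matches = []
    if acl["group"] in gids:
        matches.append(acl["group_perms"])
    matches += [p for g, p in acl.get("groups", {}).items() if g in gids]
    if matches:
        return any((p & mask & want) == want for p in matches)
    return (acl["other"] & want) == want  # 4. everyone else
```

The first matching class decides: an owner whose own entry lacks write is denied write even when one of their groups has it.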
- in Linux everything is a file
- e.g. memory, device-drivers, named pipes, and other system resources
- hence why filesystem security is so important
- I/O to devices is via a “special” file
- e.g. /dev/cdrom
- have other special files like named pipes
- a conduit between processes / programs
- a user-account (user)
- represents someone capable of using files
- associated both with humans and processes
- a group-account (group)
- is a list of user-accounts
- users have a main group
- may also belong to other groups
- users & groups are not files
Numeric File Permissions