Lecture 4 ~Authentication & Access Control~
Assalamualaikum w.b.t...
In the lecture 4 class we were introduced to the chapter on Authentication & Access Control. This lecture is basically about how to verify identity and passwords. Topics covered in this lecture:
~Authentication
•Password
•Biometric
~Access control
•Matrix
•List
•Unix access control
What is Authentication?
~Verification of identity of someone who generated some data
~Relates to identity verification
~classifications of identity verification:
•by something known e.g. password
•by something possessed e.g. smart card, passport
•by physical characteristics (biometrics) e.g. finger prints, palm prints, retina,
voice
•by a result of involuntary action : signature
Authentication
~Requirements – must be able to verify that:
•Message came from apparent source or author
•Contents have not been altered
•Sometimes, it was sent at a certain time or sequence
~Protection against active attack (falsification of data and transactions)
Password
~Protection of passwords
•Don’t give your password to anybody
•Don’t write down or enter your password just anywhere
•Etc.
~Choosing a good password
•Criteria:
*Hard to guess and easy to remember
•Characteristics of a good password
*Not shorter than six characters
*Not patterns from the keyboard
*Etc.
~Calculations on password
•Password population, N = r^s
•Probability of guessing a password = 1/N
•Probability of success, P=nt/N
Example of Password Calculation
~Assume you choose characters from a-z and 0-9 and the number of characters required is 5.
•Determine how much time will be needed to get the right password if the capability of your computer is 400 MIPS.
•Give your opinion/conclusion from this problem.
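The calculation set up above, worked through in Python as an added example (not part of the original lecture notes). It reads r as the alphabet size, s as the password length, n as guesses per second and t as seconds, and it assumes one guess per instruction at 400 MIPS; the lecture states none of these explicitly.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits   # a-z and 0-9, so r = 36
# Assumption (not stated in the lecture): 400 MIPS = 4e8 instructions/s and
# one password guess costs one instruction, the best case for the attacker.
GUESSES_PER_SECOND = 400e6

def population(r, s):
    """Password population N = r^s: r symbols in the alphabet, s characters long."""
    return r ** s

def search_seconds(n_passwords, rate=GUESSES_PER_SECOND):
    """(worst case, average) seconds to hit one password by exhaustive search."""
    worst = n_passwords / rate
    return worst, worst / 2

def success_probability(n, t, n_passwords):
    """P = nt/N: n guesses per second sustained for t seconds, capped at 1."""
    return min(1.0, n * t / n_passwords)

def growth_table(lengths=range(5, 11), alphabet=ALPHABET):
    """Worst-case search time for each password length over the same alphabet."""
    rows = []
    for s in lengths:
        n_passwords = population(len(alphabet), s)
        rows.append((s, n_passwords, search_seconds(n_passwords)[0]))
    return rows

if __name__ == "__main__":
    for s, n_passwords, worst in growth_table():
        print(f"length {s:2d}: N = {n_passwords:>22,d}  worst case = {worst:16,.2f} s")
    n5 = population(36, 5)
    print("P(success within 0.05 s) =", round(success_probability(400e6, 0.05, n5), 3))
```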
Time taken to crack password
Techniques for guessing passwords
•Try default passwords.
•Try all short words, 1 to 3 characters long.
•Try all the words in an electronic dictionary (60,000).
•Collect information about the user’s hobbies, family names, birthday, etc.
•Try user’s phone number, social security number, street address, etc.
•Try all license plate numbers
•Use a Trojan horse
•Tap the line between a remote user and the host system.
Password Selecting Strategies
•User education
•Computer-generated passwords
•Reactive password checking
•Proactive password checking
Example of Password
~Based on the passwords given below, determine which passwords are good or bad,
include one reason for each password :
•UTeM1
•hon05da
•MyviT05
•haikal
•king
•zamrud
What is Biometric?
•The term is derived from the Greek words bio (= life) and metric (= to measure)
•Biometrics is the measurement and statistical analysis of biological data
•In IT, biometrics refers to technologies for measuring and analysing human body
characteristics for authentication purposes
•Definition by Biometrics Consortium – automatically recognising a person using
distinguishing traits
How does it work?
•Each person is unique
•What are the distinguishing traits that make each person unique?
•How can these traits be measured?
•How different are the measurements of these distinguishing traits for different
people?
Verification vs Identification
~Verification (one-to-one comparison) – confirms a claimed identity
•Claim identity using name, user id, …
~Identification (one-to-many comparison) – establishes the identity of a subject
from a set of enrolled persons
•Employee of a company?
•Member of a club?
•Criminal in forensics database?
Biometric Identifiers
•Universality
•Uniqueness
•Stability
•Collectability
•Performance
•Acceptability
•Forge resistance
Biometric Technologies
~Covered in ANSI X9.84-2003:
•Fingerprint biometrics – fingerprint recognition
•Eye biometrics – iris and retinal scanning
•Face biometrics – face recognition using visible or infrared light (called facial
thermography)
•Hand geometry biometrics – also finger geometry
•Signature biometrics – signature recognition
•Voice biometrics – speaker recognition
Other biometric methods
~Found in the literature:
•Vein recognition (hand)
•Palmprint
•Gait recognition
•Body odour measurements
•Ear shape
•DNA
•Keystroke dynamics
Static vs. dynamic biometric methods
~Static (also called physiological) biometric methods – authentication based on a
feature that is always present
~Dynamic (also called behavioural) biometric methods – authentication based on a
certain behaviour pattern
Classification of biometric methods
Static
•Fingerprint recognition
•Retinal scan
•Iris scan
•Hand geometry
Dynamic
•Signature recognition
•Speaker recognition
•Keystroke dynamics
Biometric system architecture
~Major components of a biometric system:
•Data collection
•Signal processing
•Matching
•Decision
•Storage
•Transmission
Biometric system model
Fingerprint Recognition
•Ridge patterns on fingers uniquely identify people
•Classification scheme devised in 1890s
•Major features: arch, loop, whorl
•Each fingerprint has at least one of the major features and many “small features”
•In an automated system, the sensor must minimise the image rotation
•Locate minutiae and compare with reference template
•Minor injuries are a problem
•Liveness detection is important (detached real fingers, gummy fingers, latent
fingerprints)
Features of fingerprints
Fingerprint authentication
~Basic steps for fingerprint authentication:
•Image acquisition
•Noise reduction
•Image enhancement
•Feature extraction
•Matching
Assessment – fingerprint recognition
Advantages
~Mature technology
~Easy to use/non-intrusive
~High accuracy (comparable to PIN authentication)
~Long-term stability
~Ability to enrol multiple fingers
~Comparatively low cost
Disadvantages
~Inability to enrol some users
~Affected by skin condition
~Sensor may get dirty
~Association with forensic applications
Fingerprint recognition: overview
Sensors
•Optical sensors
•Ultrasound sensors
•Chip-based sensors
•Thermal sensors
Integrated products
•For identification – AFIS systems
•For verification
Fingerprint recognition: sensors (I)
Fingerprint recognition: integrated systems (I)
Which biometric method / product is best?
~Depends on the application
•reliability
•security
•performance
•cost
•user acceptance
•liveness detection
•users that are unsuitable
•size of sensor
How good are biometric products?
~How can we find out, how good a biometric product is?
•Empirical tests of the product
~In 2002, there were two independent test series of biometric products
•in Japan
•in Germany
Different threat scenarios
Biometric Conclusions
~Biometric technology has great potential
~There are many biometric products around, regarding the different biometric
technologies
~Since September 11th, biometric products are pushed forward
~Shortcomings of biometric systems due to
•Manufacturers’ ignorance of security concerns
•Lack of quality control
•Standardisation problems
~Manufacturers have to take security concerns seriously
Access Control
~“The prevention of unauthorized use of a resource, including the prevention of use
of a resource in an unauthorized manner“
•central element of computer security
•assume have users and groups
*authenticate to system
*assigned access rights to certain resources on system
Access Control Principles
Access Control Requirements
~reliable input
~fine and coarse specifications
~least privilege
~separation of duty
~open and closed policies
~policy combinations, conflict resolution
~administrative policies
Access Control Elements
~subject - entity that can access objects
•a process representing user/application
•often have 3 classes: owner, group, world
~object - access controlled resource
•e.g. files, directories, records, programs etc
•number/type depend on environment
~access right - way in which subject accesses an object
•e.g. read, write, execute, delete, create, search
Discretionary Access Control
~often provided using an access matrix
•lists subjects in one dimension (rows)
•lists objects in the other dimension (columns)
•each entry specifies access rights of the specified subject to that object
•access matrix is often sparse
•can decompose by either row or column
Access Control Matrix
~Access Control Matrix or Access Matrix is an abstract, formal security model of
protection state in computer systems, that characterizes the rights of each subject
with respect to every object in the system
Access Control Matrix (ACM)
~An Access Control Matrix is a table in which
*each row represents a subject,
*each column represents an object, and
*each entry is the set of access rights for that subject to that object.
~ACM entry can also be a function that determines rights.
*E.g. one subject may not be able to access an object when another subject is already writing or modifying it
Access Control List
In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.
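The access matrix and its decomposition by column and by row, as an added Python example (not from the original lecture). The subjects, objects and rights are constructed, apart from the (Alice, delete) entry on file WXY quoted above; the per-subject rows are what is commonly called capability lists.

```python
from collections import defaultdict

# Constructed sample matrix: rows are subjects, columns are objects, each entry
# is the set of access rights. Empty cells are simply absent (sparse matrix).
ACM = {
    "alice": {"WXY": {"read", "write", "delete"}, "payroll.db": {"read"}},
    "bob":   {"WXY": {"read"}},
    "carol": {"report.doc": {"read", "write"}},
}

def allowed(acm, subject, obj, right):
    """Reference check against the full matrix: is `right` in cell (subject, obj)?"""
    return right in acm.get(subject, {}).get(obj, set())

def to_acls(acm):
    """Decompose by column: one access control list per object."""
    acls = defaultdict(dict)
    for subject, row in acm.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)

def to_capability_lists(acm):
    """Decompose by row: for each subject, the objects it can reach and how."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in acm.items()}

def fill(acm):
    """(non-empty cells, total cells) to show how sparse the matrix is."""
    objects = {o for row in acm.values() for o in row}
    return sum(len(row) for row in acm.values()), len(acm) * len(objects)

def acl_allowed(acls, subject, obj, right):
    """Same decision as allowed(), but made from the object's ACL alone."""
    return right in acls.get(obj, {}).get(subject, set())

if __name__ == "__main__":
    acls = to_acls(ACM)
    print("ACL for WXY:", acls["WXY"])
    print("alice may delete WXY:", acl_allowed(acls, "alice", "WXY", "delete"))
    print("bob may delete WXY:", acl_allowed(acls, "bob", "WXY", "delete"))
    print("filled cells / total cells:", fill(ACM))
```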
UNIX File Concepts
~UNIX files administered using inodes
•control structure with key info on file
~attributes, permissions of a single file
•may have several names for same inode
•have inode table / list for all files on a disk
~copied to memory when disk mounted
~directories form a hierarchical tree
•may contain files or other directories
•are a file of names and inode numbers
UNIX File Access Control
~“set user ID” (SetUID) or “set group ID” (SetGID)
*system temporarily uses rights of the file owner / group in addition to the real user’s rights when making access control decisions
*enables privileged programs to access files / resources not generally accessible
~sticky bit
*on directory limits rename/move/delete to owner
~superuser
*is exempt from usual access control restrictions
UNIX Access Control Lists
•modern UNIX systems support ACLs
•can specify any number of additional users / groups and associated rwx permissions
•ACLs are optional extensions to std perms
•group perms also set max ACL perms
•when access is required
~select most appropriate ACL
•owner, named users, owning / named groups, others
~check if have sufficient permissions for access
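The entry-selection order listed above (owner, named users, owning / named groups, others) with the group-class mask as the upper bound, as an added Python sketch that is not part of the original lecture. The ACL dictionary layout and the numeric IDs other than maestro's 200, conductors' 100 and pianists' 102 are constructed; the superuser exemption is not modelled.

```python
R, W, X = 4, 2, 1   # same bit values as the rwx digits used by chmod

# Constructed ACL for one file, owner maestro (uid 200), owning group conductors (gid 100).
ACL = {
    "owner": 200, "group": 100,
    "user_obj": R | W,                 # user::rw-
    "users": {201: R | W | X,          # user:volodya:rwx  (uid 201 is constructed)
              302: 0},                 # user:guest:---    (uid 302 is constructed)
    "group_obj": R | W,                # group::rw-
    "groups": {102: R},                # group:pianists:r--
    "mask": R,                         # mask::r--  caps named users and all groups
    "other": 0,                        # other::---
}

def acl_allows(acl, uid, gids, want):
    """Pick the single most specific entry class for this process, then test it."""
    mask = acl.get("mask", R | W | X)          # no mask entry means no extra cap
    if uid == acl["owner"]:                    # 1. owner: mask does not apply
        return (acl["user_obj"] & want) == want
    if uid in acl["users"]:                    # 2. named user, limited by mask
        return (acl["users"][uid] & mask & want) == want
    matching = []                              # 3. owning group and named groups
    if acl["group"] in gids:
        matching.append(acl["group_obj"])
    matching += [perms for gid, perms in acl["groups"].items() if gid in gids]
    if matching:                               # one matching entry must grant it all
        return any((perms & mask & want) == want for perms in matching)
    return (acl["other"] & want) == want       # 4. everyone else

if __name__ == "__main__":
    cases = [("owner writes", 200, {100}, W), ("volodya writes", 201, {102}, W),
             ("volodya reads", 201, {102}, R), ("conductor writes", 300, {100}, W),
             ("guest in pianists reads", 302, {102}, R), ("stranger reads", 301, set(), R)]
    for label, uid, gids, want in cases:
        print(f"{label:26s} -> {acl_allows(ACL, uid, gids, want)}")
```

The guest case is denied even though the pianists group would grant read: the named-user entry is selected first and later classes are never consulted.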
File System Security
•in Linux everything is treated as a file
~e.g. memory, device-drivers, named pipes, and other system resources
~hence why filesystem security is so important
•I/O to devices is via a “special” file
~e.g. /dev/cdrom
•have other special files like named pipes
~a conduit between processes / programs
Users and Groups
•a user-account (user)
~represents someone capable of using files
~associated both with humans and processes
•a group-account (group)
~is a list of user-accounts
~users have a main group
~may also belong to other groups
•users & groups are not files
•user's details are kept in /etc/passwd
maestro:x:200:100:Maestro Edward Hizzersands:/home/maestro:/bin/bash
• additional group details in /etc/group
conductors:x:100:
pianists:x:102:maestro,volodya
•use useradd, usermod, userdel to alter
File Permissions
~files have two owners: a user & a group
~each with its own set of permissions
~with a third set of permissions for other
~permissions are to read/write/execute in order user/group/other, cf.
-rw-rw-r-- 1 maestro user 35414 Mar 25 01:38 baton.txt
~set using chmod command
Directory Permissions
~read = list contents
~write = create or delete files in directory
~execute = use anything in or change working directory to this directory
~e.g.
$ chmod g+rx extreme_casseroles
$ ls -ld extreme_casseroles
drwxr-x--- 8 biff drummers 288 Mar 25 01:38 extreme_casseroles
Numeric File Permissions
Hmm... for me this lecture wasn't that hard.. quite simple really... ermmm... just think it through logically and that's it.. hehehe....
alhamdulillah....
2 comments:
Thank you for sharing this lecture that covers all about authentication and access control. This article gave me a complete and accurate detail to gain knowledge about these terms. The detail is easy and simple to follow.
electronic signature software
Thanks for sharing such information with us.
Verification of Identity