Sunday, October 25, 2009

Lecture 4 - AUTHENTICATION & ACCESS CONTROL & Lab 4 - DES (Review Question)

What is Authentication?

• Verification of identity of someone who generated some data
• Relates to identity verification
• Classifications of identity verification:
    by something known, e.g. password
    by something possessed, e.g. smart card, passport
    by physical characteristics (biometrics), e.g. fingerprints, palm prints, retina, voice
    by a result of involuntary action, e.g. signature

Authentication

Requirements – must be able to verify that:
Message came from apparent source or author
Contents have not been altered
Sometimes, it was sent at a certain time or sequence
Protection against active attack (falsification of data and transactions)

Password

Protection of passwords
Don’t give your password to anybody
Don’t write down or enter your password just anywhere
Etc.
Choosing a good password
Criteria:
Hard to guess and easy to remember
Characteristics of a good password
Not shorter than six characters
Not patterns from the keyboard
Etc.
Calculations on password
Password population, N = r^s
Probability of guessing a password = 1/N
Probability of success, P = nt/N


Time taken to crack password




Techniques for guessing passwords

Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary (60,000).
Collect information about the user’s hobbies, family names, birthday, etc.
Try user’s phone number, social security number, street address, etc.
Try all license plate numbers
Use a Trojan horse
Tap the line between a remote user and the host system.

Password Selecting Strategies

User education
Computer-generated passwords
Reactive password checking
Proactive password checking

Example of Password Calculation

Assume you choose characters from a-z and 0-9 and the number of characters required is 5.
Determine how much time will be needed to get the right password if the capability of your computer is 400 MIPS.
Give your opinion/conclusion from this problem.
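
The calculation above carried through with N = r^s and P = nt/N, as an added example that is not part of the original lecture notes. It assumes r is the size of the character set, s the password length, n the number of guesses per second and t the time in seconds, and that one guess costs one instruction on the 400 MIPS machine; min_length goes beyond the exercise to show what length would hold up.

```python
def population(r: int, s: int) -> int:
    """Password population N = r^s (r symbols to choose from, s characters)."""
    return r ** s

def worst_case_seconds(r: int, s: int, guesses_per_second: float) -> float:
    """Time needed to try every password in the population once."""
    return population(r, s) / guesses_per_second

def success_probability(n: float, t: float, N: int) -> float:
    """P = nt/N, capped at 1 once the whole population has been tried."""
    return min(1.0, n * t / N)

def min_length(r: int, guesses_per_second: float, seconds: float, max_p: float) -> int:
    """Smallest length s for which P = nt/N stays at or below max_p."""
    s = 1
    while success_probability(guesses_per_second, seconds, population(r, s)) > max_p:
        s += 1
    return s

# The exercise's numbers: a-z plus 0-9 gives r = 36, s = 5.
# ASSUMPTION: one guess per instruction, so 400 MIPS = 400,000,000 guesses/s.
R, S, RATE = 36, 5, 400_000_000
YEAR = 365 * 24 * 3600  # seconds in a year

if __name__ == "__main__":
    N = population(R, S)
    print(f"N = {R}^{S} = {N:,} passwords")
    print(f"worst case: {worst_case_seconds(R, S, RATE):.3f} s")
    print(f"P after 0.05 s of guessing: {success_probability(RATE, 0.05, N):.3f}")
    # Defender's view: length needed so a year of guessing succeeds with P <= 1%.
    print(f"length for P <= 0.01 over one year: {min_length(R, RATE, YEAR, 0.01)}")
```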


Access Control Matrix



Access Control List

The ACM is simple and straightforward, but if a system supports thousands of users and millions of objects, the ACM will be a very sparse matrix.
An ACL (Access Control List) is a column of the ACM with empty entries removed; each object is assumed to have its own associated ACL.
Another approach is to distribute the matrix row-wise by giving each subject a CL (Capability List).

ACCESS CONTROL MATRIX

An Access Control Matrix, or Access Matrix, is an abstract, formal security model of the protection state in computer systems that characterizes the rights of each subject with respect to every object in the system.


Access Control Matrix (ACM)

An Access Control Matrix is a table in which
each row represents a subject,
each column represents an object, and
each entry is the set of access rights for that subject to that object.

ACM entry can also be a function that determines rights.
E.g. one subject may not be able to access an object when another subject is already writing or modifying it.
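
A sparse ACM with its column view (ACL), its row view (capability list) and an entry that is a function of system state, as an added example that is not part of the original lecture notes. The class, the subject and object names and the "writers" bookkeeping are constructed for illustration.

```python
class AccessControlMatrix:
    """Sparse ACM: only non-empty (subject, object) entries are stored."""

    def __init__(self):
        self.entries = {}   # (subject, object) -> set of rights, or a function
        self.writers = {}   # object -> subject currently writing it

    def grant(self, subject, obj, rights):
        self.entries[(subject, obj)] = rights

    def rights(self, subject, obj):
        entry = self.entries.get((subject, obj), set())
        # An entry may be a function that determines the rights at access time.
        return entry(self, subject, obj) if callable(entry) else set(entry)

    def allowed(self, subject, obj, right):
        return right in self.rights(subject, obj)

    def acl(self, obj):
        """Column of the matrix for obj, with empty entries removed."""
        column = {s: self.rights(s, o) for (s, o) in self.entries if o == obj}
        return {s: r for s, r in column.items() if r}

    def capability_list(self, subject):
        """Row of the matrix for subject, with empty entries removed."""
        row = {o: self.rights(s, o) for (s, o) in self.entries if s == subject}
        return {o: r for o, r in row.items() if r}

def unless_being_written(rights):
    """Entry function: no access while another subject is writing the object."""
    def entry(acm, subject, obj):
        writer = acm.writers.get(obj)
        return set(rights) if writer in (None, subject) else set()
    return entry

def build_sample():
    # Constructed sample data, not taken from the lecture.
    acm = AccessControlMatrix()
    acm.grant("alice", "report.txt", {"read", "write"})
    acm.grant("bob", "report.txt", unless_being_written({"read"}))
    acm.grant("alice", "payroll.db", {"read"})
    return acm

if __name__ == "__main__":
    acm = build_sample()
    print("ACL of report.txt:", acm.acl("report.txt"))
    print("alice's capability list:", acm.capability_list("alice"))
    acm.writers["report.txt"] = "alice"   # alice starts writing
    print("bob may read while alice writes:", acm.allowed("bob", "report.txt", "read"))
```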

Boolean Expression Evaluation

ACM controls access to database fields
Subjects have attributes (name, role, membership in group, access to programs)
Verbs define type of access
Rules are associated with (object, verb) pairs
Subject attempts to access object
Rule for the (object, verb) pair is evaluated and grants or denies access
Example

Subject annie
Attributes role (artist), groups (creative)
Verb paint
Default 0 (deny unless explicitly granted, the verb “view” might have a default “1”)
Object picture
Rule:
paint: ‘artist’ in subject.role and
‘creative’ in subject.groups and
time.hour ≥ 0 and time.hour <
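
The annie/paint/picture rule evaluated in code, as an added example that is not part of the original lecture notes. The upper hour bound of the rule is cut off on the page, so PLACEHOLDER_END_HOUR is a constructed stand-in; the subject bob and the fallback to the verb's default when no rule exists are also assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    role: set = field(default_factory=set)
    groups: set = field(default_factory=set)

# Per-verb default: 0 denies unless a rule grants, 1 allows when no rule exists.
DEFAULTS = {"paint": 0, "view": 1}

# ASSUMPTION: the rule's upper hour bound is missing from the page, so this
# constructed placeholder stands in for it.
PLACEHOLDER_END_HOUR = 12

def paint_picture(subject, hour, end_hour):
    """paint: 'artist' in role and 'creative' in groups and 0 <= hour < end."""
    return ("artist" in subject.role
            and "creative" in subject.groups
            and 0 <= hour < end_hour)

# Rules are keyed by (object, verb) pair.
RULES = {("picture", "paint"): paint_picture}

def check(subject, verb, obj, hour, end_hour=PLACEHOLDER_END_HOUR):
    """Evaluate the rule for (obj, verb); fall back to the verb's default."""
    rule = RULES.get((obj, verb))
    if rule is None:
        return bool(DEFAULTS.get(verb, 0))   # unknown verbs are denied
    return rule(subject, hour, end_hour)

# Constructed subjects: annie matches the page's example, bob lacks the group.
annie = Subject("annie", role={"artist"}, groups={"creative"})
bob = Subject("bob", role={"artist"}, groups={"sales"})

if __name__ == "__main__":
    for who, verb, hour in [(annie, "paint", 3), (annie, "paint", 20),
                            (bob, "paint", 3), (bob, "view", 20)]:
        print(who.name, verb, f"hour={hour}", "->", check(who, verb, "picture", hour))
```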


Fingerprint Recognition

Ridge patterns on fingers uniquely identify people
Classification scheme devised in 1890s
Major features: arch, loop, whorl
Each fingerprint has at least one of the major features and many “small features”
In an automated system, the sensor must minimise the image rotation
Locate minutiae and compare with reference template
Minor injuries are a problem
Liveness detection is important (detached real fingers, gummy fingers, latent fingerprints)

Features of fingerprints




Assessment – fingerprint recognition

Advantages
Mature technology
Easy to use/non-intrusive
High accuracy (comparable to PIN authentication)
Long-term stability
Ability to enrol multiple fingers
Comparatively low cost
Disadvantages
Inability to enrol some users
Affected by skin condition
Sensor may get dirty
Association with forensic applications

Which biometric method / product is best?

Depends on the application
reliability
security
performance
cost
user acceptance
liveness detection
users that are unsuitable
size of sensor

Biometric Conclusions

Biometric technology has great potential
There are many biometric products around, covering the different biometric technologies
Since September 11th, biometric products have been pushed forward
Shortcomings of biometric systems are due to
Manufacturers’ ignorance of security concerns
Lack of quality control
Standardisation problems
Manufacturers have to take security concerns seriously

END OF LECTURE 4

Review Question - Lab 4

2 comments:

  1. Very informative article. With the help of the information provided above I prepared a presentation on authentication and access control. You have collected and shared a rich amount of detail above. Good job.
  2. Thanks for sharing such information with us.