Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identification and Authentication Lesson 11. Authentication & Access Controls.

Published byAllen Perkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Identification and Authentication Lesson 11. Authentication & Access Controls."— Presentation transcript:

1 Identification and Authentication Lesson 11

2 Authentication & Access Controls

3 Authentication  “Authentication is the process of determining whether information is trustworthy and genuine.”  Key question for computers and networks is how do you verify that the user is who they claim to be?  3 general methods to authenticate Something you know Something you have Something about you/that you are  Denning likes to add a fourth – location  Sandhu likes to add “what you do”, dynamic biometrics

4 Something you Know  Most common technique for Authentication -- userids/password combination Theoretically not a bad technique if chosen correctly Length and size of character set have direct relationship on the strength of the chosen password –For example, if lower case alphabet used:  1 character length = 26 possible passwords  2 character length = 26 x 26 = 676 possible passwords  3 character length = 26 x 26 x 26 = 17,576, and so on –If upper and lower case alphabetic characters used  1 character length = 52 possible passwords  2 character length = 52 x 52 = 2704 possible passwords  3 character length = 52 x 52 x 52 = 140,608 possible passwords

5 Three Reasons Default accounts are left active  The admin is not aware they exist or doesn’t know how to disable them.  The admin wants a “failsafe” mechanism (in case the vendor needs to access the system should a major problem occur)  The admin wants to make sure that he/she doesn’t get locked out

6 Passwords  The problem with passwords is that people don’t always pick good ones. Passwords cracked from a sample set of 13,797 Number of Type of passwordMatchesPercentage User/account name3682.7% Common names5484.0% Female Names1611.2% Male Names1401.0% Phrases & Patterns2531.8% Dictionary word10277.4% Machine names1321.0% Science fiction590.4% a total of 3340 passwords guessed From: Network and Internetwork Security by Stallings

7 Passwords Type of PasswordPercent Dictionary Word8% LengthPercent Common Names4%10.03% User/account name3%20.03% Phrases, patterns2%30.48% Male names1%41.36% Female Names1%52.30% Uncommon Names1%68.41% Machine names1%75.89% Place names1%85.65% King James Bible1% D.Klein “Foiling the Cracker: A Survey of, and Improvements to, Password Security”, 1990 USENIX UNIX Security Workshop

8 Passwords used in Morris Worm

9 Experience from Eric Cole (Author of Hackers Beware)  “I started tracking statistics when I performed security assessments and began to notice an interesting trend. Eighty percent of all the salespeople that I came in contact with had a password of either golf or bogey. If you know the user ID of a salesperson’s account and you want to get into his account, try these two passwords and your chances of success are very high.”

10 So you want to guess a password  If you know anything about the person you have a chance to guess the password. One textbook used the following examples for a user “John”, try: Sally (his wife) George (his child) Randoff (his wife’s maiden name) Tennis (John’s favorite sport) March9 (date of John’s, or his child’s or wife’s bday) Waterfall (a poster or some object seen in office) Alpha (the brand of computer John uses)

11 Rules for passwords  Don’t pick an easy one to guess mix upper and lower case, add special characters and numbers at least 6 characters in length, 8 better, 10 even better maybe use pass-phrases instead of dictionary words  Don’t write it down  Don’t reuse previous passwords (or just add a # to it)  Change it on a regular basis (but not too often), 45 days.  If you’re the sysadmin, run a password cracker periodically.  If one-time passwords are possible, consider using them (they have their own problems though)

12 An experience from Eric Cole, author Hackers Beware  “One common check was to look for passwords that were written down. Because most users wrote their password somewhere, just in case they forgot it, this turned into a battle to see how well the user could hide it and how well the reviewers would search to find it. The creative lengths users would go to always amazed me. Some users would hide their password in their rolodex under a certain name. One clever individual even wrote it on the bottom of his shoe… The key to remember is that users will get creative, but the creativity is limited, which means that if an attacker wants to find the password, he can.”

13 Password Management  Password management issues Default accounts Easily guessed or cracked passwords Unpassworded accounts Shared accounts Password aging Password policy enforcement Password auditing –Audit frequency –Control access to results

14 Cracking Passwords

15  Step 1: Obtain the password file NT: SAM file in %systemroot%\system32\config –Boot to alternate OS –Grab Backup SAM file from repair directory (rdisk run with /s argument)  %systemroot%\repair\SAM._  then expand it expand sam._ sam UNIX: /etc/passwd or /etc/shadow  Step 2: download and run one of the cracking tools.

16 NT Password cracking  SAM file has two separately hashed versions of the password -- the LanMan version and the NT version.  LanMan is the weak method and can easily be cracked. It separates the password into two 7 character parts. Thus you really only have to crack two separate 7 character passwords instead of a 14 character password.  It also converts lower case characters to upper case.  Because of poor hashing technique, for NT, a 10 character password is actually potentially less secure than a 7 character the second half (last 3 characters) will quickly be cracked and then may provide clue for first part, ex: *******890

17 UNIX password cracking  Generally harder than NT to crack.  Unix passwords are stored in the form of a one-way hash function. One-way hash functions are unique in cryptography because, unlike the other fundamental techniques of cryptography, they use no key at all. They work by encrypting two strings and comparing them to see if they're the same in encrypted form.  3 step process used by cracking programs create file of possible passwords (dictionary file) Encrypt file of possible passwords Compare results with encrypted form of passwords  Obvious why it is harder to guess if you don’t use simple words. Dictionary created must include combinations of words with various connectors,...

18 One-Time Passwords  User given device that generates a password at certain time intervals (e.g. every minute)  The device is keyed with the server, so that both devices generate the same password at the same time.  If you want to log into the server, look at the display and type in the password you see.  Even if the password is sniffed, it was only good for the minute it was used.

19 Questionnaires  Another “something you know” method  user is validated based on a series of questions that an intruder is unlikely to know.  Examples include: name of pet, favorite teacher, favorite color… user may even be asked to write his/her own question  not likely to be used in high security situation, used as a secondary method frequently on the web.

20 Something you have  May combine this method and userid/password  Physical keys  Magnetic cards information stored on card, example is credit card  Smart cards more information stored, may be encrypted  “calculators” device that looks like (and may even function as) a calculator. Process may proceed as follows: –user presents userid or name –system responds with challenge –challenge punched into calculator and returns response –user supplies response to system

21 Something about you  Biometrics  Voice prints  Fingerprint  Retinal Scan  Hand Geometry  Signature analysis

22 Problems with the 3 basic Authentication Techniques  Something you know: people write things down, they choose poorly  Something you have requires additional hardware ($) People lose them  Something about you requires additional hardware ($$) things about you can change

23 Location-Based Authentication  Involves authenticating entities based on geodetic location (lat, long, alt).  Grounds cyberspace in the real world, aids in stopping spoofing attempts.  Uses GPS to compute and validate a location.  Best suited for fixed sites -- wouldn’t work for portable laptops.  Expensive equipment, potential for DoS if GPS signal jammed. May also be used offensively to track user’s location

24 “What you do”  Dynamic Biometrics – captures a dynamic process rather than a static characteristic of a person. A person’s signature –Concerned with more than just the shape or “look” of the signature. –Record the speed and acceleration of a person’s hand as they sign their name on a special tablet Voice Keystroke Dynamics (typing behavior)  Just like a password, we need to avoid somebody capturing and playing back our signature, voice, or other similar data.

25 Access Controls  “Access controls serve to enforce an authorization policy, which specifies what activity is allowed and who is allowed to initiate it.”  Governs not only activities by human actors but non-human actors as well.  Can apply to any media – print, tapes, networks, memory,...

26 Access modes  Read – allows entity to read the file or view the file’s attributes  Write – allows the entity to write to the file, which may include creating, modifying, or appending to the file.  Execute – the entity may load the file and run it.  Delete – the entity may remove the file from the system.  List – the entity may view the file’s attributes.

27 Protection Table  Illustrates what access controls are designed to do File 1File 2File 3Printer Disk User 1ReadWrite Write User 2ExecuteReadWriteRead Write Prog 1ReadRead Write Protection Table seems like an easy solution to access control problem but... Required table extremely large Table generally sparsely populated

28 File Passwords  In order to gain access to a file the user must present the system with the file’s password.  Initial assignment can be accomplished by sysadmin or creator of file.  In order to control the type of access granted to the file, multiple passwords for each file may be necessary.  Method is easy to implement and understand.

29 File passwords - problems  Since users will have to remember different passwords for each file it will mean LOTS of passwords to remember (or write down!).  No easy way to keep track of who has access to the password for a file. Passwords distributed manually which leaves no automated audit trail. Hard to control.  Revocation easy to do (change a password), problem is doing it without affecting all of the other users.  Files (programs) that require access to other files requires that all passwords be identified before program is executed or execution has to be interrupted to wait for a user to enter the required password.

30 Capabilities Based Access Controls  Divides the protection table by rows.  Associated with each entity is a list of the objects the user may access along with its permissions. ObjectPermissions File 1Read, Write, List File 3Read, List PrinterWrite ObjectPermissions File 1Read, List File 2Read, Execute, List PrinterWrite User 1User 2

31 Capabilities based access controls  The system must maintain a list for each subject.  A single object may be accessible to all or a large number of subjects and will thus have its access information repeated many times. Thus, tremendous overhead  Revoking access to a file is cumbersome since it must be changed in a number of places.  Hard to answer the question “which subjects have access to this object?”

32 Access Control Lists (ACL)  Divides protection table by columns.  Instead of maintaining a separate list for each subject, ACLs are created for each object. User 1Execute User 2Read, Write, List User 4Read, List Program 1Write User 1Read User 2Read User 3Read, Execute, List Program 1Write File 1Disk 1

33 Access Control Lists  Can easily answer question “which subjects have access to a specific object?” This is the more frequently asked question. Hard to answer “which objects does a specific subject have access to?”  Access to a file can easily be revoked.  Storage space is saved. Generally more objects than subjects

34 Modified ACL  Divide users into groups. Smith.SalesRead, Execute *.SalesRead Jones.PersonnelRead, Execute, List *.*List File 1 Requires much less room Can also use this concept to easily restrict access by including “no access” entries which can be extended to restrict access to specific dates or times.

35 ACL with access restrictions Smith.SalesRead, Execute0800-1800 Smith.SalesReadlocal Jones.PersonnelRead, Execute, List *.*List File 1  ACL with multiple individual user access restrictions based on time and location.

36 NT Access Control Lists (ACL)  All securable objects are assigned a security descriptor when created. Descriptor controls who has what access to the object Consists of – Owner SID : The owner’s security ID – Group SID : The security ID fo the primary group. – Discretionary Access Control List (DACL): specifies who has what access to the object. – System Access Control List (SACL): Specifies which operations by which users should be logged in the security audit log.

37 NT ACLs  The access control list is made up of an ACL header and 0 or more access control entry (ACE) structures. An ACL with 0 ACEs is called a nullACL and indicates that no user has access to the object. File Object Security Descriptor Object headerAllow DAVEC Read data Allow TEAMA Read data Write Data Allow Everyone File Execute ACE Access Control List

38 Protection Bits  A modification of ACLs.  Protection bits are attached to each file but instead of providing a complete list of all users they specify permissions for specific classes.  Sometimes referred to as “permission bits”.  Example classes: Owner, Group, World File 1r,w,x,,, r,,x,,,,, x,,, File 2r,,x,d,, r,,x,,,,,,,,

39 Protection Bits Owner R W E D L Group R W E D L World R W E D L Generalized Example Owner R W E Group R W E World R W E UNIX Example UNIX Example: R W E, R,, E,,, E 1 1 1 1 0 1 0 0 1 7 5 1 Thus, permission set for this object can be contained in 9 bits

40 Nondiscretionary controls  Discretionary Access Controls are controls implemented at the discretion or option of the user/owner (e.g. protection bits)  Nondiscretionary Access Controls are controls that are determined by a central authority in the organization and can be based on the individual’s role or job. Role-based Access Controls : tied to the particular role the user performs Task-based Access Controls : tied to a particular assignment or responsibility

41 Summary  What is the Importance and Significance of this material?  How does this topic fit into the subject of “Voice and Data Security”?

Download ppt "Identification and Authentication Lesson 11. Authentication & Access Controls."

Similar presentations

Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Passwords, Authentication, and Access controls Lesson 11.

Passwords, Authentication, and Access controls Lesson 11.
Access Control Methodologies

Access Control Methodologies
6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.

6/2/2015B.Ramamurthy1 Security B.Ramamurthy. 6/2/2015B.Ramamurthy2 Computer Security Collection of tools designed to thwart hackers Became necessary with.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
SE571 Security in Computing

SE571 Security in Computing
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Authentication Approaches over Internet Jia Li

Authentication Approaches over Internet Jia Li
Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.

Csci5233 Computer Security1 Bishop: Chapter 12 Authentication.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Similar presentations

Ads by Google