Part II: Access Control


1 Part II: Access Control
Part 2  Access Control

2 Access Control
Two parts to access control…
Authentication: Are you who you say you are?
  Determines whether access is allowed or not
  Authenticates a human to a machine
  Or, possibly, a machine to a machine
Authorization: Are you allowed to do that?
  Once you have access, what can you do?
  Enforces limits on actions
Note: “access control” is often used as a synonym for authorization

3 Chapter 7: Authentication
Guard: Halt! Who goes there?
Arthur: It is I, Arthur, son of Uther Pendragon, from the castle of Camelot. King of the Britons, defeater of the Saxons, sovereign of all England! (Monty Python and the Holy Grail)
Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand. (Judges 12:6)

4 Are You Who You Say You Are?
Authenticate a human to a machine? Can be based on…
  Something you know, for example a password
  Something you have, for example a smartcard
  Something you are, for example your fingerprint

5 Something You Know
Passwords
Lots of things act as passwords!
  PIN
  Social security number
  Mother’s maiden name
  Date of birth
  Name of your pet, etc.

6 Trouble with Passwords
“Passwords are one of the biggest practical problems facing security engineers today.”
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)”

7 Why Passwords?
Why is “something you know” more popular than “something you have” and “something you are”?
  Cost: passwords are free
  Convenience: easier for a sysadmin to reset a pwd than to issue a new thumb

8 Keys vs. Passwords
Passwords
  Suppose passwords are 8 characters, drawn from 256 different characters
  Then there are 256^8 = 2^64 pwds
  Users do not select passwords at random
  Attacker has far less than 2^63 pwds to try (dictionary attack)
Crypto keys
  Suppose the key space is 64 bits
  Then there are 2^64 keys
  Choose the key at random…
  …then the attacker must try about 2^63 keys on average

9 Good and Bad Passwords
Bad passwords
  frank
  Fido
  Password
  incorrect
  Pikachu
  102560
  AustinStamp
  Ziad Mohammad
  etc.
Good passwords?
  jfIej,43j-EmmL+y
  P0kem0N
  FSa7Yago
  0nceuP0nAt1m8
  PokeGCTall150

10 Password Experiment
Three groups of users, each group advised to select passwords as follows
  Group A: At least 6 chars, 1 non-letter
  Group B: Password based on a passphrase
  Group C: 8 random characters
Results
  Group A: About 30% of pwds easy to crack
  Group B: About 10% cracked; passwords easy to remember (winner)
  Group C: About 10% cracked; passwords hard to remember

11 Password Experiment
User compliance is hard to achieve
  In each case, one third did not comply
  10% of passwords are likely easy to crack
If passwords are not assigned, the best advice is…
  Choose passwords based on a passphrase
  Use a pwd cracking tool to test for weak pwds
  Require periodic password changes?

12 Attacks on Passwords
Attacker could…
  Target one particular account
  Target any account on a system
  Target any account on any system
  Attempt a denial of service (DoS) attack
Common attack path
  Outsider → normal user → administrator
  Access any account and then upgrade her level of privilege
  May only require one weak password!

13 Password Retry
Suppose the system locks after 3 bad passwords. How long should it lock?
  5 seconds: Trudy might cycle through accounts!!
  5 minutes: causes denial of service
  Until the SA restores service
No apparent solution to this dilemma.

14 Password Verification
Bad idea to store passwords in a file
But we need to verify passwords
Solution? Hash passwords
  Store y = h(password)
  Can verify an entered password by hashing it
If Trudy obtains the password file (the hashed passwords), she does not (directly) obtain the passwords
  ?! She obtained their hashed values, so what is the difference?
  Trudy can still try a forward search: guess x and check whether y = h(x)

15 Dictionary Attack
Trudy pre-computes h(x) for all x in a dictionary of common passwords
Suppose Trudy gets access to a password file containing hashed passwords
  She only needs to compare the hashes to her pre-computed dictionary (the dictionary is hashed once)
  After the one-time work of computing the hashes in the dictionary, the actual attack is trivial
Can we prevent this forward search attack? Or at least make it more difficult? And how?

16 Salt
Hash the password with a salt
  Salting means adding random data to the input of a hash function
  A salt is added to the hashing process to force uniqueness of the hashes and increase their complexity without increasing user requirements (no extra requirements for the users)
Choose a random salt s and compute y = h(password, s)
  Store (s, y) in the password file
  Note that the salt s is not secret (analogous to an IV)
Still easy to verify a salted password
But lots more work for Trudy. Why?
  For salted passwords, Trudy has to re-compute her dictionary of hashes for each specific password.
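The three slides above (hashed verification, the pre-computed dictionary, and the salt) can be run side by side. The block below is an added example, not code from these slides or their author; the six-word dictionary and the password values are constructed, and SHA-256 stands in for h() only to keep the code short (a real password store uses a deliberately slow, salted key-derivation function).

```python
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary of common passwords (a real wordlist is far larger).
COMMON_PASSWORDS = ["password", "123456", "Pikachu", "frank", "Fido", "incorrect"]


def h_unsalted(password):
    # y = h(password), the scheme of slide 14. SHA-256 is used only to keep the
    # example short; a real password store uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def h_salted(password, salt):
    # y = h(password, s): the salt s is mixed into the hash input.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(password):
    return {"y": h_unsalted(password)}


def store_salted(password):
    salt = os.urandom(16)  # random per user; stored in the clear next to y, not secret
    return {"s": salt, "y": h_salted(password, salt)}


def verify_unsalted(record, password):
    return hmac.compare_digest(record["y"], h_unsalted(password))


def verify_salted(record, password):
    return hmac.compare_digest(record["y"], h_salted(password, record["s"]))


def precompute_dictionary():
    # Trudy's one-time work: h(x) for every x in the dictionary.
    return {h_unsalted(x): x for x in COMMON_PASSWORDS}


def forward_search(table, record):
    # Against an unsalted file, every stolen hash costs one table lookup.
    return table.get(record["y"])


def forward_search_salted(record):
    # Against a salted record the precomputed table is useless: the dictionary has to be
    # re-hashed with this record's salt, so the work is repeated for every password.
    # Returns (recovered password or None, number of hashes computed).
    work = 0
    for x in COMMON_PASSWORDS:
        work += 1
        if hmac.compare_digest(record["y"], h_salted(x, record["s"])):
            return x, work
    return None, work


def demo():
    # Store the same weak password both ways and report what the stolen file yields.
    table = precompute_dictionary()
    unsalted = store_unsalted("Pikachu")
    salted = store_salted("Pikachu")
    return {
        "unsalted_lookup": forward_search(table, unsalted),   # found with one lookup
        "salted_lookup": table.get(salted["y"]),              # None: table does not apply
        "salted_rebuild": forward_search_salted(salted),      # found, but only after re-hashing
    }
```

The point to notice is the last line of `demo()`: salting does not make a weak password strong, it only removes the one-time precomputation, so the attacker's cost scales with the number of stolen records rather than being paid once.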

17 Other Password Issues
Too many passwords to remember
  Results in password reuse. Why is this a problem?
Social engineering
  34% of users will give their passwords if asked.
  “Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
Keystroke logging, spyware, etc.
Failure to change default passwords
Who suffers from a bad password?
  ATM weak PIN: you lose
  Work password: the whole company loses

18 Password Cracking Tools
Popular password cracking tools
  Password Crackers
  Password Portal
  L0phtCrack and LC4 (Windows)
  John the Ripper (Unix)
Admins should use these tools to test for weak passwords, since attackers will
Good articles on password cracking
  Passwords - Cornerstone of Computer Security
  Passwords revealed by sweet deal

19 Biometrics

20 Something You Are
Biometric examples: “You are your key” (Schneier)
  Fingerprint
  Handwritten signature
  Facial recognition
  Speech recognition
  Gait (walking) recognition
  “Digital doggie” (odor recognition)
  Many more!
(figure: the three factors, Are / Have / Know)

21 Why Biometrics?
May be better than passwords
  But cheap and reliable biometrics are needed
  Today, an active area of research
Biometrics are used in security today
  Thumbprint mouse
  Palm print for secure entry
  Fingerprint to unlock a car door
  Facial recognition to unlock, etc.
But biometrics are not too popular
  Have not lived up to their promise/hype (yet?)

22 Ideal Biometric
Universal → applies to (almost) everyone
  In reality, no biometric applies to everyone
Distinguishing → distinguishes with certainty
  In reality, cannot hope for 100% certainty
Permanent → the physical characteristic being measured never changes
  In reality, OK if it remains valid for a long time
Collectable → easy to collect the required data
  Depends on whether subjects are cooperative
Also safe, user-friendly, and ???

23 Identification vs. Authentication
Identification → Who are you?
  Compare one-to-many
  Example: a suspicious fingerprint is sent to the FBI database of fingerprints for comparison with millions of fingerprints.
Authentication → Are you who you say you are?
  Compare one-to-one
  Examples: thumbprint mouse; username/password, i.e., does the entered password match the one saved on the system?
The identification problem is more difficult
  More “random” matches since there are more comparisons
We are (mostly) interested in authentication

24 Enrollment vs. Recognition
Enrollment phase
  The subject’s biometric info is collected and put into a database
  Must carefully measure the required info
  Since it is one-time work, it is OK if it is slow and multiple measurements are required
  Must be very precise
  Fielded vs. laboratory measurement: may be a weak point in real-world use
Recognition phase
  Biometric detection, when used in practice
  Must be quick and simple
  But must be reasonably accurate

25 Cooperative Subjects?
Authentication → cooperative subjects
Identification → uncooperative subjects
  For example, facial recognition, e.g. used in Las Vegas casinos to detect known cheaters, or to spot terrorists in airports, etc.
  What about China’s social credit system? ??!! (link)
  Often, less than ideal enrollment conditions
  Subject will try to confuse the system in the recognition phase
Cooperative subjects make it much easier
  We are focused on authentication
  So, we can assume subjects are cooperative

26 Biometric Errors
Fraud rate vs. insult rate
  Fraud → Trudy mis-authenticated as Alice
  Insult → Alice not authenticated as Alice
For any biometric, we can decrease fraud or insult, but the other one will increase
  For example, 99% voiceprint match → low fraud, high insult
  30% voiceprint match → high fraud, low insult
Equal error rate: the rate where fraud == insult (balanced)
  A way to compare different biometrics

27 Fingerprint Comparison
Some countries require a fixed number of “points” (minutiae, the fine details) to match in criminal cases
  In Britain, at least 15 points
  In the US, no fixed number of points
(figure: examples of loops, whorls, and arches: Loop (double), Whorl, Arch)
Minutiae are extracted from these features

28 Fingerprint: Enrollment
  Capture an image of the fingerprint
  Enhance the image
  Identify “points”

29 Fingerprint: Recognition
(figure: matching of extracted points)
Extracted points are compared with information stored in a database
Is it a statistical match?
Aside: Do identical twins’ fingerprints differ?

30 Hand Geometry
A popular biometric
Measures the shape of the hand
  Width of hand, fingers
  Length of fingers, etc.
Human hands are not so unique!!!
Hand geometry is sufficient for many situations
  OK for authentication
  Not useful for the ID problem

31 Hand Geometry
Advantages
  Quick → 1 minute for enrollment, 5 seconds for recognition
  Hands are symmetric → so what? The other hand can be used
Disadvantages
  Cannot use on the very young or very old
  Relatively high equal error rate

32 Iris Patterns
One of the best biometrics for authentication
Iris pattern development is “chaotic”
  Minor variations lead to large differences
  Little or no genetic influence
  Even for identical twins, uncorrelated
  Even the two eyes of one individual, wow
Pattern is stable through a lifetime, GOOD

33 Iris Scan
Needs sophisticated equipment and software.
  First, the scanner locates the iris
  Then takes a black/white photo
  Then applies a 2-D wavelet transform
  The result is a 256-byte (2048-bit) iris code
Two iris codes are compared based on the Hamming distance between them

34 Measuring Iris Similarity
Based on Hamming distance
Define d(x,y) to be: (number of non-matching bits) / (number of bits compared)
  d(0010, 0101) = 3/4 and d(101111, 101001) = 2/6 = 1/3
Compute d(x,y) on the 2048-bit iris code
Perfect match is d(x,y) = 0
  Can be expected in practice ???
Under lab conditions, for the same iris, the expected distance is 0.08
At random, expect a distance of 0.50
Accept the iris scan as a match if the distance is < 0.32
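The distance function of slide 34 and the fraud/insult/equal-error trade-off of slide 26 are both short enough to work through in code. The block below is an added example, not part of the slides: `hamming_distance` is the d(x,y) defined above, the 2048-bit random-code check illustrates the 0.50 expectation, and the lists of genuine and impostor distances are constructed values standing in for real measurements so that the fraud rate, insult rate and equal error threshold can be computed.

```python
import random

# Constructed distance samples standing in for measured iris-code comparisons:
# "genuine" = the same iris scanned twice, "impostor" = two different irises.
GENUINE_DISTANCES = [0.05, 0.08, 0.10, 0.12, 0.20, 0.35]
IMPOSTOR_DISTANCES = [0.28, 0.41, 0.45, 0.48, 0.50, 0.55]
ACCEPT_THRESHOLD = 0.32  # slide 34: accept as a match if d(x,y) < 0.32


def hamming_distance(x, y):
    # d(x,y) = (number of non-matching bits) / (number of bits compared)
    if len(x) != len(y):
        raise ValueError("iris codes must have the same length")
    mismatches = sum(1 for a, b in zip(x, y) if a != b)
    return mismatches / len(x)


def is_match(x, y, threshold=ACCEPT_THRESHOLD):
    return hamming_distance(x, y) < threshold


def mean_random_distance(n_bits=2048, trials=20, seed=1):
    # Two unrelated codes disagree on about half their bits, i.e. d close to 0.50.
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    total = 0.0
    for _ in range(trials):
        x = "".join(rng.choice("01") for _ in range(n_bits))
        y = "".join(rng.choice("01") for _ in range(n_bits))
        total += hamming_distance(x, y)
    return total / trials


def fraud_rate(threshold, impostor=IMPOSTOR_DISTANCES):
    # Fraud: Trudy accepted as Alice, i.e. an impostor comparison below the threshold.
    return sum(1 for d in impostor if d < threshold) / len(impostor)


def insult_rate(threshold, genuine=GENUINE_DISTANCES):
    # Insult: Alice rejected, i.e. a genuine comparison at or above the threshold.
    return sum(1 for d in genuine if d >= threshold) / len(genuine)


def equal_error_threshold(genuine=GENUINE_DISTANCES, impostor=IMPOSTOR_DISTANCES):
    # Sweep the threshold in steps of 0.01 and return (threshold, fraud, insult) at the
    # first point where the two rates are closest. Lowering the threshold from there
    # trades fraud for insult; raising it does the reverse.
    best = None
    for k in range(101):
        t = k / 100
        f, i = fraud_rate(t, impostor), insult_rate(t, genuine)
        if best is None or abs(f - i) < best[0]:
            best = (abs(f - i), t, f, i)
    return best[1], best[2], best[3]
```

With the constructed samples, the 0.32 threshold accepts one impostor in six and rejects one genuine scan in six; the two rates are equal at 0.29 as well, which is the equal error point for this toy data. Real iris data has far smaller overlap, which is why its error rates on the next slide are so low.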

35 Iris Scan Error Rate
distance   fraud rate
0.29       1 in 1.3×10^10
0.30       1 in 1.5×10^9
0.31       1 in 1.8×10^8
0.32       1 in 2.6×10^7
0.33       1 in 4.0×10^6
0.34       1 in 6.9×10^5
0.35       1 in 1.3×10^5
(figure: distributions of genuine and impostor distances; the equal error rate is the distance where they cross)
The overlap does NOT exist (or is very small in practice), which means a very small error rate

36 Attack on Iris Scan
A good photo of an eye can be scanned
  Attacker could use a photo of the eye
  E.g. an Afghan woman was authenticated by an iris scan of an old photo; the story can be found here (link)
To prevent this attack, the scanner could use light to be sure it is a “live” iris (the pupil contracts).

37 Equal Error Rate Comparison
Equal error rate (EER): the point at which the fraud rate == the insult rate
  The best measure
Fingerprint biometrics used in practice have an EER ranging from about 10^-3
Hand geometry has an EER of about 10^-3
Iris scan has an EER of about 10^-5
The enrollment phase may be critical to accuracy
Biometrics are useful for authentication…
  …but for identification, not so impressive today
While fingerprints can be highly distinguishing, fingerprint biometrics vary a lot in quality; some are really poor

38 Biometrics: The Bottom Line
Biometrics are hard to forge
But an attacker could
  Steal Alice’s thumb
  Photocopy Bob’s fingerprint, eye, etc.
  Subvert software, database, “trusted path” …
And how to revoke a “broken” biometric?
Biometric use is relatively limited today
That should change in the (near?) future

39 Something You Have
Something in your possession
Examples include the following…
  Car key
  Laptop computer (or MAC address)
  Password generator (next)
  ATM card, smartcard, etc.
A smartcard is a credit-card-sized device that includes a small amount of memory and computing resources, so that it is able to store cryptographic keys or other secrets, and perhaps even do some computations on the card. A special-purpose smartcard reader is used to read the key stored on the card. Then the key can be used to authenticate the user. Since a key is used, and keys are selected at random, password guessing attacks can be eliminated.

40 Smart Cards
The private key is generated in the crypto module residing in the smart card. The key is kept in the memory of the smart card. The key is highly secured as it doesn’t leave the card: the message digest is sent into the card for signing, and only the signature leaves the card. The card gives mobility to the key, and signing can be done on any system that has a smart card reader.

41 Hardware Tokens
They are similar to smart cards in functionality:
  The key is generated inside the token.
  The key is highly secured as it doesn’t leave the token.
  Highly portable.
  Machine independent.
iKEY is one of the most commonly used tokens, as it doesn’t need a special reader and can be connected to the system using a USB port.

42 Password Generator
(figure: Alice, her password generator holding K, and Bob holding K)
  1. Alice → Bob: “I’m Alice”
  2. Bob → Alice: R
  3. Alice → password generator: PIN, R
  4. password generator → Alice: h(K,R)
  5. Alice → Bob: h(K,R)
Alice receives a random “challenge” R from Bob
Alice enters the PIN and R into the password generator
The password generator holds the symmetric key K and computes h(K,R)
Alice sends the “response” h(K,R) back to Bob
Bob verifies the response
Both Bob and the password generator have to have the key K, since the password generator needs the key to compute the hash and Bob needs the key to verify Alice’s response
If the response is correct, Bob is convinced that he is indeed talking to Alice, since only Alice is supposed to have the password generator
Note: Alice has the pwd generator and knows the PIN. Alice accesses the key K only indirectly, by entering her PIN into the generator
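The five-step exchange above, as an added example that is not part of the slides: Bob issues a fresh challenge, the generator releases h(K,R) only after the correct PIN, and Bob recomputes the value with his own copy of K. HMAC-SHA256 is assumed as the concrete keyed hash h(K,R); the key K and the PIN are constructed values.

```python
import hashlib
import hmac
import os

# Constructed shared secret K: provisioned into Alice's password generator when it is
# issued and held by Bob's server. Neither Alice nor anyone else ever types it in.
K = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00123456789abcdef0123456789abcdef")
ALICE_PIN = "4711"  # constructed PIN that unlocks the generator


def h(key, challenge):
    # h(K,R) from the slide, realised as HMAC-SHA256 (a keyed hash) over R.
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def bob_issue_challenge():
    # Step 2: a fresh random R for every login attempt, so an old response cannot be replayed.
    return os.urandom(16)


def password_generator(pin, challenge, key=K, correct_pin=ALICE_PIN):
    # Steps 3 and 4: the device computes h(K,R) only after the correct PIN;
    # Alice never sees or handles K directly.
    if not hmac.compare_digest(pin.encode(), correct_pin.encode()):
        return None  # wrong PIN: the generator stays locked
    return h(key, challenge)


def bob_verify(challenge, response, key=K):
    # Step 5: Bob recomputes h(K,R) with his copy of K and compares in constant time.
    if response is None:
        return False
    return hmac.compare_digest(h(key, challenge), response)


def login(pin, challenge=None):
    # The whole exchange: "I'm Alice" -> R -> (PIN, R) into the generator -> h(K,R) -> verify.
    if challenge is None:
        challenge = bob_issue_challenge()
    response = password_generator(pin, challenge)
    return bob_verify(challenge, response)
```

Two properties worth checking against the block: a response computed for one R is useless against a later R (this is what the random challenge buys), and a response computed with any key other than K fails verification, which is why the generator and Bob's server must share the same K.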

43 2-factor Authentication
Requires any 2 out of 3 of
  Something you know
  Something you have
  Something you are
Examples
  ATM: card and PIN
  Credit card: card and signature
  Password generator: device and PIN
  Smartcard with password/PIN

44 Single Sign-On (SSO)
Why SSO? With the number of websites and services rising, a centralized login system has become a necessity
Multiple systems typically require multiple sign-on dialogues
  E.g. desktop logon, library systems, external resources …
  Multiple sets of credentials (usernames/passwords)
  Presenting credentials multiple times
  Headache for administration & users
  The more security domains, the more sign-ons required
  A hassle to enter password(s) repeatedly
Alice would like to authenticate only once
  “Credentials” stay with Alice wherever she goes
  Subsequent authentications are transparent to Alice

45 Simple SSO operation
(figure: Alice, the authentication domain running the SSO application, and a secondary domain hosting the application/resource)
  1. Alice accesses the application
  2. The application refers her to the SSO application for authentication
  3. The SSO application asks for her credentials and establishes an SSO session (Ticket Granting Ticket, TGT)
  4. Alice is transferred back to the application with a transfer/service ticket

46 Different protocols
Different SSO protocols share session information in different ways, but the essential concept is the same: there is a central domain, through which authentication is performed, and then the session is shared with other domains in some way. For instance, the central domain may generate a signed JSON Web Token (which may be encrypted). This token (TGT) may then be passed to the client and used by the authentication domain as well as any other domains.
There are many different implementations: OpenID Connect, Facebook Connect, Security Assertion Markup Language (SAML), Microsoft Account (formerly known as Passport), etc.

47 Single Sign-On (SSO)
Security implications
  Credentials never leave the authentication domain
  Secondary (affiliated) domains have to trust the authentication domain
  Credentials must be asserted correctly
  Protected from unauthorised use
  Authentication transfer has to be protected against replay attacks, interception/masquerade attacks, etc.
SSO system relies on other infrastructure
  Authentication system
  Requires interface with the web server (HTTP/HTTPS)
  Identity management/registration
E.g. Kerberos → a single sign-on protocol
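The signed-token transfer of slides 46 and 47 can be made concrete with a minimal, hand-built JWT (HS256 compact form) plus the checks a secondary domain needs before trusting it. This is an added example, not code from the slides or from any SSO product; the shared signing key, the subject and audience names, and the timestamps are constructed. It shows one way each threat listed above is caught: a tampered or forged token fails the signature, a token minted for another domain fails the audience check, an old token fails the expiry check, and a re-submitted token is rejected by the seen-id set.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared by the authentication domain and the secondary domains
# (a real deployment would use per-domain keys or an asymmetric signature).
SSO_KEY = b"constructed-sso-signing-key-not-for-real-use"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, audience, now, ttl=300, token_id="", key=SSO_KEY):
    # Authentication domain: issue a signed, short-lived token for one target domain.
    # Compact JWT layout (header.payload.signature, HS256), built by hand here.
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl, "jti": token_id}
    head = b64url(json.dumps(header, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"


class SecondaryDomain:
    # A target application that trusts tokens from the authentication domain.
    def __init__(self, name, key=SSO_KEY):
        self.name = name
        self.key = key
        self.seen_ids = set()  # token ids already redeemed; blocks replay

    def accept(self, token, now):
        # Returns (accepted, reason or subject). Signature is checked before any
        # claim is parsed, so unsigned input never influences the decision.
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        head, body, sig = parts
        expected = b64url(hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"  # tampered or forged token
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return False, "unexpected alg"
        claims = json.loads(b64url_decode(body))
        if claims.get("aud") != self.name:
            return False, "wrong audience"  # token minted for a different domain
        if now >= claims.get("exp", 0):
            return False, "expired"
        if claims.get("jti") in self.seen_ids:
            return False, "replayed"  # interception followed by re-submission
        self.seen_ids.add(claims.get("jti"))
        return True, claims.get("sub")
```

The verifier pins the algorithm it expects instead of trusting the token's header, and it compares signatures with `hmac.compare_digest`; both are routine hardening for token validators and are the kind of detail the "credentials must be asserted correctly" bullet refers to.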

48 Other considerations
Session management
  Most SSO systems are HTTP based
  Browser cookies (must be enabled, restricted to the authentication domain)
  HTTP redirects
  Placement of tokens in the query string
  May require integration with the application
  Agent-based architecture
SSO protocol
  Needs a protocol between the authentication domain & the target application
  Token/ticket-based
  SAML POST/artifact profiles
Session management
  The SSO application maintains a session for the user
  The target application usually maintains a session
  Logging out of the target application may not log you out of the SSO application
  Single Sign-On → Single Sign-Out!
  Application specific

49 Web Cookies
A cookie is provided by a website and stored on the user’s machine
  Numerical values that are stored and managed by a web browser
  The cookie indexes a database at the website and retains information about a user
Cookies maintain state across sessions
  The Web uses a stateless protocol: HTTP
Cookies also maintain state within a session
  Sort of a single sign-on for a website
  But a very, very weak form of authentication
Cookies also create privacy concerns ???
