Print this chapterPrint this chapter

Access Control Fundamentals

7. Identification Authentication and Authorization

7.1. Identification and Authentication

Identification Component Requirements


When issuing identification values to users or subjects, ensure that:

  • Each value should be unique, for user accountability;
  • A standard naming scheme should be followed;
  • The values should be non-descriptive of the user's position or task; and
  • The values should not be shared between the users.


Authentication Factors


There are 3 general factors for authenticating a subject.

  • Something a person knows- E.g.: passwords, PIN- least expensive, least secure
  • Something a person has – E.g.: Access Card, key- expensive, secure
  • Something a person is- E.g.: Biometrics- most expensive, most secure

Note: For a strong authentication to be in process, it must include two out of the three authentication factors- also referred to as two-factor authentication.


Authentication Methods


Biometrics
  • Verifies an individual's identity by analyzing a unique personal attribute or behavior
  • It is the most effective and accurate method for verifying identification.
  • It is the most expensive authentication mechanism
  • Types of Biometric Systems
    • Finger Print- are based on the ridge endings, bifurcation exhibited by the friction edges, and some minutiae of the finger.
    • Palm Scan- are based on the creases, ridges, and grooves that are unique in each individuals palm
    • Hand Geometry- are based on the shape (length, width) of a persons hand and fingers
    • Retina Scan- is based on the blood vessel pattern of the retina on the backside of the eyeball.
    • Iris Scan- is based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows.
    • Signature Dynamics- is based on electrical signals generated due to the physical motion of the hand during signing a document
    • Keyboard Dynamics- is based on electrical signals generated while the user types in the keys (passphrase) on the keyboard.
    • Voice Print- based on the human voice
    • Facial Scan- based on the different bone structures, nose ridges, eye widths, forehead sizes, and chin shapes of the face.
    • Handy Topography- based on the different peaks, valleys, and the overall shape and curvature of the hand.
  • Types of Biometric Errors
    • Type I Error: When a biometric system rejects an authorized individual ( false rejection rate)
    • Type II Error: When a biometric system accepts imposters who should be rejected (false acceptance rate)
    • Crossover Error Rate (CER): The point at which the false rejection rate equals false acceptance rate. It is also called as Equal Error Rate (EER).

Passwords
  • It is the most common form of system identification and authentication mechanism
  • A password is a protected string of characters that is used to authenticate an individual
  • Password Management
    • Password should be properly guaranteed, updated, and kept secret to provide effective security.
    • Passwords generators can be used to generate passwords that are uncomplicated, pronounceable, non-dictionary words.
    • If the user chooses his passwords, the system should enforce certain password requirements like insisting to use special char, no of char, case sensitivity, etc. )
  • Techniques for Passwords Attack
    • Electronic monitoring- Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.
    • Access the password file- Usually done on the authentication server. The password file contains many users’ passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.
    • Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
    • Dictionary attacks Files of thousands of words are used to compare to the user’s password until a match is found.
    • Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources
  • Password checkers can be used to check the strength of the password by trying to break into the system
  • Passwords should be encrypted and hashed
  • Password aging should be implemented
  • No of logon attempts should be limited

Cognitive Passwords
  • Cognitive passwords are facts or opinion-based information used to verify an individual identity (e.g.: mothers maidens name)
  • This is best used for helpdesk services, and occasionally used services.

One-Time or Dynamic Passwords
  • It is a token-based system used for authentication purposes where the service is used only once
  • It is used in environments that require a higher level of security than a static password provides
  • Types of token generators
    • Synchronous (e.g.: SecureID) - A synchronous token device/generator synchronizes with the authentication service by any of the two means.
      • Time-Based: In this method, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create a one-time password. This password is decrypted by the server and compares it to the value that is expected.
      • Counter Based: In this method, the user will need to initiate the logon sequence on the computer and push a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters this resulting value along with a user ID to be authenticated.
    • Asynchronous: A token device that is using an asynchronous token-generating method uses a challenge/response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value that the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value that was sent earlier, the user is authenticated
  • Example: SecureID
    • It is one of the most widely used time-based tokens from RSA Security
    • It uses a time based synchronous two-factor authentication

Cryptographic Keys
  • Uses private keys and Digital Signatures
  • Provides a higher level of security than passwords.

Passphrase
  • A passphrase is a sequence of characters that is longer than a password and in some cases, takes the place of a password during an authentication process.
  • The application transforms the passphrase into a virtual password and into a format required by the application
  • It is more secure than passwords

Memory Cards
  • Holds information but cannot process them
  • More secure than passwords but costly
  • E.g.: Swipe cards, ATM cards

Smart Card
  • Holds information and has the capability to process information and can provide a two factor authentication (knows and has)
  • Categories of Smart Cards
    • Contact
    • Contactless
      • Hybrid- has 2 chips and supports both contact and contactless
      • Combi- has a microprocessor that can communicate with both a contact as well as a contact reader.
  • More expensive and tamperproof than memory cards
  • Types of smartcard attacks
    • Fault generation: Introducing of computational errors into smart card with the goal of uncovering the encryption keys that are being used and stored on cards
    • Side Channel Attacks: These are non-intrusive attacks and are used to uncover sensitive information about how a component works without trying to compromise any type of flaw or weakness. The following are some of the examples
      • Differential Power Analysis: Examining the power emission that are released during processing
      • Electromagnetic Analysis: Examining the frequency that are emitted
    • Timing: How long a specific process takes to complete
    • Software Attacks: Inputting instructions into the card that will allow for the attacker to extract account information. The following are some of the examples
      • Microprobing: Uses needles to remove the outer protective material on the cards circuits by using ultrasonic vibrations thus making it easy to tap the card ROM chip
  • Smart Card Standards
    • ISO/IEC
      • 14443-1: Physical Characteristics
      • 14443-2: Radio frequency power and signal interface
      • 14443-3: Initialization and anti collision
      • 14443-4: Transmission protocol