Access Control Fundamentals

In information security, access control is imperative to ensure confidentiality, integrity, and availability. Controlling who has access to a system and the breadth of access a user has is vital to ensure the security of systems and data on the systems. Read this article to understand the terms access control, access, subject, and resource. Note the challenges, the principles, the criteria, and the practices used in access control.

7. Identification, Authentication and Authorization

7.1. Identification and Authentication

Identification Component Requirements


When issuing identification values to users or subjects, ensure that:

  • Each value is unique, so that every action can be traced to one accountable user;
  • A standard naming scheme is followed;
  • The values are non-descriptive of the user's position or task (an identifier such as "admin3" or "payroll-mgr" tells an attacker which accounts are worth targeting); and
  • The values are not shared between users.


Authentication Factors


There are three general factors for authenticating a subject.

  • Something a person knows- E.g.: passwords, PIN- least expensive, least secure
  • Something a person has- E.g.: access card, key, hardware token- more expensive, more secure
  • Something a person is- E.g.: biometrics- most expensive, most secure

The cost and security ranking above is a generalization: a well-implemented factor of a cheaper type can be stronger than a poorly implemented one of a more expensive type.

Note: Strong authentication requires at least two of the three factors, which is why it is also referred to as two-factor (or multi-factor) authentication. Two instances of the same factor, such as a password plus a PIN, do not count as two factors.


Authentication Methods


Biometrics
  • Verifies an individual's identity by measuring a unique physical attribute or behavior
  • It is generally regarded as the most effective and accurate method of verifying identity.
  • It is the most expensive authentication mechanism
  • Types of Biometric Systems
    • Fingerprint- based on the ridge endings and bifurcations of the friction ridges, and other minutiae of the finger.
    • Palm Scan- based on the creases, ridges, and grooves that are unique to each individual's palm
    • Hand Geometry- based on the shape (length, width) of a person's hand and fingers
    • Retina Scan- based on the blood vessel pattern of the retina at the back of the eye.
    • Iris Scan- based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows.
    • Signature Dynamics- based on the speed, pressure, and motion of the hand captured while a person signs, not merely the shape of the finished signature
    • Keyboard Dynamics- based on the timing of keystrokes (how long keys are held and the intervals between them) while the user types a passphrase
    • Voice Print- based on the distinctive acoustic characteristics of a person's voice, usually captured while the user speaks a fixed phrase
    • Facial Scan- based on the different bone structures, nose ridges, eye widths, forehead sizes, and chin shapes of the face.
    • Hand Topography- based on the different peaks, valleys, and the overall shape and curvature of the hand.
  • Types of Biometric Errors
    • Type I Error: When a biometric system rejects an authorized individual (false rejection rate, FRR)
    • Type II Error: When a biometric system accepts an impostor who should have been rejected (false acceptance rate, FAR)
    • Crossover Error Rate (CER): The sensitivity setting at which the false rejection rate equals the false acceptance rate. It is also called the Equal Error Rate (EER). A lower CER means a more accurate system. In practice the threshold is often tuned away from the CER, toward fewer false acceptances where impostor access is the greater risk, at the cost of more false rejections.
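To make the two error types and the crossover point concrete, here is an added Python example (not code from the original article) that sweeps the acceptance threshold over constructed genuine and impostor similarity scores, finds the CER, and then picks the operating point a high-security deployment would choose instead. The score lists are made up for the demonstration, not output of any real sensor.

```python
"""False rejection, false acceptance and the crossover error rate of a biometric matcher.

Added example, not code from the original page. A matcher reports a similarity
score between a live sample and the enrolled template; the system accepts when
the score reaches a threshold. The scores below are constructed, not sensor output.
"""

# Constructed data: similarity scores from the enrolled user (genuine) and from
# other people presenting themselves as that user (impostors).
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.70, 0.66, 0.60]
IMPOSTOR_SCORES = [0.72, 0.68, 0.64, 0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30]


def false_rejection_rate(genuine, threshold):
    """Type I error: share of legitimate attempts rejected at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type II error: share of impostor attempts accepted at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, steps=100):
    """(threshold, FRR, FAR) at evenly spaced thresholds between 0 and 1.
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse."""
    return [(i / steps,
             false_rejection_rate(genuine, i / steps),
             false_acceptance_rate(impostor, i / steps))
            for i in range(steps + 1)]


def crossover_error_rate(genuine, impostor, steps=100):
    """Threshold at which FRR and FAR meet (the CER / EER) and the error rate there.
    The CER is the usual single-number accuracy figure for a device: lower is better."""
    threshold, frr, far = min(error_curve(genuine, impostor, steps),
                              key=lambda row: abs(row[1] - row[2]))
    return threshold, (frr + far) / 2


def threshold_for_max_far(genuine, impostor, max_far, steps=100):
    """Operating point for a high-security deployment: the lowest threshold whose
    FAR does not exceed max_far, together with the FRR legitimate users pay for it."""
    for threshold, frr, far in error_curve(genuine, impostor, steps):
        if far <= max_far:
            return threshold, frr
    return 1.0, 1.0


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t:.2f}")
    t, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero false accepts needs threshold {t:.2f}, costing FRR {frr:.2f}")
```

With these scores the two curves cross at a threshold of 0.67 with 20% error each way; demanding zero false acceptances pushes the threshold to 0.73 and rejects 30% of genuine attempts, which is the trade-off the CER figure alone hides.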

Passwords
  • Passwords are the most common identification and authentication mechanism
  • A password is a protected string of characters that is used to authenticate an individual
  • Password Management
    • Passwords should be properly guarded, changed when there is reason to, and kept secret to provide effective security.
    • Password generators can be used to produce passwords that are pronounceable and easy to remember but are not dictionary words.
    • If the user chooses his own password, the system should enforce password requirements such as a minimum length, a mix of character classes (special characters, upper and lower case), and rejection of common or previously breached passwords.
  • Techniques for Password Attacks
    • Electronic monitoring- Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The captured password can be copied and reused by the attacker at another time, which is called a replay attack.
    • Access the password file- Usually done on the authentication server. The password file contains many users' password verifiers and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms, and its contents should be stored as salted hashes rather than in the clear.
    • Brute force attacks- Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
    • Dictionary attacks- Files of thousands of common words and previously leaked passwords are tried against the user's password (or its hash) until a match is found.
    • Social engineering- An attacker falsely convinces an individual that she has the necessary authorization to access specific resources, and is given the password or a password reset.
  • Password checkers (the same cracking tools an attacker would use, run by the organization against its own password hashes) can be used to audit password strength
  • Stored passwords should be hashed with a per-user salt using a deliberately slow password-hashing function, and encrypted while in transit; plaintext or reversibly encrypted storage must be avoided
  • Password aging (forced periodic change) has traditionally been required; current guidance favors changing a password when there is evidence of compromise rather than on a fixed schedule, since forced rotation tends to produce predictable variations of the old password
  • The number of failed logon attempts should be limited, by account lockout or progressive delays, to slow online guessing
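The password-management and password-attack points above are easiest to see side by side in code. The following added Python example (standard library only; not code from the original article) shows a policy check for user-chosen passwords, the salted slow hash a password file should hold, and a dictionary attack run first against unsalted MD5 and then against the salted store. The user names, passwords and word list are constructed for the demonstration, and the iteration count is kept modest so it runs quickly.

```python
"""Password storage and the dictionary attack it has to resist.

Added example (Python standard library only), not code from the original
page. It shows the salted, slow hash a password file should hold, a password
policy check, and a dictionary attack run against an unsalted fast hash
versus the salted store. Users, passwords and the word list are constructed
for the demonstration.
"""
import hashlib
import hmac
import os

# Deliberately slow: every guess an attacker makes costs this many HMAC rounds.
# Kept modest here so the demo runs quickly; production should use a current
# recommended count or a memory-hard function such as Argon2id.
PBKDF2_ITERATIONS = 100_000

# Constructed attacker word list: common passwords plus one well-known leaked one.
WORDLIST = ["password", "letmein", "qwerty", "summer2024", "Tr0ub4dor&3"]


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Return the policy violations for a user-chosen password (empty = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in (w.lower() for w in WORDLIST):
        problems.append("appears in a common-password list")
    return problems


def hash_password(password: str, salt: bytes = None) -> dict:
    """Derive a verifier with a random per-user salt; the record never contains
    the password, and two users with the same password get different hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def weak_store(password: str) -> str:
    """The anti-pattern: unsalted MD5 of the password, as found in old password files."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_attack_unsalted(stored: dict, wordlist: list) -> dict:
    """Hash each word once and match it against every user at the same time:
    the cost is len(wordlist) regardless of how many users are in the file."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def dictionary_attack_salted(records: dict, wordlist: list):
    """Against salted slow hashes every (user, word) pair must be derived
    separately. Returns the cracked passwords and the number of KDF calls spent."""
    cracked, work = {}, 0
    for user, record in records.items():
        for word in wordlist:
            work += 1
            if verify_password(record, word):
                cracked[user] = word
                break
    return cracked, work
```

The salt does not stop a weak password from being guessed (alice's "letmein" still falls), but it removes the one-hash-for-everyone shortcut and, combined with the slow function, makes every guess against every user cost the attacker the full iteration count.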

Cognitive Passwords
  • Cognitive passwords are facts or opinion-based information used to verify an individual's identity (e.g.: mother's maiden name, first school attended)
  • This is best suited to helpdesk services and occasionally used services. Because the answers are often discoverable from public records or social media, cognitive passwords should not be relied on as the sole means of authenticating a user.

One-Time or Dynamic Passwords
  • A one-time password is valid for a single authentication session and cannot be reused; it is usually generated by a token device
  • It is used in environments that require a higher level of security than a static password provides
  • Types of token generators
    • Synchronous (e.g.: RSA SecurID)- A synchronous token device/generator synchronizes with the authentication service by either of two means.
      • Time-Based: In this method, the token device and the authentication service must hold the same time within their internal clocks. The current time value and a secret key shared by the token and the service are combined to create a one-time password. The server computes the value it expects from the same key and time and compares it with what the user entered.
      • Counter-Based: In this method, the user initiates the logon sequence on the computer and pushes a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and the result is displayed to the user, who enters it along with a user ID to be authenticated. The server must keep its counter in step with the token, and a value that has already been used must not be accepted again.
    • Asynchronous: A token device that uses an asynchronous token-generating method uses a challenge/response scheme to authenticate the user. The authentication server sends the user a challenge, a random value also called a nonce. The user enters this value into the token device, which encrypts it and returns a value that the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the server can decrypt (or recompute) the response and it matches the challenge that was sent, the user is authenticated. Because the nonce is different each time, a captured response cannot be replayed.
  • Example: RSA SecurID
    • It is one of the most widely used time-based tokens, from RSA Security
    • It uses time-based synchronous authentication; combined with the user's PIN (something known) and the token (something held), it provides two-factor authentication

Cryptographic Keys
  • Uses a private key and digital signatures: the user proves possession of the private key by signing a challenge from the server, which verifies the signature with the corresponding public key
  • Provides a higher level of security than passwords, because the private key never leaves the user's device and nothing reusable crosses the network

Passphrase
  • A passphrase is a sequence of characters that is longer than a password and, in some cases, takes the place of a password during an authentication process.
  • The application transforms the passphrase into a virtual password, a fixed-length value in the format the authentication mechanism requires
  • It is more secure than a typical password because its greater length gives it more entropy, which makes brute-force and dictionary attacks far more expensive, while a phrase is often easier to remember than a short complex string

Memory Cards
  • Holds information but cannot process it
  • More secure than a password alone when combined with a PIN (something had plus something known), but costly to issue and requires a reader
  • E.g.: Swipe cards, ATM cards

Smart Card
  • Holds information and has the capability to process it; combined with a PIN it provides two-factor authentication (knows and has)
  • Categories of Smart Cards
    • Contact- must be inserted into a reader that touches the card's gold-plated contacts
    • Contactless- communicates with the reader over a short-range radio interface
      • Hybrid- has two chips and supports both contact and contactless interfaces
      • Combi- has one microprocessor that can communicate with both a contact and a contactless reader.
  • More expensive and more tamper-resistant than memory cards
  • Types of smartcard attacks
    • Fault generation: Introducing computational errors into the smart card (for example by manipulating its supply voltage, clock, or temperature) with the goal of uncovering the encryption keys that are used and stored on the card
    • Side Channel Attacks: These are non-invasive attacks that infer sensitive information from physical observation of the card while it works, without exploiting any flaw or weakness in its logic. The following are some examples
      • Differential Power Analysis: Examining the power consumed while the card is processing
      • Electromagnetic Analysis: Examining the emissions given off by the card
      • Timing: Measuring how long a specific operation takes to complete
    • Software Attacks: Inputting commands into the card that cause it to reveal or manipulate the information it holds
    • Microprobing: An invasive attack that uses needles and ultrasonic vibration to remove the outer protective material from the card's circuits; the attacker can then tap the card's chips directly and read or manipulate the data
  • Smart Card Standards
    • ISO/IEC 14443 (contactless proximity cards; contact cards are covered by ISO/IEC 7816)
      • 14443-1: Physical characteristics
      • 14443-2: Radio frequency power and signal interface
      • 14443-3: Initialization and anticollision
      • 14443-4: Transmission protocol
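The timing side channel listed among the smart card attacks above is worth seeing end to end, because the fix is a one-line change that is easy to miss. The following added Python example (not code from the original article, and not the firmware of any real card) simulates a card that compares the PIN digit by digit and stops at the first mismatch, then recovers the PIN one digit at a time from how much work the card did, and finally shows that a constant-time comparison defeats the attack. The number of digit comparisons stands in for a stopwatch or power trace so that the run is deterministic; against real hardware the attacker would average many noisy timing measurements per guess. The PIN is constructed for the demonstration.

```python
"""Timing side channel on a smart card PIN check, and the constant-time fix.

Added example, not code from the original page and not real card firmware.
A simulated card compares the PIN digit by digit and stops at the first
mismatch, so the time it takes (modelled here as the number of digit
comparisons, which makes the run deterministic) reveals how many leading
digits a guess has right. The PIN below is constructed for the demonstration.
"""
import hmac

DIGITS = "0123456789"


class LeakyCard:
    """Early-exit comparison: the work done depends on where the first mismatch is."""

    def __init__(self, pin: str):
        self._pin = pin
        self.comparisons = 0   # stands in for a stopwatch or a power trace

    def verify(self, attempt: str) -> bool:
        self.comparisons = 0
        if len(attempt) != len(self._pin):
            return False
        for a, b in zip(attempt, self._pin):
            self.comparisons += 1
            if a != b:
                return False
        return True


class HardenedCard:
    """Constant-time comparison: every digit is examined whatever the guess."""

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self.comparisons = 0

    def verify(self, attempt: str) -> bool:
        data = attempt.encode()
        self.comparisons = len(self._pin)   # always the full length
        return len(data) == len(self._pin) and hmac.compare_digest(data, self._pin)


def recover_pin(card, length: int):
    """Attacker: at each position try all ten digits and keep the one that makes
    the card do the most work before rejecting. Returns (pin, guesses used).
    Against a leaky card this needs at most 10 * length guesses, not 10 ** length."""
    known, guesses = "", 0
    for _ in range(length):
        best_digit, best_work = None, -1
        for d in DIGITS:
            guess = (known + d).ljust(length, "0")   # pad the unknown tail
            guesses += 1
            if card.verify(guess):
                return guess, guesses
            if card.comparisons > best_work:
                best_digit, best_work = d, card.comparisons
        known += best_digit
    return known, guesses


if __name__ == "__main__":
    print("leaky card:   ", recover_pin(LeakyCard("4719"), 4))
    print("hardened card:", recover_pin(HardenedCard("4719"), 4))
```

Against the leaky card the attacker needs at most 40 guesses for a four-digit PIN instead of 10,000; against the hardened card every guess costs the same and the same attack returns nothing better than its default digits. The same principle applies to comparing MACs, session tokens and OTP codes on a server, which is why the comparison is done with hmac.compare_digest rather than the == operator.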