CS406: Information Security

Identification describes a method of ensuring that a subject is the entity it claims to be. E.g.: A user name or an account no.

Authentication is the method of proving the subjects identity. E.g.: Password, Passphrase, PIN.

Authorization is the method of controlling the access of objects by the subject. E.g.: A user cannot delete a particular file after logging into the system.

Note: There must be a three step process of Identification, Authentication and Authorization in order for a subject to access an object.

Identification and Authentication

Identification Component Requirements

When issuing identification values to users or subjects, ensure that

• Each value should be unique, for user accountability
• A standard naming scheme should be followed
• The values should be non - descriptive of the users position or task
• The values should not be shared between the users.

Authentication Factors

There are 3 general factors for authenticating a subject.

• Something a person knows - E.g.: passwords, PIN - least expensive, least secure
• Something a person has - E.g.: Access Card, key - expensive, secure
• Something a person is - E.g.: Biometrics - most expensive, most secure

Note: For a strong authentication to be in process, it must include two out of the three authentication factors - also referred to as two factor authentication.

Authentication Methods

Biometrics

• Verifies an individuals identity by analyzing a unique personal attribute or behavior
• It is the most effective and accurate method for verifying identification.
• It is the most expensive authentication mechanism
• Types of Biometric Systems
  • Finger Print - are based on the ridge endings, bifurcation exhibited by the friction edges and some minutiae of the finger
  • Palm Scan - are based on the creases, ridges, and grooves that are unique in each individuals palm
  • Hand Geometry - are based on the shape (length, width) of a persons hand and fingers
  • Retina Scan - is based on the blood vessel pattern of the retina on the backside of the eyeball.
  • Iris Scan - is based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas and furrows.
  • Signature Dynamics - is based on electrical signals generated due to physical motion of the hand during signing a document
  • Keyboard Dynamics - is based on electrical signals generated while the user types in the keys (passphrase) on the keyboard.
  • Voice Print - based on human voice
  • Facial Scan - based on the different bone structures, nose ridges, eye widths, forehead sizes and chin shapes of the face.
  • Handy Topography - based on the different peaks, valleys, overall shape and curvature of the hand.
• Types of Biometric Errors
• Type I Error: When a biometric system rejects an authorized individual ( false rejection rate)
• Type II Error: When a biometric systems accepts imposters who should be rejected (false acceptance rate)
• Crossover Error Rate (CER): The point at which the false rejection rate equals false acceptance rate. It is also called as Equal Error Rate (EER).

Passwords

• It is the most common form of system identification and authentication mechanism
• A password is a protected string of characters that is used to authenticate an individual
• Password Management
  • Password should be properly guaranteed, updated, and kept secret to provide and effective security
  • Passwords generators can be used to generate passwords that are uncomplicated, pronounceable, non - dictionary words.
  • If the user chooses his passwords, the system should enforce certain password requirement like insisting to use special char, no of char, case sensitivity etc. )
• Techniques for Passwords Attack
  • Electronic monitoring - Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.
  • Access the password file - Usually done on the authentication server. The password file contains many users' passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.
  • Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
  • Dictionary attacks Files of thousands of words are used to compare to the user's password until a match is found.
  • Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources
• Password checkers can be used to check the strength of the password by trying to break into the system
• Passwords should be encrypted and hashed
• Password aging should be implemented
• Number of logon attempts should be limited

Cognitive Passwords

• Cognitive passwords are facts or opinion-based information used to verify an individual identity (e.g.: mothers maidens name)
• This is best used for helpdesk services, and occasionally used services.

One - Time or Dynamic Passwords

• It is a token based system used for authentication purposes where the service is used only once
• It is used in environments that require a higher level of security than static password provides
• Types of token generators
  • Synchronous (e.g.: SecureID) - A synchronous token device/generator synchronizes with the authentication service by any of the two means.
    • Time Based: In this method the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create a one time password. This password is decrypted by the server and compares it to the value that is expected.
    • Counter Based: In this method the user will need to initiate the logon sequence on the computer and push a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters this resulting value along with a user ID to be authenticated.
  • Asynchronous: A token device that is using an asynchronous token - generating method uses a challenge/response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value that the user uses as a one - time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value that was sent earlier, the user is authenticated
• Example: SecureID
• It is one of the most widely used time - based tokens from RSA Security
• It uses a time based synchronous two - factor authentication

Cryptographic Keys

• Uses private keys and Digital Signatures
• Provides a higher level of security than passwords.

Passphrase

• A passphrase is a sequence of characters that is longer than a password and in some cases, takes the place of a password during an authentication process.
• The application transforms the passphrase into a virtual password and into a format required by the application
• It is more secure than passwords

Memory Cards

• Holds information but cannot process them
• More secure than passwords but costly
• E.g.: Swipe cards, ATM cards

Smart Card

• Holds information and has the capability to process information and can provide a two factor authentication (knows and has)
• Categories of Smart Cards
  • Contact
  • Contactless
    • Hybrid - has 2 chips and supports both contact and contactless
    • Combi - has a microprocessor that can communicate with both a contact as well as a contact reader.
• More expensive and tamperproof than memory cards
• Types of smartcard attacks
  • Fault generation: Introducing of computational errors into smart card with the goal of uncovering the encryption keys that are being used and stored on cards
  • Side Channel Attacks: These are non - intrusive attacks and are used to uncover sensitive information about how a component works without trying to compromise any type of flaw or weakness. The following are some of the examples
    • Differential Power Analysis: Examining the power emission that are released during processing
    • Electromagnetic Analysis: Examining the frequency that are emitted
  • Timing: How long a specific process takes to complete
  • Software Attacks: Inputting instructions into the card that will allow for the attacker to extract account information. The following are some of the examples
    • Microprobing: Uses needles to remove the outer protective material on the cards circuits by using ultrasonic vibrations thus making it easy to tap the card ROM chip
• Smart Card Standards
• ISO/IEC
• 14443 - 1: Physical Characteristics
• 14443 - 2: Radio frequency power and signal interface
• 14443 - 3: Initialization and anti collision
• 14443 - 4: Transmission protocol

Identity Management

• Identity Management is a broad term that encompasses the use of different products to identify, authenticate and authorize users through automated means.
• Identity management system is the management of the identity life cycle of entities (subjects or objects) during which:
• The identity is established:
  • a name (or number) is associated to the subject or object;
  • the identity is re-established: a new or additional name (or number) is connected to the subject or object;
• The identity is described:
  • one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
  • the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
• The identity is destroyed.
• Identity Management Challenges
• Identity Management Technologies
• Authorization Principles

Source: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Identification_Authentication_and_Authorization
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.