Identification, Authentication, and Authorization

To maintain access control, there must be a way to provide or deny access to users. In this section, you will learn what it means to identify, authenticate, and authorize a user. For example, when you log into a system you identify yourself, then you authenticate or prove who you are by providing a password. If the username and password match, the system will authorize your access provided you were previously approved for access to the system. Read the section on identification, authentication, and authorization to learn the terms and to be able to differentiate between them. You will also learn identification component requirements, authentication factors, and authentication methods such as biometrics, passwords, cryptographic keys, passphrases, memory cards, and smart cards.

Identification describes a method of ensuring that a subject is the entity it claims to be. E.g.: a user name or an account number.

Authentication is the method of proving the subject's identity. E.g.: password, passphrase, PIN.

Authorization is the method of controlling the subject's access to objects. E.g.: a user cannot delete a particular file after logging into the system.

Note: Identification, authentication and authorization form a three-step process that a subject must complete in order to access an object.

Identification and Authentication

Identification Component Requirements

When issuing identification values to users or subjects, ensure that:

  • Each value is unique, for user accountability
  • A standard naming scheme is followed
  • The values are non-descriptive of the user's position or task
  • The values are not shared between users.

Authentication Factors

There are three general factors for authenticating a subject.

  • Something a person knows - E.g.: passwords, PIN - least expensive, least secure
  • Something a person has - E.g.: access card, key - expensive, secure
  • Something a person is - E.g.: biometrics - most expensive, most secure

Note: For strong authentication, two of the three authentication factors must be used. This is also referred to as two-factor authentication.

Authentication Methods

Biometrics
  • Verifies an individual's identity by analyzing a unique personal attribute or behavior
  • It is the most effective and accurate method for verifying identification.
  • It is the most expensive authentication mechanism
  • Types of Biometric Systems
    • Fingerprint - based on the ridge endings and bifurcations exhibited by the friction ridges, and other minutiae of the finger
    • Palm Scan - based on the creases, ridges, and grooves that are unique in each individual's palm
    • Hand Geometry - based on the shape (length, width) of a person's hand and fingers
    • Retina Scan - based on the blood vessel pattern of the retina at the back of the eyeball.
    • Iris Scan - based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas and furrows.
    • Signature Dynamics - based on the electrical signals generated by the physical motion of the hand while signing a document
    • Keyboard Dynamics - based on the electrical signals generated while the user types the keys (passphrase) on the keyboard.
    • Voice Print - based on the human voice
    • Facial Scan - based on the different bone structures, nose ridges, eye widths, forehead sizes and chin shapes of the face.
    • Hand Topography - based on the different peaks, valleys, overall shape and curvature of the hand.
  • Types of Biometric Errors
    • Type I Error: When a biometric system rejects an authorized individual (false rejection rate)
    • Type II Error: When a biometric system accepts an impostor who should be rejected (false acceptance rate)
    • Crossover Error Rate (CER): The point at which the false rejection rate equals the false acceptance rate. It is also called the Equal Error Rate (EER).
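The two error types and the crossover point can be computed from a matcher's similarity scores. The following is an added example, not part of the original notes; the genuine and impostor scores are constructed values, and the matcher accepts when a score reaches the threshold.

```python
# Added example: computing the False Rejection Rate (FRR, Type I error), the
# False Acceptance Rate (FAR, Type II error) and the Crossover Error Rate (CER)
# for a biometric matcher. The score lists below are constructed sample data:
# similarity scores (0-100) produced for genuine users and for impostors.
GENUINE_SCORES = [92, 88, 95, 70, 85, 91, 78, 66, 89, 83]
IMPOSTOR_SCORES = [35, 42, 61, 28, 55, 73, 47, 39, 50, 64]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when a score >= threshold means 'accept'."""
    # Type I: an authorized user scores below the threshold and is rejected.
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    # Type II: an impostor scores at or above the threshold and is accepted.
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep all thresholds; return (threshold, rate) where FRR and FAR are closest.

    Raising the threshold lowers FAR but raises FRR, so the CER is the point
    where the two curves cross. The first threshold with the smallest gap wins.
    """
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t in (50, 67, 80):
        print(t, error_rates(t))
    print("CER at threshold", crossover_error_rate())
```

A deployment tuned for convenience sits to the left of the crossover (low FRR, higher FAR); one tuned for security sits to the right.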

Passwords
  • It is the most common form of system identification and authentication mechanism
  • A password is a protected string of characters that is used to authenticate an individual
  • Password Management
    • Passwords should be properly guarded, updated, and kept secret to provide effective security
    • Password generators can be used to generate passwords that are uncomplicated, pronounceable, non-dictionary words.
    • If the user chooses his own passwords, the system should enforce certain password requirements, such as the use of special characters, a minimum number of characters, case sensitivity, etc.
  • Techniques for Password Attacks
    • Electronic monitoring - Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.
    • Access the password file - Usually done on the authentication server. The password file contains many users' passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.
    • Brute force attacks - Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
    • Dictionary attacks - Files of thousands of words are compared to the user's password until a match is found.
    • Social engineering - An attacker falsely convinces an individual that she has the necessary authorization to access specific resources
  • Password checkers can be used to check the strength of passwords by attempting to crack them
  • Passwords should be encrypted and hashed
  • Password aging should be implemented
  • Number of logon attempts should be limited
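The management controls listed above (a complexity policy, hashed storage, password aging and a logon attempt limit) fit together in one small store. This is an added example, not code from the original notes; the limits, the PBKDF2 parameters and the class name are hypothetical choices.

```python
# Added example: a minimal password store applying the controls from the notes.
# Limits and the hashing parameters below are assumptions, not from the notes.
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 12
MAX_ATTEMPTS = 5               # lock the account after this many consecutive failures
MAX_AGE_SECONDS = 90 * 86400   # password aging: must be changed after 90 days
PBKDF2_ROUNDS = 200_000        # slows down brute force and dictionary attacks on a stolen file


def check_policy(password):
    """Enforce complexity: length, upper and lower case, a digit and a special character."""
    rules = [len(password) >= MIN_LENGTH, re.search(r"[A-Z]", password),
             re.search(r"[a-z]", password), re.search(r"\d", password),
             re.search(r"[^A-Za-z0-9]", password)]
    return all(rules)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordStore:
    def __init__(self, now=time.time):
        self.now = now     # injectable clock so aging can be tested deterministically
        self.users = {}

    def set_password(self, username, password):
        if not check_policy(password):
            return False
        salt = os.urandom(16)   # per-user salt defeats precomputed dictionary tables
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "set_at": self.now(), "failures": 0}
        return True

    def authenticate(self, username, password):
        """Return 'ok', 'expired', 'locked' or 'denied'; never says which part failed."""
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        if rec["failures"] >= MAX_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            rec["failures"] += 1
            return "denied"
        rec["failures"] = 0
        if self.now() - rec["set_at"] > MAX_AGE_SECONDS:
            return "expired"
        return "ok"
```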

Cognitive Passwords
  • Cognitive passwords are facts or opinion-based information used to verify an individual's identity (e.g.: mother's maiden name)
  • This is best used for helpdesk services and occasionally used services.

One-Time or Dynamic Passwords
  • It is a token-based system used for authentication purposes where each password is used only once
  • It is used in environments that require a higher level of security than static passwords provide
  • Types of token generators
    • Synchronous (e.g.: SecurID) - A synchronous token device/generator synchronizes with the authentication service by one of two means.
      • Time Based: In this method the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create a one-time password. The server decrypts this password and compares it to the value that is expected.
      • Counter Based: In this method the user initiates the logon sequence on the computer and pushes a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters this resulting value along with a user ID to be authenticated.
    • Asynchronous: A token device that uses an asynchronous token-generating method uses a challenge/response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value that the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value that was sent earlier, the user is authenticated
  • Example: SecurID
    • It is one of the most widely used time-based tokens, from RSA Security
    • It uses time-based synchronous two-factor authentication
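The three schemes above (time-based, counter-based and challenge/response) can be shown in one place. This is an added example, not code from the notes or from RSA Security: it builds the codes on an HMAC of the shared secret as RFC 4226 (HOTP) and RFC 6238 (TOTP) do, rather than on the encryption the notes describe, and the shared secret, step size, look-ahead and nonce values are constructed.

```python
# Added example: counter-based (HOTP), time-based (TOTP) and challenge/response
# one-time passwords, all derived from a shared secret with HMAC. Secret, step,
# digit count and look-ahead window below are constructed assumptions.
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-shared-secret-1234"   # provisioned into token and server
TIME_STEP = 30                                # seconds per time window
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter taken from the clock (time-based token)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, skew=1):
    """Server side: accept the current window and `skew` windows either side for clock drift."""
    window = int(unix_time) // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, window + d), code)
               for d in range(-skew, skew + 1))


class CounterServer:
    """Counter-based server with a look-ahead, so a skipped button press does not lock the user out."""
    def __init__(self, secret, look_ahead=3):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # move past the used value: a code can never be replayed
                return True
        return False


def challenge_response(secret, nonce=None):
    """Asynchronous scheme: server sends a random nonce, token answers with HMAC(secret, nonce)."""
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce, hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]


def verify_response(secret, nonce, response):
    expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, response)
```

The HOTP function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counters 0 and 1 give `755224` and `287082`), which is a quick way to confirm a token implementation before deploying it.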

Cryptographic Keys
  • Uses private keys and digital signatures
  • Provides a higher level of security than passwords.

Passphrase
  • A passphrase is a sequence of characters that is longer than a password and, in some cases, takes the place of a password during an authentication process.
  • The application transforms the passphrase into a virtual password, in the format required by the application
  • It is more secure than a password

Memory Cards
  • Holds information but cannot process it
  • More secure than passwords but costly
  • E.g.: Swipe cards, ATM cards

Smart Card
  • Holds information and has the capability to process it; can provide two-factor authentication (knows and has)
  • Categories of Smart Cards
    • Contact
    • Contactless
      • Hybrid - has 2 chips and supports both contact and contactless
      • Combi - has a microprocessor that can communicate with both a contact and a contactless reader.
  • More expensive and tamperproof than memory cards
  • Types of smart card attacks
    • Fault generation: Introducing computational errors into the smart card with the goal of uncovering the encryption keys that are being used and stored on the card
    • Side Channel Attacks: These are non-intrusive attacks used to uncover sensitive information about how a component works without trying to exploit any type of flaw or weakness. The following are some examples
      • Differential Power Analysis: Examining the power emissions released during processing
      • Electromagnetic Analysis: Examining the frequencies emitted
      • Timing: How long a specific process takes to complete
    • Software Attacks: Inputting instructions into the card that allow the attacker to extract account information. The following are some examples
      • Microprobing: Uses needles and ultrasonic vibrations to remove the outer protective material on the card's circuits, making it easy to tap the card's ROM chip
  • Smart Card Standards
    • ISO/IEC
      • 14443-1: Physical characteristics
      • 14443-2: Radio frequency power and signal interface
      • 14443-3: Initialization and anti-collision
      • 14443-4: Transmission protocol

Identity Management

  • Identity management is a broad term that encompasses the use of different products to identify, authenticate and authorize users through automated means.
  • An identity management system manages the identity life cycle of entities (subjects or objects), during which:
  • The identity is established:
    • a name (or number) is associated with the subject or object;
    • the identity is re-established: a new or additional name (or number) is connected to the subject or object;
  • The identity is described:
    • one or more attributes applicable to this particular subject or object may be assigned to the identity;
    • the identity is newly described: one or more attributes applicable to this particular subject or object may be changed;
  • The identity is destroyed.
  • Identity Management Challenges
  • Identity Management Technologies
  • Authorization Principles

Creative Commons License This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Thursday, April 15, 2021, 4:21 PM