CS406: Identification, Authentication, and Authorization

Identification describes a method of ensuring that a subject is the entity it claims to be. E.g.: A user name or an account no.

Authentication is the method of proving the subjects identity. E.g.: Password, Passphrase, PIN.

Authorization is the method of controlling the access of objects by the subject. E.g.: A user cannot delete a particular file after logging into the system.

Note: There must be a three step process of Identification, Authentication and Authorization in order for a subject to access an object.

Identification and Authentication

Identification Component Requirements

When issuing identification values to users or subjects, ensure that

Each value should be unique, for user accountability
A standard naming scheme should be followed
The values should be non - descriptive of the users position or task
The values should not be shared between the users.

Authentication Factors

There are 3 general factors for authenticating a subject.

Something a person knows - E.g.: passwords, PIN - least expensive, least secure
Something a person has - E.g.: Access Card, key - expensive, secure
Something a person is - E.g.: Biometrics - most expensive, most secure

Note: For a strong authentication to be in process, it must include two out of the three authentication factors - also referred to as two factor authentication.

Authentication Methods

Biometrics

Verifies an individuals identity by analyzing a unique personal attribute or behavior
It is the most effective and accurate method for verifying identification.
It is the most expensive authentication mechanism
Types of Biometric Systems
- Finger Print - are based on the ridge endings, bifurcation exhibited by the friction edges and some minutiae of the finger
- Palm Scan - are based on the creases, ridges, and grooves that are unique in each individuals palm
- Hand Geometry - are based on the shape (length, width) of a persons hand and fingers
- Retina Scan - is based on the blood vessel pattern of the retina on the backside of the eyeball.
- Iris Scan - is based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas and furrows.
- Signature Dynamics - is based on electrical signals generated due to physical motion of the hand during signing a document
- Keyboard Dynamics - is based on electrical signals generated while the user types in the keys (passphrase) on the keyboard.
- Voice Print - based on human voice
- Facial Scan - based on the different bone structures, nose ridges, eye widths, forehead sizes and chin shapes of the face.
- Handy Topography - based on the different peaks, valleys, overall shape and curvature of the hand.
Types of Biometric Errors

Type I Error: When a biometric system rejects an authorized individual ( false rejection rate)
Type II Error: When a biometric systems accepts imposters who should be rejected (false acceptance rate)
Crossover Error Rate (CER): The point at which the false rejection rate equals false acceptance rate. It is also called as Equal Error Rate (EER).

Passwords

It is the most common form of system identification and authentication mechanism
A password is a protected string of characters that is used to authenticate an individual
Password Management
- Password should be properly guaranteed, updated, and kept secret to provide and effective security
- Passwords generators can be used to generate passwords that are uncomplicated, pronounceable, non - dictionary words.
- If the user chooses his passwords, the system should enforce certain password requirement like insisting to use special char, no of char, case sensitivity etc. )
Techniques for Passwords Attack
- Electronic monitoring - Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.
- Access the password file - Usually done on the authentication server. The password file contains many users' passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.
- Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
- Dictionary attacks Files of thousands of words are used to compare to the user's password until a match is found.
- Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources
Password checkers can be used to check the strength of the password by trying to break into the system
Passwords should be encrypted and hashed
Password aging should be implemented
Number of logon attempts should be limited

Cognitive Passwords

Cognitive passwords are facts or opinion-based information used to verify an individual identity (e.g.: mothers maidens name)
This is best used for helpdesk services, and occasionally used services.

One - Time or Dynamic Passwords

It is a token based system used for authentication purposes where the service is used only once
It is used in environments that require a higher level of security than static password provides
Types of token generators
- Synchronous (e.g.: SecureID) - A synchronous token device/generator synchronizes with the authentication service by any of the two means.
  - Time Based: In this method the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create a one time password. This password is decrypted by the server and compares it to the value that is expected.
  - Counter Based: In this method the user will need to initiate the logon sequence on the computer and push a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters this resulting value along with a user ID to be authenticated.
- Asynchronous: A token device that is using an asynchronous token - generating method uses a challenge/response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value that the user uses as a one - time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value that was sent earlier, the user is authenticated
Example: SecureID

It is one of the most widely used time - based tokens from RSA Security
It uses a time based synchronous two - factor authentication

Cryptographic Keys

Uses private keys and Digital Signatures
Provides a higher level of security than passwords.

Passphrase

A passphrase is a sequence of characters that is longer than a password and in some cases, takes the place of a password during an authentication process.
The application transforms the passphrase into a virtual password and into a format required by the application
It is more secure than passwords

Memory Cards

Holds information but cannot process them
More secure than passwords but costly
E.g.: Swipe cards, ATM cards

Smart Card

Holds information and has the capability to process information and can provide a two factor authentication (knows and has)
Categories of Smart Cards
- Contact
- Contactless
  - Hybrid - has 2 chips and supports both contact and contactless
  - Combi - has a microprocessor that can communicate with both a contact as well as a contact reader.
More expensive and tamperproof than memory cards
Types of smartcard attacks
- Fault generation: Introducing of computational errors into smart card with the goal of uncovering the encryption keys that are being used and stored on cards
- Side Channel Attacks: These are non - intrusive attacks and are used to uncover sensitive information about how a component works without trying to compromise any type of flaw or weakness. The following are some of the examples
  - Differential Power Analysis: Examining the power emission that are released during processing
  - Electromagnetic Analysis: Examining the frequency that are emitted
- Timing: How long a specific process takes to complete
- Software Attacks: Inputting instructions into the card that will allow for the attacker to extract account information. The following are some of the examples
  - Microprobing: Uses needles to remove the outer protective material on the cards circuits by using ultrasonic vibrations thus making it easy to tap the card ROM chip
Smart Card Standards

ISO/IEC

14443 - 1: Physical Characteristics
14443 - 2: Radio frequency power and signal interface
14443 - 3: Initialization and anti collision
14443 - 4: Transmission protocol

Identity Management

Identity Management is a broad term that encompasses the use of different products to identify, authenticate and authorize users through automated means.
Identity management system is the management of the identity life cycle of entities (subjects or objects) during which:
The identity is established:
- a name (or number) is associated to the subject or object;
- the identity is re-established: a new or additional name (or number) is connected to the subject or object;
The identity is described:
- one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
- the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
The identity is destroyed.
Identity Management Challenges
Identity Management Technologies
Authorization Principles

Source: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Identification_Authentication_and_Authorization
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Thursday, April 15, 2021, 4:21 PM

General

Course Syllabus

Unit 1: Introduction to Information Security

1.1: The History and Evolution of Information Security

Information Security History

Timeline of the History of Information Security

1.2: Confidentiality, Integrity, and Availability – The CIA Triad

The CIA Triad

1.3: Threats, Vulnerabilities, and Risks

Threats and Vulnerabilities

The Elements of Security: Vulnerability, Threat, Risk

1.4: The Risk Management Process

NIST SP 800-39

Risk Management

More on Risk Management

1.5: The Incident Response Process

NIST SP 800-61

Incident Response

1.6: Security Control

Security Control

Security Control Types

Security Control Functions

1.7: Defense-in-Depth

Introduction to Defense-in-Depth

Defense-in-Depth Example

Defense-in-Depth

1.8: Human Behavioral Risks

The Human Factor

Humans are the Weakest Link

Security Awareness, Training, and Education

Security Threats and the Human Factor

1.9: Security Frameworks

Security Frameworks

Center for Internet Security (CIS) Controls

Payment Card Industry Data Security Standard (PCI DSS)

Unit 1 Assessment

Unit 1 Assessment

Unit 2: Threats and Attack Modes

2.1: Threat Terminology

Threat Terminology

An Overview of Threats

Privacy Threats

2.2: Types of Attacks

Types of Attacks

Classifying Threats

Birthday Attacks

What is a Botnet?

More on Botnets

Man-in-the-Middle Attacks

Teardrop Attacks

What is War Dialing?

More on War Dialing

Zero-Day Exploits

2.3: Spoofing Attacks

Spoofing Attacks

A Comprehensive Analysis of Spoofing

Email Spoofing

Caller ID Spoofing

IP Address Spoofing

2.4: Social Engineering

An Overview of Social Engineering

Dumpster Diving

One Man's Trash is Another Man's Treasure

Shoulder Surfing

Tailgating

How to Protect Against Tailgating

Phishing, Spear-phishing, and Whaling

Pretexting

2.5: Application Attacks

Application Attacks

Types of Application Attacks

The Basics of Buffer Overflows

More on Buffer Overflows

Time of Check to Time of Use

Application and Escalation of Privilege

Escalation of Privilege

2.6: Web Application Attacks

Types of Application Attacks

Cross-Site Scripting

Examples of Cross-Site Scripting