Sumy State University Department of Computer Science


Lecture 1 (part 2). Access control.

What is access control?

A cornerstone in the foundation of information security is controlling how resources are accessed so they can be protected from unauthorized modification or disclosure. The controls that enforce access control can be technical, physical, or administrative in nature. These control types need to be integrated into policy-based documentation, software and technology, network design, and physical security components.

Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. Although we usually think of a user as the entity that requires access to a network resource or information, there are many other types of entities that require access to other network entities and resources that are subject to access control. It is important to understand the definition of a subject and an object when working in the context of access control.

A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information or needed functionality. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database. When you look up information in a database, you are the active subject and the database is the passive object.

Access control is extremely important because it is one of the first lines of defense in battling unauthorized access to systems and network resources. When a user is prompted for a username and password to use a computer, this is access control. Once the user logs in and later attempts to access a file, that file may have a list of users and groups that have the right to access it. If the user is not on this list, the user is denied. This is another form of access control.

Identification, Authentication, Authorization.

What is identification?

For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privilege to perform the actions he is requesting. Once these steps are completed successfully, the user can access and use network resources. Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number.

What is authentication?

To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated.

What is authorization?

Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system determines that the subject may access the resource, it authorizes the subject.

Although identification, authentication and authorization have close and complementary definitions, each has distinct functions that fulfill a specific requirement in the process of access control. A user may be properly identified and authenticated to the network, but he may not have the authorization to access the files on the file server. On the other hand, a user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach. Figure 1 illustrates the three steps that must happen for a subject to access an object.

Three steps must happen for a subject to access an object: identification, authentication and authorization.
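As an added example (not from the lecture), the following Python sketch runs the three steps in order against a constructed credential store and a constructed access control matrix, so that "identified and authenticated but not authorized" and "authorized but not authenticated" come out as different results; the user names, object names, and the use of salted PBKDF2 for credential storage are assumptions, not part of the slides.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Credential store: username -> (salt, PBKDF2 hash of the password). Constructed for
# this example; the username is the public identification half, the password the
# secret authentication half.
Store = Dict[str, Tuple[bytes, bytes]]

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(store: Store, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = (salt, _derive(password, salt))

# Access control matrix (constructed): (subject, object) -> permitted actions.
ACL = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
}

def request_access(store: Store, user: str, password: str, obj: str, action: str) -> str:
    """Run identification, authentication and authorization in order and report
    which step stopped the request. The distinct results are for illustration;
    a deployed login would show the same user-facing message for an unknown
    subject and a wrong password so that account names cannot be enumerated."""
    # 1. Identification: the claimed identity must be one the system knows.
    if user not in store:
        return "unknown subject"
    # 2. Authentication: the presented secret is compared with the stored value
    #    using a constant-time comparison.
    salt, stored = store[user]
    if not hmac.compare_digest(_derive(password, salt), stored):
        return "authentication failed"
    # 3. Authorization: a valid subject may still lack rights on this object.
    if action not in ACL.get((user, obj), set()):
        return "not authorized"
    return "granted"
```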

An individual's identity must be verified during the authentication process. The authentication process usually involves two steps: entering public information (a username, employee number, account number, or department ID), and then entering private information (a password, smart token, one-time password, or PIN). Entering public information is the identification step, while entering private information is the authentication step of the two-step process. Each technique used for identification and authentication has its pros and cons. Each should be properly evaluated to determine the right mechanism for the correct environment.

General factors for authentication

Once a person has been identified through the user ID or a similar value, she must be authenticated, which means she must prove she is who she says she is. Three general factors can be used for authentication: 1) something a person knows, 2) something a person has, and 3) something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.

Something a person knows (authentication by knowledge) can be, for example, a password, PIN, mother's maiden name, or the combination to a lock. Authenticating a person by something that she knows is usually the least expensive to implement. The downside to this method is that another person may acquire this knowledge and gain unauthorized access to a resource.

Something a person has (authentication by ownership) can be a key, swipe card, access card, or badge. This method is common for accessing facilities, but could also be used to access sensitive areas or to authenticate systems. A downside to this method is that the item can be lost or stolen, which could result in unauthorized access.

Something specific to a person (authentication by characteristic) is more interesting. This is based on a physical attribute. Authenticating a person's identity based on a unique physical attribute is referred to as biometrics.

Strong authentication contains two out of these three methods: something a person knows, has, or is. Using a biometric system by itself does not provide strong authentication. For a strong authentication process to be in place, a biometric system needs to be coupled with a mechanism that checks for one of the other two methods. For example, many times the person has to type a PIN into a keypad before the biometric scan is performed. This satisfies the "something the person knows" category.

Whatever identification system is used, for strong authentication to be in the process, it must include two out of the three categories. This is also referred to as two-factor authentication. Strong authentication is also sometimes referred to as multiauthentication, which just means that more than one authentication method is used. Three-factor authentication is possible, which includes all authentication approaches.

Something the user knows: Password-Based Authentication

The use of passwords is fairly straightforward, as you probably already know from experience. A user enters some piece of identification, such as a name or an assigned user ID; this identification can be available to the public or can be easy to guess because it does not provide the real protection. The protection system then requests a password from the user. If the password matches the one on file for the user, the user is authenticated and allowed access. If the password match fails, the system requests the password again, in case the user mistyped.

What is a password?

Definitions:

Password: a private word or combination of characters that only the user knows.

Password: a secret data value, usually a character string, that is used as authentication information. A password is usually matched with a user identifier that is explicitly presented in the authentication process, but in some cases, the identity may be implicit.

Today, there are several methods used to break into a password-protected system:

1. Brute force attack
2. Dictionary attack
3. Password cracker (password cracking)
4. Key logger attack
5. Password sniffing
...

You can use these links or other sources:

What is Password Sniffing? - http://www.wisegeek.org/what-is-password-sniffing.htm
Types of Password Attacks - http://windowsitpro.com/security/types-password-attacks
3 Types of Password Security Attacks - http://insights.scorpionsoft.com/3-types-of-password-security-attacks-and-how-to-avoid-them
What is a Keylogger? - https://blog.kaspersky.com/keylogger/1573/

Other Common Characteristics of Passwords

- Most use only alphanumeric characters
- Most are in (password) dictionaries
- Many users re-use passwords across systems
- Some very common passwords: 123456, password, 12345678, qwerty, abc123, letmein, ...
- When forced to change passwords, most users change a single character

Password Selection Strategies

- User education: ensure users are aware of the importance of hard-to-guess passwords.
- Computer-generated passwords: generate random or pronounceable passwords (but poorly accepted by users).
- Reactive password checking: regularly check users' passwords and inform them if the passwords are weak.
- Proactive password checking: advise the user on strength when selecting a password.
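The proactive password checking strategy, as an added example that is not part of the lecture: the checker below rejects the habits listed among the common characteristics above (alphanumeric-only choices, dictionary words, re-use, and a single-character change from the previous password). The dictionary holds only the six common passwords the slides name, and the sample passwords and the 12-character minimum are constructed for this example.

```python
import string
from typing import List

# Constructed dictionary of common passwords; the slides list these six as the most
# common choices. A real checker would load a full password dictionary.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}

def _single_edit(old: str, new: str) -> bool:
    """True if new differs from old by at most one character changed, added or removed."""
    if old == new:
        return True
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) == 1
    if abs(len(old) - len(new)) == 1:
        shorter, longer = sorted((old, new), key=len)
        # Deleting one character from the longer string must yield the shorter one.
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False

def check_password(candidate: str, previous: List[str], min_length: int = 12) -> List[str]:
    """Return the reasons the candidate is weak; an empty list means it passed.

    `previous` holds the user's earlier passwords (here in clear text for the
    illustration; a deployed checker would run before the old value is discarded)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password dictionary")
    if all(c in string.ascii_letters + string.digits for c in candidate):
        problems.append("uses only alphanumeric characters")
    if candidate in previous:
        problems.append("re-uses a previous password")
    elif any(_single_edit(old, candidate) for old in previous):
        problems.append("differs from a previous password by a single character")
    return problems
```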

Worst passwords of 2016

The 2016 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.* SplashData's fifth annual Worst Passwords List shows people continue putting themselves at risk.

*https://www.teamsid.com/worst-passwords-2016/?nabe=4561770576609280:1,5716650381017088:0,5767892520140800:2

Token-Based Authentication

Biometric Authentication