Chapter 2: Access Control and Site Security. Access Control. Access Control. ACIS 5584 E-Commerce Security Dr. France Belanger.

Similar documents
Authentication Objectives People Authentication I

Lecture 9 User Authentication

CSE 565 Computer Security Fall 2018

User Authentication. Modified By: Dr. Ramzi Saifan

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

User Authentication. Modified By: Dr. Ramzi Saifan

CS530 Authentication

COMPUTER NETWORK SECURITY

Computer Security: Principles and Practice

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

802.11a g Dual Band Wireless Access Point. User s Manual

A-1300 Biometric Access Control System USER'S MANUAL

In this unit we are continuing our discussion of IT security measures.

Keystroke Dynamics: Low Impact Biometric Verification

CSC 474 Network Security. Authentication. Identification

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 10 Security Essentials

Command Center Access Control Software

Access Controls. CISSP Guide to Security Essentials Chapter 2

Security+ SY0-501 Study Guide Table of Contents

Security Setup CHAPTER

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

U S E R M A N U A L b/g PC CARD

Identification, authentication, authorisation. Identification and authentication. Authentication. Authentication. Three closely related concepts:

MODULE NO.28: Password Cracking

Smart Card and Biometrics Used for Secured Personal Identification System Development

Passwords. EJ Jung. slide 1

BIOMETRIC IDENTIFICATION OF PERSONS A SOLUTION FOR TIME & ATTENDANCE PROBLEMS

Procedure: You can find the problem sheet on the Desktop of the lab PCs.

HumanAUT Secure Human Identification Protocols

Wireless Networks. Authors: Marius Popovici Daniel Crişan Zagham Abbas. Technical University of Cluj-Napoca Group Cluj-Napoca, 24 Nov.

Authentication. Chapter 2

Interworking Evaluation of current security mechanisms and lacks in wireless and Bluetooth networks ...

Package Content IEEE g Wireless LAN USB Adapter... x 1 Product CD-ROM.x 1

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc.

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

Wireless LAN USB Super G 108 Mbit. Manual

Integrated Access Management Solutions. Access Televentures

Home Computer and Internet User Security

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

Wireless LAN Security. Gabriel Clothier

ECDL / ICDL IT Security. Syllabus Version 2.0

Wireless g AP. User s Manual

Chapter 3: User Authentication

Information Security Identification and authentication. Advanced User Authentication II

CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management

SECURE USE OF IT Syllabus Version 2.0

CHAPTER 6 EFFICIENT TECHNIQUE TOWARDS THE AVOIDANCE OF REPLAY ATTACK USING LOW DISTORTION TRANSFORM

Biometric Security Roles & Resources

Running head: PROJECT PART VII: FINAL PROJECT PAPER WITH FINAL 1

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Operating systems and security - Overview

Operating systems and security - Overview

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

Syllabus: The syllabus is broadly structured as follows:

Access Control Biometrics User Guide

INTUS 1600PS Palm Vein Authentication

Wireless LAN Card. User s Manual. Contents. A i

Tennessee Technological University Policy No Password Management

Biometrics. Something you are A characteristic of the body Presumed unique and invariant over time. Steven M. Bellovin February 5,

Advanced Biometric Access Control Training Course # :

54M Wireless LAN CardBus Card

Controlsoft Identity and Access Management Software Controlsoft Identity Access Management Software

Wireless technology Principles of Security

Biometrics. Overview of Authentication

Chapter 11: Networks

WRE6606. User s Guide. Quick Start Guide. Dual-Band Wireless AC1300 Access Point. Default Login Details. Version 1.00 (ABDU.0) Edition 1, 10/2016

1) Are employees required to sign an Acceptable Use Policy (AUP)?

Introduction: Broadcom BCM943142HM Wireless Communication Device User's Guide

Authentication System

5. Execute the attack and obtain unauthorized access to the system.

Configuring EAP for Wireless Network Connectivity By Victor Zapata

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Wireless# Guide to Wireless Communications. Objectives

USB Wireless Network Adapter User s Manual

: BIOMETRIC AUTHENTICATION TOOL FOR USER IDENTIFICATION

EnGenius Quick Start Guide

Light Mesh AP. User s Guide. 2009/2/20 v1.0 draft

Table of Contents. Chapter1 About g Wireless LAN USB Adapter...1

COPYRIGHT & TRADEMARKS

COPYRIGHT & TRADEMARKS

Evaluating Alternatives to Passwords

Allday PalmReader User Guide

300M Wireless-N Mini USB Adapter

Table of Contents. 1 Introduction. 2 Wireless Configurations. 3 Setting Up your LAN Administrator Station

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

iconnect625w Copyright Disclaimer Enabling Basic Wireless Security

Wireless MAXg Technology

Configuring the Client Adapter through the Windows XP Operating System

An Overview of Biometric Image Processing

Top-Down Network Design

Configuring Cipher Suites and WEP

Message Networking 5.2 Administration print guide

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Undergraduate programme in Computer sciences

WUG2690 User s Manual

11N Wireless PCI Adapter User Guide -6-

Transcription:

Chapter 2: Access Control and Site Security ACIS 5584 E-Commerce Security Dr. France Belanger Panko, Corporate Computer and Network Security Copyright 2002 Prentice-Hall Access Control Definitions Access control is the policy-driven limitation of access to systems, data, and dialogs What to control? Who should have access? What can they do? 2 Access Control Elements of Access Control User authentication: whether a role or individual should have any access at all User authorization: exactly what the role or individual should be allowed to do to the resource. 3

Access Control Tools Physical access control Locks, monitoring tools, personnel, etc. Logical access control User profiles (IDs and passwords) Firewalls (Chapter 5) Biometrics 4 Physical Access Control: Building Security Basics Single point of (normal) entry to building Fire doors with closed-circuit television (CCTV) and alarms Security centers Interior doors: avoid piggybacking Training security personnel AND employees Dumpster diving Drive shredding programs for discarded disk drives that do more than reformat drives Data Wiring Security 5 Physical Access Control: Access Cards Technologies Magnetic Stripe Cards Smart Cards Tokens Card Cancellation Requires a central system PINs Can be short Provide two-factor authentication (PIN + card) 6

Access Control Tools Physical access control Locks, monitoring tools, personnel Logical access control User profiles (IDs and passwords) Firewalls (Chapter 5) Biometrics 7 Logical Access Control: User Profiles: Cracking Passwords Difficult Hacking Super accounts UNIX: Hacking root Windows: administrator NetWare: supervisor Hacking root rare; usually can only hack ordinary user account May elevate privileges of user account to take root action 8 Physical Access Password Cracking 10phtcrack Brute-force password guessing Alphabet, without case is fast Alphabet, with case takes much longer Alphanumeric (letters and digits) takes longer still All keyboard characters takes longest of all Dictionary attacks Try common words, or all words. Several languages There are only a few thousand of these Very rapidly cracked Hybrid attacks Common word with single digit at end, etc. 9

Figure 2-3: Password Length Password Length In Characters 1 2 4 6 8 10 Alphabetic, No Case (N=26) 26 676 456,976 308,915,776 2.08827E+11 1.41167E+14 Alphabetic, Case Sensitive (N=52) 52 2,704 7,311,616 19,770,609,664 5.34597E+13 1.44555E+17 10 Figure 2-2: Password Length Password Length In Characters 1 2 4 6 8 10 Alphanumeric: Letters And Digits (N=62) 62 3,844 14,776,336 56,800,235,584 2.1834E+14 8.39299E+17 All Keyboard Characters (N=80) 80 6,400 40,960,000 2.62144E+11 1.67772E+15 1.07374E+19 11 Password Policies Password duration Password sharing Disabling passwords no longer valid Lost passwords (password resets) issues Opportunities for social engineering attacks Leave changed password on answering machine Automated password resets (easily-guessed questions) Testing and enforcing password policies 12

Figure 2-4: Password Hashing [Encryption] 1. User = Lee Password = My4Bad 2. Hash My4Bad = 11110000 3. Hashes Match Client PC User Lee Server 4. Hashes Match, So User is Authenticated Hashed Password File Brown 11001100 Lee 11110000 Chun 00110011 Hatori 11100010 13 UNIX/etc/passwd File Entries Without Shadow Password File User Name User ID GCOS Shell plee:6babc345d7256:47:3:pat Lee:/usr/plee/:/bin/csh Password Group ID Home Directory With Shadow Password File Plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh Asterisk instead of x indicates that the password is stored in a separate shadow password file 14 Password Policies (Cont.) Windows passwords Obsolete LAN manager passwords (7 characters maximum) should not be used Windows NTLM (NT LAN Manager) passwords are better Option (not default) to enforce strong passwords Avoid Shoulder Surfing Check for Keystroke Capture Software Professional versions of windows protect RAM during password typing Consumer versions do not Trojan horse throws up a login screen later, reports its finding to attackers 15

Windows Client PC Software BIOS passwords allow boot-up security Can be disabled by removing battery Screen savers with passwords allow awayfrom-desk security Windows professional provides some security with required login 16 Logical Control: Biometrics Biometric Authentication Based on body measurements and motions Biometric Systems (Figure 2-10) Enrollment Later access attempts Acceptance or rejection 17 Figure 2-10: Biometric Authentication System 1. Initial Enrollment User Lee Scanning 2. Subsequent Access Applicant Scanning Processing (Key Feature Extraction) A=01, B=101, C=001 3. Match Index Decision Criterion (Close Enough?) Processing (Key Feature Extraction) A=01, B=111, C=001 User Lee Template (01101001) User Access Data (01111001) Template Database Brown 10010010 Lee 01101001 Chun 00111011 Hirota 1101110 18

Figure 2-9: Biometric Authentication Verification Versus Identification Verification: Are applicants who they claim to be? (compare with single profile) Identification: Who is the applicant? (no claim of identify; compare with all profiles stored) More difficult than verification Verification is good to replace passwords in logins Identification is good for door access (no need to enter ID) 19 Figure 2-9: Biometric Authentication Precision False acceptance rates (FARs): Percentage of unauthorized people allowed in False rejection rates (FRRs): Percentage of authorized people rejected Vendor claims tend to be exaggerated through tests under ideal circumstances User Acceptance is Crucial Fingerprint recognition has a criminal connotation Some methods difficult to use, require disciplined group 20 Figure 2-9: Biometric Authentication Biometric Methods Fingerprint recognition Simple, inexpensive, well-proven Can be defeated with copies Iris recognition Very low FARs High FRR rate can harm acceptance Signature recognition Pattern and writing dynamics 21

Figure 2-9: Biometric Authentication Biometric Methods Face recognition Can be in public places for surreptitious identification Hand geometry Voice recognition Keystroke recognition Rhythm of typing Normally restricted to passwords 22 Figure 2-9: Biometric Authentication Biometric Standards Poor standardization (ltd interoperability) Biometrics Effectiveness Airport face recognition mostly has false positives 4-week face recognition trial at Palm Beach International Airport Scanned 958 times; Only recognized 455 times Recognition rate fell if wore glasses (especially tinted), looked away Would be worse with larger database (250 pictures) Would be worse if photographs were not good 23 Figure 2-9: Biometric Authentication Can Biometrics be Fooled? DOD 270-person test indicates poor acceptance rates when subjects not attempting to evade Face recognition recognized person only 51 percent of time and Iris recognition only 94 percent of the time. Other research: evasion often successful for some methods German magazine fooled most face & fingerprint recognition systems Prof. Matsumoto fooled fingerprint sensors 80% of time with gelatin finger created from latent print on a glass 24

Biometrics Authentication The Revocation Problem What happens if the database template for a person is stolen? Cannot base design on confidentiality of the database 25 Wireless LAN (WLAN) Security: 802.11 Wireless LAN Ethernet Switch (3) (2) 802.3 Frame Containing Packet Access Point 802.11 Frame Containing Packet (1) Server Client PC Notebook With PC Card Wireless NIC 26 802.11 Wireless LAN Ethernet Switch (1) (2) 802.3 Frame Containing Packet Access Point 802.11 Frame Containing Packet (3) Server Client PC Notebook With PC Card Wireless NIC 27

Multiple 802.11 Standards Standard Rated Speed (a) Unlicensed Radio Band Effective Distance (b) 802.11b 11 Mbps 2.4 GHz ~30-50 meters 802.11a 54 Mbps 5 GHz ~10-30 meters 802.11g 54 Mbps 5 GHz? Notes: (a) Actual speeds are much lower and decline with distance. (b) These are distances for good communication; attackers can read some signals and send attack frames from longer distances. 28 Wireless LAN (WLAN) Operations Uses Spread Spectrum transmission Signal spread over a broad range of frequencies Methods used by military are hard to detect But in 802.11 does not provide security 802.11 methods easy to detect so devices can find each other; used to prevent frequencydependent propagation problems rather than for security SSIDs (service set identifier) Mobile devices must know access point s SSID 29 Wired Equivalent Privacy (WEP) Early WLAN security Not enabled by default!! Uses 40-bit or 128-bit encryption keys 40-bit too small; 128-bit OK Uses shared passwords (All stations AP) Difficult to change, so rarely changed Flawed security algorithms 30

802.1x and 802.11i (Figure 2-14) Basic Operations Authentication server: access decisions User data server: holds data on individuals Access point: gives out individual keys for secure exchange Authentication: Uses Extensible Authentication Protocol (EAP) Offers many options for authentication (MD5 CHAP, TLS, TTLS) 31 Figure 2-14: 802.1x Authentication for 802.11i WLANs Applicant (Lee) 1. Authentication Data 5. OK Use Key XYZ Access Point 2. Pass on Request to RADIUS Server 4. Accept Applicant Key=XYZ Directory Server or Kerberos Server RADIUS Server 3. Get User Lee s Data (Optional; RADIUS Server May Store This Data) 32 Assignments Thought Questions 2 and 4 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback