2. User Authentication and Access Control
2.1 Identification and authentication
Identification is the ability to uniquely identify a user of a system or an
application that is running in the system.
Authentication is the ability to prove that a user or application is genuinely
who that person or what that application claims to be.
For example, consider a user who logs on to a system by entering a user ID
and password. The system uses the user ID to identify the user. The system
authenticates the user at the time of logon by checking that the supplied
password is correct.
User authentication
Authentication is the process of verifying the identity of a user
There are two reasons to do this:
• To make access control decisions
• To enable audit trails
Authorization is sometimes based on role, not identity
Accountability is based on identity, since group accountability is
ineffective
Authentication procedure
The most common procedure is as follows:
An individual arrives at a checkpoint (login dialog, door, . . .)
The individual claims an identity (username, Smart Card, token,. . .)
The individual presents the item needed to prove the identity
(password, PIN, . . .)
Authentication of users can use
Something you know (passwords, PIN, . . . )
Something you have (keys, badges, tokens, smart card, . . . )
Something you are: biometrics (handwriting, fingerprints, retina patterns)
Something you do (handwriting, . . . )
Where you are
Authentication of users can use
Something you know (passwords, PIN, . . . )
Something you know: Passwords
Username+password is the standard first line of defense
Widely accepted, not too difficult to implement
Can be expensive to manage passwords securely
Obtaining a valid password is a common attack
Maintaining passwords
People can’t remember infrequently used, frequently changed, many
similar items
We can’t forget on demand
Recall is harder than recognition
Non-meaningful words are more difficult to remember
Ways for an attacker to obtain a valid password
• Intercept it at creation
• Guess it
• Steal the note where it is written down
• Watch user enter it, or use a keylogger
• Eavesdrop on transmission
• Find it in a memory buffer
• Find it through a spoofing program, through phishing, or more general
social engineering
• Find it reused in another system
• Password recovery
Password management
Requires proper routines for issuing
Requires properly trained staff, maybe a round-the-clock helpdesk
This can become a cost factor that needs to be taken into account
Selecting a secure password
In general, when you want to protect something, you lock it up with a key.
Houses, cars and bicycle locks all have physical keys; protected files have
encryption keys; bank cards have PIN numbers; and email accounts have
passwords. All of these keys, physical and electronic, have one thing in
common: they open their respective locks just as effectively in the hands of
somebody else. You can install advanced firewalls, secure email accounts, and
encrypted disks, but if your password is weak, or if you allow it to fall into
the wrong hands, they will not do you much good.
Selecting a secure password
Passwords should
• be long enough, and have enough variation to make guessing hard
• be easy to remember, without violating the points above
• be changed at reasonable intervals
Should not
• be anything you reveal outside authentication
• be the same for two sites
• if one site is more sensitive
• if one site is less trusted
• be stored in plaintext
• be sent in plaintext
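The logon example at the start of this section (identify by user ID, then authenticate by password) combined with the rule that passwords are never stored in plaintext, as an added example that is not part of the original slides. The user store, the iteration count and the dummy salt are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed for this example: a slow, salted password hash (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000

def make_record(password: str) -> tuple[bytes, bytes]:
    """Create the stored record for a user: a fresh random salt and the derived hash.
    The password itself is never stored. A per-user salt means two users with
    the same password get different records, so one hash does not reveal the other."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(store: dict[str, tuple[bytes, bytes]], user_id: str, password: str) -> bool:
    """Identification: look up user_id. Authentication: check the supplied password."""
    record = store.get(user_id)
    if record is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which user IDs exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison: no early exit on the first mismatching byte.
    return hmac.compare_digest(candidate, stored)

# Constructed user store for demonstration.
USERS = {"alice": make_record("correct horse battery")}
```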
Choose a Password you can’t remember,
and don’t write it down
Selecting a secure password
1. Generate (a real) random password
2. Write it on a piece of paper
3. Keep the now valuable piece of paper with the other valuable pieces of paper you
own in your wallet
An old study by D. Klein found that roughly 25% of passwords could be guessed:
Dictionary words: 7.4%, common names: 4%, combinations of user and account name: 2.7%, ...
Frequent password changes often backfire:
monthly changes: alice01, alice02, ...
checking against old passwords: rapid changes until the old password can be used again
Something you know: PIN
• Financial PINs are often four digits
• Some banks force a PIN on the user, others allow you to choose
• Avoid 1111, 2222, and 1234, 2345, or birthdates and suchlike
• Many systems allow three attempts before locking the card, giving a 0.06%
chance of guessing it
• Even being secret, the PIN's connection to the account number allows guessing
it in 15 attempts on average
Ways for an attacker to obtain a PIN
• Phishing: Ask the user for login and password under a false pretense
• Spoofing: Present a false but genuine-looking login screen
• Other social engineering: Directed personal attacks aimed at extracting the
password, often aimed at support staff
Authentication of users can use
Something you have (keys, badges, tokens, smart card, . . . )
Something you have
can be stolen
can be found by others, if lost
can be copied, if you know their correct properties:
skimming
guessing valid properties
radio eavesdropping on RFID
taking photos of a metal key
Something you have
Secure object:
Connects as a USB keyboard or via NFC
Issues one-time passwords
Contains secret AES key used to encrypt a counter
The AES key cannot be retrieved, so the key cannot be copied
Slightly better security than a physical, ordinary key
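The one-time-password scheme sketched above, as an added example that is not code from any real token product: the token keeps a secret key that never leaves it and emits a code computed over a counter; the verifier knows the same key and rejects replays and out-of-window counters. The slide describes AES encryption of the counter; this example substitutes HMAC-SHA256 as the keyed function so it runs on the standard library, and the window size is an assumption.

```python
import hashlib
import hmac

def _code(key: bytes, counter: int) -> str:
    """Keyed function over the counter. Stands in for the AES-encrypted counter
    described on the slide; without the key, codes cannot be computed or copied."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]

class Token:
    """Hypothetical hardware token: each press increments the counter and emits a code."""
    def __init__(self, key: bytes):
        self._key = key          # stays inside the device
        self._counter = 0

    def press(self) -> tuple[int, str]:
        self._counter += 1
        return self._counter, _code(self._key, self._counter)

class Verifier:
    """Server side: shares the key and remembers the last counter it accepted."""
    def __init__(self, key: bytes, window: int = 10):
        self._key = key
        self._last = 0
        self._window = window    # tolerates presses that never reached the server

    def check(self, counter: int, code: str) -> bool:
        # A counter at or below the last accepted one is a replay of an old code;
        # one far ahead means the token and server have drifted apart.
        if counter <= self._last or counter > self._last + self._window:
            return False
        if not hmac.compare_digest(_code(self._key, counter), code):
            return False
        self._last = counter     # advance only after a valid code
        return True
```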
Something you have
Other secure objects
• Modern car keys
• Passports
• Credit cards
• Mobile phone SIM
• Mobile BankID
• Identity cards
• Smart card
• Bank identification device
Piggybacking
In security, piggybacking refers to when a person tags along with another person who is
authorized to gain entry into a restricted area, or pass a certain checkpoint.
The act may be legal or illegal, authorized or unauthorized, depending on the
circumstances. However, the term more often has the connotation of being an illegal
or unauthorized act.
To describe the act of an unauthorized person who follows someone to a restricted
area without the consent of the authorized person, the term tailgating is also used.
"Tailgating" implies without consent (similar to a car tailgating another vehicle on the
freeway), while "piggybacking" usually implies consent of the authorized person.
Piggybacking is the tactic of closely following a person who has just used an access
card or PIN to gain physical access to a room or building.
Shoulder surfing
In computer security, shoulder surfing refers to using direct observation techniques,
such as looking over someone's shoulder, to get information. It is commonly used to obtain
passwords, PINs, security codes, and similar data.
Shoulder surfing is particularly effective in crowded places because it is relatively easy to
observe someone as they:
• fill out a form
• enter their PIN at an automated teller machine or a POS terminal
• use a telephone card at a public payphone
• enter a password at a cybercafe, public and university libraries, or airport kiosks
• enter a code for a rented locker in a public place such as a swimming pool or airport
Public transport is a particular area of concern.
Dumpster Diving
Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large
trash container.) In the world of information technology, dumpster diving is a
technique used to retrieve information that could be used to carry out an attack on a
computer network.
Dumpster diving isn't limited to searching through the trash for obvious treasures like
access codes or passwords written down on sticky notes.
Seemingly innocent information like a phone list, calendar, or organizational chart can
be used to assist an attacker using social engineering techniques to gain access to the
network.
To prevent dumpster divers from learning anything valuable from your trash, experts
recommend that your company establish a disposal policy where all paper, including
print-outs, is shredded in a cross-cut shredder before being recycled, all storage media
are erased, and all staff are educated about the danger of untracked trash.
Authentication of users can use
Something you are: biometrics (handwriting, fingerprints, retina patterns)
Something you do (handwriting, . . . )
Something you are: Biometrics
• Biometrics refers to metrics related to human characteristics and traits.
• Biometric identification (or biometric authentication) is used in computer science as a
form of identification and access control.
• It is also used to identify individuals in groups that are under surveillance.
• Biometric identifiers are the distinctive, measurable characteristics used to label and
describe individuals.
• Biometric identifiers are often categorized as physiological versus behavioral
characteristics.
• Physiological characteristics are related to the shape of the body.
• Examples include, but are not limited to, fingerprint, palm veins, face recognition,
DNA, palm print, hand geometry, iris recognition, retina and odour/scent.
• Behavioral characteristics are related to the pattern of behavior of a person,
including but not limited to typing rhythm, gait, and voice.
USES
• Identification
• Determining who a person is, i.e. trying to find a match for a person's biometric
data in a database
• Requires time and a large amount of processing power, especially for large
databases
• Verification
• Determining if a person is who they say they are by comparing their biometric
data to previously recorded data.
• Requires less processing power and time, and is used for access control
Types of biometrics
Finger Print
Fingerprint recognition or fingerprint authentication refers to the automated method of
verifying a match between two human fingerprints. Fingerprints are one of many forms of
biometrics used to identify individuals and verify their identity.
Retina Biometric
A retinal scan, commonly confused with the more appropriately named "iris scanner", is
a biometric technique that uses the unique patterns on a person's retina to identify them.
It is not to be confused with another ocular-based technology, iris recognition. The
biometric use of this scan is used to examine the pattern of blood vessels at the back of the
eye.
Voice Recognition
In computer science and electrical engineering, speech recognition (SR) is the
translation of spoken words into text. It is also known as "automatic speech
recognition" (ASR), "computer speech recognition", or just "speech to text" (STT).
Applications of voice recognition:
- in-car systems
- health care systems
- high-performance fighter aircraft
- helicopters
- training air traffic controllers
- telephony and other domains
- usage in education and daily life
Writing pattern recognition
Keystroke dynamics, keystroke biometrics or typing dynamics, is the detailed timing
information that describes exactly when each key was pressed and when it was
released as a person is typing at a computer keyboard.
Data needed to analyze keystroke dynamics is obtained by keystroke logging. Normally,
all that is retained when logging a typing session is the sequence of characters
corresponding to the order in which keys were pressed and timing information is
discarded. When reading email, the receiver cannot tell from reading the phrase "I saw
3 zebras!" whether:
• that was typed rapidly or slowly
• the sender used the left shift key, the right shift key, or the caps-lock key to make the
"i" turn into a capitalized letter "I"
• the letters were all typed at the same pace, or if there was a long pause before the letter
"z" or the numeral "3" while the sender was looking for that letter
• the sender typed any letters wrong initially and then went back and corrected them, or
if they got them right the first time.
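The timing information the paragraph says is normally discarded, turned into a keystroke-dynamics check, as an added example that is not from the original slides or any product. It assumes press/release events recorded in milliseconds for a fixed text, uses dwell time (how long a key is held) and flight time (gap from one release to the next press) as features, enrols a profile from several sessions, and scores a new session against it; all timings are constructed.

```python
from statistics import mean

def make_session(keys, dwells, flights, start=0):
    """Build (key, press_ms, release_ms) events; flights[i] is the gap between
    releasing keys[i] and pressing keys[i+1]."""
    events, t = [], start
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell: time each key is held. Flight: gap from one release to the next press.
    This is exactly the timing that plain keystroke logging throws away."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(sessions):
    """Profile = per-feature mean over the enrolment sessions (same text each time)."""
    vectors = [features(s) for s in sessions]
    return [mean(col) for col in zip(*vectors)]

def match_score(profile, events, tolerance=0.25):
    """Fraction of features within +/- tolerance of the enrolled value.
    A real system would threshold this and combine it with a password."""
    probe = features(events)
    hits = sum(1 for p, q in zip(profile, probe) if abs(q - p) <= tolerance * p)
    return hits / len(profile)

KEYS = ["s", "a", "w"]
# Constructed enrolment sessions for one typist: three dwell times, two flight times.
ENROLMENT = [
    make_session(KEYS, [90, 85, 95], [120, 130]),
    make_session(KEYS, [95, 80, 100], [115, 140]),
    make_session(KEYS, [88, 90, 92], [125, 135]),
]
PROFILE = enroll(ENROLMENT)
# Constructed probes: the same typist again, and someone hunting for each key.
GENUINE = make_session(KEYS, [92, 84, 97], [122, 128])
IMPOSTOR = make_session(KEYS, [60, 150, 70], [400, 350])
```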
Application: in commercial products