Presentation
on
Network And Information Security
(22620)
By
Ms. Pritee H. Raut
(Assistant Professor)
COMPUTER ENGINEERING DEPARTMENT
G. H. RAISONI POLYTECHNIC, NAGPUR
UNIT-2
Authentication and Access control
(MARKS-10)
Identification
“Identification is the act of indicating a person or thing’s identity.”
Ex- Enter username and password
User authentication
Authentication is the process of verifying the identity of a user.
Prove that you are who you claim to be.
Authentication of a user can be based on one or more of the following factors:
Something you know (passwords, PIN, . . . )
Something you have (keys, badges, tokens, smart card, . . . )
Something you are biometrics (handwriting, fingerprints, retina patterns, . . . )
Authentication mechanism (4m)
An authentication mechanism is used to prove the identity of the user.
User authentication is performed during the log-on process, when the user submits a username and password.
The job of the authentication mechanism is to make sure that only valid users are admitted.
Generally there are three methods used in authentication.
A. Something-you-know: the most common authentication mechanism is to provide a user ID and
password. A password should not be shared with anybody else; only you should know your password.
B. Something-you-have: this method involves the use of something that only valid users should have, like a lock
and key. Only those individuals with the correct key are able to open the lock.
C. Something-about-you: this method involves something that is unique about you, like a fingerprint, DNA
sample etc.
PASSWORD ATTACK
1) Piggybacking
2) Shoulder surfing
3) Dumpster diving
Piggybacking
Piggybacking is the simple approach of following closely behind a person who has just used
their own access card or PIN to gain physical access to a room or building.
In this way an attacker can gain access to the facility without knowing the access code or acquiring
an access card.
Ex- Using a Wi-Fi hotspot of neighbors who have not secured their network.
Shoulder Surfing
Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get
information. Shoulder surfing is an effective way to get information in crowded places because it's
relatively easy to stand next to someone and watch as they fill out a form, enter a PIN at an ATM,
or use a calling card at a public pay phone.
Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing
devices.
To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by
using your body or cupping your hand.
Dumpster diving
Dumpster diving is the process of searching trash to obtain useful information about a person or business that
can later be used for hacking purposes.
This attack mostly targets major companies or businesses in order to conduct phishing (mainly) by sending
victims false emails that appear to come from a reputable source.
What does a hacker look for?
Bank statements/financial statements
Passwords and social security numbers that we might have written on sticky notes for our
convenience
Important documents
Account login credentials
Business secrets
Marketing secrets
Information about the employee base
Information about the software/tools/technologies that are being used at the company
Preventive Measures:
• Destroy any CDs/DVDs containing personal data.
• In case you no longer need your PC, make sure you have deleted
all the data so that it can’t be recovered.
• Use of firewalls can prevent suspicious Internet users from accessing the
discarded data.
• Paper documents should be permanently destroyed/shredded.
• Companies should lock waste bins and should have a safe disposal policy.
BIOMETRICS
Biometrics is the identification of a person by the measurement of their biological features.
For example, users identifying themselves to a computer or building by their fingerprint or voice is
considered a biometrics identification. Compared to a password, this type of system is much more
difficult to fake since it is unique to the person.
Other common methods of a biometrics scan are a person's face, hand, iris, and retina.
Types of biometric
Finger Print
Hand Print
Retina scanner
Patterns
Voice
Fingerprints:
• Fingerprint recognition is widely considered to be one of the oldest and most developed types of
biometric recognition. Fingerprints are easy to capture, and can be verified by comparing the unique
loops, arches, and whorls in each pattern.
• After capturing the print, sophisticated algorithms use the image to produce a unique digital
biometric template. The template is then compared to new or existing scans to either confirm or deny
a match.
• Fingerprint scanners have come into common use in recent years due to their widespread deployment on
smartphones.
• Any device that can be touched, such as a phone screen, computer mouse or touchpad, or a door
panel, has the potential to become an easy and convenient fingerprint scanner.
• Fingerprint scanning is the most common type of biometric authentication in the enterprise, used by
57 percent of companies.
Voice Recognition
• Physically speaking, the shape of a person's vocal tract, including the nose and mouth, determines the sound
produced. Behaviorally, the way a person says something (movement variations, tone, pace, accent, and so
on) is also unique to each individual.
• The most important properties used for speech authentication are nasal tone, fundamental frequency,
inflection and cadence. Combining data from both physical and behavioral biometrics creates a precise
voiceprint.
Retina Scan
Retinal scans capture the capillaries deep within the eye using special near-infrared cameras. The raw image is first
preprocessed to enhance it and then processed into a biometric template that is used during both enrollment and
verification.
Keystroke Dynamics
• Keystroke dynamics leverage the fact that people follow a definite pattern while typing on a keyboard or keypad.
Their keystroke rhythm can be used to establish a biometric profile, which can then be used to identify or authenticate
that person.
• The time taken to press each key, the pause between key presses, letters typed per second/minute, and several other measures
are taken to generate a keystroke profile of a user. When combined with keystroke dynamics, password-based security
can improve manifold without introducing any more complexity.
Signature Recognition
Signature recognition is a type of biometric method that analyzes the physical act of
signing by measuring special coordinates such as pen pressure, stroke order, inclination and
speed. All measurements are digitally recorded, and that information is then used to automatically
create a biometric profile for future authentication.
Hand Print
The use of the geometric features of the hand, such as the lengths of the fingers and the width of the
hand, to identify an individual.
Phases of Biometric System
There are two phases of a Biometric System:
1. Enrollment phase:
In the enrollment phase, the biometric information of the user is recorded in a
database. It is a one-time process. Generally, in this phase, the measurement of the
relevant information is done very precisely.
2. Recognition phase:
This is the second phase of the biometric system. A fresh biometric sample is captured and
compared against the information recorded during the enrollment phase. This phase must be quick,
accurate, and able to settle the authentication decision easily.
Biometric System Architecture(sample)
1. Sensor: The sensor is the first block of the biometric system; it collects all the important data for
biometrics. It is the interface between the system and the real world. Typically it is an image acquisition system,
but the kind of sensor depends on the feature or characteristic that has to be measured.
2. Pre-processing: The second block executes all the pre-processing. Its function is to enhance the
input and to eliminate artifacts from the sensor, background noise, etc. It performs some kind of normalization.
3. Feature extractor: This is the third and most important step in the biometric system. Features are extracted so
that they can be identified at a later stage. The goal of a feature extractor is to characterize the object to be recognized by
measurements.
4. Template generator: The template generator generates the templates that are used for authentication from the
extracted features. A template is a vector of numbers or an image with distinct traits. Characteristics obtained from the
source groups come together to form a template. Templates are stored in the database for comparison and serve as
input for the matcher.
5. Matcher: The matching phase is performed by the matcher. The newly acquired template is given to the
matcher, which compares it with the stored templates using various algorithms such as Hamming distance, etc. After matching
the inputs, the result (match or no match) is generated.
6. Application device: This is the device that uses the results of the biometric system. Iris recognition systems and facial
recognition systems are common examples of application devices.
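The enrollment and recognition phases and the matcher block above, as an added illustration written for these notes (not code from the slides or any product): templates are constructed 32-bit strings standing in for the template generator's output, and the 20% Hamming-distance threshold is an assumed value.

```python
"""Added illustration of the enrollment and recognition phases with a Hamming-distance
matcher (example code written for these notes, not from the slides or any product).
The templates are constructed bit strings standing in for the template generator's
output (e.g. an iris code); a real system derives them from sensor data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TEMPLATE_BITS = 32       # constructed template length
MATCH_THRESHOLD = 0.20   # assumed: reject if more than 20% of bits differ


def hamming_distance(a: str, b: str) -> int:
    """Number of bit positions in which two equal-length templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b))


@dataclass
class BiometricSystem:
    db: Dict[str, str] = field(default_factory=dict)  # enrollment database of templates

    def enroll(self, user: str, template: str) -> None:
        """Enrollment phase: record the user's template once."""
        if len(template) != TEMPLATE_BITS:
            raise ValueError("bad template length")
        self.db[user] = template

    def verify(self, user: str, fresh: str) -> Tuple[bool, float]:
        """Recognition phase, 1:1: compare a fresh template with the claimed user's record."""
        stored = self.db.get(user)
        if stored is None:
            return False, 1.0                      # unknown claim: reject
        score = hamming_distance(stored, fresh) / TEMPLATE_BITS
        return score <= MATCH_THRESHOLD, score

    def identify(self, fresh: str) -> Optional[str]:
        """Recognition phase, 1:N: closest enrolled template, if it is within threshold."""
        best = min(self.db, key=lambda u: hamming_distance(self.db[u], fresh), default=None)
        if best is None or not self.verify(best, fresh)[0]:
            return None
        return best


# Constructed templates: BOB differs from ALICE in every bit; ALICE_RESCAN is a
# noisy re-scan of ALICE with 2 of 32 bits flipped (sensor noise).
ALICE = "1011" * 8
BOB = "0100" * 8
ALICE_RESCAN = "0011" + "1011" * 6 + "1010"
```

The threshold trades false rejects (a noisy re-scan of the right person) against false accepts (a different person whose template happens to be close), which is why it is tuned per sensor rather than fixed.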
Access control
Access:
Once authenticated and authorized, the person or computer can access the
resource.
Access control
Access control is a method of restricting access to sensitive data. Only those that
have had their identity verified can access company data through an access
control gateway.
Types of Access control
1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
DAC stands for Discretionary Access Control. The owner of the resource has complete control
over who can have access to a specific resource. The resource can be a file, directory, or any other object
that can be accessed via the network. The owner can grant permission to other users to access the resource.
The owner can also allow them to perform operations such as read, write, execute or share the resource.
Moreover, the owner can transfer ownership and determine the access type of other users.
In general, DAC is an easy and flexible access control method. However, it is not very secure. As the
owner of the resource has full control, one slip by the owner can give full control to others.
Discretionary Access Control (DAC) is a type of access control system that gives the owner control
over any objects they own, to grant or restrict access.
Each entry point in the system has an Access Control List (ACL) that holds information about access
permissions, based on specific rules.
The owner of the data determines who can access the specific resources.
Mandatory Access Control (MAC)
The design and implementation of MAC is commonly used by the government. It uses a hierarchical approach to
control access to files/resources. Under a MAC environment, access to resource objects is controlled by the settings
defined by a system administrator. This means access to resource objects is controlled by the operating system based
on what the system administrator configured in the settings. It is not possible for users to change the access control of a
resource.
On the other end of the spectrum, mandatory access control (MAC) systems are the most secure type of access control.
Only owners and custodians have access to the systems. All the access control settings are preset by the system
administrator and can't be changed or removed without his or her permission.
Access rights are regulated by a central authority.
A user may only access a resource if their security label matches the resource's security label.
Due to its strict control, Mandatory Access Control (MAC) is usually implemented in environments that have confidential
information to protect and require a high level of security, such as military institutions and government organizations.
For example, if a user requires access to a secret file, he should have a secret clearance or a higher clearance to
access the resource.
Banks and insurance companies, for example, may use MAC to control access to customer account data.
Role-Based Access Control (RBAC)
Role-based access control grants access privileges based on the work that individual users do.
Role-based access control (RBAC) is quickly becoming the most popular type of access control.
Instead of assigning permissions to individual users like in a MAC system, an RBAC system works by
assigning permissions to a specific job title.
This gives an individual only the access needed to do their job, since access is connected to their job.
For example, if you have 20 salespeople, two managers, and three accountants, you wouldn't have to
create 25 individual security profiles in the system. You'd only have to create three: one for each
separate job title. When employees get promoted, just give them credentials that fit the new role and
they're good to go.
For example, rather than assigning access permissions to an individual who is a project manager, access
permissions are assigned to the project manager position.
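The three models described above (DAC, MAC and RBAC), as an added comparison written for these notes rather than code from the slides or any real system: each is reduced to a policy-decision function, and the users, files, clearances and roles are constructed samples.

```python
"""Added illustration of the three access-control models in the notes (DAC, MAC, RBAC)
as policy-decision functions. Example code written for these notes, not from any real
system; users, objects, labels and roles are constructed samples."""
from typing import Dict, Set, Tuple

# ---- DAC: the owner of each object keeps its ACL and decides who gets which rights ----
# Constructed sample: object -> (owner, ACL mapping user -> set of rights)
DAC_ACL: Dict[str, Tuple[str, Dict[str, Set[str]]]] = {
    "report.txt": ("alice", {"alice": {"read", "write"}}),
}

def dac_grant(obj: str, granter: str, user: str, right: str) -> bool:
    """Only the owner may add an entry to the object's ACL (the 'discretionary' part)."""
    owner, acl = DAC_ACL[obj]
    if granter != owner:
        return False
    acl.setdefault(user, set()).add(right)
    return True

def dac_allowed(obj: str, user: str, right: str) -> bool:
    """Access decision: is the right present in the object's ACL for this user?"""
    return right in DAC_ACL[obj][1].get(user, set())

# ---- MAC: a central authority fixes labels; users cannot change them ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential"}            # set by the administrator
CLASSIFICATION = {"budget.doc": "secret", "memo.doc": "confidential"}

def mac_allowed(user: str, obj: str) -> bool:
    """Read allowed only if the user's clearance is at or above the object's label."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[CLASSIFICATION[obj]]

# ---- RBAC: permissions attach to job roles; users are assigned roles ----
ROLE_PERMS: Dict[str, Set[str]] = {
    "salesperson": {"crm:read", "crm:write"},
    "manager": {"crm:read", "crm:write", "crm:approve"},
    "accountant": {"ledger:read", "ledger:write"},
}
USER_ROLES: Dict[str, Set[str]] = {"carol": {"salesperson"}, "dave": {"manager", "accountant"}}

def rbac_allowed(user: str, perm: str) -> bool:
    """A promotion is a change of USER_ROLES, not of per-user permission lists."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))
```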
Features of Discretionary Access Control(4m)
Some of the features of discretionary access control include:
Flexibility
Discretionary access control systems feature the ability to allow users to customize their access policies individually.
A discretionary access control example is determining the last person that will have access to your resources or space.
Ease of Control
All networks are connected to a central device. From this centralized device, users generate security policies to
determine entry. This security system also allows easy monitoring of the access points. This is done using DAC
devices such as keycards to permit and monitor access into a particular position of the organization.
Backup
For organizations that integrate access controls into their security system, scheduled backups are vital. Discretionary
access control allows organizations to back up security policies and data to ensure effective access points. This is also
important to prevent the loss of information from a server crash.
Usability
Discretionary access control is easy to use. It allows easy policing and granting permissions for each access point.
The complexity of access control is minimized to achieve better management of the network's resources.
What is Authentication
Authentication is the process of identifying users and validating who they claim to be. One of the most common
and obvious factors to authenticate identity is a password. If the user name matches the password credential, it
means the identity is valid, and the system grants access to the user.
Interestingly, with enterprises going passwordless, many use modern authentication techniques like one-time
passcodes (OTP) via SMS or email, single sign-on (SSO), multi-factor authentication (MFA), biometrics, etc.
to authenticate users and deploy security beyond what passwords usually provide.
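Two of the factors named above combined into one multi-factor check, as an added illustration written for these notes (not code from the slides or any product): something you know (a password, stored as a salted PBKDF2 hash rather than in clear) and something you have (a time-based one-time code computed with the RFC 6238 TOTP algorithm, as authenticator apps do). The single account, its password and the shared secret are constructed samples.

```python
"""Added illustration of password + one-time-code (MFA) authentication.
Example code written for these notes, not from any product. The user record,
password and shared secret below are constructed samples."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000   # assumed work factor; slows offline guessing of a stolen hash

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted, slow hash so a leaked database does not reveal the passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Something you know: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Something you have: RFC 6238 time-based one-time code from a shared secret."""
    counter = struct.pack(">Q", at // step)               # time step number as 8-byte counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step or one step either side, to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))

# Constructed user record; the TOTP secret is the RFC 6238 test-vector key.
TOTP_SECRET = b"12345678901234567890"
SALT, DIGEST = hash_password("correct horse battery staple", salt=b"\x00" * 16)

def authenticate(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """MFA decision: both factors must pass before the user is authenticated."""
    at = int(time.time()) if at is None else at
    if username != "alice":                               # the single constructed account
        return False
    return check_password(password, SALT, DIGEST) and check_totp(TOTP_SECRET, code, at)
```

Only after authenticate() returns True would the authorization step described next decide which resources this user may reach.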
What is Authorization
Authorization happens after a user's identity has been successfully authenticated. It is about offering full or partial
access rights to resources like databases, funds, and other critical information to get the job done.
In an organization, for example, after an employee is verified and confirmed via ID and password authentication,
the next step would be defining what resources the employee would have access to.
AUTHENTICATION vs AUTHORIZATION
Authentication: Checks the person's identity to grant access to the system.
Authorization: Checks the person's privileges or permissions to access the resources.
Authentication: Verifying user credentials.
Authorization: Validating the user's permissions.
Authentication: Performed at the very first step.
Authorization: Usually performed after authentication.
Authentication: In online banking applications, the identity of the person is first determined with the help of the user ID and password.
Authorization: In a multi-user system, the administrator decides what privileges or access rights each user has.
Summer-2022
Explain the mechanism of finger and voice pattern in biometrics. (4m)
Describe the features of DAC access control policy. (4m)
Define access control and explain authentication mechanism for access control. (4m)
Describe the working of biometric system with neat sketch.(sample)(4m)
Shoulder surfing and piggybacking(4m)
List any four features of DAC (2M)(SAMPLE)
DESCRIBE DUMPSTER DIVING WITH ITS PREVENTION MECHANISM.(4M)(SAMPLE)
Winter-2022
(2m)
1. Explain shoulder surfing attack.
2. Describe sniffing attack.
(4m)
3. Explain working of biometric access control with any type of example.
4. Explain authorization and authentication with respect to security
5. Write short notes on DAC and MAC
Summer-19
(2m)
1. Explain piggybacking and shoulder surfing.
(8m)
2. Explain access control policies
(4m)
3. Explain fingerprint and retina pattern in biometrics.
4. Explain sniffing and spoofing attack.