4_4_Methods_of_identification_methodic_material_lesson_2_variant_1

docx, published 01.05.2020

Identification, Authentication and Authorization

Identification is the act of a subject claiming an identity, e.g., by presenting a user name or an account number. On its own it proves nothing.

Authentication is the method of proving the claimed identity, e.g., with a password, passphrase or PIN.

Authorization is the method of controlling what an authenticated subject may do with an object, e.g., a user who has logged in to the system is still not permitted to delete a particular file.

Note: The three steps of Identification, Authentication and Authorization must all take place, in that order, before a subject is allowed to access an object.

Identification and Authentication

Identification Component Requirements

When issuing identification values to users or subjects, ensure that

·         Each value should be unique, so that every action can be traced to one user (accountability)

·         A standard naming scheme should be followed

·         The values should be non-descriptive of the user's position or task (an identifier such as "dba_admin" tells an attacker which accounts are worth targeting)

·         The values should not be shared between users; a shared identifier destroys accountability.

Authentication Factors

There are 3 general factors for authenticating a subject.

·         Something a person knows- E.g.: passwords, PIN- least expensive, least secure

·         Something a person has- E.g.: access card, hardware token, key- more expensive, more secure

·         Something a person is- E.g.: biometrics- most expensive, generally regarded as the most secure; unlike a password, a compromised biometric cannot be changed

Note: For strong authentication, at least two of the three factors must be combined (two-factor or multi-factor authentication). Two credentials from the same factor, such as a password plus a PIN, are still single-factor.

Authentication Methods

Biometrics

·         Verifies an individual's identity by analyzing a unique physical attribute or behavior

·         It is often considered the most effective and accurate method of verifying identity, although every system has a measurable error rate (see Types of Biometric Errors below)

·         It is the most expensive authentication mechanism

·         Types of Biometric Systems

·         Finger Print- based on the ridge endings, bifurcations and other minutiae of the friction ridges of the finger

·         Palm Scan- based on the creases, ridges and grooves that are unique in each individual's palm

·         Hand Geometry- based on the shape (length, width) of a person's hand and fingers

·         Retina Scan- based on the blood vessel pattern of the retina at the back of the eyeball.

·         Iris Scan- based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas and furrows.

·         Signature Dynamics- based on the speed, pressure and timing of the hand's motion while signing a document, captured as electrical signals; a forger can copy the shape of a signature far more easily than its dynamics

·         Keyboard Dynamics- based on the timing of keystrokes (how long each key is held and the interval between keys) while the user types a passphrase on the keyboard

·         Voice Print- based on the characteristics of the human voice

·         Facial Scan- based on the different bone structures, nose ridges, eye widths, forehead sizes and chin shapes of the face.

·         Hand Topography- based on the different peaks, valleys, overall shape and curvature of the hand.

·         Types of Biometric Errors

·         Type I Error: the biometric system rejects an authorized individual (false rejection rate, FRR)

·         Type II Error: the biometric system accepts an impostor who should have been rejected (false acceptance rate, FAR); from a security point of view this is the more dangerous error

·         Crossover Error Rate (CER): the sensitivity setting at which the false rejection rate equals the false acceptance rate. It is also called the Equal Error Rate (EER) and is the usual figure for comparing systems; the lower, the better. Raising the threshold lowers FAR at the cost of a higher FRR, and vice versa.
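The trade-off between the two error types, and how the CER/EER is found, as an added example (not part of the original lesson material). The matcher scores are constructed for illustration and do not come from any real biometric system; the functions simply sweep the decision threshold over those scores.

```python
# Added example (not part of the original lesson material): computing FRR, FAR
# and the crossover error rate from matcher scores. The score lists are
# constructed for illustration and do not come from any real biometric system.

# Constructed similarity scores (0..100) from a hypothetical matcher.
# genuine  = enrolled user compared with a fresh sample of the same user
# impostor = enrolled user compared with a sample from someone else
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 73, 70, 64, 58]
IMPOSTOR_SCORES = [12, 18, 25, 31, 38, 44, 52, 60, 67, 74]


def false_rejection_rate(genuine, threshold):
    """Type I error: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """Type II error: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor):
    """(threshold, FRR, FAR) for every threshold at which a rate can change:
    raising the threshold lowers FAR and raises FRR."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor):
    """Threshold where FRR and FAR meet. With discrete scores they rarely cross
    exactly, so the threshold with the smallest |FRR - FAR| is reported as the
    CER/EER estimate. Returns (threshold, frr, far)."""
    return min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(impostor, max_far):
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far. The price is paid in FRR (legitimate users locked out)."""
    for t in sorted(set(impostor)) + [max(impostor) + 1]:
        if false_acceptance_rate(impostor, t) <= max_far:
            return t
    raise ValueError("unreachable: FAR is 0 above the highest impostor score")


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}  FRR {frr:.1f}  FAR {far:.1f}")
    print("CER/EER at", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    t = threshold_for_max_far(IMPOSTOR_SCORES, 0.0)
    print("zero FAR needs threshold", t, "with FRR", false_rejection_rate(GENUINE_SCORES, t))
```

With these constructed scores the rates meet at threshold 67 (FRR = FAR = 0.2), while forcing FAR to zero requires threshold 75 and rejects 40% of genuine attempts, which is the trade-off a deployment has to choose on.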

Passwords

·         It is the most common identification and authentication mechanism in use

·         A password is a protected string of characters that is used to authenticate an individual

·         Password Management

·         Passwords should be properly guarded, updated and kept secret to provide effective security

·         Password generators can be used to generate passwords that are uncomplicated, pronounceable, non-dictionary words

·         If the user chooses his own password, the system should enforce password requirements such as a minimum length, use of special characters and mixed case

·         Techniques for Passwords Attack

·         Electronic monitoring- Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The captured password can be reused by the attacker at a later time, which is called a replay attack.

·         Access the password file- Usually done on the authentication server. The password file contains many users' passwords (or their hashes) and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms, and the passwords in it must never be stored in the clear.

·         Brute force attacks- Performed with tools that cycle through many possible character, number and symbol combinations to uncover a password.

·         Dictionary attacks- Files of thousands of common words and passwords are compared against the user's password (or its hash) until a match is found.

·         Social engineering- An attacker falsely convinces an individual that she has the necessary authorization to access specific resources, or simply asks for the password.

·         Password checkers (the same dictionary and brute force tools, run by the defenders against their own password hashes) can be used to measure the strength of the passwords in use

·         Passwords should not be stored in reversible (encrypted) form: store only a salted hash produced by a deliberately slow password hashing function, so that a stolen password file is expensive to attack

·         Password aging should be implemented, i.e., passwords expire and must be changed after a set period

·         The number of failed logon attempts should be limited (account lockout or throttling) to stop online guessing
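Salted, slow password hashing and the effect it has on the "access the password file" and dictionary attacks above, as an added example (not part of the original lesson material). It uses only the Python standard library; the PBKDF2 iteration count and the wordlist are illustrative choices rather than a recommendation for any specific product.

```python
# Added example (not from the original lesson): storing passwords as salted,
# slow hashes with the standard library, and why that blunts the "access the
# password file" and dictionary attacks described above. The iteration count
# and the wordlist are illustrative choices, not a recommendation for any
# specific product.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # cost factor; raise until one verification costs tens of ms on the server


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random 16-byte salt per user means two users with the same
    password get different records, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so the comparison itself leaks nothing about the stored hash."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def legacy_md5_record(password: str) -> str:
    """How a weak legacy system stores a password: one fast, unsalted hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for the "files of thousands of words".
WORDLIST = ["123456", "password", "qwerty", "letmein", "winter2020", "Tr0ub4dor&3"]


def dictionary_attack_unsalted(md5_hex: str) -> Optional[str]:
    """Against unsalted MD5 one cheap hash per word suffices, and a table of
    hash -> word computed once cracks every user who chose that word."""
    for word in WORDLIST:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == md5_hex:
            return word
    return None


def dictionary_attack_salted(record: str) -> Optional[str]:
    """Against the salted PBKDF2 record the attacker must redo the full
    iterated hash for every word and for every user separately. A weak
    password is still found; the slow hash only buys time."""
    for word in WORDLIST:
        if verify_password(word, record):
            return word
    return None


if __name__ == "__main__":
    rec = hash_password("letmein")
    print(rec)
    print("cracked unsalted:", dictionary_attack_unsalted(legacy_md5_record("letmein")))
    print("cracked salted:  ", dictionary_attack_salted(rec))
    print("strong passphrase cracked:",
          dictionary_attack_salted(hash_password("correct horse battery staple")))
```

The point to take from the two attack functions: salting and a slow hash do not rescue a password that is in the wordlist, they only make each guess cost as much as a real verification and force the attacker to start over for every user; the password requirements and lockout rules above are what make the wordlist miss.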

Cognitive Passwords

·         Cognitive passwords are facts or opinion-based information used to verify an individual's identity (e.g.: mother's maiden name)

·         This is best used for helpdesk services and occasionally used services. Because the answers are often discoverable from public records or social media, cognitive passwords should not be the only control for sensitive operations.

One-Time or Dynamic Passwords

·         A one-time password is valid for a single authentication only; it is normally produced by a token device (or app) held by the user

·         It is used in environments that require a higher level of security than a static password provides; a captured one-time password cannot be replayed

·         Types of token generators

·         Synchronous (e.g.: SecurID)- A synchronous token device/generator is kept in step with the authentication service by one of two means.

·         Time Based: The token device and the authentication service must hold the same time within their internal clocks. The current time value and a shared secret key are used to create a one-time password. The server computes the value it expects for the current time window from the same secret and compares it to the value the user entered (nothing is decrypted).

·         Counter Based: The user initiates the logon sequence on the computer and pushes a button on the token device. This advances the token device and the authentication service to the next authentication value. This counter value and a base secret are hashed and the result is displayed to the user. The user enters this resulting value along with a user ID to be authenticated.

·         Asynchronous: A token device that uses an asynchronous token-generating method uses a challenge/response scheme to authenticate the user. The authentication server sends the user a challenge, a random value also called a nonce. The user enters this value into the token device, which encrypts or hashes it with the secret and returns a value that the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the value matches the one the server computes for the challenge it sent earlier, the user is authenticated.

·         Example: SecurID

·         It is one of the most widely used time-based tokens, made by RSA Security

·         It uses time-based synchronous two-factor authentication: the user combines a PIN (something known) with the code displayed by the token (something held)

Cryptographic Keys

·         The subject proves possession of a private key, typically by producing a digital signature over a challenge from the server, which verifies it with the corresponding public key (e.g., SSH keys, client certificates)

·         Provides a higher level of security than passwords, since the private key never leaves the client and a captured signature cannot be reused against a fresh challenge.

Passphrase

·         A passphrase is a sequence of characters that is longer than a password and in some cases takes the place of a password during an authentication process.

·         The application transforms the passphrase into a virtual password, i.e., into the format the application requires (typically a hash of fixed length)

·         It is more secure than a password because its greater length makes brute force and dictionary attacks far more expensive

Memory Cards

·         Holds information but cannot process it

·         More secure than passwords alone but costly; the stored data can be copied (cloned) by anyone who reads the card, so a memory card is usually combined with a PIN

·         E.g.: Swipe cards, ATM cards

Smart Cards

·         Holds information and has the capability to process it; combined with a PIN it provides two-factor authentication (something known and something held)

·         Categories of Smart Cards

·         Contact- communicates through metal contacts on the card's surface

·         Contactless- communicates over a radio interface with an antenna embedded in the card

·         Hybrid- has 2 separate chips and supports both contact and contactless interfaces

·         Combi- has a single microprocessor that can communicate with both a contact and a contactless reader.

·         More expensive and more tamper-resistant than memory cards; the secret key never leaves the chip, which computes responses internally

·         Types of smartcard attacks

·         Fault generation: Introducing computational errors into the smart card (e.g., by varying the supply voltage or clock) with the goal of uncovering the encryption keys that are being used and stored on the card

·         Side Channel Attacks: These are non-invasive attacks that uncover sensitive information by observing how a component behaves while it works, rather than by exploiting a flaw in its logic. The following are some examples

·         Differential Power Analysis: Examining the power consumption during processing and correlating it statistically with the key bits in use

·         Electromagnetic Analysis: Examining the electromagnetic emissions during processing

·         Timing: Measuring how long a specific process takes to complete; a comparison that stops at the first wrong byte takes longer the more bytes are correct

·         Software Attacks: Sending crafted commands or inputs to the card that allow the attacker to extract account information or exploit flaws in the card's firmware

·         Microprobing (an invasive physical attack, not a software attack): Uses needles and ultrasonic vibration to remove the outer protective material from the card's circuits, making it possible to tap the chip's ROM directly
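How the timing side channel listed above turns into key recovery, as an added example (not from the original lesson). Instead of measuring wall-clock time, which is too noisy on a PC to demonstrate reliably, the two comparison routines report how many byte comparisons they performed; on a simple card that count is proportional to execution time and is what an attacker with a timer or oscilloscope observes. The secret, the oracle wrapper and the guesses are all constructed for the example.

```python
# Added example (not from the original lesson): how a timing side channel leaks
# a secret held on a card or token. Rather than measuring wall-clock time, which
# is noisy on a PC, the instrumented comparison functions return the number of
# byte comparisons they perform; on a simple device that count is proportional
# to execution time and is what an attacker with a scope or a timer sees.
# The secret and the attacker's guesses are constructed.

SECRET = b"PIN-4471"  # constructed secret stored on the hypothetical card


def early_exit_compare(secret: bytes, guess: bytes):
    """Naive memcmp-style check that stops at the first mismatching byte.
    Returns (match, byte_comparisons_performed): the work done grows with
    the length of the correct prefix, which is the leak."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret: bytes, guess: bytes):
    """Always examines every byte and accumulates the differences with OR,
    so the work done is independent of where the first mismatch lies."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def make_oracle(secret: bytes, compare):
    """The device as the attacker sees it: submit a guess, observe accept/reject
    and the 'time' taken. The secret itself stays inside the closure."""
    return lambda guess: compare(secret, guess)


def recover_by_timing(length: int, oracle):
    """Byte-at-a-time recovery: at each position try all 256 values and keep the
    one that made the device work longest. Needs 256 * length queries instead
    of 256 ** length. Succeeds only if the oracle's timing depends on the prefix."""
    recovered = bytearray()
    for pos in range(length):
        best_byte, best_steps = 0, -1
        for candidate in range(256):
            guess = bytes(recovered) + bytes([candidate]) + b"\x00" * (length - pos - 1)
            accepted, steps = oracle(guess)
            if accepted:
                return guess
            if steps > best_steps:
                best_byte, best_steps = candidate, steps
        recovered.append(best_byte)
    return bytes(recovered)


if __name__ == "__main__":
    leaky = make_oracle(SECRET, early_exit_compare)
    safe = make_oracle(SECRET, constant_time_compare)
    print("against early-exit compare:   ", recover_by_timing(len(SECRET), leaky))
    print("against constant-time compare:", recover_by_timing(len(SECRET), safe))
```

Against the early-exit comparison the attacker recovers the full secret with at most 2048 queries; against the constant-time version every candidate costs the same and the recovery produces nothing useful. The same principle (compare all bytes, accumulate with OR, branch only at the end) is why libraries expose dedicated constant-time comparison functions for MACs and password hashes.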

·         Smart Card Standards

·         ISO/IEC 14443 (contactless proximity cards; contact cards are covered by ISO/IEC 7816)

·         14443-1: Physical characteristics

·         14443-2: Radio frequency power and signal interface

·         14443-3: Initialization and anticollision

·         14443-4: Transmission protocol

Identity Management

·         Identity Management is a broad term that encompasses the use of different products to identify, authenticate and authorize users through automated means.

·         An identity management system manages the identity life cycle of entities (subjects or objects), during which:

·         The identity is established:

·         a name (or number) is associated with the subject or object;

·         the identity is re-established: a new or additional name (or number) is connected to the subject or object;

·         The identity is described:

·         one or more attributes which apply to this particular subject or object are assigned to the identity;

·         the identity is newly described: one or more attributes which apply to this particular subject or object are changed;

·         The identity is destroyed: its names and attributes are retired and its access rights are removed (deprovisioning).

·         Identity Management Challenges

·         Identity Management Technologies

·         Authorization Principles


 
