4_Identification Methods_methodic_material_lesson_variant_1 (1)

Date: 01.05.2020

Methodological Instructions

Theme: Identification Methods

Objective: 10.6.2.3 describe user data protection measures: passwords, accounts, authentication, biometric authentication

Assessment criteria

All learners will be able to:

Explain the difference between the terms authorization and authentication

Explain the purpose of different identification methods

Basic Level:

Multiplication table (7-9 grade)

Key words and phrases:

Subject vocabulary and terminology:

Data security, information privacy, data sustainability, data integrity, security measures, information confidentiality, authorization and authentication

Speaking and writing helpful phrases:

Methods to identify …

Ways to protect …

I. THEORY

Identification, Authentication and Authorization

Identification describes a method of ensuring that a subject is the entity it claims to be. E.g.: a user name or an account number.

Authentication is the method of proving the subject's identity. E.g.: a password, passphrase or PIN.

Authorization is the method of controlling a subject's access to objects. E.g.: a user cannot delete a particular file after logging into the system.

Note: The three-step process of identification, authentication and authorization must take place in order for a subject to access an object.
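The three steps above, as an added worked example (not part of the original material): a constructed account directory keyed by non-descriptive account numbers, a salted PBKDF2 hash instead of the stored password, and an access-control list that decides the final step. The account numbers, passwords and file name are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample directory: identifiers are non-descriptive account numbers,
# and only a salted PBKDF2 hash of each password is stored (never the password itself).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

ACCOUNTS = {
    "A1001": make_account("c0rrect horse!"),   # constructed sample credentials
    "A1002": make_account("Tr0ub4dor&3"),
}

# Constructed access-control list: object -> identifier -> permitted actions.
ACL = {
    "report.txt": {"A1001": {"read"}, "A1002": {"read", "delete"}},
}

def identify(identifier: str) -> bool:
    """Step 1: does the claimed identity exist at all?"""
    return identifier in ACCOUNTS

def authenticate(identifier: str, password: str) -> bool:
    """Step 2: prove the claimed identity with something the subject knows."""
    acct = ACCOUNTS[identifier]
    candidate = hash_password(password, acct["salt"])
    # compare_digest avoids leaking information through comparison timing
    return hmac.compare_digest(candidate, acct["hash"])

def authorize(identifier: str, obj: str, action: str) -> bool:
    """Step 3: is the authenticated subject allowed to perform this action on this object?"""
    return action in ACL.get(obj, {}).get(identifier, set())

def access(identifier: str, password: str, obj: str, action: str) -> str:
    """Run the three steps in order and report where the request stops."""
    if not identify(identifier):
        return "unknown identity"
    if not authenticate(identifier, password):
        return "authentication failed"
    if not authorize(identifier, obj, action):
        return "not authorized"
    return "authorized"

if __name__ == "__main__":
    print(access("A1001", "c0rrect horse!", "report.txt", "read"))    # authorized
    print(access("A1001", "c0rrect horse!", "report.txt", "delete"))  # not authorized
    print(access("A1001", "wrong", "report.txt", "read"))             # authentication failed
    print(access("A9999", "anything", "report.txt", "read"))          # unknown identity
```

The second call is the text's own example: the subject is identified and authenticated, yet the delete is refused because authorization is a separate decision. The distinct "unknown identity" and "authentication failed" outcomes are useful in a server log; a user-facing login page should collapse them into one generic message so that valid account numbers cannot be enumerated.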

Identification and Authentication

Identification Component Requirements

When issuing identification values to users or subjects, ensure that:

• each value is unique, for user accountability;

• a standard naming scheme is followed;

• the values are non-descriptive of the user's position or task;

• the values are not shared between users.

Authentication Factors

There are three general factors for authenticating a subject.

• Something a person knows. E.g.: passwords, PIN. Least expensive, least secure.

• Something a person has. E.g.: access card, key. Expensive, secure.

• Something a person is. E.g.: biometrics. Most expensive, most secure.

Note: For strong authentication, the process must include two out of the three authentication factors; this is also referred to as two-factor authentication.

Authentication Methods

Biometrics

• Verifies an individual's identity by analyzing a unique personal attribute or behavior.

• It is the most effective and accurate method for verifying identification.

• It is the most expensive authentication mechanism.

• Types of Biometric Systems:

    • Fingerprint: based on the ridge endings and bifurcations exhibited by the friction ridges, and other minutiae of the finger.

    • Palm scan: based on the creases, ridges, and grooves that are unique in each individual's palm.

    • Hand geometry: based on the shape (length, width) of a person's hand and fingers.

    • Retina scan: based on the blood vessel pattern of the retina at the back of the eyeball.

    • Iris scan: based on the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas and furrows.

    • Signature dynamics: based on the electrical signals generated by the physical motion of the hand while signing a document.

    • Keyboard dynamics: based on the electrical signals generated while the user types the keys (a passphrase) on the keyboard.

    • Voice print: based on the human voice.

    • Facial scan: based on the different bone structures, nose ridges, eye widths, forehead sizes and chin shapes of the face.

    • Hand topography: based on the different peaks, valleys, overall shape and curvature of the hand.

• Types of Biometric Errors:

    • Type I error: when a biometric system rejects an authorized individual (false rejection rate).

    • Type II error: when a biometric system accepts impostors who should be rejected (false acceptance rate).

    • Crossover Error Rate (CER): the point at which the false rejection rate equals the false acceptance rate. It is also called the Equal Error Rate (EER).

Passwords

• It is the most common form of system identification and authentication mechanism.

• A password is a protected string of characters that is used to authenticate an individual.

• Password Management:

    • Passwords should be properly guarded, updated, and kept secret to provide effective security.

    • Password generators can be used to generate passwords that are uncomplicated, pronounceable, non-dictionary words.

    • If the user chooses his own passwords, the system should enforce certain password requirements, such as the use of special characters, a minimum number of characters, mixed case, etc.

• Techniques for Password Attacks:

    • Electronic monitoring: listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.

    • Accessing the password file: usually done on the authentication server. The password file contains many users' passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.

    • Brute force attacks: performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.

    • Dictionary attacks: files of thousands of words are compared against the user's password until a match is found.

    • Social engineering: an attacker falsely convinces an individual that she has the necessary authorization to access specific resources.

• Password checkers can be used to check the strength of passwords by trying to break them, as an attacker would.

• Passwords should be hashed and encrypted, never stored in the clear.

• Password aging should be implemented.

• The number of logon attempts should be limited.
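The password-management controls listed above (enforced composition rules, a dictionary check, hashed storage, password aging and a logon-attempt limit) as one added example; it is not code from the original material. The 12-character minimum, 90-day maximum age, five-attempt lockout and the six-word dictionary are assumed values chosen for the example, and the `demo()` timeline uses constructed users and dates.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Constructed mini-dictionary standing in for the word lists a password checker
# would load; a real checker uses files of thousands of words.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "123456"}

MAX_AGE = timedelta(days=90)      # password aging policy (assumed value)
MAX_FAILED_ATTEMPTS = 5           # lockout threshold (assumed value)

def check_policy(password: str) -> list:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # strip trailing digits/punctuation so "Password123!" is still caught as a dictionary word
    if password.lower().strip(string.punctuation + string.digits) in COMMON_WORDS:
        problems.append("dictionary word")
    return problems

class PasswordStore:
    def __init__(self):
        self.records = {}

    def set_password(self, user: str, password: str, now: datetime) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.records[user] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "changed": now,       # for password aging
            "failed": 0,          # consecutive failed logon attempts
        }

    def verify(self, user: str, password: str, now: datetime) -> str:
        rec = self.records[user]
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(candidate, rec["hash"]):
            rec["failed"] += 1
            return "locked" if rec["failed"] >= MAX_FAILED_ATTEMPTS else "wrong password"
        rec["failed"] = 0
        if now - rec["changed"] > MAX_AGE:
            return "expired"      # correct password, but the user must change it
        return "ok"

def demo() -> dict:
    """Exercise the controls on a constructed timeline; returns what was observed."""
    t0 = datetime(2020, 5, 1)
    store = PasswordStore()
    out = {}
    try:
        store.set_password("A1003", "Password123!", t0)
        out["rejected"] = None
    except ValueError as err:
        out["rejected"] = str(err)
    store.set_password("A1001", "Winter-Harbor-2024x", t0)
    day1 = t0 + timedelta(days=1)
    out["fresh"] = store.verify("A1001", "Winter-Harbor-2024x", day1)
    out["attempts"] = [store.verify("A1001", "guess", day1) for _ in range(MAX_FAILED_ATTEMPTS)]
    out["after_lockout"] = store.verify("A1001", "Winter-Harbor-2024x", day1)
    store.set_password("A1002", "Winter-Harbor-2024x", t0)
    out["stale"] = store.verify("A1002", "Winter-Harbor-2024x", t0 + timedelta(days=91))
    return out
```

The expiry check runs only after a correct password, so an attacker learns nothing about the account's age from a wrong guess, and the lockout check runs before any hashing, so a locked account costs the server nothing per attempt.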

Cognitive Passwords

• Cognitive passwords are facts or opinion-based information used to verify an individual's identity (e.g.: mother's maiden name).

• This is best used for helpdesk services and occasionally used services.

One-Time or Dynamic Passwords

• It is a token-based system used for authentication purposes where the password is used only once.

• It is used in environments that require a higher level of security than static passwords provide.

• Types of token generators:

    • Synchronous (e.g.: SecurID): a synchronous token device/generator synchronizes with the authentication service by one of two means.

        • Time based: the token device and the authentication service must hold the same time in their internal clocks. The time value on the token device and a secret key are used to create a one-time password. The server decrypts this password and compares it with the value it expects.

        • Counter based: the user initiates the logon sequence on the computer and pushes a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters the resulting value along with a user ID to be authenticated.

    • Asynchronous: a token device that uses an asynchronous token-generating method authenticates the user with a challenge/response scheme. The authentication server sends the user a challenge, a random value also called a nonce. The user enters this value into the token device, which encrypts it and returns a value that the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it matches the challenge value sent earlier, the user is authenticated.

• Example: SecurID

    • It is one of the most widely used time-based tokens, from RSA Security.

    • It uses time-based synchronous two-factor authentication.

Cryptographic Keys

• Uses private keys and digital signatures.

• Provides a higher level of security than passwords.

Passphrase

• A passphrase is a sequence of characters that is longer than a password and, in some cases, takes the place of a password during an authentication process.

• The application transforms the passphrase into a virtual password, in the format required by the application.

• It is more secure than a password.

Memory Cards

• Holds information but cannot process it.

• More secure than passwords but costly.

• E.g.: swipe cards, ATM cards.

Smart Cards

• Holds information and has the capability to process it; can provide two-factor authentication (something the user knows and something the user has).

• Categories of Smart Cards:

    • Contact

    • Contactless

    • Hybrid: has two chips and supports both contact and contactless interfaces.

    • Combi: has one microprocessor that can communicate with both a contact and a contactless reader.

• More expensive and more tamper-resistant than memory cards.

• Types of smart card attacks:

    • Fault generation: introducing computational errors into the smart card with the goal of uncovering the encryption keys that are used and stored on the card.

    • Side channel attacks: these are non-intrusive attacks used to uncover sensitive information about how a component works without exploiting any flaw or weakness. Some examples:

        • Differential power analysis: examining the power emissions released during processing.

        • Electromagnetic analysis: examining the frequencies emitted.

        • Timing: how long a specific process takes to complete.

    • Software attacks: inputting instructions into the card that will allow the attacker to extract account information.

    • Microprobing: uses needles and ultrasonic vibrations to remove the outer protective material on the card's circuits, making it easy to tap the card's ROM chip.

• Smart Card Standards:

    • ISO/IEC 14443:

        • 14443-1: Physical characteristics

        • 14443-2: Radio frequency power and signal interface

        • 14443-3: Initialization and anticollision

        • 14443-4: Transmission protocol

Identity Management

• Identity Management is a broad term that encompasses the use of different products to identify, authenticate and authorize users through automated means.

• An identity management system manages the identity life cycle of entities (subjects or objects), during which:

    • the identity is established: a name (or number) is associated with the subject or object;

    • the identity is re-established: a new or additional name (or number) is connected to the subject or object;

    • the identity is described: one or more attributes which are applicable to this particular subject or object may be assigned to the identity;

    • the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;

    • the identity is destroyed.

• Identity Management Challenges

• Identity Management Technologies

• Authorization Principles
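The identity life cycle above, together with the identification component requirements from earlier in the text (unique values, a standard naming scheme, non-descriptive, never shared), as one added example that is not part of the original material. The naming scheme (a "U" prefix plus five digits), the list of role-revealing words, and the subjects and badge number in `demo()` are all assumptions constructed for the example.

```python
import re

class IdentityRegistry:
    """Issues identifiers that satisfy the identification requirements and tracks each
    identity through the life cycle: establish, re-establish, describe, re-describe, destroy."""

    SCHEME = re.compile(r"^U\d{5}$")                               # assumed naming scheme
    DESCRIPTIVE = ("admin", "root", "ceo", "payroll", "finance")   # words that reveal a role

    def __init__(self):
        self.identities = {}   # canonical identifier -> record
        self.aliases = {}      # every name or number ever issued -> canonical identifier
        self.next_number = 1
        self.log = []          # audit trail of life-cycle events

    def establish(self, subject, ident=None):
        """Create an identity; generate the identifier unless an administrator supplies one."""
        if ident is None:
            ident = f"U{self.next_number:05d}"
            self.next_number += 1
        elif not self.SCHEME.match(ident):
            raise ValueError(f"{ident} does not follow the naming scheme")
        self._check_name(ident)
        self.identities[ident] = {"subject": subject, "names": {ident}, "attributes": {}, "active": True}
        self.aliases[ident] = ident
        self.log.append(("establish", ident, subject))
        return ident

    def re_establish(self, ident, extra_name):
        """Connect a new or additional name/number (e.g. a badge number) to the identity."""
        rec = self._active(ident)
        self._check_name(extra_name)
        rec["names"].add(extra_name)
        self.aliases[extra_name] = ident
        self.log.append(("re-establish", ident, extra_name))

    def describe(self, ident, **attributes):
        """Assign attributes to the identity; calling again with the same keys changes them."""
        self._active(ident)["attributes"].update(attributes)
        self.log.append(("describe", ident, tuple(sorted(attributes))))

    def destroy(self, ident):
        """End the identity: attributes go, but its names stay reserved so they are never reissued."""
        rec = self._active(ident)
        rec["active"] = False
        rec["attributes"].clear()
        self.log.append(("destroy", ident, None))

    def resolve(self, name):
        """Map any issued name or number to its canonical identifier, or None once destroyed."""
        ident = self.aliases.get(name)
        return ident if ident and self.identities[ident]["active"] else None

    def _check_name(self, name):
        if name in self.aliases:
            raise ValueError(f"{name} was already issued; identifiers must be unique")
        if any(word in name.lower() for word in self.DESCRIPTIVE):
            raise ValueError(f"{name} describes a position or task")

    def _active(self, ident):
        rec = self.identities.get(ident)
        if rec is None or not rec["active"]:
            raise KeyError(f"{ident} is not an active identity")
        return rec

def demo():
    """Walk one identity through the life cycle on constructed data; returns what was observed."""
    reg = IdentityRegistry()
    out = {}
    alice = reg.establish("Alice Smith")                      # constructed subject
    reg.re_establish(alice, "badge-7781")                      # constructed badge number
    reg.describe(alice, department="sales", clearance="internal")
    reg.describe(alice, department="support")                  # re-described
    out["ident"] = alice
    out["badge_resolves_to"] = reg.resolve("badge-7781")
    out["department"] = reg.identities[alice]["attributes"]["department"]
    for name, call in (("duplicate", lambda: reg.establish("Bob", "U00001")),
                       ("off_scheme", lambda: reg.establish("Bob", "bob-sales")),
                       ("descriptive", lambda: reg.re_establish(alice, "payroll-lead"))):
        try:
            call()
            out[name] = None
        except ValueError as err:
            out[name] = str(err)
    reg.destroy(alice)
    out["after_destroy"] = reg.resolve("badge-7781")
    out["next_ident"] = reg.establish("Bob Jones")
    out["events"] = [event for event, _, _ in reg.log]
    return out
```

Keeping destroyed names reserved is what makes the "not shared between users" requirement hold over time as well as at a single moment: a badge number that once belonged to one person can never be handed to another and so never points accountability at the wrong subject.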

 

VISUAL AIDS AND MATERIALS

1. Slides

2. https://www.techopedia.com/definition/10282/information-security-is

3. https://zerde.gov.kz/en/activity/information-security/

4. https://searchsecurity.techtarget.com/definition/information-security-infosec


 
