1

Authentication, Identification and

Access Control

Dr. Dhiren R. Patel

1
 2

Information Security Objectives

 Confidentiality
 Data integrity
 Entity authentication, identification, Access Control
 Non-repudiation (Preventing the denial of previous
commitments or actions)

 Often the objectives of information security cannot solely be achieved

through mathematical algorithms and protocols alone, but require
procedural techniques and abidance of laws to achieve the desired result.
 3

Authentication
 To ensure the integrity and safety of your information, it is
important to identify with whom you are dealing, and that
the data you are receiving is trustworthy.
 Authentication is the process to verify the identity of an
entity
 Authentication techniques seek to validate the authenticity of
someone or something
 In computer security, authentication is the process to verify
the digital identity of an entity
 4

Authentication
 More precisely, authentication is the process where a network
user establishes a right to an identity -- in essence, the right to
use a name.
 Authorization is the process of determining whether an identity
(plus a set of attributes associated with that identity) is
permitted to perform some action, such as accessing a
resource.
 5

Authentication - Authorization!!!
 authentication as the process of verifying an
entity's identity, while authorization is the
process of verifying that a known entity has the
authority to perform a certain operation.
Authentication, therefore, must precede
authorization.
 6

Access control
 access control is a much more general way of talking about
controlling access to a resource.
 Access can be granted or denied based on a wide variety of
criteria, such as the network address of the client, the time of
day, the phase of the moon, or the browser which the visitor is
using … etc.
 permission to perform an action does not guarantee that the
action can be performed; for example, a common practice in
cross-organizational licensing is to further limit access to a
maximum number of concurrent users from among an
authorized user community (e.g. online library access).
 7

Example: Access Control

 Restricting access to resources to privileged entities.
 The resources may be user accounts, directories, files, database
etc.
 An entity is an individual, organization, or process that may
access the resource.
 Different privileges may be assigned to an entity or group of
entities.
 Types of privileges include read, write, delete, view, or carrying
transactions.
 An example of access control would be restricting customers to
read only privileges for a database of products and prices, while
allowing authorized employees to add, delete or modify items.
 Example: RBAC in Banking
 8

Entity authentication techniques

 Something the user knows (e.g., a password, a pass phrase, a
personal identification number (PIN), and the secret or private
keys whose knowledge is demonstrated in challenge-response
protocols).
 Something the user has (e.g., ID card, security token, smart
cards or IC cards, cell phone and hand-held customized
calculators (password generators) which provide time-variant
passwords – secure ID).
 Something the user is - something inherent to a human
individual (e.g., fingerprint or retinal pattern, DNA sequence,
voice pattern, signature recognition, dynamic keyboarding
characteristics, unique bio-electric signals produced by the
living body, or other biometric identifier) - These techniques
are typically non-cryptographic
 9

Means of authentication
 in terms of “factors” of proof, such as:
 Something you know to prove your identity (e.g., a password)
 Something you have to prove your identity (e.g., a certificate)
 Something you are to prove your identity (e.g., a fingerprint)
 An individual providing any one of these factors on its own as proof of
their identity is said to be providing a “single-factor” authentication.
 Any two separate factors would be called “two-factor” authentication
and so on.
 Two of the most common approaches to providing two-factor
authentication for on-line access are: Time synchronous tokens; and
Combining digital identities with USB tokens, smartcards, or biometric
devices
 10

Personal identification numbers (PINs)

 fixed (time-invariant) passwords
 most often used in conjunction with “something possessed”,
typically a physical token such as a plastic banking card with a
magnetic stripe, or a chipcard.
 entry of the correct PIN is required when the token is used. This
provides a second level of security if the token is lost or stolen.
 For user convenience and historical reasons, PINs are typically
short and numeric
 A common technique is for the PIN to serve to verify the user to
the token, while the token contains additional independent
information allowing the token to authenticate itself to the
system
 11

Single-Use-Password Tokens
 Some passcode generators omit the user keypad, and use as an implicit
challenge a time value (with a typical granularity of one minute)
defined by a time clock loosely synchronized automatically between the
system and the passcode generator.
 The most common form of time varying pass code solution is a small
keychain fob (Secure ID device) that displays a six-character password
that changes every 60/120 seconds. Many organizations are using this
type of solution to control remote employee access and as a stronger
authentication solution for large corporate clients.
 12

CAPTCHA
 CAPTCHA (an acronym for "Completely Automated Public Turing test
to tell Computers and Humans Apart", trademarked by Carnegie
Mellon University) is a type of challenge-response test used in
computing to determine whether or not the user is human.
 A common type of CAPTCHA requires that the user type the letters of a
distorted image, sometimes with the addition of an obscured sequence
of letters or digits that appears on the screen.
 Because the test is administered by a computer, in contrast to the
standard Turing test that is administered by a human, a CAPTCHA is
sometimes described as a reverse Turing test.
 13

Authentication (using PKC)

 14
message authentication: Keyed HF  MAC
 message authentication is concerned with:
 protecting the integrity of a message
 validating identity of originator
 non-repudiation of origin (dispute resolution)

 A message authentication code or MAC is a function H that

satisfies the following 3 conditions:
 15

MAC
 1. The input M can be of arbitrary length and the result H(K,M) has
a fixed length of n bits. The function has as secondary input - key K,
with a fixed length of k bits.
 Append K at the end of message M, compute hash code h = H(K,M)
and send M and h.
 receiver performs same computation (with knowledge of K) on
message and checks it matches the MAC, provides assurance that
message is unaltered and comes from sender
 2. Given H, K and an input M, the computation of H(K,M) must be
„easy‟.
 3. Given a message M (but with unknown K), it must be „hard‟ to
determine H(K,X). Even when a large set of pairs {Mi, H(K, Mi)} is known,
it is `hard' to determine the key K or to compute H(K,M‟) for any new
message M‟  Mi.
 16

Biometric techniques
 Biometric techniques are based on the features that cannot
be lost or forgotten. It benefits users as well as system
administrators because it avoids the problems and cost
associated with lost, reissued, or temporary tokens, cards,
and passwords
 It is almost impossible to lose or forget biometrics, since they
are an intrinsic part of each person, and this is an
advantage which they hold over keys, passwords or codes.
 17

Technology
 Biometric technologies may be used in three ways:
 (a) to verify that people are who they claim to be,
 (b) to discover the identity of unknown people, and
 (c) to screen people against a watch-list.
 Biometric identification works in four stages: enrolment,
storage, acquisition and matching.
 It cannot rely on secrecy, since most biometric features are
either self-evident or easily obtainable.
18