Name : Modupe Yusuff

Student No: 1313775

Module : Computer Security

Module Code : CIS050-6

A. Role Based Access Control

One of the current technologies that can be used to manage multiple identities and roles is
Role Based access control model. Role based model identifies and grants access to users
based on their assigned role. In relation to the MPS case study each role can attain different
function and according to their responsibilities each user is given their relevant role hence,
reducing the job of the administrators (Longying & Chunyu 2011). One of the MPS
requirements is to control legitimate access to data, this model is a form of non discretionary
access control in the sense that the users are inevitably limited to the organization's protection
policy (Ferraiolo et al 2012).

The figure below shows different users can perform various actions in different roles. A user
can have different job roles and a role can be associated with one or more users. The actions
are usually imposed by the organisation, for instance in the MPS system a policeman is
associated with different roles and performs various operations within those roles.

User Roles Action

sers s

Sessions

RBAC provides the administrators with the capability to control what actions users can
perform, when they can perform these actions and the conditions. It meets the MPS
requirement as it is known to have flexible, reliable easily accessible and controls access to
data effectively (Zhu, et al., 2012).

Single Sign-on

Another technology that can be implemented in the MPS system is the Single sign-on
method. This method deals with issues relating to having multiple identities and allows
users provide their login details once and remain authorised all through the day. In addition, a
user can access various resources needed to perform different roles without having to supply
different credentials.

This is suitable for the MPS as it provides easy access for users and also administrators are
able to control one system that is in charge of all access requests (Harris, 2003). Furthermore,
it improves productivity in the sense that, users would have access to all applications,
programs, files needed to complete their task by signing in just once. Users would be able to
move around different applications or data without authenticating themselves numerous
times. It is secure as users are limited and would have access to only legitimate data.

B. Role of biometric techniques in user authentication

Biometric techniques are ways of identifying, distinguishing and verifying a human identity
by analyzing and measuring the biological information of a person. It is used to identify a
person by their biological attributes (Moi, et al., 2010). Biometric techniques can be used to
strengthen user authentication in the MPS through a method called biometric authentication.
Biometric authentication is a process of confirming identity by using the physical or
behavioural characteristics of a user such as face, iris, fingerprint, vein, signature, voice, etc
(Xiuyan, et al., 2011) . This technique also increases user accessibility, it eliminates the issue
of forgotten passwords strengthens the security relative to passwords, reduces errors during
identification (Moi, et al., 2009). Biometric techniques play a very important role in user
authentication as it is reliable because it is hard to compromise a person's biometrics than
passwords. Furthermore, this will strengthen the security weakness related to having multiple
passwords. In relation to the MPS case study, the use of biometrics for user authentication
will strengthen the security of their system by ensuring only authorised staff have access to
their assigned data.

Fingerprint Method

Fingerprint recognition is a personal identification technique that is used for verification and
identification. To verify, it compares an input fingerprint to a particular user to determine if
they match. For identifying, it compares the input finger with the database to verify that there
is no duplicate or false identity. Furthermore, because the fingerprint technique uses unique
features on a person's finger it can be used for access control in the MPS system. It is also
suitable at workstation level by requiring users to use their fingerprint to get into the system
in order to access data needed to perform daily duties. Some of the advantages of using this
technique for the mps system are; users are unable to share their fingerprint unlike passwords.
In terms of usability, it is convenient - no need to remember passwords or codes. In terms of
scalability, it is scalable enough as the authentication is at workstation level so there will not
be issues of time wasting or queue. This technique has been greatly relied on and has proven
reliable in many identity management and access control applications around the world (Jain,
et al., 2010). This method can also adopt a template free technique called ''cancellable
fingerprint''. Here the biometric is transformed using a one way function where the location
and orientation of the minutiae that are stored are transformed permanently (Ratha, et al.,
2007)

Iris Recognition

This technique uses pattern recognition algorithms to extract the distinctive pattern of
iris and encode it into a template. The iris is a very unique feature in a human which makes it
one of the most reliable techniques for authentication. One of its advantages is that the eye
remains stable over time and in different environmental conditions. It also possesses a high
degree of randomness and also able to identify a person without any physical contact
(Chowhan & Shinde, 2008). It can also be used as a template free biometric by distorting the
iris pattern using a non-invertible transform (Jinyu, et al.,2008) . This technique is suitable for
the MPS system as it is unique, users would have access to only the systems they have
privileges to and it makes it difficult for a user to replicate an iris for authentication.
According to (Khaw, 2002) this technique is known to have low error rates, high speed and
scalability and it is also very reliable for user authentication.

Template free biometric technology

There are some drawbacks associated with template biometric such as recreating a biometric
image from the original, updating and reissuing the template is difficult once it has been
compromised. To prevent issues such as stealing of the biometric template, template free
biometric technologies have been introduced. This is a process whereby keys are generated
from characteristics in the biometric data and compared with a threshold. Furthermore, all the
keys from the features are cascaded together and an encryption key is generated (Weiguo, et
al., 2008). One advantage of using this is that the key would only be reproduced only if the
correct biometric sample has been confirmed and the result of this is a key or an error
message. In template free biometrics, there is no storage of biometric image that is, it does
not make use of a template. Also the original template cannot be recreated from the stored
information. However, in the event that a biometric encryption has been stolen, the
techniques used allow for it to be cancelled which enhances authentication and security of
data. (Cavoukian & Snijder, 2009).

C. Biological vs. Digital Identity

Biological identity refers to the physiological features of a person for example face, eyes,
colour that differentiates them in a physical environment. Digital identity is a subset of the
identity of an entity which is expressed in an electronic format. Furthermore, a person can use
a computer to create an identity for themselves on the internet. An individual usually has
many digital identities which can be unique .

With an illustration to a member of a police computer crime unit who engages in other police
duties when not involved in his unit's work. In a scenario where the policeman is not in his
unit a digital identity will be used such as his user-id, password for authentication and
identification since he isn't physically present at his unit and his identification will be
represented in a digital format. However, when a policeman is in his crime unit majority of
his tasks will be completed on his computer. Biological identity such as fingerprint, iris
recognition will be used since his identification can be made through his/her physiological
features in the unit. In summary, a policeman involved in different roles will require a
different identity for authentication and identification depending on the duty he/she is
performing.

X.509 Digital Certificate

X.509 certificate is a form of electronic identification that is used to authenticate individuals

using PKI (Public Key Infrastructure). It uses encrypted keys for communication and also
holds information about the certificate owner. X.509 certificate contains certificate issuer's
name, public key associated with the certificate holder, private key of the certification
authority which issued it, holder's name, validity period and serial number. There is a third
party called certificate authority who verify that a certificate holder is who he/she is supposed
to be. In addition, the authority provide a public and private key that is used for
authentication (Lock & Sommerville, 2002). For validation of a user's identity, the
certification authority will only create a certificate for a user on a condition that it is satisfied
with the identity of the user. X.509 plays an important role in binding the identity of an
individual or an electronic resource to its public keys (Gerck, 2000). It can also be used in
both digital and biological identity implementation.

D. What is PKI ( Public key infrastructure)?

This joins public keys to entities by using a public key that is widely available and a private
key that is known to only the application or individual that owns the keys. Furthermore, other
individuals or entities can verify public key bindings by using PKI. In client server
messaging, security of information is critical. Asides using public and private key, it also uses
a certificate authority which is a trusted third party that issues digital certificate used to
identify users. Furthermore, it used the secure socket layer which uses a secure and encrypted
channel for transfer of messages (Lock & Sommerville, 2002).

One of the advantages of PKI is that the private keys cannot be shared or determined from
the public key. Furthermore, in client server messaging the use of PKI ensures that the client
and server are who they claim to be thereby confirming that an individual executed a specific
action The use of encryption also makes the process more secure that is, the information
being exchanged is private (Polk, 2005).

Is PKI breakable if properly installed and operated?

PKI uses a cryptographic algorithm to generate its public and private key. The length of these
two numbers determines the strength of the algorithm. For instance using a 128bit key, with
enough computing power it would take a very long time to check all the possible
combinations. In other words, the shorter the length of the bit used to generate the keys the
higher the likelihood of the algorithm being broken by checking every possible key
combination. Furthermore it's practically impossible to discover a private key from a public
key using RSA encryption therefore this makes this algorithm one of the most secure.
However, every system is vulnerable to attacks as there is no perfect system or a system with
100% security. It could be said that PKI is practically unbreakable when properly installed
that is using a long bit length keys making it hard to determine the combination (Milanov,
2009).

RSA be trusted ?

MPS can trust RSA which is an algorithm used as part of PKI because the security of RSA
depends on the complexity of factorising the set of prime numbers. In the sense that, as long
as the length of the keys is large, it would be difficult for the attack to be feasible. If this
condition is satisfied then MPS can be sure that any information being accessed is done by
the authorised staff. Furthermore, encryption keys are public however the decryption keys are
not therefore an individual can only decrypt a message if he/she has the decryption key. In
information exchange, digital signatures are a way to verify that information is from a
particular sender using the appropriate keys. One advantage of using this algorithm is the
ability to identify and verify who accessed or sent an information. MPS can trust RSA as it
uses a public-key cryptosystem that allows secure communications and digital signatures
(Milanov, 2009).

References :

Cavoukian, A., Snijder, M., 2009. The Relevance of Untraceable Biometrics and Biometric
Encryption: A Discussion of Biometrics for Authentication Purposes [pdf] Available at:
<http://www.ipc.on.ca/images/Resources/untraceable-be.pdf> [Accessed 13 November 2013]

Chowhan, S.S.; Shinde, G. N., "Iris Biometrics Recognition Application in Security

Management," Image and Signal Processing, 2008. CISP '08. Congress on , vol.1, no.,
pp.661,665, 27-30 May 2008 [Accessed 29 October 2013]
David, F.Ferraiolo, Janet, A. Cugini, D. Richard Kuhn ''Role-Based Access Control (RBAC):
Features and Motivations'' National Institute of Standards and Technology U. S. Department
of Commerce [Accessed 4 November 2013]

Gerck, Ed., 2000. Overview of Certification Systems: X.509, PKIX, CA, PGP [pdf] Available at :
< http://www.thebell.net/papers/certover.pdf > [Accessed 6 November 2013

Harris, S., 2003 ''Mike Meyers' CISSP Certification Passport'' [pdf] McGraw-Hill Available
at: <http://www.mhprofessional.com/downloads/products/0072225785/0072225785_ch02.pdf>
[Accessed 6 November 2013]

Jain K, Feng J, Nandakumar K 2010 ''Fingerprint Matching'' [pdf] IEEE Computer society
Available at:
<http://biometrics.cse.msu.edu/Publications/Fingerprint/JainFpMatching_IEEEComp10.pdf >
[Accessed 29 October 2013]

Jinyu Zuo; Ratha, N.K.; Connell, J.H., "Cancelable iris biometric," Pattern Recognition,
2008. ICPR 2008. 19th International Conference on , vol., no., pp.1,4, 8-11 Dec. 2008
[Accessed 28 November 2013]

Khaw, P., 2002. Iris Recognition Technology for Improved Authentication [online] Sans
Institute Available at: <https://www.sans.org/reading-room/whitepapers/authentication/iris-
recognition-technology-improved-authentication-132> [Accessed 29 October 2013]

Li Xiuyan; Miao Changyun; Liu Tiegen; Yuan Chenhu, "Research on Personal Identity
Verification Based on Hand Vein Iris and Fingerprint," Computer Science and Society
(ISCCS), 2011 International Symposium on , vol., no., pp.16,19, 16-17 July 2011 [Accessed
29 October 2013]

Lock, R., Prof Sommerville, I., 2002. Grid Security and its use of X.509 Certificates [pdf]
Available at:
<http://www.comp.lancs.ac.uk/computing/research/cseg/projects/dirc/papers/gridpaper.pdf >
[Accessed 6 November 2013]

Longying Lian; Chunyu Song, "Research of RBAC access control model based on LDAP
tree storage," Electronic and Mechanical Engineering and Information Technology (EMEIT),
2011 International Conference on , vol.3, no., pp.1363,1365, 12-14 Aug. 2011 [Accessed 4
November 2013]

Milanov, E., 2009. The RSA Algorithm [pdf] Available at :

<http://www.math.washington.edu/~morrow/336_09/papers/Yevgeny.pdf > [Accessed 11
November 2013]

Moi, S.H.; Saad, Puteh; Rahim, N.A.; Ibrahim, S., "Error Correction on IRIS Biometric
Template Using Reed Solomon Codes," Mathematical/Analytical Modelling and Computer
Simulation (AMS), 2010 Fourth Asia International Conference on , vol., no., pp.209,214, 26-
28 May 2010 [Accessed 29 October 2013]
Moi, S.H.; Rahim, N.B.A.; Saad, Puteh; Sim, P.L.; Zakaria, Z.; Ibrahim, S., "Iris Biometric
Cryptography for Identity Document," Soft Computing and Pattern Recognition, 2009.
SOCPAR '09. International Conference of , vol., no., pp.736,741, 4-7 Dec. 2009 [Accessed
29 October 2013]

Polk, T., 2005. Introduction to Public Key Infrastructure [pdf] Available at:
<http://www.ncvhs.hhs.gov/050113p3.pdf > [Accessed 8 November 2013]

Ratha, N.K.; Chikkerur, S.; Connell, J.H.; Bolle, R.M., "Generating Cancelable Fingerprint
Templates," Pattern Analysis and Machine Intelligence, IEEE Transactions on , vol.29, no.4,
pp.561,572, April 2007 [Accessed 28 November 2013]

Rui-Feng Zhu; Jie Ning; Pei Yu, "Application of role-based access control in information
system," Wavelet Active Media Technology and Information Processing (ICWAMTIP), 2012
International Conference on , vol., no., pp.426,428, 17-19 Dec. 2012 [Accessed 4 November
2013]

identity in a multi-national environment," Technology and Society (ISTAS), 2010 IEEE

International Symposium on , vol., no., pp.484,490, 7-9 June 2010 [Accessed 6 November
2013]

Weiguo Sheng; Howells, G.; Fairhurst, Michael; Deravi, F., "Template-Free Biometric-Key
Generation by Means of Fuzzy Genetic Clustering," Information Forensics and Security,
IEEE Transactions on , vol.3, no.2, pp.183,191, June 2008 [Accessed 30 October 2013]