
Werabe University

Institute of Technology
Department of Computer Science

Computer Science (Regular Program)


By:
Mr. Muktar A.

Computer Security
Chapter 6: Authentication and Access control

5/6/2023 1
Contents
• Authentication basics
• Password and Passphrase
• Biometrics
  - Fingerprint
  - Palm Scan
  - Hand Geometry
  - Iris Scan
  - Signature Dynamics
  - Voice Print
  - Facial Scan
  - Hand Typography
• AAA server
• Smart card and memory cards
• Kerberos
• Access control basics
• Access control models
  - Discretionary Access Control (DAC)
  - Mandatory Access Control (MAC)
  - Role-Based Access Control (RBAC)
Authentication basics
 In most computer security contexts, user authentication is the fundamental building block and the primary line of defense.
 RFC 4949 defines user authentication as the process of verifying an identity claimed by or for a system entity.
 An authentication process consists of two steps:
  identification step: presenting an identifier to the security system
  verification step: presenting or generating authentication information that corroborates the binding between the entity and the identifier
Cont…..
 Something the individual knows
  examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions
 Something the individual possesses
  examples include electronic keycards, smart cards, and physical keys
  referred to as a token
 Something the individual is (static biometrics)
  examples include recognition by fingerprint, retina, and face
 Something the individual does (dynamic biometrics)
  examples include recognition by voice pattern, handwriting characteristics, and typing rhythm
Cont….
• Authentication mechanisms use any of three qualities to confirm a user’s identity:
• Something the user knows. Passwords, PINs, passphrases, a secret handshake, and a mother’s maiden name are examples of what a user may know.
• Something the user is. These authenticators, called biometrics, are based on a physical characteristic of the user, such as a fingerprint, the pattern of a person’s voice, or a face. These authentication methods are old (we recognize friends in person by their faces or on a telephone by their voices) but are comparatively recent in computer authentication.
• Something the user has. Identity badges, physical keys, a driver’s license, or a uniform are common examples of things people have that make them recognizable.
• Two or more forms can be combined; for example, a bank card and a PIN combine something the user has (the card) with something the user knows (the PIN). Combining factors of different kinds is what makes the combination stronger: an attacker who steals the card still lacks the PIN, and one who learns the PIN still lacks the card.

• Authentication is based on something you know, are, or have.
Password and Passphrase

• Passwords have been used for decades as a way to protect sensitive data, but on their own they are no longer sufficient in today’s threat landscape. Attackers use increasingly sophisticated techniques (GPU-based cracking, leaked password lists, automated credential reuse), making it easier for them to crack credentials and gain access to private information. When choosing between a passphrase and a password, the former has many advantages.

• Passphrases provide a more secure way to protect your accounts and data. The following slides discuss several ways in which passphrases are better than passwords, why passphrases were invented, and why cyber hygiene is critical for organizations.
Cont…..
• “Password length, character for character, is more important than password complexity.” – National Institute of Standards and Technology (NIST)
• A passphrase is a password composed of a sentence or combination of words.
• Passphrases are longer than the average password, making them harder to crack and increasing the overall security of a user’s account.
• While passphrases should be something that the user can remember, you should not use common phrases, such as “AnAppleaDay.” Proverbs, quotations and song lyrics appear in the word lists that cracking tools use.
• An example of a strong passphrase with four words stitched together is “Purpl3ElephantPizzaIsDelicious!” This passphrase works because:
• It is difficult to guess
• It uses symbols and numbers
• It is longer than 16 characters
• Note that the strength comes from the length and from the unpredictability of the word combination, not from the substitution of “3” for “e” or the trailing “!”: cracking tools apply such substitutions automatically. Words chosen at random from a large list (as a passphrase generator does) are stronger than words chosen for personal meaning, because anything with a personal reference can be guessed from reconnaissance.
Why Is It Important to Use Passphrases?

• Are passphrases more secure than passwords?

• Simple passwords no longer provide the security they once did, which is why passphrases have become so important.

• Weak passwords can lead to account hijacking through a number of attacks (dictionary attacks, brute force and credential stuffing, discussed below).

• The benefit of passphrases is that they make it easier for a user to generate entropy (unpredictability), and thus more security, while still creating a memorable credential.

• Entropy is the measure of how unpredictable a secret is. Generating it through a string of randomized characters yields something that is hard to remember; a passphrase of several words chosen at random from a large list yields a comparable amount of entropy in a form people can memorize. Either way, more entropy means more guesses an attacker must make.

• 91% of respondents understand the risks of using the same password across multiple accounts, but 59% do it anyway. Once a password has been leaked, it can be used to break into other accounts protected by the same or similar passwords.
Cont….
• Passphrases are more memorable and far more secure than a typical password, which seeks security through a mix of numbers, special characters, and upper and lowercase letters. Passwords like “GenIusc0de123!” are in fact easier to crack while at the same time more difficult to remember: they follow a predictable pattern (a dictionary word, a few letter-for-digit substitutions, digits and a symbol on the end) that cracking tools enumerate with rules.

• To create your own, consider using a site such as useapassphrase.com, or an offline generator, to produce a completely random passphrase. Prefer the offline option for a passphrase you will actually use; a secret typed into a website you do not control is no longer only yours.

• Additionally, passphrases are more secure than passwords because they are more resilient to attacks such as the following:
1. Dictionary attacks
2. Simple brute force attacks
3. Credential stuffing
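The entropy argument on the previous slides, worked through in Python. This is an added example, not part of the original slides or of any product named there. It assumes a word list of 7776 words (the size of a standard Diceware list), a guess rate of 1e10 per second (a plausible GPU rate against a fast unsalted hash), and assumed sizes for the rule-based search space that a cracker uses against a word-plus-substitutions password such as “GenIusc0de123!”. It also shows the caveat the slides leave out: a four-word random passphrase beats any human-chosen password, but it is weaker than a fully random 14-character string, so use six or more words.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style word list; a real list has 7776
# words (6**5), which is the number used for the entropy figures below.
DICEWARE_WORDS = 7776
SAMPLE_WORDS = ["purple", "elephant", "pizza", "delicious",
                "anchor", "basket", "candle", "dragon"]

# The 94 printable ASCII characters a "complex" password is drawn from.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each drawn uniformly
    at random from `pool_size` possibilities: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def random_password_entropy(length: int) -> float:
    """Upper bound for a password of this length: reached only if every
    character is chosen at random, which human-chosen passwords never are."""
    return entropy_bits(len(PASSWORD_ALPHABET), length)


def random_passphrase_entropy(num_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of num_words words chosen uniformly from a list of list_size.
    The separator and capitalisation add nothing if they are predictable."""
    return entropy_bits(list_size, num_words)


def mangled_word_entropy(words: int = 100_000, case_leet_variants: int = 8,
                         digit_suffixes: int = 10_000, symbol_suffixes: int = 32) -> float:
    """Effective entropy of a human-style password such as 'GenIusc0de123!':
    one dictionary word, a few case/leet variants, up to four digits and one
    symbol appended.  A cracker enumerates exactly this space with rules, so
    the search size is the product of the choices, not 94**len(password).
    The space sizes are assumptions for illustration."""
    return math.log2(words * case_leet_variants * digit_suffixes * symbol_suffixes)


def generate_passphrase(num_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice()."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to find the secret: the attacker tries half the space."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for label, bits in [
        ("14 random characters", random_password_entropy(14)),
        ("'GenIusc0de123!' (word + rules)", mangled_word_entropy()),
        ("4 random Diceware words", random_passphrase_entropy(4)),
        ("6 random Diceware words", random_passphrase_entropy(6)),
    ]:
        print(f"{label:32s} {bits:6.1f} bits  ~{expected_crack_seconds(bits):.3g} s")
    # The sample list has only 8 words, so this is a demo, not a real passphrase.
    print("generated from sample list:", generate_passphrase(4))
```

The figures the block prints are the ones to remember: the 14-character “complex” password that a cracker can reach through a word plus rules is worth under 40 bits, four random words are worth about 52 bits, six random words about 78 bits, and a genuinely random 14-character string about 92 bits. Length helps only when the extra characters are unpredictable.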
Cont….
• Dictionary Attacks
• A dictionary attack is a form of brute force attack in which malicious actors try candidate passwords one after another until one works.
• When attackers run dictionary attacks, they use a list of words, common passwords and symbol patterns (often taken from earlier breaches) to guess passwords. Since passphrases are made up of multiple words, the combination is very unlikely to appear in such a list, so they are more difficult to crack through this method.
• According to a NordPass study, people are still using weak and easily guessable passwords as a form of account protection.
• In this study, researchers found that the top five passwords used in 2022 were:
1. password
2. 123456
3. 123456789
4. guest
5. qwerty
Cont…..
• Except for “guest,” which would take an attacker about ten seconds to crack, the other four passwords in this list would take less than one second to get past.

• If you or your employees are using any of these commonly used passwords, changing them as soon as possible to a passphrase will create a strong protection layer over your accounts.

• Passphrases are so much more robust than passwords that the FBI recommends using unique passphrases for at least users’ health, financial, and email accounts.
Cont…..
• Simple Brute Force Attacks
• In this type of attack, malicious actors do not use a database, but simply try to guess a user’s password from common ones such as those listed above, birthdays, company names, etc.

• Cybercriminals can also perform this type of attack with the help of some basic reconnaissance work, such as looking at someone’s social media to find out their favorite places, animals, sports teams, or any interest they feel strongly about. This is why a passphrase built from personal references is weaker than one built from words chosen at random.
Cont…..
• Credential Stuffing
• 40% of confirmed data breaches in 2022 resulted from the use of stolen credentials. – Data Breach Investigations Report, Verizon

• If you use the same password or passphrase to safeguard multiple accounts, you are susceptible to an attack known as credential stuffing.

• In this attack, bad actors take login names and passwords obtained from a successful breach and try them, usually with automated tools, on other websites.

• For example, if your password was exposed in a social media breach and you use the same one to protect your other accounts, a cybercriminal could use it to log in to sites such as your email provider, bank account, e-commerce sites, etc.

• Note that a long passphrase does not protect against credential stuffing if it is reused: the attacker already has the secret. Only a unique credential per account (in practice, one kept in a password manager) does.
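From the defender’s side, credential stuffing has a recognisable shape in the login audit log: one source tries many different usernames in a short time, and most attempts fail because only some of the leaked pairs are still valid here. The following is an added example, not from the slides: a Python detector run over a constructed sample of audit records (the timestamps, IP addresses and usernames are made up for the example). The thresholds (five distinct users within five minutes, at most 20% successes) are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login audit records (not real traffic):
# timestamp, source IP, username tried, outcome.
SAMPLE_LOG = """\
2023-05-06T10:00:01Z 203.0.113.7 alice FAIL
2023-05-06T10:00:02Z 203.0.113.7 bob FAIL
2023-05-06T10:00:02Z 203.0.113.7 carol FAIL
2023-05-06T10:00:03Z 203.0.113.7 dave SUCCESS
2023-05-06T10:00:04Z 203.0.113.7 erin FAIL
2023-05-06T10:00:04Z 203.0.113.7 frank FAIL
2023-05-06T10:00:05Z 203.0.113.7 grace FAIL
2023-05-06T10:00:06Z 203.0.113.7 heidi FAIL
2023-05-06T10:00:07Z 203.0.113.7 ivan FAIL
2023-05-06T10:00:08Z 203.0.113.7 judy FAIL
2023-05-06T10:01:00Z 198.51.100.2 alice FAIL
2023-05-06T10:01:05Z 198.51.100.2 alice FAIL
2023-05-06T10:01:09Z 198.51.100.2 alice SUCCESS
2023-05-06T10:02:00Z 192.0.2.9 mallory FAIL
2023-05-06T10:02:30Z 192.0.2.9 mallory FAIL
"""


def parse_log(text):
    """Parse 'timestamp ip user outcome' lines into tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many *distinct* usernames inside `window`
    with a low success ratio.  A user mistyping their own password (one
    username, several failures) and an ordinary login are not flagged.
    Returns {ip: summary}; 'compromised' lists the accounts the attacker got
    into, which is the list that drives the response (force a reset)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            hits = sorted({e[2] for e in win if e[3] == "SUCCESS"})
            if len(users) >= min_users and len(hits) / len(win) <= max_success_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(win),
                              "compromised": hits}
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, only 203.0.113.7 is flagged (ten usernames in seven seconds, one success), and the alert names “dave” as the account whose reused password worked. A per-IP rule like this catches the naive attack; real campaigns spread the attempts over proxy networks, so production detection also compares the global failure rate against its baseline and groups by user agent or network block rather than by single address.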
Cont…..
• Below see how weak or reused passwords cause cybersecurity issues for organizations:

• Human error is a key factor in the increasing volume of cyberattacks we have seen in recent years.

• Cyberattacks rely on human error and weak credentials in order to exploit users.

• Password length, rather than character variety, is the primary component of a password’s strength, meaning passphrases are far more secure than passwords even if they feature no special characters at all.

• Passphrases reduce the risk of data breaches due to brute force attacks and help organizations protect their customers’ private data.
Biometrics
• Biometrics is a technology used to identify, analyze, and measure an individual’s physical and behavioral characteristics.

• Biometric technology, based on human attributes (something you are), aims to confirm a person's identity by scanning a physical characteristic such as a fingerprint, the voice, features of the eye, the face, and others.

• It is probably one of the oldest access control techniques. However, during the past several years and with heightened security, biometric technology has become increasingly popular.

• The technology, which can be used to permit access to a network or a building, has become an increasingly reliable, convenient and cost-effective means of security.
Cont…..
• Current technology has made biometric access control much more practical than it has ever been in the past. A new generation of low-cost yet accurate fingerprint readers is available for most mobile applications, so that screening stations can be set up in a few minutes.

• Technological advances have resulted in smaller, high-quality, more accurate, and more reliable devices. Improvements in biometrics are essential because bad biometric security can lull system and network administrators into a false sense of safety. A poorly tuned device can also lock out a legitimate user (a false rejection) and admit an intruder (a false acceptance). So care must be taken when procuring biometric devices: ask for the false acceptance rate (FAR), the false rejection rate (FRR), and whether the device detects presentation attacks (fake fingers, photos, recordings).
Cont…..
• Each human being is unique in terms of characteristics, which make him or her different from all others. Physical attributes such as fingerprints, the pattern of the iris, hand geometry, and behavioral characteristics such as tone and accent of speech, signature, or the way of typing keys on a computer keyboard, make a person stand apart from the rest.

• This uniqueness of a person is then used by biometric systems to:

• Identify and verify a person.

• Authenticate a person to give appropriate rights of system operations.

• Keep the system safe from unauthorized use.
Cont…..
 Biometrics are biological properties, based on some physical or behavioral characteristic of the human body. The list of biometric authentication technologies is still growing. Devices can now recognize the following biometrics:
• Fingerprint
• Palm Scan
• Hand Geometry
• Iris Scan
• Signature Dynamics
• Voice Print
• Facial Scan
• Hand Typography (typing rhythm)
Cont…..
• Fingerprint: Fingerprint Recognition
• It is one of the oldest technologies of biometric recognition, in which the ridges and furrows of the finger are used as the identifying trait, since the pattern is formed before birth and stays essentially the same throughout life (barring injury or heavy wear).
Cont…..
• It uses a fingerprint scanner to get an image of the user’s finger. The user simply places the finger on a glass plate and a CCD (charge-coupled device) camera takes a picture. Before matching the print to pre-scanned images, the scanner processor makes sure the CCD has captured a clear image. It examines the average pixel darkness and rejects the scan if the overall image is too dark or too light.

• If the image is rejected, the scanner adjusts the exposure time to let in more or less light and then tries the scan again. If the processor finds that the image is crisp and properly exposed, it proceeds to compare the captured fingerprint with the fingerprints on file.

• There are a number of different ways to get an image of the user’s finger. The most common methods today are optical scanning and capacitance scanning.
Cont…..
• Advantages

• High accuracy.

• Highly Economical.

• Disadvantages

• Users involved in heavy manual labor can have the ridges and
furrows in the finger changed.

• Dirty and marked fingers have a bad impact which might increase
the rate of rejection.

Cont…..
• Voice or Sound Recognition
• The voice of a human is one more attribute that is distinctive.
• In this technique, the user speaks into a microphone, and an analog-to-digital converter (ADC) creates a digital sound file for the voice recognition (VR) program to work with. The VR program accepts the digital recording and parses it into small, recognizable speech units called phonemes.

Cont…..
• Once the program has identified the phonemes, it begins a complex process of identification and analysis, comparing each string of recorded phonemes against the ones recorded in its memory. It then accesses its internal database and pairs up the recorded phonemes with the most equivalent text.
• Finally, the VR program provides the output on the screen.
• Note the distinction: the phoneme-to-text process above is speech recognition (what was said). Speaker verification, the biometric use (who said it), compares the acoustic features of the speaker’s voice, the voice print, against the template enrolled for that user. Many systems combine both: the user must say a freshly prompted phrase (so a recording of some other phrase is useless) and the voice must match.
• Advantages
• Since only the voice is taken as input, the person’s hands are free (helps disabled users).
• Flexible.
• Can also be used to control the application by voice.
• Disadvantages
• An intruder can use a recorded voice, or a synthesized one.
• It is less accurate when there is a lot of noise in the background.
Cont…..
• Palm Vein Recognition

• In this technique, the vein pattern in the palm is used as the identification trait. The user simply holds the hand above the sensor for less than a second. The sensor (near-infrared) records and examines the vein pattern of the user, which stays stable over time, to provide a positive ID.

• It gives each user a single record that is very hard to fake, because the veins lie under the skin and are imaged only in living tissue, and it prevents people from enrolling under assumed identities.

• Advantages
• Quick and simple.
• Fast and highly accurate.
• Contactless: no obstruction between the palm and the sensor.
• Disadvantages
• Response time can be an issue under poor hand positioning or lighting.
Cont…..
• Iris Recognition
• The iris pattern is unique to a human being. No two humans have the same iris pattern; even identical twins have different iris patterns, and the iris of the right eye differs from that of the left eye.
• It uses camera technology in which the iris is illuminated with near-infrared light. The image of the eye is captured and the iris scanner analyzes the features in the iris, which offer more than 200 points that can be used for comparison, including rings, furrows and freckles. A pattern (the iris code) is extracted and then matched with that of the user.
• It is extensively used at airports as a substitute for the passport, for computer login, ATMs, access to buildings and database access.
• Advantages
• The iris is flat and externally visible, which makes it easy to image from a short distance. The false match rate is very low.
• Among the most accurate and robust biometric technologies.
• The iris has a fine texture which remains stable over a lifetime.
• Disadvantages
• The amount of light in the scanner must be controlled.
• The distance between the scanner and the person’s eye can be bothersome.
• Intruders have presented a high-quality image instead of the real iris, so the scanner needs liveness detection.
Cont…..
• Retina Scan Recognition
• It is similar to iris recognition but more stable than iris recognition, as the retina is less exposed to the external environment.
• It uses a low-intensity light source and a delicate sensor to scan the pattern of blood vessels at the back of the eye, a pattern unique to each individual. This pattern is then matched against the one existing in the database.
• During a retinal scan, the user must remove glasses, stare at a specific point, and hold their head still for the 10-15 seconds it takes to complete the scan.
• Advantages
• Highly reliable.
• Speedy results, as the pattern is verified very quickly once captured.
• Disadvantages
• Expensive and not very user-friendly.
• Difficult to place the eye in front of the scanner.
Cont…..
• Hand Geometry
• In this technique, the geometric shape of the hand (size of the palm, length and width of the fingers, the distance between the knuckles, etc.) is used.
• It uses a geometry scanner: the user simply puts his or her hand onto a platen which has five pegs that help the user to position the fingers properly.
Face Detection and Recognition Systems

• Imagine standing in front of the entrance door to your office and seeing your face flash up on a large screen. If the system identifies you, it opens the doors; if it doesn’t, the doors stay closed.
• Your face is your digital ID. It allows you to enter your office and authenticate your identity in a host of other places. This not so old technology is on its way to becoming ubiquitous.
• Face detection and recognition systems recognize the face from many angles, in good conditions with accuracy comparable to a person’s. Using machine learning and deep learning techniques, computers can recognize faces with high accuracy. Facial recognition systems comprise high-end hardware components along with software for identification and verification of a person, by comparing the facial features of the person present to the features stored in the facial database.
• The facial detection and recognition system can verify a person from a digital image or from a frame of a video. Numeric codes called faceprints are used for recognition, derived from about 80 nodal points (end to end measurements with respect to nose, jaws etc.) on the face.
Cont…..
• Application
• Web and desktop applications can use facial recognition for login, in addition to or instead of a password.
• Law enforcement agencies can use it for locating an individual in a crowd.
• Companies can keep track of employee attendance.
• These systems are already being used by agencies targeting criminals, at airports for security, or to differentiate players during games.
• Marketing personalization makes use of billboards with software that identifies the demographics of passers-by for targeted advertising.
Cont…..
• Other Specifications
• No retraining − Training is done on the new face being enrolled, not on all existing images in the database.
• Quick induction − Adding a new face to the database, along with the training, should not take more than 0.01 s on a single-core processor.
• Self-supporting feature database − After training, the facial feature database must be separate from the face image database. This is done to limit the damage from tampering with the images in the facial database. Distances between jaw lines, nose tips, lip contours and eye centers are all matched during the face detection and recognition process.
• Resolution independent − The face recognition algorithm must not depend on high-resolution images; videos, however, must be at or above 640×480 resolution.
• Robust − The face recognition system must be sturdy against variations in posture, facial expression and illumination (albeit within a certain limit).
• Face changes − Beards, moustaches and other such features can make a difference to the actual image. Hence, the facial database must include the original image as well as one with the additional features under the identical ID. Eyes and eyebrows are usually also used as signatures of the image.
Cont…..
• Other aspects − Eye glasses must be clear so as to reveal the eyes clearly.
• Scalability − The facial database must be scalable and must have the capacity to store more than 1000 images. Image formats could be JPEG, BMP, PNG etc.; videos could be MJPEG, MPEG4 etc.
• Accuracy − The face recognition must work at a high accuracy rate (more than 90%).
• Forensics − The image and the video must be watermarked as well as encrypted, so that their origin and integrity can later be established for evidence.
• Finally, the database must be integrated and include demographics such as name, age, sex, date of birth, nationality, address, employment history, unique identification number etc. A query for any person must not take more than five seconds in a database of 5000. Because such a database links biometric templates to identities, it is itself sensitive data and must be access-controlled and encrypted at rest.
Cont….. (Hand Geometry)
• Two basic types of pictures of the hand are captured:
• An image of the top of the hand; and
• An image of the side of the hand.
• The verification template is compared against the one existing in the database, in the same fashion as fingerprint recognition. The verification phase can be accomplished in just under one second.
• It is used by different companies for their buildings, and even by government agencies, to verify who is entering.
• Advantages
• Relatively easy to use and inexpensive.
• Performs well against a complex background.
• Disadvantages
• An irrelevant object might overlap with the hand.
• Not ideal for growing children, whose hand dimensions change.
Cont…..
• Signature dynamics: a behavioral biometric modality that analyzes dynamic characteristics of an individual's signature, such as the shape of the signature, speed of signing, pen pressure when signing, and pen-in-air movements, for recognition.

• Dynamic signature is a biometric modality that uses, for recognition purposes, the anatomic and behavioral characteristics that an individual exhibits when signing his or her name (or another phrase).

• There are two kinds of signature verification: static and dynamic.

• Static (offline) verification verifies an electronic or paper signature after it has been made.

• In contrast, dynamic (online) verification occurs as a person creates their signature on a digital tablet or a similar device, so timing and pressure are available and a forger who only copies the shape is detected.
Cont…..
• Hand typography (typing rhythm, also called keystroke dynamics)

• In the biometric sense used in this chapter (the behavioral identifiers “the way of typing keys of computer keyboard” and “rhythm of typing keys” listed elsewhere in these slides), hand typography means recognizing a person by how they type: the time each key is held down (dwell time), the time between releasing one key and pressing the next (flight time), typing speed, and characteristic errors and corrections.

• It is captured passively while the user types a password or ordinary text, so it can be used for continuous authentication after login, not only for a one-time check.

• The terms “hand lettering”, “calligraphy” and “typography” also exist in graphic design, where they refer to drawing, writing and arranging letters artistically; that meaning is unrelated to the biometric.
How Does Biometric Access Control Work?

• Biometric access control and its functioning are based on a lot of research and technology. A biometric system primarily has three components:
• A sensor that detects the trait that will be used to identify you.
• Computer hardware to store and read data.
• Software that evaluates the feature, converts it to a template (a graph or code) and makes the actual comparisons.
• The working of biometrics primarily involves three basic steps:
• Enrolment − At first, a unique characteristic of yours is recorded, together with other information such as your name, unique identification number, and so on. Usually several captures are taken and combined.
• Storage − Most systems, contrary to widespread assumption, do not preserve the whole image or video. A database is created, and your recorded characteristic is maintained in the form of a template (a graph or code) in this database. The template must still be protected: unlike a password it cannot be changed if it leaks, and unlike a password it cannot be compared exactly, so it is stored encrypted or kept on the user’s own device rather than hashed.
• Comparison − The next time you use it, the system compares the trait you present to the information on file. Because two captures of the same trait are never identical, the comparison produces a similarity score, and the system grants or refuses your access request depending on whether the score passes a threshold.
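The three steps above (enrolment, storage, comparison), together with the false-acceptance and false-rejection trade-off mentioned on the earlier slides, as an added example in Python. This is not code from the slides or from any biometric product. It assumes that a feature extractor has already turned each capture into a small numeric vector (the vectors here are constructed for the example and stand in for real fingerprint or face features), and it uses Euclidean distance as the matcher; real matchers use domain-specific scores, but the threshold logic and the FAR/FRR computation are the same.

```python
import math

# Constructed feature vectors standing in for what a real extractor produces
# (e.g. fingerprint minutiae positions or face nodal-point distances).
# Every number below is made up for this example.
ENROLL_SAMPLES = {
    "alice": [(1.0, 2.0, 3.0, 4.0), (1.25, 2.0, 3.0, 4.0), (0.75, 2.0, 3.0, 4.0)],
    "bob":   [(5.0, 5.0, 5.0, 5.0), (5.0, 5.25, 5.0, 5.0), (5.0, 4.75, 5.0, 5.0)],
}
# Later captures by the real owner: (claimed identity, features).
GENUINE_PROBES = [
    ("alice", (1.1, 2.0, 3.0, 4.0)),
    ("alice", (1.0, 2.3, 3.0, 4.0)),
    ("alice", (1.0, 2.0, 3.6, 4.0)),   # poor capture, e.g. a dirty finger
    ("bob",   (5.0, 5.0, 5.1, 5.0)),
    ("bob",   (5.4, 5.0, 5.0, 5.0)),
]
# Captures by someone else presenting under the claimed identity.
IMPOSTOR_PROBES = [
    ("alice", (5.0, 5.0, 5.0, 5.0)),   # bob's finger, claiming to be alice
    ("bob",   (1.0, 2.0, 3.0, 4.0)),
    ("alice", (1.0, 2.0, 3.0, 4.45)),  # near miss: similar features
    ("bob",   (5.0, 5.0, 5.0, 4.45)),
]


def distance(a, b):
    """Euclidean distance between two feature vectors; the matcher's score."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def enroll(samples):
    """Step 1, enrolment: average several captures into one template.
    Step 2, storage: only this template is kept, never the raw images."""
    n = len(samples)
    return tuple(sum(s[i] for s in samples) / n for i in range(len(samples[0])))


def verify(template, probe, threshold):
    """Step 3, comparison: accept when the probe lies within `threshold` of
    the template.  Two captures of the same trait are never identical, so an
    exact comparison (as with a password hash) would reject everyone."""
    return distance(template, probe) <= threshold


def error_rates(templates, genuine, impostors, threshold):
    """False acceptance rate (intruders admitted) and false rejection rate
    (legitimate users locked out) at a given threshold."""
    far = sum(verify(templates[u], f, threshold) for u, f in impostors) / len(impostors)
    frr = sum(not verify(templates[u], f, threshold) for u, f in genuine) / len(genuine)
    return far, frr


def build_templates(enroll_samples=ENROLL_SAMPLES):
    """The stored database: user id -> template.  Protect it like a password
    store, but note it cannot be hashed, since matching is approximate."""
    return {user: enroll(samples) for user, samples in enroll_samples.items()}


if __name__ == "__main__":
    templates = build_templates()
    print("stored templates:", templates)
    # Sweep the threshold: loosening it lowers FRR but raises FAR.
    for t in (0.35, 0.5, 0.7):
        far, frr = error_rates(templates, GENUINE_PROBES, IMPOSTOR_PROBES, t)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
```

On the constructed data a threshold of 0.35 admits no impostor but rejects two of five genuine captures, 0.5 admits one impostor and rejects one genuine user, and 0.7 rejects nobody but admits half the impostors. This is the trade-off behind the slide’s warning that a badly tuned device both locks out legitimate users and admits intruders; the vendor’s FAR and FRR figures describe exactly this curve, and they are only meaningful together with the threshold at which they were measured.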
Types of Biometrics
• Biometrics is mainly divided into two categories:

• Physiological Identifiers

• Fingerprints, facial features, iris and retina patterns, hand geometry and similar traits of the body are examples of physiological identifiers.

• Behavioral Identifiers

• Individual behaviors such as typing habits, mouse and finger movements, website and social media engagement patterns, walking gait, and other gestures are examples of behavioral identifiers. Instead of a single, one-time authentication check, several behavioral identifiers can be employed to offer continuous authentication. While it is still a younger method with lower reliability ratings, it can evolve with other biometric technology advancements.
• Combination of physiological and behavioral
Cont…..
• Physiological Modality: This modality pertains to the shape and size of the body. For example:

• Fingerprint Recognition

• Hand Geometry Recognition System

• Facial Recognition System

• Iris Recognition System

• Retinal Scanning System

• DNA Recognition System

Cont…..
• Behavioral Modality: This modality is related to the way a person acts, which can change over time. For example:

• Gait (the way one walks)

• Rhythm of typing keys

• Signature
Cont…..
• Combination of Both Modalities: This modality includes both traits,
where the traits are depending upon physical as well as behavioral
changes.

• For example −

• Voice Recognition

• It depends on health, size, and shape of vocal cord, nasal cavities, mouth
cavity, shape of lips, etc., and the emotional status, age, illness (behavior)
of a person.

Application Areas of Biometrics
• There are a number of applications where biometric systems are useful. A few of them are given below:

• Controlling workplace access.

• Establishing identity for citizenship and immigration systems.

• Applying access control to sensitive information and systems.

• Identifying criminals by forensics.

• Executing online e-commerce transactions.

• Fraud and theft reduction.

• Law enforcement.
AAA Server

Cont…..
• The administrator can access a router or other network device through its console port, but that is very inconvenient if he is sitting far from the device. So, eventually, he has to take remote access to that device.

• But as remote access is reachable over an IP address, it is possible that an unauthorized user can attempt access using that same IP address; therefore, for security, we have to put authentication in place. Also, the packets exchanged with the device should be encrypted (SSH rather than Telnet), so that nobody else can capture that sensitive information.

• Therefore, a framework called AAA is used to provide that extra level of security.
Cont…..
• AAA (Authentication, Authorization, Accounting/Audit) – AAA is a standards-based framework used to control who is permitted to use network resources (through authentication), what they are authorized to do (through authorization), and to capture the actions performed while accessing the network (through accounting/auditing).

1. Authentication – The process by which it is determined whether the user who wants to access the network resources is valid or not, by asking for credentials such as a username and password. Common practice is to put authentication on the console port, the AUX port, and the vty (virtual terminal) lines. As network administrators, we can control how a user is authenticated if someone wants to access the network. The methods include using the local database of that device (router) or sending authentication requests to an external server such as an ACS server (over RADIUS or TACACS+). To specify the method to be used for authentication, a default or customized authentication method list is used.
Cont…..
2. Authorization – It provides capabilities to enforce policies on network resources after the user has gained access to the network resources through authentication. After the authentication is successful, authorization can be used to determine what resources the user is allowed to access and the operations that can be performed. For example, if a junior network engineer (who should not access all the resources) wants to access the device, then the administrator can create a view that allows only particular commands to be executed by that user (the commands permitted by the method list). The administrator can use the authorization method list to specify how the user is authorized for network resources, i.e. through a local database or an ACS server.

3. Accounting/Auditing – It provides a means of monitoring and capturing the events performed by the user while accessing the network resources. It even records how long the user had access to the network. The administrator can create an accounting method list to specify what should be accounted for and to whom the accounting records should be sent. Accounting records are the evidence used in an investigation, so they should go to a server that the device’s users cannot modify.
Cont…..
• AAA implementation: AAA can be implemented by using the local database of the device or by using an external ACS server.

• Local database – If we want to use the local running configuration of the router or switch to implement AAA, we should first create users for authentication and assign privilege levels to the users for authorization.

• ACS server – This is the common method. An external ACS server (Cisco Access Control Server, available as an appliance or as software on VMware, and since superseded by Cisco ISE; other vendors’ RADIUS and TACACS+ servers play the same role) is used for AAA, and configuration on both the router and the ACS server is required. The configuration includes creating users and separate customized method lists for authentication, authorization, and accounting. The client or Network Access Server (NAS) sends authentication requests to the ACS server, and the server decides whether to allow the user to access the network resource or not according to the credentials provided by the user.

• Note – In case the ACS server becomes unreachable, the administrator should list the local database of the device as a backup in the method list. The backup method is consulted only when the server fails to respond, not when the server rejects the credentials: a wrong password is a final answer, so the local database does not give an attacker a second set of passwords to try while the server is up.
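The method-list behaviour described above, including the fallback rule in the note, modelled in Python. This is an added example, not code from the slides or from Cisco; it reproduces the Cisco IOS semantics as the editor understands them (a later method runs only when the earlier one returns an error, never when it returns a failure), and the user names, passwords, privilege levels and command table are constructed for the example. It also shows authorization by privilege level and the accounting records a session produces.

```python
import secrets

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR: the method could not decide

# Local user database on the device: username -> (password, privilege level).
# Constructed values; a real device stores a password hash, not the password.
LOCAL_USERS = {"admin": ("L0cal-Backup!", 15), "junior": ("junior-pw", 1)}

# Accounts known to the external AAA (ACS/TACACS+) server (constructed).
SERVER_USERS = {"admin": ("Srv-Admin!", 15), "junior": ("junior-pw", 1)}

# Minimum privilege level required per command (constructed subset).
COMMAND_LEVELS = {"show ip interface brief": 1,
                  "show running-config": 15,
                  "configure terminal": 15}


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not reveal how much matched."""
    return secrets.compare_digest(a.encode(), b.encode())


def local_auth(user, password):
    """The 'local' method: consult the device's own user database."""
    rec = LOCAL_USERS.get(user)
    if rec is None:
        _same(password, password)          # same cost as a real compare
        return FAIL, None
    return (PASS, rec[1]) if _same(password, rec[0]) else (FAIL, None)


def make_server_auth(reachable):
    """The 'group tacacs+' / 'group radius' method.  Returns ERROR when the
    server cannot be reached; that is the only result that triggers fallback."""
    def server_auth(user, password):
        if not reachable:
            return ERROR, None
        rec = SERVER_USERS.get(user)
        if rec is not None and _same(password, rec[0]):
            return PASS, rec[1]
        return FAIL, None
    return server_auth


def authenticate(method_list, user, password):
    """Method-list semantics (assumed Cisco IOS model): methods are tried in
    order and the next one is consulted only after ERROR.  A FAIL is final,
    so 'local' is a backup for outages, not a second password to try."""
    for name, method in method_list:
        result, priv = method(user, password)
        if result != ERROR:
            return result, priv, name
    return FAIL, None, "none"              # every method errored: deny by default


def authorize(privilege, command):
    """Authorization: a command runs only at or above its privilege level.
    Unknown commands are treated as privileged."""
    required = COMMAND_LEVELS.get(command, 15)
    return privilege is not None and privilege >= required


def session(method_list, user, password, commands, accounting_log):
    """Run a login followed by some commands, appending accounting records."""
    result, priv, via = authenticate(method_list, user, password)
    accounting_log.append({"event": "login", "user": user, "result": result, "method": via})
    executed = []
    if result == PASS:
        for cmd in commands:
            allowed = authorize(priv, cmd)
            accounting_log.append({"event": "command", "user": user, "cmd": cmd, "allowed": allowed})
            if allowed:
                executed.append(cmd)
        accounting_log.append({"event": "logout", "user": user})
    return result, executed


if __name__ == "__main__":
    server_up = [("group tacacs+", make_server_auth(True)), ("local", local_auth)]
    server_down = [("group tacacs+", make_server_auth(False)), ("local", local_auth)]
    print("server up, local password:  ", authenticate(server_up, "admin", "L0cal-Backup!"))
    print("server down, local password:", authenticate(server_down, "admin", "L0cal-Backup!"))
    log = []
    print(session(server_down, "junior", "junior-pw",
                  ["show ip interface brief", "configure terminal"], log))
    for rec in log:
        print(rec)
```

The case to notice is the first line the block prints: with the server reachable, the local backup password is rejected, because the server answered FAIL and the list stops there. Only when the server is unreachable does the local database get a say. The same ordering applies to the authorization and accounting method lists, and the accounting log is what answers “who ran configure terminal on this switch, and when” after an incident.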
Smart Card and Memory Cards
• Memory Card
• In the authentication context, a memory card is a card that only stores data; it has no processor, so it cannot compute or check anything itself. The magnetic stripe on a traditional bank card, a simple chip that holds an identifier, or a removable flash card are all memory cards: whatever secret the card holds is read out by the reader and compared by the host, so anyone with a reader can copy it.

• In the consumer sense, a memory card is a storage device that can store videos, photos, or other data files. It provides a non-volatile medium (flash memory) to save data from the device it is inserted in. Generally, it is used in devices like phones, digital cameras, laptops, digital camcorders, game consoles, MP3 players, printers, etc.

• Such a memory card is generally used as primary and portable flash memory in mobile phones, cameras and other portable and handheld devices. PC Cards (PCMCIA) were a predecessor of modern memory cards that were introduced commercially. Besides providing non-volatile storage, a memory card uses solid-state media, which lowers the chance of the mechanical failures found in traditional hard drives.

• The capacity of a memory card is fixed and cannot be enlarged. If the memory card is full, consider removing some of the files stored on it, moving the files to another storage device, or purchasing a memory card with more capacity and replacing the old card with the new one.
Cont….
• Smart Card
• A smart card is a card that stores data on a microprocessor or memory chip instead of the magnetic stripe found on ATM and credit
cards. A smart card is a secure microcontroller that is generally used for generating, storing and operating on cryptographic keys.

• Smart card authentication supports users with smart card devices for the purpose of authentication. Users connect their smart card
to a host computer. Software on the host computer communicates with the key material and other secrets saved on the smart card to
authenticate the user.

• Smart cards are considered a strong form of authentication because the cryptographic keys and other secrets stored on the card are
very well protected both physically and logically, and are therefore extremely difficult to steal.

• The added security provided by the smart card comes at the expense of the user experience, as smart cards must be physically
carried around by the user and inserted into the host computer each time they need to authenticate with it. Users are also limited
to host devices that have the card interface software installed.

• Smart cards are also expensive to administer, as they need software installation on the host device and physical distribution to
the users. Smart cards offer computing and business systems the enormous advantage of portable and secure storage of information
and value. At the same time, integrating smart cards into a system introduces its own security management issues, as people
carry card data far and wide in a variety of applications.

Cont…..
• Several applications of smart cards are as follows:

• A smart card is a device generally the size and shape of a credit card that includes one or more integrated chips
which implement the functions of a computer with a microprocessor, memory, and input/output.

• Smart cards can be used to offer increased functionality and an increased level of security over memory
cards when used for identification and authentication.

• Smart cards are plastic cards that have integrated circuits or storage receptacles embedded in them.

• Smart cards with integrated circuits that can perform transactions are described as “active” smart cards.

• A smart card can process and store data through its microprocessor; thus the smart card itself (rather than the
reader/writer device) can control access to the data stored on the card.

• This can be particularly useful for applications such as user authentication in which the security of the information
must be maintained. The smart card can perform the password or PIN comparison within the card.

Cont….
• The smart card can replace conventional password security with something better, a PIN, which is checked by the card rather than by the
computer system, which may not have as sophisticated a means for user identification and authentication.

• As an authentication method, the smart card is something the user possesses. With current advances, a password or PIN can be added for
more security, and a fingerprint or photo for even more security. As contrasted with memory cards, an important and beneficial feature
of a smart card is that it can be manufactured to protect the security of its own memory, thus lowering the risk posed by lost or stolen cards.

• Use of smart cards entails the added expense of the card itself and of the special reader devices. Careful decisions as to which systems
warrant a smart card should be made. The cost of manufacturing smart cards is higher than that of memory cards, but the
disparity will shrink as progressively more manufacturers switch to this technology.

• On the other hand, it should be remembered that smart cards, unlike memory-only cards, can work effectively with relatively
‘dumb’, low-cost reader devices.

• The card can be programmed to limit the number of login attempts and ask biographic questions, or perform a biometric check, to
ensure that only the smart card’s owner can use it. Furthermore, non-repeating challenges can be used to foil a method in which an
attacker attempts to log in using a password or PIN observed from a previous login. In addition, the difficulty of smart card
manufacturing makes forgery of the card’s contents virtually impossible.

Kerberos
• Kerberos provides a centralized authentication
server whose function is to authenticate users
to servers and servers to users.
• In Kerberos, an authentication server and a database
are used for client authentication.
• Kerberos runs as the key distribution center (KDC).
• The main components of Kerberos are:
• Authentication Server (AS): performs the initial authentication and
issues the ticket for the ticket-granting service
• Database: the AS verifies the access rights of users against the
database
• Ticket Granting Server (TGS): issues the ticket for the server

Cont…..
• Users wish to access services on servers
• Three threats exist:
• A user pretends to be another user
• A user alters the network address of a workstation
• A user eavesdrops on exchanges and uses a replay attack
• Kerberos provides a centralized authentication server
to authenticate users to servers and servers to
users
• Relies on conventional (symmetric) encryption, making no use of public-key
encryption
• Two versions: version 4 and version 5
• Version 4 makes use of DES

Cont…..
• Kerberos is a user authentication protocol for client-
server applications.
• It uses a Key Distribution Center (KDC) to generate
session keys that clients and servers can use to
communicate with one another.
• The Kerberos protocol makes it easier for users to access
multiple services in a network on the basis of a single
initial authentication with the KDC.

Cont…..
• Kerberos was named after Cerberus, the three-headed dog of Greek
mythology, because of its three components:

• A Key Distribution Center (KDC), which is a server
that has two components: an Authentication Server
and a Ticket Granting Service.

• The client (user)

• The server that the client wants to access

Kerberos – How it works
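The three exchanges this slide's figure would show (AS exchange, TGS exchange, client/server exchange), written out as an added Python example that is not part of these slides or of any Kerberos implementation. The principal names, keys and the seal/open_ helper are constructed for the demo; the helper is a keyed HMAC keystream with an HMAC tag standing in for the DES/AES encryption real Kerberos uses, and the tickets are JSON rather than ASN.1. It also shows the replay cache that defeats the third threat listed earlier (a replayed authenticator is rejected) and that an eavesdropper who captures a ticket but not the session key cannot mint a valid authenticator.

```python
"""Toy Kerberos-style exchange (AS, TGS, application server).

Constructed for this example: the keys, names and the 'cipher' are made up.
seal()/open_() use an HMAC-SHA256 keystream plus an HMAC tag so that each
party can open only what was sealed under its own key; it stands in for the
DES/AES encryption Kerberos really uses and is not a cipher to deploy.
"""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 300                                   # seconds a ticket stays valid


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    """Verify the tag, then decrypt; a wrong key or a tampered blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _fresh(auth, ticket):
    """Authenticator names the ticket's principal, is recent, and the ticket is unexpired."""
    now = time.time()
    return auth["user"] == ticket["user"] and abs(now - auth["ts"]) <= LIFETIME and now <= ticket["exp"]


class KDC:
    """Key Distribution Center: the AS and the TGS share one principal database."""

    def __init__(self, db):
        self.db = db                             # principal -> long-term key

    def as_exchange(self, user):
        """AS-REP: a TGT sealed for the TGS plus the client/TGS session key,
        sealed under the user's long-term key (derived from the password)."""
        sk = os.urandom(32)
        tgt = seal(self.db["krbtgt"], {"user": user, "key": sk.hex(), "exp": time.time() + LIFETIME})
        return seal(self.db[user], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, auth, service):
        """TGS-REP: open the TGT, check the authenticator under the session key
        found inside it, then issue a ticket sealed under the service's key."""
        t = open_(self.db["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        if not _fresh(open_(sk, auth), t):
            raise PermissionError("bad authenticator or expired TGT")
        svc_key = os.urandom(32)
        ticket = seal(self.db[service], {"user": t["user"], "key": svc_key.hex(), "exp": time.time() + LIFETIME})
        return seal(sk, {"sk": svc_key.hex(), "ticket": ticket.hex()})


class Service:
    """Application server; it never contacts the KDC, the ticket is the proof."""

    def __init__(self, key):
        self.key, self.seen = key, set()         # seen = replay cache

    def accept(self, ticket, auth):
        t = open_(self.key, ticket)
        a = open_(bytes.fromhex(t["key"]), auth)
        if not _fresh(a, t) or (a["user"], a["ts"]) in self.seen:
            return False                         # stale, mismatched or replayed
        self.seen.add((a["user"], a["ts"]))
        return True


def run_protocol():
    """Run all three exchanges for the constructed principal 'alice'."""
    db = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, fs = KDC(db), Service(db["fileserver"])
    # 1. AS exchange: only Alice's key opens the reply
    rep = open_(db["alice"], kdc.as_exchange("alice"))
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    # 2. TGS exchange: TGT plus an authenticator sealed under the session key
    rep2 = open_(sk, kdc.tgs_exchange(tgt, seal(sk, {"user": "alice", "ts": time.time()}), "fileserver"))
    svc_key, ticket = bytes.fromhex(rep2["sk"]), bytes.fromhex(rep2["ticket"])
    # 3. Client/server exchange, then the same authenticator presented again
    auth = seal(svc_key, {"user": "alice", "ts": time.time()})
    first, replay = fs.accept(ticket, auth), fs.accept(ticket, auth)
    # An eavesdropper holds the ticket but not svc_key, so cannot mint an authenticator
    try:
        fs.accept(ticket, seal(os.urandom(32), {"user": "alice", "ts": time.time()}))
        forged = True
    except ValueError:
        forged = False
    return {"first": first, "replay": replay, "forged": forged}
```

The service decides purely from the ticket and authenticator, which is why Kerberos scales: the KDC is contacted once per ticket lifetime, not per request. Real deployments tune the clock skew tolerance and ticket lifetimes and keep the replay cache across restarts.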

Cont…..

Access Control
• Access control is a process to determine “who does what to what,” based on
a policy.
• It is controlling access of who gets in and out of the system and who uses
what resources, when, and in what amounts.
• Access control is restricting access to a system or system resources based on
something other than the identity of the user
• Access control consists of four elements:
o subjects
o objects
o operations
o a reference monitor

Cont….
• Access Control: Generalized View
• Access control: Verifying access rights to prevent misuse of
resources
• Authorization: Granting access rights

Cont…..
• Through the user access control procedure (login), a user can be
identified to the system

• Associated with each user, there can be a profile that specifies
permissible operations and accesses

• The operating system can enforce rules based on the user profile

Access Control Model
• General access control model
 Access control matrix (ACM)

 Access control list (ACL)

 Capability list (CL)

• Basic elements of ACM

 Subject: an entity capable of accessing objects; the concept of subject is usually equated with
that of a process

 Object: anything to which access is controlled (files, programs, memory segments, …)

 Access right: the way in which an object is accessed by a subject (read, write,
execute, …)

Cont…..
• In the ACM, each subject is represented by a row and each object by a column

• ACM[s, o] lists precisely which operations subject s can request to be carried out on
object o

• The drawback of this scheme is that the matrix will have many empty entries

 Another widely used approach is to use Access Control Lists, in which each object
maintains a list of the access rights of subjects

 Another approach is to give each subject a Capability List (access rights to objects) whose
entries are digitally signed

Access Control Matrix
• In the ACM, each subject is represented by
a row and each object by a column

Access Control List
• Decomposition of the matrix by columns

• An access control list lists users and their permitted
access rights
• The list may contain a default or public entry

Capability List
• Decomposition of the matrix by rows

• A capability ticket specifies authorized objects and
operations for a user
• Each user has a number of such tickets
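An added Python example (not from the slides) that builds a small access control matrix with constructed subjects, objects and rights, derives the ACL (column) and capability list (row) views from it, and shows why capability tickets must be unforgeable: an HMAC under a key only the kernel holds stands in for the digital signature the slide mentions, so a ticket altered to name another object fails the check. The default/public ACL entry is modelled as a `default` parameter.

```python
"""Access control matrix and its two decompositions (ACL and capability list).
Added example: subjects, objects, rights and the kernel key are constructed."""
import hashlib
import hmac

# Constructed ACM: rows are subjects, columns are objects, cells are rights.
# Absent cells are the "empty entries" the slide calls the matrix's drawback.
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob":   {"report.pdf": {"read", "write"}},
    "carol": {},
}


def to_acls(acm):
    """Column decomposition: each object carries (subject -> rights)."""
    acls = {}
    for subj, row in acm.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_capabilities(acm):
    """Row decomposition: each subject holds (object -> rights)."""
    return {subj: {obj: set(r) for obj, r in row.items()} for subj, row in acm.items()}


def acl_check(acls, subj, obj, op, default=frozenset()):
    """ACL lookup; 'default' plays the part of the list's public/default entry."""
    entry = acls.get(obj, {})
    return op in entry.get(subj, default)


# Capability tickets travel with the subject, so they must be unforgeable.
# An HMAC under a key only the kernel knows stands in for a digital signature.
KERNEL_KEY = b"constructed-demo-key-not-for-real-use"


def issue_ticket(subj, obj, rights):
    body = f"{subj}|{obj}|{','.join(sorted(rights))}"
    tag = hmac.new(KERNEL_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def cap_check(ticket, subj, obj, op):
    """Validate the tag first, then check the ticket names this subject, object and op."""
    body, _, tag = ticket.rpartition("|")
    expected = hmac.new(KERNEL_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged or altered ticket
    t_subj, t_obj, t_rights = body.split("|")
    return (t_subj, t_obj) == (subj, obj) and op in t_rights.split(",")
```

Both decompositions answer the same question, but they differ in what is cheap: an ACL makes "who can access this object?" a single lookup, a capability list makes "what can this subject access?" a single lookup, and revocation is easy for the former and hard for the latter once tickets are out in the wild.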

Cont…..

Protection Domain
• An Access Control List or a Capability List can
still become too large
• One way of reducing ACLs is to make use of
protection domains
• A protection domain is a set of (object, access
rights)
• Requests for carrying out an operation are
always issued within a domain
• A user should be a member of a domain that
has the required access rights to invoke an
object

Multilevel Security
• Multilevel security (e.g., military)
Protection of data and resources on the basis of
levels of security
Users can be granted access to certain categories
of data
• A multilevel secure system must enforce:
No read up: a subject can only read an object of
lower or equal security level (Simple Security
Property)
No write down: a subject can only write into an
object of greater or equal security level (*-Property)

Trusted System: Reference Monitor
• Reference Monitor
Controlling element in the hardware and
operating system that regulates the access
of subjects to objects on the basis of
security parameters
The monitor has access to a file (security
kernel database)
The monitor enforces the security rules (no
read up, no write down)

Trusted System: Reference Monitor Concept

Cont….
• Properties of the Reference Monitor
Complete mediation: Security rules are
enforced on every access
Isolation: The reference monitor and database
are protected from unauthorized modification
Verifiability: The reference monitor’s
correctness must be provable
• A system that can provide such verifications
(properties) is referred to as a trusted system

Trojan Horse and Trusted Systems
• Secure, trusted operating systems are one
way to secure against Trojan Horse attacks
on access control.
• A Trojan Horse is used to get around the
standard security mechanism used by most
file management and operating systems:
the access control list.
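The Trojan horse scenario above, carried through as an added Python example (constructed users, files and labels; not code from the slides). A plain DAC ACL check lets a program running as Alice read her secret file and write it into a scratch file Bob can read, because the program carries all of Alice's rights. A reference monitor enforcing the no-read-up and no-write-down rules from the multilevel security slide denies the write-down and records it, and it keeps its label database (the security kernel database) private so subjects cannot alter it.

```python
"""A reference monitor enforcing the multilevel security rules (no read up,
no write down) beside a plain DAC check. Added example; the users, files and
labels are constructed and this is not code from the slides."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def dominates(a, b):
    """Label a dominates label b when its level is at least b's and its
    category set contains b's. Labels are (level, categories) pairs."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and set(a[1]) >= set(b[1])


class ReferenceMonitor:
    """Complete mediation: every access is decided by check(). Isolation: the
    label store (the security kernel database) is private to the monitor."""

    def __init__(self, subject_labels, object_labels):
        self._subjects = dict(subject_labels)
        self._objects = dict(object_labels)
        self.audit = []

    def check(self, subject, op, obj):
        s, o = self._subjects[subject], self._objects[obj]
        if op == "read":
            ok = dominates(s, o)             # simple security property
        elif op == "write":
            ok = dominates(o, s)             # *-property
        else:
            ok = False                       # anything unknown is denied
        self.audit.append((subject, op, obj, "allow" if ok else "deny"))
        return ok


def dac_allows(acl, user, op, obj):
    """DAC: a process carries every right of the user running it."""
    return op in acl.get(obj, {}).get(user, set())


def trojan_scenario():
    """Alice runs a program that, unknown to her, copies her secret file into
    a scratch file Bob can read. DAC allows both steps because the program
    acts with Alice's rights; the reference monitor denies the write-down."""
    acl = {"alice_secret.txt": {"alice": {"read", "write"}},
           "shared_scratch.txt": {"alice": {"read", "write"}, "bob": {"read"}}}
    dac = (dac_allows(acl, "alice", "read", "alice_secret.txt")
           and dac_allows(acl, "alice", "write", "shared_scratch.txt"))
    rm = ReferenceMonitor(
        {"alice": ("secret", {"hr"}), "bob": ("unclassified", set())},
        {"alice_secret.txt": ("secret", {"hr"}), "shared_scratch.txt": ("unclassified", set())},
    )
    mls = (rm.check("alice", "read", "alice_secret.txt")
           and rm.check("alice", "write", "shared_scratch.txt"))
    return {"dac_leaks": dac, "mls_leaks": mls, "audit": rm.audit}
```

The point the slide makes is visible in the audit trail: the ACL never sees anything wrong because the Trojan horse is Alice as far as the ACL is concerned, while the monitor's decision depends on labels that neither Alice nor her programs can change.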

Trojan Horse Attack on Access Control and a Defense by Reference Monitor

Access Control Techniques and Technologies
 Because a system, especially a network system, may have
thousands of users and resources, the management of access
rights for every user per every object may become complex.
 Several control techniques and technologies have been
developed to deal with this problem; they include:
◦ Access Control Matrix,
◦ Capability Tables,
◦ Access Control Lists,
◦ Role-Based Access Control,
◦ Rule-Based Access Control,
◦ Restricted Interfaces,
◦ Content-Dependent Access Control,
◦ Discretionary Access Control (DAC),
◦ Mandatory Access Control (MAC).
Discretionary Access Control (DAC):

• DAC is identity-based access control. DAC mechanisms are controlled by user identification such as
username and password. DAC is discretionary because the owners can transfer objects or any
authenticated information to other users. In simple words, the owner determines the access
privileges.

• Attributes of DAC:

1. Users can transfer their object ownership to another user.

2. The access type of other users can be determined by the owner.

3. Authorization failure can restrict the user's access after several failed attempts.

4. Unauthorized users are blind to object characteristics such as file size, directory path, and file name.
• Examples: file permissions in the Linux operating system are an example of DAC.
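The DAC attributes above as an added Python example with constructed users and file names (not code from the slides): an object whose current owner alone grants rights and may hand ownership on, a description call that tells a user with no rights nothing at all, and a helper that evaluates Linux-style rwx mode bits, the example of DAC the slide names.

```python
"""DAC: the owner of an object decides who may access it. Added example with
constructed users and file names; not code from the slides."""


class DacObject:
    """An object under discretionary control: rights live with the object and
    only its current owner may change them or pass ownership on."""

    def __init__(self, name, owner):
        self.name, self.owner = name, owner
        self.perms = {owner: {"read", "write"}}

    def _require_owner(self, actor):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")

    def grant(self, actor, user, right):
        """Attribute 2: the owner determines other users' access types."""
        self._require_owner(actor)
        self.perms.setdefault(user, set()).add(right)

    def revoke(self, actor, user, right):
        self._require_owner(actor)
        self.perms.get(user, set()).discard(right)

    def transfer(self, actor, new_owner):
        """Attribute 1: ownership itself can be handed to another user."""
        self._require_owner(actor)
        self.owner = new_owner
        self.perms.setdefault(new_owner, set()).update({"read", "write"})

    def allowed(self, user, right):
        return right in self.perms.get(user, set())

    def describe(self, user):
        """Attribute 4: a user with no rights learns nothing, not even the name."""
        if not self.perms.get(user):
            return None
        return {"name": self.name, "owner": self.owner, "rights": sorted(self.perms[user])}


def mode_allows(mode, file_owner, file_group, user, user_groups, op):
    """Linux-style DAC check on an octal mode such as 0o640: pick the owner,
    group or other triple that applies to the caller, then test one bit.
    Only the first matching class is consulted, as the kernel does."""
    bit = {"read": 4, "write": 2, "execute": 1}[op]
    if user == file_owner:
        shift = 6
    elif file_group in user_groups:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)
```

The weakness the next slides turn to is already visible here: nothing prevents an owner (or a program running as the owner) from granting access that organisational policy would forbid, which is exactly what MAC takes out of the owner's hands.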

Mandatory Access Control (MAC):
• The operating system in MAC provides access to the user based on their identity and on the data's security labels. To gain
access, the user has to submit their personal information. It is very secure because the rules and restrictions are
imposed by the administrator and are strictly enforced. MAC settings and policy management are established in
a secure network and are limited to system administrators.

• Attributes of MAC:

• MAC policies can help to reduce system errors.

• It has tighter security because only the administrator can access or alter the controls.

• MAC relies on an enforcing operating system that can label and delineate incoming application data.

• Maintenance is difficult because only the administrator has access to the policy database.

• Examples: the access levels in Windows for ordinary users, administrators, and guests are examples of MAC.

Role-Based Access Control (RBAC):

• The changing size and technology of computer and communication networks are creating
complex and challenging problems in the security management of these large networked
systems.
• The changing technology and large numbers of users joining the networks are making the administration of
systems extremely costly and prone to error when it is based solely on access control lists for each user on the
system individually.

• System security in role-based access control (RBAC) is based on roles assigned to each user in an
organization. For example, one can take on a role as chief executive officer, chief information officer,
or chief security officer.

• A user may be assigned one or more roles, and each role is assigned one or more privileges that are permitted to
users in that role. Access decisions are then based on the roles individual users have as part of an organization.

• The process of defining roles is based on a thorough analysis of how an organization operates and includes input
from a wide spectrum of users in an organization.

Cont…..
• Access rights are grouped by role name, and the use of resources is restricted to individuals
authorized to assume the associated role.

• Users are granted membership into roles based on their competencies and responsibilities in the
organization.

• The types of operations that a user is permitted to perform in the role he or she assumes are based
on that user's role. User roles are constantly changing as the user changes responsibilities and
functions in the organization, and these roles can be revoked.

• Role associations can be established when new operations are instituted, and old operations can be
deleted as organizational functions change and evolve.

• RBAC is also based on the concept of least privilege that requires identifying the user's job
functions, determining the minimum set of privileges required to perform that function, and
restricting the user to a domain with those privileges and nothing more.

Rule-based access control
• Rule-based access control (RBAC), also known as policy-based access control (PBAC), is based on the
least-privilege concept.

• It is also based on policies that can be expressed algorithmically.

• Rule-based access control is a multi-part process in which one process assigns roles to users, just as in the role-based access
control technique.

• A second process assigns privileges to the assigned roles based on a predefined policy.

• Another process is used to identify and authenticate the users allowed to access the resources.

• It is based on a set of rules that determine users’ access rights to resources within an organization’s system.

• Many organizations, for example, limit the scope and amount, and sometimes the times at which, employees can retrieve
material from the site, based on their ranks and roles.

• Such limits may be specified based on the number of documents that can be downloaded by an employee
during a certain time period and on which parts of the Web site such an employee can access.
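Role-based and rule-based access control together, as an added Python example with constructed roles, users, rules and clock (not code from the slides): users receive the union of their roles' permissions and nothing more (least privilege), role revocation takes effect at once, and a rule layer adds policies that can be expressed algorithmically, here a permitted time window and a daily download quota like the limits described on this slide.

```python
"""RBAC with a rule-based policy layer on top. Added example; roles, users,
rules and the clock are constructed, not taken from the slides."""
from datetime import datetime

# Role -> permissions. A role carries the minimum set needed for that job.
ROLE_PERMS = {
    "clerk":   {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve", "report:download"},
    "auditor": {"invoice:read", "report:download"},
}
# User -> roles. A user may hold several roles at once.
USER_ROLES = {"dana": {"clerk"}, "erin": {"manager"}, "frank": {"auditor", "clerk"}}

# Permission -> rule. Policies stated algorithmically: a working-hours window
# and a per-day download quota, the kinds of limit the slide describes.
RULES = {"report:download": {"hours": (8, 18), "daily_quota": 3}}


def permissions_of(user):
    """Least privilege: the union of the user's roles' permissions, nothing more."""
    return set().union(*(ROLE_PERMS[r] for r in USER_ROLES.get(user, set())))


def revoke_role(user, role):
    """Roles are revoked as responsibilities change; rights follow immediately."""
    USER_ROLES.get(user, set()).discard(role)


def at(hour, day=6):
    """Constructed clock for the demo: 2023-05-<day> at <hour>:00."""
    return datetime(2023, 5, day, hour, 0)


class PolicyEngine:
    """Decides a request: role check first, then the rule attached to the permission."""

    def __init__(self):
        self.usage = {}                      # (user, date) -> downloads so far

    def decide(self, user, perm, now):
        if perm not in permissions_of(user):
            return "deny: no role grants this permission"
        rule = RULES.get(perm)
        if rule is None:
            return "allow"
        start, end = rule["hours"]
        if not start <= now.hour < end:
            return "deny: outside permitted hours"
        key = (user, now.date())
        if self.usage.get(key, 0) >= rule["daily_quota"]:
            return "deny: daily quota exhausted"
        self.usage[key] = self.usage.get(key, 0) + 1
        return "allow"
```

Keeping the role table and the rule table separate is what makes administration cheap: a new hire gets a role, not a list of objects, and changing the quota or the hours touches one rule rather than every user's entries.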

Restricted Interfaces
• As the commercial Internet grows in popularity, more and more organizations and
individuals are putting their data into organization and individual databases and restricting
access to it.

• For the user to get access to restricted data, the user has to go through an interface. Any outside
party's access to restricted data requires a special access request, which many times requires
filling in an online form. The interfaces restrict the amount and quality of data that can be
retrieved based on filter and retrieval rules. In many cases, the restrictions and filters are
instituted by content owners to protect the integrity and proprietary aspects of their data.

• The Web site itself and the browser must work in cooperation to overcome the over-
restriction of some interfaces. Where this is impossible, hidden data is never
retrievable.

Content-Dependent Access Control

• In content-dependent access control, the decision is based on
the value of an attribute of the object under consideration.

• Content-dependent access control is very expensive to
administer because it involves a great deal of overhead
resulting from the need to scan the resource when access is
to be determined. The higher the level of granularity, the
more expensive it gets. It is also extremely labor-intensive.

Physical Access Control
• Most accesses to an organization's systems are expected to originate
from remote sites and, therefore, to reach the system via network
access points. In a limited number of cases, system access can come
from intruders physically gaining access to the system itself, where
they can install password-cracking programs.
• Studies have shown that a great majority of system break-ins originate
from inside the organization. Access for this group of users, who have
access to the physical premises of the system, must be appropriately controlled

Access Control Systems - Access Cards

• Cards as access control devices have been in use for some time now. Access cards
are perhaps the most widely used form of access control system worldwide.

• With advanced digital technology, cards now contain magnetic strips and
embedded microchips.

• Many companies require their employees to carry identity cards or identity
badges with a photograph of the card holder or a magnetic strip for quick
identification.

• Access cards are used in most e-commerce transactions, payment systems, and in
services such as health and education. These types of identification are also known
as electronic keys.

Access Control Systems - Electronic Surveillance

• Electronic surveillance consists of a number of captures such as video recordings, system logs, keystroke and
application monitors, screen-capture software commonly known as activity monitors, and network packet sniffers.

• Video recordings capture the activities at selected access points. Increasingly these video cameras are now connected
to computers and to the Web, a practice commonly referred to as webcam surveillance. Many of these
cameras are now motion-activated and record video footage shot from vantage points at the selected points. For
access control, the selected points are system access points. The video footage can be viewed live or stored for later
viewing. These captures can also be broadcast over the Internet, transmitted to a dedicated location, or sent by
e-mail.

• Keystroke monitors are software or hardware products that record every character typed on keyboards. Software-
based keystroke monitors capture the signals that move between keyboard and computer as they are generated by all
human-computer interaction activities that include Packet sniffers work at the network level to sniff network
packets as they move between nodes. Based on the analysis, they can monitor e-mail messages, Web browser usage,
node usage, traffic into a node, the nature of traffic, and how often a user accesses a particular server, application, or
network.

Access Control Systems - Biometrics

• Biometric technology, based on human attributes, something you are, aims to confirm a person's identity by
scanning a physical characteristic such as a fingerprint, voice, eye movement, facial recognition, and others.

• It has probably been one of the oldest access control techniques. However, during the past several years and with
heightened security, biometric technology has become increasingly popular. The technology, which can be used to
permit access to a network or a building, has become an increasingly reliable, convenient and cost-effective means
of security.

• Current technology has made biometric access control much more practical than it has ever been in the past. Now a
new generation of low-cost yet accurate fingerprint readers is available for most mobile applications so that
screening stations can be put up in a few minutes.

• Technological advances have resulted in smaller, high-quality, more accurate, and more reliable devices.
Improvements in biometrics are essential because bad biometric security can lull system and network
administrators into a false sense of safety. In addition, it can also lock out a legitimate user and admit an intruder. So
care must be taken when procuring biometric devices.

Access Control Systems - Event Monitoring

• Event monitoring is a cousin of electronic monitoring in which the
focus is on specific events of interest. Activities of interest can be
monitored by video camera, webcam, digital or serial sensors, or a
human eye.
• It can be used to capture screenshots, monitor Internet activity, and
report a computer's use keystroke by keystroke, as well as human voice
and human movement.
• The activities recorded based on selected events can be stored,
broadcast on the Internet, or sent by e-mail to a selected remote
location or user.

The End of Chapter Six

Thank You!!!