Department of Computer Science

Chapter 7

Authentication and Access Control

Instructor: Shambel Ts.

5/25/2023 Computer Security 1


Basics of Authentication
• Authentication is the process of recognizing a user's identity.
• Authentication is a process of verifying a user before allowing access to a system or resources.
• Authentication or verification confirms or denies a claimed identity.
• Identification or recognition establishes the identity of a subject, usually from a set of enrolled persons.

• Personal identification objects can be classified into three types:
  - Token-based: "something that you have", such as a passport, ID card, keys, a USB token or a smartcard.
  - Knowledge-based: "something that you know", such as a PIN or password.
  - Biometrics-based: "something that you are", using something that identifies the individual, such as some physiological or behavioral characteristic.
Password and Passphrase
• A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember but difficult to crack.
• Typical passwords range, on average, from 8 to 16 characters, while passphrases can reach up to 100 characters or more.
• A passphrase is basically a longer password, usually at least 15 characters in length, with spaces between words.

• A passphrase is a memorized phrase consisting of a sequence of mixed words, with or without spaces.
• Your passphrase should be at least 4 words and 15 characters in length.
• Passwords and passphrases essentially serve the same purpose: providing access to secure services or sensitive information.
• Passwords are generally short, hard to remember, and easier to crack. Passphrases are easier to remember and difficult to crack.
Basic Biometric Technology
Basic Concept of Biometrics

• The word biometrics is the combination of two terms, bio and metrics.
• Bio comes from a Greek word (bios, life), meaning biological or of living beings.
• Metrics is a measuring system or measurement.
• Thus, biometrics is the statistical measurement of biological data.

Biometric Technology
• Biometric technology uses a physiological or behavioral characteristic of the human body for identification and authentication of an individual.
• Biometric technology has key properties:
  - Universal: a common characteristic
  - Unique: no two persons have the same physiological or behavioral characteristic
  - Unchanged: never changing
  - Collectable: quantitatively measurable

Physiological: Face Recognition, Fingerprint, Palm, Iris
Behavioral: Voice, Gait, Lip Motion, Signature

• Why do we need biometric technology?
  - To enhance security: "who you claim to be".
  - Recognition is based on the inherent characteristics of the human body.
  - Recognize a person based on "what you are", not "what you know".
  - Convenient: fast, easy to use, reliable and less expensive authentication.
  - Avoids credentials being lost, stolen, duplicated or left at home, or forgotten, shared or observed.
• Physiological biometrics are based on measurements and data derived from direct measurement of a part of the human body.
• A biometric system is the integrated biometric hardware and software used to conduct biometric identification or verification.

• Some of the biometric technologies are:
  - Fingerprint
  - Palm-Scan (forensic use only)
  - Hand Geometry
  - Iris-Scan or Iris Recognition
  - Signature-Scan or Signature Dynamics
  - Voice Recognition or Voice Print
  - Facial Recognition or Facial Scan

Application Domains of Biometrics


• To local services: money from an ATM
• To remote services: e-commerce and e-business
• Time and attendance control
• Identification: criminal investigation
• Personal documents, e.g. electronic driver's license or ID card
• Access control to devices: logging into a computer, laptop or PAD, cars, guns
• Physical access control: to high-security areas and to public buildings or areas

Basic Components and Process of a Biometric System

• A biometric system converts data derived from behavioral or physiological characteristics into templates, which are used for subsequent matching.
• This is a multi-stage process whose main stages are:
  - Enrolment
  - Submission
  - Acquisition device

Enrolment
• The process whereby a user's initial biometric sample or samples are collected, assessed, processed and stored for ongoing use in a biometric system.

Submission
• The process whereby a user provides behavioral or physiological data in the form of a biometric sample to a biometric system.
• A submission may require looking in the direction of a camera or placing a finger on a platen.

Acquisition Device
• The hardware used to acquire a biometric sample.
• The following acquisition devices are associated with each biometric technology:
  - Fingerprint: chip or reader embedded in keyboard
  - Voice recognition: microphone, telephone
  - Facial recognition: video camera, PC camera
  - Iris recognition: infrared-enabled video camera
  - Hand geometry: proprietary wall-mounted unit
  - Signature verification: signature tablet
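
The enrolment and submission stages above, and the earlier distinction between verification (a claimed identity) and identification (a search over enrolled persons), as an added example that is not part of the original slides. The feature vectors, the distance measure and the threshold are assumptions made for illustration.

```python
import math

# Constructed feature vectors stand in for what an acquisition device and
# feature extractor would produce; real templates are far larger.
THRESHOLD = 0.25  # assumed maximum distance that still counts as a match


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def make_template(samples):
    """Enrolment: assess the samples and average them into one template."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to assess quality")
    template = [sum(col) / len(samples) for col in zip(*samples)]
    # Reject the enrolment if any sample disagrees with the others.
    if any(distance(s, template) > THRESHOLD for s in samples):
        raise ValueError("samples too inconsistent, re-acquire")
    return template


def verify(db, claimed_id, sample):
    """Verification (1:1): confirm or deny a claimed identity."""
    template = db.get(claimed_id)
    return template is not None and distance(template, sample) <= THRESHOLD


def identify(db, sample):
    """Identification (1:N): search all enrolled persons for the best match."""
    best_id, best_d = None, THRESHOLD
    for user_id, template in db.items():
        d = distance(template, sample)
        if d <= best_d:
            best_id, best_d = user_id, d
    return best_id  # None when nobody is within the threshold


# Constructed enrolment database with two users.
DB = {
    "alice": make_template([[0.10, 0.80, 0.30], [0.12, 0.78, 0.33]]),
    "bob": make_template([[0.70, 0.20, 0.90], [0.68, 0.22, 0.88]]),
}
```

Lowering the threshold rejects more impostors but also more genuine users whose samples vary between submissions.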

Fingerprint Biometrics: Fingerprint Recognition

• Fingerprint recognition is one of the oldest and most researched fields of biometrics.
• The biological principle behind fingerprint recognition: individual epidermal ridges and furrows have different characteristics for different fingerprints.
• The configuration and minute details of furrows are permanent and unchanging.

Fingerprint Formation

• Fingerprints are fully formed at about several months of fetal development, and finger ridge configurations do not change throughout the life of an individual except due to accidents such as bruises and cuts on the fingertips.
• Unrelated persons of the same race have very little generic similarity in their fingerprints.

• Parent and child have some generic similarity as they share half the genes.
• The maximum generic similarity is observed in monozygotic (identical) twins.

Type of Fingerprints

Line Types Classification

• Bifurcation: the intersection of two or more line-types which converge or diverge.
• Arch: found in most patterns; fingerprints made up primarily of them are called "Arch Prints".
• Loop: a recurve line-type that enters and leaves from the same side of the fingerprint.

• Island: a line-type that stands alone (i.e. does not touch another line-type).
• Ellipse: a circular or oval-shaped line-type which is generally found in the center of the fingerprint; it is generally found in the Coil/Whorl print pattern.
• Tented Arch: it quickly rises and falls at a steep angle.
• They are associated with "Tented Arch Prints".

• Spiral: they spiral out from the center and are generally associated with "Whorl Prints".
• Rod: it generally forms a straight line. It has little or no recurve feature. They are generally found in the center.
• Sweat Gland: the moisture and oils they produce actually allow the fingerprint to be electronically imaged.

Face Recognition
• Human face images are useful not only for person recognition but also for revealing other attributes like gender, age, ethnicity and emotional state of a person.
• Face is an important biometric identifier in the law enforcement and human-computer interaction (HCI) communities.
• Face recognition is the most common biometric used by humans.

• Some of the challenges of face recognition are to automatically locate the face and to recognize the face from a general viewpoint under different illumination conditions, facial expressions and aging effects.
• Face recognition can be defined as the process of establishing a person's identity based on their facial characteristics.

• In its simplest form, the problem involves comparing two face images and determining if they are of the same person.
• While humans seem to be adept at determining the similarity between two face images acquired under diverse conditions, the process of automated face recognition must overcome several challenges.

• Face images of a person may have variations in age, posture, illumination, color, occlusion, brightness and facial expression, as well as exhibit changes in appearance due to make-up, facial hair or accessories (sunglasses).
• The face image of an individual can exhibit a wide variety of changes that make automated face recognition a challenging task.

• The face images in (b), (c) and (d) differ from the frontal face image of the person in (a) in terms of posture/pose, illumination and expression, respectively.

• The second row shows the variability introduced due to aging.
• Here the images in (e), (f) and (g) were acquired when the person in (a) was 32, 21 and 15 years younger, respectively.

• The third row depicts the problem of occlusion of some facial features due to the person wearing accessories such as (h) prescription glasses, (i) sunglasses, (j) cap and (k) scarf.

• There may be similarities between the face images of different persons, especially if they are genetically related (e.g. identical twins, father and son, etc.).

• Such inter-class similarities further compound the difficulty of recognizing people based on their faces.
• Despite these challenges, significant progress has been made in the field of automated face recognition over the past two decades.
• Techniques for automated face recognition have been developed for the purpose of person recognition from still 2-dimensional (2-D) images, video (a sequence of 2-D images) and 3-D range (depth) images.

3D-Model

Voice Biometrics or Voice Recognition

• Speaker recognition, the identification of a person from characteristics of their voice (voice biometrics), is also called voice recognition.
• There is a difference between speaker recognition (recognizing who is speaking) and speech recognition (recognizing what is being said).
• There is a difference between speaker recognition (recognizing who is speaking) and speaker diarisation (recognizing when the same speaker is speaking).

• Recognizing the speaker can simplify the task of translating speech in systems that have been trained on specific persons' voices, or it can be used to authenticate or verify the identity of a speaker as part of a security process.
• Voice recognition comprises two separate types of technologies: voice scan and speech recognition.
• Voice scan is used to authenticate a user based on his/her voice characteristics.
• Speech recognition is used for the technological comprehension/understanding of spoken words.
Voice Components
• Each individual has individual voice components called phonemes.
• Each phoneme has a pitch, cadence and inflection (variation).
• These three give each one of us a unique voice sound.
• The similarity in voice comes from cultural and regional influences in the form of accents.
• Voice physiological and behavioral biometrics are influenced by our body, environment and age.
• It is possible that our voice does not always sound the same.
Access Control
• Access controls (ACs) are a set of rules that verify access rights to resources, to prevent misuse of resources, and grant access rights.
• In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links.

Access Control (Operating System Access Control Example)

Access Control Matrix (ACM)
• ACM: describes the access rights of subjects to objects in the system using a matrix.
• Basic elements of an ACM: subject, object and access right.
  - Subject: an entity capable of accessing objects (e.g. users)
  - Object: anything to which access is controlled (files, programs, memory segments, …)
  - Access right: the way in which an object is accessed by a subject (read, write, execute)

• In the ACM, each subject is represented by a row and each object by a column.
• ACM[s, o] lists precisely which operations subject s can request to be carried out on object o.
Access Control Matrix – Example

• Subjects (rows): three users (Bob, Alice and Hana) and one program (Finance System).
• Objects (columns): five objects (OS, Accounting Program, Accounting Data, Insurance Data and Payroll Data).
• Access rights (each cell): Read, Write, Execute, Not Allowed.

Problems of Access Control Matrix (ACM)

• The number of subjects and objects will be large, so the matrix will use a significant amount of storage.
• Most entries in the matrix will be either blank (indicating no access) or the same (because implementations often provide a default setting).
• The creation and deletion of subjects and objects will require the matrix to manage its storage carefully, adding to the complexity of the code.
We can solve the problems of the ACM through:
• Optimizations: variants based on the access control matrix that eliminate many of the problems mentioned.
• Access control lists: each object maintains a list of the access rights of subjects.
• Capability lists: each subject is given access rights to objects.
• There are two types of access control models (ACM):
  - Flexible/Discretionary Access Control Model
  - Non-Discretionary Access Control Model
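
The access control list and capability list variants described above, as an added example that is not part of the original slides. It uses the subjects and objects named earlier; the rights in each cell are constructed for illustration because the slide's matrix figure is not reproduced here.

```python
# The page names these subjects and objects; the cell contents are
# constructed for this example, since the slide's matrix is not reproduced.
SUBJECTS = ["Bob", "Alice", "Hana", "Finance System"]
OBJECTS = ["OS", "Accounting Program", "Accounting Data",
           "Insurance Data", "Payroll Data"]

# Sparse storage: only non-empty cells are kept, keyed by (subject, object).
ACM = {
    ("Bob", "OS"): {"read", "execute"},
    ("Bob", "Accounting Program"): {"execute"},
    ("Bob", "Accounting Data"): {"read"},
    ("Alice", "OS"): {"read", "execute"},
    ("Alice", "Insurance Data"): {"read", "write"},
    ("Hana", "OS"): {"read", "write", "execute"},
    ("Hana", "Payroll Data"): {"read", "write"},
    ("Finance System", "Accounting Data"): {"read", "write"},
    ("Finance System", "Payroll Data"): {"read"},
}


def access_control_lists(acm):
    """Column view: each object keeps the rights of the subjects using it."""
    acls = {}
    for (subject, obj), rights in acm.items():
        acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_lists(acm):
    """Row view: each subject holds its own rights to objects."""
    caps = {}
    for (subject, obj), rights in acm.items():
        caps.setdefault(subject, {})[obj] = set(rights)
    return caps


def is_allowed(acls, subject, obj, right):
    """Default deny: a missing entry is the matrix's 'Not Allowed' cell."""
    return right in acls.get(obj, {}).get(subject, set())


def revoke_subject(acls, subject):
    """Removing a subject from ACLs requires visiting every object's list."""
    touched = []
    for obj, entries in acls.items():
        if entries.pop(subject, None) is not None:
            touched.append(obj)
    return sorted(touched)


ACLS = access_control_lists(ACM)
CAPS = capability_lists(ACM)
DENSE_CELLS = len(SUBJECTS) * len(OBJECTS)  # cells in the full matrix
STORED_CELLS = len(ACM)                     # entries actually stored
```

With ACLs the question "who can touch this object?" is one lookup, while removing a user means scanning every object; capability lists reverse that trade-off.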

• Discretionary access control (DAC) is an access policy determined by the owner of an object.
• The owner decides who is allowed to access the object and with what privileges.
• Non-discretionary access controls (NDACs) are controls that cannot be changed by users, but only through administrative action.
• Users cannot pass access permissions on to other users at their discretion.

Non-Discretionary Access Control Model (ACM)

• The non-discretionary access control model has three popular forms of access control policies:
  - Mandatory Access Control (MAC)
  - Role-Based Access Control (RBAC)
  - Temporal Authorization (TA)

• Mandatory Access Control (MAC) is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity.
• In MAC, decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights.
• An example of MAC occurs in military security, where an individual data owner does not decide who has a Top Secret clearance, nor can the owner change the classification of an object from Top Secret to Secret.
• Role-Based Access Control (RBAC) bases access control decisions on the functions/roles that a user is allowed to perform within an organization.
• This includes the specification of duties, responsibilities, and qualifications. For example, the role "individual associated with a hospital" can include doctor, nurse and patient.
• Temporal authorizations (TA) are formal statements of access policies that involve time-based access restrictions.
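
The three non-discretionary policies above combined in one access decision, as an added example that is not part of the original slides. The level ordering, role permissions, time window and resource names are assumptions constructed for illustration, and the MAC check is simplified to a clearance-versus-classification comparison.

```python
from datetime import time

# All labels, permissions and time windows below are constructed for this
# example; the page names only the policy types and the hospital roles.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

ROLE_PERMISSIONS = {
    "doctor": {("medical_record", "read"), ("medical_record", "write")},
    "nurse": {("medical_record", "read")},
    "patient": {("own_record", "read")},
}

# Temporal authorization: role -> (start, end) of the permitted window.
ROLE_HOURS = {"nurse": (time(7, 0), time(19, 0))}


def mac_allows(clearance, classification):
    """MAC (simplified): the clearance must be at or above the object's label."""
    return LEVELS[clearance] >= LEVELS[classification]


def rbac_allows(roles, resource, action):
    """RBAC: permissions attach to roles, never directly to users."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
               for r in roles)


def within_hours(role, now):
    """TA: a role without a window is not restricted in time."""
    window = ROLE_HOURS.get(role)
    return window is None or window[0] <= now < window[1]


def decide(user, resource, action, classification, now):
    """Allow only if an active role grants the action and MAC permits it."""
    active = [r for r in user["roles"] if within_hours(r, now)]
    if not rbac_allows(active, resource, action):
        return "deny: no role grants this at this time"
    if not mac_allows(user["clearance"], classification):
        return "deny: clearance below classification"
    return "allow"


# Constructed users; clearances are assigned centrally, not by data owners.
NURSE = {"roles": ["nurse"], "clearance": "Secret"}
DOCTOR = {"roles": ["doctor"], "clearance": "Top Secret"}
```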
