Chapter 2

Identification, Authentication
and Operational Security
Marks 10

1 Ganesh N.Jorvekar April 22, 2024

 Password Selection
• Password selection is very important for the
authorized users

• Proper selection of password leads to

enhanced security

• Whereas easy or incorrectly selected password

weaken or fully compromises the security.

2 Ganesh N.Jorvekar April 22, 2024

 Password Selection
In general passwords should be selected in such way that
1. They are sufficiently long. longer password increases
guessing combinations and makes its hacking difficult.
2. They are combination of uppercase, lowercase numeric
and special symbols.
3. They should not be dictionary words or easy, simple
and guessable words.
4. They should not relate to personal profile of the user as
profile is easily read accessible to everybody.
5. They should not be simple type matic sequences 'asdf',
'1234', 'abc123' etc.
3 Ganesh N.Jorvekar April 22, 2024
 Piggybacking
• Piggybacking is the simple approach of
following closely behind a person who has just
used their own access card or PIN to gain
physical access to a room or building.
• Attacker can gain access to the facility without
knowing the access code or acquiring an
access card.
• An authorized user piggybacks unauthorized
user.
4 Ganesh N.Jorvekar April 22, 2024
 Shoulder surfing
• This attack is by direct observation techniques
like looking over someone's shoulder to get
information.
• When entering a PIN or Password.
• Where an attackers position to themselves in such
a way that he is able to observe the authorized
user entering the correct access code.
• To prevent shoulder surfing, it is advised to shield
keypad or paperwork.
5 Ganesh N.Jorvekar April 22, 2024
 Dumpster Diving
• Dumpster diving is method by which attacker
searches for important system information by diving
into the dump.
• The search is carried out in paper waste, electronic
waste such as old HDD floppy and CD media, recycle
and trash bins on the system etc.
• Attacker tries to extract passwords system
configuration, network configuration, user lists from
these methods and gain access to these important
system detail.
6 Ganesh N.Jorvekar April 22, 2024
 Installing unauthorized
Software/Hardwareٍٍٍٍ
• Installing unauthorized hardware:
– It is carried out by either an insider with malicious intent on
by service person from third party under cover of
maintenance.
– unauthorized hardware then is used to intercept information
on system and network.
• Installing unauthorized software:
1. By inside user unintentionally as the user installs a Trojan
unknowingly
2. By a worm over the network compromising the system from
network, remotely.
3. By unauthorized user, by impersonation. i.e. logging as
somebody authorized, after duely cracking the password
4. by unauthorized user, by spoofing, i.e. fooling the system or
7 user launching phishing /man
Ganesh in middle attack.
N.Jorvekar April 22, 2024
 Security Awareness
• An unaware user is as dangerous to the system as the
attacker.
• an unaware security illiterate user can inflict damage
due to…
1. user runs programs: that allow the viruses or Trojans to gain
access to the system and spread their malicious intent.
2. Access network and internet unaware of the fact that, this act
may give change to the worms and spyware to compromise
the system security
3. opens emails and messages and unknowingly facilitating
malicious code to execute and spread and infect the system
4. login remotely, download applets and active X controls
executing underlying un trusted code
8 Ganesh N.Jorvekar April 22, 2024
 Security Policy
• Basic Requirements
1. Security policy
2. Marking
3. Identification
4. Accountability
5. Assurance
6. Continuous protection

• Implementation Concern

9 Ganesh N.Jorvekar April 22, 2024

 Hardware Concerns
Physical protection of equipment
1. Access
• Physical Access to system should be limited to
authorized users.
• Do not permit users to leave workstations.
• Install time locks that activate after interval
• Change all passwords immediately whenever an
employee leaves organization.
• Change password routinely for all employees.
2. Theft
• PC & their component parts are high value items and
subjected to theft.
• Secure the rooms where H/W located.
10 Ganesh N.Jorvekar April 22, 2024
 Security Policy (cont…)
• Environmental damage
1. Electric power
2. Smoking, eating and drinking
3. Static electricity
4. Magnetic media protection
5. Floppy disks
6. Hard disks
7. Media declassification or destruction
8. Electromagnetic emanations
9. Hardware modification
10.Trusted, authorized techniques
11 Ganesh N.Jorvekar April 22, 2024
 Security Policy (cont…)
Data Concerns
1. Classification
2. Labeling.
3. External classification labels and systems.
4. Floppy disk labels
5. Files
6. encryption.
Securing Data Media
1. Lock floppy disk
2. Use removable hard disk systems
3. Backup
4. Clearing memory
5. Data transmission
12 Ganesh N.Jorvekar April 22, 2024
 Access Control

13 Ganesh N.Jorvekar April 22, 2024

 Access Control
Access control is the ability to permit or deny
the use of a particular resource by a particular
.entity
Access control mechanisms can be used in
managing physical resources, logical
.resources, or digital resources
Eg. A private text document on a computer
which only contain users should be able to
.read
14 Ganesh N.Jorvekar April 22, 2024
 Access Control Example

Account 2 Account 1 File 4 File 3 File 2 File 1

Inquiry Own Own
Credit R, W R, W John

Inquiry Inquiry Own

Credit Debit R W R, W R Alice

Inquiry Own
Debit R, W R R, W Bob

15 Ganesh N.Jorvekar April 22, 2024

 Access Control Techniques
Discretionary Access Control

Mandatory Access Control

Role Based Access Control

16 Ganesh N.Jorvekar April 22, 2024

 Discretionary Access Control
• DAC is an access policy determined by the
owner of an object.
• The owner decides who is allowed to
access the object and what privileges they
have.
• DAC provide flexibility in allowing access
to database
• Linux has benefited from DAC

17 Ganesh N.Jorvekar April 22, 2024

 Discretionary Access Control
• Two important concepts
• File and data ownership:
• Every object in the system has an owner.
• In DAC systems, each objects initial owner is
the subject that caused it to be created.
• The access policy for an object determined by
its owner.
• Access rights and permissions:
• These are the controls that an owner can
assign to other subjects for specific resources.
18 Ganesh N.Jorvekar April 22, 2024
 Mandatory Access Control
• MAC is an access policy determined by the
system, not by owner.
• MAC used in multilevel systems that process
highly sensitive data, (govt. military)
• A multilevel system is a single computer
system that handles multiple classification
levels between subject and object.
• Why MAC is needed?
– Enhances security of database
– Gives consistent view of operations

19 Ganesh N.Jorvekar April 22, 2024

 Mandatory Access Control
• Sensitivity Labels:
– All subjects and objects must have labels assigned to
them.
– A Subjects sensitivity label specifies its level of trust.
– As Objects sensitivity label specifies the level of trust
required for access.
– In order to access a given object, the subject must
have a sensitivity level equal to or higher than the
requested object.
• Data import and export:
– Controlling the import of information from other
systems and export to other systems is critical
function of MAC based systems.
20 Ganesh N.Jorvekar April 22, 2024
 Mandatory Access Control
• MAC protects organizational data
• MAC deals with database queries, reports and
statistical studies
• Data protection for a class is determined by
its label
• Examples:
– Official reports
– Statistical analysis of medical records (providers and
researchers have different view of same data)
– Accounting records (updated by structured
programs and accessed by unstructured programs)

21 Ganesh N.Jorvekar April 22, 2024

 Role-based Access Control
• RBAC is an access policy determined by the system, not
the owner.
• It is used in commercial applications and also in military
system, where multi level security requirement also exist.
• RBAC differ from DAC in that DAC allows users to
control access to their resources, while in RBAC access is
controlled at system level, outside of the users control.
• RBAC is non discretionary
• MAC controls read and write permissions based on a users
clearance level and additional labels.
• RBAC controls collection of permissions that may include
complex operations such as e-commerce transaction.
• A role is RBAC is viewed as set of permissions

22 Ganesh N.Jorvekar April 22, 2024

 Role-based Access Control
Three primary rules are defined for RBAC
1.Role Assignment:
– A subject can execute a transaction only if the subject
has selected or been assigned a role.
2.Role Authorization:
– A subjects active role must be authorized for subject.
– With rule 1 above this rule ensures that users can take
on only roles which they authorized.
3.Transaction Authorization:
– A subject can execute a transaction only if the transaction is
authorized for the subjects active role
– This rule ensures that users can execute only transactions for
which they are authorized

23 Ganesh N.Jorvekar April 22, 2024

 Role-based Access Control
• Databases are used by multiple users for multiple
applications
• Role-based access control (RBAC) is one way to handle
security for the users and applications
• Role of the user in the organization determines the access
level for the database
• DBAs create roles and assign permissions to roles
• DBAs and others can place users in appropriate roles
• Roles can define specific individuals allowed access or
extent of access to resources for multiple individuals

24 Ganesh N.Jorvekar April 22, 2024

 Role-based Access Control
RBAC supports the following security
principles:
–Least privilege (only the needed permissions are
assigned to roles)
–Separation of duties (use of mutually exclusive roles –
e.g., accountant writes check and manger signs the
check)
– Data Abstraction (instead of read/write/execute
permissions such as credit/debit are established)

25 Ganesh N.Jorvekar April 22, 2024

 Access Control

“Access control is the ability to permit

or deny the use of particular resource
by particular entity.”

27 Ganesh N.Jorvekar April 22, 2024

 Physical Access
• Physical access of a person may be allowed depending
on payment, authorization, etc.
• Enforced by personnel such as border guard, doorman,
ticket checker, etc.
• In physical security, the term access control refers to the
practice of restriction entrance to a property, building, or
a room to authorized persons.
• Physical access control can be achieved by a human
(guard), through mechanical means (lock & key),
technological means.
28 Ganesh N.Jorvekar April 22, 2024
 Biometrics
• Biometrics refers to study of methods for uniquely
recognizing humans based upon one or more
intrinsic physical/behavioral characteristics.
Biometrics

Physiological Behavioral

Face Iris Hand Keystroke Signature

Fingerprint DNA Voice

Biometric Characteristics
29 Ganesh N.Jorvekar April 22, 2024
 Biometrics
• Physiological are related to the body.
– Fingerprints, face, iris recognition, hand geometry
• Behavioral are related to behavior of a person.
– Signature, keystroke dynamics, voice.
• Even though voice is a physiological
characteristic because every person has a
different pitch
• Other biometric strategies are being developed
such as based on gait (way of walking), retina,
hand veins, ear canal, facial thermo gram, DNA,
odor, palm prints
30 Ganesh N.Jorvekar April 22, 2024
Comparison of various biometric technologies
• Universality each person should have the characteristic.
• Uniqueness is how well the biometric separates
individually from another.
• Permanence measures how well a biometric resists
aging.
• Performance accuracy, speed, and robustness of
technology used.
• Acceptability degree of approval of technology

31 Ganesh N.Jorvekar April 22, 2024

 Biometric Systems
Enrollment Stored
Biometric
Templates
System
Test

-Pre Feature Template Test

Matcher
processing Extractor Generator

Sensor Application
Block Diagram of Biometric System
Device
32 Ganesh N.Jorvekar April 22, 2024
33 Ganesh N.Jorvekar April 22, 2024
 Enrollment Stored
Templates

-Pre Feature Template

processing Extractor Generator

Sensor
Enrollment phase of Biometric system

34 Ganesh N.Jorvekar April 22, 2024

35 Ganesh N.Jorvekar April 22, 2024
 Stored
Templates
Test

Test
-Pre Feature Template
Matcher
processing Extractor Generator

Sensor Application
Verification phase of Biometric System Device

36 Ganesh N.Jorvekar April 22, 2024

 Biometric Systems
• Main operations are enrollment and test.
• During enrollment biometric information from an
individual is stored.
• During the test, biometric information is detected and
compared with the stored information.
• First block is interface between real world and our
system; it has to acquire necessary data.
• The second block performs all the necessary pre-
processing: it has to remove artifacts from the sensor, to
enhance input
• Third block features needed are extracted. (correct
features need to be extracted)
37 Ganesh N.Jorvekar April 22, 2024
 Biometric Systems
• A vector of numbers or an image with particular
properties is used to create a template.
• If enrollment is being performed the template is simply
stored somewhere (on card or database)
• If a matching phase is being performed, the obtained
template is passed to a matcher that compares it with
other existing templates, estimating distance between
them using algorithm.
• The matching program will analyze template with
input.
• 38This will be output forGanesh
anyN.Jorvekar
specified use or purpose.
April 22, 2024
 Biometric Systems Functions
Verification
 Authenticates its users in conjunction with smart card,
username, or ID number.
 Captured template is compared with that stored against
the registered user (card/db) for verification
Identification
 Authenticates its users from the biometric characteristics
alone without the use of smart cards, usernames, ID
numbers.
 The biometric template is compared to all records within
the database and a closest match score is returned.
 The closest match within the allowed threshold is
deemed the individual and authenticated.
39 Ganesh N.Jorvekar April 22, 2024
 Fingerprint Recognition
• Refers to automated method of verifying a match
between two human fingerprints.
• Used to identify an individual and verify its
identity.
• Analysis of fingerprints for matching purposes
requires comparison of several features of the
print pattern.
• These patterns are aggregate characteristics of
ridges, and minutia points, which are unique
features found within
40
the patterns.
Ganesh N.Jorvekar April 22, 2024
 Fingerprint Recognition

• Oldest form of Biometrics

• Highly Reliable
• Finger-scan biometrics is based on the distinctive
characteristics of the human fingerprint.
• A fingerprint image is read from a capture
device.
• Features are extracted from the image.
• A template is created for comparison.
41 Ganesh N.Jorvekar April 22, 2024
42 Ganesh N.Jorvekar April 22, 2024
 Patterns: Basic Ridge Patterns
• An arch is a pattern where the ridges enter from
one side of the finger, rise in the center forming
an arc, and then exit the other side of the finger.
• The loop is a pattern where the ridges enter from
one side of a finger, from a curve, and tend to
exit from the same side they enter.
• In the whorl pattern, ridges from circularly
around a center point on the finger.

43 Ganesh N.Jorvekar April 22, 2024

 Loop, Arch & Whorl

44 Ganesh N.Jorvekar April 22, 2024

 Fingerprint sensors
• Is an electronic device used to capture a digital
image of the fingerprint pattern.
• This captured image is called a live scan.
• This live scan is digitally processed to create a
biometric template which is stored and used for
matching.
Stages
• Fingerprint Scanning
• Fingerprint Matching
• Identification
45 Ganesh N.Jorvekar April 22, 2024
 Fingerprint Acquisition

46 Ganesh N.Jorvekar April 22, 2024

 Minutia Matching

47 Ganesh N.Jorvekar April 22, 2024

 Process

48 Ganesh N.Jorvekar April 22, 2024

 Fingerprint PC lock

49 Ganesh N.Jorvekar April 22, 2024

 Fingerprint Door Lock

50 Ganesh N.Jorvekar April 22, 2024

 Facial Recognition
• A computer application for automatically
identifying or verifying a person from a digital
image or a video frame from video source.
• This is done by comparing selected facial
features from the image and a facial database.
• Recognition algorithm includes eigenface,
fisherface, the hidden Markov model, & the
neuronal motivated dynamic link matching or
three dimensional face recognition.
51 Ganesh N.Jorvekar April 22, 2024
 Iris Recognition
• Iris is the green/grey/brown area.
• The other structure visible are the pupil in the
center and the while sclera surrounding the
iris.
• The overlying cornea is pictured, but not
visible, as it is transparent.
• It is Pattern recognition technique

52 Ganesh N.Jorvekar April 22, 2024

Iris is a protected internal organ whose
random texture is stable throughout life
53 Ganesh N.Jorvekar April 22, 2024
 IRIS SCAN IMAGE

54 Ganesh N.Jorvekar April 22, 2024

 Iris Recognition
• Iris recognition is a pattern recognition techniques
based on high-resolution images of the iris.
• Uses camera technology.
• Iris recognition efficacy is not impeded by glasses
or contact lenses.
• A key advantage of iris recognition is its stability,
or template longevity as, a single enrollment can
last a lifetime.

55 Ganesh N.Jorvekar April 22, 2024

 Iris Recognition
• High degree of Randomness
• No two Iris are alike
• Stable in a persons life
• Doesn't vary with changes
• Uses Infra red light to illuminate

56 Ganesh N.Jorvekar April 22, 2024

 Advantages
• Internal organ that is well protected against
damage.
• Iris is mostly flat & its geometric configuration is
only controlled by two complementary muscles
which control the diameter of pupil.
• An iris scan is similar to taking a photograph &
can be performed from about 10 cm to few metrs.
• Overall shape of the iris, the fine texture
remarkably stable over many years.

57 Ganesh N.Jorvekar April 22, 2024

 Disadvantages
• Iris scanning is relatively new technology & is
incompatible with the fingerprint recognition
• Iris recognition is difficult to perform at a
distance larger than a few meters & if the person
to be identified is moving.
• Iris recognition is susceptible to poor image
quality, with associated failure to enroll rates.

58 Ganesh N.Jorvekar April 22, 2024

 AVIATION – IRIS DEVICES

59 Ganesh N.Jorvekar April 22, 2024

 Retinal Scan
• A retinal scan is a biometric technique that uses the
unique patterns on a persons retina to identify them
• The human retina is a thin tissue composed of neural
cells that is located in the posterior portion of eye.
• Each persons retina is unique.
• The network of blood vessels in the retina is so
complex that identical twins do not share similar
pattern.
• The retina typically remains unchanged from birth
until death.
60 Ganesh N.Jorvekar April 22, 2024
 Retinal Scan
• Most precise and reliable biometric.
• Its error rate is estimated to be only one in a million.
• Blood vessels within the retina absorb light.
• A retinal scan is performed by casting an undetectable ray
of low energy infrared light into a persons eye as they look
through scanners eyepiece
• This beam of light outlines a circular path on retina.
• Because retinal blood vessels are more sensitive to light
than the rest of eye, the amount of reflection fluctuates.
• The results of the scan are converted to computer code and
stored
61
in a database. Ganesh N.Jorvekar April 22, 2024
Advantage
• Extremely low false positive rates
• Highly reliable because no two people have
the same retinal pattern.
• Speedy results: Identity of the subject is
verified very quickly

62 Ganesh N.Jorvekar April 22, 2024

Disadvantage
• Measurement accuracy can be affected by
diseases such as cataracts and glaucoma
• Not very user friendly
• Limited govt., corporate, other funding
• Subject being scanned must focus on the
scanner from about three inches away
• High equipment cost
• Poor lighting can affect results
• Retinal vessel pattern can change with
systemic and other ocular disease, especially
63 diabetes Ganesh N.Jorvekar April 22, 2024
 Keystroke Dynamics
“Keystroke dynamics or typing dynamics is the
detailed timing information that describes exactly
when each key was depressed and when it was
released as a person is typing at a keyboard.”

64 Ganesh N.Jorvekar April 22, 2024

 Keystroke Dynamics
Working principle
• Uses the manner & rhythm in which an
individual types characters on keyboard.
• The keystroke rhythms of a user are measured to
develop a unique biometric template of users
typing pattern for future authentication.
• Raw measurements available from most every
keyboard can recorded to determine Dwell time
(the time a key pressed) & Flight time (time
between key down and next key down and time
between key up and next key up)
65 Ganesh N.Jorvekar April 22, 2024
 Keystroke Dynamics
Working principle (cont…)
• The recorded keystroke timing data is then
processed through a unique neural algorithm,
which determines a primary pattern for future
comparison.
• Data needed to analyze keystroke dynamics is
obtained by keystroke logging.

66 Ganesh N.Jorvekar April 22, 2024