
Unit II: User Authentication & Access Control (06 Hrs.) 10 Marks

Unit Outcomes (UOs)


2a. Explain the techniques of the given type of attack on passwords.
2b. Explain the mechanism of the given type of Biometric.
2c. Apply the relevant Authentication method for the given situation with an example.
2d. Describe the features of the given access control policy.

Topics and Sub-topics


2.1 Identification and Authentication: User name & Password, Guessing password,
Password attacks, Piggybacking, Shoulder surfing, Dumpster diving.
2.2 Biometrics: Fingerprints, Handprints, Retina patterns, Voice patterns, Signature
and Writing patterns, Keystrokes.
2.3 Access controls: Definition, Authentication Mechanism, Principles (Authentication,
Authorization, Audit), and Policies: DAC, MAC, and RBAC.
2.1 Identification and Authentication
Identification is the ability to identify uniquely a user of a system or an
application that is running in the system.
Authentication is the ability to prove that a user or application is genuinely who
that person or what that application claims to be.
For example, consider a user who logs on to a system by entering a user ID and
password. The system uses the user ID to identify the user. The system
authenticates the user at the time of logon by checking that the supplied
password is correct.

User Name: A username is a common security feature and a widely adopted
authentication and authorization technique.
A username is a string of characters used to uniquely identify a user on any
computing device or related service that requires user authentication.
It is a distinctive alphabetical and numerical set of characters used to identify a
user and gain access to a computing system, and is also known as a login ID.
A username is created by the user and is between six and 14 characters in length.
Although usernames are an integral part of the information security mechanism, a
username alone cannot pose a serious threat if it is discovered by a hacker or a
person with malicious intent, because authorization depends on the correct input of
both the username and the password.

Password: A password is a string of characters used for authenticating a user on
a computer system. Usernames are generally public information, whereas
passwords are private to each user.
Passwords consist of several characters, which can typically include letters,
numbers, and most symbols, but not spaces. It is good to choose a password that
is easy to remember, but it must not be so simple that others can guess it. The
most secure passwords are a combination of letters and numbers and do not
contain actual words.
Guessing Password: Password guessing is the process of attempting to gain
access to a system by systematically guessing passwords until one of them
yields a login to the target system.
Generally there are two basic strategies followed by an attacker to disclose a
password:
• Exhaustive Search (Brute Force): The attacker tries all possible combinations
to discover the password.
• Intellectual Search: The attacker tries passwords that may be related to the
user, such as his name, the names of relatives or friends, vehicle registration
number, contact numbers, etc., or tries popular passwords like ‘admin’ or
‘manager’. The attacker also tries every word in a dictionary.
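The defensive counterpart of the two strategies above is a password policy check that rejects exactly what an intellectual search would try first. This is an added example, not code from these notes; the user attributes (name, relatives, vehicle, phone), the word lists and the minimum length are constructed assumptions.

```python
import re

# Constructed sample lists: the popular passwords the notes mention plus a
# tiny stand-in "dictionary"; a real deployment loads a full word list.
COMMON_PASSWORDS = {"admin", "manager", "password", "123456", "welcome"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football", "secret"}

def _normalise(value):
    """Lower-case and drop separators so 'MH-12 AB 1234' matches 'mh12ab1234'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def _personal_fragments(user_info):
    """Whole values and their individual words, e.g. 'Rahul Sharma' -> 'Rahul', 'Sharma'."""
    fragments = []
    for value in user_info.values():
        for item in (value if isinstance(value, list) else [value]):
            fragments.append(item)
            fragments.extend(item.split())
    return fragments

def check_password(password, user_info, min_length=8):
    """Return the reasons a candidate password is weak; an empty list means acceptable.

    user_info holds the facts an 'intellectual search' tries first (hypothetical
    keys): {"name": ..., "relatives": [...], "vehicle": ..., "phone": ...}.
    """
    reasons = []
    pw = password.lower()
    if len(password) < min_length:
        reasons.append("too short")
    if " " in password:
        reasons.append("contains spaces")
    if not (re.search(r"[a-z]", pw) and re.search(r"[0-9]", pw)):
        reasons.append("must mix letters and digits")
    if pw in COMMON_PASSWORDS:
        reasons.append("popular password")
    # Reject whole dictionary words and passwords built around one ('dragon1').
    if any(word in pw for word in DICTIONARY_WORDS):
        reasons.append("contains a dictionary word")
    # Reject anything derived from facts an attacker can learn about the user.
    for frag in _personal_fragments(user_info):
        norm = _normalise(frag)
        if len(norm) >= 3 and norm in _normalise(password):
            reasons.append("contains personal information (%s)" % frag)
            break
    return reasons
```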

Password Attacks: Password attacks are a critical segment of penetration
testing, in which preparation can have a major impact on the success or failure of
the test.
Common password security attacks:
• Trying Common Passwords
• Dictionary Attack
• Hybrid Attack
• Mask Attack
• Brute Force Attack
• Attacks on Hashes
• Phishing
• Rainbow Table Attack
• Credential Stuffing
• Password Spraying
• Key Logger Attack

Piggybacking: Piggybacking is the technique of closely following a person who
has just used an access card or PIN to gain physical access to a room or
building. Piggybacking is an unauthorized entry to a system (either physically or
logically) by using an authorized person's access code.
Piggybacking can be done physically or electronically. Physical piggybacking is a
technique for gaining access to controlled-access areas where the control is
achieved by electronically or mechanically locked doors.
Piggybacking on Internet access is the practice of establishing a wireless Internet
connection by using another subscriber's wireless Internet access service without
the subscriber’s explicit permission or knowledge.
The usual purpose of piggybacking is simply to gain free network access rather
than any malicious intent, but it can slow down data transfer for legitimate users
of the network.
Prevention:
i. Piggybacking can be prevented by ensuring that encryption is enabled in the
router, using Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) or
WPA2 (WEP is obsolete and easily broken, so WPA2 or later should be used).
ii. Using a strong password for the encryption key, consisting of at least 14
characters and mixing letters and numbers.

Shoulder Surfing: Shoulder surfing is a form of data theft where criminals steal
personal information by observing victims while they are using devices such as
ATMs, computers, kiosks, or other electronics.
Shoulder surfing refers to direct observation, such as looking over a person's
shoulder, to obtain information.
In shoulder surfing, attackers position themselves in such a way as to be able to
observe the authorized user entering the correct access code or data.
Prevention:
i. Pick strong passwords so it’s hard for any observer to guess what you typed.
ii. Attach a screen protector to computers to obscure the screen.
iii. Lock your computer screen at work when you leave your desk.

Dumpster Diving: “Dumpster diving” is one of the easiest ways to find out
information about a company or its customers. It is sometimes also referred to as
trashing.
“Dumpster diving” means searching trash for useful information. The trash may
be in a public dumpster or in a restricted area requiring unauthorized entry.
Dumpster diving depends on a human weakness: the lack of security awareness.
Many things can be found by dumpster diving (e.g., CDs, DVDs, hard drives,
company directories, and so forth).
Dumpster diving is an attack that produces an immense amount of information
on an organization, firm, individual, or entity. A lot of information can be gathered
about a person or company from the trash they throw away.
Prevention:
• Destroy any CDs/DVDs containing personal data.
• If you no longer need your PC, make sure you have deleted all the data so
that it can’t be recovered.
• Use of firewalls can prevent suspicious Internet users from accessing the
discarded data.
• Paper documents should be permanently destroyed/shredded.
• Companies should lock waste bins and should have a safe disposal policy.

2.2 Biometrics:
Biometrics is the idea of mapping measurements of human physical characteristics
to human uniqueness. Biometrics refers to the study of methods for uniquely
recognizing humans based upon one or more intrinsic physical or behavioral
characteristics. Biometric identification is based on some unique physical attribute
of the user that positively identifies the user.
Examples: fingerprint recognition, retina and face scan techniques, voice synthesis
and recognition, and so on. Physiological characteristics are related to the shape of
the body, for example fingerprint, face recognition, DNA, palm print, iris recognition
and so on. Behavioral characteristics are related to the behavior of a person, for
example typing rhythm, gait, signature and voice.
The major biometric forms are:
• Finger Prints
• Handprint
• Retina Patterns
• Voice Patterns (Voice/Speech)
• Signature and Writing Patterns (Handwriting/Signature)
• Keystrokes
Figure: Various Types of Biometric Authentication Techniques

A biometric system provides the following two functions:
• Verification – Authenticates users in conjunction with a smart card, username
or ID number. The biometric template captured is compared with the one stored
against the registered user, either on a smart card or in a database, for
verification.
• Identification – Authenticates users from the biometric characteristic alone,
without the use of smart cards, usernames or ID numbers. The biometric
template is compared to all records within the database and a closest-match
score is returned. The closest match within the allowed threshold is deemed to
be the individual and is authenticated.

Construction:
The first time an individual uses a biometric system is called enrollment.
During enrollment, biometric information from the individual is stored. In
subsequent uses, biometric information is detected and compared with the
information stored at the time of enrollment.
A biometric system consists of the following blocks:
1. Sensor
2. Preprocessing
3. Feature Extractor
4. Template Generator
5. Stored Templates
6. Matcher
7. Application Device

Working:
1. The first block of the biometric system, the sensor, is the interface between
the real world and the system; it has to acquire all the necessary data.
2. The second block performs all the necessary pre-processing.
3. In the third block, the necessary features are extracted. This is an important
step, since the quality of the whole system depends on the features being
extracted in an optimal way.
4. A vector of numbers or an image with particular properties is used to create a
template.
5. During the enrollment phase, the template is simply stored in the database of
the biometric system.
6. During the matching phase, the obtained template is passed to a matcher that
compares it with the existing stored templates.
7. The matching program analyzes the stored template against the input.
8. The result is then output for any specified use or purpose, such as controlling
a special entrance.
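The verification (1:1) and identification (1:N) functions described in 2.2, together with the matcher and threshold of the matching phase, as an added example that is not part of these notes. The stored templates are constructed four-element feature vectors, the matcher score is plain Euclidean distance and the threshold value is an assumption.

```python
import math

# Constructed sample templates: each enrolled user has one stored feature
# vector (a toy stand-in for what the feature extractor would produce).
STORED_TEMPLATES = {
    "alice": [0.10, 0.80, 0.35, 0.60],
    "bob":   [0.90, 0.20, 0.55, 0.15],
    "carol": [0.40, 0.40, 0.70, 0.85],
}
THRESHOLD = 0.15  # largest distance still accepted as a match (assumed value)

def distance(stored, probe):
    """Matcher score: Euclidean distance between two templates (0 = identical)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(stored, probe)))

def verify(claimed_id, probe):
    """1:1 verification: the user presents an ID (card, username) plus a sample,
    and only the template stored for that ID is compared."""
    stored = STORED_TEMPLATES.get(claimed_id)
    if stored is None:
        return False           # unknown ID: nothing to compare against
    return distance(stored, probe) <= THRESHOLD

def identify(probe):
    """1:N identification: no ID is claimed; every stored template is scored and
    the closest one is returned only if it lies within the threshold."""
    best_id, best_score = None, math.inf
    for user_id, stored in STORED_TEMPLATES.items():
        score = distance(stored, probe)
        if score < best_score:
            best_id, best_score = user_id, score
    if best_score > THRESHOLD:
        return None            # closest match is still too far away: reject
    return best_id
```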
2.3 Access controls:
Access controls are security features that control how users and systems
communicate and interact with other systems and resources.
Access is the ability of a subject to interact with an object. Authentication deals with
verifying the identity of a subject. Access control is the ability to specify, control and
limit access to the host system or application, which prevents unauthorized users
from accessing or modifying data or resources.
It can be represented using an Access Control Matrix or an Access Control List:

            Process 1   Process 2   File 1                 File 2                 Printer
Process 1   ---         Read        Read, Write, Execute   Read                   Write
Process 2   Execute     Read        Read, Write            Read, Write, Execute   Write
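The matrix above encoded as a data structure, with the two views the notes mention derived from it: the column view (an access control list per object) and the row view (a capability list per subject). This is an added example, not from these notes; the cell contents follow the table as laid out above.

```python
# Constructed from the matrix above: rows are subjects, columns are objects.
MATRIX = {
    "Process 1": {
        "Process 2": {"Read"},
        "File 1": {"Read", "Write", "Execute"},
        "File 2": {"Read"},
        "Printer": {"Write"},
    },
    "Process 2": {
        "Process 1": {"Execute"},
        "Process 2": {"Read"},
        "File 1": {"Read", "Write"},
        "File 2": {"Read", "Write", "Execute"},
        "Printer": {"Write"},
    },
}

def has_access(subject, obj, right):
    """Reference-monitor check: is `right` present in cell M[subject][obj]?
    Unknown subjects or objects have an empty cell and are denied."""
    return right in MATRIX.get(subject, {}).get(obj, set())

def access_control_list(obj):
    """Column view (ACL): which subjects hold which rights on one object."""
    return {s: sorted(rights[obj]) for s, rights in MATRIX.items() if obj in rights}

def capability_list(subject):
    """Row view (capabilities): every right one subject holds, per object."""
    return {o: sorted(r) for o, r in MATRIX.get(subject, {}).items()}
```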

Goals of access control:
• Granting access
• Limiting access
• Preventing access
• Revoking access

Policies: An authorization policy states the actions that persons are permitted to
perform within a system.
Most recent operating systems implement authorization policies as formal sets of
permissions that are modifications or expansions of three basic types of access:
Read (R): The subject can only
• Read file contents
• List directory contents
Write (W): The subject can alter the contents of a file or directory with the
following tasks:
• Add
• Update
• Delete
• Rename
Execute (X): If the file is a program, the subject can start the program running.
(In Unix systems, the "execute" permission doubles as a "traverse directory"
permission when granted for a directory.)
These privileges and permissions are applied differently in systems based on
discretionary access control (DAC), mandatory access control (MAC) and role-
based access control (RBAC).

Access control is used to identify an individual who does a specific job,
authenticate them, and then give that individual only the key to the door or
workstation that they need access to and nothing more. Access control systems
come in three variations:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)

Discretionary Access Control (DAC):
In a Discretionary Access Control (DAC) environment, resource owners and
administrators jointly control access to resources. DAC is a type of access
control in which a user has total control over all the programs and files it owns
and executes, and also decides the permissions other users have on those files
and programs. Since DAC needs permissions to be allocated to the individuals
who need access, DAC is often described as a "need-to-know" access model. A
DAC access control model often exhibits one or more of the following attributes:
• Data owners can transfer ownership of information to other users.
• Data owners can determine the type of access given to other users (read,
write, copy, etc.).
• Repeated authorization failures to access the same resource or object
generate an alarm and/or restrict the user's access.
• Special add-on or plug-in software is required in an HTTP client to prevent
indiscriminate copying by users ("cutting and pasting" of information).
• Users who do not have access to information should not be able to determine
its characteristics (file size, file name, directory path, etc.).
• Access to information is determined by access control lists based on user
identifier and group membership.
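The DAC attributes listed above (owner-controlled grants, ownership transfer, hiding objects from users with no rights, and an alarm after repeated failures) in one toy store. This is an added example, not code from these notes; the right names, the failure limit of three and the status strings are assumptions.

```python
class DacStore:
    """Toy DAC store: the owner of an object decides who else gets which rights."""

    def __init__(self):
        self.owner = {}      # object -> owning user
        self.acl = {}        # object -> {user: set of rights}
        self.failures = {}   # (user, object) -> consecutive denied attempts
        self.locked = set()  # (user, object) pairs blocked after repeated failures

    def create(self, user, obj):
        """Whoever creates an object owns it and gets full rights on it."""
        self.owner[obj] = user
        self.acl[obj] = {user: {"read", "write", "copy"}}

    def grant(self, granter, obj, grantee, right):
        """Only the current owner may hand out rights on the object."""
        if self.owner.get(obj) != granter:
            return False
        self.acl[obj].setdefault(grantee, set()).add(right)
        return True

    def transfer_ownership(self, owner, obj, new_owner):
        """Owners can pass ownership (and full rights) to another user."""
        if self.owner.get(obj) != owner:
            return False
        self.owner[obj] = new_owner
        self.acl[obj].setdefault(new_owner, set()).update({"read", "write", "copy"})
        return True

    def visible(self, user, obj):
        """A user with no rights should not even learn that the object exists."""
        return bool(self.acl.get(obj, {}).get(user))

    def access(self, user, obj, right, max_failures=3):
        """Check one right; repeated denials on the same object lock the user out
        and raise an alarm (modelled here as the returned status string)."""
        key = (user, obj)
        if key in self.locked:
            return (False, "locked")
        if right in self.acl.get(obj, {}).get(user, set()):
            self.failures[key] = 0
            return (True, "ok")
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= max_failures:
            self.locked.add(key)
            return (False, "alarm")
        return (False, "denied")
```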

Mandatory Access Control (MAC):
Mandatory Access Control (MAC) ensures that the enforcement of organizational
security policy does not rely on voluntary compliance by web application users.
MAC secures information by assigning sensitivity labels to information and
comparing them with the level of sensitivity a user is operating at. In general, MAC
access control mechanisms are more secure than DAC, but have tradeoffs in
performance and convenience to users. MAC mechanisms assign a security level
to all information, assign a security clearance to each user, and ensure that all
users only have access to the data for which they have a clearance. MAC is
usually appropriate for extremely secure systems, including multilevel secure
military applications or mission-critical data applications. A MAC access control
model often exhibits one or more of the following attributes:
• Only administrators, not data owners, make changes to a resource's security
label.
• All data is assigned a security level that reflects its relative sensitivity,
confidentiality, and protection value.
• All users can read from a lower classification than the one they are granted (a
"secret" user can read an unclassified document).
• All users can write to a higher classification (a "secret" user can post
information to a Top Secret resource).
• All users are given read/write access to objects only of the same classification
(a "secret" user can only read/write a secret document).
• Access is authorized or restricted to objects based on the time of day,
depending on the labeling on the resource and the user's credentials (driven
by policy).
• Access is authorized or restricted to objects based on the security
characteristics of the HTTP client (e.g. SSL bit length, version information,
originating IP address or domain, etc.).
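The label comparison the MAC attributes describe (read at or below clearance, write at or above it, read/write at the same level, relabelling by administrators only) as an added example that is not part of these notes. The four-level lattice, the administrator list and the object names are constructed assumptions.

```python
# Constructed label lattice, lowest to highest.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

class MacMonitor:
    """Toy MAC reference monitor: labels on objects, clearances on users."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.clearance = {}   # user -> level name
        self.label = {}       # object -> level name

    def set_clearance(self, actor, user, level):
        """Only administrators assign clearances."""
        if actor not in self.admins or level not in RANK:
            return False
        self.clearance[user] = level
        return True

    def set_label(self, actor, obj, level):
        """Only administrators (never data owners) change a resource's label."""
        if actor not in self.admins or level not in RANK:
            return False
        self.label[obj] = level
        return True

    def decide(self, user, obj, action):
        """read: object label must not exceed the clearance (no read up).
        write: object label must not fall below the clearance (no write down),
        so a Secret user may post to Top Secret but not to Unclassified."""
        if user not in self.clearance or obj not in self.label:
            return False   # uncleared user or unlabelled data: deny by default
        subject, target = RANK[self.clearance[user]], RANK[self.label[obj]]
        if action == "read":
            return target <= subject
        if action == "write":
            return target >= subject
        return False
```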

Role Based Access Control (RBAC):
In Role-Based Access Control (RBAC), access decisions are based on an
individual's roles and responsibilities within the organization or user base. Each
user can be allotted specific access permissions for objects connected with a
computer or network. A set of roles is defined, and each role in turn is assigned
the access permissions necessary to perform that role. Different users will be
granted different permissions to do specific duties as per their classification.
Role-based access control (RBAC) is a technique of controlling access to
computer or network resources based on the roles of individual users inside an
enterprise. Here, access is the ability of an individual user to do a certain task,
such as view, create, or modify a file. Roles are defined as per job competency,
authority, and responsibility within the enterprise.
In RBAC, roles are easily created, changed, or discontinued as the needs of the
enterprise develop, without having to individually update the privileges for every
user. The following aspects exhibit RBAC attributes in an access control model:
• Roles are assigned based on organizational structure, with emphasis on the
organizational security policy.
• Roles are assigned by the administrator based on relative relationships within
the organization or user base. For instance, a manager would have certain
authorized transactions over his employees. An administrator would have
certain authorized transactions over his specific realm of duties (backup,
account creation, etc.).
• Each role is designated a profile that includes all authorized commands,
transactions, and allowable information access.
• Roles are granted permissions based on the principle of least privilege.
• Roles are determined with separation of duties in mind, so that a developer
role should not overlap a QA tester role.
• Roles are activated statically and dynamically as appropriate to certain
relational triggers (help desk queue, security alert, initiation of a new project,
etc.).
• Roles can only be transferred or delegated using strict sign-offs and
procedures.
• Roles are managed centrally by a security administrator or project leader.
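The RBAC attributes above (permissions attached to roles rather than users, separation of duties between a developer and a QA tester role, and activating only the roles needed for a session) as an added example that is not part of these notes. The role names, permissions and the session model are constructed assumptions.

```python
class Rbac:
    """Toy RBAC engine: users get roles, roles get permissions, sessions activate roles."""

    def __init__(self):
        self.role_perms = {}   # role -> set of (action, object) permissions
        self.user_roles = {}   # user -> set of roles assigned by the administrator
        self.sessions = {}     # user -> set of roles currently activated
        self.exclusive = set() # frozenset pairs of roles that conflict (separation of duties)

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def separate_duties(self, role_a, role_b):
        """Record that one user may never hold both roles."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Assign a role unless it conflicts with one the user already holds."""
        held = self.user_roles.setdefault(user, set())
        if any(frozenset((role, h)) in self.exclusive for h in held):
            return False
        held.add(role)
        return True

    def activate(self, user, roles):
        """Start a session with a subset of the user's roles (least privilege);
        roles the user was never assigned are silently dropped."""
        allowed = self.user_roles.get(user, set())
        self.sessions[user] = set(roles) & allowed
        return self.sessions[user]

    def check(self, user, action, obj):
        """Permission flows through active roles only, never directly to a user."""
        for role in self.sessions.get(user, set()):
            if (action, obj) in self.role_perms.get(role, set()):
                return True
        return False
```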
