Personal Data Classification and Controls (1000 words essay )

profilewfwfaf
CSC200-Week3-Lecture5.pdf

Authentication and

Access Control

1

Authentication

• The act of proving that a user is who he/she says he/she is

• Methods:

• Something the user knows

• Something the user is

• Something user has

2

Something You Know

• Passwords

• Security questions

• Attacks on “something you know”: • Dictionary attacks

• Inferring likely passwords/answers

• Guessing

• Defeating concealment

• Exhaustive or brute-force attack

• Rainbow tables

3

Distribution of Password Types

4

One character

0%

Two characters

2% Three characters

14%

Four characters,

all letters 14%

Five letters, all same case

22%

Six letters, l owercase

19%

Words in dictionaries or lists of names

15%

Other good

passwords

14%

Good Password

• Just not a word, could be sentences

• Use chars beyond a-z

• Choose long passwords

• Avoid actual names or words

• Use a string you can remember

• Use variants for multiple passwords

• Change a password regularly

• Don’t write it down

• Don’t tell anyone else.

5

Password Storage

Plaintext Concealed

6

Password Attack steps

• No password

• The same as the user ID

• is, or is derived from, the user’s name

• On a common word list (ex. Password, secret)

• Contained in a short college dictionary

• Contained in complete English word list

• Contained in common non-English-language dictionaries

• Contained in a short college, English, non-English dictionaries with capitalizations or substitutions (0 for O)

• Obtained by brute force – with English alphabetical characters and as next step, with the entire character set.

7

Biometrics: Something You Are

8

• Fingerprint

• Hand geometry

• Retina and iris

• Voice

• Handwriting, signature, hand motion

• Typing characteristics

• Blood vessels in the finger or hand

• Face

• Facial features, such as nose shape / eye spacing.

Problems with Biometrics

• Intrusive

• Expensive

• Single point of failure

• Sampling error

• False readings

• Speed

• Forgery

9

Really ?? – Doctor working with 16

fingers

• https://www.theguardian.com/world/video/2013/m ar/15/doctor-fake-fingers-work-video

10

Tokens: Something You Have

11

Time-Based Token Authentication

PASSCODE PIN TOKENCODE=

Login: mcollings

2468159759Passcode:

+

Clock

synchronized to

UCT

Unique seed

Token code:

Changes every

60 seconds

Federated Identity Management

12

User Identity Manager

(performs

authentication) Authenticated

Identity

Application

(no authentication)

Application

(no authentication)

Application

(no authentication)

Single Sign-On

13

User Single Sign-On

Shell Identification and

Authentication

Credentials

Application

Authentication

Token

AuthenticationAuthentication

ApplicationApplication

Password

Access Control

14

Access Policies

• Goals:

• Check every access

• Enforce least privilege

• Verify acceptable usage

• Track users’ access

• Enforce at appropriate granularity

• Use audit logging to track accesses

15

Implementing Access Control

• Reference monitor

• Access control directory

• Access control matrix

• Access control list

• Privilege list

• Capability

• Procedure-oriented access control

• Role-based access control

16

Reference Monitor

17

Access Control Directory

18

PROG1. C

PROG1.EXE

BIBLIOG

HELP.TXT

TEMP

ORW

ORW

ORW

OX

R

BIBLIOG

TEST.TMP

PRIVATE

HELP.TXT

R

ORW

OX

R

File NameFile Name Access Rights

Access Rights

File Pointer

File Pointer

User A Directory User B DirectoryFiles

Access Control Matrix

19

Access Control List

20

F

TEMP

BIBLIOG

HELP.TXT

File Access List

Pointer User

Access Rights

USER_S

USER_B

USER_A ORW

RW

R

BIBLIOG

TEMP

F

HELP.TXT

USER_A ORW

USER_S

USER_A ORW

R

USER_S

USER_B

USER_A R

R

R

USER_T R

SYSMGR

USER_SVCS

RW

O

Directory Access Lists Files