Personal Data Classification and Controls (1000 words essay )
Authentication and
Access Control
1
Authentication
• The act of proving that a user is who he/she says he/she is
• Methods:
• Something the user knows
• Something the user is
• Something user has
2
Something You Know
• Passwords
• Security questions
• Attacks on “something you know”: • Dictionary attacks
• Inferring likely passwords/answers
• Guessing
• Defeating concealment
• Exhaustive or brute-force attack
• Rainbow tables
3
Distribution of Password Types
4
One character
0%
Two characters
2% Three characters
14%
Four characters,
all letters 14%
Five letters, all same case
22%
Six letters, l owercase
19%
Words in dictionaries or lists of names
15%
Other good
passwords
14%
Good Password
• Just not a word, could be sentences
• Use chars beyond a-z
• Choose long passwords
• Avoid actual names or words
• Use a string you can remember
• Use variants for multiple passwords
• Change a password regularly
• Don’t write it down
• Don’t tell anyone else.
5
Password Storage
Plaintext Concealed
6
Password Attack steps
• No password
• The same as the user ID
• is, or is derived from, the user’s name
• On a common word list (ex. Password, secret)
• Contained in a short college dictionary
• Contained in complete English word list
• Contained in common non-English-language dictionaries
• Contained in a short college, English, non-English dictionaries with capitalizations or substitutions (0 for O)
• Obtained by brute force – with English alphabetical characters and as next step, with the entire character set.
7
Biometrics: Something You Are
8
• Fingerprint
• Hand geometry
• Retina and iris
• Voice
• Handwriting, signature, hand motion
• Typing characteristics
• Blood vessels in the finger or hand
• Face
• Facial features, such as nose shape / eye spacing.
Problems with Biometrics
• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
9
Really ?? – Doctor working with 16
fingers
• https://www.theguardian.com/world/video/2013/m ar/15/doctor-fake-fingers-work-video
10
Tokens: Something You Have
11
Time-Based Token Authentication
PASSCODE PIN TOKENCODE=
Login: mcollings
2468159759Passcode:
+
Clock
synchronized to
UCT
Unique seed
Token code:
Changes every
60 seconds
Federated Identity Management
12
User Identity Manager
(performs
authentication) Authenticated
Identity
Application
(no authentication)
Application
(no authentication)
Application
(no authentication)
Single Sign-On
13
User Single Sign-On
Shell Identification and
Authentication
Credentials
Application
Authentication
Token
AuthenticationAuthentication
ApplicationApplication
Password
Access Control
14
Access Policies
• Goals:
• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Enforce at appropriate granularity
• Use audit logging to track accesses
15
Implementing Access Control
• Reference monitor
• Access control directory
• Access control matrix
• Access control list
• Privilege list
• Capability
• Procedure-oriented access control
• Role-based access control
16
Reference Monitor
17
Access Control Directory
18
PROG1. C
PROG1.EXE
BIBLIOG
HELP.TXT
TEMP
ORW
ORW
ORW
OX
R
BIBLIOG
TEST.TMP
PRIVATE
HELP.TXT
R
ORW
OX
R
File NameFile Name Access Rights
Access Rights
File Pointer
File Pointer
User A Directory User B DirectoryFiles
Access Control Matrix
19
Access Control List
20
F
TEMP
BIBLIOG
HELP.TXT
File Access List
Pointer User
Access Rights
USER_S
USER_B
USER_A ORW
RW
R
BIBLIOG
TEMP
F
HELP.TXT
USER_A ORW
USER_S
USER_A ORW
R
USER_S
USER_B
USER_A R
R
R
USER_T R
SYSMGR
USER_SVCS
RW
O
Directory Access Lists Files