Chapter 6 Access


Authentication and Access control

 Password Authentication Protocol - the user provides a username and password, and these are compared with values stored in a table to see if they match.
 Challenge Handshake Authentication Protocol (CHAP) - the device doing the authenticating, usually a network server, sends the client program an ID value and a random number; both the sender and peer share a predefined secret word, phrase or value.
 Mutual authentication - can be thought of as two-way authentication. The client authenticates to the server, and then the server authenticates to the client or workstation.
 One-time password - a variation of the username/password combination. With OTP, the user creates a password, and the system creates a variation of the password each time a password is required.
 Per-session authentication - requiring the client to reauthenticate for each exchange of information is burdensome, but it provides a great deal of security.
 Tokens - a token or token card is usually a small device that supplies the response to a challenge that is received when trying to log on.
 Biometrics - using personal measurements such as fingerprints, hand outlines, iris and retina scanners, voice recognition, handwriting analysis, and keyboard analysis can be a one-stop shop for authentication, but it is seldom used that way.
Protecting passwords
Most security administrators protect passwords
in three important ways:
i. they make passwords hard to guess
ii. they make login controls hard to crack
iii. and they protect the file in which passwords
are stored.
Sample login/password controls
System messages - Most systems display warning banners and announcement messages before and/or after you successfully log in.
Limited attempts - After a certain number of unsuccessful tries at logging into the system (the number can be specified by the system administrator), the system locks you out and won’t let you log in from that terminal.
Limited time periods - Certain users or terminals may be limited to logging in during business hours or other specified times.
Incrementing login failure wait times - Each time a login fails, a longer time must pass before allowing another attempt. That is, after the first attempt, it takes one second to reset; after the second attempt, two seconds;
Last login message - When you log in, the system may display the date and time of your last login. Many systems also display the number of unsuccessful login attempts since the time of your last successful login.
User changeable passwords - In many systems, you’re allowed to change your own password any time after its initial assignment by the system administrator and may be required to change it after a certain interval.
System generated passwords - Some systems require you to use passwords generated randomly by the system, rather than relying on your own selection of a difficult-to-guess password.
Password aging and expiration - When a specified time is reached—for example, the end of the month—all passwords in the system may expire. The new passwords usually must not be identical to the old passwords.
Minimum length - Because short passwords are easier to guess than long ones, some systems require that passwords be a certain length, usually six to eight characters, but longer is better.
Password locks - Locks allow the system administrator to restrict certain users from logging in or to lock login accounts that haven’t been used for an extended period of time.
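The following is an added example, not part of the slides, that combines three of the controls from the table above (limited attempts, incrementing login failure wait times, and the last login message) in one login routine. The account table, the attempt limit, and the plaintext comparison are constructed for the demonstration; a real system would compare against a protected credential store.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Account:
    password: str                      # plaintext only to mirror the table lookup the slides describe
    failures: int = 0                  # consecutive failures; drives the incrementing wait
    failures_since_last: int = 0       # failures since the last successful login (reported at login)
    locked: bool = False
    next_allowed: float = 0.0          # earliest time at which another attempt is accepted
    last_login: Optional[float] = None

class LoginController:
    """Applies the 'limited attempts', 'incrementing wait times' and 'last login message' controls."""

    def __init__(self, accounts: Dict[str, Account], max_attempts: int = 5,
                 clock: Callable[[], float] = time.time):
        self.accounts, self.max_attempts, self.clock = accounts, max_attempts, clock

    def login(self, user: str, password: str):
        """Return (status, message); status is one of 'ok', 'bad', 'wait', 'locked'."""
        acct, now = self.accounts.get(user), self.clock()
        if acct is None:
            return "bad", "login incorrect"  # same text as a wrong password: don't reveal valid IDs
        if acct.locked:
            return "locked", "account locked; contact the system administrator"
        if now < acct.next_allowed:
            return "wait", "try again in %d second(s)" % (acct.next_allowed - now)
        if password != acct.password:
            acct.failures += 1
            acct.failures_since_last += 1
            acct.next_allowed = now + acct.failures  # 1 s after the 1st failure, 2 s after the 2nd, ...
            if acct.failures >= self.max_attempts:
                acct.locked = True               # lockout: only the administrator clears it
                return "locked", "too many failures; account locked"
            return "bad", "login incorrect"
        banner = "first login" if acct.last_login is None else "last login: " + time.ctime(acct.last_login)
        banner += "; %d failed attempt(s) since then" % acct.failures_since_last
        acct.failures = acct.failures_since_last = 0
        acct.next_allowed, acct.last_login = 0.0, now
        return "ok", banner

# Constructed sample account table for the demonstration.
ACCOUNTS = {"frank": Account(password="s3cret-example")}

if __name__ == "__main__":
    ctl = LoginController(ACCOUNTS, max_attempts=3)
    for pw in ["guess1", "guess2", "s3cret-example"]:
        print(pw, "->", ctl.login("frank", pw))
```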
Password attacks
 Brute force attack - try to guess a password by trying every possible combination of characters, one attempt at a time.
 Dictionary attack - with the help of online dictionaries of common passwords (English words, names of people, animals, cars, fictional characters, places, and so on), crackers are quite likely to be able to guess a good many of the passwords most people are likely to choose.
II. Authorization
 Once you’ve been authenticated, the system uses your ID
(and the security information associated with it) to
determine what you’re allowed to do in the computer or
on the network. The process of determining your bounds
is called authorization.
 Systems typically maintain a file containing information
about your privileges and characteristics; in some
systems, this is called a security profile, an
authentication profile, or a user list.
 Most systems support several categories of users, or roles;
a typical set includes regular users, a system administrator,
and an operator.
Access Control in Practice
There are at least three basic types of access
controls that provide different levels of
protection to the files in your system:
1. Discretionary access control (DAC)
2. Mandatory access control (MAC)
3. Role-based access control (RBAC)
Discretionary access control
 an access policy that restricts access to files (and other system objects such as directories and devices) based on the identity of users and/or the groups to which they belong.
 you, the file owner, can choose to give away your data;
 it lets you specify the type of access allowed.
Most systems support three basic types of access:
 Read - If you have read access for a file, you can read the file.
 Write - If you have write access for a file, you can write (change or replace) the file.
 Execute - The execute permission is relevant only if the file is a program. If you have execute permission for a file, you can run the program.
Ownership
 There are many types of discretionary access
control. One simple method involves ownership
of files, directories, and devices.
 If you create a file, you’re the owner of the file.
 If you’re the owner of the file, the system lets
you read and change the file.
 Virtually every system keeps track of file ownership and bases many access decisions on it.
Self/group/public controls
 In many systems, you control access to your
files by dividing the world of users into three
categories and telling the system what the
users in each category can do to your file.
 Self - the creator or owner of the file.
 Group - A set of users.
 Public - Everyone else—users other than you
and the other members of your group.
File permissions
 Each file has a set of bits called file permissions
associated with it.
 If you list your files (with the correct option) in a
Unix or Linux system, you’ll see such file
permissions as the following:

-rw-rw-r-- 1 frank r&d 81904 Nov 7 13:25 UPDATES


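As an added example (not from the slides), the self/group/public decision applied to the listing line shown above: the code parses an `ls -l` line and picks the permission triplet that applies to a given user. The second listing, the user names and group memberships are constructed for the demonstration.

```python
from collections import namedtuple

Listing = namedtuple("Listing", "mode owner group name")
BIT_INDEX = {"r": 0, "w": 1, "x": 2}

def parse_listing(line: str) -> Listing:
    """Parse one 'ls -l' line: mode links owner group size month day time name."""
    f = line.split()
    if len(f) < 9 or len(f[0]) != 10:
        raise ValueError("not an ls -l line: %r" % line)
    return Listing(mode=f[0], owner=f[2], group=f[3], name=" ".join(f[8:]))

def applicable_triplet(listing: Listing, user: str, groups) -> tuple:
    """Return (category, rwx-triplet) for this user: self, group or public.
    Only the first matching category counts, exactly as Unix does it, so an owner
    can end up with fewer rights than the group if the owner bits are weaker."""
    bits = listing.mode[1:]              # drop the file-type character ('-', 'd', ...)
    if user == listing.owner:
        return "self", bits[0:3]
    if listing.group in groups:
        return "group", bits[3:6]
    return "public", bits[6:9]

def allowed(listing: Listing, user: str, groups, access: str) -> bool:
    """access is 'r', 'w' or 'x'. 's'/'t' in the execute slot mean set-id/sticky *with* execute."""
    _, triplet = applicable_triplet(listing, user, groups)
    ch = triplet[BIT_INDEX[access]]
    return ch in "xst" if access == "x" else ch == access

# The slide's example line, plus a constructed one where the owner bits are weaker than the group bits.
UPDATES = parse_listing("-rw-rw-r-- 1 frank r&d 81904 Nov 7 13:25 UPDATES")
LOCKED = parse_listing("----rw---- 1 frank r&d 0 Nov 7 13:25 LOCKED")

if __name__ == "__main__":
    for who, grps in [("frank", ["staff"]), ("jane", ["r&d"]), ("bob", ["staff"])]:
        print(who, applicable_triplet(UPDATES, who, grps),
              [a for a in "rwx" if allowed(UPDATES, who, grps, a)])
```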
Mandatory access control
 an access policy supported for systems that process especially
sensitive data (e.g., government classified information or
sensitive corporate data).
 Systems providing mandatory access controls must assign
sensitivity labels to all subjects (e.g., users, programs) and all
objects (e.g., files, directories, devices, windows, sockets) in the
system.
 A user’s sensitivity label specifies the sensitivity level, or level
of trust, associated with that user; it’s often called a clearance.
 A file’s sensitivity label specifies the level of trust that a user
must have to be able to access that file.
 MACs use sensitivity labels to determine who can access what
information in your system.
Access decisions
 In a MAC system, all access decisions are made by the
system.
 MAC puts all such access decisions under the control of
the system.
 The label of the subject—for example, your clearance:
 TOP SECRET [VENUS TANK ALPHA]
 The label of the object—for example, a file named
LOGISTIC with a sensitivity label:
 SECRET [VENUS ALPHA]
 An access request—for example, your attempt to read
the LOGISTIC file.
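An added example, not from the slides, that carries the access request above through to a decision. The slides do not state the decision rule, so the code assumes the usual label dominance rule (Bell-LaPadula): a read is allowed when the clearance is at least as high as the file's level and holds every category of the file; a write is allowed only when the file's label dominates the clearance. The level ordering is constructed for the example.

```python
import re

# Constructed level ordering; only the relative order matters for dominance.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def parse_label(text: str):
    """'TOP SECRET [VENUS TANK ALPHA]' -> ('TOP SECRET', frozenset({'VENUS', 'TANK', 'ALPHA'}))"""
    m = re.fullmatch(r"\s*([A-Z ]+?)\s*\[([^\]]*)\]\s*", text)
    if not m or m.group(1) not in LEVELS:
        raise ValueError("bad sensitivity label: %r" % text)
    return m.group(1), frozenset(m.group(2).split())

def dominates(subject, obj) -> bool:
    """subject dominates obj when its level is at least as high and it holds every category of obj."""
    (s_level, s_cats), (o_level, o_cats) = subject, obj
    return LEVELS[s_level] >= LEVELS[o_level] and s_cats >= o_cats

def mac_decide(clearance: str, file_label: str, access: str) -> bool:
    """The system, not the user, decides: read requires clearance to dominate the file label;
    write requires the file label to dominate the clearance (no writing down to a lower label)."""
    subj, obj = parse_label(clearance), parse_label(file_label)
    if access == "read":
        return dominates(subj, obj)
    if access == "write":
        return dominates(obj, subj)
    raise ValueError("access must be 'read' or 'write'")

if __name__ == "__main__":
    clearance, logistic = "TOP SECRET [VENUS TANK ALPHA]", "SECRET [VENUS ALPHA]"
    for access in ("read", "write"):
        print(access, "LOGISTIC:", "allowed" if mac_decide(clearance, logistic, access) else "denied")
```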
Role-based access control
 Determines a user’s access based on that user’s role.
 The role a user is assigned to is based on the least
privilege concept.
 The role is defined with the least amount of
permissions or functionalities that is required to get
the job done.
 If the privileges for a role change, permissions can be
added or removed.
 This offers greater flexibility by changing the role
instead of changing the user’s permissions.
Access control lists
 Access control lists (ACLs) are lists of users and groups,
with their specific permissions.
<john.acct, r>
<jane.pay, rw>
where:
 john and jane are login IDs of users who are allowed
access to the PAYROLL file.
 acct and pay are group IDs of the users.
 r and w indicate the type of access allowed; r means that
the user can only read PAYROLL, w that he or she can
also change it.
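An added example, not from the slides: a parser for the `<login.group, permissions>` notation above and the check a system would run against it. The PAYROLL entries are the two from the slide; the extra users and groups in the usage are constructed, and the reading of `w` as "can also change it" (so it implies read) follows the slide's wording.

```python
import re

# One entry per line, in the slide's notation: <login.group, permissions>
ENTRY = re.compile(r"<\s*([^\s.,<>]+)\.([^\s.,<>]+)\s*,\s*([rw]+)\s*>")

def parse_acl(text: str):
    """Parse '<john.acct, r>' style lines into (login, group, permission-set) tuples."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.fullmatch(line)
        if m is None:
            raise ValueError("malformed ACL entry: %r" % line)
        acl.append((m.group(1), m.group(2), frozenset(m.group(3))))
    return acl

def acl_allows(acl, login: str, group: str, access: str) -> bool:
    """Grant only when an entry names both the login ID and the group ID.
    'r' is read-only; 'w' means the user can also change the file, so it implies 'r'.
    No matching entry means deny."""
    for entry_login, entry_group, perms in acl:
        if entry_login == login and entry_group == group:
            return access in perms or (access == "r" and "w" in perms)
    return False

# Constructed ACL for the PAYROLL file, using the two entries from the slide.
PAYROLL_ACL = parse_acl("""
<john.acct, r>
<jane.pay, rw>
""")

if __name__ == "__main__":
    for who, grp, access in [("john", "acct", "w"), ("jane", "pay", "w"), ("john", "pay", "r")]:
        print(who, grp, access, "->", acl_allows(PAYROLL_ACL, who, grp, access))
```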
Directory Services
 One of the improvements to occur in login technology is
the integration of Authentication, Authorization, and
Accounting (AAA) technologies.
 These improved directory systems keep track of the identity of each user, as well as attributes of that user, such as contact information and personal attributes, including what they can access, in some kind of directory services database.
 A directory service is essentially a large database that
stores information about all the objects in a network and
information about how these objects interact. Objects
can be users, groups, hardware, or software.
Active Directory
 used by Windows servers and domain controllers.
 The Active Directory implementation helps to organize all
objects and resources in the network environment while
acting as the central point for security as well.
 Active Directory provides a means to audit all the events
that happen on login servers (domain controllers).
 Audit policies can be set to monitor specific activities,
create reports, and notify specific personnel of these events.
 Group policies can be defined that govern groups of users
and computers.
 These policies can be applied to sites, domains, or
organizational units that are defined within the Active
Directory structure.
END