
Chapter 6 Authentication and Access Control - Unlocked

User authentication is the process of verifying a user's identity and is the foundation of access control systems and accountability. There are four main methods of authentication: something the user knows (e.g. password), possesses (e.g. key/token), is (e.g. fingerprint), or does (e.g. signature). Biometric authentication uses unique physical characteristics but is more complex, expensive, and inaccurate than passwords or tokens. A biometric system enrolls users by collecting and encoding biometric data into a template for verification during later access attempts. Common biometric traits include fingerprints, facial recognition, iris scans, and signatures but all have limitations and issues with accuracy over time.


Chapter 6: Authentication and Access control

6.1. Authentication basics


Introduction
Authentication is the process of proving one's identity. (The primary forms of host-to-host authentication on
the Internet today are name-based or address-based, both of which are notoriously weak.) User
authentication is a fundamental security building block and the basis of access control and user accountability.
In most computer security contexts, user authentication is the fundamental building block and the first line
of defense. User authentication is the basis of most types of access control and for user accountability. RFC
2828 defines user authentication as:
The process of verifying an identity claimed by or for a system entity. An authentication process consists
of two steps:
A) Identification step: Presenting an identifier to the security system. (Identifiers should be assigned
carefully, because authenticated identities are the basis for other security services, such as access control
service.)
B) Verification step: Presenting or generating authentication information that corroborates the binding
between the entity and the identifier.
In essence, identification is the means by which a user provides a claimed identity to the system; user
authentication is the means of establishing the validity of the claim. Note that user authentication is
distinct from message authentication. There are four means of authenticating a user's identity, based on
something the individual:
1. knows, e.g. password, PIN
2. possesses, e.g. key, token, smart card
3. is (static biometrics), e.g. fingerprint, retina
4. does (dynamic biometrics), e.g. voice, signature
These can be used alone or in combination; all can provide user authentication, and all have issues.
There are four general means of authenticating a user's identity, which can be used alone or in
combination:
• Something the individual knows: Examples include a password, a personal identification number
(PIN), or answers to a prearranged set of questions.
• Something the individual possesses: Examples include electronic keycards, smart cards, and
physical keys. This type of authenticator is referred to as a token.
• Something the individual is (static biometrics): Examples include recognition by fingerprint,
retina, and face.
• Something the individual does (dynamic biometrics): Examples include recognition by voice
pattern, handwriting characteristics, and typing rhythm.
All of these methods, properly implemented and used, can provide secure user authentication.
However, each method has problems. An adversary may be able to guess or steal a password.
Similarly, an adversary may be able to forge or steal a token. A user may forget a password or lose
a token. Further, there is a significant administrative overhead for managing password and token
information on systems and securing such information on systems. With respect to biometric
authenticators, there are a variety of problems, including dealing with false positives and false
negatives, user acceptance, cost, and convenience.
6.1.1. Password and Passphrase
Password Authentication. It is the most widely used user authentication method:
• the user provides a name/login and password
• the system compares the password with the one saved for the specified login
• a match authenticates the ID of the user logging in
• the ID establishes that the user is authorized to access the system
• the ID determines the user's privileges
• the ID is used in discretionary access control
The front line of defense against intruders is the password system. Virtually all multiuser systems require
that a user provide not only a name or identifier (ID) but also a password. The system compares the
password to a previously stored password for that user ID, maintained in a system password file. The
password serves to authenticate the ID of the individual logging on to the system. In turn, the ID determines
whether the user is authorized to gain access to a system, the privileges accorded to the user, and is used to
determine discretionary access controls.
Passphrase: an authentication component that consists of an expression known only to the user, from
which a virtual password is derived.
Password: an authentication component that consists of a private word or combination of characters
that only the user should know.
Smart card: an authentication component similar to a dumb card that contains a computer chip to verify
and validate several pieces of information instead of just a PIN.
Strong authentication: in access control, the use of at least two different authentication mechanisms
drawn from two different factors of authentication.
Synchronous token: an authentication component in the form of a card or key fob that contains a
computer chip and a liquid crystal display and shows a computer-generated number used to support
remote login authentication. This token must be calibrated with the corresponding software on the central
authentication server.
Virtual password: a password composed of a seemingly meaningless series of characters derived from a
passphrase.
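The following is an added example, not code from the chapter or its source text, showing how the password check and the synchronous token described above fit together into strong authentication (two factors: something known and something possessed). The password file stores salted PBKDF2 hashes rather than passwords, and the token value is computed with the time-based construction of RFC 6238 (TOTP); the server's "calibration" is the drift window of one 30-second step either side. The login names, seed, password and the 200,000-iteration work factor are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for the example)


def enroll_password(password: str) -> Tuple[bytes, bytes]:
    """Store a salt and a PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    """Hash the attempt with the stored salt and compare in constant time."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def token_code(seed: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous token value (RFC 6238 TOTP): HMAC-SHA1 over the number of
    `step`-second intervals since the epoch, dynamically truncated to `digits` digits."""
    counter = int(t // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_token(seed: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """The server recomputes the code for the current interval and `window` intervals on
    either side: the tolerance for clock drift between the token and the server."""
    return any(hmac.compare_digest(token_code(seed, now + k * step, step), code)
               for k in range(-window, window + 1))


# Constructed system password file and token seed store (login -> record)
PASSWORD_FILE = {"alice": enroll_password("correct horse battery")}
TOKEN_SEEDS = {"alice": b"constructed-seed-for-alice"}
_DUMMY = enroll_password("x")  # hashed for unknown logins so they cost the same time as real ones


def strong_auth(login: str, password: str, code: str, now: Optional[float] = None) -> bool:
    """Strong authentication: something the user knows (password) AND something the user
    possesses (synchronous token). Both checks always run, so a failure does not reveal
    which factor was wrong."""
    now = time.time() if now is None else now
    if login not in PASSWORD_FILE:
        verify_password(_DUMMY, password)  # equalise timing, then deny
        return False
    ok_password = verify_password(PASSWORD_FILE[login], password)
    ok_token = verify_token(TOKEN_SEEDS[login], code, now)
    return ok_password and ok_token
```

A real deployment would rate-limit attempts and keep the seed store separate from the password file; the point here is that the stored material (salted hash, token seed) is useless to an attacker who only reads the file, unlike a stored password.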

6.1.2 Biometrics
A biometric authentication system attempts to authenticate an individual based on unique physical
characteristics. These include static characteristics, such as fingerprints, hand geometry, facial
characteristics, and retinal and iris patterns; and dynamic characteristics, such as voiceprint and
signature.
Compared to passwords and tokens, biometric authentication is both technically complex and expensive,
and it has yet to mature as a standard tool for user authentication to computer systems. Figure 6.2 from the
text gives a rough indication of the relative cost and accuracy of the most common biometric measures:
• Facial characteristics: defined by the relative location and shape of key facial features, such as eyes,
eyebrows, nose, lips, and chin shape.
• Fingerprints: the pattern of ridges and furrows on the surface of the fingertip, believed to be unique
across the entire human population. Automated fingerprint systems extract a number of features to use as
a surrogate for the full pattern.
• Hand geometry: identifies features of the hand, e.g. its shape and the lengths and widths of the fingers.
• Retinal pattern: the pattern formed by veins beneath the retinal surface is unique and therefore suitable
for identification. The system uses a digital image of the retinal pattern, obtained by projecting a
low-intensity beam of visual or infrared light into the eye.
• Iris: another unique physical characteristic is the detailed structure of the iris.
• Signature: each individual has a unique style of handwriting, especially in their signature.
• Voice: voice patterns are more closely tied to the physical and anatomical characteristics of the speaker,
but still vary from sample to sample over time for the same speaker, complicating the biometric
recognition task.
Figure 6.2

Figure 6.3 from the text illustrates the operation of a biometric system. Each individual who is
to be included in the database of authorized users must first be enrolled in the system. This is analogous to
assigning a password to a user. For a biometric system, the user presents a name and, typically, some type
of password or PIN to the system. At the same time the system senses some biometric characteristic of this
user (e.g. the fingerprint of the right index finger). The system digitizes the input and then extracts a set of
features that can be stored as a number or set of numbers representing this unique biometric characteristic;
this set of numbers is referred to as the user's template. The user is now enrolled in the system, which
maintains for the user a name (ID), perhaps a PIN or password, and the biometric value. Depending on the
application, user authentication on a biometric system involves either verification or identification.
Most of the technologies that scan human characteristics convert these images to some form of minutiae.
Each subsequent access attempt results in a measurement that is compared with an encoded value to verify
the user’s identity. A problem with this method is that some human characteristics can change over time
due to normal development, injury, or illness, which means that system designers must create fallback or
failsafe authentication mechanisms.
Signature and voice recognition technologies are also considered to be biometric access control measures.
Signature recognition has become commonplace; retail stores use it, or at least signature capture, for
authentication during a purchase. The customer signs a digital pad with a special stylus that captures the
signature. The signature is digitized and either saved for future reference or compared with a signature in a
database for validation.
Currently, the technology for signature capturing is much more widely accepted than that for signature
comparison because signatures change due to several factors, including age, fatigue, and the speed with
which the signature is written. Voice recognition works in a similar fashion; the system captures and stores
an initial voiceprint of the user reciting a phrase. Later, when the user attempts to access the system, the
authentication process requires the user to speak the same phrase so that the technology can compare the
current voiceprint against the stored value.
For example, most people have experienced the frustration of having a credit card or ATM card fail to
perform because of problems with the magnetic strip. In the field of biometrics, similar problems can
occur when a system fails to pick up the various information points it uses to authenticate a prospective
user properly.
Strengths and Weaknesses
Table 1: Strengths
Technique: Strengths
Retina: Highly accurate
Iris: Highly accurate; works with eyeglasses; more acceptable to users than retina scan
Fingerprint: Mature technology; highly accurate; low cost; small size; becoming widely acceptable
Hand/Finger Geometry: Accurate and flexible; widely acceptable to users
Face Recognition: Widely acceptable to users; low cost; no direct contact
Voice Recognition: Usable over existing telephone system; good for remote access and monitoring
Signature Recognition: Widely acceptable to users
Keystroke Recognition: Widely acceptable to users; low cost; uses existing hardware

Table 2: Weaknesses
Technique: Weaknesses
Retina: Inconvenient for persons with eyeglasses; dislike of contact with device and light beam
Iris: New technology, cost, although this is rapidly changing
Fingerprint: Users can create a high FRR (false rejection rate); some persons dislike contact with device
Hand/Finger Geometry: User interface is bulky; dislike of contact with device
Face Recognition: Less accurate than other methods
Voice Recognition: Less accuracy; subject to background noise
Signature Recognition: Less accuracy; not widely used yet, but has potential with PDAs
Keystroke Recognition: Less accuracy
6.1.3 AAA server
Authentication, Authorization, and Accounting (AAA) Operation
• Authentication, Authorization, and Accounting (AAA) is a scalable system for access control.
• Authentication - users and administrators must prove that they are who they say they are.
• Authorization - determines which resources the user can access and which operations the user is
allowed to perform.
• Accounting - records what the user does and when they do it.
AAA Authentication
Two common AAA authentication methods include:
A) Local AAA Authentication - this method authenticates users against
locally stored usernames and passwords. Local AAA is ideal for small
networks.
B) Server-Based AAA Authentication-this method authenticates against a
central AAA server that contains the usernames and passwords for all users. Server-based AAA
authentication is appropriate for medium-to-large networks.
AAA Accounting Logs
Accounting provides more security than just authentication. AAA servers keep a detailed log of exactly
what the authenticated user does on the device.
The various types of accounting information that can be collected include:
i. Network Accounting - captures information such as packet and byte counts.
ii. Connection Accounting - captures information about all outbound connections.
iii. EXEC Accounting - captures information about user shells including username, date, start and stop
times, and the access server IP address.
iv. System Accounting - captures information about all system-level events.
v. Command Accounting - captures information about executed shell commands.
vi. Resource Accounting - captures "start" and "stop" record support for calls that have passed user
authentication.
6.1.4 Smart card and memory cards
Verification is analogous to a user logging on to a system by using a memory card or smart card coupled
with a password or PIN. For biometric verification, the user enters a PIN and also uses a biometric sensor.
The system extracts the corresponding feature and compares that to the template stored for this user. If
there is a match, then the system authenticates this user. For an identification system, the individual uses
the biometric sensor but presents no additional information. The system then compares the presented
template with the set of stored templates. If there is a match, then this user is identified. Otherwise, the user
is rejected.
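As an added example (not code from the chapter), the enrollment, verification and identification steps described in 6.1.2 and 6.1.4 above, in Python. Feature extraction is stood in for by normalising a small measurement vector, the "template" is that vector, and a match is a distance below a threshold; the users, PINs, vectors and the 0.15 threshold are all constructed. The last function measures the two error types the chapter warns about: false rejections (FRR) of genuine users, here including one whose characteristic has changed, and false acceptances (FAR) of impostors.

```python
import math
from typing import List, Optional, Tuple


def extract_template(raw: List[float]) -> List[float]:
    """Stand-in for feature extraction (constructed): the sensor's raw measurement vector is
    normalised to unit length, giving the small set of numbers stored as the template."""
    norm = math.sqrt(sum(x * x for x in raw)) or 1.0
    return [x / norm for x in raw]


def distance(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class BiometricSystem:
    def __init__(self, threshold: float):
        self.threshold = threshold  # largest template distance still counted as a match
        self.db = {}                # user ID -> (PIN, template)

    def enroll(self, user: str, pin: str, raw: List[float]) -> None:
        self.db[user] = (pin, extract_template(raw))

    def verify(self, user: str, pin: str, raw: List[float]) -> bool:
        """Verification (1:1): the claimed ID and PIN select one template, and the live
        sample must match that template."""
        record = self.db.get(user)
        if record is None or record[0] != pin:
            return False
        return distance(record[1], extract_template(raw)) <= self.threshold

    def identify(self, raw: List[float]) -> Optional[str]:
        """Identification (1:N): no ID is presented; the closest stored template wins,
        but only if it is within the threshold, otherwise the user is rejected."""
        live = extract_template(raw)
        best = min(self.db.items(), key=lambda kv: distance(kv[1][1], live), default=None)
        if best is None or distance(best[1][1], live) > self.threshold:
            return None
        return best[0]


def error_rates(system: BiometricSystem, genuine, impostor) -> Tuple[float, float]:
    """FRR: share of genuine samples not identified as their owner.
    FAR: share of impostor samples matched to anyone at all."""
    frr = sum(system.identify(raw) != user for user, raw in genuine) / len(genuine)
    far = sum(system.identify(raw) is not None for raw in impostor) / len(impostor)
    return frr, far


# Constructed enrollment data and later access attempts (3-feature vectors stand in for minutiae)
SYSTEM = BiometricSystem(threshold=0.15)
SYSTEM.enroll("alice", "1234", [1.0, 0.2, 0.5])
SYSTEM.enroll("bob", "9876", [0.1, 1.0, 0.3])
GENUINE = [("alice", [1.05, 0.18, 0.52]),  # ordinary sensor noise: accepted
           ("alice", [0.3, 0.9, 0.5]),     # characteristic changed (injury): false rejection
           ("bob", [0.12, 0.95, 0.33])]
IMPOSTOR = [[0.5, 0.5, 0.5]]
```

Raising the threshold lowers the FRR but raises the FAR, which is why a deployment needs both a tuned threshold and the fallback mechanism (PIN or re-enrollment) the chapter mentions for users whose characteristic has changed.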

6.1.5 Kerberos
Kerberos is a remote authentication system that uses symmetric key encryption-based tickets managed in a
central database to validate an individual user to various network resources. It is a computer network
authentication protocol that allows principals communicating over a non-secure network to prove their
identity to one another in a secure manner.
Kerberos Process

Two authentication systems can provide secure third-party authentication: Kerberos and SESAME.
Kerberos, named after the three-headed dog of Greek mythology that guards the gates to the underworld,
uses symmetric key encryption to validate an individual user to various network resources. Kerberos, as
described in RFC 4120, keeps a database containing the private keys of clients and servers; in the case of
a client, this key is simply the client's encrypted password. Network services running on servers in the
network register with Kerberos, as do the clients that use those services. The Kerberos system knows these
private keys and can authenticate one network node (client or server) to another. For example, Kerberos
can authenticate a user once at the time the user logs in to a client computer and then, later during that
session, it can authorize the user to have access to a printer without requiring the user to take any
additional action. Kerberos also generates temporary session keys, which are private keys given to the
two parties in a conversation. The session key is used to encrypt all communications between these two
parties. Typically, a user logs into the network, is authenticated to the Kerberos system, and is then
authenticated to other resources on the network by the Kerberos system itself.
Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues session keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request
services. In Kerberos a ticket is an identification card for a particular client that verifies
to the server that the client is requesting services and that the client is a valid member of
the Kerberos system and therefore authorized to receive services. The ticket consists
of the client’s name and network address, a ticket validation starting and ending time,
and the session key, all encrypted in the private key of the server from which the client
is requesting services.
Kerberos is based on the following principles:
• The KDC knows the secret keys of all clients and servers on the network.
• The KDC initially exchanges information with the client and server by using these secret keys.
• Kerberos authenticates a client to a requested service on a server through the TGS and by issuing
temporary session keys for communications between the client and KDC, the server and KDC, and the
client and server.
• Communications then take place between the client and server using these temporary session keys.
Figure 6.4 from the text illustrates this process. If the Kerberos servers are subjected to denial-of-service
attacks, no client can request services. If the Kerberos servers, service providers, or clients' machines are
compromised, their private key information may also be compromised.
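An added example, not code from the chapter or from any Kerberos implementation, that walks through the three exchanges described above with both sides' messages: the AS exchange at login, the TGS exchange that yields a ticket for a service, and the presentation of that ticket to the service. Tickets carry the client's name and address, a validity window and a session key, sealed under the key of the party they are for, exactly as the text describes. The "encryption" is a toy authenticated construction built from HMAC-SHA256 (constructed for the example, not a real Kerberos enctype), the password-to-key function is a plain hash, and the realm with user "alice", the "krbtgt" service and a "printer" service is constructed.

```python
import hashlib
import hmac
import json
import os
import time


def key_from_password(password: str) -> bytes:
    """Simplified string-to-key: a client's long-term Kerberos key is derived from its password."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption constructed for this example (not a Kerberos enctype):
    XOR with an HMAC-SHA256 keystream, then an HMAC tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    plaintext = json.dumps(fields).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_ticket(ticket: dict, auth: dict, skew: int = 300) -> None:
    """Name and address in the authenticator must match the ticket, the ticket must be inside
    its validity window, and the authenticator timestamp must be fresh (limits replay)."""
    now = time.time()
    if auth["client"] != ticket["client"] or auth["addr"] != ticket["addr"]:
        raise ValueError("authenticator does not match ticket")
    if not ticket["start"] - skew <= now <= ticket["end"]:
        raise ValueError("ticket expired or not yet valid")
    if abs(now - auth["ts"]) > skew:
        raise ValueError("stale authenticator")


def make_authenticator(skey_hex: str, client: str, addr: str) -> bytes:
    return seal(bytes.fromhex(skey_hex), {"client": client, "addr": addr, "ts": time.time()})


class KDC:
    """Knows every principal's secret key; acts as AS and TGS ("krbtgt" names the TGS key)."""

    def __init__(self, principals: dict, lifetime: int = 3600):
        self.keys, self.lifetime = principals, lifetime

    def as_exchange(self, client: str, addr: str):
        """AS_REQ/AS_REP: a client<->TGS session key sealed under the client's key, plus a
        ticket-granting ticket (TGT) sealed under the TGS key."""
        skey, now = os.urandom(32).hex(), time.time()
        tgt = {"client": client, "addr": addr, "start": now, "end": now + self.lifetime, "skey": skey}
        return seal(self.keys[client], {"skey": skey}), seal(self.keys["krbtgt"], tgt)

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str):
        """TGS_REQ/TGS_REP: validate TGT and authenticator, then issue a service ticket sealed
        under the service's key plus a client<->service session key sealed under the TGS session key."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        check_ticket(tgt, unseal(bytes.fromhex(tgt["skey"]), authenticator))
        svc_key, now = os.urandom(32).hex(), time.time()
        ticket = {"client": tgt["client"], "addr": tgt["addr"], "start": now,
                  "end": now + self.lifetime, "skey": svc_key}
        return seal(bytes.fromhex(tgt["skey"]), {"skey": svc_key}), seal(self.keys[service], ticket)


def server_accept(server_key: bytes, ticket_blob: bytes, authenticator: bytes) -> bool:
    """AP_REQ on the service side: open the ticket with the server's own key, then the
    authenticator with the session key carried inside the ticket."""
    ticket = unseal(server_key, ticket_blob)
    check_ticket(ticket, unseal(bytes.fromhex(ticket["skey"]), authenticator))
    return True


def login_and_access(kdc: KDC, client: str, password: str, addr: str,
                     service: str, server_key: bytes) -> bool:
    """Client side of all three exchanges: log in once (AS), obtain a ticket for the service
    (TGS), present it (AP). Returns False if any party rejects a message."""
    try:
        enc, tgt = kdc.as_exchange(client, addr)
        tgs_skey = unseal(key_from_password(password), enc)["skey"]  # a wrong password fails here
        enc2, ticket = kdc.tgs_exchange(tgt, make_authenticator(tgs_skey, client, addr), service)
        svc_skey = unseal(bytes.fromhex(tgs_skey), enc2)["skey"]
        return server_accept(server_key, ticket, make_authenticator(svc_skey, client, addr))
    except ValueError:
        return False


# Constructed realm: one user, the ticket-granting service and a print service
PRINTER_KEY = os.urandom(32)
REALM = KDC({"alice": key_from_password("correct horse"), "krbtgt": os.urandom(32),
             "printer": PRINTER_KEY})
```

Note that the password is never sent: a wrong password simply fails to open the AS reply. Everything the KDC holds, including the service keys, is what an attacker gains if the KDC is compromised, which is the risk the text closes on.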
6.2. Access Control
Access control is "the prevention of unauthorized use of a resource, including the prevention of use of a
resource in an unauthorized manner", and it is a central element of computer security.
This lesson focuses on access control enforcement within a computer system. We can view access control
as the central element of computer security. The principal objectives of computer security are to prevent
unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources
in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
We consider the situation of a population of users and user groups that are able to authenticate to a system
and are then assigned access rights to certain resources on the system.

Figure 6.1
This chapter deals with a narrower, more specific concept of access control which implements a security
policy that specifies who or what may have access to each specific system resource and the type of access
that is permitted in each instance. Figure 6.1 from the text shows the broader context of access control. In
addition to access control, this broader context involves the following entities and functions:
A) Authentication: the verification of an identity claimed by or for a system entity.
B) Authorization: the granting of a right or permission to a system entity to access a system resource.
This function determines who is trusted for a given purpose.
C) Audit: an independent review and examination of system records and activities in order to test for
adequacy of system controls, to ensure compliance with established policy and operational procedures, to
detect breaches in security, and to recommend any indicated changes in control, policy and procedures.
An access control mechanism mediates between a user (or a process executing on behalf of a user) and
system resources, such as files and database. The system must first authenticate a user seeking access.
Then, the access control function determines if the specific requested access by this user is permitted. A
security administrator maintains an authorization database that specifies what type of access to which
resources is allowed for this user. The access control function consults this database to determine whether
to grant access. An auditing function monitors and keeps a record of user accesses to system resources.
All operating systems have at least a rudimentary, and in many cases a quite robust, access control
component. Particular applications or utilities, such as a database management system, also incorporate
access control functions.

An access control policy, which is embodied in an authorization database, dictates what types of access
are permitted, under what circumstances, and by whom.
6.3 Access control models
Access control policies are generally grouped into the following access control categories:
A) Discretionary access control (DAC): based on the identity of the requestor and on access rules
(authorizations) stating what requestors are (or are not) allowed to do. This policy is termed discretionary
because an entity might have access rights that permit the entity, by its own volition, to enable another
entity to access some resource. It allows users to control access to their data as owners of that data.
B) Mandatory access control (MAC): based on comparing security labels (which indicate how sensitive
or critical system resources are) with security clearances (which indicate which system entities are eligible
to access certain resources). This policy is termed mandatory because an entity that has clearance to access
a resource may not, just by its own volition, enable another entity to access that resource. It applies
the strictest access control, enabling user access based on security clearance.
C) Role-based access control (RBAC): based on the roles that users have within the system and on rules
stating what accesses are allowed to users in given roles.
DAC is the traditional method of implementing access control. MAC is a concept that evolved out of
requirements for military information security and is best covered in the context of trusted systems. RBAC
has become increasingly popular.
Access Control Requirements:
• Reliable input: access control assumes that a user is authentic; thus, an authentication mechanism is
needed as a front end to an access control system. System administrators should also be able to choose
coarse-grain specification for some classes of resource access.
• Least privilege: access control should be implemented so that each system entity is granted the minimum
system resources and authorizations needed to do its work.
• Separation of duty: steps in a system function should be divided among different individuals, so as to
keep a single individual from subverting the process.
• Open and closed policies: a closed policy only allows accesses that are specifically authorized;
an open policy allows all accesses except those expressly prohibited.
• Policy combinations and conflict resolution: multiple policies may apply to a given class of
resources, and a procedure is needed to resolve conflicts between policies.
• Administrative policies: specify who can add, delete, or modify authorization rules; access control
and other control mechanisms are also needed to enforce these administrative policies.
Access Control Elements:
The basic elements of access control are: subject, object, and access right.
A subject is an entity capable of accessing objects, usually a process. Any user or application actually
gains access to an object by means of a process that represents it. A subject is typically held accountable
for the actions it has initiated, and an audit trail may be used to associate a subject with the security-relevant
actions performed on an object. Basic access control systems typically define three classes of
subject:
• Owner: This may be the creator of a resource, such as a file. For system resources, ownership may
belong to a system administrator. For project resources, a project administrator or leader may be assigned
ownership.
• Group: In addition to the privileges assigned to an owner, a named group of users may also be granted
access rights, such that membership in the group is sufficient to exercise these access rights.
• World: The least amount of access is granted to users who are able to access the system but are not
included in the categories owner and group for this resource.
An object is any resource to which access is controlled. In general, an object is an entity used to contain
and/or receive information. Examples include records, blocks, pages, segments, files, portions of files,
directories, directory trees, mailboxes, messages, and programs. The number and types of objects to be
protected by an access control system depend on the environment in which access control operates.
An access right describes the way in which a subject may access an object. Access rights could include
the following: read, write, execute, delete, create, search.
In general, all access control approaches rely on the following four mechanisms, which represent the four
fundamental functions of access control systems:
i. Identification: I am a user of the system.
ii. Authentication: I can prove I’m a user of the system.
iii. Authorization: Here’s what I can do with the system.
iv. Accountability: You can verify my use of the system.
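As an added example (not code from the chapter), the subject/object/access-right elements and the three policy categories of 6.3 as a small authorization database in Python. DAC uses the owner/group/world classes under a closed policy, and only the owner may extend rights; MAC compares clearance with label (no read up, no write down, a Bell-LaPadula style rule assumed here); RBAC maps roles to rights. The policies are combined with deny-overrides conflict resolution and every decision is written to an audit list, matching the authorization, access control and audit functions described in 6.2. The label lattice, roles, users and the payroll file are constructed.

```python
from dataclasses import dataclass, field

# Constructed label lattice (MAC) and role definitions (RBAC); not from the text
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
ROLE_RIGHTS = {"auditor": {"read"}, "operator": {"read", "write", "execute"}}


@dataclass
class Subject:
    name: str
    groups: set
    clearance: str   # MAC clearance
    roles: set       # RBAC roles


@dataclass
class Object:
    name: str
    owner: str
    group: str
    label: str                                  # MAC sensitivity label
    rules: dict = field(default_factory=dict)   # DAC: "owner" / "group" / "world" -> set of rights


def subject_class(s: Subject, o: Object) -> str:
    """Owner, group or world: the three classes of subject."""
    if s.name == o.owner:
        return "owner"
    return "group" if o.group in s.groups else "world"


def dac_allows(s: Subject, o: Object, right: str) -> bool:
    """Closed policy: only rights explicitly authorized for the subject's class are permitted."""
    return right in o.rules.get(subject_class(s, o), set())


def dac_grant(granter: Subject, o: Object, cls: str, right: str) -> None:
    """Discretionary: the owner may, by its own volition, extend a right to group or world."""
    if granter.name != o.owner:
        raise PermissionError(f"{granter.name} is not the owner of {o.name}")
    o.rules.setdefault(cls, set()).add(right)


def mac_allows(s: Subject, o: Object, right: str) -> bool:
    """Mandatory: read needs clearance >= label (no read up); write needs clearance <= label
    (no write down). The owner cannot override this by granting DAC rights."""
    c, l = LEVELS[s.clearance], LEVELS[o.label]
    return c <= l if right == "write" else c >= l


def rbac_allows(s: Subject, o: Object, right: str) -> bool:
    """Role-based: the right must be allowed to at least one of the subject's roles."""
    return any(right in ROLE_RIGHTS.get(r, set()) for r in s.roles)


AUDIT = []  # audit trail of (subject, right, object, decision)


def check_access(s: Subject, o: Object, right: str,
                 policies=(dac_allows, mac_allows, rbac_allows)) -> bool:
    """Policy combination with deny-overrides conflict resolution; every decision is audited."""
    decision = all(p(s, o, right) for p in policies)
    AUDIT.append((s.name, right, o.name, "GRANT" if decision else "DENY"))
    return decision


# Constructed scenario: alice owns a secret payroll file in the finance group
PAYROLL = Object("payroll.db", owner="alice", group="finance", label="secret",
                 rules={"owner": {"read", "write"}})
ALICE = Subject("alice", {"finance"}, "secret", {"operator"})
BOB = Subject("bob", {"finance"}, "secret", {"auditor"})
CAROL = Subject("carol", {"finance"}, "confidential", {"auditor"})
```

In the scenario, bob gets nothing until alice grants the group read access (DAC), carol is still denied afterwards because her clearance is below the label (MAC overrides the owner's discretion), and bob's auditor role never permits a write (RBAC), with each decision landing in the audit trail.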
Biometric access control
Biometric access control is an access control approach based on the use of a measurable human
characteristic or trait to authenticate the identity of a proposed system user (a supplicant). Biometric access
control relies on recognition, the same thing you rely on to identify friends, family, and other people you
know. The use of biometric-based authentication is expected to have a significant impact in the future as
technical and ethical issues with the technology are resolved.
Biometric authentication technologies include the following:
• Fingerprint: comparison of the supplicant's actual fingerprint to a stored fingerprint
• Palm print: comparison of the supplicant's actual palm print to a stored palm print
• Hand geometry: comparison of the supplicant's actual hand to a stored measurement
• Facial recognition using a photographic ID card, in which a human security guard compares the
supplicant's face to a photo
• Facial recognition using a digital camera, in which a supplicant's face is compared to a
stored image
• Retinal print: comparison of the supplicant's actual retina to a stored image
• Iris pattern: comparison of the supplicant's actual iris to a stored image
Among all possible biometrics, only three human characteristics are usually considered truly
unique:
A) Fingerprints
B) Retina of the eye (blood vessel pattern)
C) Iris of the eye (random pattern of features found in the iris, including freckles, pits, striations,
vasculature, coronas, and crypts)
A figure in the text depicts some of these human recognition characteristics.