IAS Chapter 4 Final

The document discusses various methods of authentication and access control. It describes authentication as verifying a user's identity, while access control determines what resources a user can access. It then covers specific authentication methods like passwords, biometrics, and AAA servers. For access control, it defines models like mandatory access control, discretionary access control, rule-based access control, and role-based access control. It provides details on how each model works and how permissions are determined.

Uploaded by

teshu wodesa

Chapter Four

Authentication and Access Control

Information Assurance and Security 2015 E.C
4.1. Authentication basics

• Authentication is the process by which you verify that someone is who he claims to be.
It is the step at which you announce who you are.

• Authentication does not determine what tasks the individual can do or what files the
individual can see.

• Authentication merely identifies and verifies who the person or system is.

• Generally, Authentication means to confirm your own identity.

• Most systems use identification and authentication through user name and password.
4.1. Authentication Basics…
Authentication technology provides access control for systems by checking to
see if a user's credentials match the credentials in a database of authorized users or
in a data authentication server.
4.1.1. Password
• A password is a word, phrase, or string of characters intended to differentiate an
authorized user or process (for the purpose of permitting access) from an
unauthorized user; put another way, a password is used to prove one's
identity or to authorize access to a resource.
• A password is usually paired with a username or other mechanism to provide
authentication. Generally, passwords are hard to remember and easy to crack.
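The username/password pairing described above, as an added example that is not part of the original slides: the verifier stores only a salted PBKDF2 hash per user (never the password), recomputes it at login, and compares in constant time. The user table, the passphrase and the iteration count are constructed for this example; a production deployment would use a higher iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example: PBKDF2-HMAC-SHA256 with a random 16-byte
# salt per user. Iterations are kept moderate so the example runs quickly.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                            # malformed record: deny
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed user database keyed by username; only the hash record is kept.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}


def authenticate(username: str, password: str) -> bool:
    """Identification (username) followed by authentication (password check).
    An unknown username is still run through a hash so the response time does
    not reveal which usernames exist."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, hash_password("dummy"))   # spend the same time
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong"))                           # False
    print(authenticate("mallory", "anything"))                      # False
```

The record format carries its own algorithm, iteration count and salt, so the count can be raised later for new users without breaking existing ones.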
Authentication Basics…

4.1.2 . Biometrics
• The term biometrics is derived from the Greek words bio, meaning life, and
metric, meaning to measure.
• Biometrics is the measurement and statistical analysis of people's unique
characteristics.
• The technology is mainly used for identification and access control or for
identifying individuals who are under surveillance.
• The basic premise of biometric authentication is that every person can be
accurately identified by intrinsic physical or behavioral traits.
Authentication Basics…
Biometrics are largely used because of two major benefits:
• The convenience of use: Biometrics are always with you and cannot be lost or
forgotten.
• Difficult to steal or impersonate: Biometrics can’t be stolen like a password or
key can.
• Biometric recognition is the individual's presentation of his unique biometric
parameter and the process of comparing it with the entire database of available
data. There are two main types of biometrics:
 Physical identification
 Behavioral identification
Biometrics…

Physical identification:
• Face shape
• The shape and structure of the skull
• Retina (rarely used as an identifier)
• The iris of the eye
• Palm, hand, or finger geometry
• Fingerprint
• Drawing of veins on the palm or finger
• DNA
• Ear shape

Behavioral identification:
• Signature recognition
• Voice recognition
• Gait recognition
• Keystroke dynamics
Authentication Basics…

4.1.3. AAA server

AAA (Authentication, Authorization and Accounting) is a standards-based
framework used to control who is permitted to use network resources
(through authentication), what they are authorized to do (through
authorization), and to capture the actions performed while accessing the network
(through accounting).
AAA server

Authentication
Authenticators are based on at least one of the following 4 factors:
• Something you know: password or a personal identification number (PIN).
This assumes that only the owner of the account knows the password or PIN.
• Something you have: smart card or security token. The owner is assumed to
have the smart card needed to unlock the account.
• Something you are: fingerprint, voice, or retina.
• Where you are: inside or outside a company.
AAA server
Authorization
• Authorization determines what a subject can do; it means to grant access to the system.
• Authorization is a process by which a server determines if the client has permission
to use a resource or access a file.
• The type of authentication required for authorization may vary. What does this mean?
• Passwords may be required in some cases but not in others (e.g., SIMS, ATM
card, credit card, web page). In some cases there is no authorization; any user may
use a resource or access a file simply by asking for it.
• Most of the web pages on the Internet require no authentication or authorization.


AAA server

• Accountability identifies what a subject (or all subjects associated with a user) did.
• It uses system components such as audit trails (records) and logs to associate a
subject with its actions.
• The information recorded should be sufficient to map the subject to a controlling
user.
• Authentication may use a trusted third party, such as a bank, key distribution center
(KDC), Authentication Server (AS), Ticket Granting Server (TGS), etc.
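The three AAA functions and the authentication factors above, as an added example that is not part of the original slides: a small in-memory server that authenticates with two factors (something you know: a password; something you have: a counter-based token code), authorizes against a per-user permission table, and writes every decision to an audit log so that failed logins can be counted. The user, secrets and permissions are constructed; the token code uses the HMAC-SHA1 dynamic truncation of RFC 4226 (HOTP) without its resynchronization window, and the password is stored in plaintext only to keep the example short.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed credential tables. A real AAA server keeps salted password hashes
# rather than plaintext and provisions token secrets out of band.
PASSWORDS: Dict[str, str] = {"alice": "s3cret-alice"}               # something you know
TOKEN_SECRETS: Dict[str, bytes] = {"alice": b"alice-token-secret"}  # something you have
PERMISSIONS: Dict[str, Set[str]] = {"alice": {"vpn:connect", "share:read"}}


def token_code(secret: bytes, counter: int) -> str:
    """Six-digit one-time code for an event counter (RFC 4226 HOTP truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


@dataclass
class AAAServer:
    # Per-user token counter: a code is accepted once, then the counter advances.
    counters: Dict[str, int] = field(default_factory=lambda: {"alice": 0})
    # Accounting records: (timestamp, subject, action, outcome)
    audit_log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def _record(self, user: str, action: str, outcome: str) -> None:
        """Accounting: every decision is written with a timestamp and the subject."""
        self.audit_log.append((time.time(), user, action, outcome))

    def authenticate(self, user: str, password: str, code: str) -> bool:
        """Authentication: both factors must verify. The caller only learns
        pass/fail; the reason stays in the audit log."""
        known_ok = hmac.compare_digest(
            PASSWORDS.get(user, "").encode(), password.encode())
        counter = self.counters.get(user, 0)
        have_ok = user in TOKEN_SECRETS and hmac.compare_digest(
            token_code(TOKEN_SECRETS[user], counter).encode(), code.encode())
        if known_ok and have_ok:
            self.counters[user] = counter + 1      # a used code cannot be replayed
            self._record(user, "login", "success")
            return True
        self._record(user, "login", "failure")
        return False

    def authorize(self, user: str, permission: str) -> bool:
        """Authorization: decided after authentication, from the permission table."""
        allowed = permission in PERMISSIONS.get(user, set())
        self._record(user, permission, "allowed" if allowed else "denied")
        return allowed

    def failed_logins(self, user: str) -> int:
        """Accounting data is what lets a defender notice password guessing."""
        return sum(1 for _, subject, action, outcome in self.audit_log
                   if subject == user and action == "login" and outcome == "failure")


if __name__ == "__main__":
    server = AAAServer()
    code = token_code(TOKEN_SECRETS["alice"], 0)              # what the token displays
    print(server.authenticate("alice", "s3cret-alice", code))  # True
    print(server.authenticate("alice", "s3cret-alice", code))  # False: replayed code
    print(server.authorize("alice", "vpn:connect"))            # True
    print(server.authorize("alice", "share:write"))            # False
    for entry in server.audit_log:
        print(entry)
```

Note that authorization is recorded even when it is denied: the audit trail has to map every attempted action, not only the successful ones, back to a subject.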
Smart cards and memory cards

• How can smart cards provide authentication and access control?
• A smart card is a physical card that contains a microprocessor and memory.
• The microprocessor can be used to process data, and the memory can be used to
store data.
• It is used to control access to a resource. For example, a cardholder can use a PIN code
or biometric data for authentication.
• They also provide a way to securely store data on the card and protect
communications with encryption.
4.2. Access control basics

• Access control is identifying a person doing a specific job, authenticating them
by looking at their identification, then giving that person only the key to the door
or computer that they need access to and nothing more.
• In the world of information security, one would look at this as granting an
individual permission to get onto a network via a username and password,
allowing them access to files, computers, or other hardware or software the
person requires, and ensuring they have the right level of permission (i.e., read-only)
to do their job.
Access control models

• Access control models are methods that enable one to grant the right level of
permission to an individual so that they can perform their duties based on the granted
permission. Access control models come in four flavors:
• Mandatory Access Control (MAC),
• Discretionary Access Control (DAC),
• Rule-Based Access Control (RBAC or RB-RBAC), and
• Role-Based Access Control (RBAC).


Mandatory Access Control (MAC)
• MAC is a method of limiting access to resources based on the sensitivity of the information
that the resource contains and the authorization of the user to access information with
that level of sensitivity.
• MAC criteria are defined by the system administrator, strictly enforced by the
operating system or security kernel, and cannot be altered by end users.
• When a person or device tries to access a specific resource, the OS or security kernel
will check the entity's credentials to determine whether access will be granted.
• Classifications include confidential, secret and top secret.
• It is often employed in government and military facilities.
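The MAC check described above, as an added example that is not part of the original slides: the classification levels from the slide are ordered, every subject carries an administrator-assigned clearance, and the kernel-side decision compares the two on each access. The read rule ("no read up") is what the slide describes; the write rule ("no write down") is the *-property of the Bell-LaPadula model and goes slightly beyond the slide. Subjects, objects and the administrator name are constructed.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels named on the slide, ordered least to most sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Labels are assigned by the administrator; subjects cannot edit these tables.
CLEARANCES = {"analyst": Level.SECRET, "clerk": Level.CONFIDENTIAL}
CLASSIFICATIONS = {
    "budget.doc": Level.CONFIDENTIAL,
    "report.doc": Level.SECRET,
    "ops-plan.doc": Level.TOP_SECRET,
}
ADMINS = frozenset({"secadmin"})   # constructed administrator account


def mac_decision(subject: str, obj: str, mode: str) -> bool:
    """The check the security kernel performs on every access attempt."""
    clearance = CLEARANCES.get(subject)
    classification = CLASSIFICATIONS.get(obj)
    if clearance is None or classification is None:
        return False                           # unlabeled means default deny
    if mode == "read":
        return clearance >= classification     # no read up
    if mode == "write":
        return clearance <= classification     # no write down (Bell-LaPadula *-property)
    return False                               # unknown access modes are denied


def set_label(requester: str, obj: str, level: Level) -> bool:
    """Only the administrator may relabel an object; end users are refused."""
    if requester not in ADMINS:
        return False
    CLASSIFICATIONS[obj] = level
    return True


if __name__ == "__main__":
    print(mac_decision("analyst", "budget.doc", "read"))     # True  (SECRET >= CONFIDENTIAL)
    print(mac_decision("analyst", "ops-plan.doc", "read"))   # False (no read up)
    print(mac_decision("analyst", "budget.doc", "write"))    # False (no write down)
    print(set_label("analyst", "budget.doc", Level.UNCLASSIFIED))  # False: not an admin
```

Because the decision is computed from labels rather than from anything the owner of a file chose, a user who can read a secret document still cannot copy it into a confidential one, which is the property MAC is deployed for.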


Discretionary access control (DAC)
• DAC is a type of security access control that grants or restricts object access via
an access policy determined by an object's owner group and/or subjects.
• Unlike Mandatory Access Control (MAC), where access to system resources is
controlled by the operating system (under the control of a system administrator),
Discretionary Access Control (DAC) allows each user to control access to their
own data.
• DAC is typically the default access control mechanism for most desktop
operating systems.
Discretionary access control (DAC)…

• Instead of a security label in the case of MAC, each resource object on a DAC
based system has an Access Control List (ACL) associated with it.

• An ACL contains a list of users and groups to which the user has permitted
access together with the level of access for each user or group.

• For example, User A may provide read-only access on one of her files to User
B, read and write access on the same file to User C and full control to any user
belonging to Group 1.
Discretionary access control (DAC)…

• Discretionary Access Control provides a much more flexible environment than
Mandatory Access Control but also increases the risk that data will be made
accessible to users that should not necessarily be given access.
• An example is the Unix file mode, which represents read, write, and execute as
three bits for each user class.
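The ACL example from the previous slide (User A gives B read-only, C read and write, and Group 1 full control) and the Unix file mode, as an added example that is not part of the original slides. The object owner edits the ACL at their discretion, and full control includes the right to edit the ACL, which is exactly how DAC lets data spread beyond what an administrator intended. Names, groups and the mode values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

READ, WRITE, EXECUTE = "read", "write", "execute"
CHANGE_PERMS = "change_permissions"
FULL_CONTROL = {READ, WRITE, EXECUTE, CHANGE_PERMS}

# Constructed group membership; on a real system this comes from the directory.
GROUPS: Dict[str, Set[str]] = {"group1": {"dave", "erin"}}


@dataclass
class DacObject:
    owner: str
    # ACL: principal ("user:<name>" or "group:<name>") -> permissions granted
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, user: str, perm: str) -> bool:
        """Owner always has access; otherwise look up user, then group entries."""
        if user == self.owner:
            return True
        if perm in self.acl.get(f"user:{user}", set()):
            return True
        return any(perm in self.acl.get(f"group:{name}", set())
                   for name, members in GROUPS.items() if user in members)

    def grant(self, actor: str, principal: str, perms: Set[str]) -> bool:
        """Only the owner, or someone holding change_permissions, may edit the ACL."""
        if actor != self.owner and not self.allows(actor, CHANGE_PERMS):
            return False
        self.acl.setdefault(principal, set()).update(perms)
        return True


def unix_mode_allows(mode: int, owner: str, group: str,
                     user: str, user_groups: Set[str], perm: str) -> bool:
    """Classic Unix DAC: mode is the 9-bit rwxrwxrwx value (e.g. 0o640).
    The first matching class (owner, then group, then other) decides."""
    bit = {READ: 4, WRITE: 2, EXECUTE: 1}[perm]
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


if __name__ == "__main__":
    f = DacObject(owner="alice")                       # User A owns the file
    f.grant("alice", "user:bob", {READ})               # User B: read-only
    f.grant("alice", "user:carol", {READ, WRITE})      # User C: read and write
    f.grant("alice", "group:group1", set(FULL_CONTROL))  # Group 1: full control
    print(f.allows("bob", WRITE))                      # False
    print(f.grant("bob", "user:frank", {READ}))        # False: bob cannot re-share
    print(f.grant("dave", "user:frank", {READ}))       # True: group1 can, alice never chose frank
    print(unix_mode_allows(0o640, "alice", "staff", "bob", {"staff"}, READ))   # True
    print(unix_mode_allows(0o640, "alice", "staff", "eve", {"other"}, READ))   # False
```

The last `grant` call is the risk the slide warns about: once full control is delegated, the owner no longer decides who ends up on the ACL.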
Rule-Based Access Control (RBAC or RB-RBAC)
• As with MAC, access control cannot be changed by users. All access permissions
are controlled solely by the system administrator.

• As with DAC, access properties are stored in Access Control Lists (ACL)
associated with each resource object. When a particular group attempts to access a
resource, the OS checks the rules contained in the ACL for that object.

• Rule-based models set rules that apply, regardless of job roles.

• Rule-based access controls are preventative – they don’t determine access levels
for employees. Instead, they work to prevent unauthorized access.

• Rule-based models are generic – they apply to all employees, regardless of role.
Role-Based Access Control (RBAC)

• This model is set and managed by security administrators; employees cannot
change their permissions or control access.
• Role-based models are proactive: they provide employees with a set of
circumstances in which they can gain authorized access.
• Role-based models apply to employees on a case-by-case basis, determined by
their role. Roles differ from groups in that while users may belong to multiple
groups, a user under RBAC may only be assigned a single role in an organization.
• For instance, the accountant gets the same permissions as all other accountants,
nothing more and nothing less.
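Rule-based and role-based access control from the two slides above, as one added example that is not part of the original slides, showing how the two compose: role definitions grant permissions (every accountant gets the same set, and each user holds exactly one role), while generic rules apply to everyone regardless of role and can only deny. The roles, users, network range and working hours are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set

# Role -> permissions, defined by the security administrator (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "accountant": {"ledger:read", "ledger:post"},
    "auditor": {"ledger:read"},
}
# Each user holds exactly one role; employees cannot edit this table.
USER_ROLE: Dict[str, str] = {"alice": "accountant", "bob": "accountant", "carol": "auditor"}

# Generic rules that apply to all employees (constructed values).
CORPORATE_NET = ip_network("10.0.0.0/8")
WORK_HOURS = range(8, 18)        # 08:00 up to 17:59 local time


@dataclass
class Request:
    user: str
    permission: str
    hour: int          # local hour at which the request is made, 0-23
    source_ip: str


def rule_based_check(req: Request) -> bool:
    """Rule-based control: preventative, role-independent, deny-only."""
    if req.hour not in WORK_HOURS:
        return False                               # outside business hours
    if ip_address(req.source_ip) not in CORPORATE_NET:
        return False                               # not on the corporate network
    return True


def role_based_check(req: Request) -> bool:
    """Role-based control: the permission must come from the user's single role."""
    role = USER_ROLE.get(req.user)
    return role is not None and req.permission in ROLE_PERMISSIONS.get(role, set())


def decide(req: Request) -> bool:
    """Rules are evaluated first; a role can never override a rule's denial."""
    return rule_based_check(req) and role_based_check(req)


if __name__ == "__main__":
    print(decide(Request("alice", "ledger:post", 10, "10.1.2.3")))    # True
    print(decide(Request("bob", "ledger:post", 10, "10.1.2.3")))      # True: same role, same rights
    print(decide(Request("carol", "ledger:post", 10, "10.1.2.3")))    # False: auditors only read
    print(decide(Request("alice", "ledger:post", 22, "10.1.2.3")))    # False: rule denies after hours
    print(decide(Request("alice", "ledger:post", 10, "203.0.113.5")))  # False: rule denies off-network
```

Changing what accountants may do is a single edit to `ROLE_PERMISSIONS`, and it applies to every accountant at once; the rules never need to know which roles exist.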
Thank You!!!
