4. 1
Access control
1. Identification
– Who do you say you are?
2. Authentication (1)
– Prove it!
3. Authorisation (1 & 2 & ACL/Capability List)
– OK, so here is what you can do.
4. Accountability (1 & 2 & Audit trail)
– You are responsible for this!
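The four steps above, worked through as an added example that is not part of the original slides: identification is the user-id lookup, authentication is the salted password-hash comparison, authorisation is the ACL check, and accountability is the audit record written for every request, whatever its outcome. The user names, object names, rights and the `AccessControl` class are constructed for illustration; the example also shows that a capability list is just the same access matrix read per subject instead of per object.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes


def make_user(user_id: str, password: str) -> User:
    """Store a salted PBKDF2 hash rather than the password itself (constructed sample users)."""
    salt = os.urandom(16)
    return User(user_id, salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


# Access matrix kept as an ACL: object -> {subject: set of rights}. Constructed data.
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr.docs": {"bob": {"read"}},
}


def capability_list(acl: dict, subject: str) -> dict:
    """The capability-list view of the same matrix: everything one subject may do."""
    return {obj: rights
            for obj, entries in acl.items()
            for subj, rights in entries.items()
            if subj == subject}


class AccessControl:
    def __init__(self, users: list, acl: dict):
        self.users = {u.user_id: u for u in users}
        self.acl = acl
        self.audit = []          # accountability: append-only trail of every decision

    def _log(self, user_id: str, obj: str, right: str, outcome: str) -> None:
        self.audit.append((user_id, obj, right, outcome))

    def request(self, user_id: str, password: str, obj: str, right: str) -> bool:
        # 1. Identification: who does the caller claim to be?
        user = self.users.get(user_id)
        if user is None:
            self._log(user_id, obj, right, "unknown user")
            return False
        # 2. Authentication: prove it (constant-time compare of the derived hash).
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
        if not hmac.compare_digest(candidate, user.pw_hash):
            self._log(user_id, obj, right, "authentication failed")
            return False
        # 3. Authorisation: is this right granted to this subject on this object?
        if right not in self.acl.get(obj, {}).get(user_id, set()):
            self._log(user_id, obj, right, "denied")
            return False
        # 4. Accountability: the granted action is recorded against the identified user.
        self._log(user_id, obj, right, "granted")
        return True


def demo() -> AccessControl:
    ac = AccessControl([make_user("alice", "correct horse"), make_user("bob", "battery staple")], ACL)
    ac.request("alice", "correct horse", "payroll.db", "read")    # granted
    ac.request("bob", "battery staple", "payroll.db", "write")     # denied by ACL
    ac.request("alice", "wrong password", "payroll.db", "read")    # authentication failed
    ac.request("eve", "anything", "hr.docs", "read")               # unknown user
    return ac


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Note that the audit trail is written for failed identifications and authentications too; an accountability record that only captures successes is useless for detecting guessing attempts.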
5. 1
Identification methods
• User ID
• Account number
• PIN
• Badge
• Biometrics
6. 1
Identifier characteristics
• Unique to each user
• Not relating to a job function
• Standardised naming conventions
7. 1
Authentication
• Knowledge based
– Something only you know
• Ownership based
– Something only you have
• Characteristics based
– Something only you are
8. 1
Traditional means of identification
and authentication
• People knew each other in person
– They used face recognition
– Something only you are (biometrics)
• Internet made it useless
– More need for proving identity
– Impossible to know people in person
9. 1
Authentication
Each single factor is fairly
easy to compromise
Let's use 2 factors!
11. 1
Classic examples of 2FA
ATM (Automated Teller Machine)
– Something you have (card)
– Something you know (PIN)
Credit card and signature
– Something you have (card)
– Something you are (signature)
13. 2. Knowledge
Password/PIN
• Free
• Easy to use
– People got used to it and understand it
• The weakest factor
– Easily guessable/brute-forceable, or too complex
• Too complex ones get written down
– One password everywhere, or many to remember
• If there are too many, they get written down
14. 2. Knowledge
Cognitive password
• Series of random personal questions
• Takes longer to authenticate
• No need to remember a password
• Fairly weak if based on personal information
15. 2. Knowledge
Passphrase
• Longer to enter than a password
• Less susceptible to brute forcing and guessing
• Still sniff-able and susceptible to key logging
16. 2. Knowledge
SYK Pros/Cons
• No need to carry anything
• Susceptible to classic attacks
– Key logging
– Social engineering/shoulder surfing
– Brute force/dictionary attacks
– Sniffing and replay attacks
– IT Staff abuse of privileges
– Man in the middle attacks
17. 2. Knowledge
SYK Pros/Cons
• No strong accountability
– Easily shareable
• Frequently written down
in predictable places
19. 3. Ownership
PKI Certificate
• Transfers trust
– Make sure the signer is trustworthy!
• Usually server authenticates to the user
– Mutual authentication may cause significant
administrative overhead
• Something not only you have
– Google: "index of" +ovpn
– Courtesy Aleksander P.
20. 3. Ownership
One Time Password (OTP) list
• Session based authentication
• Valid only once
– Usually only for a short period of time
• Not reusable by design
– Not susceptible to replay attacks
• A paper list or an electronic generator
22. 3. Ownership
Asynchronous token
(challenge – response)
Usually requires the user to retype the challenge into the token
27. 3. Ownership
Synchronous token
• Generates a deterministic random-looking
value every minute/button push
• The value is cryptographically derived from:
– The previous value
– A shared secret known only to a token and to
an authentication server
v1 = f(seed, secret); v2 = f(v1, secret); etc.
• The secret is unrecoverable from the
token*
* With today’s technology
28. 3. Ownership
Synchronous token
• Time-based synchronisation
– De-syncing in time if not used
– Clock drift is corrected
– Server accepts neighbouring values
• Event-based synchronisation
– Easily de-synced by issuing too many values ahead
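The two synchronisation schemes on the last two slides, and the OTP-list property that a value is accepted only once, as an added example that is not part of the original slides. The event-based token follows the chain the slide gives, v1 = f(seed, secret), v2 = f(v1, secret), with f taken to be HMAC-SHA256 (an assumption; real tokens use their own derivation). The time-based variant keys the value on the time step instead of the previous value, as TOTP-style tokens do (also an assumption). The server side shows the look-ahead window that tolerates unused button pushes, the neighbouring-value window that tolerates clock drift, the drift correction, and the rejection of any value at or behind the last accepted one. Secret, seed and timestamps are constructed.

```python
import hashlib
import hmac


def next_value(prev: bytes, secret: bytes) -> bytes:
    """One chain step: v_{n+1} = f(v_n, secret). HMAC-SHA256 is assumed for f."""
    return hmac.new(secret, prev, hashlib.sha256).digest()


def display_code(value: bytes, digits: int = 6) -> str:
    """Truncate a chain value to the short decimal code a token would display."""
    return str(int.from_bytes(value[:4], "big") % 10 ** digits).zfill(digits)


class EventToken:
    """Event-based token: advances the chain by one step per button push."""
    def __init__(self, seed: bytes, secret: bytes):
        self.value, self.secret = seed, secret

    def press(self) -> str:
        self.value = next_value(self.value, self.secret)
        return display_code(self.value)


class EventServer:
    """Verifier for an event-based token with a look-ahead window."""
    def __init__(self, seed: bytes, secret: bytes, lookahead: int = 5):
        self.value, self.secret, self.lookahead = seed, secret, lookahead

    def verify(self, code: str) -> bool:
        v = self.value
        for _ in range(self.lookahead):          # tolerate a few unused pushes
            v = next_value(v, self.secret)
            if hmac.compare_digest(display_code(v), code):
                self.value = v                   # resync; every earlier value is now dead
                return True
        return False                             # too far ahead: token is de-synced


def time_value(secret: bytes, step: int) -> bytes:
    """Time-based value for one time step (assumed TOTP-like keying on the step number)."""
    return hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()


def time_code(secret: bytes, token_clock: float, step_seconds: int = 60) -> str:
    """What a time-based token displays for its own (possibly drifted) clock."""
    return display_code(time_value(secret, int(token_clock // step_seconds)))


class TimeServer:
    """Verifier for a time-based token: accepts neighbouring steps and learns the drift."""
    def __init__(self, secret: bytes, step_seconds: int = 60, window: int = 1):
        self.secret, self.step_seconds, self.window = secret, step_seconds, window
        self.drift = 0        # learned token clock offset, in steps
        self.last_step = -1   # last accepted step; a value at or before it is a replay

    def verify(self, code: str, now: float) -> bool:
        server_step = int(now // self.step_seconds) + self.drift
        for offset in range(-self.window, self.window + 1):
            step = server_step + offset
            if step <= self.last_step:
                continue                         # valid only once: block replay
            if hmac.compare_digest(display_code(time_value(self.secret, step)), code):
                self.drift += offset             # clock drift is corrected here
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret, seed = b"constructed-shared-secret", b"constructed-seed"
    token, server = EventToken(seed, secret), EventServer(seed, secret)
    code = token.press()
    print("first use:", server.verify(code), "replay:", server.verify(code))
    ts = TimeServer(secret)
    print("token 70 s fast:", ts.verify(time_code(secret, 1_000_070.0), 1_000_000.0), "drift:", ts.drift)
```

The look-ahead window is the trade-off the slide describes: the larger it is, the more unused pushes the server forgives, and the more candidate values an attacker's guess could hit, so the code length and lockout policy have to be set with the window in mind.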
29. 3. Ownership
Software tokens
• Java (J2ME) applets
• More convenient
• Easier to reverse engineer
the secret out
30. 3. Ownership
Man in the Middle (MITM)
• None of the factors solve the MITM problem
• Insecure connection allows for credentials
disclosure
– SSL allows only for a TCP link authentication
37. 3. Ownership
Phishing case
• A customised attack
• A time-limited OTP is better but still
not enough
38. 3. Ownership
Out of band channel
• E.g. mobile text messaging (SMS)
• Addresses the MITM problem
• Allows for mutual end-to-end authentication
• Convenient
46. 3. Ownership
Memory card
• Also called a swipe card or a magnetic
stripe card
• Equipped with a magnetic stripe
• Interacts with a reader
• Stores authentication information
• Relatively inexpensive
• Fairly easy to duplicate
– Harder than a password, though
48. 3. Ownership
Smartcard
• Interacts through a reader
• Contains authentication information
– e.g. PKI certificate
• Is able to do crypto on-board
• Allows for continuous authentication
• Tamper-proofing solves the duplication problem
50. 3. Ownership
Contactless Smartcard
• Contains an RF transceiver (RFID)
• Works in close proximity to a reader
– Up to 10cm (ISO 14443)
– Up to 50cm (ISO 15693)
• Quick and hands-free
• Contactless credit card
– No PIN required
– Small amounts $5-50
51. 3. Ownership
Potential issues with smartcards
• Privacy concerns
– Contactless smartcards make it
possible to track individuals without
their knowledge
• Easy to damage the chip
53. 3. Ownership
Form factor
• Feasibly small and convenient
• Attachable to something you
usually have with you
– Key-dongles
– Wallet size cards
– Credit-card size tokens
– Phone applets or a phone itself
54. 3. Ownership
SYH Pros/Cons
• Not susceptible to classic attacks
– Key logging
– Shoulder surfing
– Brute force/dictionary attacks
– Sniffing and replay attacks
• Hinders social engineering attacks
• Impedes IT Staff abuse of privileges
• Stronger accountability
– Responsibility of the owner
– Although still not strong enough
58. 4. Characteristics
Static
Physiological characteristics of a human body
• Fingerprints
• Iris granularity
• Retina blood vessels
• Facial looks
• Hand geometry
59. 4. Characteristics
Dynamic
Behavioral characteristics of a human body
• Voice inflections
• Keyboard strokes
• Signature dynamics
63. 4. Characteristics
Fingerprint
static
• Characteristic points are marked on a print
• Positions are specified relatively to other
marks
64. 4. Characteristics
Fingerprint and palm print
static
• Compares computed pattern with a stored
one
• High accuracy
– Fairly simple for small sets of potential matches
• Good acceptance
• 5 – 7 seconds for reaction
65. 4. Characteristics
Fingerprint scanner types
• Static picture scanner
• Line scanners
– Scan is dynamic
– Harder to fool
67. 4. Characteristics
Hand geometry scan
static
• Measures hand features
– Length, width, thickness and contour of fingers
• Not very accurate
– Not good in large populations
• Hand shape is not as unique as a finger print
– Good in combination with another factor
• Well accepted
• Very fast reaction (3 – 5 seconds)
• Reader is quite large
68. 4. Characteristics
Diagram of a human eye
72. 4. Characteristics
Iris scan
static
• Compares retina texture with a reference
• Very high accuracy (IrisCode algorithm)
– No false match reported ever
– Iris texture remains stable over decades
• Good acceptance
– No need to touch anything
• Very fast reaction (1 – 2 seconds)
• Allows for continuous monitoring
– Distance from 10 cm to a few meters
– Needs cooperation
73. 4. Characteristics
Dynamic characteristics
• Measures confidence level
– Instead of the traditional pass/fail
• Allows for explicitly defined individual risk
appetite
– By changing accepted confidence level
74. 4. Characteristics
Voice pattern
dynamic
• Compares a speech sample with a
reference material
• Low accuracy
– Even lower with a background noise
• Well accepted
• Long response time (10 – 14 seconds)
75. 4. Characteristics
Facial recognition
dynamic
• Measures certain features of
the face
– 14 of the 80 measurable features are selected
– Distance between eyes
– Shape of chin and jaw
– Length and width of the nose
– Shape of cheek bones and eye
sockets
76. 4. Characteristics
Facial recognition
dynamic
• Good for authentication
– Accurate in controlled environment
– Could provide continuous authentication
– Less invasive than a retinal scan
• Not very good for identification
– Less accurate in moving crowd
– Not well accepted due to privacy reasons
77. 4. Characteristics
Signature dynamics
dynamic
• Records pen stroke dynamics
– Speed
– Direction
– Pressure
• Accurate
• Well accepted
• Way better than a static signature
– More features can be observed
– No physical leftovers
78. 4. Characteristics
Typing rhythm (keystroke dynamics)
dynamic
• Measures key dwell and flight times
• Well accepted
• Accurate
• Very easy to deploy
• Provides continuous authentication
– Helps to identify account sharing
• Temporal variations may render false negatives
– Gazillion of reasons
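The confidence-level idea from the "Dynamic characteristics" slide, applied to the keystroke dynamics just described, as an added example that is not part of the original slides. Dwell time is key-up minus key-down, flight time is the next key-down minus the previous key-up; an enrolment template stores per-feature mean and spread, a sample is scored by its average z-distance from the template and mapped to a confidence in 0..1, and the accept threshold is the knob the slide calls risk appetite. The key-event timings, the 5 ms spread floor, the `exp(-z)` mapping and all function names are constructed assumptions, not any product's algorithm. The tired-typist sample shows the temporal-variation false negative: rejected at a strict threshold, accepted at a looser one, while the impostor sample stays rejected at both.

```python
import math
from statistics import mean, pstdev


def features(events):
    """events: list of (key, down_ms, up_ms). Returns dwell times followed by flight times."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enrol(samples):
    """Template from several typings of the same phrase: (mean, spread) per feature.
    Spread is floored at 5 ms (assumption) so a too-consistent enrolment cannot divide by ~0."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(col), max(pstdev(col), 5.0)) for col in columns]


def confidence(template, sample):
    """Average z-distance from the template, mapped to (0, 1]; 1.0 means identical to the means."""
    z = [abs(x - m) / s for x, (m, s) in zip(features(sample), template)]
    return math.exp(-mean(z))


def decide(template, sample, threshold):
    """Pass/fail is only a threshold over the confidence; the threshold encodes risk appetite."""
    return confidence(template, sample) >= threshold


def typed(dwell_ms, flight_ms, keys="pass"):
    """Constructed key events for a phrase typed with uniform dwell and flight times."""
    events = []
    for i, key in enumerate(keys):
        down = i * (dwell_ms + flight_ms)
        events.append((key, down, down + dwell_ms))
    return events


if __name__ == "__main__":
    template = enrol([typed(100, 80), typed(110, 70), typed(90, 90)])
    for label, sample in [("genuine", typed(105, 85)), ("genuine but tired", typed(120, 100)),
                          ("impostor", typed(150, 130))]:
        c = confidence(template, sample)
        print(f"{label:18s} confidence={c:.3f} strict(0.5)={decide(template, sample, 0.5)} "
              f"loose(0.05)={decide(template, sample, 0.05)}")
```

For continuous authentication the same scorer runs over a sliding window of recent keystrokes; a confidence that collapses mid-session is the signal for account sharing the slide mentions, and the threshold per application is where the explicitly defined risk appetite lives.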
79. 4. Characteristics
SYA Pros/Cons
• Not easily transferable between humans
– Very good accountability (nothing to lose)
– Although one can lose their finger
• Immune to most of the classic attacks
– Key logging
– Shoulder surfing
– Brute force/dictionary attacks
• Hinders social engineering attacks
• Impedes IT Staff abuse of privileges
80. 4. Characteristics
SYA Pros/Cons
• May be used to track individuals (privacy
concerns)
• The most intrusive factor
• Susceptible to sniffing and replay attacks
– Suitable for local authentication
82. What is 2FA again?
Combination of any
2 of the 3 available
factors
83. And what’s not a 2FA?
• Finger scanner on your laptop
• Door pass at the premises
• Thumb-locked pendrive