Wednesday, October 7, 2009

.:: || Authentication & Access Control || ::.

Authentication?

Authentication (from Greek: αυθεντικός ; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true ("authentification" is a variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.

Requirement of Authentication

Authentication must be able to verify that:

1. The message came from its apparent source or author.
2. Its contents have not been altered.
3. Sometimes, that it was sent at a certain time or in a certain sequence.

Password

Protection of passwords
* Don't give your password to anybody.
* Don't write your password down or log in with it just anywhere.
* Etc.

Choosing a good password

Criteria: hard to guess and easy to remember.

Characteristics of a good password:
* Not shorter than six characters
* Not a pattern from the keyboard
* Etc.

Calculations on password

Password population: N = r^s, where r is the number of characters each position can take and s is the password length.
Probability of guessing a password in one try = 1/N.
Probability of success after t time units at n guesses per time unit: P = nt/N.
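The arithmetic above worked through for a few policies, as an added example (not code from the original post). The policies and the attacker's guessing rate are constructed values.

```python
# Added example (not from the original post): the post's password arithmetic,
# N = r^s, single-guess probability 1/N and P = nt/N, applied to a few policies.
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    name: str
    r: int   # number of characters each position may take (alphabet size)
    s: int   # password length

    def population(self) -> int:
        """N = r^s: how many distinct passwords the policy allows."""
        return self.r ** self.s

def guess_probability(policy: PasswordPolicy) -> float:
    """Chance that one random guess is right: 1/N."""
    return 1 / policy.population()

def success_probability(policy: PasswordPolicy, n: float, t: float) -> float:
    """P = nt/N for n guesses per second over t seconds. Capped at 1.0: once
    n*t reaches N the whole space has been tried and success is certain."""
    return min(1.0, n * t / policy.population())

def seconds_to_probability(policy: PasswordPolicy, n: float, p: float) -> float:
    """Invert P = nt/N: seconds a guesser at rate n needs to reach probability p."""
    return p * policy.population() / n

# Constructed policies to compare; r counts the allowed character set.
POLICIES = [
    PasswordPolicy("6 lowercase letters", r=26, s=6),
    PasswordPolicy("8 lowercase letters", r=26, s=8),
    PasswordPolicy("8 mixed case + digits", r=62, s=8),
    PasswordPolicy("12 printable ASCII", r=95, s=12),
]

if __name__ == "__main__":
    rate = 1_000_000            # constructed attacker speed: 10^6 guesses/second
    day = 86_400
    for pol in POLICIES:
        print(f"{pol.name:22s} N={pol.population():9.3e}  "
              f"P(one day)={success_probability(pol, rate, day):.3g}  "
              f"50% after {seconds_to_probability(pol, rate, 0.5) / day:.3g} days")
```

The six-lowercase policy is exhausted well inside a day at that rate, while the twelve-character policy needs a 50% chance measured in years; that gap is what the "not shorter than six characters" rule understates.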

Biometric Identifiers

Biometrics refers to methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In information technology, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.

Biometric characteristics can be divided in 2 main classes:

* Physiological are related to the shape of the body. Examples include, but are not limited to fingerprint, face recognition, DNA, hand and palm geometry, iris recognition, which has largely replaced retina, and odor/scent.
* Behavioral are related to the behavior of a person. Examples include, but are not limited to typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics for this class of biometrics.

It is possible to understand if a human characteristic can be used for biometrics in terms of the following parameters:

* Universality – each person should have the characteristic.
* Uniqueness – is how well the biometric separates individuals from another.
* Permanence – measures how well a biometric resists aging and other variance over time.
* Collectability – ease of acquisition for measurement.
* Performance – accuracy, speed, and robustness of technology used.
* Acceptability – degree of approval of a technology.
* Circumvention – ease of use of a substitute.

A biometric system can operate in the following two modes:

* Verification – A one to one comparison of a captured biometric with a stored template to verify that the individual is who he claims to be. Can be done in conjunction with a smart card, username or ID number.
* Identification – A one to many comparison of the captured biometric against a biometric database in attempt to identify an unknown individual. The identification only succeeds in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold.
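The two modes above in runnable form, as an added example that is not part of the original post. The enrolled templates, the noise model and the threshold are constructed; real systems compare feature vectors, not 32-bit codes.

```python
# Added example (not from the original post): the two modes described above,
# verification (1:1) and identification (1:N), over constructed 32-bit templates
# compared by normalised Hamming distance against a constructed threshold.
from typing import Iterable, Optional

# Constructed enrolment database: 32-bit codes stand in for real feature templates.
TEMPLATES = {
    "alice": 0b10110011_01011100_11100011_00011101,
    "bob":   0b01001100_10100011_00011100_11100010,
    "carol": 0b11110000_11110000_00001111_00001111,
}
BITS = 32
THRESHOLD = 0.25   # accept when at most 25% of bits differ (constructed value)

def distance(a: int, b: int) -> float:
    """Fraction of differing bits: 0.0 means identical, 1.0 means every bit differs."""
    return bin(a ^ b).count("1") / BITS

def verify(claimed_id: str, sample: int, threshold: float = THRESHOLD) -> bool:
    """1:1 mode: the claimant names an identity (card, username, ID number) and
    the live sample is compared only against that identity's stored template."""
    template = TEMPLATES.get(claimed_id)
    if template is None:
        return False                   # unknown claim: fail closed, compare nothing
    return distance(template, sample) <= threshold

def identify(sample: int, threshold: float = THRESHOLD) -> Optional[str]:
    """1:N mode: compare against every template and report the closest identity,
    but only when that best match falls within the threshold; otherwise None."""
    best_id, best_dist = None, 1.0
    for ident, template in TEMPLATES.items():
        d = distance(template, sample)
        if d < best_dist:
            best_id, best_dist = ident, d
    return best_id if best_dist <= threshold else None

def flip_bits(template: int, positions: Iterable[int]) -> int:
    """Simulate sensor noise on a genuine sample by flipping the given bit positions."""
    for p in positions:
        template ^= 1 << p
    return template

if __name__ == "__main__":
    noisy_alice = flip_bits(TEMPLATES["alice"], [0, 5, 17])   # 3 of 32 bits differ
    stranger = 0x0F0F0F0F                                      # constructed non-enrolled sample
    print(verify("alice", noisy_alice), verify("bob", noisy_alice))   # True False
    print(identify(noisy_alice), identify(stranger))                  # alice None
```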

Basic Block Diagram of a Biometric System.


Biometric Method

Face recognition



Of the various biometric identification methods, face recognition is one of the most flexible, working even when the subject is unaware of being scanned. It also shows promise as a way to search through masses of people who spent only seconds in front of a "scanner" - that is, an ordinary digital camera.
Face recognition systems work by systematically analyzing specific features that are common to everyone's face - the distance between the eyes, width of the nose, position of cheekbones, jaw line, chin and so forth. These numerical quantities are then combined in a single code that uniquely identifies each person.

Fingerprint identification



Fingerprints remain constant throughout life. In over 140 years of fingerprint comparison worldwide, no two fingerprints have ever been found to be alike, not even those of identical twins. Good fingerprint scanners have been installed in PDAs like the iPaq Pocket PC, so the scanner technology is also easy to deploy. It might not work in industrial applications, since it requires clean hands.
Fingerprint identification involves comparing the pattern of ridges and furrows on the fingertips, as well as the minutiae points (ridge characteristics that occur when a ridge splits into two, or ends) of a specimen print with a database of prints on file.

Hand geometry biometrics



Hand geometry readers work in harsh environments, do not require clean conditions, and produce a very small dataset. It is not regarded as an intrusive kind of test. It is often the authentication method of choice in industrial environments.

Retina scan



There is no known way to replicate a retina. As far as anyone knows, the pattern of the blood vessels at the back of the eye is unique and stays the same for a lifetime. However, it requires about 15 seconds of careful concentration to take a good scan. Retina scan remains a standard in military and government installations.

Access Control

What do you know about Access Control?

An access control system is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.

Access Control Principles



Access Control Requirements

¤ reliable input
¤ fine and coarse specifications
¤ least privilege
¤ separation of duty
¤ open and closed policies
¤ policy combinations, conflict resolution
¤ administrative policies

Access Control Matrix

Access Control Matrix or Access Matrix is an abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system.

Example Access Control Matrix

Consider a system with two files and two processes. The set of rights is {r, w, x, a, o} (read, write, execute, append, own).



The matrix can get very large, and hence inefficient, in general-purpose scenarios, so it is seldom used directly.

Access Control List

An access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation (e.g. the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY).
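The two-file, two-process matrix from the previous section, with the ACL (a column of the matrix) and the capability list (a row) derived from it, as an added example that is not from the original post. The cell contents are constructed because the post's table image is missing, and the `grant` rule (only an owner may add rights to an object's column) is an assumption the post does not state.

```python
# Added example (not from the original post): the post's two-file, two-process
# access control matrix as a Python structure, with the reference-monitor check
# and the per-object (ACL) and per-subject (capability) views derived from it.
# Cell contents are constructed, since the post's table image is missing.
from typing import Dict, Set

RIGHTS = {"r": "read", "w": "write", "x": "execute", "a": "append", "o": "own"}

# Rows are subjects (the two processes); columns are objects (files and processes).
Matrix = Dict[str, Dict[str, Set[str]]]
MATRIX: Matrix = {
    "process1": {"file1": {"r", "w", "o"}, "file2": {"r"},
                 "process1": {"r", "w", "x", "o"}, "process2": {"w"}},
    "process2": {"file1": {"a"}, "file2": {"r", "o"},
                 "process1": {"r"}, "process2": {"r", "w", "x", "o"}},
}

def check_access(m: Matrix, subject: str, obj: str, right: str) -> bool:
    """Allow only if the right appears in cell [subject, object]. Unknown subjects,
    objects or rights are denied, i.e. a closed policy."""
    if right not in RIGHTS:
        return False
    return right in m.get(subject, {}).get(obj, set())

def acl_for(m: Matrix, obj: str) -> Dict[str, Set[str]]:
    """One column of the matrix: the ACL kept with the object (subject -> rights)."""
    return {s: set(row[obj]) for s, row in m.items() if row.get(obj)}

def capabilities_for(m: Matrix, subject: str) -> Dict[str, Set[str]]:
    """One row of the matrix: the capability list held by the subject (object -> rights)."""
    return {o: set(rights) for o, rights in m.get(subject, {}).items() if rights}

def grant(m: Matrix, granter: str, subject: str, obj: str, right: str) -> bool:
    """Assumed administrative rule (not stated in the post): only a subject holding
    'o' on an object may add rights for others in that object's column."""
    if not check_access(m, granter, obj, "o") or right not in RIGHTS:
        return False
    m.setdefault(subject, {}).setdefault(obj, set()).add(right)
    return True

if __name__ == "__main__":
    print(check_access(MATRIX, "process2", "file1", "a"))       # True: append only
    print(check_access(MATRIX, "process2", "file1", "w"))       # False
    print(acl_for(MATRIX, "file2"))                              # {'process1': {'r'}, 'process2': {'r', 'o'}}
    print(grant(MATRIX, "process1", "process2", "file2", "w"))  # False: process1 does not own file2
```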

UNIX File Access Control



¤ "set user ID" (SetUID) or "set group ID" (SetGID): the system temporarily uses the rights of the file owner / group in addition to the real user's rights when making access control decisions; this enables privileged programs to access files / resources that are not generally accessible
¤ sticky bit: on a directory, limits rename/move/delete to the owner
¤ superuser: is exempt from the usual access control restrictions.

File Permission

There are three specific permissions on Unix-like systems that apply to each class:

* The read permission

which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them, including file type, size, ownership, permissions.)

* The write permission

which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.

* The execute permission

which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled C++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not to see the files inside the directory (unless read is set).
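The UNIX decision described in the last two sections (owner/group/other classes, the superuser exemption, SetUID and the sticky bit) as a small model, added here as an example that is not from the original post. The inodes and processes are constructed; only the mode-bit constants come from Python's standard `stat` module.

```python
# Added example (not from the original post): a model of the UNIX access decision
# described above. Inodes and processes are constructed; only the mode-bit
# constants (S_ISUID, S_ISVTX) come from the standard `stat` module.
import stat
from dataclasses import dataclass, field
from typing import Set

@dataclass
class Inode:
    uid: int
    gid: int
    mode: int               # e.g. 0o100644 regular file, 0o041777 sticky world-writable dir

@dataclass
class Process:
    ruid: int               # real uid: who logged in
    euid: int               # effective uid: what the access decision uses
    groups: Set[int] = field(default_factory=set)

def permitted(proc: Process, node: Inode, want: str) -> bool:
    """want is 'r', 'w' or 'x'. Exactly one class applies: owner bits if the effective
    uid matches, else group bits if any group matches, else other bits."""
    if proc.euid == 0:
        return True                               # superuser is exempt from the bits
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if proc.euid == node.uid:
        cls = (node.mode >> 6) & 7
    elif node.gid in proc.groups:
        cls = (node.mode >> 3) & 7
    else:
        cls = node.mode & 7
    return bool(cls & bit)

def execute(proc: Process, prog: Inode) -> Process:
    """Running a file needs 'x'. With SetUID set, the new process keeps the real uid
    but takes the file owner's uid as its effective uid, so it gains the owner's rights."""
    if not permitted(proc, prog, "x"):
        raise PermissionError("execute permission denied")
    euid = prog.uid if prog.mode & stat.S_ISUID else proc.euid
    return Process(ruid=proc.ruid, euid=euid, groups=set(proc.groups))

def may_unlink(proc: Process, directory: Inode, entry: Inode) -> bool:
    """Deleting or renaming an entry needs 'w' and 'x' on the directory; with the
    sticky bit set, the caller must also own the entry or the directory."""
    if not (permitted(proc, directory, "w") and permitted(proc, directory, "x")):
        return False
    if directory.mode & stat.S_ISVTX and proc.euid != 0:
        return proc.euid in (entry.uid, directory.uid)
    return True
```

Note that `execute` never changes the real uid: that is why a SetUID program can still tell who actually invoked it, and why it must decide carefully before acting on the owner's rights.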

1 comment:

Unknown said...

This article covers all about authentication and access control. I do find it an ideal post to learn about this concept. I will pass the link to this post to all my friends too.
