
Chapter 2

The document discusses various topics related to identification, authentication, passwords, and operational security. It provides guidelines for choosing strong passwords that are difficult to crack or guess but still easy for the user to remember. Some key points discussed are: - Identification and authentication involve verifying a user's username and password. - Passwords should be long, use a combination of uppercase, lowercase, numbers and symbols, and be unique across accounts. - Common passwords based on personal details or dictionary words should be avoided. - Best practices for password security include not sharing passwords, changing them regularly, and not writing them down.
Copyright © All Rights Reserved

Identification, Authentication and Operational Security
• Username and Password
• When a user first logs on, the computer asks for a user name and password.
• The first step is called Identification; its purpose is to answer: who are you?
• The second step is called Authentication: what do you access?
• If your username and password are correct, you successfully log in to the computer; if the username or password is incorrect, the login screen is displayed again.
• Sometimes incorrect attempts are counted, and once the threshold number of attempts is reached the system prevents further logins.

Marathwada Mitra Mandal's Polytechnic, Pune
Managing Password
• Never disclose a password at any level.
• There are a number of tools to crack passwords.
• Send the password by courier with personal delivery (banks normally use this).
• Send the password using the contact information given in the form, such as email or mobile number, and use that password one time only.
• Ask the user to change that password at first login.
• Confirmation should be sent by mail, or the account activated through a particular link only.
• Do not rely only on a password; also use a key, generated by a device or generated online and sent by mail or to a mobile number.
• Do not use a vehicle number, a computer name, or a word spelled backwards such as drowssap.

Choosing a password
• Do not choose a password based upon personal data.
• Do not choose a password that is an English dictionary word, TV show, or keyboard sequence.
• Do not choose a password that is a word with special characters appended, like password123, password!, password*, etc.
• Do not choose a password of less than 8 characters.
• Do not use only letters and numbers.
• Avoid guessable or easily traceable words.
• Do not choose default passwords.
• Do not use the name of a spouse, child, surname, friend's name, etc. as a password.
• Do not use the same password for all accounts.

Best method to choose password
• Select more than 8 characters for a password.
• Create a phrase or series of letters that is random but easy to remember, like: I Have Two Kids: Jack And Jill
• Convert it to ihtk:jaj
• Add numbers to it: ih2k:jaj
• Add special characters: ih2k:j&j
• Use a combination of upper case and lower case: Ih2k:J&j
• Make passwords from the following:
• My name is Bond: James Bond.
• We live in Maharashtra: Pune
• I like chicken
• I love my country: India.

Role of people in security
Password Selection
• Make your password as long as possible.
• Use as many character types as possible: upper case, lower case, numbers, special characters, etc.
• Do not use personal data, like account number or mobile number.
• Change your password regularly, ideally after 30, 60 or 90 days.
• Make sure that the password is hard to crack but easy to remember.
• Do not write down the password anywhere, such as on a table, in a computer file, or in your personal diary.

Password Selection Strategy
• User Education
• Computer Generated Password.
• Reactive Password.
• Proactive Password.

User Education
• Tell computer users the importance of hard-to-guess passwords.
• Give password selection guidelines.
• Do not tell your password to an unknown person.
Computer Generated Password
• Computer-generated passwords also have problems: they are reasonably random in nature but very difficult to remember, like gTs!P5w2q.
• Users often write them down.
• Automated password generators use a random character and number generator.
• Many system-generated passwords are used one time only, or must be changed at first login.
Reactive Password Checking
• In this scheme the system periodically runs its own password cracker to find guessable passwords.
• If the system finds one, it cancels the password and informs the user.
• This method has a number of drawbacks: it takes hours to check the system.
• Many vulnerable passwords remain in place until the reactive password checker finds them.
• Reactive password checking is not available on every system.

Proactive Password Checking
• This is the most promising approach to improving passwords; in this scheme the user is allowed to select his/her own password.
• However, at the time of selection the system checks the password; if the password is allowable it is accepted, otherwise it is rejected.
• Such systems are designed by considering all the guidelines.
• Some systems show a bar between weak and strong password.
• If the system continuously rejects a password, it means the user is giving weak passwords.
• It will also provide guidelines for selecting passwords.

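A proactive checker that applies the selection guidelines from the earlier slides at the moment a password is chosen. This is an added example, not part of the original slides; the word list, function names and the three-level bar are assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a real checker would load a
# large dictionary plus lists of default and previously breached passwords.
WORDLIST = {"password", "welcome", "dragon", "monkey", "admin", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8


def _core(password):
    """Strip leading/trailing digits and symbols: 'password123' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def _has_keyboard_run(password, run_len=5):
    """True if the password contains 5 adjacent keys of a row, either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run_len + 1):
                if seq[i:i + run_len] in low:
                    return True
    return False


def check_password(password, personal_data=()):
    """Return the list of guideline violations; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("too few character classes")
    core = _core(password)
    if core in WORDLIST:
        problems.append("dictionary word, possibly with characters appended")
    elif core[::-1] in WORDLIST:
        problems.append("dictionary word spelled backwards")
    if _has_keyboard_run(password):
        problems.append("keyboard sequence")
    low = password.lower()
    # Personal data: names, vehicle number, mobile number, and so on.
    if any(len(item) >= 3 and item.lower() in low for item in personal_data):
        problems.append("contains personal data")
    return problems


def strength_bar(password, personal_data=()):
    """Map the violation count onto the weak/strong bar some systems show."""
    count = len(check_password(password, personal_data))
    return "strong" if count == 0 else "medium" if count == 1 else "weak"
```

The returned violation list doubles as the guidance shown to the user when a choice is rejected.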
Piggybacking
• Piggybacking is simply the access of a wireless connection, or following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building, without the knowledge of the subscriber.
• The person gains access to the facility without the knowledge of authorized persons.
• In short, it is access to a wireless internet connection by bringing one's computer within range of another's wireless connection without permission.
Reasons for piggybacking:
• To avoid paying required access fees.
• To gain access to an area which is completely restricted.
• To hide one's identity.
• The person has forgotten or lost their access key.
Shoulder Surfing
• Shoulder surfing refers to the use of direct observation techniques, such as looking over someone's shoulder, to get information.
• This method is effective in crowded places because it is relatively easy to observe someone's activity, like:
– Entering a password or PIN on a computer.
– Filling out a form.
– Entering an access code at an ATM or in public places.
– Shoulder surfing can also be done at a distance using vision-enhancing devices.
• To avoid shoulder surfing, it is advised to hide the keypad using your body.
• Do not use a computer in crowded places like cyber cafés, libraries or places where people are very close to you.
Dumpster Diving
• Dumpster diving is a method by which an attacker searches for important system information by diving into the dump. The search is carried out in paper waste, electronic waste such as old HDDs, floppy and CD media, recycle and trash bins on the systems, etc.
• Attackers try to extract passwords, system configuration, network configuration and user lists by these methods, and so gain access to these important details.
• Dumpster diving is learning anything valuable from your trash.
• Experts recommend that a company should have a disposal policy under which all paper, including printouts and important documents, is erased properly and recycled.
Unauthorized Software/Hardware installation
• Installing software from unauthorized sources will automatically install some software which the user doesn't want.
• Such software may be harmful to your system.
– Such software may contain viruses which infect your system or network.
– It may send unwanted messages from your system.
– The software may be pirated, leading to penalties in case of an audit.
– It may contain spyware that captures information and sends it to unauthorized persons.

Individual User Responsibility
• Every computer user must be aware of computer security aspects; security is compromised by doing the following things:
– Executing programs from unknown or unreliable sources.
– Opening and accessing documents from unsecure sources.
– Exposing passwords or not protecting them.
– Accessing the computer network remotely.
– Opening e-mails and their attachments from untrusted origins.
– Downloading plug-ins and ActiveX controls.
• To secure the computer system, avoid these points.

Access Control
• Access control is the ability to permit or deny use of a particular resource by a particular entity.
• Access control mechanisms apply to physical resources, logical resources or digital resources.
• Access control techniques:
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

Discretionary Access Control (DAC)
• Discretionary Access Control: This is a type of access control in which the user has complete control over all the programs it owns and executes.
• DAC is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.
• Two important aspects:
– File and Data Ownership: Every object in the system has an owner. In most DAC systems the initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
– Access Rights and Permissions: These are the controls that an owner can assign to other subjects for specific resources.
Mandatory Access Control (MAC)
• In this control the administrator manages the access control. The administrator defines the access policy, which cannot be modified or changed by users.
• MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information.
• Sensitivity labels: All subjects and objects must have labels assigned to them. A subject's sensitivity label specifies the level of trust required to access a given object.
• Data Import and Export: Controlling the import of information from other systems is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained.
• Rule-based access control: This type of control further defines specific conditions for access.
Role Based Access Control (RBAC)
• In RBAC, access control is determined by the system, not by the owner. This type of access control is used in commercial applications and also in military systems where multi-level access control is required.
• RBAC and DAC differ in nature: DAC allows the user to control access, but in an RBAC system access is controlled by the system, which is outside the user's control.
• Three rules are defined for RBAC:
– Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.
– Role authorization: A subject's active role must be authorized for the subject.
– Transaction authorization: A subject can execute a transaction only if the transaction is authorized; this ensures that users can execute only transactions for which they are authorized.
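The three RBAC rules enforced in order by a small session object. This is an added example, not part of the original slides; the users, roles, transactions and function names are hypothetical.

```python
# Constructed policy tables maintained by the system, not by resource owners.
USER_ROLES = {              # roles authorized for each subject
    "asha": {"teller", "auditor"},
    "ravi": {"teller"},
}
ROLE_TRANSACTIONS = {       # transactions authorized for each role
    "teller": {"deposit", "withdraw"},
    "auditor": {"read_ledger"},
}


class AccessDenied(Exception):
    """Raised when one of the three RBAC rules is not satisfied."""


class Session:
    def __init__(self, subject):
        self.subject = subject
        self.active_role = None

    def activate(self, role):
        # Role authorization: the active role must be authorized for the subject.
        if role not in USER_ROLES.get(self.subject, set()):
            raise AccessDenied(f"role '{role}' not authorized for {self.subject}")
        self.active_role = role

    def execute(self, transaction):
        # Role assignment: no transaction without a selected role.
        if self.active_role is None:
            raise AccessDenied("no active role")
        # Transaction authorization: checked against the active role only,
        # so other roles the subject holds do not widen access.
        if transaction not in ROLE_TRANSACTIONS.get(self.active_role, set()):
            raise AccessDenied(
                f"'{transaction}' not authorized for role '{self.active_role}'")
        return f"{self.subject} ran {transaction} as {self.active_role}"


def try_execute(subject, role, transaction):
    """Return (allowed, detail) so callers can log the decision and reason."""
    session = Session(subject)
    try:
        if role is not None:
            session.activate(role)
        return True, session.execute(transaction)
    except AccessDenied as exc:
        return False, str(exc)
```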
BIOMETRICS
• “Biometrics refers to the study of methods for uniquely recognizing humans based upon one or more physical or behavioral characteristics.”
• Physiological characteristics are related to the shape of the body, for example fingerprints, face recognition, DNA, palm print, iris recognition, retina scan.
• Behavioral characteristics are related to the behavior of a person: typing rhythm, signature and voice.
• Why human characteristics can be used for biometrics:
– Universality: Every person should have the characteristic.
– Uniqueness: The biometric separates each individual from another.
– Collectability: Easy to collect samples for measurement.
– Performance: Accuracy, speed and robustness of the technology used.
– Acceptability: Degree of approval of a technology.
• Biometrics work in the following two modes:
• Verification: A one-to-one comparison of a captured biometric with a stored template to verify that the individual is who he claims to be.
• Identification: A one-to-many comparison of the captured biometric against a biometric database in an attempt to identify an unknown individual.

[Figure: Block diagram of a biometric system. Blocks: Sensor, Pre-processing, Feature Extractor, Template Generator, Stored Templates, Matcher, Application Device]

Fingerprints
• In this method fingerprints are matched against the database; matching is carried out using complex image processing algorithms, and the user is authenticated if matched.
• Fingerprint recognition or fingerprint authentication process.
• Fingerprints are one of many forms of biometrics used to identify an individual and verify their identity.
• Analysis of fingerprints for matching purposes requires comparison of several features of the print pattern.
• These patterns include unique features found within the patterns.

[Figure: Finger Print Patterns]

Fingerprint Sensors
• A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern.
• The captured image is called a live scan.
• The live scan is used for creating a template, and this template is used for matching later live scans.
• Optical: Captures a digital image using visible light.
• Ultrasonic: These sensors use the principle of medical ultrasonography to create a visual image of the fingerprint.

Applications Of Fingerprints
• Forensic
– Criminal investigation
– Terrorist identification
• Government
– National ID card (Aadhaar Card)
– Driving license
– Social security
• Commercial
– Computer network
– Cellular phone
– E-commerce
– Medical record management
– ATM, credit card
– Distance learning

Advantages
• High accuracy.
• Most economical.
• Easy to use.
• Small storage space.
• It is standardized.
• Fingerprints are much harder to fake than identity cards.
• You can't guess a fingerprint pattern like you can guess a password.
• You can't misplace your fingerprint like you can misplace an access card.
• You can't forget your fingerprints like you can forget a password.

Disadvantages
• A fingerprint scanner does not take into account physical changes in a person.
• Using a fingerprint scanner can lead to false rejections.
• Some people have damaged fingerprints.

Hand Prints
• Hand biometrics are based on the geometric shape of the hand: size of the palm, length and width of the fingers, distance between knuckles, etc.
• In hand geometry a user is identified when the stored shapes and other dimensions match the live hand scan.
• Advantages:
– Requires special hardware, which is easily integrated with other devices.
– The amount of data required to identify a user in a system is small.
– Easy to use.
– Hand data is easy to collect.
– Environmental factors are not an issue.
• Disadvantages:
– Special device required, and expensive.
– It is not valid for arthritic persons.
– Not ideal for growing children.
– Jewelry (rings etc.) may pose a challenge in extracting information from the hand.
– Size of the sample is very large, so it is not ideal for embedded systems.

Retina Scan Technique
• Retina scan technology is a biometric technique that uses the unique pattern on a person's retina to identify them.
• The human retina is a thin tissue composed of neural cells, located in the posterior portion of the eye.
• The complex structure of capillaries makes each person's retina unique.
• Even identical twins have different retinas.
• The retina remains the same from birth to death because of its unique and unchanging nature.
• A retina scan casts low-energy infrared light into the person's eye, because the retinal blood vessels are more absorbent of this light than the rest of the eye.
• The pattern of variations is converted to computer code and stored in the database.
• Advantages:
– Very high accuracy.
– Extremely low false rate.
– Speedy results.
– Like a fingerprint, it remains the same through the life of a human.
– So it is useful for children also.
• Disadvantages:
– Measurement accuracy can be affected by some diseases like diabetes, glaucoma, etc.
– Not user friendly.
– High equipment cost.
– The technology is difficult to use, as some people feel discomfort during scanning.
– Users commonly fear that the device itself or the light can harm their eyes.

Voice Synthesis
• In this method the voice of the user is recorded and digital signal analysis is carried out on it.
• Speaker recognition is recognizing WHO is speaking.
• Speech recognition is recognizing WHAT is being spoken (the words).
• Voice recognition is a combination of both speaker and speech recognition.
• Various technologies are used for recording voice, like frequency estimation, Gaussian mixture models, etc.

• Advantages:
– Cheap technology.
– Highly acceptable.
– Can be automated and coupled with speech recognition systems.
– No training required for users.
• Disadvantages:
– High false non-matching rates.
– Even the best speech recognition systems sometimes make errors. If there is noise or some other sound in the room (e.g. the television or a kettle boiling), the number of errors will increase.
– Voice may change due to illness.
Signature and Writing Pattern
• A biometric signature recognition system measures and analyzes the physical activity of signing, such as stroke order, pressure applied and speed.
• In a signature recognition system, a person signs his/her signature on a digitizing graphics tablet or personal digital assistant.
• The system analyzes signature dynamics such as speed, relative speed, stroke order, stroke count and pressure.

• Advantages:
– Little time needed for verification.
– Cheap technology.
– It is easy to copy the image of a signature.
– Low false acceptance rate.
– People normally sign different documents.
• Disadvantages:
– Persons who do not write consistently may be difficult to identify.
– Not useful for non-literate people.

Keystroke Dynamics
• Keystroke or typing dynamics is the detailed timing information that describes exactly when each key was pressed and when it was released as a person types at a computer keyboard.
• Working principle: Keystroke dynamics use the manner and rhythm in which an individual types characters on a keyboard. Keystrokes can be recorded as dwell time (the time a key is pressed) and flight time (the time between one “key down” and the next “key down”, and the time between one “key up” and the next “key up”).
• Recorded keystroke timing data is then processed through a unique algorithm, which determines a pattern for comparison.
• Dwell time: How long a key is pressed.
• Flight time: How long it takes to move from one key to another.

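Dwell and flight times extracted from raw key events and used for one-to-one verification against an enrolled template. This is an added example, not part of the original slides; the timing samples are constructed, and the mean-absolute-difference comparison with a 25 ms threshold is an assumed stand-in for the unspecified matching algorithm.

```python
from statistics import mean

# Constructed samples: each keystroke is (key, key_down_ms, key_up_ms),
# recorded while the same four-letter word is typed.
ENROLL = [
    [("p", 0, 95), ("u", 180, 260), ("n", 340, 430), ("e", 520, 600)],
    [("p", 0, 100), ("u", 190, 275), ("n", 350, 445), ("e", 530, 615)],
    [("p", 0, 90), ("u", 175, 250), ("n", 330, 425), ("e", 515, 590)],
]
GENUINE = [("p", 0, 98), ("u", 185, 265), ("n", 345, 438), ("e", 525, 608)]
IMPOSTOR = [("p", 0, 60), ("u", 320, 370), ("n", 450, 520), ("e", 900, 950)]


def features(sample):
    """Return dwell times, then down-down and up-up flight times (ms)."""
    dwell = [up - down for _, down, up in sample]
    down_down = [b[1] - a[1] for a, b in zip(sample, sample[1:])]
    up_up = [b[2] - a[2] for a, b in zip(sample, sample[1:])]
    return dwell + down_down + up_up


def build_template(samples):
    """Stored template: the per-feature mean over the enrollment samples."""
    vectors = [features(s) for s in samples]
    return [mean(column) for column in zip(*vectors)]


def distance(template, sample):
    """Mean absolute difference (ms) between a live sample and the template."""
    live = features(sample)
    if len(live) != len(template):
        raise ValueError("sample length does not match the enrolled text")
    return mean(abs(t - v) for t, v in zip(template, live))


def verify(template, sample, threshold_ms=25.0):
    """Accept the claimed identity if the typing rhythm is close enough."""
    return distance(template, sample) <= threshold_ms
```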