
Identification, Authentication and Operational Security

This document discusses identification, authentication, access controls, and operational security. It defines usernames and passwords as identification and authentication. It describes strategies for managing passwords, such as not sharing passwords and using complex passwords. It also discusses risks like shoulder surfing, dumpster diving, and unauthorized access. The document outlines individual responsibilities and different access control policies like DAC, MAC, and RBAC. Biometric authentication methods such as fingerprints and retina scans are also mentioned.


Chapter 2

Identification, Authentication and Operational Security

Marks 20
Syllabus

2.1 User name and password, Managing passwords, choosing password.

2.2 Role of people in Security: Password selection, Piggybacking, Shoulder surfing, Dumpster diving, Installing unauthorized software/hardware, Access by Non-employees, Security awareness, Individual User responsibilities.

2.3 Access controls: Definition, principle, policies: DAC, MAC, RBAC.

2.4 Biometrics: finger prints, hand prints, Retina patterns, voice patterns, signature and writing patterns, keystrokes.
What is a Username?

What is a Password?

Username: Identification (who you are)

Password: Authentication (proof of identification)


Managing Password
How do organizations manage user passwords?

o Do not give the password to a caller; call back on an authorized phone number from an internal company address book, OR call back a higher authority of that user to provide the password.
o Send passwords that are valid for a single login, so that the user has to change it immediately to a password not known by the sender.
o Send by courier with personal delivery.
o Request confirmation on a different channel.
Choosing Password
o Do’s
• Minimum 8 characters.
• Seemingly random but easy to remember. Eg. “I have two project partners: John and Jack”.
• Digits should be there. Eg. “john2212”.
• Use special symbols. Eg. “john#2212”.
• Use lower and upper case letters. Eg. “JohN#2212”.
o Don'ts
• Not a dictionary word.
• Not a family member's name only.
Role of People in Security

o Password Selection (guidelines and password selection strategies)
o Piggybacking
o Shoulder Surfing
o Dumpster Diving
o Installing Unauthorized S/W and H/W
o Access by Non-employees
o Security Awareness
o Individual user responsibilities
Password Selection Strategies
• User Education
• Computer generated
• Reactive Password checking
• Proactive Password checking
User Education
The user education strategy tells users the importance of using hard-to-guess passwords and
provides guidelines for selecting strong passwords, but it needs their cooperation. The problem is
that many users will simply ignore the guidelines. Some guidelines for selecting a good
password are:
1. Use a mix of upper and lower case letters, numbers, punctuation and special symbols.
2. Don't use your login name.
3. Don't use your first or last name.
4. Don't use your spouse's or child's name.
5. Don't use other information easily obtained about you. This includes license plate numbers,
telephone numbers, social security numbers, the brand of your automobile, the name of the street
you live on, etc.
6. Don't use a password of all digits, or entirely the same letter. This significantly decreases the search
time for a cracker.
7. Don't use a word contained in English or foreign language dictionaries, spelling lists, or other
lists of words.
8. Don't use a password shorter than six characters.
9. Use a password that is easy to remember, so you don't have to write it down.
10. Use a password that you can type quickly, without having to look at the keyboard. This makes it
harder for someone to steal your password by watching over your shoulder.
The main problem is that many users will simply ignore the guidelines.
Computer-generated passwords
This strategy lets the computer create passwords. If the passwords are quite random in
nature, users will not be able to remember them. Even if the password is
pronounceable, the user may have difficulty remembering it and so be tempted to
write it down. This strategy has a history of poor user acceptance.
Reactive password checking
A reactive password checking strategy is one in which the system periodically
runs its own password cracker to find guessable passwords. The system cancels any
passwords that are guessed and notifies the user. Drawbacks are that it is resource
intensive if the job is done right, and any existing passwords remain vulnerable until
the reactive password checker finds them.
Proactive password checking
The most promising approach to improved password security is a proactive
password checker, where a user is allowed to select his or her own password, but the
system checks to see if it is allowable and rejects it if not. The trick is to strike a
balance between user acceptability and strength.
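As an added illustration (not code from the slides), the following proactive checker applies the selection guidelines above to a candidate password and reports every rule it breaks; the login name, personal details and small dictionary word list are constructed sample data.

```python
# Added example: a proactive password checker that enforces the slide's
# guidelines. The login name, personal details and word list are constructed.
import string

SAMPLE_DICTIONARY = {"password", "welcome", "summer", "secret", "college"}

def check_password(candidate, login="jsmith",
                   personal=("Smith", "Mary", "MH12AB1234", "9876543210")):
    """Return the list of guideline violations; an empty list means accepted."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 8:                              # Do's: minimum 8 characters
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special symbol")
    if candidate.isdigit():                             # guideline 6: all digits
        problems.append("all digits")
    if len(set(lowered)) == 1:                          # guideline 6: same letter
        problems.append("single repeated character")
    if lowered == login.lower():                        # guideline 2: login name
        problems.append("same as login name")
    for item in personal:                               # guidelines 3-5
        if item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in SAMPLE_DICTIONARY:               # guideline 7: word lists
        problems.append("dictionary word")
    return problems

def is_acceptable(candidate, **kwargs):
    """True when the candidate passes every check."""
    return not check_password(candidate, **kwargs)
```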
Dumpster Diving
Dumpster diving is looking for information in someone else's trash (a dumpster is a
large trash container). In the world of information technology, dumpster diving is a
technique used to retrieve information that could be used to carry out an attack on a
computer network.

When dumpster diving, hackers look for:

Calendars of events
Tell the hackers when everyone will be elsewhere and not logged into the
system: the best time to break in.
Print outs
Source code is frequently found in dumpsters, along with e-mails (revealing
account names).
Memos
Reveal activities inside the target organization.
Disks, tapes, CD-ROMs
People forget to erase storage media, leaving sensitive data exposed. These
days, dumpsters may contain a larger number of "broken" CD-Rs. The CD-ROM
"burning" process is sensitive, and can lead to failures, which are simply
thrown away. However, some drives can still read these disks, allowing the
hacker to read a half-way completed backup or other sensitive piece of
Piggybacking
• Piggybacking on Internet access is the practice of establishing a wireless Internet
connection by using another subscriber's wireless Internet access service
without the subscriber's explicit permission or knowledge.
Shoulder Surfing
• Shoulder surfing is a procedure where an attacker positions himself in such a way that he is
able to observe the authorized user entering the correct access code.
• This attack uses direct observation techniques, like looking over someone's shoulder
when he is entering a PIN or password.
Installing Unauthorized Software / Hardware
• When users download various software from the Internet they are unaware
of the origin of the software and who uploaded it. The problem with such downloaded
software is that it comes with harmful code.
Access by Non-Employees
• An attacker may get physical access to organization facilities and obtain
enough information about how to enter the computer system OR
organization network. So it becomes necessary for the organization to restrict
non-employees from illegal entry into organization premises.

• Precautions taken by organizations

o To avoid access by non-employees, organizations require their
employees to wear identification symbols at work.
o Organizations restrict their employees from inviting their relatives
and friends to work sites.
o Some organizations restrict visitors (non-employees) from entering
organization premises with cameras, cell phones etc., because visitors
may misuse such devices to steal information from the organization.
Security Awareness
• Security awareness programs for employees are very effective in
avoiding potential attacks on an organization's security.
• Employees must know about the sensitivity of different types of
information.
• When a new employee is hired it is important to provide
training about the security policies of the organization.
• It is also necessary to remind employees about different avenues
of attack by using security awareness advertisements and
monthly email newsletters.
Individual User Responsibilities
• Lock the door of the workspace.
• Do not leave sensitive information unprotected.
• Do not discuss sensitive information with family members and
other individuals.
• Protect your laptop from strangers.
• Shred papers containing sensitive information about the
organization before discarding them.
• Do not allow access without any identification procedure.
Physical Access Controls
• Something the individual has, e.g. Smart Card
• Something the individual knows, e.g. Password
• Something the individual is, e.g. Manager
Access Control:
“The prevention of unauthorized use of a resource, including the prevention of use of a
resource in an unauthorized manner.”
Access Control Principles
• Authentication
• Authorization
• Audit

An access control mechanism mediates between a user (or a process executing
on behalf of a user) and system resources, such as applications, operating systems,
firewalls, routers, files, and databases. The system must first authenticate an entity
seeking access. Typically, the authentication function determines whether the user is
permitted to access the system at all. Then the access control function determines if
the specific requested access by this user is permitted. A security administrator
maintains an authorization database that specifies what type of access to which
resources is allowed for this user. The access control function consults this database to
determine whether to grant access. An auditing function monitors and keeps a record
of user accesses to system resources.
Access Control Policies
• DAC
• MAC
• RBAC
These three policies are not mutually exclusive ( Figure 4.2 ). An access control mechanism
can employ two or even all three of these policies to cover different classes of system resources.
Discretionary Access Control

Fig. DAC example: file F1 is owned by user U01, and the owner grants the other users their rights.
  User U01 (owner): READ
  User U02: READ, WRITE, EXECUTE
  User U03: READ, WRITE

Mandatory Access Control

NOTE: Only the ADMINISTRATOR is responsible for defining access control policies.

Fig. MAC example (labels: TOP SECRET, SECRET, INTERNAL, PUBLIC). Objects: Atomic Weapons Data File, Atomic Power Plant Data File, Other Weapons Data File, Tender Notification File, Registered Vendors. Subjects: Ajay, A. Kalam, Vikas, Sameer, Abraham. Each object and each subject is assigned exactly one label; the label columns of the original figure are not recoverable from this copy.

Role Based Access Control

Fig. RBAC Matrix. User-to-role assignment (roles: Principal, HOD, Lecturer, Student, Class Coordinator, Class Representative): Ajay holds one role; Vijay, Vinod and Sohel hold two roles each. Role-to-permission matrix (objects: Attendance Data, Account Data, Feedback Data, Student Data, Employee Data; operations: Select, Update, Delete): Principal: Update, Select, Update/Delete, Update/Delete; HOD: Select, Update, Select; Lecturer: Update, Select, Select; Student: Select, Update, Select; Class Coordinator: Update, Update. The object columns of the original matrix are not recoverable from this copy.
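To show how the three policies differ in who decides access (the owner under DAC, the administrator's labels under MAC, the role matrix under RBAC) and how the audit function records each decision, here is an added example that is not code from the slides. Object, subject and role names are taken from the figures; the label and role assignments are constructed, since the figures' checkmarks are not recoverable.

```python
# Added example: a small mediator applying DAC, MAC and RBAC and auditing each
# decision. Names come from the slide figures; the label and role assignments
# are constructed, since the figures' checkmarks did not survive extraction.
AUDIT_LOG = []  # the audit function keeps a record of every access decision

# DAC: the owner of file F1 (user U01) decides what each user may do with it
DAC_ACL = {"F1": {"U01": {"READ"},
                  "U02": {"READ", "WRITE", "EXECUTE"},
                  "U03": {"READ", "WRITE"}}}

def dac_allowed(subject, obj, op):
    return op in DAC_ACL.get(obj, {}).get(subject, set())
# MAC: the administrator labels objects and subjects; a subject may read an
# object only when its clearance is at least as high as the object's label
LEVEL = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2, "TOP SECRET": 3}
OBJECT_LABEL = {"Atomic Weapons Data File": "TOP SECRET",
                "Atomic Power Plant Data File": "SECRET",
                "Tender Notification File": "PUBLIC"}
SUBJECT_LABEL = {"A. Kalam": "TOP SECRET", "Ajay": "SECRET",
                 "Vikas": "INTERNAL", "Sameer": "PUBLIC"}

def mac_read_allowed(subject, obj):
    return LEVEL[SUBJECT_LABEL[subject]] >= LEVEL[OBJECT_LABEL[obj]]

# RBAC: users hold roles, and roles carry the permissions of the RBAC matrix
USER_ROLES = {"Ajay": {"Principal"}, "Vijay": {"HOD", "Lecturer"},
              "Vinod": {"Lecturer", "Class Coordinator"}, "Sohel": {"Student"}}
ROLE_PERMS = {
    "Principal": {"Account Data": {"Update"}, "Employee Data": {"Update", "Delete"}},
    "HOD": {"Attendance Data": {"Select"}, "Employee Data": {"Select"}},
    "Lecturer": {"Attendance Data": {"Update"}, "Student Data": {"Select"}},
    "Student": {"Feedback Data": {"Update"}, "Attendance Data": {"Select"}},
    "Class Coordinator": {"Attendance Data": {"Update"}},
}

def rbac_allowed(user, obj, op):
    return any(op in ROLE_PERMS.get(role, {}).get(obj, set())
               for role in USER_ROLES.get(user, set()))

def mediate(policy, subject, obj, op):
    """Authorize one request (subject already authenticated) and audit it."""
    if policy == "DAC":
        decision = dac_allowed(subject, obj, op)
    elif policy == "MAC":
        decision = op == "READ" and mac_read_allowed(subject, obj)
    else:
        decision = rbac_allowed(subject, obj, op)
    AUDIT_LOG.append((policy, subject, obj, op, "GRANT" if decision else "DENY"))
    return decision
```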
Biometric

Biometric is an authentication technology in which human physical
OR behavioral characteristics are used to uniquely identify a person.

How it works

• The first step in implementing a biometric system is to register all authenticated
samples in the database. These registered samples are used for comparison
in future.
• In the next step a biometric device is used to capture the sample of the user who wants
to access a service.
• In a client-server model, the user sample is encrypted by the client and transferred
to the server. The server decrypts the sample and compares it with the already
registered samples.
• If both samples match then permission is granted to the user,
otherwise permission is denied.
Characteristics of Biometric System

• FAR (False Accept Ratio)
The measurement of the chance that a person who should be rejected actually
gets accepted by the system as good enough is known as the false
accept ratio.

• FRR (False Reject Ratio)
The measurement of the chance that a person who should be accepted actually
gets rejected by the system as not good enough is known as the false
reject ratio.
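As an added example (not from the slides), the following code computes FAR and FRR for a matcher that accepts a sample when its similarity score reaches a threshold, and shows the trade-off between the two: raising the threshold lowers FAR but raises FRR. The score lists are constructed.

```python
# Added example: FAR and FRR at a decision threshold, using constructed
# similarity scores (0..100) from genuine users and from impostors.
GENUINE_SCORES = [92, 88, 75, 81, 95, 67, 84, 90, 58, 79]   # constructed
IMPOSTOR_SCORES = [12, 35, 48, 22, 61, 30, 44, 19, 53, 27]  # constructed

def far(impostor_scores, threshold):
    """False Accept Ratio: share of impostors wrongly accepted at this threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)

def frr(genuine_scores, threshold):
    """False Reject Ratio: share of genuine users wrongly rejected at this threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)

def equal_error_threshold(genuine_scores, impostor_scores):
    """Lowest integer threshold at which FAR and FRR are closest to each other,
    the point usually used to compare biometric systems (equal error rate)."""
    return min(range(0, 101),
               key=lambda t: abs(far(impostor_scores, t) - frr(genuine_scores, t)))
```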
The major biometric form factors used today are

1. Hand-print (Physical)
2. Fingerprint (Physical)
3. Eye retina (Physical)
4. Keystroke (Behavioral)
5. Voice pattern (Behavioral)
Hand-Print (Physical Biometric)

Everybody has a unique hand-print. Hand-print or hand-geometry verification
systems examine the unique measurements of your hand and use that
information to determine whether you should be allowed access.
The hand-geometry of a person is registered in the database on the basis of the following
parameters.

o Length of fingers
o Thickness of hand
o Shape of curves
o Depth of skin

With a hand-print verification system, you press your hand on a hand-geometry
reader, aligning all of your fingers; the sensor scans the hand on the basis
of the above parameters. The information is digitized and compared against a
hand-print template stored for you in the system.
The system allows access if your hand-print sufficiently matches the stored
template.
Disadvantages
1. A high-cost device is required to scan the complete hand.
2. A large amount of memory is required to store the sample hand-print template.
3. More time is required to compare.
4. Swelling and the presence of rings on fingers affect the system's ability.
Eye Retina Scan (Physical)
o The human retina is a thin tissue composed of neural cells that is located in
the posterior portion of the eye.
o Because of the complex structure of the capillaries that supply the retina
with blood, each person's retina is unique.
o Even identical twins do not share the same eye retina.

Advantages
• Very high accuracy.
• Speedy results.
Disadvantages
• Some diseases such as diabetes and retinal disorders cause the eye
retina to change after some age.
Retinal Scanning:
The human retina is a thin tissue composed of neural cells that is located in the posterior portion of the eye. Because of the complex structure of the capillaries that supply the retina with blood, each person’s retina is unique. The network of blood vessels in the retina is so complex that even identical twins do not share a similar pattern.

A biometric identifier known as a retinal scan is used to map the unique patterns of a person’s retina. The blood vessels within the retina absorb light more readily than the surrounding tissue and are easily identified with appropriate lighting.

A retinal scan is performed by casting an unperceived beam of low-energy infrared light into a person’s eye as they look through the scanner’s eyepiece. This beam of light traces a standardized path on the retina. Because retinal blood vessels are more absorbent of this light than the rest of the eye, the amount of reflection varies during the scan. The pattern of variations is converted to computer code and stored in a database.

Fig. Internal Complex Retina Structure


Keystroke (Behavioral)
Keystroke biometrics uses the manner and rhythm in which an individual types characters
on a keyboard or keypad for user identification.
Timing Data
Some kind of timing data is also stored, which is as follows:
Dwell time
• Time a key is held pressed.
Flight time
• Time between a key-up and the next key-down.
So we can say the manner, rhythm and timing data are used to develop the unique sample
of the user.
Advantages
• Keystrokes can be captured continuously, not just at start time.
Disadvantages
Temporal variation: a person's typing varies substantially during a day and between
different days.
Voice Pattern (Behavioral)
o Everybody has a unique vocal and acoustic pattern.
o The system converts the acoustic strength of a speaker's voice into component
frequencies and analyzes how they are distributed.
o A voice print / voice signature is constructed by sampling, digitizing and storing several
repetitions of a particular phrase.
o Voice prints are not recorded words.
Advantages:
o Users do not have to install any devices.
o Easy to use.
o With just the help of a telephone, a remote user can interact with a voice biometric
application.
Disadvantages
o Respiratory diseases, throat infections and background noise may affect the system's
ability to match a voice print.
