
Chapter 2

Identification, Authentication and Operational Security

Marks 20
Syllabus

2.1 User name and password, Managing passwords, choosing password.

2.2 Role of people in Security: Password selection, Piggybacking, Shoulder surfing, Dumpster diving, Installing unauthorized software/hardware, Access by Non-employees, Security awareness, Individual user responsibilities.

2.3 Access controls: Definition, principle, policies: DAC, MAC, RBAC.

2.4 Biometrics: finger prints, hand prints, Retina, patterns, voice patterns,
signature and writing patterns, keystrokes.
• What is a username?

• What is a password?

Username: Identification (who you are)

Password: Authentication (proof of the claimed identity)


Managing Passwords
How do organizations manage user passwords?

o Do not give a password to a caller; call back on an authorized phone number from an internal company address book, or call back a higher authority of that user to provide the password.
o Send passwords that are valid for a single login only, so that the user has to change immediately to a password not known by the sender.
o Send by courier with personal delivery.
o Request confirmation on a different channel.
Choosing a Password
o Do's
• Minimum 8 characters.
• Seemingly random but easy to remember, e.g. built from the phrase "I have two project partners: John and Jack".
• Include digits, e.g. "john2212".
• Use special symbols, e.g. "john#2212".
• Use lower and upper case letters, e.g. "JohN#2212".
o Don'ts
• Not a dictionary word.
• Not only a family member's name.
Role of People in Security

o Password Selection (guidelines and password selection strategies)
o Piggybacking
o Shoulder Surfing
o Dumpster Diving
o Installing Unauthorized Software and Hardware
o Access by Non-employees
o Security Awareness
o Individual user responsibilities
Password Selection Strategies
• User Education
• Computer generated
• Reactive Password checking
• Proactive Password checking
User Education
The user education strategy tells users the importance of using hard-to-guess passwords
and provides guidelines for selecting strong passwords, but it needs their cooperation.
The problem is that many users will simply ignore the guidelines. Some guidelines for
selecting a good password are:
1. Use a mix of upper and lower case letters, numbers, punctuation and special symbols.
2. Don't use your login name.
3. Don't use your first or last name.
4. Don't use your spouse's or child's name.
5. Don't use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
6. Don't use a password of all digits, or entirely the same letter. This significantly decreases the search time for a cracker.
7. Don't use a word contained in English or foreign language dictionaries, spelling lists, or other lists of words.
8. Don't use a password shorter than six characters.
9. Use a password that is easy to remember, so you don't have to write it down.
10. Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
The main problem is that many users will simply ignore the guidelines.
Computer-generated passwords
This strategy lets the computer create the passwords. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. This strategy has a history of poor user acceptance.
Reactive password checking
A reactive password checking strategy is one in which the system
periodically runs its own password cracker to find guessable passwords. The
system cancels any passwords that are guessed and notifies the user.
Drawbacks are that it is resource intensive if the job is done right, and any
existing passwords remain vulnerable until the reactive password checker
finds them.
Proactive password checking
The most promising approach to improved password security is a proactive password checker: a user is allowed to select his or her own password, but the system checks whether it is allowable and rejects it if not. The trick is to strike a balance between user acceptability and strength.
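The Do's/Don'ts list and the user-education guidelines above are exactly the rules a proactive checker enforces at password-change time. The following Python is an added example, not code from these notes: it applies those rules against a small constructed word list standing in for a real dictionary file, and the requirement of at least three of the four character classes is an assumed threshold for "use a mix".

```python
import re
import string

# Constructed stand-in for the dictionary / spelling lists the guidelines mention.
# A real checker would load a full word list from disk.
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "football", "qwerty"}

MIN_LENGTH = 8  # the "Do's" slide asks for a minimum of 8 characters


def check_password(password, username="", personal_info=(), dictionary=DICTIONARY):
    """Return the list of guideline violations; an empty list means the password is allowed.

    Rules mirror the notes: minimum length, character-class mix, no login name,
    no personal names, not all digits or one repeated letter, not a dictionary word.
    """
    violations = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)

    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    # Assumed threshold: at least three of the four classes count as "a mix"
    if sum(classes) < 3:
        violations.append("needs a mix of upper case, lower case, digits and symbols")

    if username and username.lower() in lower:
        violations.append("contains the login name")

    for item in personal_info:  # e.g. spouse's or child's name supplied by the caller
        if item and item.lower() in lower:
            violations.append("contains personal information (%s)" % item)

    if password.isdigit():
        violations.append("all digits")
    if len(set(lower)) == 1:
        violations.append("one repeated character")

    # Strip digits and punctuation so "password1!" is still caught as "password"
    core = re.sub(r"[^a-z]", "", lower)
    if core in dictionary or lower in dictionary:
        violations.append("dictionary word")

    return violations


def is_acceptable(password, username="", personal_info=()):
    """True when the proactive checker would let the user keep this password."""
    return not check_password(password, username, personal_info)


if __name__ == "__main__":
    for candidate in ("JohN#2212", "john2212", "Password1!", "12345678"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The slide's own example "JohN#2212" passes every rule, while the weaker intermediate "john2212" is rejected only for the missing character-class mix, which is the kind of targeted feedback a proactive checker should give back to the user.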
Dumpster Diving
Dumpster diving is looking for information in someone else's trash (a dumpster is a large trash container). In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network.

When dumpster diving, hackers look for:

Calendars of events
Tell the hackers when everyone will be elsewhere and not logged into the system, which is the best time to break in.
Printouts
Source code is frequently found in dumpsters, along with e-mails (revealing account names).
Memos
Reveal activities inside the target organization.
Disks, tapes, CD-ROMs
People forget to erase storage media, leaving sensitive data exposed. These days dumpsters may contain a large number of "broken" CD-Rs. The CD-ROM burning process is sensitive and can lead to failures, which are simply thrown away. However, some drives can still read these discs, allowing the hacker to read a half-completed backup or other sensitive piece of information.
Piggybacking
• Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge.
Shoulder Surfing
• Shoulder surfing is a procedure where attackers position themselves so that they can observe the authorized user entering the correct access code.
• This attack uses direct observation techniques, such as looking over someone's shoulder while he or she enters a PIN or password.
Installing Unauthorized Software / Hardware
• When users download software from the Internet they are often unaware of its origin and of who uploaded it. The problem with such downloaded software is that it can carry harmful code.
Access by Non-Employees
• An attacker may get physical access to an organization's facilities and obtain enough information to enter its computer systems or network. It therefore becomes necessary for the organization to restrict non-employees from illegal entry into its premises.

• Precautions taken by organizations

o To avoid access by non-employees, organizations require their employees to wear identification (ID) badges at work.
o Organizations instruct their employees not to invite relatives and friends to work sites.
o Some organizations restrict visitors (non-employees) from entering the premises with cameras, cell phones etc., because visitors may misuse such devices to steal information from the organization.
Security Awareness
• Security awareness programs for employees are very effective in avoiding potential attacks on an organization's security.
• Employees must know the sensitivity of the different types of information they handle.
• When a new employee is hired it is important to provide training about the organization's security policies.
• It is also necessary to remind employees about the different avenues of attack, using security awareness advertisements and monthly e-mail newsletters.
Individual user responsibilities
• Lock the door of the workspace.
• Do not leave sensitive information unprotected.
• Do not discuss sensitive information with family members and other individuals.
• Protect your laptop from strangers.
• Shred papers containing sensitive information about the organization before discarding them.
• Do not allow access without an identification procedure.
Physical Access Controls
• Something the individual has, e.g. a smart card
• Something the individual knows, e.g. a password
• Something the individual is, e.g. a manager
Access Control:
“The prevention of unauthorized use of a resource, including the prevention of use of
a resource in an unauthorized manner.”
Access Control Principles
• Authentication
• Authorization
• Audit

An access control mechanism mediates between a user (or a process executing on behalf of a user) and system resources, such as applications, operating systems, firewalls, routers, files, and databases. The system must first authenticate an entity seeking access. Typically, the authentication function determines whether the user is permitted to access the system at all. Then the access control function determines if the specific requested access by this user is permitted. A security administrator maintains an authorization database that specifies what type of access to which resources is allowed for this user. The access control function consults this database to determine whether to grant access. An auditing function monitors and keeps a record of user accesses to system resources.
Access Control Policies
• DAC
• MAC
• RBAC
These three policies are not mutually exclusive ( Figure 4.2 ). An access control
mechanism can employ two or even all three of these policies to cover different
classes of system resources.
Discretionary Access Control

Fig. DAC access matrix (reconstructed from the figure): the owner of file F1 grants the rights.

Object   User U01                       User U02   User U03
F1       owner, READ, WRITE, EXECUTE    READ       READ, WRITE

Mandatory Access Control

NOTE: Only the ADMINISTRATOR is responsible for defining access control policies.

Fig. MAC labels. Each object and each subject is assigned exactly one of the labels TOP SECRET, SECRET, INTERNAL, PUBLIC. Objects: Atomic Weapons Data File, Atomic Power Plant Data File, Other Weapons Data File, Tender Notification File, Registered Vendors. Subjects: A. Kalam, Ajay, Vikas, Sameer, Abraham.

Role Based Access Control

Fig. RBAC matrix. User-to-role assignment: the roles are Principal, HOD, Lecturer, Student, Class Coordinator and Class Representative; Ajay holds one role, while Vijay, Vinod and Sohel hold two roles each. Role-to-permission matrix: the objects are Attendance Data, Account Data, Feedback Data, Student Data and Employee Data, and each cell lists the operations (Select, Update, Delete) the role may perform on that object. Row entries as given in the figure: Principal: Update; Select; Update, Delete; Update, Delete. HOD: Select; Update; Select. Lecturer: Update; Select; Select. Student: Select; Update; Select. Class Coordinator: Update; Update.
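The three policies, and the authenticate, authorize, audit sequence the text describes, side by side as an added Python example (not code from these notes). The DAC rights reproduce the F1 / U01 / U02 / U03 figure. Everything else is an assumption made for the example: the clearance and classification labels given to A. Kalam, Ajay, Abraham and the two files, the MAC decision rule (the standard confidentiality lattice in which a subject may read at or below its clearance and write at or above it, which the slide does not state), and the particular RBAC permissions granted, which are not the figure's exact cells.

```python
# ---- Discretionary access control: the object's owner decides who gets what ----
class DAC:
    def __init__(self):
        self.owner = {}   # object -> owning user
        self.acl = {}     # object -> {user: set(rights)}

    def create(self, owner, obj):
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"READ", "WRITE", "EXECUTE"}}

    def grant(self, granter, obj, user, right):
        # Discretionary: only the owner may change the ACL of the object
        if self.owner.get(obj) != granter:
            raise PermissionError("%s is not the owner of %s" % (granter, obj))
        self.acl[obj].setdefault(user, set()).add(right)

    def allowed(self, user, obj, right):
        return right in self.acl.get(obj, {}).get(user, set())


# ---- Mandatory access control: labels fixed by the administrator ----
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2, "TOP SECRET": 3}


class MAC:
    def __init__(self, clearances, classifications):
        self.clearances = clearances            # subject -> label
        self.classifications = classifications  # object -> label

    def allowed(self, subject, obj, right):
        s = LEVELS[self.clearances[subject]]
        o = LEVELS[self.classifications[obj]]
        # Assumed rule (standard confidentiality lattice): no read-up, no write-down
        if right == "READ":
            return s >= o
        if right == "WRITE":
            return s <= o
        return False


# ---- Role based access control: user -> roles -> operations on objects ----
class RBAC:
    def __init__(self):
        self.user_roles = {}   # user -> set(roles)
        self.role_perms = {}   # role -> {object: set(operations)}

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def permit(self, role, obj, *ops):
        self.role_perms.setdefault(role, {}).setdefault(obj, set()).update(ops)

    def allowed(self, user, obj, op):
        return any(op in self.role_perms.get(r, {}).get(obj, set())
                   for r in self.user_roles.get(user, ()))


# ---- The mediating function: authenticate, then authorize, then audit ----
AUDIT_LOG = []


def request(policy, user, obj, right, authenticated):
    """Mediate one access as the text describes: an unauthenticated entity is
    refused before any policy lookup, the policy decides otherwise, and every
    decision is written to the audit record."""
    if not authenticated:
        decision = "DENY (not authenticated)"
    elif policy.allowed(user, obj, right):
        decision = "GRANT"
    else:
        decision = "DENY"
    AUDIT_LOG.append((type(policy).__name__, user, obj, right, decision))
    return decision == "GRANT"


def build_examples():
    dac = DAC()
    dac.create("U01", "F1")                 # U01 owns F1: READ, WRITE, EXECUTE
    dac.grant("U01", "F1", "U02", "READ")   # U02: READ
    dac.grant("U01", "F1", "U03", "READ")   # U03: READ, WRITE
    dac.grant("U01", "F1", "U03", "WRITE")

    # Assumed labels; only the names come from the MAC figure
    mac = MAC(
        clearances={"A. Kalam": "TOP SECRET", "Ajay": "SECRET", "Abraham": "PUBLIC"},
        classifications={"Atomic Weapons Data File": "TOP SECRET",
                         "Registered Vendors": "PUBLIC"},
    )

    rbac = RBAC()                            # assumed role/permission assignments
    rbac.assign("Ajay", "Principal")
    rbac.assign("Vijay", "Lecturer")
    rbac.permit("Principal", "Account Data", "Select", "Update", "Delete")
    rbac.permit("Lecturer", "Attendance Data", "Update")
    rbac.permit("Lecturer", "Student Data", "Select")
    return dac, mac, rbac
```

Running `request()` against each policy object shows the difference the notes draw: under DAC a non-owner such as U02 cannot extend its own rights on F1, under MAC a SECRET-cleared Ajay is refused the TOP SECRET file however the owner feels about it, and under RBAC changing what Vijay may do is a matter of changing the Lecturer role rather than Vijay's entry.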
Biometrics

Biometrics is an authentication technology in which human physical or behavioral characteristics are used to uniquely identify a person.

How it works

• The first step in implementing a biometric system is to register (enroll) the samples of all authenticated users in the database. These registered samples are used for comparison in future.
• In the next step a biometric device captures a sample from the user who wants to access a service.
• In a client-server model, the user's sample is encrypted by the client and transferred to the server. The server decrypts the sample and compares it with the already registered samples.
• If the two samples match, permission is granted to the user; otherwise permission is denied.
Characteristics of a Biometric System

• FAR (False Accept Ratio)
The measure of the chance that a person who should be rejected is actually accepted by the system as a good enough match is known as the false accept ratio.

• FRR (False Reject Ratio)
The measure of the chance that a person who should be accepted is actually rejected by the system as not a good enough match is known as the false reject ratio.
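FAR and FRR are not fixed properties of a sensor; both follow from where the decision threshold on the match score is set, and moving it lowers one while raising the other. The following Python is an added example, not from these notes: the genuine and impostor match scores are constructed values, and the threshold sweep and equal-error point are standard ways of summarizing the trade-off that the definitions above leave implicit.

```python
# Constructed match scores (0 = no resemblance, 1 = perfect match).
# "Genuine" attempts are by the enrolled person, "impostor" attempts by others.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.73, 0.69, 0.65, 0.58]
IMPOSTOR_SCORES = [0.12, 0.21, 0.30, 0.41, 0.49, 0.55, 0.62, 0.71]


def far(impostor_scores, threshold):
    """False Accept Ratio: share of impostors whose score reaches the threshold
    and who are therefore wrongly accepted."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Ratio: share of genuine users whose score falls below the
    threshold and who are therefore wrongly rejected."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_rates(genuine, impostor, thresholds):
    """Sweep the threshold and return (threshold, FAR, FRR) triples; FAR falls
    and FRR rises as the threshold is tightened."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest: the equal error rate (EER)
    point, a common single-number summary of a biometric system."""
    return min(thresholds, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


if __name__ == "__main__":
    steps = [round(0.05 * i, 2) for i in range(21)]
    for t, a, r in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, steps):
        print("threshold %.2f  FAR %.3f  FRR %.3f" % (t, a, r))
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, steps))
```

Which side of the equal-error point to operate on is a policy decision: a door to a server room is tuned for low FAR and accepts some false rejects, a convenience login for low FRR.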
The major biometric form factors used today are

1. Hand-print (Physical)
2. Fingerprint (Physical)
3. Eye retina (Physical)
4. Keystroke (Behavioral)
5. Voice pattern (Behavioral)
Hand-Print (Physical Biometric)

Everybody has a unique hand-print. Hand-print or hand-geometry verification systems examine the unique measurements of your hand and use that information to determine whether you should be allowed access.
The hand-geometry of a person is registered in the database on the basis of the following parameters.

o Length of fingers
o Thickness of hand
o Shape of curves
o Depth of skin

With a hand-print verification system, you press your hand on a hand-geometry reader, aligning all of your fingers, and the sensor scans the hand on the basis of the above parameters. The information is digitized and compared against a hand-print template stored for you in the system.
The system allows access if your hand-print sufficiently matches the stored template.
Disadvantages
1. A high-cost device is required to scan the complete hand.
2. A large amount of memory is required to store the sample hand-print template.
3. More time is required to compare.
4. Swelling, or the presence of rings on the fingers, affects the system's ability.
Eye Retina Scan (Physical)
o The human retina is a thin tissue composed of neural cells that is located in the posterior portion of the eye.
o Because of the complex structure of the capillaries that supply the retina with blood, each person's retina is unique.
o Even identical twins do not share the same eye retina.

Advantages
• Very high accuracy.
• Speedy results.
Disadvantages
• Some diseases, such as diabetes and retinal disorders, cause the eye retina to change after some age.
Retinal Scanning:
The human retina is a thin tissue composed of neural cells that is located in the posterior portion of the eye. Because of the complex structure of the capillaries that supply the retina with blood, each person's retina is unique. The network of blood vessels in the retina is so complex that even identical twins do not share a similar pattern.
A biometric identifier known as a retinal scan is used to map the unique patterns of a person's retina. The blood vessels within the retina absorb light more readily than the surrounding tissue and are easily identified with appropriate lighting.
A retinal scan is performed by casting an unperceived beam of low-energy infrared light into a person's eye as they look through the scanner's eyepiece. This beam of light traces a standardized path on the retina. Because retinal blood vessels are more absorbent of this light than the rest of the eye, the amount of reflection varies during the scan. The pattern of variations is converted to computer code and stored in a database.

Fig. Internal Complex Retina Structure


Keystroke (Behavioral)
Keystroke biometrics uses the manner and rhythm in which an individual types characters on a keyboard or keypad for user identification.
Timing Data
Timing data is also stored, as follows:
Dwell time
• Time a key is held pressed.
Flight time
• Time between a key-up and the next key-down.
So the manner, rhythm and timing data are used to develop the unique sample of the user.
Advantages
• Keystrokes can be captured continuously, not just at login time.
Disadvantages
Temporal variation: a person's typing varies substantially during a day and between different days.
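Dwell and flight times turn a typed phrase into a vector of numbers, and enrollment is simply averaging that vector over several samples. The following Python is an added example, not from these notes: the key events are constructed timings (a real system would take them from keyboard hooks), and the 25 ms tolerance is an assumed value whose only role is to absorb the temporal variation the notes list as the main disadvantage.

```python
# Constructed key events for typing "pass": (key, press_ms, release_ms).
ENROL_SAMPLES = [
    [("p", 0, 95), ("a", 180, 270), ("s", 340, 430), ("s", 520, 600)],
    [("p", 0, 100), ("a", 190, 280), ("s", 350, 445), ("s", 530, 615)],
    [("p", 0, 90), ("a", 175, 265), ("s", 335, 420), ("s", 515, 595)],
]
GENUINE_PROBE = [("p", 0, 97), ("a", 185, 275), ("s", 345, 435), ("s", 525, 605)]
IMPOSTOR_PROBE = [("p", 0, 60), ("a", 90, 140), ("s", 170, 230), ("s", 260, 310)]


def timing_features(events):
    """Dwell time: how long each key is held (release - press).
    Flight time: gap between one key's key-up and the next key's key-down."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def build_template(samples):
    """Enrollment: average each timing feature over the registered samples."""
    vectors = [timing_features(s) for s in samples]
    return [sum(col) / len(col) for col in zip(*vectors)]


def distance(template, probe_events):
    """Mean absolute deviation (ms) between a probe's timings and the template."""
    probe = timing_features(probe_events)
    return sum(abs(a - b) for a, b in zip(template, probe)) / len(template)


def verify(template, probe_events, tolerance_ms=25.0):
    """Accept when the probe rhythm is within tolerance of the stored template.
    The tolerance is assumed: tighter raises FRR on a tired typist, looser
    raises FAR for anyone who types at roughly the same pace."""
    return distance(template, probe_events) <= tolerance_ms


if __name__ == "__main__":
    template = build_template(ENROL_SAMPLES)
    print("template (4 dwell + 3 flight, ms):", [round(v, 1) for v in template])
    print("genuine probe accepted:", verify(template, GENUINE_PROBE))
    print("impostor probe accepted:", verify(template, IMPOSTOR_PROBE))
```

Because the same `timing_features()` can be computed on every burst of typing after login, the template comparison can run continuously in the background, which is the advantage the notes give this factor over a one-time check at the start of a session.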
Voice Pattern (Behavioral)
o Everybody has a unique vocal and acoustic pattern.
o The system converts the acoustic strength of a speaker's voice into component frequencies and analyzes how they are distributed.
o A voice print / voice signature is constructed by sampling, digitizing and storing several repetitions of a particular phrase.
o Voice prints are not recorded words.
Advantages:
o Users do not have to install any devices.
o Easy to use.
o A remote user can interact with a voice biometric application using only a telephone.
Disadvantages
o Respiratory diseases, throat infections and background noise may affect the system's ability to match a voice print.
