Nis Unit 2 PDF

The document discusses the concepts of identification, authentication, and access control in network and information security. It outlines various methods of authentication, including passwords and biometrics, and highlights the importance of strong password practices and the risks associated with password attacks. Additionally, it covers access control mechanisms and principles to ensure secure user access to systems and resources.

SHREE KRUSHNA ENGG. CLASSES NETWORK AND INFORMATION SECURITY IS 22620

Unit 2 – Authentication and Access Control


2.1 Identification and Authentication
Identification is the claiming of an identity. Authentication is the act of verifying or proving the claimed identity. Identification and authentication are the two initial phases of the process of allowing access to a system. Identification is the act of identifying a particular user, often through a username. Authentication is the proof of this user's identity, which is commonly managed by entering a password. Only after a user has been properly identified and authenticated can they be authorized to access systems or privileges.
Authentication involves identifying a particular user based on their login credentials, such as usernames and passwords, biometric scans, PINs, or security tokens.
Authorization refers to giving a user the appropriate level of access as determined by access control policies. These processes are typically automated.
Managing password security can be quite expensive, and the user plays a very important role in protecting a password.
There are a number of methods to crack a user's password, but the most prominent one is a Password Guessing Attack. Basically, this is the process of attempting to gain access to the system by trying all the possible passwords (guessing passwords).
To resist such attacks, today's passwords need the following traits:
• At least 12 characters long is recommended, 8 at the minimum.
• A combination of both upper- and lower-case letters, numbers, and symbols.
• Random enough that they do not contain any predictable sequence.


2.1.1 User Name and Password


1) Username (Identification)
In network and information security, a username is used for identification. It is a
unique name or ID that a user enters to tell the system who they are. It helps the
system recognize the user account that is trying to gain access. A username is not
secret and is usually created by the user or assigned by an administrator. For
example, when logging into an email account, entering the email address or user ID
serves as the username. Without a username, the system cannot identify which
account the person wants to access.
2) Password (Authentication)
A password is used for authentication. After the username is entered, the system
asks for a password to verify that the person is really the owner of that account. The
password must match the one stored in the system for that username. This helps
protect the account from unauthorized access. A strong password usually includes
a mix of uppercase and lowercase letters, numbers, and special characters. If the
password is weak or easy to guess, hackers can break into the system. That’s why
users are advised to create strong passwords and keep them secret.
Password Guessing
Exhaustive search: A brute-force attack consists of an attacker submitting many
passwords or passphrases with the hope of eventually guessing correctly. The
attacker systematically checks all possible passwords and passphrases until the
correct one is found. Alternatively, the attacker can attempt to guess the key which
is typically created from the password using a key derivation function. This is
known as an exhaustive key search.


Intelligent search: Here an attacker searches for a password with the help of the user's personal data, such as name, date of birth, family members' names, phone numbers etc.
Example: Dictionary attack. A dictionary attack is a brute-force technique where attackers run through common words and phrases, such as those from a dictionary, to guess passwords. The fact that people often use simple, easy-to-remember passwords across multiple accounts means dictionary attacks can be successful while requiring fewer resources to execute.
Protection techniques which can be used by users:
a. Default password: Do not keep the default password given by the administrator; change it.
b. Length of password: The password should be at least 8 characters long.
c. Character set: The password should contain upper-case letters (A-Z), lower-case letters (a-z), digits (0-9) and some special characters such as !@#$&*,:;?
d. Avoid obvious passwords.
Techniques that the system can follow to improve password security:
1. Password checkers: A password checker (for example, Password Checker Online) helps you evaluate the strength of your password. More precisely, it checks the password strength against the two basic types of password cracking methods, the brute-force attack and the dictionary attack. It also analyses the syntax of your password and informs you about its possible weaknesses. This tool can thus also help you create a stronger password from a weak one. Its drawback: if the job is done right, it is resource intensive. A determined opponent who is able to steal the password file can dedicate full CPU time to this task for many hours or even days.


2. Password generation: Many operating systems can produce computer-generated passwords. These passwords are random in nature and can be made pronounceable. Here users are not allowed to select their own password. As the generated password is random, users find it difficult to remember.

3. Password aging: The password can be set with an expiry date. This forces users to change their password at regular intervals. It is normally used in conjunction with a setting that prevents re-use of the last X passwords; the minimum password age is intended to discourage users from cycling through their previous passwords to get back to a preferred one.

4. Limit login attempts: One of the most common attacks is the brute-force attack. This basically means that an attacker keeps trying to guess your password until they get it right. Most of the time, they use a script for this. Limiting login attempts allows us to track and limit the number of failed login attempts.
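As an added example (not code from these notes), the following Python module checks a password against the traits and user-side rules given above and estimates the search space an exhaustive search faces; the word list, the per-class alphabet sizes and the four-character sequence length are assumptions made for the example.

```python
"""Password policy checker illustrating the rules in these notes.
Added example, not from the notes. The word list, the class sizes and the
sequence length are assumptions made for the example."""
import math

# Constructed mini "dictionary" standing in for a real word list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey"}

RECOMMENDED_LEN = 12   # "at least 12 characters long is recommended"
MINIMUM_LEN = 8        # "8 at the minimum"
ALL_CLASSES = {"lower", "upper", "digit", "symbol"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}  # assumed


def char_classes(pw: str) -> set:
    """Which of the four character classes the password actually uses."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 ('abcd', '4321')
    or repeat the same character ('aaaa'): the 'predictable sequence' trait."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def brute_force_bits(pw: str) -> float:
    """log2 of the search space an exhaustive search must cover, assuming the
    attacker knows the length and which character classes were used."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MINIMUM_LEN:
        problems.append(f"shorter than the minimum of {MINIMUM_LEN}")
    elif len(pw) < RECOMMENDED_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_LEN}")
    missing = ALL_CLASSES - char_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if has_sequence(pw):
        problems.append("contains a predictable sequence or repeated run")
    # Dictionary check on the letters only, so 'Password1!' is still caught.
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("abcd1234", "Password1!", "Tr0ub4dor&3Xyz!"):
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits,",
              check_password(candidate) or "accepted")
```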
2.1.2 Password attacks
• Piggybacking: Piggybacking is a social engineering attack in which an attacker uses another person's legitimate access to a physical or electronic location to gain unauthorized access themselves.
This type of attack is often seen in office buildings, where an attacker will follow someone with an access badge into a secured area. It can also be seen in IT systems, where an attacker may log into a system using another user's credentials. Piggybacking can also be used as a form of eavesdropping, where an attacker uses another person's access to a location in order to listen in on conversations or harvest sensitive information.
Piggybacking attacks are relatively easy to carry out and are often very hard to detect. However, there are several steps that organizations can take in order to protect themselves against this type of attack. For example, they can limit access to sensitive areas only to authorized individuals with proper credentials or set up a system for detecting unauthorized access attempts.
Overall, piggybacking is a serious security threat that can have serious consequences for organizations. Therefore, it is important for organizations to be aware of this type of attack and take measures to protect themselves against it.
• Shoulder Surfing: Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in a crowded place because it is relatively easy to stand next to someone and watch as they fill out a form, enter a PIN at an ATM, etc. It can also be done from a distance with the aid of binoculars or other vision-enhancing devices. This attack is the most successful type of attack against passwords and some graphical passwords.
• Dumpster Diving: Getting familiar with the definition of dumpster diving is the first step to fighting this attack. Here, cyber attackers take the idiom "One man's trash is another man's treasure" to a whole new realm.
Dumpster diving in cybersecurity is the process of investigating an individual's or organization's trash to retrieve information that could be used to compromise network resources or plan a cyberattack.
A person going through your trash can gather enough data to create a complex profile and commit identity theft. Aside from physical trash, cyber actors can also search recycle or electronic waste bins, phone lists, calendars or organizational charts for sensitive information that can severely compromise your company.


Cybercriminals often use malware to achieve this. When a dumpster diver goes through your trash, they are looking for any information that can be used to execute a cyberattack. Some of the data such criminals can obtain from your trash include:
• Home or email addresses
• Private passwords, PINs, or any other sensitive data
• Bank account statements
• Digital signatures
To prevent dumpster divers from learning any valuable information about a user or their organization, establish a disposal policy. Ensure all unwanted information, documents, notes, and hardware are properly destroyed. Below are a few practices to prevent dumpster diving in cyber security.
1. Implement a Trash Management Plan
2. Practice Storage Media Deletion
3. Enforce a Data Retention Policy
4. Use a Shredder
2.2 Biometrics:
Biometrics can be defined as the most practical means of identifying and authenticating individuals in a reliable and fast way through unique biological characteristics.
The term Biometrics is composed of two words: Bio (Greek for life) and Metrics (measurements). Biometrics is a branch of information technology that aims at establishing one's identity based on personal traits. Each human being is unique in terms of characteristics, which make him or her different from all others. Physical attributes such as fingerprints, colour of iris, colour of hair and hand geometry, and behavioural characteristics such as tone and accent of speech, signature, or the way of typing on a computer keyboard, make a person stand apart from the rest. The biometric sample is acquired from the candidate user. The prominent features are extracted from the sample and then compared with the samples stored in the database. When the input sample matches one of the samples in the database, the biometric system allows the person to access the resources; otherwise it denies access.

2.2.1 Types of Biometric:
➢ Fingerprints: A fingerprint is an impression or mark made on a surface by a person's fingertip, which can be used to identify individuals from the unique pattern of whorls and lines on the fingertips. It involves a finger-sized identification sensor with a low-cost biometric chip. The fingerprint matching system extracts a number of features from the fingerprint and stores them as a numerical substitute.
The software works by extracting meaningful features known as minutia points from the fingerprint. The scanner picks out attributes such as orientation, change of ridge direction, arches, loops and whorls in the print. Some scanners can even pick up pores on the skin. The software then records and stores these minutia points in order to verify the user's identity in the future.
Its limitations:
a. Hardware and software programs can be expensive.
b. It can lead to false rejections and false acceptances.
c. It makes mistakes with dry or dirty skin on the finger, as well as with age.
➢ Hand Print: A handprint is obtained from the inner surface of a hand between the wrist and the top of the fingers, which contains the principal lines, wrinkles and ridges on the palm, fingers and fingertips. As in the case of fingerprints, everybody has unique handprints. A handprint biometric system scans the hand and fingers, and the data is compared with the specimen stored for you in the system. The user is allowed or denied based on the result of this verification.
➢ Retina: Everybody has a unique retinal vascular pattern. A retina pattern biometric system uses an infrared beam to scan your retina. Retina pattern biometric systems examine the unique characteristics of the user's retina and compare that information with the stored pattern to determine whether the user should be allowed access. Some other biometric systems also perform iris and pupil measurements. Retina pattern biometric systems are highly reliable. Users are often worried about using retina scanners because they fear that the scanners will blind or injure their eyes.


➢ Voice/Speech Patterns: Voice pattern biometric systems examine the unique characteristics of the user's voice. Voice biometrics can work with existing security measures to speed up authentication. It enhances consumer confidence, which is crucial for trust. Users are saved from the trouble of remembering multiple passwords and switching between devices and OTPs. Voice biometric authentication creates your voice signature from a recording of your voice and then uses this to identify you later. Whether or not it relies on you saying a specific phrase depends on the system.

➢ Signature and Writing Pattern: Signature recognition is a biometric modality that stores and compares the behavioural patterns which are integral to the process of generating a signature. Some of the factors that are analysed include the speed, variations in timing and the pressure applied to the pen when an individual composes a signature.
Of all the biometric modalities in existence, signature recognition carries the most potential in terms of adaptability, security and implementation. In addition, the costs involved in the deployment and procurement of this biometric modality are minimal in contrast to the much more complex modalities like retinal and fingerprint recognition.
➢ Keystrokes: The behavioural biometric of Keystroke Dynamics uses the
manner and rhythm in which an individual types characters on a keyboard or
keypad. The keystroke rhythms of a user are measured to develop a unique
biometric template of the user's typing pattern for future authentication.
Keystrokes are separated into static and dynamic typing, which are used to
help distinguish between authorized and unauthorized users. Vibration
information may be used to create a pattern for future use in both identification
and authentication tasks.
2.3 Access Control
2.3.1 Definition:
✓ Access is the ability of a subject to interact with an object. Authentication deals with verifying the identity of the subject.
✓ Access control is a security technique that controls who can access or use resources in a network or system.


✓ Access control is the ability to specify, to control and to limit the access to the host system or application in terms of availability, integrity and confidentiality.
2.3.2 Authentication Mechanism - In security, authentication is the process of verifying whether someone (or something) is, in fact, who (or what) it is declared to be.
There are three methods of authentication:
✓ something you know (e.g., passwords)
✓ something you have (e.g., token keys)
✓ something you are (a scanned body part, e.g., a fingerprint)
2.3.3 Authentication and Authorization
Authentication is the act of validating that users are whom they claim to be. This is
the first step in any security process.
Complete an authentication process with:
✓ Passwords. Usernames and passwords are the most common authentication
factors.
✓ Authentication apps. Generate security codes via an outside party that grants
access.
✓ Biometrics. A user presents a fingerprint or eye scan to gain access to the
system.
In some instances, systems require the successful verification of more than
one factor before granting access. This multi-factor authentication (MFA)
requirement is often deployed to increase security beyond what passwords
alone can provide.


✓ Authorization in system security is the process of giving the user permission to access a specific resource or function. This term is often used interchangeably with access control or client privilege.

Difference between Authentication and Authorization

2.3.4 Principles
The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform.

✓ Least Privilege Principle
o Users should have only the minimum access rights needed to do their job.
o Reduces the risk of accidental or intentional misuse.

✓ Separation of Duties
o Tasks and responsibilities are divided among multiple users to prevent fraud or abuse of power.
o Example: One person creates a user account, another approves it.

✓ Need to Know
o Access is granted only if the user needs the information to perform their job.
o Helps protect sensitive data from being widely accessible.
o Common methods: passwords, biometrics, smart cards, or two-factor authentication (2FA).

✓ Authorization
o Determines what an authenticated user is allowed to do.
o Example: One user can only view files, while another can edit or delete them.

✓ Access Control Policies
o These are rules that define how access is granted.
o They are high-level guidelines that determine how access is controlled and how access decisions are made.


1. Access Control Matrix (ACM)
In computer science, an access control matrix or access matrix is an abstract, formal security model of the protection state in computer systems, which characterizes the rights of each subject with respect to every object in the system. It was first introduced by Butler W. Lampson in 1971.
An access control matrix is a table that defines access permissions between specific subjects and objects. The matrix is a data structure that acts as a table lookup for the operating system. For example, the table above is a matrix that has specific access permissions defined per user, detailing what actions they can enact.
2. Access Control List (ACL)
In computer security, an access-control list (ACL) is a list of permissions associated
with a system resource (object). An ACL specifies which users or system processes
are granted access to objects, as well as what operations are allowed on given
objects. Each entry in a typical ACL specifies a subject and an operation. For
instance, if a file object has an ACL that contains (Alice: read, write; Bob: read),
this would give Alice, permission to read and write the file and give Bob permission
only to read it.


The advantages of using access control lists include:
• Better protection of internet-facing servers.
• More control of access through entry points.
• More control of access to and traffic between internal networks.
• More granular control of user and group permissions.
• Better protection from spoofing and denial of service attacks.
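The matrix, its per-object ACL view (the column an ACL stores) and its per-subject capability view (the row), as an added Python example that is not part of these notes; the subjects, objects and rights, including the notes' Alice/Bob ACL, are constructed.

```python
"""Access control matrix with its two common storage views: per-object ACLs
(columns) and per-subject capability lists (rows). Added example, not code
from these notes; the subjects, objects and rights are constructed."""
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # matrix[subject][object] -> set of rights; an absent cell means none.
        self._m = defaultdict(lambda: defaultdict(set))

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._m[subject][obj].update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self._m[subject][obj].difference_update(rights)

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        """The reference-monitor check: is `right` in the (subject, object)
        cell? Default deny: an unknown subject or object has an empty cell."""
        return right in self._m.get(subject, {}).get(obj, set())

    def acl(self, obj: str) -> dict:
        """Column view: the ACL stored with the object, like the notes'
        (Alice: read, write; Bob: read)."""
        return {s: set(cells[obj]) for s, cells in self._m.items() if cells.get(obj)}

    def capabilities(self, subject: str) -> dict:
        """Row view: the capability list held by the subject."""
        return {o: set(r) for o, r in self._m.get(subject, {}).items() if r}

    def render(self) -> str:
        """Text rendering of the full matrix, one row per subject."""
        objs = sorted({o for cells in self._m.values() for o in cells if cells[o]})
        lines = ["subject".ljust(10) + "".join(o.ljust(14) for o in objs)]
        for s in sorted(self._m):
            row = [",".join(sorted(self._m[s][o])) or "-" for o in objs]
            lines.append(s.ljust(10) + "".join(c.ljust(14) for c in row))
        return "\n".join(lines)


def build_example() -> AccessMatrix:
    """The ACL example from the notes plus one more (constructed) object."""
    m = AccessMatrix()
    m.grant("alice", "report.txt", "read", "write")
    m.grant("bob", "report.txt", "read")
    m.grant("alice", "payroll.db", "read")
    return m


if __name__ == "__main__":
    m = build_example()
    print(m.render())
    print("ACL of report.txt:", m.acl("report.txt"))
    print("bob write report.txt ->", m.allowed("bob", "report.txt", "write"))
```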
2.3.5 Audit
An audit is an investigation and evaluation of IT systems, infrastructures, policies, and operations. Through IT audits, a company can determine if the existing IT controls protect corporate assets, ensure data integrity and align with the organization's business and financial controls. Basically, the aim is to gain assurance that these information systems are working as intended, that controls are in place in these systems, and that they are working correctly to ensure that the information processed and stored is reliable.
IT auditing or information technology audit basically examines the
internal control structure in information systems set up


2.3.6 Access Control policies
Several different models are discussed in the security literature, including Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC).


1. Discretionary access control (DAC)
Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object's owner group and/or subjects. DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password. DACs are discretionary because the subject (owner) can transfer access to objects or information to other users. In other words, the owner determines object access privileges.
In DAC, each system object (file or data object) has an owner, and each initial object
owner is the subject that causes its creation. Thus, an object's access policy is
determined by its owner.
A typical example of DAC is Unix file mode, which defines the read, write and
execute permissions in each of the three bits for each user, group and others.
DAC attributes include:
• User may transfer object ownership to another user(s).
• User may determine the access type of other users.
• After several attempts, authorization failures restrict user access.
• Unauthorized users are blind to object characteristics, such as file size, file name
and directory path.
• Object access is determined during access control list (ACL) authorization and
based on user identification and/or group membership.
DAC is easy to implement and intuitive but has certain disadvantages, including:
• Inherent vulnerabilities (Trojan horse)
• ACL maintenance or capability
• Grant and revoke permissions maintenance
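The Unix file-mode example of DAC worked through in Python as an added example (not code from these notes): the kernel-style single-class rwx check, plus owner-only chmod and ownership transfer. Users, groups and files are constructed, and chown is simplified to owner-only.

```python
"""DAC modelled on the Unix file mode: rwx bits for owner, group and others,
with the owner alone able to change the policy or transfer ownership.
Added example, not code from these notes; users and files are constructed."""
from dataclasses import dataclass


@dataclass
class User:
    uid: int
    gids: frozenset      # all groups the user belongs to


@dataclass
class File:
    name: str
    owner_uid: int
    group_gid: int
    mode: int            # permission bits, e.g. 0o640


BITS = {"r": 4, "w": 2, "x": 1}


def has_access(user: User, f: File, want: str) -> bool:
    """want is 'r', 'w' or 'x'. As the Unix kernel does, select exactly one
    class (owner, else group, else others) and test only that class's bits;
    an owner with mode 0o007 is denied even though 'others' are allowed."""
    if user.uid == f.owner_uid:
        shift = 6
    elif f.group_gid in user.gids:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & BITS[want])


def chmod(actor: User, f: File, new_mode: int) -> bool:
    """Discretionary part: only the owner may change the access policy.
    Returns False (and changes nothing) for anyone else."""
    if actor.uid != f.owner_uid:
        return False
    f.mode = new_mode & 0o777
    return True


def chown(actor: User, f: File, new_owner_uid: int) -> bool:
    """Ownership transfer, one of the DAC attributes listed in the notes.
    Simplification: real Unix systems normally reserve chown for root."""
    if actor.uid != f.owner_uid:
        return False
    f.owner_uid = new_owner_uid
    return True


if __name__ == "__main__":
    alice = User(1000, frozenset({1000, 2000}))
    bob = User(1001, frozenset({2000}))
    report = File("report.txt", owner_uid=1000, group_gid=2000, mode=0o640)
    print("bob read:", has_access(bob, report, "r"),
          " bob write:", has_access(bob, report, "w"))
    print("bob chmod allowed:", chmod(bob, report, 0o666))
```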


2. Mandatory access control (MAC)
The high levels of confidentiality and integrity mean that Mandatory Access Control is used in areas that deal with sensitive data and require a high level of security. This typically includes the military, government, politics, foreign trade, healthcare, and intelligence. But MAC also has uses for normal companies. The security system Security-Enhanced Linux (SELinux), for example, is based on an implementation of MAC in the Linux kernel. Mandatory Access Control uses a hierarchical approach:
Each object in a file system is assigned a security level, based on the sensitivity of
the data. Examples of security levels include “confidential” and “top secret”. Users
and devices are ranked in the same way. When a user tries to access a resource, the
system automatically checks whether or not they are allowed access. Additionally,
all users and information are assigned a category, which is also checked when a user
requests access. Users must fulfil both criteria – security level and category – in
order to access data.
Mandatory Access Control is one of the most secure access systems, as it’s pretty
much tamper-proof. Unlike with RBAC, users cannot make changes. The checking
and enforcing of access privileges is completely automated. This lends Mandatory
Access Control a high level of confidentiality. Furthermore, the system boasts a high
level of integrity: Data cannot be modified without proper authorization and are thus
protected from tampering.
However, MAC requires detailed planning and greater administrative work. You’ll
need to regularly check and update each assignment of access rights to objects and
users.
Maintenance work also includes adding new data or users and implementing
changes in categorizations and classifications.
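The level-plus-category check described above, as an added Python example that is not from these notes; the level ordering, the category names and the Bell-LaPadula read/write rules (no read up, no write down) are assumptions made for the example.

```python
"""MAC check using a security level plus a category set, as the notes describe
(both criteria must hold). The read/write rules are the Bell-LaPadula ones
('no read up', 'no write down'), an assumption made for the example. Added
example, not code from these notes; levels and labels are constructed."""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND every category of
        `other` also present in `self`. Both criteria must hold."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allows(subject: Label, obj: Label, op: str) -> bool:
    """System-enforced decision; neither the user nor the object's creator
    can override it, which is what distinguishes MAC from DAC and RBAC."""
    if op == "read":
        return subject.dominates(obj)          # no read up
    if op == "write":
        return obj.dominates(subject)          # no write down
    raise ValueError(f"unknown operation {op!r}")


def relabel(actor_is_security_admin: bool, obj: Label, new: Label) -> Label:
    """Labels change only through the security administrator's action, never
    at a user's discretion. Returns the label in force afterwards."""
    return new if actor_is_security_admin else obj


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"nuclear"}))
    memo = Label("confidential", frozenset({"nuclear"}))
    print("analyst read memo:", mac_allows(analyst, memo, "read"))
    print("analyst write memo:", mac_allows(analyst, memo, "write"))
```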


3. Role-based access control (RBAC)
Role-based access control (RBAC) is a way of granting access to resources based on users' roles in an organization. It is a policy-neutral access-control mechanism defined around roles and privileges.
The components of RBAC such as role-permissions, user-role and role-role
relationships make it simple to perform user assignments. RBAC can be used to
facilitate administration of security in large organizations with hundreds of users
and thousands of permissions. Although RBAC is different from MAC and DAC
access control frameworks, it can enforce these policies without any complication.
Within an organization, roles are created for various job functions. The permissions
to perform certain operations are assigned to specific roles. Since users are not
assigned permissions directly, but only acquire them through their role (or roles),
management of individual user rights becomes a matter of simply assigning
appropriate roles to the user's account; this simplifies common operations, such as
adding a user, or changing a user's department.
Role-based access control interference is a relatively new issue in security applications, where multiple user accounts with dynamic access levels may lead to encryption key instability, allowing an outside user to exploit the weakness for unauthorized access. Key sharing applications within dynamic virtualized environments have shown some success in addressing this problem.
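The user-role, role-permission and role-role relations named above, worked as an added Python example (not code from these notes); the organisation, roles and permissions are constructed, and the role-role relation is modelled as inheritance (a senior role gains the junior role's permissions).

```python
"""RBAC with the three relations the notes name: user-role, role-permission
and role-role (a senior role inherits a junior role's permissions). Added
example, not code from these notes; roles and permissions are constructed."""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.user_roles = defaultdict(set)   # user -> {role}
        self.inherits = defaultdict(set)     # senior role -> {junior roles}

    def add_permission(self, role, op, obj):
        self.role_perms[role].add((op, obj))

    def inherit(self, senior, junior):
        self.inherits[senior].add(junior)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def deassign(self, user, role):
        self.user_roles[user].discard(role)

    def effective_roles(self, user) -> set:
        """Roles held directly plus everything reachable through inheritance."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits.get(role, ()))
        return seen

    def permissions(self, user) -> set:
        """Users never hold permissions directly, only through their roles."""
        return set().union(*(self.role_perms.get(r, set())
                             for r in self.effective_roles(user)))

    def check(self, user, op, obj) -> bool:
        return (op, obj) in self.permissions(user)

    def change_department(self, user, old_role, new_role):
        """The 'changing a user's department' case: swap roles, nothing else."""
        self.deassign(user, old_role)
        self.assign(user, new_role)


def build_example() -> RBAC:
    """Constructed organisation: employee < hr < hr_manager."""
    r = RBAC()
    r.add_permission("employee", "read", "handbook")
    r.add_permission("hr", "edit", "payroll")
    r.add_permission("hr_manager", "approve", "payroll")
    r.inherit("hr", "employee")
    r.inherit("hr_manager", "hr")
    r.assign("dana", "hr_manager")
    r.assign("eve", "employee")
    return r


if __name__ == "__main__":
    r = build_example()
    print("dana:", sorted(r.permissions("dana")))
    r.change_department("dana", "hr_manager", "employee")
    print("dana after move:", sorted(r.permissions("dana")))
```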
