
ESTABLISHING IDENTITY part b crh503

Jacky Hartnett, 2011. Context: proving identity is the first step in protecting CIA (confidentiality, integrity and availability). It is an unsolved problem: there is no 100% effective way of telling who is using a remote computer, and most of the techniques developed are used in closed systems.


Presentation Transcript


  1. ESTABLISHING IDENTITY part b crh503, Jacky Hartnett, 2011

  2. Context
  • Proving identity is the first step in protecting CIA (confidentiality, integrity, availability)
  • It is an unsolved problem: there is no 100% effective way of telling who is using a remote computer
  • Most of the techniques developed are used in closed systems, which require an initial registration or introduction process
  • Even PKI, which was invented for use in open systems, is mostly used in closed systems
  • Nevertheless, access rights are granted on the basis of the identity of the user, so it is a fundamental security technique

  3. Topics
  • Logical Access Control continued
  • Passive Access Control: Q and A; challenge-response; what the user has; what the user is (biometrics)
  • Active Access Control


  5. Passive Access Control
  • The computer responds to a claimed identity
  • The authentication process is initiated by the user, NOT by the computer; the computer waits for the process to begin
  • Two obvious stages: claim an identity, then verify the claimed identity

  6. Questions and answers
  • A bank of questions and answers that only the user and the system know
  • The system selects a set at random for each attempt
  • It can ask more questions if responses are inaccurate or slow
  • The bank must include questions whose answers it is reasonable to assume no one else would know (so not facts that can be looked up about the user)
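Added example (not from the slides): one way to implement the question-and-answer scheme above. The design choices are assumptions of this example, not the lecture's: the system stores only a salted PBKDF2 hash of each normalised answer, picks questions in random order, and keeps asking until the required number have been answered correctly and quickly, so a wrong or slow answer simply costs an extra question. The sample question bank is constructed for illustration.

```python
import hashlib
import hmac
import os
import random
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def normalise(answer: str) -> str:
    """Case-fold and drop everything but letters/digits, so that
    "St. Mary's" and "st marys" hash to the same value."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def enrol(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Registration step: keep a salted PBKDF2 hash of each normalised answer,
    never the answer itself, so a stolen bank does not leak the answers."""
    bank = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
        bank[question] = (salt, digest)
    return bank


def check_answer(bank, question: str, answer: str) -> bool:
    salt, digest = bank[question]
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def authenticate(bank, responder, required=2, max_questions=4, time_limit=20.0, seed=None) -> bool:
    """Ask randomly chosen questions until `required` have been answered
    correctly and within `time_limit` seconds. A wrong or slow answer does
    not end the session; it simply costs another question, up to
    `max_questions` in total. `responder(question)` returns (answer, seconds).
    `seed` makes the selection reproducible for testing; leave it None in use."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    order = list(bank)
    rng.shuffle(order)
    correct = 0
    for question in order[:max_questions]:
        answer, seconds = responder(question)
        if check_answer(bank, question, answer) and seconds <= time_limit:
            correct += 1
            if correct == required:
                return True
    return False


# Constructed sample bank for one user (answers chosen for illustration only).
SAMPLE_ANSWERS = {
    "Name of your first school?": "St. Mary's",
    "Name of your first pet?": "Rex",
    "Street you grew up on?": "Okafor Crescent",
    "Make of your first car?": "Mini",
}

if __name__ == "__main__":
    bank = enrol(SAMPLE_ANSWERS)
    # Genuine user: answers correctly and quickly.
    print(authenticate(bank, lambda q: (SAMPLE_ANSWERS[q], 3.0)))   # True
    # Someone looking each answer up: correct, but over the time limit.
    print(authenticate(bank, lambda q: (SAMPLE_ANSWERS[q], 45.0)))  # False
```

The time limit is the one check the slide calls for that most implementations forget: a slow but correct answer is evidence of a lookup rather than recall, so it is scored as a miss. The required/max ratio sets how forgiving the scheme is; with required=2 and max_questions=4 it tolerates two misses.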

  7. Challenge - response
  • The user has to know the algorithm that turns the challenge into the correct response
  • Toy example: challenge sent by the system = 3; response from the user = (ord(name) * 12) mod 3; the secret algorithm is (ord(name) * 12), and the challenge supplies the modulus
  • Because the correct response changes with every challenge, a response captured in transit cannot simply be replayed
  • Mostly used together with another device that contains the algorithm, i.e. something the user knows combined with something the user has
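Added example (not from the slides): both sides of a challenge-response exchange. The first function is the slide's toy scheme, where the "algorithm" is the only secret (it assumes ord() is applied to the first letter of the name, since the slide does not say which character). The Server and Token classes are an assumed keyed design, HMAC-SHA256 over a fresh 16-byte nonce, chosen here to show what the toy lacks: the secret is a key held inside the device rather than a rule the user has to remember, and each challenge is consumed on first use so a captured response is useless afterwards.

```python
import hashlib
import hmac
import secrets


# --- The slide's toy scheme -------------------------------------------------
# The "algorithm" itself is the secret: response = (ord(name) * 12) mod challenge.
# ord() needs a single character, so the first letter of the name is used here
# (an assumption; the slide does not say which character).
def toy_response(name: str, challenge: int) -> int:
    return (ord(name[0]) * 12) % challenge


# --- Keyed challenge-response (HMAC-SHA256 design assumed for this example) --
class Server:
    def __init__(self, shared_keys: dict[str, bytes]):
        self.keys = shared_keys                   # identity -> key issued at registration
        self.outstanding: dict[str, bytes] = {}   # identity -> unanswered challenge

    def challenge(self, identity: str) -> bytes:
        """Step 1: the system sends a fresh, unpredictable nonce."""
        nonce = secrets.token_bytes(16)
        self.outstanding[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes) -> bool:
        """Step 3: recompute the expected response and compare in constant time.
        The nonce is consumed on first use, so a replayed response fails."""
        nonce = self.outstanding.pop(identity, None)
        key = self.keys.get(identity)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, identity.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """Something the user *has*: a device holding the key and the algorithm.
    The user never sees the key; they type the challenge in and read the
    response out (or the device does both over a wire)."""

    def __init__(self, identity: str, key: bytes):
        self.identity = identity
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        """Step 2: turn the challenge into the response."""
        return hmac.new(self._key, self.identity.encode() + nonce, hashlib.sha256).digest()


def run_exchange(server: Server, token: Token) -> bool:
    """One complete passive login: claim identity, receive challenge, answer it."""
    nonce = server.challenge(token.identity)
    return server.verify(token.identity, token.respond(nonce))


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # shared at registration (closed system)
    server = Server({"alice": key})
    print(run_exchange(server, Token("alice", key)))             # True
    print(run_exchange(server, Token("alice", b"guessed-key")))  # False
    print(toy_response("Alice", 3))                              # 0
```

The identity is bound into the MAC input so a response computed for one user cannot be presented as another's, and the nonce is popped before checking so that even a failed attempt retires it. Note that the toy scheme leaks its secret after a few observed challenge/response pairs, which is why the slide says it is normally paired with a device.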

  8. What the user has
  • Tokens, cards and keys: credit / EFTPOS card; key; token
  • Response calculator for challenges
  • Device containing a one-time password list
  • Possession of the device gives some degree of authentication

  9. What the user has
  • Advantages: cannot be copied (mostly); the owner will probably notice its loss; simple to use
  • Disadvantage: does not prove identity, just possession
  • Used by themselves to monitor software licence compliance (a dongle)

  10. What the user has
  • Mostly used in conjunction with something the user knows or is: have the device, and prove the right to have it by knowing something that only the true owner does
  • Sometimes the device itself stores this knowledge so that local authentication can take place, as with the PIN on EFTPOS / ATM cards
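Added example (not from the slides) for the "device containing a one-time password list" on slide 8: one way of building such a list is a hash chain, so that the device holds the whole list while the server stores only a single anchor value and still verifies each entry. The chain construction and the strict in-order rule are assumptions of this example; the seed is constructed and not a real secret.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def enrol(seed: bytes, n: int) -> tuple[list[bytes], bytes]:
    """Build a hash chain x0 = seed, x_k = H(x_{k-1}).
    The device gets the list x_{n-1}, ..., x_0 (used in that order); the server
    keeps only the anchor x_n, from which no earlier value can be derived."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    device_list = chain[-2::-1]   # x_{n-1} down to x_0
    return device_list, chain[-1]


class Server:
    def __init__(self, anchor: bytes, n: int):
        self.anchor = anchor
        self.remaining = n        # passwords left before re-enrolment is needed

    def verify(self, candidate: bytes) -> bool:
        """Accept p iff H(p) equals the last accepted value; p then becomes the anchor.
        A used password is rejected on replay, and so is one presented out of
        order (this strict form does not skip over lost entries)."""
        if self.remaining == 0 or not hmac.compare_digest(H(candidate), self.anchor):
            return False
        self.anchor = candidate
        self.remaining -= 1
        return True


class Device:
    """What the user has: a printed card or hardware token holding the list."""

    def __init__(self, passwords: list[bytes]):
        self._passwords = list(passwords)

    def next_password(self) -> bytes:
        return self._passwords.pop(0)   # each entry is consumed exactly once

    def left(self) -> int:
        return len(self._passwords)


def login(server: Server, device: Device) -> bool:
    return server.verify(device.next_password())


if __name__ == "__main__":
    pw_list, anchor = enrol(b"constructed seed, not a real secret", 10)
    server, device = Server(anchor, 10), Device(pw_list)
    print(login(server, device), login(server, device))   # True True
```

The point for the slide's "possession gives some degree of authentication": whoever holds the card can log in, so the list is normally combined with a PIN, and the server side must be protected against anyone rewinding the anchor to an earlier value.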

  11. Topics
  • Logical Access Control continued
  • Passive Access Control: Q and A; challenge-response; what the user has; what the user is (biometrics)
  • Active Access Control

  12. What the user is
  • Authenticates identity by validating a physical characteristic of the user
  • The glamour end of authentication
  • The number of unique features humans have is surprising
  • On the verge of systems that are sufficiently cheap to be cost effective for a large number of users
  • Problem: unlike a password, a compromised biometric cannot be replaced; the specific problems (key decay, faking, theft of the digital version) are on slide 21

  13. What the user is
  • Physical Biometrics:
  • Bertillonage - measuring body lengths (no longer used)
  • Fingerprint - analysing fingertip patterns
  • Facial Recognition - measuring facial characteristics, http://www.face-rec.org/
  • Hand Geometry - measuring the shape of the hand, http://biometrics.cse.msu.edu/hand_geometry.html

  14. What the user is
  • Physical Biometrics:
  • Iris Scan - analysing features of the coloured ring of the eye, http://www.iridiantech.com/
  • Retinal Scan - analysing blood vessels in the eye
  • Vascular Patterns - analysing vein patterns, http://www.dex.co.za/security-solutions/DexID-Vascular-Pattern-Biometric-Identification.htm
  • DNA - analysing genetic makeup

  15. What the user is
  • Behavioural Biometrics:
  • Speaker Recognition - analysing vocal behaviour
  • Signature - analysing signature dynamics, http://consumerschoicepos.com/hhp_transaction_team_1500.html
  • Keystroke - measuring the time spacing of typed words
  • Other Biometrics:
  • Smart Cards - combining biometrics with identification cards

  16. What the user is - Biometrics
  • Biometrics may be unique, BUT they are NOT secret!

  17. What the user is - Biometrics
  • The idea is that a physical characteristic is presented to a device that measures its identifying features
  • Still passive: the user is presenting evidence to authenticate a claimed identity
  • Used in conjunction with what the user has or knows

  18. What the user is - Biometrics
  • Faking fingerprints: the famous gummy finger experiments, http://cryptome.org/gummy.htm
  • Voice verification: consistency is the problem, a cold changes the voice ("hab you gotch er cold?")
  • Hand geometry: used in passport control

  19. What the user is - Biometrics
  • Fingerprint templates [figure: fingerprint image (left) and the features extracted from it (right)]

  20. Something the user can do
  • A pattern of system use can also be detected and used as authentication
  • I never use vi with intent, so a Unix user using vi and pretending to be me is highly suspicious
  • Keyboard use can also be used: speed of typing; time interval between certain letters; spelling

  21. What the user is - problems
  • Key decay: the more you use the same piece of authentication data, the harder it is to protect it
  • Faked: as biometric data is not secret it is possible to create fakes (false fingerprints, altered face dimensions, masks)
  • Stolen as a digital version: all biometrics are reduced to a digital data structure or template that captures the essential unique characteristics, and this digital version is open to all the standard attacks when stored

  22. Topics
  • Logical Access Control continued
  • Passive Access Control: Q and A; challenge-response; what the user has; what the user is (biometrics)
  • Active Access Control

  23. Active Access Control
  • The user does not initiate identification and authentication
  • The computer detects the user's presence and works out the identity from characteristics it can monitor
  • Sensors detect features and the system searches a database for a match: one to many
  • Identifies and verifies at the same time

  24. Active Access Control
  • Need a method for encoding the unique features: facial characteristics from video; fingerprints (the person has to present them); hand geometry (needs the hand)
  • Need fast search algorithms to select the best match
  • Match the identity and accept it as authenticated

  25. Active Access Control
  • Active, one to many: work out and encode selected features of the individual; search the whole database for a match; identify the individual; this can be sufficient authentication, or the system can ask for confirmation
  • Passive, one to one: encode the offered authentication data; check it for a match against the information stored for the claimed identity; confirm the identity
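Added example (not from the slides) covering slide 20 (keyboard use as authentication) and slides 23 to 25 (passive one-to-one versus active one-to-many): the biometric is the keystroke timing between letters, the template is a per-interval mean and standard deviation, and the same scoring function is used either to check one claimed identity or to search every template for the closest match. The feature choice, scoring rule and threshold are assumptions of this example, and the enrolment data is constructed, not measured.

```python
import statistics

# Constructed enrolment data (not real measurements): for each user, five samples
# of the digraph latencies in milliseconds when typing the word "secure", i.e.
# the gaps between successive key presses s-e, e-c, c-u, u-r, r-e.
ENROLMENT = {
    "alice": [[120, 95, 140, 110, 100], [125, 90, 150, 105, 98], [118, 97, 138, 112, 103],
              [122, 93, 145, 108, 99], [121, 96, 142, 109, 101]],
    "bob":   [[200, 180, 210, 190, 185], [205, 176, 215, 188, 182], [198, 183, 208, 193, 187],
              [202, 179, 212, 189, 184], [201, 181, 209, 191, 186]],
    "carol": [[80, 70, 85, 75, 72], [84, 68, 88, 73, 70], [79, 72, 83, 77, 74],
              [82, 69, 86, 74, 71], [81, 71, 84, 76, 73]],
}


def make_template(samples):
    """The stored 'digital version' of the biometric: per-digraph mean and
    standard deviation. A floor of 1 ms on the deviation stops a very
    consistent typist from producing a template that nothing can ever match."""
    return [(statistics.mean(col), max(statistics.pstdev(col), 1.0))
            for col in zip(*samples)]


def enrol_all(enrolment):
    return {who: make_template(samples) for who, samples in enrolment.items()}


def score(template, sample):
    """Mean absolute z-score of the sample against the template; 0 is a perfect
    match of the averages, larger means less alike."""
    return sum(abs(x - mean) / sd for x, (mean, sd) in zip(sample, template)) / len(template)


def verify(templates, claimed_identity, sample, threshold=2.0):
    """Passive, one-to-one: the user claims an identity and the system checks the
    sample against that single template."""
    template = templates.get(claimed_identity)
    return template is not None and score(template, sample) <= threshold


def identify(templates, sample, threshold=2.0):
    """Active, one-to-many: search every template for the best match and accept it
    only if it is within the threshold; otherwise the person is unknown."""
    best = min(templates, key=lambda who: score(templates[who], sample))
    return best if score(templates[best], sample) <= threshold else None


if __name__ == "__main__":
    templates = enrol_all(ENROLMENT)
    print(verify(templates, "alice", [123, 94, 141, 111, 100]))   # True
    print(identify(templates, [199, 181, 211, 190, 185]))         # bob
```

The threshold is the false-accept / false-reject dial: lowering it rejects more genuine users, raising it admits more impostors, and in the one-to-many case the chance of an impostor landing within the threshold of somebody grows with the size of the database, which is why slide 25 allows the active system to ask for confirmation. The templates dictionary is exactly the stored digital version that slide 21 warns about; in this example it sits unprotected in memory.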

  26. Summary
  • Most PASSIVE logical access control systems use a combination of what the user knows, has, is and can do
  • The user submits an identity and the system tries to authenticate it

  27. Summary
  • Successful ACTIVE systems involve the user wearing a badge that emits signals the system can detect and interpret
  • This relies on an honour system: people must wear the correct badge
  • Identification from a video image soon?
  • Should not involve any user actions

  28. Summary
  • Access control can be found as a barrier to:
  • access to a physical space (layered approach, and after-hours access)
  • access to a particular device (layered approach)
  • access to an operating system, the last barrier once physical access control has finally been circumvented

  29. Summary
  • Logical Access Control is implemented as the front end to all computer systems
  • Need to be sure that the authenticating data is not captured as it travels to the code that processes it
  • Mostly done via passwords, i.e. what the user knows
  • Biometric authentication is just becoming widespread
  • Authentication of the actual computer user is the largest unsolved problem in computer security
