User Authentication

Overview: Means of Authentication (something the individual knows, possesses, is, or does)
Means of Authentication
• Something the individual:
  • Knows: password, PIN, answer to questions
  • Possesses: keycards, smart cards, physical keys
  • Is (static biometric): fingerprints, retina (iris), face
  • Does (dynamic biometrics): voice, handwriting, typing rhythm
Password
• 'Normal' (unhashed) password
• Hashed password
• Using salt
• Shadow password file
• Token-based password
  • Often combined with cards / PINs etc.
Some Password Attacks
• Offline dictionary attack
  • Distributed password cracking, Ophcrack
  • Needs the password file (countermeasure: access control on the file)
• Specific account attack
  • Needs a user ID (countermeasure: limit on the number of trials)
• Popular password attack
  • Needs user ID(s) (countermeasure: non-trivial passwords)
• Password guessing against one user
  • Needs knowledge of the user (countermeasure: non-trivial passwords)
• Computer hijacking
  • Needs physical access to a foreign computer (countermeasure: timeout lockout)
• Exploiting user mistakes
  • Needs user mistakes like passwords on 'Post-its'
Control passwords
• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking
  • Size, characters, dictionary
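As an added example (not part of the slides), a proactive password check of the kind listed above (size, character classes, dictionary) together with the salted, iterated hashing and verification from the previous slide; the dictionary is a constructed toy word list and the 12-character minimum is an assumed policy value:

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed toy dictionary; a real checker loads a large word list.
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "admin"}
MIN_LEN = 12  # assumed policy value


def proactive_check(password: str) -> List[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    # Dictionary check also catches trivial variants (case, trailing digits).
    base = re.sub(r"\d+$", "", password.lower())
    if password.lower() in DICTIONARY or base in DICTIONARY:
        problems.append("dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); returns (salt, digest).

    A fresh random salt per user means two users with the same password
    get different digests, which defeats precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```

The (salt, digest) pair is what would be stored in the shadow file; the plaintext is never written anywhere.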
Biometrics
• Problems faced
  • Positive, negative
  • False positive, false negative
Access Control Policies
• Discretionary Access Control (DAC)
  • User <-> resource (Linux/Unix)
• Mandatory Access Control (MAC)
  • User level <-> resource level (military)
• Role-Based Access Control (RBAC)
  • User's role <-> resource (Windows)
Windows Active Directory
• The Windows X.500 (directory service)
• Same information structures as DNS
  • E.g. tree – laerer.rhs.dk
• Integrated with Windows domain concepts
  • Primary domain server, backup domain servers
  • Domain = tree of information
  • Several domains = forest
• Activating: normally part of installation
  • When installing Windows Server you are asked to install a domain (i.e. also define the SoA of DNS (= tree root))
Example: Figure 1.10, Distinguished Name for the User Object JSmith
Users and groups (for RBAC)
• Users are created – lots of attributes / information can be added
• Create groups – fewer attributes
  • Mostly members etc.
• Consider the type of group
  • Universal group – logical (spanning the forest)
  • Global group – logical (spanning one domain)
  • Domain local group (for physical access control)