Authentication and access control overview - PowerPoint PPT Presentation

About This Presentation

Title:

Authentication and access control overview

Description:

Default rule deny/allow takes precedence. Ordered rules policy author sets order ... Specificity most/least specific takes precedence ... – PowerPoint PPT presentation

Number of Views:34

Avg rating:3.0/5.0

Slides: 28

Provided by: lorrie2

Learn more at: http://cups.cs.cmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Authentication and access control overview

1
Authentication and access control overview

March 24, 2008

2
Outline

Definitions
Authentication
Factors
Evaluation
Examples
Access control
Case study Convenient SecureID
Case study Website mutual authentication

3
Definitions

Identification - a claim about identity
Who or what I am (global or local)
Authentication - confirming that claims are true
I am who I say I am
I have a valid credential
Authorization - granting permission based on a
valid claim
Now that I have been validated, I am allowed to
access certain resources or take certain actions
Access control system - a system that
authenticates users and gives them access to
resources based on their authorizations
Includes or relies upon an authentication
mechanism
May include the ability to grant course or
fine-grained authorizations, revoke or delegate
authorizations

4
Building blocks of authentication

Factors
Something you know (or recognize)
Something you have
Something you are
Two factors are better than one
Especially two factors from different categories
What are some examples of each of these factors?
What are some examples of two-factor
authentication?

5
Authentication mechanisms

Text-based passwords
Graphical passwords
Hardware tokens
Public key crypto protocols
Biometrics

6
Evaluation

Accessibility
Memorability
Security
Cost
Environmental considerations

7
Typical password advice
8
Typical password advice

Pick a hard to guess password
Dont use it anywhere else
Change it often
Dont write it down
So what do you do when every web site you visit
asks for a password?

9
Bank b3aYZ Amazon aa66x! Phonebill
p2ta1
10
(No Transcript)
11
Problems with Passwords

Selection
Difficult to think of a good password
Passwords people think of first are easy to guess
Memorability
Easy to forget passwords that arent frequently
used
Difficult to remember secure passwords with a
mix of upper lower case letters, numbers, and
special characters
Reuse
Too many passwords to remember
A previously used password is memorable
Sharing
Often unintentional through reuse
Systems arent designed to support the way people
work together and share information

12
Mnemonic Passwords
Four
F
Four
score
s
and
a
and
years
y
,
,
seven
s
seven
ago
a
our
o
Fathers
F
First letter of each word (with punctuation)
4sasya,oF
4sa7ya,oF
4s7ya,oF
Source Cynthia Kuo, SOUPS 2006
13
The Promise?

Phrases help users incorporate different
character classes in passwords
Easier to think of character-for-word
substitutions
Virtually infinite number of phrases
Dictionaries do not contain mnemonics

Source Cynthia Kuo, SOUPS 2006
14
The Problem?

Goodness of mnemonic passwords unknown
Yan et al. compared regular, mnemonic, and
randomly generated passwords
Used standard (non-mnemonic) dictionary
Effectively evaluated whether mnemonic passwords
contained dictionary words

Source Cynthia Kuo, SOUPS 2006
15
Mnemonic password evaluation

Mnemonic passwords are not a panacea for password
creation
No comprehensive dictionary today
May become more vulnerable in future
Many people start to use them
Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!
C. Kuo, S. Romanosky, and L. Cranor. Human
Selection of Mnemonic Phrase-Based Passwords. In
Proceedings of the 2006 Symposium On Usable
Privacy and Security, 12-14 July 2006,
Pittsburgh, PA.

Source Cynthia Kuo, SOUPS 2006
16
Password keeper software

Run on PC or handheld
Only remember one password

17
Single sign-on

18
Biometrics
19
Graphical passwords
20
Forgotten password mechanism

Email password or magic URL to address on file
Challenge questions
Why not make this the normal way to access
infrequently used sites?

21
Convenient SecureID 1

What problems does this approach solve?
What problems does is create?

Source http//worsethanfailure.com/Articles/Secur
ity_by_Oblivity.aspx
22
Convenient SecureID 2

What problems does this approach solve?
What problems does is create?

Sources http//fob.webhop.net/
23
Browser-based mutual authentication

Chris Drakes Magic Bullet proposal
http//lists.w3.org/Archives/Public/public-usable-
authentication/2007Mar/0004.html
User gets ID, password (or alternative), image,
hotspot at enrollment
Before user is allowed to login they are asked to
confirm URL and SSL cert and click buttons
Then login box appears and user enters username
and password (or alternative)
Server displays set of images, including users
image (or if user entered incorrect password,
random set of images appear)
User finds their image and clicks on hotspot
Image manipulation can help prevent replay
attacks
What problems does this solve?
What problems doesnt it solve?
What kind of testing is needed

24
Types of access control

Discretionary access control
Distributed, dynamic, users set access rules for
resources they own and can delegate access to
others
Role-based access control
Centralized admin assigns users to roles and sets
access rules based on roles
And many others that vary
discretionary/mandatory
centralized/distributed
granularity
grouping

25
Access control usability problems

Admins, large organizations understanding large
access control policies
Someone in marketing changed a policy and now we
cant figure out why people in sales no longer
have access to a document
Who has access to this document anyway?
End users creating and understanding policies
Examples File system permissions, Grey,
Perspective, privacy rules
Home users want to share some files with some
other users, but dont want to share everything

26
Policy conflicts