Authentication and access control overview - PowerPoint PPT Presentation

About This Presentation
Title:

Authentication and access control overview

Description:

... grant course or fine-grained authorizations, revoke or delegate authorizations ... 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA. ... – PowerPoint PPT presentation

Number of Views:27
Avg rating:3.0/5.0
Slides: 25
Provided by: lorrie2
Learn more at: http://cups.cs.cmu.edu
Category:

less

Transcript and Presenter's Notes

Title: Authentication and access control overview


1
Authentication and access control overview
  • March 20, 2007

2
Outline
  • Definitions
  • Authentication
  • Factors
  • Evaluation
  • Examples
  • Focus on password problems and alternatives
  • Access control
  • Case study Convenient SecureID
  • Case study Website mutual authentication

3
Definitions
  • Identification - a claim about identity
  • Who or what I am (global or local)
  • Authentication - confirming that claims are true
  • I am who I say I am
  • I have a valid credential
  • Authorization - granting permission based on a
    valid claim
  • Now that I have been validated, I am allowed to
    access certain resources or take certain actions
  • Access control system - a system that
    authenticates users and gives them access to
    resources based on their authorizations
  • Includes or relies upon an authentication
    mechanism
  • May include the ability to grant course or
    fine-grained authorizations, revoke or delegate
    authorizations

4
Building blocks of authentication
  • Factors
  • Something you know (or recognize)
  • Something you have
  • Something you are
  • Two factors are better than one
  • Especially two factors from different categories
  • What are some examples of each of these factors?
  • What are some examples of two-factor
    authentication?

5
Authentication mechanisms
  • Text-based passwords
  • Graphical passwords
  • Hardware tokens
  • Public key crypto protocols
  • Biometrics

6
Evaluation
  • Accessibility
  • Memorability
  • Security
  • Cost
  • Environmental considerations

7
Typical password advice
8
Typical password advice
  • Pick a hard to guess password
  • Dont use it anywhere else
  • Change it often
  • Dont write it down
  • So what do you do when every web site you visit
    asks for a password?

9
Bank b3aYZ Amazon aa66x! Phonebill
p2ta1
10
(No Transcript)
11
Problems with Passwords
  • Selection
  • Difficult to think of a good password
  • Passwords people think of first are easy to guess
  • Memorability
  • Easy to forget passwords that arent frequently
    used
  • Difficult to remember secure passwords with a
    mix of upper lower case letters, numbers, and
    special characters
  • Reuse
  • Too many passwords to remember
  • A previously used password is memorable
  • Sharing
  • Often unintentional through reuse
  • Systems arent designed to support the way people
    work together and share information

12
Mnemonic Passwords
Four
F
Four
score
s
and
a
and
years
y
,
,
seven
s
seven
ago
a
our
o
Fathers
F
First letter of each word (with punctuation)
4sasya,oF
4sa7ya,oF
4s7ya,oF
Source Cynthia Kuo, SOUPS 2006
13
The Promise?
  • Phrases help users incorporate different
    character classes in passwords
  • Easier to think of character-for-word
    substitutions
  • Virtually infinite number of phrases
  • Dictionaries do not contain mnemonics

Source Cynthia Kuo, SOUPS 2006
14
The Problem?
  • Goodness of mnemonic passwords unknown
  • Yan et al. compared regular, mnemonic, and
    randomly generated passwords
  • Used standard (non-mnemonic) dictionary
  • Effectively evaluated whether mnemonic passwords
    contained dictionary words

Source Cynthia Kuo, SOUPS 2006
15
Mnemonic password evaluation
  • Mnemonic passwords are not a panacea for password
    creation
  • No comprehensive dictionary today
  • May become more vulnerable in future
  • Many people start to use them
  • Attackers incentivized to build dictionaries
  • Publicly available phrases should be avoided!
  • C. Kuo, S. Romanosky, and L. Cranor. Human
    Selection of Mnemonic Phrase-Based Passwords. In
    Proceedings of the 2006 Symposium On Usable
    Privacy and Security, 12-14 July 2006,
    Pittsburgh, PA.

Source Cynthia Kuo, SOUPS 2006
16
Password keeper software
  • Run on PC or handheld
  • Only remember one password

17
Single sign-on
  • Login once to get access to all your passwords

18
Biometrics
19
Graphical passwords
20
Forgotten password mechanism
  • Email password or magic URL to address on file
  • Challenge questions
  • Why not make this the normal way to access
    infrequently used sites?

21
Types of access control
  • Discretionary access control
  • Distributed, dynamic, users set access rules for
    resources they own and can delegate access to
    others
  • Role-based access control
  • Centralized admin assigns users to roles and sets
    access rules based on roles
  • And many others that vary discretionary/mandatory,
    centralized/distributed, granularity, grouping

22
Access control usability problems
  • Admins, large organizations understanding large
    access control policies
  • Someone in marketing changed a policy and now we
    cant figure out why people in sales no longer
    have access to a document
  • Who has access to this document anyway?
  • End users creating and understanding policies
  • Examples File system permissions, Grey,
    Perspective, privacy rules
  • Home users want to share some files with some
    other users, but dont want to share everything

23
Convenient SecureID
  • What problems do these approaches solve?
  • What problems do they create?

Sources http//worsethanfailure.com/Articles/Secu
rity_by_Oblivity.aspx http//fob.webhop.net/
24
Browser-based mutual authentication
  • Chris Drakes Magic Bullet proposal
  • http//lists.w3.org/Archives/Public/public-usable-
    authentication/2007Mar/0004.html
  • User gets ID, password (or alternative), image,
    hotspot at enrollment
  • Before user is allowed to login they are asked to
    confirm URL and SSL cert and click buttons
  • Then login box appears and user enters username
    and password (or alternative)
  • Server displays set of images, including users
    image (or if user entered incorrect password,
    random set of images appear)
  • User finds their image and clicks on hotspot
  • Image manipulation can help prevent replay
    attacks
  • What problems does this solve?
  • What problems doesnt it solve?
  • What kind of testing is needed
Write a Comment
User Comments (0)
About PowerShow.com