user authentication

Post on 19-Feb-2016


User Authentication

Overview

Means of Authentication

• Something the individual:
  • Knows: password, PIN, answer to questions
  • Possesses: keycards, smart cards, physical keys
  • Is (static biometric): fingerprints, retina/iris, face
  • Does (dynamic biometric): voice, handwriting, typing rhythm

Password

• ‘Normal’: hashed password
  • Using salt (a per-entry random value hashed together with the password)
  • Shadow password file (hashes readable only by root; the world-readable /etc/passwd carries none)
• Token based password
  • Often combined with cards / PINs etc.

Hashed password

Password using salt
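The three storage variants on these slides (plain hash, salted and stretched hash, shadow-style entry) side by side, as an added example that is not part of the original slide deck. The user names, passwords and the `salt$iterations$digest` field layout are assumptions made for the demo; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever KDF the system actually uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 iteration count; deliberately modest so the demo runs quickly.
ITERATIONS = 50_000


def hash_unsalted(password: str) -> str:
    """The plain 'hashed password' scheme: store H(password).

    Every user with the same password gets the same digest, so one
    precomputed table (or one cracked hash) covers all of them.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted and stretched: store salt$iterations$digest in one field
    (assumed layout). The salt is not secret; it only has to be unique
    per entry, which makes identical passwords hash differently and
    forces an attacker to redo the whole dictionary for every user.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the comparison itself leaks no timing information."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def shadow_entry(username: str, password: str) -> str:
    """One line of a shadow-style file (user:salted-hash). The point of the
    shadow file is that it is readable only by root, while the world-readable
    password file no longer carries any hash at all."""
    return f"{username}:{hash_salted(password)}"


if __name__ == "__main__":
    # Constructed demo users, not real credentials.
    print("unsalted, same password:",
          hash_unsalted("winter2016") == hash_unsalted("winter2016"))   # True
    a, b = hash_salted("winter2016"), hash_salted("winter2016")
    print("salted, same password:  ", a == b)                            # False
    print("verify right/wrong:     ",
          verify_salted("winter2016", a), verify_salted("Winter2016", a))
    print(shadow_entry("jsmith", "winter2016"))
```

The iteration count is stored next to the hash on purpose: it lets an administrator raise the work factor later and re-hash entries at the user's next login without breaking verification of the old ones.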

Some Password Attacks (<> marks the countermeasure)

• Offline dictionary attack
  • Distributed password cracking, rainbow tables (e.g. Ophcrack for Windows LM/NTLM hashes)
  • Need the password file (<> access control on the file; salting makes precomputed tables useless)
• Specific account attack
  • Many guesses against one known user ID (<> limit on the number of trials, account lockout)
• Popular password attack
  • One popular password tried against many user IDs (<> disallow trivial passwords)
• Password guessing against one user
  • Need knowledge of the user, e.g. names, birthdays (<> disallow trivial passwords)
• Computer (workstation) hijacking
  • Need physical access to an unattended, logged-in computer (<> inactivity timeout with automatic lock)
• Exploiting user mistakes
  • Need user mistakes such as a password written on a Post-it note or shared with others
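The first three attacks above, simulated against constructed data, as an added example that is not part of the original slide deck. It shows why the countermeasure differs per attack: a leaked unsalted file is cracked with one pass over the wordlist, a salted file costs one pass per user, a per-account lockout stops vertical guessing against one account but does nothing against one popular password sprayed across many accounts. The wordlist, the leaked files, the toy `sha256(salt || password)` hash and the `LoginService` lockout policy are all assumptions made for the demo.

```python
import hashlib

# Constructed wordlist and leaked password files; not real data.
WORDLIST = ["123456", "password", "winter2016", "letmein", "qwerty", "dragon"]


def h(password: str, salt: bytes = b"") -> str:
    """Toy hash: sha256(salt || password). Fast on purpose, to make the
    counting argument visible; a real store would also use a slow KDF."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Unsalted file: user -> H(password)
LEAK_UNSALTED = {
    "alice": h("winter2016"),
    "bob": h("winter2016"),
    "carol": h("letmein"),
    "dave": h("Tr0ub4dor&3"),
}
# Salted file: user -> (salt, H(salt || password))
LEAK_SALTED = {
    "alice": (b"\x01\x02", h("winter2016", b"\x01\x02")),
    "bob": (b"\x03\x04", h("winter2016", b"\x03\x04")),
    "carol": (b"\x05\x06", h("letmein", b"\x05\x06")),
    "dave": (b"\x07\x08", h("Tr0ub4dor&3", b"\x07\x08")),
}


def crack_unsalted(leak, wordlist):
    """Hash the wordlist once, then look every stored digest up in the table:
    |wordlist| hash operations however many users leaked, and users who share
    a password fall together. Returns (cracked, hash operations)."""
    table = {h(w): w for w in wordlist}
    found = {user: table[d] for user, d in leak.items() if d in table}
    return found, len(wordlist)


def crack_salted(leak, wordlist):
    """With a per-user salt the table cannot be shared: the wordlist is
    rehashed for every user, |wordlist| * |users| operations at worst."""
    found, work = {}, 0
    for user, (salt, digest) in leak.items():
        for w in wordlist:
            work += 1
            if h(w, salt) == digest:
                found[user] = w
                break
    return found, work


class LoginService:
    """Online target with a per-account lockout after MAX_TRIALS failures
    (the '# trials' countermeasure on the slide)."""

    MAX_TRIALS = 3

    def __init__(self, store):
        self.store = store
        self.failures = {u: 0 for u in store}

    def login(self, user: str, password: str) -> str:
        if self.failures[user] >= self.MAX_TRIALS:
            return "locked"
        salt, digest = self.store[user]
        if h(password, salt) == digest:
            return "ok"
        self.failures[user] += 1
        return "fail"


def specific_account_attack(svc, user, wordlist):
    """Vertical guessing: many passwords against one account. The lockout
    stops it after MAX_TRIALS guesses, whatever the wordlist contains."""
    return [svc.login(user, w) for w in wordlist]


def popular_password_attack(svc, users, password):
    """Horizontal guessing: one popular password against every account. Each
    account sees a single failure, so per-account lockout never fires; only a
    ban on trivial passwords (or cross-account monitoring) stops this."""
    return {u for u in users if svc.login(u, password) == "ok"}
```

Run `crack_unsalted` and `crack_salted` on the two leaked files and compare the second element of each result: the salted file recovers the same three weak passwords but costs 16 hash operations instead of 6, and the gap grows linearly with the number of leaked users.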

Password choices

Control passwords

• User education
• Computer generated passwords
• Reactive password checking (the administrator periodically cracks the own password file and forces changes)
• Proactive password checking (a weak choice is rejected at the moment the user sets it)
  • Size, characters, dictionary
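A proactive checker that applies the three rules named on the slide (size, character classes, dictionary) plus the obvious check against the user name, as an added example that is not part of the original slide deck. The thresholds, the tiny dictionary, the substitution table used to undo `@`/`0`/`$` style spelling and the "dictionary word plus a short suffix" rule are assumptions made for the demo.

```python
import re

# Constructed mini dictionary; a real checker loads a large wordlist.
DICTIONARY = {"password", "winter", "qwerty", "letmein", "dragon", "monkey", "football"}

# Undo the most common letter substitutions before the dictionary lookup
# (assumed table: 4/@ -> a, $/5 -> s, 0 -> o, 3 -> e).
LEET = str.maketrans("4@$503", "aassoe")

CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(candidate: str, username: str,
                   min_len: int = 10, min_classes: int = 3) -> list:
    """Return the reasons the candidate is rejected; an empty list means accepted."""
    problems = []

    # Size
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Characters: count how many of the four classes are present
    classes = sum(bool(re.search(p, candidate)) for p in CLASSES)
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")

    # Dictionary: lower-case, undo substitutions, then reject a dictionary
    # word followed by at most three extra characters ('password1!' etc.)
    normalized = candidate.lower().translate(LEET)
    for word in sorted(DICTIONARY):
        if normalized.startswith(word) and len(normalized) - len(word) <= 3:
            problems.append(f"dictionary word '{word}' plus a short suffix")
            break

    # User name anywhere in the (normalized) password
    if username and username.lower() in normalized:
        problems.append("contains the user name")

    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "alice2016", "Dr4g0n!!", "xK9#mQ2vLp7!"):
        print(pw, "->", check_password(pw, "alice") or "accepted")
```

The substitution step matters more than the other rules: a checker that only counts character classes accepts `P@ssw0rd1!` with full marks, while this one rejects it as the dictionary word it really is.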

Biometrics

• Faced problems
  – Positive (match), negative (no match)
  – False positive (impostor accepted, a false match), false negative (legitimate user rejected, a false non-match)
  – The match threshold trades one against the other: lowering it turns false negatives into false positives
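How the two error rates depend on the match threshold, worked through on constructed matcher scores, as an added example that is not part of the original slide deck. The score lists and the accept-if-score-is-at-least-threshold rule are assumptions; a real system would have thousands of scores from an enrolment trial.

```python
# Constructed matcher scores in [0, 1]; higher means 'looks more like the
# enrolled template'. GENUINE are the legitimate user's attempts, IMPOSTOR
# are other people's attempts against the same template.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.62, 0.55, 0.48]
IMPOSTOR = [0.10, 0.22, 0.31, 0.35, 0.42, 0.50, 0.58, 0.63, 0.66, 0.71]


def rates(genuine, impostor, threshold):
    """Accept when score >= threshold.
    false positive (false match):     impostor accepted
    false negative (false non-match): genuine user rejected
    Returns (false_positive_rate, false_negative_rate)."""
    fp = sum(s >= threshold for s in impostor) / len(impostor)
    fn = sum(s < threshold for s in genuine) / len(genuine)
    return fp, fn


def threshold_sweep(genuine, impostor):
    """(threshold, fp rate, fn rate) at every score that occurs, i.e. the
    whole trade-off curve the operator has to choose a point on."""
    return [(t, *rates(genuine, impostor, t))
            for t in sorted(set(genuine) | set(impostor))]


def equal_error_threshold(genuine, impostor):
    """The threshold where the two error rates are closest (the EER point),
    a common single-number summary of a biometric matcher."""
    return min(threshold_sweep(genuine, impostor), key=lambda r: abs(r[1] - r[2]))


if __name__ == "__main__":
    for t, fp, fn in threshold_sweep(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}: false positive {fp:.1f}, false negative {fn:.1f}")
    print("equal error point:", equal_error_threshold(GENUINE, IMPOSTOR))
```

Which point to pick is a policy decision, not a technical one: a door to a server room wants the threshold high (few false positives, more annoyed staff), a phone unlock wants it low (few false negatives, more risk from a stranger).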

Access control

Access Control Policies

• Discretionary Access Control (DAC)
  • User <-> resource; the owner of a resource decides who may access it (Linux/Unix file permissions)
• Mandatory Access Control (MAC)
  • User level <-> resource level; the labels are fixed by the system, not by the owner (military)
• Role-Based Access Control (RBAC)
  • User's role <-> resource (Windows groups)

DAC

Example Unix classic
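The classic Unix DAC decision written out as code, as an added example that is not part of the original slide deck. The file table and the user identities are constructed; the check itself follows the POSIX rule that exactly one class (owner, group, other) is selected by identity and only that class's bits count, plus the Linux behaviour that root bypasses read/write checks but needs at least one execute bit to execute.

```python
R, W, X = 4, 2, 1  # permission bits within one class


def parse_mode(text: str) -> int:
    """'rw-r-----' (as printed by ls -l, without the type character) -> 0o640."""
    assert len(text) == 9
    mode = 0
    for ch in text:
        mode = (mode << 1) | (ch != "-")
    return mode


def unix_access(uid: int, gids: set, owner_uid: int, owner_gid: int,
                mode: int, want: int) -> bool:
    """Classic Unix DAC check.

    One class is selected by identity, tested in the order owner, group,
    other, and only that class's bits are consulted: an owner denied by
    the owner bits does not fall through to more permissive group/other
    bits. Root (uid 0) bypasses read/write but may execute only if some
    execute bit is set (Linux CAP_DAC_OVERRIDE behaviour).
    """
    if uid == 0:
        return not (want & X) or bool(mode & 0o111)
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


# Constructed identities: name -> (uid, set of gids)
USERS = {
    "root": (0, {0}),
    "alice": (1001, {1001, 100}),
    "bob": (1002, {1002, 100}),
    "eve": (1003, {1003}),
}

# Constructed file table: path -> (owner uid, owner gid, mode)
FILES = {
    "/etc/shadow": (0, 42, parse_mode("rw-r-----")),
    "/home/alice/notes": (1001, 100, parse_mode("rw-rw-r--")),
    "/srv/grouponly": (1001, 100, parse_mode("---rwx---")),
}


def can(user: str, path: str, want: int) -> bool:
    uid, gids = USERS[user]
    owner_uid, owner_gid, mode = FILES[path]
    return unix_access(uid, gids, owner_uid, owner_gid, mode, want)


if __name__ == "__main__":
    print("eve reads /etc/shadow:      ", can("eve", "/etc/shadow", R))
    print("bob writes alice's notes:   ", can("bob", "/home/alice/notes", W))
    print("alice reads /srv/grouponly: ", can("alice", "/srv/grouponly", R))
    print("bob reads /srv/grouponly:   ", can("bob", "/srv/grouponly", R))
```

The `/srv/grouponly` case is the one worth remembering: its owner alice is in the group that has full access, yet she is denied, because the owner class was selected first and `---` is all it says.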

RBAC

RBAC cont

Windows Active Directory

• The Windows X.500-style directory service (accessed over LDAP)
  • Same naming structure as DNS
  • E.g. tree – laerer.rhs.dk
• Integrated with Windows domain concepts
  • Primary domain controller, backup domain controllers (NT4 terms; AD domain controllers replicate multi-master)
• Domain = tree of information
  • Domains sharing a contiguous DNS namespace form a tree; one or more trees = forest
• Activating: normally part of installation
  • When installing Windows Server you are asked whether to create a domain
    (i.e. also define the DNS zone, with its Start of Authority (SoA) record, whose name is the tree root)

Example

Figure 1.10 Distinguished Name for the User Object JSmith

 Note

Users and groups (for RBAC)

• Users are created – lots of attributes / information can be added
• Create groups – fewer attributes, mostly the member list etc.
  • Consider the type (scope) of group
    – Universal group – logical (spanning the forest)
    – Global group – logical (spanning one domain; may only contain accounts and global groups from that domain)
    – Domain Local group – carries the actual permissions on resources in its own domain (may contain users and groups from any domain)
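One model that serves both the RBAC slides above and this group-scope slide, as an added example that is not part of the original slide deck: users are placed in global groups, global groups are nested into a domain local group, and only the domain local group is granted permissions on the resource (the usual "accounts, global, domain local, permissions" pattern). The directory contents, the resource name and the membership rules encoded in `add_member` and `grant` are assumptions; the rules are a simplification of native-mode Active Directory scope rules as I understand them, not something the slides state.

```python
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    domain: str


@dataclass
class Group(Principal):
    scope: str = "global"             # "global" | "domain_local" | "universal"
    members: set = field(default_factory=set)


class Directory:
    def __init__(self):
        self.principals = {}          # name -> Principal (user or group)
        self.acls = {}                # resource -> {group name: set of permissions}

    def add(self, p: Principal) -> Principal:
        self.principals[p.name] = p
        return p

    def add_member(self, group_name: str, member_name: str) -> None:
        """Assumed (simplified) AD scope rules:
          global:       only users and global groups from the group's own domain
          domain local: users and global/universal groups from any domain,
                        domain local groups from its own domain
          universal:    users and global/universal groups from any domain
        """
        g, m = self.principals[group_name], self.principals[member_name]
        m_scope = getattr(m, "scope", "user")
        if g.scope == "global" and (m.domain != g.domain or m_scope not in ("user", "global")):
            raise ValueError(f"{member_name} cannot be a member of global group {group_name}")
        if m_scope == "domain_local" and (g.scope != "domain_local" or g.domain != m.domain):
            raise ValueError(f"domain local group {member_name} cannot be nested into {group_name}")
        g.members.add(member_name)

    def grant(self, resource: str, resource_domain: str, group_name: str, perms) -> None:
        """Domain local groups may only be granted permissions on resources
        in their own domain; that is what makes them the right place for ACLs."""
        g = self.principals[group_name]
        if g.scope == "domain_local" and g.domain != resource_domain:
            raise ValueError(f"{group_name} is local to {g.domain}, not usable in {resource_domain}")
        self.acls.setdefault(resource, {})[group_name] = set(perms)

    def groups_of(self, user_name: str) -> set:
        """Transitive membership: every group the user is in, directly or via nesting."""
        result, stack = set(), [user_name]
        while stack:
            current = stack.pop()
            for name, p in self.principals.items():
                if isinstance(p, Group) and current in p.members and name not in result:
                    result.add(name)
                    stack.append(name)
        return result

    def effective(self, user_name: str, resource: str) -> set:
        """Union of the permissions of every group on the resource ACL the user belongs to."""
        groups = self.groups_of(user_name)
        perms = set()
        for g, p in self.acls.get(resource, {}).items():
            if g in groups:
                perms |= p
        return perms


def build_example() -> Directory:
    """Constructed two-domain forest (rhs.dk with child laerer.rhs.dk)."""
    d = Directory()
    d.add(Principal("jsmith", "laerer.rhs.dk"))
    d.add(Principal("kjones", "rhs.dk"))
    d.add(Group("Teachers", "laerer.rhs.dk", "global"))
    d.add(Group("Grades-RW", "rhs.dk", "domain_local"))
    d.add_member("Teachers", "jsmith")           # account -> global group
    d.add_member("Grades-RW", "Teachers")        # global group from another domain -> domain local
    d.grant(r"\\fs1\grades", "rhs.dk", "Grades-RW", {"read", "write"})
    return d


if __name__ == "__main__":
    d = build_example()
    print("jsmith:", d.effective("jsmith", r"\\fs1\grades"))   # {'read', 'write'}
    print("kjones:", d.effective("kjones", r"\\fs1\grades"))   # set()
```

Granting the share to `Teachers` directly would also work today; the reason for the domain local layer is that the next global group (say, a school administrators' group from another domain) can be added to `Grades-RW` without touching the share's ACL at all.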

User create

Different groups

New user - passwords

Access rights
