User Authentication
Overview
Means of Authentication
• Something the individual:
  • Knows
    • Password, PIN, answer to questions
  • Possesses
    • Keycards, smart cards, physical keys
  • Is (static biometric)
    • Fingerprints, retina (iris), face
  • Does (dynamic biometric)
    • Voice, handwriting, typing rhythm
Password
• 'Normal'
  • Hashed password
  • Using salt
  • Shadow password file
• Token based password
  • Often combined with cards / PINs etc.
Hashed password
Password using salt
Some Password Attacks
• Offline dictionary attack
  • Distributed password cracking, OPHcrack
  • Need the password file (countermeasure: access control on the file)
• Specific account attack
  • Need a user ID (countermeasure: limit the number of trials)
• Popular password attack
  • Need user ID(s) (countermeasure: non-trivial passwords)
• Password guessing against one user
  • Need knowledge of the user (countermeasure: non-trivial passwords)
• Computer hijacking
  • Need physical access to a foreign computer (countermeasure: timeout lockout)
• Exploiting user mistakes
  • Need user mistakes, like passwords written on 'Post-its'
Password choices
Control passwords
• User education
• Computer generated
• Reactive password checking
• Proactive password checking
  • Size, characters, dictionary
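As an added example (not from the slides), the following Python puts the "Hashed password" / "Using salt" slides and the proactive checker side by side: an unsalted hash, a salted PBKDF2 record of the kind a shadow-style file would hold, constant-time verification, and a size/character-class/dictionary check. COMMON_PASSWORDS is a constructed sample list standing in for a real dictionary.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample standing in for the "dictionary" used by a proactive checker.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def hash_password_unsalted(password: str) -> str:
    """The plain 'hashed password' style: identical passwords give identical
    hashes, so one precomputed table covers every account in the file."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 200_000) -> dict:
    """The 'using salt' style: random per-user salt plus a slow KDF
    (PBKDF2-HMAC-SHA256). This record, not the password, is what gets stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def proactive_check(password: str, min_len: int = 12) -> list:
    """Proactive checking when a password is set: size, character classes,
    dictionary. Returns the list of reasons for rejection (empty = accepted)."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        reasons.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("dictionary word")
    return reasons
```

Two users with the same password get different salted records, which is exactly what defeats a single precomputed table against the whole file.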
Biometrics
• Faced problems
  – Positive, negative
  – False positive, false negative
Access control
Access Control Policies
• Discretionary Access Control (DAC)
  • User <-> resource (Linux/Unix)
• Mandatory Access Control (MAC)
  • User level <-> resource level (military)
• Role-Based Access Control (RBAC)
  • User's role <-> resource (Windows)
DAC
Example Unix classic
RBAC
RBAC cont
Windows Active Directory
• The Windows X.500 directory service
  • Same information structures as DNS
  • E.g. tree – laerer.rhs.dk
• Integrated with Windows domain concepts
  • Primary domain server, backup domain servers
• Domain = tree of information
  • Several domains = forest
• Activating: normally part of installation
  • When installing Windows Server you are asked to install a domain
    (i.e. also define the SoA of DNS (= tree root))
Example
Figure 1.10 Distinguished Name for the User Object JSmith
Note
Users and groups (for RBAC)
• Users are created – lots of attributes / information can be added
• Create groups – fewer attributes
  • Mostly members etc.
  • Consider type of group
    – Universal group – logical (spanning the forest)
    – Global group – logical (spanning one domain)
    – Domain Local group (for physical access control)
User create
Different groups
New user - passwords
Access rights