Access Control

Our first step in protecting a computing environment or cyberenvironment is to establish methodologies for determining how access may be gained to our environment. We usually divide this concern into two components that we call authentication and authorization.

Our concern in providing authentication is basically to answer the question “Who are you?”; that is, to establish a mechanism for determining whether a party wishing to gain access is allowed to enter the system. The party in question might be either a human or a machine; the authentication process is initiated by that external party, and our system must respond appropriately.

The second aspect of access control is called authorization. Once an external party has been authenticated, the question arises whether that party has the authority to perform certain tasks in this new environment; in other words, the authorization question is “Are you allowed to do that?” Our system must therefore have a methodology for enforcing limits on actions.

Authentication

The process of authentication begins with a request from the external party, followed by a challenge from our system, which usually takes one of three approaches:

Something you know

Something you have

Something you are

Something You Know: Passwords

The something you know is usually thought of as a password. Something you have may be some physical device such as a key, smart card, or some other token. And something you are is usually described as a biometric, in other words, your fingerprints, the image of your face, the scan of your retina, your method of walking or gait, or your DNA, among others.

There is a long history of users creating good or bad passwords, and this has been one of the biggest problems in the world of cybersecurity. The concept is that the user chooses a good password—in other words, one that is hard for an outsider to guess—so that an outsider is foiled from making a successful guess.

Every password system has allowable types of symbols or characters to be typed. Examples are digits {0, 1, 2, ..., 9}, letters of the alphabet (lowercase) {a, b, c, ..., z}, special (typable) symbols {#, $, %, ^, &, ?, !}, or combinations of these. The size of the set that is being used will be designated as c, for the character set.

The second part is how many of these symbols may or must be typed in for a legitimate password. For the moment, consider that this must be a fixed number, n.

It is important, therefore, to know how many possible passwords there can be. Since there are c choices for each entry, and there must be n of them, the total number of potential passwords is c^n.

Example: For many ATM PINs, four digits are required, and there are 10 possible digits. So c = 10, n = 4, and the total number of possible PINs is c^n = 10^4 = 10,000.

Example: In many older password systems, seven characters needed to be entered, each one a lowercase letter. Thus c^n = 26^7 = 8,031,810,176 ≈ 8.03 x 10^9, or just over 8 billion possible passwords.

Let us call this value the “password set,” p = c^n. This value also indicates the size of the challenge facing someone trying to obtain someone else’s password.

Since the system itself will usually instruct a potential user as to the password rules, the hacker trying to determine a user’s password will know c and n and thus can calculate p. So the most obvious hacker’s approach is usually called “brute force”—try all the potential passwords.
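As an added example (not from the chapter), the following Python computes the password set p = c^n for the chapter's own cases and the brute-force attempt counts it implies; it also goes beyond the text to the cases where any length in a range is legal or where at least one symbol from each of several categories is required (inclusion-exclusion). The guess rate is an assumed figure.

```python
# Added example (not from the chapter): the password set p = c^n and the
# brute-force effort it implies, using the chapter's symbols c (size of the
# character set) and n (number of symbols).  The last two set-size functions
# go beyond the text: a range of allowed lengths, and a "one from each
# category" rule.
from itertools import combinations

GUESSES_PER_SECOND = 1e9  # assumed attacker speed, not a figure from the chapter


def password_set_size(c, n):
    """p = c^n: exactly n symbols, each drawn from a c-symbol character set."""
    return c ** n


def size_for_length_range(c, n_min, n_max):
    """If any length from n_min to n_max is legal, the sets for each length add up."""
    return sum(c ** n for n in range(n_min, n_max + 1))


def size_with_required_categories(category_sizes, n):
    """Length-n strings over the union of the categories that contain at least
    one symbol from EVERY category.  Inclusion-exclusion: start from all
    strings, subtract those avoiding one category, add back those avoiding
    two, and so on."""
    k = len(category_sizes)
    total = 0
    for omitted in range(k + 1):
        sign = -1 if omitted % 2 else 1
        for subset in combinations(range(k), omitted):
            remaining = sum(s for i, s in enumerate(category_sizes) if i not in subset)
            total += sign * remaining ** n
    return total


def brute_force_attempts(p):
    """Worst case the attacker tries all p passwords; on average, half of them."""
    return p, p / 2


def seconds_to_exhaust(p, rate=GUESSES_PER_SECOND):
    """Time to try every password at the assumed guess rate."""
    return p / rate


if __name__ == "__main__":
    # The chapter's two worked cases: a 4-digit PIN and 7 lowercase letters.
    for c, n in ((10, 4), (26, 7)):
        p = password_set_size(c, n)
        worst, average = brute_force_attempts(p)
        print(f"c={c} n={n}: p={p:,} worst={worst:,} average={average:,.0f} "
              f"exhaust in {seconds_to_exhaust(p):.3g} s")
```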

Good Password Choice

How to create good passwords is a long-standing, but nevertheless still perplexing, problem for computer users everywhere. Undoubtedly this problem will remain until such time as the community of computer users determines that passwords are not an appropriate test for authentication—for example, to be replaced by biometrics (what you are) or physical devices (what you have).

On the other hand, if one assumes that we must commit a password to memory, then we must be confident that our memory is sufficient to contain such a password—or, in general in these modern times, contain the multiple passwords that we need for not only our computing account, but also access to many other websites such as our bank account, our accounts with bills that we may have to pay electronically, or online vendors where we may purchase various merchandise.

With the use of multiple passwords, of course our human memory requirements multiply as well.

The suggestion that we tend to use is to choose a relatively short but memorable event, so that it is indelibly burned into our consciousness, but also one that is not well known to persons who wish to research our histories. Let us say that many years ago, I had a memorable encounter with a person, place, or thing—let us say it was “Penobscot,” which is actually a river in the state of Maine.

Furthermore, in this case, I had told no one of having spent some time along that particular river—so no one who knew me would make such an association. This is therefore a password I am unlikely ever to forget. To use Penobscot but isolate it from a dictionary attack, I might insert some other character into the password, so that an attacker simply testing with a dictionary of river names would be deflected; for example, the password might be penob7scot.

Password Meters

Another approach to the creation and use of secure passwords is through one of a number of so-called “password meters” that are available at various sites on the Internet.

In particular, we have examined five of these candidates for password meters. In each case, the meter is available through a particular website, the user is encouraged to enter a test password, and a report is generated for the user as to the password meter’s judgment of the strength of the password. We designate them as (A) https://passwordmeter.com; (B) https://lastpass.com/howsecure.php; (C) https://my1login.com/resources/password-strength-test/; (D) https://thycotic.com/resources/password-strength-checker/; and (E) https://howsecureismypassword.net/.

Unfortunately, what we have too often discovered is that the strength of a password as judged by any one of the password meters may differ completely from the judgment of one or several of the other candidates.

One way of testing a proposed password meter for consistency is to submit a number of prospective passwords to each candidate meter and examine the consistency of the results:

Test Password          Feature
11111111111111111111   A rather simple but very long string; a nuisance to type
Penob7scot             A word found in some types of dictionaries, for example, a dictionary of US place names, with the insertion of a number to defeat a dictionary attack
x3p9q!m                A seemingly random string, but difficult to remember
Brittttany             A person’s name, with a certain letter duplicated (T); probably easy to remember
Onomatopoeia           A long word, but in most dictionaries
aBcl23xYz              Follows a pattern, but the mixture of letters, numbers, and capitals could prove strong and in this case probably easy to remember

The results of the meters (A) through (E) on the test passwords were as follows:

Test Password          (A)              (B)                 (C)                        (D)        (E)
11111111111111111111   Very weak, 0%    Weak                Very weak, 0.04 seconds    2 weeks    79 years
Penob7scot             Strong, 63%      Moderately strong   Strong, /months            3 years    8 months
x3p9q!m                Good, 54%        Weak                Strong, 8 months           1 minute   22 seconds
Brittttany             Very weak, 8%    Moderately strong   Weak, 16.05 minutes        4 hours    59 minutes
Onomatopoeia           Very weak, 13%   Very strong         Medium, 13 hours           4 months   4 weeks
aBcl23xYz              Strong, 76%      Weak                Weak, 40.01 minutes        2 weeks    4 days

Rank of each test password among the six, as ordered by each meter (1 = strongest):

Test Password          (A)  (B)  (C)  (D)  (E)
11111111111111111111   6    2    6    3    1
Penob7scot             2    2    2    1    2
x3p9q!m                3    4    1    6    6
Brittttany             5    2    5    5    5
Onomatopoeia           4    1    3    2    3
aBcl23xYz              1    4    4    3    4

Tokens: What You Have

Devices that you physically possess are becoming less and less common in contemporary computing environments. The reason is simply that if you have some form of key, token, smartcard, or other physical device, and if it is simply lost or stolen and only that physical device is necessary for entry or authorization in some environment, then essentially the door is left wide open.

Consequently, the physical device is more and more often used as part of what is called “two-factor authentication,” in which the physical device is combined with a second factor, normally a password.

A more clever device is the so-called RSA SecurID security token (CDW, 2018), which is synchronized in a multiuser system with the time that the token is activated. This device has a six-digit display, which changes every 60 seconds. The user with the token must enter the displayed six digits concurrently with the entry of a password. The central system uses an algorithm that can determine, to the minute, what the token’s six-digit readout should display, and the user must enter the six digits to match what the system stores.
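The following Python is an added illustration of a time-synchronized six-digit code of the kind just described; it is not RSA's proprietary SecurID algorithm but the published HMAC-based construction of RFC 4226/RFC 6238 with a 60-second step, and the shared secret is a constructed sample.

```python
# Added example, not RSA's proprietary SecurID algorithm: a time-synchronised
# six-digit code in the style described above.  Token and server share a
# secret and both derive the code from the current minute, so the server can
# work out what the display should show.  The construction is HMAC-SHA1 over
# the minute counter with dynamic truncation (the HOTP/TOTP scheme of
# RFC 4226 / RFC 6238) with a 60-second step.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the display changes every 60 seconds
DIGITS = 6          # six-digit display

# Constructed sample secret for the demonstration; a real token's seed is
# provisioned by the vendor and never printed.
SHARED_SECRET = b"12345678901234567890"


def minute_counter(unix_time):
    """Both sides map wall-clock time to the same step number."""
    return int(unix_time) // STEP_SECONDS


def token_code(secret, counter):
    """What the token displays during one step (HOTP with an 8-byte counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def server_verify(secret, submitted, unix_time, drift_steps=1):
    """Server side: recompute the expected code for the current minute and for
    drift_steps neighbours either side (clock skew), comparing in constant
    time so that a partial match leaks nothing about the expected code."""
    now = minute_counter(unix_time)
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(token_code(secret, now + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    t = time.time()
    code = token_code(SHARED_SECRET, minute_counter(t))
    print("display:", code, "accepted:", server_verify(SHARED_SECRET, code, t))
```

The sample secret is the RFC 4226 test-vector key, so the codes for counters 0, 1, 2 are 755224, 287082 and 359152 respectively.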

More and more in recent times, websites that require that you use a password mechanism to have an account at the website (banks, credit cards, web retailers, or e-tailers) use a two-factor authentication system. Typically, you create a password that the e-tailer then stores. Periodically, you might have to change the password—or more likely, address the issue if you happen to forget the password. In this case, if you indicate you wish to change or restore your password, the system will ask for a second account—typically a cell phone number—where you will find an email or phone message with a secondary password in order to update your password or other security information.

Biometrics: What You Are

The field of biometrics has been in existence much longer than the computer era. Perhaps one of the most common biometric measurements—what you are—is the fingerprint. The study of classification of humans by fingerprint dates back to the nineteenth century. Other more contemporary biometric measurements include facial recognition, hand recognition, retinal patterns, and DNA.

Problems

1. Which of the following pairs of password schemes provides the greater security in terms of the largest number of legal passwords in the scheme?

a. U: (c, n) = (26, 8) or V: (c, n) = (20, 9)

b. W: (c, n) = (52, 8) or X: (c, n) = (72, 7)

c. Y: (c, n) = (62, 13) or Z: (c, n) = (20, 18)

2. Suppose the password set size is 10^9 = 1 billion. Find a minimal value for c when n = 7. Find a minimal value for n when c = 52.

3. Suppose we have the following password authentication schemes. Indicate the solutions for each case in the matrix below, assuming a brute force attack.

Columns of the matrix: Case; Scheme; Total Number of Attempts Necessary to Find a Password; Expected Number of Attempts Necessary to Find a Password (the last two columns are to be filled in).

Case   Scheme
A      Exactly six alphanumeric characters, case sensitive
B      Any word in the Oxford English Dictionary
C      Fifteen characters, which all must be vowels (i.e., a, e, i, o, u, y)
D      A four-digit PIN (numeric characters only)
E      Six characters, which must have at least one in each category: non-case-sensitive letters, numbers, and one of the following special symbols {! # $ % ^ & * ~} (“{}” represents set notation, not two of the special characters)
F      Exactly ten alphabetic characters, non-case sensitive

4. Consider the RSA token. With a six-digit display, changing every minute, how long will it take until the display repeats?

Reference

CDW Inc. 2018. RSA SecurID. https://www.cdw.com/search/?key=rsa%20securid%20sid800&searchscope=all&sr=l.
