Kingdom of Saudi Arabia
Ministry of Higher Education
Al-Imam Muhammad Ibn Saud Islamic University
College of Computer and Information Sciences
Access Control
T.Wed Ateeq
First Semester
2023
Outline
• Authentication, capabilities, and limitations
• The three bases of authentication: knowledge,
characteristics, possessions
• Strength of an authentication mechanism
Basic Problem
How do you prove to someone that you are who
you claim to be?
Any system with access control must solve this problem.
Access Control
• Access control is the method by which systems determine
whether and how to admit a user into a trusted area of the
organization.
• Access control is achieved by means of a combination of
policies, programs, and technologies.
Related terms
• Identification
• Authentication
• Authorization
Q: Can you authenticate someone without identification?
Access Control
• Two parts to access control
• Authentication: Who goes there?
• Determine whether access is allowed
• Authenticate human to machine
• Authenticate machine to machine
• Authorization: Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions
• Note: Access control often used as synonym for
authorization
AUTHENTICATION
Access Control
• Two parts to access control
• Authentication: the process of determining whether a user (or
other entity) should be allowed access to a system.
Are you who you say you are? (Is someone or something claiming to
be Alice indeed Alice and not Trudy?)
• Determine whether access is allowed
• Authenticate human to machine
• Or authenticate machine to machine
• Authorization: Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions
• Note: “access control” often used as synonym for authorization
Are You Who You Say You Are?
• How to authenticate a human to a machine?
• Can be based on…
• Something you know
• For example, a password
• Something you have
• For example, an ATM card or a smartcard
• Something you are
• For example, your fingerprint (biometrics)
Something You Know
• Passwords: An ideal password is something that you know,
something that a computer can verify that you know, and
something nobody else can guess.
• Lots of things act as passwords!
• PIN
• Social security number
• Mother’s maiden name
• Date of birth
• Name of your pet, etc.
• A problem with such passwords is that they are often not
secret.
Why Passwords?
• Why is “something you know” more popular
than “something you have” and “something
you are”?
• Cost: passwords are free
• Convenience: easier for admin to reset pwd
than to issue a new thumb
Good and Bad Passwords
• Good Passwords?
o jfIej,43j-EmmL+y
o 09864376537263
o P0kem0N
o FSa7Yago
o 0nceuP0nAt1m8
o PokeGCTall150
• Bad passwords
o frank
o Fido
o password
o 4444
o Pikachu
o 102560
o AustinStamp
Attacks on Passwords
• Attacker could…
• Target one particular account
• Target any account on system
• Target any account on any system
• Attempt denial of service (DoS) attack
Password Retry
• Another interesting issue concerns the proper
response when attempted password cracking is
detected. For example, systems often lock users
out after three bad password attempts.
• Suppose system locks after 3 bad passwords.
How long should it lock?
• 5 seconds (insufficient)
• 5 minutes (might open the door to a denial of service attack,
where Trudy is able to lock accounts indefinitely by
periodically making three password guesses on an account.)
• Until the administrator manually resets the service
Password File?
• Bad idea to store passwords in a file
• It might be tempting to encrypt the password file with a
symmetric key. However, to verify passwords, the file
must be decrypted, so the decryption key must be as
accessible as the file itself. Consequently, if Trudy can
steal the password file, she can probably steal the key
as well. Consequently, encryption is of little value here.
• We need to verify passwords
• Instead of storing raw passwords in a file or encrypting
the password file, it's more secure to store hashed
passwords.
Password File?
• Cryptographic solution: hash the pwd
• Store y = h( password )
• For example, if Alice's password is FSa7Yago, we could store y =
h(FSa7Yago) in a file, where h is a secure cryptographic hash
function.
• Can verify entered password by hashing
Then when someone claiming to be Alice enters a password x, it is
hashed and compared to y, and if y = h(x) then the entered password
is assumed to be correct and the user is authenticated.
• If Trudy obtains “password file,” she does not obtain passwords
Dictionary Attack
• Trudy pre-computes h(x) for all x in a
dictionary of common passwords
• Suppose Trudy gets access to password file
containing hashed passwords
• She only needs to compare hashes to her pre-
computed dictionary
• After one-time work, actual attack is trivial
• Can we prevent this attack? Or at least make
attacker’s job more difficult?
Salt
• Users with the same password have different
entries in the password file
• Offline dictionary attack becomes much harder
Copyright © The McGraw-Hill Companies, Inc.
Salt
• Hash password with salt
• Choose random salt s and compute
y = h(password, s)
and store (s,y) in the password file
• Note: The salt s is not secret
• Easy to verify salted password but must re-
compute dictionary hashes for each user
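The hashed password file, the precomputed dictionary and the effect of the salt, as an added example that is not part of the original slides. SHA-256 stands in for h, and the user names, dictionary and table layout are constructed for illustration; a deployed system would use a deliberately slow password-hashing function rather than a single SHA-256.

```python
import hashlib
import hmac
import os

def h(password, salt=b""):
    # Stand-in for the slides' h: SHA-256 over salt || password (an assumption).
    return hashlib.sha256(salt + password.encode()).hexdigest()

def enroll_unsalted(users):
    # Password file stores y = h(password) per user.
    return {name: h(pw) for name, pw in users.items()}

def enroll_salted(users):
    # Password file stores (s, y) with y = h(password, s); s is not secret.
    table = {}
    for name, pw in users.items():
        s = os.urandom(16)
        table[name] = (s, h(pw, s))
    return table

def verify(table, name, attempt):
    # Recompute h(x, s) for the entered password x and compare with stored y.
    if name not in table:
        return False
    s, y = table[name]
    return hmac.compare_digest(h(attempt, s), y)

def precomputed_hits(stored_hashes, dictionary):
    # Dictionary hashed once, without any salt, then matched against the file.
    lookup = {h(word) for word in dictionary}
    return sum(1 for y in stored_hashes if y in lookup)

def hashes_needed_with_salt(table, dictionary):
    # With salts the dictionary must be re-hashed for every (s, y) entry.
    work = 0
    for s, y in table.values():
        for word in dictionary:
            work += 1
            if h(word, s) == y:
                break
    return work

# Constructed sample data: two users share a dictionary password.
USERS = {"alice": "FSa7Yago", "bob": "Pikachu", "charlie": "Pikachu"}
DICTIONARY = ["password", "4444", "frank", "Fido", "Pikachu"]

if __name__ == "__main__":
    unsalted, salted = enroll_unsalted(USERS), enroll_salted(USERS)
    print(precomputed_hits(unsalted.values(), DICTIONARY))
    print(precomputed_hits([y for _, y in salted.values()], DICTIONARY))
    print(hashes_needed_with_salt(salted, DICTIONARY))
```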
Graphical Passwords
• Another variant: draw on the image (Windows 8)
• Problem: users choose predictable points/lines
Unlock Patterns
Problems:
– Predictable patterns
(sound familiar by now??)
– Smear patterns
– Side channels: apps can use
accelerometer and gyroscope
to extract pattern!
Biometrics
Something You Are
• Biometric
• “You are your key”
• Examples
o Fingerprint
o Handwritten signature
o Facial recognition
o Speech recognition
o Gait (walking) recognition
o “Digital doggie” (odor recognition)
o Many more!
Why Biometrics?
• More secure replacement for passwords
• Cheap and reliable biometrics needed
• Today, an active area of research
• Biometrics are used in security today
• Thumbprint mouse
• Palm print for secure entry
• Fingerprint to unlock car door, etc.
• But biometrics not too popular
• Has not lived up to its promise (yet?)
Ideal Biometric
• Universal: applies to (almost) everyone
• In reality, no biometric applies to everyone
• Distinguishing: distinguish with certainty
• In reality, cannot hope for 100% certainty
• Permanent: physical characteristic being
measured never changes
• In reality, OK if it remains valid for long time
• Collectable: easy to collect required data
• Depends on whether subjects are cooperative
Enrollment vs Recognition
• Enrollment phase
• Subject’s biometric info put into database
• Must carefully measure the required info
• OK if slow and repeated measurement needed
• Must be very precise
• May be a weak point of many biometrics
• Recognition phase
• Biometric detection, when used in practice
• Must be quick and simple
• But must be reasonably accurate
Fingerprint
• 1888 Sir Francis Galton developed
classification system
• His system of “minutia” still used today
• Also verified that fingerprints do not change
• Some countries require fixed number of
“points” (minutia) to match in criminal cases
• In Britain, at least 15 points
• In US, no fixed number of points
Fingerprint Comparison
• Examples of loops, whorls, and arches
• Minutia extracted from these features
[Figure: fingerprint examples: Loop (double), Whorl, Arch]
Fingerprint: Enrollment
• Capture image of fingerprint
• Enhance image
• Identify points
Fingerprint: Recognition
• Extracted points are compared with information
stored in a database
• Is it a statistical match?
• Aside: Do identical twins’ fingerprints differ?
Hand Geometry
• A popular biometric
• Measures shape of hand
o Width of hand, fingers
o Length of fingers, etc.
• Human hands not unique
• Hand geometry sufficient for
many situations
• OK for authentication
• Not useful for ID problem
Hand Geometry
• Advantages
• Quick: 1 minute for enrollment, 5 seconds for
recognition
• Hands are symmetric, so what?
• Disadvantages
• Cannot use on very young or very old
• Relatively high equal error rate
Iris Patterns
• Iris pattern development is “chaotic”
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable through lifetime
Iris Scan
• Scanner locates iris
• Take b/w photo
• Use polar coordinates…
• 2-D wavelet transform
• Get 256 byte iris code
Measuring Iris Similarity
• Based on Hamming distance
• Define d(x,y) to be
• # of non match bits / # of bits compared
• d(0010,0101) = 3/4 and d(101111,101001) = 1/3
• Compute d(x,y) on 2048-bit iris code
• Perfect match is d(x,y) = 0
• For same iris, expected distance is 0.08
• At random, expect distance of 0.50
• Accept iris scan as match if distance <0.32
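The distance measure and the 0.32 acceptance threshold, as an added example that is not part of the original slides. Iris codes are modelled as random 2048-bit strings and a repeat scan of the same iris as independent bit flips at rate 0.08; both are simplifying assumptions used only to generate constructed sample data.

```python
import random

IRIS_BITS = 2048
THRESHOLD = 0.32  # accept as a match when the distance is below this value

def distance(x, y):
    # d(x, y) = number of non-matching bits / number of bits compared
    if len(x) != len(y) or not x:
        raise ValueError("codes must be non-empty and of equal length")
    return sum(a != b for a, b in zip(x, y)) / len(x)

def random_code(rng, bits=IRIS_BITS):
    # Constructed stand-in for an enrolled iris code.
    return "".join(rng.choice("01") for _ in range(bits))

def rescan(code, rng, noise=0.08):
    # Assumed noise model: each bit flips independently with probability `noise`.
    flip = {"0": "1", "1": "0"}
    return "".join(flip[b] if rng.random() < noise else b for b in code)

def is_match(enrolled, scanned):
    return distance(enrolled, scanned) < THRESHOLD

def demo(seed=1):
    # Returns (distance for a repeat scan of Alice, distance to a different iris).
    rng = random.Random(seed)
    alice = random_code(rng)
    same = distance(alice, rescan(alice, rng))
    other = distance(alice, random_code(rng))
    return same, other

if __name__ == "__main__":
    print(distance("0010", "0101"), distance("101111", "101001"))
    print(demo())
```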
Single Sign-on
• A hassle to enter password(s) repeatedly
• Alice wants to authenticate only once
• “Credentials” stay with Alice wherever she goes
• Subsequent authentications transparent to Alice
• Single sign-on for the Internet?
• Single sign-on (SSO) is an authentication scheme that allows a
user to log in with a single ID and password to any of several
related, yet independent, software systems.
• True single sign-on allows the user to log in once and access
services without re-entering authentication factors.
Attacking Biometrics
• An adversary might try to steal biometric info
• Malicious fingerprint reader
• Consider when biometric is used to derive a cryptographic key
• Residual fingerprint on a glass
• Ex: Apple’s TouchID
Something You Have
• Something in your possession
• Examples include following…
• Car key
• Laptop computer (or MAC address)
• Password generator
• ATM card, smartcard, etc.
Tokens
• Passive tokens do not change.
• photo or key
• Active tokens communicate with a sensor.
• memory cards with a magnetic strip
• static token remains fixed
• Keys, identity cards, passports, credit, RFID
• dynamic token is one whose value changes
• SecurID
2-factor Authentication
• Requires any 2 out of 3 of
o Something you know
o Something you have
o Something you are
• Examples
• ATM: Card and PIN
• Credit card: Card and signature
• Password generator: Device and PIN
• Smartcard with password/PIN
Multi-Factor Authentication
AUTHORIZATION
Authentication vs Authorization
• Authentication: Are you who you say you are?
• Restrictions on who (or what) can access system
• Authorization: Are you allowed to do that?
• Restrictions on actions of authenticated users
• Authorization is a form of access control
• Classic authorization enforced by
• Access Control Lists (ACLs)
• Capabilities (C-lists)
Access Control Lists (ACLs)
• ACL: store access control matrix by column
• Example: ACL for insurance data is in blue (the Insurance data column)
                     OS    Accounting  Accounting  Insurance  Payroll
                           program     data        data       data
Bob                  rx    rx          r           ---        ---
Alice                rx    rx          r           rw         rw
Sam                  rwx   rwx         r           rw         rw
Accounting program   rx    rx          rw          rw         rw
Capabilities (or C-Lists)
• Store access control matrix by row
• Example: Capability for Alice is in red (the Alice row)
                     OS    Accounting  Accounting  Insurance  Payroll
                           program     data        data       data
Bob                  rx    rx          r           ---        ---
Alice                rx    rx          r           rw         rw
Sam                  rwx   rwx         r           rw         rw
Accounting program   rx    rx          rw          rw         rw
ACLs vs Capabilities
[Figure: users Alice, Bob and Fred linked by arrows to file1, file2 and file3; left panel: Access Control List, right panel: Capability]
• Note that arrows point in opposite directions…
• With ACLs, still need to associate users to files
ACLs vs Capabilities
• ACLs
• Good when users manage their own files
• Protection is data-oriented
• Easy to change rights to a resource
• Capabilities
• Easy to delegate
• Easy to add/delete users
• More difficult to implement
Multilevel Security (MLS) Models
Classifications and Clearances
• Classifications apply to objects
• Clearances apply to subjects
• US Department of Defense (DoD) uses 4 levels:
TOP SECRET
SECRET
CONFIDENTIAL
UNCLASSIFIED
• To obtain a SECRET clearance requires a routine
background check
• A TOP SECRET clearance requires extensive
background check
Compartments
Compartments
• Multilevel Security (MLS) enforces access control up and
down
• Simple hierarchy of security labels is generally not flexible
enough
• Compartments enforce restrictions across
• Suppose TOP SECRET divided into TOP SECRET
{CAT} and TOP SECRET {DOG}
• Both are TOP SECRET but information flow restricted
across the TOP SECRET level
• Compartments designed to enforce the need to know
principle
Compartments
• Arrows indicate “” relationship
TOP SECRET {CAT, DOG}
TOP SECRET {CAT} TOP SECRET {DOG}
TOP SECRET
SECRET {CAT, DOG}
SECRET {CAT} SECRET {DOG}
SECRET
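The labels in the diagram above form a partial order, shown here as an added example that is not part of the original slides. It assumes the usual dominance ordering (level at least as high and compartment set a superset) and an access rule under which a subject may read an object only if its clearance dominates the object's label; the object names are constructed.

```python
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

def label(level, *compartments):
    # A security label is a (level rank, set of compartments) pair.
    return (LEVELS.index(level), frozenset(compartments))

def dominates(a, b):
    # a dominates b: level at least as high AND a holds every compartment of b.
    return a[0] >= b[0] and a[1] >= b[1]

def comparable(a, b):
    # Labels such as TOP SECRET {CAT} and TOP SECRET {DOG} are not comparable.
    return dominates(a, b) or dominates(b, a)

def accessible(clearance, objects):
    # Assumed rule: read access requires the clearance to dominate the label.
    return sorted(n for n, lab in objects.items() if dominates(clearance, lab))

# Constructed objects carrying labels taken from the slide's diagram.
OBJECTS = {
    "cat_report": label("TOP SECRET", "CAT"),
    "dog_report": label("TOP SECRET", "DOG"),
    "cat_memo": label("SECRET", "CAT"),
    "joint_plan": label("SECRET", "CAT", "DOG"),
    "bulletin": label("SECRET"),
}

if __name__ == "__main__":
    print(accessible(label("TOP SECRET", "CAT"), OBJECTS))
    print(accessible(label("TOP SECRET"), OBJECTS))
    print(comparable(label("TOP SECRET", "CAT"), label("TOP SECRET", "DOG")))
```

A plain TOP SECRET clearance with no compartments reaches only the uncompartmented object, which is the need-to-know restriction the compartments add on top of the level hierarchy.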
Covert Channel
Covert Channel
• Covert channel: a communication path not intended
as such by system’s designers
Covert Channel Example
Alice:  Create file   Delete file   Create file                 Delete file
Bob:    Check file    Check file    Check file    Check file    Check file
Data:   1             0             1             1             0
Time:
CAPTCHA
Turing Test
• Proposed by Alan Turing in 1950
• Human asks questions to another human and a
computer, without seeing either
• If questioner cannot distinguish human from
computer, computer passes the test
• The gold standard in artificial intelligence
• No computer can pass this today
CAPTCHA
• CAPTCHA
• Completely Automated Public Turing test to tell
Computers and Humans Apart
• Automated: test is generated and scored by a
computer program
• Public: program and data are public
• Turing test to tell…: humans can pass the test,
but machines cannot pass
• Also known as HIP == Human Interactive Proof
• Like an inverse Turing test (well, sort of…)
CAPTCHA Paradox?
• “…CAPTCHA is a program that can generate and grade tests that it
itself cannot pass…”
• “…much like some professors…”
• Paradox: computer creates and scores test that it cannot pass!
• CAPTCHA used so that only humans can get access (i.e., no
bots/computers)
• CAPTCHA is for access control
• Current types of CAPTCHAs
• Visual: like previous example
• Audio: distorted words or music
• No text-based CAPTCHAs
• Maybe this is impossible…
Do CAPTCHAs Exist?
• Easy for most humans
• A (difficult?) OCR problem for computer
o OCR == Optical Character Recognition
Intrusion Detection Systems
Intrusion Prevention
• Want to keep bad guys out
• Intrusion prevention is a traditional focus of computer
security
• Authentication is to prevent intrusions
• Firewalls a form of intrusion prevention
• Virus defenses aimed at intrusion prevention
• Like locking the door on your car
Intrusion Detection
• In spite of intrusion prevention, bad guys will
sometimes get in
• Intrusion detection systems (IDS)
• Detect attacks in progress (or soon after)
• Look for unusual or suspicious activity
• IDS evolved from log file analysis
Intrusion Detection Systems
• Who is likely intruder?
• May be outsider who got thru firewall
• May be evil insider
• What do intruders do?
• Launch well-known attacks
• Launch variations on well-known attacks
• Launch new/little-known attacks
• “Borrow” system resources
• Use compromised system to attack others, etc.
Signature Detection
• Many techniques used to make signature
detection more robust
• Goal is to detect “almost” signatures
• For example, if “about” N login attempts in “about”
M seconds
• Warn of possible password cracking attempt
• What are reasonable values for “about”?
• Can use statistical analysis, heuristics, etc.
• Must not increase false alarm rate too much
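The "about N login attempts in about M seconds" signature as a sliding-window detector, given as an added example that is not part of the original slides. The log format, the event names and the `slack` parameter (how far "about" is allowed to stretch) are assumptions made for this illustration, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the line format is an assumption for this example.
LOG = """\
2023-10-01T10:00:00 LOGIN_FAIL user=alice
2023-10-01T10:00:04 LOGIN_FAIL user=alice
2023-10-01T10:00:09 LOGIN_OK user=bob
2023-10-01T10:00:11 LOGIN_FAIL user=alice
2023-10-01T10:00:13 LOGIN_FAIL user=alice
2023-10-01T10:05:00 LOGIN_FAIL user=bob
2023-10-01T10:09:00 LOGIN_FAIL user=bob
""".splitlines()

def parse(line):
    ts, event, user = line.split()
    return datetime.fromisoformat(ts), event, user.split("=", 1)[1]

def detect(lines, n, m, slack=0.0):
    """Return [(user, time)] where failed logins reached "about" n in "about" m
    seconds. slack=0.25 relaxes the signature to 0.75*n failures in 1.25*m s."""
    need = max(1, round(n * (1 - slack)))
    window = m * (1 + slack)
    recent = defaultdict(deque)  # per-user timestamps of recent failures
    alerts = []
    for line in lines:
        ts, event, user = parse(line)
        if event != "LOGIN_FAIL":
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that have fallen out of the time window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= need:
            alerts.append((user, ts))
            q.clear()  # raise one alert per burst
    return alerts

if __name__ == "__main__":
    print(detect(LOG, n=4, m=10))              # exact signature
    print(detect(LOG, n=4, m=10, slack=0.25))  # "almost" signature
```

On this log the exact signature raises nothing because the failures are paced just outside the window, while the relaxed one flags alice; a larger `slack` also raises the false alarm rate, which is the trade-off the slide points to.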
Signature Detection
• Advantages of signature detection
• Simple
• Detect known attacks
• Know which attack at time of detection
• Efficient (if reasonable number of signatures)
• Disadvantages of signature detection
• Signature files must be kept up to date
• Number of signatures may become large
• Can only detect known attacks
• Variation on known attack may not be detected
Anomaly Detection
• Anomaly detection systems look for unusual or
abnormal behavior
• There are (at least) two challenges
• What is normal for this system?
• How “far” from normal is abnormal?
• No avoiding statistics here!
• mean defines normal
• variance gives distance from normal to abnormal
Anomaly Detection (1)
• Suppose we monitor use of three commands:
open, read, close
• Under normal use we observe Alice:
open, read, close, open, open, read, close, …
• Of the six possible ordered pairs, we see four
pairs are normal for Alice,
(open,read), (read,close), (close,open),
(open,open)
• Can we use this to identify unusual activity?
Anomaly Detection
• Over time, Alice has accessed file Fn at rate Hn
• Recently, “Alice” has accessed Fn at rate An
H0   H1   H2   H3      A0   A1   A2   A3
.10  .40  .40  .10     .10  .40  .30  .20
• Is this normal use for Alice?
• We compute $S = (H_0 - A_0)^2 + (H_1 - A_1)^2 + \dots + (H_3 - A_3)^2 = .02$
o We consider S < 0.1 to be normal, so this is normal
• How to account for use that varies over time?
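Both anomaly models from these slides, the command-pair profile and the file-access statistic S, as an added example that is not part of the original slides. The test trace is constructed, and the `update` function is one assumed answer to the closing question (a weighted average with weight 0.2), not something the slides specify.

```python
def learn_pairs(trace):
    # Normal behaviour = the set of consecutive command pairs seen in training.
    return set(zip(trace, trace[1:]))

def unseen_pairs(normal, trace):
    # Pairs in a new trace that never occurred in the training trace.
    return [p for p in zip(trace, trace[1:]) if p not in normal]

def s_statistic(H, A):
    # S = (H0 - A0)^2 + (H1 - A1)^2 + ... + (Hn - An)^2
    return sum((h - a) ** 2 for h, a in zip(H, A))

def is_normal(H, A, threshold=0.1):
    return s_statistic(H, A) < threshold

def update(H, A, weight=0.2):
    # Assumed way to track slowly changing use: fold recent rates into the
    # long-term rates as a weighted average (weight is a hypothetical choice).
    return [weight * a + (1 - weight) * h for h, a in zip(H, A)]

# Training trace from the slide; the second trace is constructed.
ALICE_TRACE = ["open", "read", "close", "open", "open", "read", "close"]
NEW_TRACE = ["open", "close", "read", "read", "close"]

# Rates from the slide.
H = [0.10, 0.40, 0.40, 0.10]
A = [0.10, 0.40, 0.30, 0.20]

if __name__ == "__main__":
    normal = learn_pairs(ALICE_TRACE)
    print(sorted(normal))
    print(unseen_pairs(normal, NEW_TRACE))
    print(round(s_statistic(H, A), 4), is_normal(H, A))
    print([round(x, 2) for x in update(H, A)])
```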
Anomaly Detection
• Advantages?
• Chance of detecting unknown attacks
• Disadvantages?
• Cannot use anomaly detection alone…
• …must be used with signature detection
• Reliability is unclear
• May be subject to attack
• Anomaly detection indicates “something unusual”, but
lacks specific info on possible attack
END