Asset Security System Security is about building barriers to protect assets. What complicates...
-
Upload
vincent-stone -
Category
Documents
-
view
216 -
download
3
Transcript of Asset Security System Security is about building barriers to protect assets. What complicates...
AssetAsset
Security System
Security is about building barriers to protect assets.
What complicates security is the necessity for barrier penetration.
AttackProperAccess
To be secure the barrier holes must be guarded.
Basic Concepts in Barrier Penetration Control
- Can you prove it?
- That which you are permitted to do.
- You should be held responsible.
- Who are you?
Security systems need to be able to distinguish the“white hats” from the “black hats”. This all begins with identity.
What are some common identifiers used in our world?
What is the problem with using people’s names as identifiers?
Access privileges granted to a user, program, or process.†
† Definition from National Information Systems Security
Common authorization tokens:
Security measure designed to establish the validity of a transmission, message, or originator,or a means of verifying an individual’s authorization to receive specific categories of information.†
† Definition from National Information Systems Security
Authentication is often necessary to ensure integrity of origin.
Authentication ... is a basis for trust
Password -- the most common means of authentication
Passwords are vulnerable to attacks. Why?
Uses challenge - reponse protocol
RESPONSE
password:
CHALLENGE
(Encryption required)
Challenge-response systems fail when responses are efficiently discovered.
Give password cracking software a challenge.The conventional wisdom is as follows...
Use first letters from some phrase you can remember.
TtlsH1wwya
Don’t use short passwords (at least 8 symbols).
Include both lowercase and uppercase and digits.
Bracket the password with non-alphanumerics.
#TtlsH1wwya&
Bracket the password with non-printables.
#TtlsH1wwya&
Alt - 0181
cracker algorithm == repeatedlycracker algorithm == repeatedly
token -- small device carried by user(often includes microprocessor, keypad and/or real-time clock)
Challenge-Response Token1) System displays random number which user enters on keypad.2) Card uses keypad input to calculate and display number.3) User enters number in computer which system verifies by same computation.
Time-Based Token1) Card uses internal real-time clock value to calculate and display number.2) User enters number in computer which system verifies with its clock.
HHAD - Hand Held Authentication Device
biometric -- requires special devices to read human features
fingerprints
retinal/iris scans
facial recognition?
voice patterns
Advantages • nothing to remember or to carry• promise of simple use
Disadvantages • imperfect accuracy (1:100,000 at best)• susceptible to physical injury• theft possible (even without direct contact)• not all systems will be consistent
NIST has suggested including two fingerprints and a faceprint on passports.
A few major U.S. airports have tested face recognition software.
In Jan., 2002, a Yokohama math researcher spoofed fingerprints.
A British medical report claims that medications used to treat Glaucoma willalter iris patterns, rendering iris scans useless.
digital certificate -- a certificate authority performs a security checkon a user and grants an electronic certificate (essentially encryption keys)
smartcard -- physically requires reader, contains full microprocessor with cryptographic calculations performed onboard.
Smartcards can store ... private keys biometric data digital certificate user data
Tampering with a smartcard typically renders it useless.
Strength of authentication
Vulnerability to attack
Ease of use
Cost to implement
Interoperability with other systems
...what you _______ (password)
...what you _______ (key, token, smartcard)
...what you _____ (biometrics - fingerprints, retinal scan)
..._______ you are (in secure location, at some terminal)
Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, soneither can later deny having processed the data.†
† Definition from National Information Systems Security
Access
Attacker
User