Computer

Security
Chapter 4
Authentication and
Access Control
User
authentication
 Authentication

Authentication is the process of verifying the identity of a

user who wants to access a system or resource.
It is crucial for maintaining effective security and access
control.
User authentication typically involves providing
credentials, which usually include a user ID and password.
 common methods of
authentication,
1. Password-based authentication: This is the most
widely used method where users provide a unique
combination of a username (user ID) and a secret
password. The system compares the provided
password with the stored password associated with the
username to verify the user's identity.
2. Multi-factor authentication (MFA): MFA combines two
or more authentication factors to enhance security. It
typically involves a combination of something the user
knows (e.g., password), something the user possesses
(e.g., a physical token or smartphone), and something
the user is (e.g., biometric data like fingerprints or
facial recognition).
 Continue…..
3. Public Key Infrastructure (PKI): PKI is a cryptographic
system that uses public and private key pairs. Users possess
a private key that is kept secret and a corresponding public
key that is widely distributed. The system uses the public
key to authenticate the user by verifying the digital
signature created with the private key
4. Biometric authentication: This method uses unique
physical or behavioral characteristics, such as fingerprints,
retinal scans, facial recognition, or voice recognition, to
identify and authenticate individuals.
 Continue…
5.Token-based authentication: Tokens are physical or
digital devices that generate one-time passwords (OTPs)
or short-lived authentication codes. Users provide the
OTP or code along with their username to authenticate
themselves.

6. Single Sign-On (SSO): SSO allows users to authenticate

once and gain access to multiple systems or resources
without re-entering credentials. It relies on a centralized
authentication server that handles the authentication
process and provides tokens for subsequent access.
 Authorization,
Authorization, also known as access control, is a security
mechanism that determines what actions or operations an
authenticated user or entity is allowed to perform within
system or on a particular resource. It involves granting or
denying permissions based on the user's identity, role, or
other attributes.
 The goal of authorization is to enforce restrictions and
ensure that users can only access and manipulate
resources that they are authorized to use. It helps
protect sensitive information, maintain system integrit
and prevent unauthorized activities.
 key concepts related to
authorization:
1. Access Control Lists (ACLs): ACLs are lists associated
with resources, such as files, folders, or database
records, that specify which users or groups have
permission to perform specific operations, such as read,
write, or delete.

2. Role-Based Access Control (RBAC): RBAC is a model that

assigns permissions based on predefined roles instead of
individual users. Users are assigned roles, and
permissions are associated with those roles. This
approach simplifies permission management, especially
in larger systems with many users.
 Continue..
3. Permissions and Privileges: Permissions define the
specific actions or operations that a user is allowed or
denied on a resource. For example, read, write, execute,
create, or delete permissions. Privileges refer to higher-
level access rights, often associated with administrative
tasks, such as user management or system configuration.
4. Authorization Policies: Policies are rules or conditions
that determine which permissions are granted to users or
entities. Policies can be defined based on factors like user
roles, attributes, or conditions related to the resource
being accessed. They provide a flexible way to manage and
enforce access control.
 Continue..
3.Access Tokens: Access tokens are cryptographic tokens
issued to authenticated users or entities. These tokens
contain information about the user's identity and
associated permissions. They are used to verify and enforc
authorization when requesting access to resources or
performing operations.

4. Principle of Least Privilege (PoLP): The PoLP states that

users should be granted the minimum set of permissions
required to perform their tasks. By limiting privileges, the
potential impact of a security breach or an accidental
misuse of permissions is reduced.
 Summary
Authorization is a critical aspect of system security, and it
works in conjunction with authentication (verifying the
identity of users) to ensure that only authorized individuals
or entities can access resources and perform specific
actions. By implementing robust authorization mechanisms
organizations can protect their systems, data, and sensitiv
information from unauthorized access or misuse.
Authentication
procedure
The authentication procedure consists of 4
stages:

1) identification of the user (who is it?)

2) provision of some kind of authentication
information, which is secret and
unforgeable.
3) transmission of the authentication
information
to the system through a secure channel.
4) validation of the authentication information wrt
some reference information (proof of
correctness)
 Authentication
information
The authentication information can be of 3 different,
generic types, based on something that is unique for the
user:
• something you K N O W (e.g password, PIN code)
• something you H AVE (e.g smartcard)
• something you ARE (DO) (e.g fingerprint),
(biometrical methods, something characteristic about
you)
( W HERE you are can also be used in some situations)
In general, something that you have is called a token.
i.e. something that is used for authentication
A capability is an unforgeable token that gives the
possessor certain rights (to an object) -
authorization
Access Control
 Access Control
Elements
⚫ subject - entity that can access objects
◦ a process representing user/application
◦ often have 3 classes: owner, group, world
⚫ object - access controlled resource
◦ e.g. files, directories, records, programs etc
◦ number/type depend on environment
⚫ accessright - way in which subject
accesses an object
◦ e.g. read, write, execute, delete, create,
search
Access Control
Usage
 Access
⚫ providedControl
using an access control
matrix
◦ lists of subjects in one dimension (rows)
◦ lists of objects in the other
dimension (columns)
◦ each entry specifies access rights of
the specified subject to that object
⚫ access control matrix is often
sparse
⚫ can decompose by either column,
leading to an access control list
Access Control
Matrix
 Mandatory and
D iscretionary
Access Control
⚫ MANDATORY A C C E S S C O N T R O L
(MAC) means that some central authority (e.g. the
security officer) determines what information is
accessible to whom
⚫ D I SCR E TI O NA RY A C C E S S C O N T R O L
(DAC) means that the owner of the file (i.e. the user)
determines what information is accessible to whom
⚫ MAC and DAC can both be applied at the same time
⚫ MAC is most commonly used in the multi-level
security mechanism (MLS) in the Military Security
Policy
⚫ DAC is used in many operating systems, e.g.
UN IX.
 Role-Based Access
C ontrolA C C E S S C O N T R O L
⚫ In ROLE-BASED (RBAC)
the rights are assigned to roles rather than to the
users.
For example in a hospital: surgeon, medical
practitioner, nurse, janitor, etc
⚫ RBAC employs MAC and has been developed to meet
the needs from commercial and societal systems.
⚫ Procedure:
identification - authentication - selection of role - access
to information (according to role).
⚫ Advantages:
- easy to enforce enterprise-specific security policies
- security management is simplified
Role-
Based
Access
Contro
l
 User to Role:

Role-
Based
Access
Contro
l
Role to Access
Right: