Lec 4 - Protection in Operating Systems

AUTHENTICATION


* Verification of identity of someone who generated some data.
* Relates to identity verification.
*

classifications of identity verification:
#by something known e.g. password
#by something possessed e.g. smart card, passport
#by physical characteristics (biometrics) e.g. finger prints, palm prints, retina, voice
#by a result of involuntary action : signature

*


Requirements – must be able to verify that:
¤Message came from apparent source or author
¤Contents have not been altered
¤Sometimes, it was sent at a certain time or sequence

*


Protection against active attack (falsification of data and transactions)



PASSWORD


¨Protection of passwords
¤Don’t keep your password to anybody
¤Don’t write or login your password at everywhere
¤Etc.
¨Choosing a good password
¤Criteria:
-Hard to guess and easy to remember
¤Characteristics of a good password
-Not shorter than six characters
-Not patterns from the keyboard
-Etc.
¨Calculations on password
¤Password population, N =rs
¤Probability of guessing a password = 1/N
¤Probability of success, P=nt/N

***Support for password compliance reporting and strong authentication
-OneSign gives organizations a variety of powerful tools for password authentication, including:
*Automated password generation and changes, including the ability to generate strong random passwords on behalf of end-users.
*Self-service password reset - enabling users to securely reset their own passwords.
*Password authentication policy implementation.
*Built-in support for strong authentication options such as fingerprint biometrics, smart cards. proximity cards, USB tokens, and more.
*Pre-built and customized reports that track password authentication and access and provide data on who accessed what, how, when, and from where
*Audit logs of access and password change activity, delivering the information IT departments need to enhance and enforce compliance across the enterprise.
*Support for end-user workflow including shared workstations and fast user switching.

***Techniques for guessing passwords***
-Try default passwords.
-Try all short words, 1 to 3 characters long.
-Try all the words in an electronic dictionary(60,000).
-Collect information about the user’s hobbies, family names, birthday, etc.
-Try user’s phone number, social security number, street address, etc.
-Try all license plate numbers
-Use a Trojan horse
-Tap the line between a remote user and the host system.


BIOMETRIC


¨The term is derived from the Greek words bio (= life) and metric (= to measure)
¨Biometrics is the measurement and statistical analysis of biological data
¨In IT, biometrics refers to technologies for measuring and analysing human body characteristics for authentication purposes
¨Definition by Biometrics Consortium – automatically recognising a person using distinguishing traits

#How does it works?
¨Each person is unique
¨What are the distinguishing traits that make each person unique?
¨How can these traits be measured?
¨How different are the measurements of these distinguishing traits for different people


#Biometric Technologies
¤Fingerprint biometrics – fingerprint recognition
¤Eye biometrics – iris and retinal scanning
¤Face biometrics – face recognition using visible or infrared light (called facial thermography)
¤Hand geometry biometrics – also finger geometry
¤Signature biometrics – signature recognition
¤Voice biometrics – speaker recognition

#Classification of biometric methods
¨Static
¤Fingerprint recognition
¤Retinal scan
¤Iris scan
¤Hand geometry
¨Dynamic
¤Signature recognition
¤Speaker recognition
¤Keystroke dynamics
#Biometric system architecture
¤Data collection
¤Signal processing
¤Matching
¤Decision
¤Storage
¤Transmission


ACCES CONTROL


¨“The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner“
¤central element of computer security
¤assume have users and groups
nauthenticate to systemassigned access rights to certain resources on system


Requirements
¨reliable input
¨fine and coarse specifications
¨least privilege
¨separation of duty
¨open and closed policies
¨policy combinations, conflict resolution
¨administrative policies



Elements
¨subject - entity that can access objects
¤a process representing user/application
¤often have 3 classes: owner, group, world
¨• object - access controlled resource
¤e.g. files, directories, records, programs etc
¤number/type depend on environment
¨• access right - way in which subject accesses an object
¤e.g. read, write, execute, delete, create, search