This document discusses access control systems and methodologies. It covers security clearances used by the federal government, multifactor authentication/biometrics, and passwords. Specific access control methods like fingerprints, voiceprints, retina scanning, iris scanning, and face recognition are explained. The document also discusses password cracking techniques and applications used to crack passwords like John the Ripper, Rainbow Crack, and Cain & Abel.
2. INTRODUCTION
● JERMAINE ROBINSON, M.S. Information Systems
● CHIBUZO OBIOHA, M.S. Telecommunications Systems and Networks
● ARTI AMBOKAR, M.S. Information Systems
3. OVERVIEW
• ACCESS CONTROLS ARE USED IN ORDER TO PROTECT INFORMATION SYSTEMS AND DATA
• 3 TYPES OF ACCESS CONTROL METHODOLOGIES ARE:
  • SECURITY CLEARANCES (FEDERAL GOVERNMENT)
  • MULTIFACTOR AUTHENTICATION/BIOMETRICS
  • PASSWORDS
• PASSWORD CRACKING IS A METHOD OF GETTING PAST ACCESS CONTROLS
• DEMONSTRATION OF A JAVA PROGRAM TO CREATE PASSWORD REQUIREMENTS
4. WHAT IS A SECURITY CLEARANCE?
SPECIAL PERMISSION THAT IS GRANTED BY THE FEDERAL GOVERNMENT TO PERSONNEL THAT HAVE APPROVAL TO ACCESS NETWORKS, DATA, AND INFORMATION SYSTEMS
CLEARANCE LEVELS ARE CONFIDENTIAL, SECRET, AND TOP SECRET
NETWORKS, DATA, AND INFORMATION SYSTEMS ALSO RECEIVE CORRESPONDING DESIGNATIONS
APPLIES TO MILITARY, FEDERAL EMPLOYEES, AND FEDERAL CONTRACTORS
5. GETTING A CLEARANCE
CLEARANCES ARE GIVEN TO PERSONNEL ON A NEED-TO-HAVE BASIS
BIOMETRICS ARE USED AS A MEANS OF GAINING SPECIFIC INFORMATION ABOUT APPLICANTS, AND ALL DATA IS STORED FOR THE DURATION OF THE MILITARY CAREER
THE INVESTIGATION PROCESS MUST BE COMPLETED BEFORE A PERMANENT CLEARANCE IS GAINED; HOWEVER, TEMPORARY CLEARANCES CAN BE ISSUED
INVESTIGATIONS COST FROM $200 - $15,000
REINVESTIGATIONS ARE DONE PERIODICALLY AND CLEARANCES HAVE AN EXPIRATION DATE OF 5-15 YEARS
REVOCATION CAN OCCUR AT ANY TIME
6. SCREENING PROCESS
SECURITY CLEARANCE SCREENING VIDEO
● SECURITY CLEARANCE SCREENINGS ARE USUALLY CONDUCTED UPON ENTRANCE INTO THE MILITARY
● THE MOS/AFSC/RATING (JOB) THAT ONE IS ENTERING THE MILITARY TO DO, OR THE LOCATION OF THEIR PERMANENT DUTY STATION, DETERMINES THE CLEARANCE LEVEL THEY WILL BE CONSIDERED FOR
EXAMPLE: IF YOU ARE ENTERING THE MILITARY TO DO A NON-CLEARANCE JOB BUT ARE ASSIGNED TO A LOCATION WHERE A CERTAIN CLEARANCE LEVEL IS REQUIRED, YOU WILL HAVE TO RECEIVE THAT CLEARANCE BEFORE BEING SENT TO THAT DUTY STATION
● A FAIR CHANCE IS GIVEN TO DISCLOSE ALL BACKGROUND INFORMATION BEFORE IT IS DISCOVERED
● CRIMINAL, FINANCIAL, AND MENTAL HEALTH HISTORY ARE EXAMPLES OF INFORMATION THAT IS LOOKED INTO
7. DESIGNATIONS GIVEN
SECURITY DESIGNATIONS THAT ARE GIVEN TO NETWORKS, DATA, AND INFORMATION SYSTEMS ARE DONE SO WITH THE FOLLOWING GUIDELINES:
-CONFIDENTIAL: REASONABLY COULD BE EXPECTED TO CAUSE DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
-SECRET: REASONABLY COULD BE EXPECTED TO CAUSE SERIOUS DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
-TOP SECRET: REASONABLY COULD BE EXPECTED TO CAUSE EXCEPTIONALLY GRAVE DAMAGE TO THE NATIONAL SECURITY IF DISCLOSED
8. PROTECTING THE ASSETS
-EXAMPLE: IF AN OFFICE IS DEEMED “SECRET”, THE OFFICE CAN CONTAIN A VAULT OR SPECIAL OFFICE WITHIN IT WHERE “TOP SECRET” ASSETS ARE STORED, INCLUDING COMPUTERS
-ANYTHING FROM AN ENTIRE MILITARY BASE, TO A BUILDING, TO AN OFFICE, TO A COMPUTER, TO A FILE CAN BE GRANTED A SECURITY DESIGNATION
-ACCESS TO SECURE ASSETS CAN BE GRANTED ON A NEED-TO-ACCESS BASIS, NOT JUST ON THE BASIS OF HAVING A CLEARANCE LEVEL
9. WAR ZONES
-ANYTIME MILITARY OPERATIONS ARE BASED IN “ENEMY TERRITORY” THERE IS A LARGER RISK INVOLVED
-IT IS EASIER FOR TERRORISTS TO INFILTRATE NETWORKS BASED IN THEIR HOMELAND VERSUS DOING IT HERE IN AMERICA
-ACCESS TO AMERICAN INFORMATION SYSTEMS, DATA, AND NETWORKS IS AT AN EVEN HIGHER PROTECTION LEVEL
10. ALL ABOUT CLEARANCES
● SECURITY CLEARANCES ARE THE FEDERAL GOVERNMENT’S WAY OF CONTROLLING ACCESS TO INFORMATION SYSTEMS, NETWORKS, AND DATA
● THE PROGRAM PROVIDES A STANDARD THAT CAN BE USED ACROSS THE BOARD SO NATIONAL SECURITY CAN BE AT ITS HIGHEST
● BILLIONS OF DOLLARS ARE SPENT EVERY YEAR ON COMING UP WITH STRATEGIC NATIONAL SECURITY PLANS
● OUR NATION'S SECURITY DEPENDS ON PROTECTING ACCESS TO OUR INFORMATION SYSTEMS, DATA, AND NETWORKS
12. WHAT IS MULTIFACTOR AUTHENTICATION?
MULTIFACTOR AUTHENTICATION: A METHOD OF CONTROLLING COMPUTER ACCESS IN WHICH A USER IS GIVEN ACCESS ONLY AFTER PRESENTING SEVERAL SEPARATE PIECES OF EVIDENCE TO AUTHENTICATE THEMSELVES
TYPICALLY TWO OR THREE OF THE FOLLOWING TYPES:
● KNOWLEDGE (SOMETHING THAT IS KNOWN)
● POSSESSION (SOMETHING THAT IS PRESENT)
● INHERENCE (SOMETHING THAT THEY ARE)
13. TWO & THREE-FACTOR AUTHENTICATION
TWO-FACTOR AUTHENTICATION: REQUIRES A PASSWORD AND USERNAME IN ADDITION TO SOMETHING THAT IS ONLY KNOWN TO THE USER
EXAMPLE: A PIECE OF INFORMATION ONLY THE USER SHOULD KNOW (PHYSICAL TOKEN)
THREE-FACTOR AUTHENTICATION: IS NOTHING BUT SOMETHING A USER IS
EXAMPLE: ALL TYPES OF BIOMETRICS
[DIAGRAM: Multifactor Authentication → Two-factor Authentication (something which is only known to user) → Three-factor Authentication (something a user is)]
14. BIOMETRICS
- THE DEFINITION OF ‘BIO’ IS LIFE
- THE DEFINITION OF ‘METRICS’ IS MEASURE
- IN BIOMETRICS, TECHNOLOGY IS USED TO MEASURE SOMETHING THAT IS RELATED TO LIFE
EXAMPLE: PHYSICAL TRAITS THAT AN INDIVIDUAL POSSESSES
MAIN TYPES OF BIOMETRIC IDENTIFIERS:
● PHYSIOLOGICAL CHARACTERISTICS: FINGERPRINTS, DNA, FACE, HAND, RETINA OR EAR FEATURES, AND ODOR
● BEHAVIORAL CHARACTERISTICS: TYPING RHYTHM, GESTURES, VOICE, MONITORING KEYSTROKES
16. FINGERPRINT
● THERE ARE 3 BASIC PATTERNS OF FINGERPRINTS
● MINUTIAE: USED FOR THE MATCHING OF TWO HUMAN FINGERPRINTS
MINUTIAE REFERS TO SPECIFIC POINTS IN A FINGERPRINT THAT CONTAIN THE SMALL DETAILS WHICH ARE MOST IMPORTANT FOR FINGERPRINT RECOGNITION
17. THREE BASIC PATTERNS OF FINGERPRINT RIDGES
[IMAGES: ARCH, LOOP, WHORL]
ARCH: RIDGES ENTER FROM ONE SIDE OF THE FINGER, RISE IN THE CENTER FORMING AN ARC, AND THEN EXIT THE OTHER SIDE OF THE FINGER
LOOP: RIDGES ENTER FROM ONE SIDE OF A FINGER, FORM A CURVE, AND THEN EXIT ON THAT SAME SIDE
WHORL: RIDGES FORM CIRCULARLY AROUND A CENTRAL POINT ON THE FINGER
18. MINUTIAE
RIDGE ENDING: SPOT WHERE A RIDGE ENDS
BIFURCATION: SPOT WHERE A RIDGE SPLITS INTO TWO RIDGES
SHORT RIDGE (DOT): RIDGES WHICH ARE SIGNIFICANTLY SHORTER THAN OTHER RIDGES
FINGERPRINT RECOGNITION VIDEO
19. VOICE PRINTS
[DIAGRAM: SHAPE OF VOCAL CAVITIES + MOUTH MOVEMENTS WHILE SPEAKING → UNIQUE VOICE]
VOICEPRINT SYSTEM: EXACT WORDS ARE NEEDED FOR ACCESS, OR A SPECIFIC EXTENDED SAMPLE IS LOGGED IN THE SYSTEM SO ONLY YOUR VOICE CAN BE PICKED UP WHEN YOU SAY THE WORDS
VOICEPRINTS ARE STORED AS A SPECTROGRAM (GRAPH THAT SHOWS THE SOUND'S FREQUENCY ON THE VERTICAL AXIS AND TIME ON THE HORIZONTAL AXIS)
20. SIGNATURE DYNAMICS
DONE BY ANALYZING THE SHAPE, SPEED, STROKE, PEN PRESSURE AND TIMING INFORMATION DURING THE SIGNING PROCESS
SIGNATURE DYNAMICS VIDEO
21. RETINA SCANNING
● RETINA: LAYER AT THE BACK OF THE EYEBALL THAT CONTAINS CELLS THAT ARE SENSITIVE TO LIGHT AND TRIGGER NERVE IMPULSES THAT PASS THROUGH THE OPTIC NERVE TO THE BRAIN, AT WHICH POINT A VISUAL IMAGE IS CREATED
● THERE ARE UNIQUE PATTERNS IN A PERSON'S RETINAL BLOOD VESSELS
PROCESS:
1. RETINA SCAN
2. CAST A BEAM OF INFRARED LIGHT
3. TRACE THE RETINA
4. BLOOD VESSELS ABSORB THE LIGHT
5. IMAGE STORED TO DATABASE
22. IRIS SCANNING
IRIS: FLAT, COLORED, RING-SHAPED MEMBRANE BEHIND THE CORNEA OF THE EYE, WITH AN ADJUSTABLE CIRCULAR OPENING (PUPIL) IN THE CENTER
THE COLORED PATTERN OF THE IRIS IS GENETIC AND COMES FROM A PIGMENT CALLED MELANIN
MORE MELANIN: BROWNER; LESS MELANIN: BLUER
TWO PEOPLE CANNOT HAVE THE SAME PATTERNS
IRIS SCANNING VIDEO
23. FACE RECOGNITION
1. IDENTIFY OR VERIFY A PERSON
2. FROM A DIGITAL IMAGE OR A VIDEO FRAME FROM A VIDEO SOURCE
3. AN ALGORITHM IS USED TO MATCH THE FACE
24. SINGLE SIGN ON
● MULTIPLE SYSTEMS REQUIRE MULTIPLE SIGN-ON DIALOGUES
● CAN BE A HEADACHE TO ADMINISTRATORS AND USERS
● INCREASES SIGN-ON DIALOGUE (USER MUST REPEATEDLY LOG IN TO EVERY SYSTEM)
25. KERBEROS
KERBEROS: A COMPUTER NETWORK COMMUNICATION PROTOCOL THAT USES A ‘TICKET’ TO ALLOW NODES TO COMMUNICATE OVER A NETWORK THAT IS NOT SECURE, IN ORDER TO PROVE A USER'S IDENTITY IN A SECURE WAY
1. User logs in to gain access
2. Ticket generation is passed on to the key distribution center
3. Key distribution center sends a response to the user, who decrypts the TGT with the password hash
4. User response is now sent to the authentication service, in which a request for a ticket is made
5. Ticket granting service sends the reply by sending the ticket
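The ticket flow above, as an added toy simulation (not code from the deck or from any Kerberos implementation): the AS reply is sealed with a key derived from the user's password hash, the TGT inside it with a key only the KDC holds, and the service ticket with the service's own key, so a wrong password cannot open the reply and a tampered ticket is rejected. seal()/open_() are an assumed stand-in for Kerberos encryption (SHA-256 keystream plus HMAC), and the principal, keys and lifetimes are constructed sample values.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption standing in for Kerberos encryption types (assumption, not real Kerberos crypto).
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: dict) -> bytes:
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(password: str) -> bytes:
    # Long-term client key derived from the password hash (simplified stand-in for string2key).
    return hashlib.sha256(password.encode()).digest()

# KDC state: constructed sample principal, the TGS key and one service key. Only the KDC knows TGS_KEY.
KDC_USERS = {"alice": user_key("correct horse battery")}
TGS_KEY, SVC_KEY = os.urandom(32), os.urandom(32)

def as_exchange(principal: str) -> bytes:
    """AS-REP: session key + TGT, sealed under the user's long-term key; the TGT itself is sealed under TGS_KEY."""
    sk = os.urandom(32)
    tgt = seal(TGS_KEY, {"user": principal, "sk": sk.hex(), "exp": time.time() + 600})
    return seal(KDC_USERS[principal], {"sk": sk.hex(), "tgt": tgt.hex()})

def tgs_exchange(tgt: bytes, authenticator: bytes, service: str) -> bytes:
    """TGS-REP: open the TGT, check the authenticator under the session key, issue a service ticket."""
    t = open_(TGS_KEY, tgt)
    auth = open_(bytes.fromhex(t["sk"]), authenticator)
    if auth["user"] != t["user"] or t["exp"] < time.time():
        raise ValueError("authenticator does not match TGT, or TGT expired")
    return seal(SVC_KEY, {"user": t["user"], "svc": service})

def login(principal: str, password: str, service: str) -> str:
    """Client side: with a wrong password the AS-REP cannot be opened, so no TGT or service ticket is obtained."""
    rep = open_(user_key(password), as_exchange(principal))
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    ticket = tgs_exchange(tgt, seal(sk, {"user": principal, "ts": time.time()}), service)
    return open_(SVC_KEY, ticket)["user"]   # the service opens the ticket with its own key
```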
26. PASSWORDS
-WHAT IS A USERNAME AND PASSWORD
-PASSWORD STORAGE
-PASSWORD CRACKING
-METHODS FOR CRACKING PASSWORDS
-PASSWORD CRACKING APPLICATIONS
-PREVENTION
27. WHAT IS A USERNAME AND PASSWORD?
-USERNAMES ARE CREATED TO IDENTIFY YOURSELF AS A USER OF A COMPUTER DOMAIN OR SYSTEM
-PASSWORDS ARE SYSTEM DESIGNED AND ARE CREATED TO PROVIDE AUTHENTICATION
-PASSWORDS ARE INTENDED TO BE COMPLEX AND STRONG (PASSWORDS THAT ARE ALPHANUMERIC AND CONTAIN SPECIAL CHARACTERS)
-PASSWORDS SHOULD TAKE DAYS TO YEARS TO RECOVER THE PLAINTEXT FROM THE HASH
28. AUTHENTICATION
THE 3 DIFFERENT WAYS TO AUTHENTICATE USERS OF A SYSTEM:
1. USERS PRESENT A PHYSICAL OBJECT SUCH AS A KEY CARD
2. USERS PROVE IDENTITY USING A PERSONAL CHARACTERISTIC (BIOMETRICS)
3. USERS ANSWER A QUESTION ONLY THEY KNOW THE ANSWER TO
IN THE EVENT THAT YOUR PASSWORD BECOMES COMPROMISED, IT CAN BE EASILY CHANGED (I.E. A STRONG BENEFIT OF USING AUTHENTICATION THROUGH A PASSWORD)
29. PASSWORD STORAGE
WINDOWS PASSWORD FILE: THE WINDOWS SYSTEM FOR STORING PASSWORD FILES, WHICH IS SIMILAR TO THE WAY UNIX DOES ITS STORING. THE PASSWORD FILE FOR WINDOWS, KNOWN AS THE SECURITY ACCOUNT MANAGER (SAM) FILE, IS LOCATED IN: C:\WINDOWS\SYSTEM32\CONFIG\SAM
ONLINE PASSWORD STORAGE: MOST WEBSITES AND ONLINE SERVICES REQUIRE USERS TO LOG IN WITH A TYPICAL PASSWORD SCHEME, AND THE PASSWORD IS STORED ON THE WEBSITE
PASSWORD SALT: STORING THE HASHED OR ENCRYPTED VALUES FOR PASSWORDS. THIS METHOD IS MUCH MORE SECURE THAN STORING THE PLAIN TEXT IN A PASSWORD FILE
30. WHAT IS PASSWORD CRACKING?
PASSWORD CRACKING: THE PROCESS OF EITHER GUESSING OR RECOVERING A PASSWORD FROM A STORED LOCATION OR FROM A DATA TRANSMISSION SYSTEM
PURPOSE:
● TO RECOVER FORGOTTEN PASSWORDS, BUT ALSO WITH MALICIOUS INTENT
● USED TO GAIN UNAUTHORIZED ACCESS TO A COMPUTER SYSTEM
PASSWORD CRACKING INVOLVES TWO DISTINCT PHASES:
1. THE ATTACKER’S INTENTION IS TO DUMP THE HASHES OF THE PASSWORDS
2. THE ATTACKER THEN TRIES TO CRACK THOSE ACQUIRED HASHES
31. PASSWORD CRACKING METHODOLOGIES
1. PHISHING: THE EASIEST AND MOST POPULAR HACKING METHOD, USED BY HACKERS TO GET SOMEONE’S ACCOUNT DETAILS. EX: DISGUISING EMAIL REQUESTS AS ONES THAT CAME FROM A REAL WEBSITE
2. SOCIAL ENGINEERING: THE PROCESS OF MANIPULATING SOMEONE INTO TRUSTING YOU AND GETTING INFORMATION FROM THEM. EX: IF A HACKER WAS TRYING TO GET THE COMPUTER PASSWORD OF A CO-WORKER OR FRIEND, HE COULD CALL HIM PRETENDING TO BE FROM THE IT DEPARTMENT AND SIMPLY ASK FOR HIS LOGIN DETAILS
3. MALWARE: A KEY LOGGER OR SCREEN SCRAPER IS INSTALLED BY MALWARE. THE KEYLOGGER RECORDS EVERYTHING YOU TYPE AND THE SCREEN SCRAPER TAKES SCREENSHOTS DURING A LOGIN PROCESS, AND THEN FORWARDS A COPY OF THE FILES TO THE HACKER
4. OFFLINE CRACKING: GUESSING WITHIN THE RESTRICTION OF THREE OR FOUR WRONG GUESSES, AND LOGGING OUT OR WAITING THE ALLOTTED TIME PERIOD TO AVOID THE BLOCKS IN PLACE, DONE BY AN AUTOMATED GUESSING APPLICATION
5. GUESSING: MAKING INFORMED GUESSES BASED ON THE PREDICTABILITY OF THE USER
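The lockout described in item 4 only helps if the failures are actually counted. As an added example (not code from the deck), the detection logic below reads constructed sshd-style auth log lines and raises a lockout alert when one account fails repeatedly inside a sliding window, a spray alert when one source tries several accounts, and a separate alert when a locked account then logs in successfully. The log format, thresholds and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd/auth.log style (not from the deck); the year is assumed to be 2024.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1]: Failed password for alice from 203.0.113.5 port 5001 ssh2
Mar 10 09:00:05 host sshd[1]: Failed password for alice from 203.0.113.5 port 5002 ssh2
Mar 10 09:00:09 host sshd[1]: Failed password for alice from 203.0.113.5 port 5003 ssh2
Mar 10 09:00:12 host sshd[1]: Failed password for alice from 203.0.113.5 port 5004 ssh2
Mar 10 09:00:20 host sshd[1]: Accepted password for alice from 203.0.113.5 port 5005 ssh2
Mar 10 09:30:00 host sshd[1]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Mar 10 09:31:00 host sshd[1]: Failed password for carol from 198.51.100.7 port 6002 ssh2
Mar 10 09:32:00 host sshd[1]: Failed password for dave from 198.51.100.7 port 6003 ssh2
Mar 10 11:00:00 host sshd[1]: Failed password for bob from 192.0.2.9 port 7001 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+)")

def parse(log: str, year: int = 2024):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect(log: str, user_threshold: int = 4, spray_threshold: int = 3,
           window: timedelta = timedelta(minutes=10)) -> list:
    """('lockout', user, ip) after user_threshold failures for one account inside `window`; ('spray', ip, n)
    when one source fails against spray_threshold accounts; ('success-after-lockout', user, ip) afterwards."""
    fails_by_user, users_by_ip = defaultdict(deque), defaultdict(dict)
    locked, sprayed, alerts = set(), set(), []
    for ts, result, user, ip in parse(log):
        if result == "Accepted":
            if user in locked:
                alerts.append(("success-after-lockout", user, ip))
            continue
        q = fails_by_user[user]
        q.append(ts)
        while ts - q[0] > window:          # sliding window: forget failures older than `window`
            q.popleft()
        if len(q) >= user_threshold and user not in locked:
            locked.add(user)
            alerts.append(("lockout", user, ip))
        users_by_ip[ip][user] = ts
        active = [u for u, t in users_by_ip[ip].items() if ts - t <= window]
        if len(active) >= spray_threshold and ip not in sprayed:
            sprayed.add(ip)
            alerts.append(("spray", ip, len(active)))
    return alerts
```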
32. PASSWORD CRACKING METHODOLOGIES (CONT)
6. DICTIONARY ATTACK: A BIG WORD DICTIONARY IS LOADED INTO THE CRACKING TOOL TO TEST THESE WORDS AGAINST THE USER ACCOUNT PASSWORD
7. BRUTE FORCE ATTACK: ALL POSSIBLE KEY COMBINATIONS ARE TRIED AGAINST THE PASSWORD DATABASE UNTIL THE CORRECT KEY IS DISCOVERED. USUALLY TAKES A LONG TIME
8. RAINBOW TABLE ATTACK: A VERY LARGE LIST OF PRE-COMPUTED HASHES IS COMPARED WITH THE PASSWORD FILE TO DISCOVER ALL PASSWORDS
9. SHOULDER SURFING: HACKERS TAKE A DISGUISE, POSING AS A PARCEL COURIER, MAINTENANCE SERVICE TECHNICIAN OR ANYONE ELSE THAT CAN GAIN ACCESS TO AN OFFICE SPACE OR BUILDING
10. SPIDERING: SAVVY HACKERS HAVE REALIZED THAT MANY CORPORATE PASSWORDS ARE MADE OF WORDS THAT ARE CONNECTED TO THE BUSINESS ITSELF
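Why the salt from slide 29 matters against the dictionary and rainbow table attacks in items 6 and 8: a salt is a random per-user value stored beside the hash and mixed into the hashing, so the same password stored twice yields two different records and a table of pre-computed hashes built without that salt never matches. The added example below (not code from the deck) contrasts an unsalted SHA-256 record with a salted PBKDF2 record over a constructed five-word list; the record format, iteration count and wordlist are assumptions.

```python
import hashlib, hmac, os

# Constructed sample wordlist standing in for the "big word dictionary" the deck describes.
WORDLIST = ["password", "letmein", "welcome1", "Summer2015!", "company123"]

def store_unsalted(password: str) -> str:
    # Weak scheme: one SHA-256 of the password; identical passwords give identical, precomputable hashes.
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    # Hardened scheme: random per-user salt + slow PBKDF2-HMAC-SHA256; the record carries salt and rounds.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

def precomputed_table(words) -> dict:
    # The time-memory trade-off in miniature: hash the wordlist once, then every lookup is a dict hit.
    return {store_unsalted(w): w for w in words}

def lookup(table: dict, stored_hash: str):
    return table.get(stored_hash)   # None when the stored hash is not in the table

def demo() -> dict:
    table = precomputed_table(WORDLIST)
    weak = store_unsalted("welcome1")
    strong_a, strong_b = store_salted("welcome1"), store_salted("welcome1")
    return {
        "unsalted_found_in_table": lookup(table, weak),                   # 'welcome1'
        "salted_found_in_table": lookup(table, strong_a.split("$")[-1]),  # None: the table is useless
        "same_password_same_hash": strong_a == strong_b,                  # False: different salts
        "verify_ok": verify_salted("welcome1", strong_a),                 # True
        "verify_wrong": verify_salted("welcome2", strong_a),              # False
    }
```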
33. PASSWORD CRACKING APPLICATIONS
● JOHN THE RIPPER: OPEN SOURCE PASSWORD CRACKING TOOL FOR LINUX, UNIX AND MAC OS X. A WINDOWS VERSION IS ALSO AVAILABLE. USED TO DETECT WEAK PASSWORDS (FREE)
● RAINBOW CRACK: HASH CRACKER TOOL THAT USES A LARGE-SCALE TIME-MEMORY TRADE-OFF PROCESS FOR FASTER PASSWORD CRACKING THAN TRADITIONAL BRUTE FORCE TOOLS. A TIME-MEMORY TRADE-OFF IS A COMPUTATIONAL PROCESS IN WHICH ALL PLAINTEXT AND HASH PAIRS ARE CALCULATED BY USING A SELECTED HASH ALGORITHM. AFTER COMPUTATION, THE RESULTS ARE STORED IN THE RAINBOW TABLE (VERY TIME CONSUMING)
● CAIN & ABEL: PASSWORD CRACKING TOOL THAT IS CAPABLE OF HANDLING A VARIETY OF TASKS. WORKS AS A SNIFFER IN THE NETWORK, CRACKING ENCRYPTED PASSWORDS USING THE DICTIONARY ATTACK, RECORDING VOIP CONVERSATIONS, BRUTE FORCE ATTACKS, CRYPTANALYSIS ATTACKS, REVEALING PASSWORD BOXES, UNCOVERING CACHED PASSWORDS, DECODING SCRAMBLED PASSWORDS, AND ANALYZING ROUTING PROTOCOLS (ONLY FOR WINDOWS)
● BRUTUS: REMOTE ONLINE PASSWORD CRACKING TOOL THAT CLAIMS TO BE THE FASTEST AND MOST FLEXIBLE PASSWORD CRACKING TOOL. THE TOOL IS FREE, ONLY FOR WINDOWS SYSTEMS, AND WAS RELEASED IN OCTOBER 2000 (VERY POPULAR)
34. WEBSITES THAT CRACK
THERE ARE MANY WEBSITES THAT HACKERS USE TO DO QUICK HACKING, WHERE SIMPLE INFORMATION LIKE A URL IS SUPPOSED TO LEAD TO PASSWORDS BEING CRACKED. THESE SITES HAVE VARYING DEGREES OF SUCCESS:
FACEBOOK CRACKED VIDEO
35. 4 WAYS OF PREVENTION
1. USE A PASSPHRASE
2. CHANGE PASSWORDS REGULARLY (ABOUT EVERY 3 MONTHS)
3. DO NOT USE THE SAME PASSWORD ON MULTIPLE DIFFERENT SITES
4. AVOID DICTIONARY WORDS AND NAMES
36. CONCLUSION
ACCESS CONTROL IS VITAL TO THE PROTECTION OF ASSETS, DATA, AND INFORMATION TECHNOLOGY
SECURITY CLEARANCES, PASSWORDS, MULTIFACTOR AUTHENTICATION, AND BIOMETRICS ARE ALL METHODOLOGIES THAT ARE USED TO CONTROL ACCESS
IT’S IMPORTANT TO REMEMBER THAT HACKERS ARE ALWAYS TRYING TO GET IN
REGULATING ACCESS DOES NOT ALWAYS ELIMINATE THE PROBLEM, BUT IT HELPS