8/9/2019 Secure Authentication and Access Control Systems
Secure Authentication and Access Control Systems
Authentication:
1. Introduction:
Authentication (from Greek authentikos, "real, genuine", from authentes, "author") is the act of confirming the truth of an attribute of a single piece of data (datum) or entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, verifying the validity of a website with a digital certificate, tracing the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication often involves verifying the validity of at least one form of identification.
Types of Authentication:
The first type of authentication is accepting proof of identity given by a credible person who has first-hand evidence that the identity is genuine. When authentication is required of art or physical objects, this proof could be a friend, family member or colleague attesting to the item's provenance, perhaps by having witnessed the item in its creator's possession. With autographed sports memorabilia, this could involve someone attesting that they witnessed the object being signed. A vendor selling branded items implies authenticity, while he or she may not have evidence that every step in the supply chain was authenticated. This hear-say authentication has no use case example in the context of computer security.
The second type of authentication is comparing the attributes of the object itself to what is known about objects of that origin. For example, an art expert might look for similarities in the style of painting, check the location and form of a signature, or compare the object to an old photograph. An archaeologist might use carbon dating to verify the age of an artifact, do a chemical analysis of the materials used, or compare the style of construction or decoration to other artifacts of similar origin. The physics of sound and light, and comparison with a known physical environment, can be used to examine the authenticity of audio recordings, photographs, or videos. Documents can be verified as being created on ink or paper readily available at the time of the item's implied creation.
The third type of authentication relies on documentation or other external affirmations. In criminal courts, the rules of evidence often require establishing the chain of custody of evidence presented.
2. Factors and identity:
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.
Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified.[2] The three factors (classes) and some elements of each factor are:
• the knowledge factors: Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN)
Product authentication:
Counterfeit products are often offered to consumers as being authentic. Counterfeit consumer goods such as electronics, music, apparel, and counterfeit medications have been sold as being legitimate. Efforts to control the supply chain and educate consumers help ensure that authentic products are sold and used. Even security printing on packages, labels, and nameplates, however, is subject to counterfeiting.
A secure key storage device can be used for authentication in consumer electronics, network authentication, license management, supply chain management, etc. Generally the device to be authenticated needs some sort of
Information content:
The authentication of information can pose special problems with electronic communication, such as vulnerability to man-in-the-middle attacks, whereby a third party taps into the communication stream, and poses as each of the two other communicating parties, in order to intercept information from each. Extra identity factors can be required to authenticate each party's identity.
Literary forgery can involve imitating the style of a famous author. If an original manuscript, typewritten text, or recording is available, then the medium itself (or its packaging – anything from a box to e-mail headers) can help prove or disprove the authenticity of the document. However, text, audio, and video can be copied into new media, possibly leaving only the informational content itself to use in authentication.
Various systems have been invented to allow authors to provide a means for readers to reliably authenticate that a given message originated from or was relayed by them. These involve authentication factors like:
• A difficult-to-reproduce physical artifact, such as a seal, signature, watermark, special stationery, or fingerprint.
• A shared secret, such as a passphrase, in the content of the message.
• An electronic signature; public-key infrastructure is often used to cryptographically guarantee that a message has been signed by the holder of a particular private key.
Factual verification:
Determining the truth or factual accuracy of information in a message is generally considered a separate problem from authentication. A wide range of techniques, from detective work, to fact checking in journalism, to scientific experiment might be employed.
Video authentication:
It is sometimes necessary to authenticate the veracity of video recordings used as evidence in judicial proceedings. Proper chain-of-custody records and secure storage facilities can help ensure the admissibility of digital or analog recordings by the Court.
Authorization:
The process of authorization is distinct from that of authentication. Whereas authentication is the process of verifying that you are who you say you are, authorization is the process of verifying that you are permitted to do what you are trying to do. Authorization thus presupposes authentication.
For example, a client showing proper identification credentials to a bank teller is asking to be authenticated that he really is the one whose identification he is showing. A client whose authentication request is approved becomes authorized to access the accounts of that account holder, but no others.
Access control:
One familiar use of authentication and authorization is access control. A computer system that is supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some degree of confidence the identity of the user, granting privileges established for that identity.
Common examples of access control involving authentication include:
• Asking for photo ID when a contractor first arrives at a house to perform work.
• Using captcha as a means of asserting that a user is a human being and not a computer program.
• By using a One Time Password (OTP), received on a tele-network enabled device like a mobile phone, as an authentication password/PIN
...Bob does not. Alice either gives Bob her credential, or Bob takes it; he now has access to the server room. To prevent this, two-factor authentication can be used. In a two-factor transaction, the presented credential and a second factor are needed for access to be granted; another factor can be a PIN
1.2 Credential:
A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being, that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something a person knows (such as a number or PIN
...Biometric technologies include fingerprint, facial recognition, iris recognition, retinal scan, voice, and hand geometry.[4] The built-in biometric technologies found on newer smartphones can also be used as credentials in conjunction with access software running on mobile devices.[5] In addition to older, more traditional card access technologies, newer technologies such as
...control door can contain several elements. At its most basic, there is a stand-alone electric lock. The lock is unlocked by an operator with a switch. To automate this, operator intervention is replaced by a reader. The reader could be a keypad where a code is entered, it could be a card reader, or it could be a biometric reader. Readers do not usually make an access decision, but send a card number to an access control panel that verifies the number against an access list. To monitor the door position a magnetic door switch can be used. In concept, the door switch is not unlike those on refrigerators or car doors. Generally only entry is controlled, and exit is uncontrolled. In cases where exit is also controlled, a second reader is used on the opposite side of the door. In cases where exit is not controlled (free exit), a device called a request-to-exit (REX) is used. Request-to-exit devices can be a push-button or a motion detector. When the button is pushed, or the motion detector detects motion at the door, the door alarm is temporarily ignored while the door is opened. Exiting a door without having to electrically unlock the door is called mechanical free egress. This is an important safety feature. In cases where the lock must be electrically unlocked on exit, the request-to-exit device also unlocks the door.
Access control topology:
Figure: Typical access control door wiring
Figure: Access control door wiring when using intelligent readers
Access control decisions are made by comparing the credential to an access control list. This look-up can be done by a host or server, by an access control panel, or by a reader. The development of access control systems has seen a steady push of the look-up out from a central host to the edge of the system, or the reader. The predominant topology circa 2009 is hub and spoke with a control panel as the hub, and the readers as the spokes. The look-up and control functions are by the control panel. The spokes communicate through a serial connection, usually RS-485. Some manufacturers are pushing the decision making to the edge by placing a controller at the door. The controllers are IP enabled, and connect to a host and database using standard networks.
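As an added example (not code from the page or from any panel vendor), here is a minimal Python model of the panel-as-hub decision described above: the reader forwards only a card number and PIN, and the panel performs identification against its access list, second-factor verification, and then the per-door authorization check. Card numbers, names and PINs are constructed sample values; the PBKDF2 work factor is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple
PBKDF2_ROUNDS = 100_000  # assumption: work factor for hashing the stored PIN

def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

@dataclass(frozen=True)
class Holder:
    name: str
    doors: FrozenSet[str]  # doors this identity is authorized to open
    pin_salt: bytes
    pin_hash: bytes  # second factor kept salted and hashed, never in clear

class AccessPanel:
    """Hub of the hub-and-spoke topology: readers only forward what was
    presented; every access decision is made here against the access list."""

    def __init__(self) -> None:
        self.access_list: Dict[str, Holder] = {}  # card number -> holder
        self.events: List[Tuple[str, str, str]] = []  # (door, card, outcome) audit trail

    def enroll(self, card: str, name: str, doors: Iterable[str], pin: str) -> None:
        salt = os.urandom(16)
        self.access_list[card] = Holder(name, frozenset(doors), salt, _hash_pin(pin, salt))

    def decide(self, door: str, card: str, pin: Optional[str]) -> bool:
        holder = self.access_list.get(card)
        if holder is None:  # identification: card number is not on the access list
            self.events.append((door, card, "unknown card"))
            return False
        # Second factor: a badge can be handed over or taken (Alice's card in
        # Bob's hand), so the PIN must be presented as well and must match.
        if pin is None or not hmac.compare_digest(_hash_pin(pin, holder.pin_salt), holder.pin_hash):
            self.events.append((door, card, "second factor failed"))
            return False
        if door not in holder.doors:  # authorization: the identity still needs rights to this door
            self.events.append((door, card, f"{holder.name} not permitted at {door}"))
            return False
        self.events.append((door, card, f"{holder.name} granted"))
        return True

def demo_panel() -> AccessPanel:
    """Constructed scenario: Alice's card 1001 opens the server room; Bob has no card."""
    panel = AccessPanel()
    panel.enroll(card="1001", name="Alice", doors={"server-room"}, pin="4321")
    return panel
```

The events list is the audit trail a panel would forward to the host; a run of "second factor failed" entries for one card is the signal that a badge is being used without its holder.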
Types of readers:
Access control readers may be classified by the functions they are able to perform:
• Basic (non-intelligent) readers: simply read card number or PIN
...popular type of access control readers. Examples of such readers are RF Tiny by RFLOGICS, ProxPoint by HID, and P300 by Farpointe Data.
• Semi-intelligent readers: have all inputs and outputs necessary to control door hardware (lock, door contact, exit button), but do not make any access decisions. When a user presents a card or enters a PIN
Figure: Access control system using serial controllers
1. Serial controllers. Controllers are connected to a host PC via a serial RS-485 communication line (or via 20 mA current loop in some older systems). External RS-232/485 converters or internal RS-485 cards have to be installed, as standard PCs do not have RS-485 communication ports.
Advantages:
• The RS-485 standard allows long cable runs, up to 4000 feet (1200 m).
• Relatively short response time. The maximum number of devices on an RS-485 line is limited to 32, which means that the host can frequently request status updates from each device, and display events almost in real time.
• High reliability and security, as the communication line is not shared with any other systems.
Disadvantages:
• RS-485 does not allow star-type wiring unless splitters are used.
• RS-485 is not well suited for transferring large amounts of data (i.e. configuration and users). The highest possible throughput is 115.2 kbit/sec, but in most systems it is downgraded to 56.2 kbit/sec, or less, to increase reliability.
• RS-485 does not allow the host PC to communicate with several controllers connected to the same port simultaneously. Therefore in large systems, transfers of configuration and users to controllers may take a very long time, interfering with normal operations.
• Controllers cannot initiate communication in case of an alarm. The host PC acts as a master on the
Figure: Access control system using IP controllers
IP controllers. Controllers are connected to a host PC via Ethernet LAN or WAN
...based on certain permissions.
Role-Based Access Control (RBAC):
RBAC allows access based on the job title. For example, a human resources specialist should not have permissions to create network accounts; this should be a role reserved for network administrators.
Rule-Based Access Control:
An example of this would be only allowing students to use the labs during a certain time of the day.
Organization-Based Access Control (OrBAC):
The OrBAC model allows the policy designer to define a security policy independently of the implementation.
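As an added example, not taken from the page's source, here is how the role-based and rule-based models just described combine in code: RBAC decides by job title (the HR specialist versus the network administrator above), and a rule-based layer then restricts lab use to a time-of-day window. The roles, actions and the 08:00 to 18:00 window are constructed values.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Tuple

# Constructed policy (assumption): a job title maps to the actions it may perform.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "hr_specialist": frozenset({"read_employee_record", "update_employee_record"}),
    "network_admin": frozenset({"create_network_account", "read_employee_record"}),
    "student": frozenset({"use_lab"}),
}

# Rule-based constraints layered on top: (action, open_from, open_until).
# Only actions listed here are time-restricted; lab use is the page's example.
TIME_WINDOWS: List[Tuple[str, time, time]] = [("use_lab", time(8, 0), time(18, 0))]

@dataclass(frozen=True)
class Request:
    subject: str
    roles: Tuple[str, ...]
    action: str
    at: time  # wall-clock time of the request, checked by the rule-based layer

def role_allows(req: Request) -> bool:
    """RBAC: the action must be granted to at least one of the subject's roles."""
    return any(req.action in ROLE_PERMISSIONS.get(r, frozenset()) for r in req.roles)

def rules_allow(req: Request) -> bool:
    """Rule-based: every time window naming the action must contain the request time."""
    return all(start <= req.at < end
               for action, start, end in TIME_WINDOWS if action == req.action)

def decide(req: Request) -> Tuple[bool, str]:
    """Deny by default: both layers must agree before access is granted."""
    if not role_allows(req):
        return False, f"{req.subject}: no role grants '{req.action}'"
    if not rules_allow(req):
        return False, f"{req.subject}: '{req.action}' outside its permitted time window"
    return True, f"{req.subject}: '{req.action}' allowed"
```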
References
[1] RFC 4949
[2] Federal Financial Institutions Examination Council (2008). Authentication in an Internet Banking Environment. Retrieved 2009-12-31.
[3] MicroStrategy's office of the future includes mobile identity and cybersecurity. Washington Post. 2014-04-14. Retrieved 2014-03-30.
[4] Biometric access control technology overview
[5] iPhone 5S: A Biometrics Turning Point?. BankInfoSecurity.com. 2013-09-16. Retrieved 2014-03-30.
[6]
• Government Open Source Access Control –