Authentication is any process by which a system determines whether someone or something that wants to access it is in fact who or what it is declared to be. Authentication is most commonly implemented through logon passwords and user IDs. Access control, on the other hand, refers to security features that control who can interact with a resource. This is mostly done by persons in authority. Applications call access control functions to set who can access specific resources or to control access to resources provided by the application. Examples of access-controlled resources are a building or a group of buildings, computer-based information systems, or even a restroom (Nielsen, 1993).
In computer security, Discretionary Access Control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria in which a user has complete control over all programs it owns and executes, based on the identity of subjects and/or the groups to which they belong. The user also determines the permissions other users have to those files and programs. It is best used where risk factors are high (Nielsen, 1993). If one has few employees, it can be used too, as it will not take up as much time as it would with many employees.
Role-based access control (RBAC) is an approach to restricting system access to authorized users based on the roles of individual users within the enterprise. In this context, access is the ability of an individual user to perform a task, such as viewing, creating, or modifying a file (Abrams & Podell, 1987). RBAC is best used in an enterprise with more than 500 employees. It enables users to carry out a wide range of authorized tasks by dynamically regulating their actions according to flexible functions, relationships, and constraints. It is very useful when it comes to creating roles, changing them, and discontinuing them as the needs of the enterprise evolve, without having to individually update the privileges for every user (Nielsen, 1993).
There are several authentication alternatives, all with their pros and cons. One of them is cryptography.
Cryptography is a tool for protecting information in computer systems. It is the practice and study of techniques for secure communication in the presence of third parties. In general, it constructs and analyzes protocols that resist the influence of adversaries and that relate to various aspects of information security such as data confidentiality, data integrity, authentication and non-repudiation. There is public-key cryptography and secret-key cryptography (Nielsen, 1993).
The advantages of public-key cryptography are a high level of security and convenience. It is secure because the private keys are neither transmitted nor revealed. It also provides a method for digital signatures. It is best for a multi-user environment. Public-key cryptography has a speed disadvantage, as it is not as fast as secret-key cryptography. There is also a danger of impersonation, where an adversary binds a key of the adversary’s choice to the name of another user (Abrams & Podell, 1987).
When an environment allows secret keys to be handled securely, public-key cryptography is not necessary and secret-key cryptography can be used instead. The same holds where there is only one authority that knows and manages all the keys. Secret-key cryptography is also good for a single-user environment.
Zero-knowledge password proof (ZKPP) is another authentication method. One party (the prover) interacts with another (the verifier) and proves to the verifier that it knows the value of a password, without revealing anything other than the fact that it knows that password. The hosts involved in this form of authentication usually communicate several times to finalize authentication.
The main disadvantage of this type of authentication is that while Host A thinks it is proving its identity to Host B, it is possible for Host B to simultaneously authenticate to a third party, Host C, using Host A’s credentials (Lobel, 1986).
The Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the internet. After a TCP connection is established, the client sends a client hello message, to which the server responds with a server hello message. The hello messages establish connection attributes, which include the protocol version, a session identifier, the cipher suite used, and the compression method, in addition to random values for both the server and the client. It is very useful, as customers will trust your website. It also avoids disputes due to credit card fraud (Lobel, 1986). The main disadvantages are that it needs regular renewal and that it is very complex to install.
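The following is an added example, not taken from the essay's sources, that parses the attributes a client hello carries: protocol version, random value, session identifier, offered cipher suites and compression methods. The sample message is constructed in the code, and the parser rejects input whose length fields run past the data; the server hello then selects one cipher suite and one compression method from what the client offered.

```python
import struct

def build_client_hello(version, random, session_id, suites, compressions):
    """Assemble a ClientHello inside a handshake record (constructed input)."""
    body = struct.pack("!H", version) + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compressions)]) + bytes(compressions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

class Reader:
    """Cursor over bytes that refuses to read past the end of its buffer."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated or inconsistent length field")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

def parse_client_hello(record):
    """Return the connection attributes a ClientHello proposes."""
    r = Reader(record)
    if r.uint(1) != 0x16:                  # record type 22 = handshake
        raise ValueError("not a handshake record")
    r.take(2)                              # record-layer version, not used here
    r = Reader(r.take(r.uint(2)))          # stay inside the record payload
    if r.uint(1) != 0x01:                  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    r = Reader(r.take(r.uint(3)))          # stay inside the hello body
    hello = {"version": r.uint(2), "random": r.take(32)}
    hello["session_id"] = r.take(r.uint(1))
    suites = r.take(r.uint(2))
    if len(suites) % 2:
        raise ValueError("odd cipher-suite list length")
    hello["cipher_suites"] = [int.from_bytes(suites[i:i + 2], "big")
                              for i in range(0, len(suites), 2)]
    hello["compression_methods"] = list(r.take(r.uint(1)))
    return hello

# Constructed sample: SSL 3.0, no session to resume, three RSA suites, null compression.
SAMPLE = build_client_hello(0x0300, bytes(range(32)), b"",
                            [0x002F, 0x0035, 0x000A], [0])
```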
There are several types of attacks. One of them is the password-based attack. Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user. When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker can also create accounts for subsequent access at a later time. Other types include eavesdropping, application-layer attacks, denial-of-service attacks, data modification, man-in-the-middle attacks, identity spoofing (IP address spoofing), compromised-key attacks, password-based attacks and sniffer attacks (Lobel, 1986).
Unscrupulous activity shows up in very many forms. Some of the ways you can spot it are through viruses and other malware, spam in email inboxes, and spyware and adware programs. Spyware and adware programs monitor and report on computer activity. Spyware only becomes a security risk when keystrokes and passwords are monitored. A forecast of normal activities is used to detect a large deviation of the observed activities from the forecast as a possible intrusion into computer systems. A chi-square distance metric is used to measure the deviation of the observed activities from the forecast of normal activities. The two forecasting methods are tested on computer audit data of normal and intrusive activities for intrusion detection. The results indicate that the chi-square distance measure with the EWMA forecasting provides better performance in intrusion detection than that with the average-based forecasting method. Detection of normal activity from (Lobel, 1986). One way of forecasting normal activity is to use the average of long-term normal activity as the forecast. The other way is to use the Exponentially Weighted Moving Average (EWMA) one-step-ahead forecast. Intrusion detection measures for authorized and unauthorized users include The IDES Prototype, The Intrusion-Detection Measures, Preliminary Results and The IDES Design.
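The two forecasts and the chi-square distance described above can be worked through as follows; this is an added example, not code from the cited sources. The audit-event counts, the smoothing constant of 0.3 and the alarm threshold (mean plus three standard deviations of the distances seen on normal data) are all assumptions made for the illustration.

```python
"""Added illustration: chi-square distance of observed audit-event counts
from a forecast of normal activity, with two forecasting methods."""
from statistics import mean, pstdev

# Constructed per-window counts: (login, file_read, file_write, priv_exec).
NORMAL = [(5, 40, 10, 1), (6, 42, 11, 1), (4, 38, 9, 2), (5, 41, 10, 1),
          (7, 45, 12, 1), (8, 48, 13, 2), (9, 52, 14, 2), (10, 55, 15, 2)]
OBSERVED = [(10, 56, 15, 2), (11, 58, 16, 2),   # normal upward drift continues
            (12, 20, 60, 25)]                   # burst of writes and privileged execs

def chi_square(observed, forecast):
    """X^2 = sum_i (X_i - E_i)^2 / E_i over the event types."""
    return sum((x - e) ** 2 / e for x, e in zip(observed, forecast))

def average_forecast(history):
    """Forecast each count as its long-term average over all past windows."""
    return tuple(sum(col) / len(history) for col in zip(*history))

def ewma_forecast(history, lam=0.3):
    """One-step-ahead EWMA: E(t) = lam * X(t-1) + (1 - lam) * E(t-1)."""
    forecast = tuple(float(x) for x in history[0])
    for window in history[1:]:
        forecast = tuple(lam * x + (1 - lam) * e for x, e in zip(window, forecast))
    return forecast

def detect(forecaster, normal=NORMAL, observed=OBSERVED, k=3.0):
    """Return [(distance, alarm)] for each observed window.

    The threshold is mean + k * stdev of the distances obtained while
    replaying the normal windows (an assumed rule for this example).
    """
    train = [chi_square(normal[i], forecaster(normal[:i]))
             for i in range(1, len(normal))]
    threshold = mean(train) + k * pstdev(train)
    history, results = list(normal), []
    for window in observed:
        distance = chi_square(window, forecaster(history))
        alarm = distance > threshold
        results.append((distance, alarm))
        if not alarm:               # keep intrusive windows out of the baseline
            history.append(window)
    return results

if __name__ == "__main__":
    for name, f in (("average", average_forecast), ("EWMA", ewma_forecast)):
        print(name, [(round(d, 2), a) for d, a in detect(f)])
```

On this constructed data both forecasts raise an alarm only on the third window, and the EWMA forecast sits closer to the drifting normal windows than the long-term average does.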
There are several types of firewalls. One is the packet filtering firewall. It has five functions. First, it performs Network Address Translation (NAT). Second, it forwards the packet(s) on to the intended destination. Third, it logs accepted and/or denied packet information. Fourth, it rejects packet(s) and notifies the sender (ICMP destunreach/admin prohibited). Finally, it drops the packet(s) without notifying the sender. Firewall hardware or software is a type of firewall consisting of a Unix- or Windows-based host with a single network interface, running a firewall software package that filters the incoming and outgoing traffic on that interface. It can also be a dedicated hardware/software application such as the Cisco PIX Firewall, which filters traffic passing through multiple network interfaces (Nielsen, 1993).
Another basic firewall is the Application Gateway (Proxy Server). Normally, proxy servers sit between the client and the actual service. Instead of talking directly to each other, both client and server talk to the proxy. It operates at the application protocol level (Telnet, FTP, HTTP). Application gateways ‘understand’ the protocol and can be configured to allow or deny specific protocol operations. A last basic type of firewall is IPChains/IPFilter/Cisco router ACLs. They are very popular and free.
Demilitarized zone (DMZ) infrastructures are common for secure hosting and other connections between the enterprise and the Internet. A DMZ prevents outside users from getting direct access to a server that has company data. In other words, “demilitarised zone” or DMZ refers to this isolated zone that hosts the applications made available to the public. It adds an extra layer of security to an organization’s Local Area Network (LAN). To set up a DMZ, you need to decide what services will run on each machine. Since the DMZ is on a different network, you will need to use a separate machine to host the services you want to make public. Set it up correctly, since all requests go through the firewall (Nielsen, 1993).
Symmetric encryption allows two people to send text-based messages to each other. It uses a secret key, which can be any set of characters. For it to work, the two people have to know the secret key, or password. This might be as simple as shifting each letter by a number of places in the alphabet. Its weaknesses lie in having to exchange the secret keys and the base configuration pattern over a public network, where they can be obtained by the wrong people, who can then decipher the messages.
The problem with secret keys is exchanging them over the internet or a large network while preventing them from falling into the wrong hands. Asymmetric encryption uses two different keys, or a key pair, to combat the problem of the secret key becoming not-so-secret. Anyone who knows the secret key can decrypt the message. Therefore a public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. You can decrypt all the messages sent to you with this private key. In the same way, you encrypt all your outgoing messages with your private key, and someone who has the corresponding public key must decrypt them.
There are issues with maintaining and distributing encryption keys. These include tracking what data was encrypted with which key, and where the key is stored. It is also difficult to ensure that the keys will still be available many years later, when access to archived data is needed. One also questions whether authorized staff will be able to access the keys in a disaster, when servers must be rebuilt from encrypted backups without the original backup software or tape drive that did the encryption. There is also the issue of storage: whether the encryption keys will be stored in a hardware device, on each client that needs the information, or on a central server that requires authentication to release the key.
In computer security, a digital certificate is used for identification. Digital certificates are used to verify that individuals are associated with a particular server. This allows coworkers and business partners to communicate securely using public communication protocols. Encryption techniques using public and private keys require a public-key infrastructure (PKI) to support the distribution and identification of public keys. A digital certificate is also used for authentication, where digital certificates are used to guarantee that signed code is safe to run and that it comes from a trusted software vendor. A list of trusted software publishers can be edited in your Web browser’s settings. Finally, it is used for security. Digital certificates are used to validate HTTPS-based websites and assure the user that all communication, especially e-commerce related information, is secure and is coming from the website in question. Digital certificates are a guarantee that the website is unique and that the relationship between the generator of the website content, the website operator and the purchaser of the certificate is genuine. Generally, in order to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued, it uses encryption techniques. Without the certificates, the valid key pair can be used without authorization.
A Certificate Authority plays various roles. The first is maintaining the Certificate Revocation List (CRL). The certificates on it should not be depended on by anyone, as they have been revoked and are not valid anymore. It also plays the very important job of verifying identity. The CA must validate the ID of the entity who requested a digital certificate before issuing it. Once that is over, the certification authority gives out the digital certificate to the entity who requested it, in a process called issuing of digital certificates.
Other than using a Certificate Authority to distribute keys, one can also use Secure Sockets Layer (SSL). Secure Sockets Layer is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. SSL uses a program layer located between the Internet’s Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. To be able to create an SSL connection, a web server requires an SSL Certificate. When you choose to activate SSL on your web server, you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys: a Private Key and a Public Key. The Public Key is placed into a Certificate Signing Request (CSR) as it does not need to be secret and . You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer’s web browser.
The complexities of the SSL protocol remain invisible to your customers. Instead, their browsers provide them with a key indicator to let them know they are currently protected by an SSL encrypted session: the lock icon in the lower right-hand corner. Clicking on the lock icon displays your SSL Certificate and the details about it. All SSL Certificates are issued to either companies or legally accountable individuals. Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site, it will retrieve the site’s SSL Certificate and check that it has not expired, that it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails any one of these checks, the browser will display a warning to the end user letting them know that the site is not secured by SSL (Nielsen, 1993).
References
Nielsen, J., “Usability Engineering”, AP Professional, 1993. Retrieved from http://www.cert.org
Brinkley, D. L., & Schell, R. R. (2004). Concepts and Terminology for Computer Security. Retrieved from http://www.acsa-admin.org/secshelf/book001/02.pdf
Abrams, M. D., and Podell, H. J. 1987. Tutorial: Computer and Network Security. IEEE Computer Society Order No. DX756. Los Angeles: IEEE
Lobel, J. 1986. Foiling the System Breakers: Computer Security and Access Control. New York: McGraw-Hill.
http://www.omnisecu.com/security/public-key-infrastructure/what-is-a-certificate-authority-ca.htm
http://adminguide.stanford.edu/64.pdf
