Term Paper on Computer Security
The Need of Security
The Internet plays a particular role, as it has proved to be a valuable
business tool and a way to sustain a visible business presence with
customers, partners, and suppliers. In 1999, 75 % of all enterprises were
Internet-isolated. By 2004, 80 percent of enterprises will be using the Internet
as an integral part of their business processes. The following statistics are
representative of the Internet's influence on American economic and social
life. While computer networks revolutionize the way business is done, the risks
they introduce can be fatal. Attacks can lead to lost money, time, products,
reputation and sensitive information. Security concerns grew particularly as the
Internet was hyped up. Much of the press publicized break-in attempts on various
Internet sites (Yahoo, eBay, CNN.com and buy.com were subjected to Denial of
Service attacks at the beginning of 2000, preventing thousands of visitors from
accessing the sites and placing purchase orders).
Authentication:
Authentication is the most essential of all the security services because
reliable authentication is needed to implement access control, to determine who
is authorized to receive, create or modify information, to implement
accountability, and to achieve non-repudiation. Authentication is tightly
coupled with authorization: once the system trusts a user, the access rights
associated with that user (read only, create, delete, and modify) are unlocked.
The system then grants access to information assets.
In the virtual world, identity can be characterized by one or more distinctive
attributes that can be:
• First name and last name, for example to access an on-line bank account
• A name, an address and the validity of a credit card number, to order a
product online
• A gender, to become a member of a virtual community
• A PIN or password
The selection of the identity attributes on which identification and
authentication will be based is the starting point of the process. It depends
essentially on the level of security that we want to have.
The system must then validate the identification in a two-step process:
• Validate the existence of identification - who is he?
• Verify the authenticity of the identity claimed by an entity who wants to
connect – is he really the one that he pretends to be?
Authentication Methods
In general, methods of authentication fall into three categories:
• Something the user knows (passwords, PINs)
• Something the user has (i.e. tokens: ID cards, smart cards)
• Something the user is (i.e. Biometrics: voiceprint identification, retinal
scanners, fingerprint readers)
Each method will be explained and illustrated, together with its limitations
and risks, what can be done to moderate those risks, its advantages, and the
environment to which it is best adapted.
Authentication Systems Based On Something You Know
It can be a password, an identification name or an identification number or
private information of any kind (like the mother’s maiden name). It can also be
a combination of several secrets. Passwords and PINs are the most common method
of authentication.
Limitations and risks
Passwords do have some weaknesses.
• They are vulnerable to guessing attacks, because users often choose passwords
based on easily obtained personal information to make them easy to remember.
• When they choose hard to guess passwords, they often write them down and store
them with their PC.
• Passwords generate high help desk costs for password resets. The total cost of
managing passwords is estimated at between $150 and $300 a year per user
(Forrester – Gartner Group research). The more changes and resets, the higher
the cost.
Moderators
Some factors decrease password vulnerabilities:
• The adoption of an enforceable password policy, which defines password length
and composition.
• Periodic renewal of passwords.
• Regularly informing users about the risks related to password use makes
them less vulnerable to social engineering attacks.
• Securing the PC so that hacking tools cannot be installed.
• Password synchronization between all applications within the same
organization.
Advantages
• Passwords are familiar to users.
• Passwords do not require reader devices on PCs.
• Passwords are portable between devices.
• Passwords are easy to implement.
• Users can usually choose what their password will be, so they feel in control
of the situation.
Adapted Use
• Passwords are best adapted to closed environments and local networks.
• They are convenient online but must be restricted to low-level security sites.
There are several variants of the system:
> Asynchronous one-time passwords (or challenge-response token)
The server prompts the client to enter information (“a password”) that
grants one unique access only. The “password” can also be sent from the server
to a special device. The “password” or “challenge” is valid for one login only
and can be time dependent, i.e. its validity is limited in time.
> Synchronous one-time-passwords
The “password” can be generated by an algorithm stored on the device (a little
calculator for instance), which corresponds to an algorithm on the server. The
server does not request any challenge-response; it only waits for the correct
authentication information to be sent. SecurID© systems are an example of
synchronous one-time passwords.
> Smart Cards
Smart cards are a variety of synchronous one-time password systems. Smart cards
contain a microchip where the login information can be stored. The chip can
store the user’s proof of identity (biometric data, for instance), which can be
protected by a private encryption key. A special reader attached to the PC scans
the card and sends the login information to the server. Some vendors have worked
on systems that would remove the need for a special reader by using alternatives
like the PC’s floppy drive.
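The asynchronous (challenge-response) and synchronous one-time password variants described above, with both the device side and the server side, as an added example that is not part of the original paper. The paper names no algorithm; this sketch assumes HMAC with a shared secret, uses the RFC 4226/6238 construction for the synchronous code, and all function names and the sample secret are illustrative.

```python
import hashlib, hmac, secrets, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: truncate HMAC-SHA-1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def synchronous_code(secret: bytes, now: float, step: int = 30) -> str:
    """Device side, synchronous variant: the code depends only on the clock."""
    return hotp(secret, int(now // step))

def server_check_synchronous(secret, code, now, step=30, drift=1) -> bool:
    """Server side: no challenge is sent; accept +/- `drift` time steps."""
    counter = int(now // step)
    window = range(max(0, counter - drift), counter + drift + 1)
    return any(hmac.compare_digest(hotp(secret, c), code) for c in window)

def token_response(secret: bytes, challenge: str) -> str:
    """Device side, asynchronous variant: answer without revealing the secret."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()

class ChallengeServer:
    """Server side, asynchronous variant: random, single-use, time-limited."""
    def __init__(self, secret: bytes, ttl: float = 60.0):
        self.secret, self.ttl, self.pending = secret, ttl, {}

    def issue(self, user: str, now: float) -> str:
        challenge = secrets.token_hex(16)          # unpredictable per login
        self.pending[user] = (challenge, now + self.ttl)
        return challenge

    def verify(self, user: str, response: str, now: float) -> bool:
        # pop() consumes the challenge, so it is valid for one login only
        challenge, expires = self.pending.pop(user, (None, 0.0))
        if challenge is None or now > expires:
            return False
        expected = token_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    key = b"12345678901234567890"                  # constructed sample secret
    print("synchronous code at t=59:", synchronous_code(key, 59))
    srv = ChallengeServer(key)
    ch = srv.issue("alice", now=1000.0)
    print("first use accepted:", srv.verify("alice", token_response(key, ch), 1010.0))
    print("replay accepted:", srv.verify("alice", token_response(key, ch), 1011.0))
```

The synchronous check above accepts a code for as long as it stays inside the drift window; a deployment that needs strict one-time use would also record the last accepted time step per user.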
Limitations and risks
• Devices can be lost or stolen.
• Because a device and very often a reader are required, these
systems can be quite expensive to set up.
• Distributing the devices in a secure way can be problematic or at least
expensive to operate.
Moderators
• Replacement of a stolen or lost device can be validated through predefined
questions, which the users must answer.
• The use of “devices” (a printed table or scratch list, or a mobile
phone) that do not require a reader can make the system less expensive.
Authentication Systems Based On Something You Are
Biometric techniques can be broken down into two categories:
• Physical characteristics can be the appearance of the face, variations in
voice tone, the shape of the veins in the retina, the colors and design of the
iris, the digital fingerprints or the shape of the hand.
• Behavioral characteristics are the way of writing the signature or the typing
rhythm on a keyboard.
The physical category is usually considered more accurate than the behavioral
category. The authentication process registers a digital “image” that is based
on the unique original characteristics of an individual. An algorithm transforms
these characteristics into a reference model that must be compared with a
biometric sample.
Digital Fingerprints
The most widespread biometric solutions are applications based on digital
fingerprints. Fingerprints have long been used to identify people, though not
in digital format. They have long been the exclusive domain of law enforcement
and have only recently appeared in general public applications.
Shape Of The Hand Or The Face
Biometric systems that use the shape of the hand or of the face capture
three-dimensional images. They measure different characteristics like length of
fingers, width, thickness and knuckle size. The system based on the face is
close to the visual interaction used by human beings to communicate. For this
reason, it is relatively well accepted on a psychological level. These
characteristics are then compared with the one submitted to the system.
Nevertheless it is not very reliable since the captured signal can vary over
time due to makeup, glasses, hair, age or emotion.
Signature
Techniques based on the signature track the way the signature is written. They
use parameters like the angle at which the pen is held, the time taken to sign,
the velocity and acceleration of the signature, the pressure exerted when
holding the pen and the number of times the pen is lifted from the paper. This
technique is not one hundred percent reliable. Signatures can be easy to
imitate, and they can evolve over time or be influenced by the environment.
Voice
Voice is also a natural way for human beings to interact with each other. Voice
biometrics measures the sound of one’s voice, which is affected by resonance,
the length of the vocal tract, and the shape of one’s mouth and nasal cavities.
Some systems are text dependent, where the user has to repeat a determined text;
others are text independent. The performance of these systems depends on the
quality of the signal, on the stability of the speaker’s voice, and on the
recording equipment.
Retina Scans
Retina-based solutions are very reliable. Contrary to the hand and fingerprint,
the eye changes very little over time. They are not very well accepted, though,
as the laser used to read the back of the eye is felt to be invasive.
Iris Scans
Iris scans have the same advantages as retina-based solutions. They are also
better accepted.
Limitations And Risks
• Biometric systems can be felt to be intrusive by the users.
• Biometric systems are not always user-friendly in their implementation.
• They are sensitive to capture and replay attacks.
• Implementation costs are quite high, above all because a special device is
usually required.
• There are legal and ethical issues to biometric solutions related to the
maintenance and storage of databases, which contain “living” data, or the
transmission of these data to third commercial parties.
• As the biometric data are unique, they cannot be changed once compromised like
one would change his password. A stolen biometric image is stolen for life.
• Biometrics cannot identify devices.
• The users are not in control and cannot decide what their “biometric password”
will be (except for BioPassword solution).
• There are a limited number of biometric passwords that can be created. This
could be a problem in a world where access is based on biometrics, such as
starting one’s car, entering a building, reading email, or unlocking a bank
account, each of which would require a different access.
Moderators
• Biometrics can be used in combination with a smart card. The biometric
reference image can be stored on the chip of the card. Cardholders would be
required to present a biometric to be matched with the one stored on the chip.
This approach can reduce consumer concern about privacy since the data is held
on the smart card chip and not in a database.
• This approach also interests credit card providers, as the biometric data
would replace the easily duplicated signature that is written on the card.
• It brings several benefits, among them increased security due to the more
accurate authentication of the cardholder, convenience for the user who does not
need to remember a password and a reduced privacy concern since data is stored
on the card.
• The combination of smart cards and biometrics has nevertheless some drawbacks
like reliance on card retention, the potential rejection of biometric-based
authentication, and the costs of the additional hardware required to read the
smart card and the biometric image.