Wireless Security

Thursday, October 29, 2009
Before we go deeper into wireless security, it helps to have some background on the technology itself. Wireless networking has simplified networking by letting multiple computer users share resources in a home or business without additional or intrusive wiring.

Wireless networking delivers capabilities and speeds comparable to a wired 10BASE-T network without the difficulties of laying wire, drilling into walls, or stringing Ethernet cables throughout an office building or home. Laptop users can roam anywhere in the building without having to hunt down a connector cable or an available jack.

Reasons to choose wireless networking over traditional wired networks include:
  • Running additional wires or drilling new holes in a home or office could be prohibited (because of rental regulations), impractical (infrastructure limitations), or too expensive
  • Flexibility of location and data ports is required
  • Roaming capability is desired; e.g., maintaining connectivity from almost anywhere inside a home or business
  • Network access is desired outdoors; e.g., outside a home or office building

Wireless Network Components
  • Access Point - The access point is a device that links a wireless network to a wired LAN. It increases the effective range of a wireless network and provides additional network management and security features.
  • PC Card - A wireless PC card enables laptop users to connect wirelessly to the LAN.
  • PCI Adapter - Just as a wireless access PC card allows portable and laptop computers access to the LAN, a wireless access PCI adapter allows desktop PC users access to the LAN.
  • Router - A router is a device used for sharing a single Internet connection across multiple computers.

IEEE Wireless Networking Specifications - 802.11 Specifications

The 802.11 specifications were developed by the IEEE specifically for Wireless Local Area Networks (WLANs). They borrow Ethernet-style 48-bit MAC addressing but define their own medium access and physical layers; at the time of writing the family comprised four standards: 802.11, 802.11a, 802.11b and 802.11g.
  • 802.11 - The original 1997 specification operated in the 2.4 GHz band and delivered 1 to 2 Mbps using phase-shift keying (PSK) modulation over spread-spectrum radio.
  • 802.11a - 802.11a operates in the 5 GHz band with data rates from 6 to 54 Mbps; 6, 12 and 24 Mbps are the mandatory rates every device must support.
  • 802.11b - The 802.11b standard (the one the Wi-Fi brand was first attached to) operates in the 2.4 GHz band at up to 11 Mbps and is backward compatible with the original 802.11. It uses complementary code keying (CCK) modulation.
  • 802.11g - 802.11g, ratified in 2003, operates in the 2.4 GHz band with data rates as high as 54 Mbps over a limited distance and is backward compatible with 802.11b.

Ad Hoc (Peer-to-Peer) Mode vs. Infrastructure Mode

The 802.11 specification defines two types of operational modes: ad hoc (peer-to-peer) mode and infrastructure mode.

Ad-Hoc
  • In ad hoc mode, the wireless network is relatively simple and consists of 802.11 network interface cards (NICs). The networked computers communicate directly with one another without the use of an access point.
  • In ad hoc mode, also known as Independent Basic Service Set (IBSS) or peer-to-peer mode, all of the computers and workstations connected with a wireless NIC card can communicate with each other via radio waves without an access point. Ad hoc mode is convenient for quickly setting up a wireless network in a meeting room, hotel conference center, or anywhere else sufficient wired infrastructure does not exist.

Infrastructure mode
  • In infrastructure mode, the wireless network is composed of a wireless access point(s) and 802.11 network interface cards (NICs).
  • In infrastructure mode, all mobile and wireless client devices and computers communicate with the access point, which bridges the wireless radio frequency world to the hard-wired LAN. A basic wireless infrastructure with a single access point is called a Basic Service Set (BSS). When more than one access point is connected to a network to form a single sub-network, it is called an Extended Service Set (ESS).

Wireless Security

Security is an obvious concern with any network, wired or wireless. Because communication over a traditionally wired network is, by its very nature, over physical wires, security is often built into the physical environment itself.

WLANs operate over radio signals, so that physical barrier disappears: anyone with a receiver within range can capture the traffic, and anyone with a transmitter can try to join. The original 802.11 answer to this was the built-in encryption called Wired Equivalent Privacy (WEP), which many home and small-office users relied on as their only protection.

Wired Equivalent Privacy (WEP) uses the RC4 stream cipher with 40-bit or 104-bit keys, marketed as 64- and 128-bit because each key is prefixed with a 24-bit per-frame initialization vector (IV) that is sent in the clear. It was the cipher scheme designated for 802.11b networking and encrypts the frames exchanged between client and access point. It should not be trusted today: the IV space is small enough that keystreams repeat on a busy network, and statistical attacks on RC4's key schedule published from 2001 onward recover the key from captured traffic in minutes with freely available tools. WEP stops casual eavesdropping only, so the traditional measures (strong passwords, real authentication, a VPN over the wireless link) are what actually protect a WEP network.

Open System Authentication (OSA) is the 802.11 authentication method that performs no real authentication at all. The station asks to authenticate and the access point simply replies with success; any station that knows the network's SSID can associate. Whether the data exchanged afterwards is encrypted depends on whether WEP is enabled, not on the authentication method.

For OSA to work, the station must use the same service set identifier (SSID) as the access point. The SSID is a sequence of characters that names a wireless local area network (WLAN); it is a network name, not a secret, because the access point broadcasts it in beacon frames and stations send it in probe requests. The exchange is two frames: the station sends an authentication request, and the access point answers with an authentication response carrying a success status. The station then sends an association request and, once associated, remains part of the network as long as it stays within range of that access point.

802.11 also defines Shared Key Authentication (SKA), in which the access point sends a 128-byte challenge and the station must return it WEP-encrypted with the shared key. Despite its name this is the weaker of the two methods: the challenge and its encrypted response both travel over the air, and XORing them yields the RC4 keystream for that IV, which an eavesdropper can reuse to authenticate without ever learning the key. Even on a WEP network, OSA combined with WEP encryption of the data frames was the recommended configuration.
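To make that point concrete, here is an added example (not code from the original page) in Python that implements RC4 and WEP frame encryption as the standard defines them, runs one Shared Key Authentication exchange, and then shows an eavesdropper who saw only the challenge and response recovering the keystream and authenticating against a fresh challenge by reusing the captured IV. The 40-bit key is constructed; the access point keeps no record of IVs it has seen, which matches real WEP equipment.

```python
import os
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, appended to the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared key; the 3-byte IV travels in the clear."""
    body = plaintext + icv(plaintext)
    return xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    body = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    if icv(plaintext) != tag:
        raise ValueError("ICV mismatch")
    return plaintext

class AccessPoint:
    """Shared Key Authentication as 802.11 specifies it: a 128-byte challenge,
    answered WEP-encrypted. The AP does not remember which IVs it has accepted."""
    def __init__(self, key: bytes):
        self.key = key
    def challenge(self) -> bytes:
        return os.urandom(128)
    def verify(self, challenge: bytes, iv: bytes, response: bytes) -> bool:
        try:
            return wep_decrypt(self.key, iv, response) == challenge
        except ValueError:
            return False

def station_response(key: bytes, challenge: bytes):
    """Legitimate station: pick an IV and encrypt the challenge with the shared key."""
    iv = os.urandom(3)
    return iv, wep_encrypt(key, iv, challenge)

def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Eavesdropper: challenge (plaintext) and response (ciphertext) were both on
    the air, so plaintext XOR ciphertext is the RC4 keystream for that IV."""
    return xor(challenge + icv(challenge), response)

def forge_response(keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge with the captured keystream; no key needed."""
    return xor(new_challenge + icv(new_challenge), keystream)

def demo() -> dict:
    key = bytes.fromhex("0102030405")        # constructed 40-bit shared WEP key
    ap = AccessPoint(key)

    c1 = ap.challenge()                       # legitimate station authenticates ...
    iv, resp = station_response(key, c1)
    legit_ok = ap.verify(c1, iv, resp)
    ks = recover_keystream(c1, resp)          # ... while the attacker only listens

    c2 = ap.challenge()                       # attacker's own authentication attempt
    forged_ok = ap.verify(c2, iv, forge_response(ks, c2))   # same IV, key unknown
    return {"legit_accepted": legit_ok,
            "keystream_recovered": ks == rc4(iv + key, len(ks)),
            "forged_accepted": forged_ok}

if __name__ == "__main__":
    print(demo())
```

The forged response is accepted because WEP derives the per-frame key from IV and shared key alone and never rejects a repeated IV; the same keystream reuse is what breaks WEP's data encryption as well.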

Security Safeguards Over Wireless Networks

Transmissions over wireless networks can be intercepted by any suitable device within the transmission radius. If a network intruder is able to attach to an unsecured AP, she can get access to the wireless network and the Internet connection.

Media-access control (MAC) address filtering can be used to limit access to identifiable network cards with approved MAC addresses. A MAC address is a hardware identifier burned into each network interface. This system is not foolproof, however, because MAC addresses are transmitted in the clear in every frame, so an intruder can read an approved address off the air and spoof it.

Encryption is used to ensure that only authorized receivers can understand transmitted data. Typically, a key is required to encrypt and decrypt information. WPA is an encryption security standard for wireless networks.

WPA

Wi-Fi Protected Access (WPA, and later WPA2) is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol of the same name for wireless computer networks. The protocol was created in response to the serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).



The WPA protocol implements the majority of the IEEE 802.11i standard and was intended as an intermediate measure to take the place of WEP while 802.11i was being finished. Specifically, the Temporal Key Integrity Protocol (TKIP) was brought into WPA. TKIP could be added through firmware upgrades to pre-WPA wireless network interface cards that began shipping as far back as 1999, but the access point side needed more substantial changes, so most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers (Beck and Tews, 2008) have since found a flaw in TKIP that builds on the older WEP weaknesses to recover the keystream of short packets and reuse it for injection and spoofing; TKIP is a stopgap, and WPA2 with AES-CCMP should be used wherever the hardware supports it.

There are a number of common precautions a WLAN operator can take to limit the network's exposure to attack, vandalism and corporate espionage.



Change Default Passwords:
Most manufacturers ship all of their equipment with the same well-known default administrative password. Change every default password before deployment, and rotate passwords periodically so that a password that has leaked does not remain useful indefinitely.

Limit MAC Addresses:
Some access points allow the operator to specify exactly which Media Access Control (MAC) addresses may communicate with the network. A MAC address is a hardware address that identifies each network adapter and is meant to be globally unique. Restricting the network to a list of known MAC addresses keeps casual users out, but because MAC addresses are sent unencrypted in every frame, an attacker can learn a permitted address and set it on their own adapter; treat this as a filter, not as authentication.

Disable DHCP:
By default, some access points answer Dynamic Host Configuration Protocol (DHCP) requests themselves or forward them to a server on the LAN. DHCP assigns IP addresses dynamically, so with DHCP enabled and no other controls a newly associated client is handed a working address automatically. Disabling DHCP and assigning static addresses removes that convenience from an intruder, though anyone who can capture traffic will see the addresses in use and can configure one by hand.

Change Subnet Default:
Some access points default to the 192.168.x.x IP subnet. When disabling DHCP and using static IP addresses, also change the default subnet so that the addressing cannot be guessed from the product documentation.

Move the Access Point Outside the Firewall or onto a DMZ:
The best solution for keeping prying eyes away from a corporate network is to move the access point off the corporate LAN and place it outside the firewall or on a DMZ (demilitarized zone) port, treating the wireless segment as untrusted. With the access point outside the firewall, an intruder who joins the WLAN does not thereby gain access to the corporate LAN. All corporate wireless users then need a virtual private network (VPN) client to create an authenticated, encrypted tunnel into the corporate LAN. This requires additional administrative support from IT personnel, but the extra security is well worth the effort.

Firewall

A firewall is a system designed to prevent unauthorized access to or from a private network. It protects networked computers from deliberate hostile intrusion that could compromise confidentiality, corrupt data or cause denial of service. Firewalls can be implemented as hardware, as a software program running on a hardened host computer, or as a combination of both. In either case the firewall needs at least two network interfaces: one for the network it is intended to protect and one for the network it is exposed to.


Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest firewalls were simply routers. The term firewall comes from the fact that by segmenting a network into different physical subnetworks, they limited the damage that could spread from one subnet to another just like firedoors or firewalls.

How does a firewall work?

Firewalls operate at different layers and use different criteria to restrict traffic. In the classic taxonomy the lowest layer at which a firewall works is layer three: the network layer in the OSI model, the Internet Protocol layer in TCP/IP, which is concerned with routing packets to their destination. At this layer a firewall can judge a packet by the source address it claims to come from (an address that can be forged), but it cannot see what the packet contains or which other packets it belongs with. Firewalls that operate at the transport layer know a little more about a packet, for instance its ports and TCP flags, and can grant or deny access on more sophisticated criteria. At the application level, firewalls know a great deal about what is going on and can be very selective in granting access.


Firewalls fall into four broad categories:

1. Packet Filtering Firewall:


  • In a packet filtering firewall, the firewall examines five characteristics of a packet:
  1. Source IP address
  2. Source port
  3. Destination IP address
  4. Destination port
  5. IP protocol (TCP, UDP, ICMP and so on)
  • Based upon rules configured into the firewall, the packet is either allowed through, rejected, or dropped. If the firewall rejects the packet, it sends an error back to the sender (an ICMP unreachable message or, for TCP, a reset) telling them the packet was refused. If the packet is dropped, the firewall simply does not respond, and the sender has to wait for the communication to time out. Dropping packets instead of rejecting them greatly increases the time an attacker needs to scan your network, at the cost of making legitimate misconfigurations harder to diagnose. Packet filtering firewalls operate on Layer 3 of the OSI model, the Network Layer, reading the port numbers from the Layer 4 header as well. Routers with access lists are a very common form of packet filtering firewall.
  • A packet filter looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but rule sets are difficult to get right, and because the filter trusts the source address in the header, it is susceptible to IP spoofing.

2. Stateful Inspection Firewall:


  • Stateful inspection is a firewall architecture that works at the network and transport layers. Unlike static packet filtering, which examines each packet in isolation based on the information in its header, stateful inspection tracks every connection traversing the firewall's interfaces and checks that each packet belongs to a valid one.
  • A stateful firewall may examine not just the header information but also the contents of the packet up through the application layer, to learn more about the packet than its source and destination. It also monitors the state of each connection and records it in a state table. Filtering decisions are therefore based not only on administrator-defined rules (as in static packet filtering) but also on context established by prior packets that have passed through the firewall: a reply is admitted because the request that provoked it was seen going out, not because a standing rule opens the port.
  • As an added security measure against port scanning, stateful inspection firewalls close off ports until connection to the specific port is requested.
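As an added example (not code from the original page), the following Python models the two firewall types just described: a static packet filter that judges each packet on its own 5-tuple with first-match-wins rules and a silent-drop default, and a stateful filter that keeps a connection table so that replies to connections the rules permitted are admitted without an explicit rule, that a TCP packet which is neither a connection start (SYN without ACK) nor part of a known flow is dropped even when a rule would allow its port, and that idle flows age out. The rule set, addresses and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # TCP flags; ignored for other protocols
    ack: bool = False

@dataclass
class Rule:
    action: str                     # "allow", "reject" (tell the sender) or "drop" (silent)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dports: Optional[range] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))

def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Static packet filter: each packet judged on its own header, first matching
    rule wins, implicit default is a silent drop."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"

Flow = Tuple[str, int, str, int, str]

class StatefulFilter:
    """Same rules plus a connection table: only a flow's first packet is checked
    against the rules; later packets in either direction are admitted because the
    table says the flow exists; a TCP packet that is neither a connection start
    nor part of a known flow is dropped; idle flows expire."""
    def __init__(self, rules: List[Rule], idle_timeout: float = 60.0):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.table: Dict[Flow, float] = {}   # flow key -> time last seen

    @staticmethod
    def _key(p: Packet) -> Flow:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> Flow:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def decide(self, p: Packet, now: float) -> str:
        for k, seen in list(self.table.items()):      # age out idle flows
            if now - seen > self.idle_timeout:
                del self.table[k]
        for k in (self._key(p), self._reverse_key(p)):  # part of a known flow?
            if k in self.table:
                self.table[k] = now
                return "allow"
        if p.proto == "tcp" and (not p.syn or p.ack):   # TCP must start with a SYN
            return "drop"
        action = stateless_filter(self.rules, p)
        if action == "allow":
            self.table[self._key(p)] = now
        return action

# Constructed rule set for a site whose LAN is 10.0.0.0/8 (assumed addresses).
RULES = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dports=range(80, 81)),      # web out
    Rule("allow", src="10.0.0.0/8", proto="tcp", dports=range(443, 444)),
    Rule("allow", src="203.0.113.0/24", dst="10.0.0.5/32", proto="tcp", dports=range(22, 23)),
    Rule("reject", dst="10.0.0.0/8", proto="tcp", dports=range(113, 114)),  # ident: answer, don't stall
]

def demo() -> dict:
    syn_out = Packet("10.0.0.7", 40000, "198.51.100.1", 443, "tcp", syn=True)
    reply_in = Packet("198.51.100.1", 443, "10.0.0.7", 40000, "tcp", syn=True, ack=True)
    spoofed_ack = Packet("203.0.113.9", 5555, "10.0.0.5", 22, "tcp", ack=True)
    ident_probe = Packet("198.51.100.2", 6000, "10.0.0.7", 113, "tcp", syn=True)
    fw = StatefulFilter(RULES, idle_timeout=60.0)
    return {
        "stateless_reply": stateless_filter(RULES, reply_in),  # no rule for replies -> drop
        "reply_before_syn": fw.decide(reply_in, now=0.0),      # unsolicited -> drop
        "syn_out": fw.decide(syn_out, now=1.0),                # rule allows, flow recorded
        "reply_after_syn": fw.decide(reply_in, now=2.0),       # in table -> allow
        "spoofed_ack": fw.decide(spoofed_ack, now=3.0),        # no SYN, no flow -> drop
        "ident_probe": fw.decide(ident_probe, now=4.0),        # reject: sender is told
        "reply_after_idle": fw.decide(reply_in, now=200.0),    # flow aged out -> drop
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The stateless filter would need an extra rule admitting inbound packets from port 443 to every high port to let the web reply through, and that rule would also admit an attacker's packets sent from source port 443; the stateful filter admits the reply only because it saw the outgoing SYN.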

3. Application-Level Gateway(Application Proxy):


  • The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. This can render a computer behind the firewall all but invisible to the remote system.
  • It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions.
  • Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities.
  • A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway.
  • An application gateway is normally implemented on a separate computer on the network whose primary function is to provide proxy service.

4. Circuit-Level Gateway:


  • A circuit level gateway is sometimes described as a second generation firewall. It is a fast unrestricted passage through the firewall based on predefined rules maintained in the TCP/IP kernel.
  • A circuit level gateway operates at the transport layer of the OSI or internet reference models and, as the name implies, implements circuit level filtering rather than packet level filtering. It checks the validity of connections (i.e. circuits) at the transport layer (typically TCP connections) against a table of allowed connections, before a session can be opened and data exchanged. The rules defining a valid session prescribe, for example, the destination and source addresses and ports, the time of day, the protocol being used, the user and the password. Once a session is allowed, no further checks, for example at the level of individual packets, are performed.
  • A circuit level gateway acts as a proxy and has the same advantage as an application level gateway in hiding the internal host from the serving host, but it incurs less processing than an application level gateway.
  • Disadvantages of circuit level gateways include the absence of content filtering and the requirement for software modifications relating to the transport function.
  • Circuit level gateways can be implemented within application level gateways or as stand-alone systems. Implementation within an application level gateway allows screening to be asymmetric, with a circuit level gateway in one direction and an application level gateway in the other.

What is a virtual private network (VPN)?



Basically, a VPN provides authenticated, encrypted connections between private networks linked across the Internet. It allows remote computers to act as though they were on the same secure local network.

A virtual private network (VPN) uses a public telecommunication infrastructure, such as the Internet, to give remote offices or individual users secure access to their organization's network. It can be contrasted with the expensive alternative of owned or leased lines: dedicated physical circuits that only one organization can use. A VPN instead uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee, with the goal of providing the same capabilities at a much lower cost.

Virtual private networks let distant colleagues share files, printers and internal applications as if they sat on the same office LAN.

A VPN works by using the shared public infrastructure while maintaining privacy through authentication, encryption and tunneling protocols such as IPsec or the Layer Two Tunneling Protocol (L2TP); L2TP on its own carries no encryption and is normally run inside IPsec. The protocols encrypt data at the sending end and decrypt it at the receiving end, so the traffic travels through a "tunnel" whose contents an observer on the path can neither read nor alter undetected. Tunnel mode adds a further level of protection by encrypting the original packet's source and destination addresses along with its payload, so only the addresses of the tunnel endpoints are visible.

Advantages
  • Allows you to be at home and access your company's computers in the same way as if you were sitting at work.
  • Traffic inside a correctly configured tunnel is encrypted and integrity-protected, so an eavesdropper on the path sees only ciphertext and cannot modify packets without detection.
  • If you have VPN client software on a laptop, you can connect to your company from anywhere in the world.

Disadvantages
  • Setup is more complicated than less secure methods. VPN works across different manufacturers' equipment, but connecting to a non-NETGEAR product adds difficulty, since there may be no documentation specific to your situation.
  • The company whose network you connect to may require you to follow the company's own policies on your home computers

A VPN runs between a computer and a network (client-to-server), or between two LANs using two routers (server-to-server). Each end of the connection is a VPN "endpoint", and the connection between them is a "VPN tunnel". When one end is a client, that computer is running VPN client software. The two types of VPN:
  1. VPN Client-to-Server (Client-to-Box)
  2. VPN Server-to-Server (Box-to-Box)

Security in Applications


Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications, together with a sound application security routine, reduce the likelihood that attackers can manipulate applications to access, steal, modify, or delete sensitive data. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications are more often reachable over networks and are, as a result, exposed to a wide variety of threats.

Actions taken to ensure application security are sometimes called countermeasures. The most basic software countermeasure is an application firewall that limits which files specific installed programs may execute and which data they may handle. The most common hardware countermeasure is a router performing network address translation, which keeps an individual computer's IP address from being directly visible on the Internet. Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs, and biometric authentication systems.

Electronic mail

Electronic mail security protects messages, in transit and in the mailbox, from being read or altered by unauthorized individuals. For major companies and corporations it is a necessity, since business information sent by e-mail would otherwise travel as plaintext that anyone on the path, or on an intermediate mail relay, can read.

Electronic mail is no longer used only for text messages but also to transfer spreadsheets and documents, and the more an organization relies on it the more sensitive the data in transit becomes. Message integrity, however, is rarely checked: plain SMTP mail carries no proof of who sent it or that it arrived unchanged, which leaves room for falsification or modification of messages as well as for leakage of information to rival companies.

Security in email
  • SMIME
  • PGP

SMIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an extension of MIME that adds signing and encryption based on public-key cryptography, originally built by RSA Data Security around the Rivest-Shamir-Adleman (RSA) algorithm. It is a secure method of sending e-mail that is supported by the major mail clients (including those shipped by Microsoft and Netscape) and has been endorsed by other vendors of messaging products. RSA proposed S/MIME to the Internet Engineering Task Force (IETF), which has since published it as a standard (RFC 3851 at the time of writing). An alternative is PGP/MIME (RFC 3156), also standardized by the IETF.


MIME itself, originally described in RFC 1521 and now in RFCs 2045 through 2049, spells out how an electronic message is organized. S/MIME describes how the encrypted content, the signature and the sender's digital certificate are carried as parts of the message body, using the syntax of the Public-Key Cryptography Standard #7 (PKCS #7), which the IETF has since standardized as the Cryptographic Message Syntax (CMS).

PGP

PGP (Pretty Good Privacy) is the most widely recognized public-key encryption program in the world. It can be used to protect the privacy of e-mail, data files, disks and instant messaging.

PGP is a powerful cryptography package, available commercially and, through the compatible free GnuPG implementation of the OpenPGP standard, at no cost, that lets people exchange files in encrypted form and also provides message authentication through digital signatures. PGP is a public-key system: each user has a key pair. The public key is distributed to correspondents, who use it to encrypt messages to the owner and to verify the owner's signatures; the private key is kept secret and is used to decrypt and to sign. Because anyone can publish a key under any name, a correspondent's public key should be verified through its fingerprint or a signature from someone already trusted before it is relied upon.

Security in Web
  • SSL
  • SSH
  • SET
  • HTTPS
  • SFTP
SSL
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet; its standardized successor is TLS. SSL uses public-key cryptography during the handshake: the server's certificate carries a public key known to everyone, while the matching private key is known only to the server, and the two sides use it to agree on a symmetric session key that encrypts the rest of the connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to collect confidential user information such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:. The protection is only as good as the certificate authority that signed the server's certificate and the client's check that the name in the certificate matches the site.

SSH
Ssh (Secure Shell) is a program to log into another computer over a network, execute commands on a remote machine, and move files from one machine to another. It provides strong authentication and encrypted communication over insecure channels and is intended as a replacement for rlogin, rsh and rcp, which sent passwords and data in the clear.

Additionally, ssh provides secure X connections and secure forwarding of arbitrary TCP connections.

SET
Visa and MasterCard jointly developed the Secure Electronic Transaction (SET) protocol in the mid-1990s as a method for secure, cost-effective bankcard transactions over open networks. SET includes protocols for purchasing goods and services electronically, requesting authorization of payment, and requesting ``credentials'' (that is, certificates) binding public keys to identities, among other services. Its designers expected that full adoption would give merchants and customers the confidence to take part in electronic commerce; in practice SET required certificates and special software on every cardholder's machine, was never widely adopted, and card payments on the Web settled on SSL/TLS between browser and merchant instead.


HTTPS
HTTPS stands for Hypertext Transfer Protocol Secure: ordinary HTTP carried over an SSL/TLS connection, conventionally on port 443 instead of 80. The TLS layer encrypts requests and responses, protects them from modification in transit, and lets the browser check the server's certificate, so an eavesdropper on the path cannot read or tamper with the exchange. That is why HTTPS is the baseline for e-commerce transactions and especially for online banking.


SFTP
SFTP, the SSH File Transfer Protocol, is a file transfer protocol that runs over an SSH connection. Unlike standard FTP, it encrypts both commands and data, so passwords and file contents never cross the network in the clear. It is functionally similar to FTP, but it is a different protocol: a standard FTP client cannot talk to an SFTP server, and a client that supports only SFTP cannot connect to an FTP server. It should not be confused with FTPS, which is the old FTP protocol wrapped in SSL/TLS.

"sftp is an interactive file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport".


Security in Network




A computer network is simply two or more computers connected together so they can exchange information. A small network can be as simple as two computers linked together by a single cable.

Without a network, we can access resources only on our own computer. These resources may be devices in our computer, such as a folder or disk drive, or they may be connected to our computer, such as a printer or CD-ROM drive. These devices, accessible only to us, are local resources. Networking allows us to share resources among a group of computer users.

Network security


In the field of networking, network security consists of the provisions made in the underlying network infrastructure, the policies adopted by the network administrator to protect the network and its reachable resources from unauthorized access, and continuous monitoring and measurement of how effective (or ineffective) those measures are.



Security & Security Attacks


Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low. A security attack is any action that threatens this state of well-being.

Consequence of Attacks
  • Theft of confidential information
  • Unauthorized use of network bandwidth and computing resources
  • Spread of false information
  • Disruption of legitimate services
  • All attacks are related and dangerous!
Network Specific Security Issues
  • Attack channel - network-borne!
  • Attack targets - network management/control information:
  1. Theft of service
  2. Theft of user data
  3. Injection of disrupting data/control packets
  4. Interception and modification of data/control packets
  5. Compromising network entities, routers & switches

What's the Biggest Security Problem?

Experts, hackers debate cyberterror, digital teens, and holey software.

-Andrew Brandt, PCWorld.com-
-Apr 16, 2003 8:00 am-


Security Problems, Threats and Risks

Client-side Vulnerabilities in:
  • Web Browsers
  • Office Software
  • Email Clients
  • Media Players
Server-side Vulnerabilities in:
  • Web Applications
  • Windows Services
  • Unix and Mac OS Services
  • Backup Software
  • Anti-virus Software
  • Management Servers
  • Database Software
Security Policy and Personnel:
  • Excessive User Rights and Unauthorized Devices
  • Phishing/Spear Phishing
  • Unencrypted Laptops and Removable Media
Application Abuse:
  • Instant Messaging
  • Peer-to-Peer Programs
Network Devices:
  • VoIP Servers and Phones
Zero Day Attacks:
  • Exploitation of a vulnerability before the vendor has released a fix, so no patch or signature yet exists

Authentication & Access Control

Tuesday, October 27, 2009

Authentication, in its basic form, is the process of identifying an individual, usually based on a username and password.


It is the process of confirming the correctness of a claimed identity, ensuring that users are who they say they are. When we type our name and password to log in to a system, that is where we are authenticated and allowed access.

Authentication and authorization are not the same thing. Authentication provides proof of identity, but it does not describe the privileges an entity possesses. For instance, we are authenticated before we access a database system, but that does not tell the database which data we are entitled to access; deciding that is the job of authorization, or access control.


In traditional systems, the user's identity is verified by checking a password typed during login; the system records the identity and uses it to determine what operations may be performed.

User authentication in computer systems has been a cornerstone of computer security for decades. The concept of a user id and password is a cost effective and efficient method of maintaining a shared secret between a user and a computer system. One of the key elements in the password solution for security is a reliance on human cognitive ability to remember the shared secret. In early computing days with only a few computer systems and a small select group of users, this model proved effective.

With the advent of the Internet, e-commerce, and the proliferation of PCs in offices and schools, the user base has grown both in number and in demographic base. Individual users no longer have single passwords for single systems, but are presented with the challenge of remembering numerous passwords for numerous systems, from email, to web accounts, to banking and financial services.

Password-based authentication is no longer adequate on today's computer networks. A password sent across the network in the clear can be intercepted and subsequently used by an eavesdropper to impersonate the user. Besides the security concern, password-based authentication is inconvenient: users do not want to enter a password each time they access a network service, which in practice has led to even weaker authentication (such as trusting the client's address or hostname) on computer networks.

To overcome these problems, stronger authentication methods based on cryptography are required. With cryptographic authentication, an attacker listening to the network gains no information that would enable it to falsely claim another's identity. Kerberos was designed to replace insecure password-based authentication in exactly this way.

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.

The name is taken from Greek mythology: Kerberos was a three-headed dog who guarded the gates of Hades.

How Kerberos Works
  1. Suppose you want to access a server on another computer (which you may get to by sending a Telnet or similar login request). You know that this server requires a Kerberos "ticket" before it will honor your request.
  2. To get your ticket, you first request authentication from the Authentication Server (AS). The Authentication Server creates a "session key" (which is also an encryption key), basing it on your password (which it can look up from your user name) and a random value that represents the requested service. The session key is effectively a "ticket-granting ticket."
  3. You next send your ticket-granting ticket to a ticket-granting server (TGS). The TGS may be physically the same server as the Authentication Server, but it is now performing a different service. The TGS returns the ticket that can be sent to the server for the requested service.
  4. The service either rejects the ticket or accepts it and performs the service.
  5. Because the ticket you received from the TGS is time-stamped, it allows you to make additional requests using the same ticket within a certain time period (typically, eight hours) without having to be reauthenticated. Making the ticket valid for a limited time period makes it less likely that someone else will be able to use it later.
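The five steps above as a runnable model, added here as an example and not taken from the original post or from MIT's Kerberos code. It follows the RFC 4120 message layout (the session key goes to the client under its password-derived key; the TGT is sealed under a key only the TGS holds; each later request carries a fresh time-stamped authenticator). The encrypt-then-MAC helper standing in for Kerberos encryption types, the principal names, the password and the 300-second clock-skew allowance are all constructed assumptions; the 8-hour lifetime is the one step 5 mentions.

```python
import hashlib, hmac, json, os, time
# Toy encrypt-then-MAC standing in for Kerberos encryption types (constructed for this example)
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, obj):
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):  # the wrong key (e.g. a mistyped password) fails the MAC check here
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))
def user_key(password):  # string-to-key: the KDC stores this; the client re-derives it from the password
    return hashlib.sha256(password.encode()).digest()
def check(ticket, authenticator, now, skew=300):
    """Shared by TGS and service: ticket unexpired, authenticator fresh and naming the ticket's client."""
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if ticket["exp"] < now or auth["cname"] != ticket["cname"] or abs(auth["ts"] - now) > skew:
        raise PermissionError("ticket expired or authenticator invalid")
    return bytes.fromhex(ticket["key"])

class KDC:  # Authentication Server (AS) and Ticket-Granting Server (TGS) on one host
    def __init__(self, user_keys, service_keys, lifetime=8 * 3600):
        self.users, self.services, self.lifetime = user_keys, service_keys, lifetime
        self.tgs_key = os.urandom(32)  # known only to the TGS, so a client can neither read nor forge a TGT
    def _ticket(self, owner_key, cname, sname, now):  # fresh session key + ticket sealed for its owner
        sk = os.urandom(32).hex()
        return sk, seal(owner_key, {"cname": cname, "sname": sname, "key": sk, "exp": now + self.lifetime})
    def as_req(self, cname, now=None):  # step 2: session key under the user's key, plus the TGT
        sk, tgt = self._ticket(self.tgs_key, cname, "krbtgt", now or time.time())
        return seal(self.users[cname], {"key": sk}), tgt
    def tgs_req(self, tgt, authenticator, sname, now=None):  # step 3: TGT + authenticator -> service ticket
        now, t = now or time.time(), unseal(self.tgs_key, tgt)
        tgt_sk = check(t, authenticator, now)
        sk, st = self._ticket(self.services[sname], t["cname"], sname, now)
        return seal(tgt_sk, {"key": sk}), st

def service_accept(service_key, ticket, authenticator, now=None):  # step 4: reject or accept the ticket
    t = unseal(service_key, ticket)
    check(t, authenticator, now or time.time())
    return t["cname"]

def client_login(kdc, cname, password, sname, now=None):  # client side of steps 2 and 3
    now = now or time.time()
    rep, tgt = kdc.as_req(cname, now)
    tgt_sk = bytes.fromhex(unseal(user_key(password), rep)["key"])
    rep2, st = kdc.tgs_req(tgt, seal(tgt_sk, {"cname": cname, "ts": now}), sname, now)
    svc_sk = bytes.fromhex(unseal(tgt_sk, rep2)["key"])
    return st, seal(svc_sk, {"cname": cname, "ts": now})  # step 5: st stays usable until "exp"
```

The service here checks only expiry and authenticator freshness; the replay cache of recently seen authenticators that real implementations keep within the skew window is left out.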

In terms of technology, biometrics refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.

Authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics and point of sale (POS) applications. In addition to security, the driving force behind biometric verification has been convenience.

Biometric devices, such as fingerprint scanners, consist of:
  • A reader or scanning device
  • Software that converts the scanned information into digital form and compares match points
  • A database that stores the biometric data for comparison

To prevent identity theft, biometric data is usually encrypted when it's gathered. Here's how biometric verification works on the back end:
To convert the biometric input, a software application is used to identify specific points of data as match points. The match points in the database are processed using an algorithm that translates that information into a numeric value. The database value is compared with the biometric input the end user has entered into the scanner, and authentication is either approved or denied.

The nice thing about using biometrics is that end users do not lose or misplace their personal identifier. It's hard to leave your fingers at home. However, biometrics have not caught on as fast as originally anticipated because of the false positives and false negatives that are common when using biometric technologies.
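The match-point comparison and the false positive / false negative problem described above, as an added example that is not part of the original post: constructed fingerprint-style match points (x, y, ridge angle) are scored by how many enrolled points have a counterpart in a fresh scan, the numeric score is compared against a threshold, and sweeping that threshold over simulated genuine and impostor scans shows that cutting false rejects raises false accepts. The point layout, tolerances, noise model and thresholds are all assumptions.

```python
import math, random

def match_score(enrolled, sample, tol=6.0, angle_tol=0.3):
    """Fraction of enrolled match points with a sample point inside the position/angle tolerance."""
    hits = 0
    for x, y, a in enrolled:
        if any(math.hypot(x - sx, y - sy) <= tol and abs(a - sa) <= angle_tol for sx, sy, sa in sample):
            hits += 1
    return hits / len(enrolled)

def verify(enrolled, sample, threshold):
    """The back-end decision: approve only when the numeric score reaches the threshold."""
    return match_score(enrolled, sample) >= threshold

def random_points(rng, n=12):  # constructed "fingerprint": n match points on a 200x200 grid
    return [(rng.uniform(0, 200), rng.uniform(0, 200), rng.uniform(-math.pi, math.pi)) for _ in range(n)]

def noisy_scan(rng, points, jitter=3.0, drop=0.2):  # a fresh scan of the same finger: jitter and misses
    return [(x + rng.gauss(0, jitter), y + rng.gauss(0, jitter), a + rng.gauss(0, 0.1))
            for x, y, a in points if rng.random() > drop]

def error_rates(threshold, users=50, trials=20, seed=1):
    """False reject rate (genuine user denied) and false accept rate (impostor approved) at a threshold."""
    rng = random.Random(seed)  # same seed for every threshold, so only the decision rule changes
    templates = [random_points(rng) for _ in range(users)]
    genuine = [noisy_scan(rng, t) for t in templates for _ in range(trials)]
    impostor = [noisy_scan(rng, templates[(i + 1) % users]) for i in range(users) for _ in range(trials)]
    frr = sum(not verify(templates[i // trials], s, threshold) for i, s in enumerate(genuine)) / len(genuine)
    far = sum(verify(templates[i // trials], s, threshold) for i, s in enumerate(impostor)) / len(impostor)
    return frr, far
```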

Access Control

The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do directly, as well as what programs executing on behalf of users are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security.


Access control by fingerprint identification

The primary objective of access control is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources. Many people confuse confidentiality with integrity. Confidentiality refers to the assurance that only authorized individuals are able to view and access data and systems. Integrity refers to protecting the data from unauthorized modification. You can have confidentiality without integrity and vice versa. It's important that only the right people have access to the data, but it's also important that the data is the right data, and not data that has been modified either accidentally or on purpose.

Controlling how network resources are accessed is paramount to protecting private and confidential information from unauthorized users. The types of access control mechanisms available for information technology initiatives today continue to increase at a breakneck pace, but most access control methodologies are based on the same underlying principles.

Access control devices properly identify people, and verify their identity through an authentication process so they can be held accountable for their actions. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.


Availability is certainly less confusing than confidentiality or integrity. While data and resources need to be secure, they also need to be accessible and available in a timely manner. If you have to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion. While availability may seem obvious, it is important to acknowledge that it is a goal so that security is not overdone to the point where the data is of no use to anyone.