9 Access control
I have introduced encryption keys in previous sections. A password can also be thought of as a type of key in as much as it enables the keyholder to gain access to a particular resource. In Section 2.3, I described the process of starting up my computer at The Open University. I referred to the need to enter several sets of user identities and passwords to access various services or software using my computer. Given the frequent use of passwords, it is reasonable to consider what constitutes an effective password.
A major issue here is human behaviour. It is tempting, for instance, to make a record of passwords that are used but not always remembered, or to make all one's passwords identical, or to make them short or highly memorable in some personal way by linking them to personal information, which is unlikely to be highly secure. Alternatively, names, places or normal words may be used as passwords. There are security concerns with all these strategies. For example, electronic dictionaries could be used to probe passwords that are based on known words in all languages. Where passwords are restricted to a small number of characters, brute force methods may quickly find the one correct combination out of many that may be possible.
An effective password, technically speaking, is one that can resist both dictionary and brute force attacks. (For the purposes of network security a dictionary is a compilation of combinations of characters that find use in any field of activity. It is not restricted to words commonly used for general human communication.) A dictionary attack seeks to identify any predictable structure within the string of characters included in the password: for example, a name, a word, or a sequence of numbers, such as in a date format. A brute force attack relies on the power of computers to cycle through combinations of characters on a trial-and-error basis in the absence of predictable structure, until a successful conclusion is reached. If a password contains any partial structure then the processing needed to discover it is reduced.
Based on the above, how would you specify how a password should be constructed?
To avoid a dictionary attack, it is wise to ensure that strings of characters do not produce a recognisable dictionary word. Ensuring that each password is made up of a minimum number of characters reduces the likelihood of a successful attack over a given time period. Including special characters (non-alphanumeric), numbers and upper and lower case letters helps to increase the range of combinations that would need to be tested, and also helps to remove any recognisable structure.
The security of an encrypted password used to access a remote station over a network depends on the form of encryption used and whether it is applied over the whole path from sender to receiver. A variety of means can be used to collect or bypass password protection systems. For instance, password crackers are programs specifically designed to capture password sequences, and decrypt or disable them. I referred earlier to the use of protocol analysers, which may be used to ‘sniff’ traffic for password sequences. In addition, Trojans can be hidden in programs that an attacker expects the legitimate user to run, and will contain a hidden routine to bypass the user's system's password protection. Hence encryption does not prevent capture and there is a danger that message replay can lead to successful access even when passwords cannot be decrypted by an attacker.
Despite the problems associated with passwords, they remain a first line of defence to intruder access. There are several examples of internet sites offering a consolidation service for an individual's multiplicity of passwords. The idea is that a single encrypted password can be used to release the collection of passwords – a potential ‘winner-takes-all’ situation.
What alternatives to passwords could be used to allow or bar the use of facilities by a person (not necessarily restricted to data networks)?
Any characteristic that is unique to a person can in principle be used to allow or bar access. For example, voice, face, hand, finger and iris recognition are candidates for authenticating an individual seeking access to some facility and so can be considered a key, like passwords. Magnetic strip cards too are often used to allow access to facilities such as workplaces, libraries and photocopiers.
In the answer to the question above, what advantages do the examples referred to have over a password?
With the exception of magnetic cards, the examples are normally inseparable from the individual being authenticated. All the examples dispense with the need to remember or record a password.
In general, combining two components, such as something you know (a password) and something you possess (e.g. a physical device or attribute, whether separable from the legitimate user or not) gives a higher level of security than either component alone. This is a valuable concept that is put to use in many practical security systems.
Think of examples where this principle is in common use.
I thought of my cash point card and my mobile telephone. Both require me to enter a number sequence (what I know) in addition to possessing an artefact (the card in one case and the mobile telephone containing the SIM card in the other). (SIM stands for subscriber identity module.) This assumes that the user has enabled the SIM card key, although it seems that many choose not to.