authe


Upload: alemayehu-tilahun

Post on 18-Aug-2015


DESCRIPTION

Authentication

TRANSCRIPT

Access Control

Two parts to access control
Authentication: Are you who you say you are?
  o Determine whether access is allowed
  o Authenticate human to machine
  o Or authenticate machine to machine
Authorization: Are you allowed to do that?
  o Once you have access, what can you do?
  o Enforces limits on actions
Note: "access control" often used as synonym for authorization

How to authenticate a human to a machine?
Can be based on…
  o Something you know
    For example, a password
  o Something you have
    For example, a smartcard
  o Something you are
    For example, your fingerprint

Something You Know

Passwords
Lots of things act as passwords!
  o PIN
  o Social security number
  o Mother's maiden name
  o Date of birth
  o Name of your pet, etc.

Trouble with Passwords

Passwords are one of the biggest practical problems facing security engineers today.
Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed.)

Why Passwords?

Why is something you know more popular than something you have and something you are?
Cost: passwords are free

Attacks on Passwords

Attacker could…
  o Target one particular account
  o Target any account on system
  o Target any account on any system
  o Attempt denial of service (DoS) attack

Popular password cracking tools
  o Password Crackers
  o Password Portal
  o L0phtCrack and LC4 (Windows)
  o John the Ripper (Unix)
Admins should use these tools to test for weak passwords since attackers will
Good articles on password cracking
  o Passwords - Cornerstone of Computer Security
  o Passwords revealed by sweet deal

Biometrics

Something You Are