Logical security

Last updated

Logical security consists of software [1] safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

Contents

Elements

Elements of logical security are:

Token authentication

Token authentication are small devices that authorized users of computer systems or networks carry to assist in identifying that who is logging into a computer or network system is actually authorized. They can also store cryptographic keys and biometric data. The most popular type of security token (RSA SecurID) displays a number which changes every minute. Users are authenticated by entering a personal identification number and the number on the token. The token contains a time of day clock and a unique seed value, and the number displayed is a cryptographic hash of the seed value and the time of day. The computer which is being accessed also contains the same algorithm and is able to match the number by matching the user’s seed and time of day. Clock error is taken into account, and values a few minutes off are sometimes accepted. Another similar type of token (Cryptogram) can produce a value each time a button is pressed. Other security tokens can connect directly to the computer through USB, Smart card or Bluetooth ports, or through special purpose interfaces. Cell phones and PDA's can also be used as security tokens with proper programming.

Password authentication

Password authentication uses secret data to control access to a particular resource. Usually, the user attempting to access the network, computer or computer program is queried on whether they know the password or not, and is granted or denied access accordingly. Passwords are either created by the user or assigned, similar to usernames. However, once assigned a password, the user usually is given the option to change the password to something of his/her choice. Depending on the restrictions of the system or network, the user may change his/her password to any alphanumeric sequence. Usually, limitations to password creation include length restrictions, a requirement of a number, uppercase letter or special character, or not being able to use the past four or five changed passwords associated with the username. In addition, the system may force a user to change his/her password after a given amount of time.

Two-way authentication

Two-way authentication involves both the user and system or network convincing each other that they know the shared password without transmitting this password over any communication channel. This is done by using the password as the encryption key to transmit a randomly generated piece of information, or “the challenge.” The other side must then return a similarly encrypted value which is some predetermined function of the originally offered information, his/her "response", which proves that he/she was able to decrypt the challenge. Kerberos (a computer network authentication protocol) is a good example of this, as it sends an encrypted integer N, and the response must be the encrypted integer N + 1.

Common setup and access rights

Access rights and authority levels are the rights or power granted to users to create, change, delete or view data and files within a system or network. These rights vary from user to user, and can range from anonymous login (guest) privileges to superuser (root) privileges. Guest and superuser accounts are the two extremes, as individual access rights can be denied or granted to each user. Usually, only the system administrator (a.k.a. the superuser) has the ability to grant or deny these rights.

Guest accounts, or anonymous logins, are set up so that multiple users can log into the account at the same time without a password. Users are sometimes asked to type a username. This account has very limited access, and is often only allowed to access special public files. Usually, anonymous accounts have read access rights only for security purposes.

The superuser is an authority level assigned to system administrators on most computer operating systems. In Unix and related operating systems, this level is also called root and has all access rights in the system, including changing ownership of files. In pre-Windows XP and NT systems (such as DOS and Windows 9x), all users are effectively superusers, and all users have all access rights. In Windows NT and related systems (such as Windows 2000 and XP), a superuser is known as the administrator account. However, this administrator account may or may not exist depending on whether separation up.

See also

Related Research Articles

<span class="mw-page-title-main">Password</span> Text used for user authentication to prove identity

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

<span class="mw-page-title-main">Authentication</span> Act of proving an assertion

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role-based security model, any user with the role of superuser can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

passwd Tool to change passwords on Unix-like OSes

passwd is a command on Unix, Plan 9, Inferno, and most Unix-like operating systems used to change a user's password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.

A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

There are several forms of software used to help users or organizations better manage passwords:

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

<span class="mw-page-title-main">Login</span> Process by which an individual gains access to a computer system

In computer security, logging in is the process by which an individual gains access to a computer system or program by identifying and authenticating themselves.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

<span class="mw-page-title-main">User (computing)</span> Person who uses a computer or network service

A user is a person who utilizes a computer or network service. A user often has a user account and is identified to the system by a username . Some software products provide services to other systems and have no direct end users.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

<span class="mw-page-title-main">Microsoft account</span> User account required for Microsoft-owned services

A -changes-to-windows-10-insider-preview-builds/|title=Upcoming changes to Windows 10 Insider Preview builds [UPDATED 6/22]|website=Windows Experience Blog|date=June 19, 2015 |language=en-US|access-date=April 17, 2016}}</ref> is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

In computer security, general access control includes identification, authorization, authentication, access approval, and audit. A more narrow definition of access control would cover only access approval, whereby the system makes a decision to grant or reject an access request from an already authenticated subject, based on what the subject is authorized to access. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems.

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

References

  1. Chernis, P J (1985). "Petrographic analyses of URL-2 and URL-6 special thermal conductivity samples". doi: 10.4095/315247 .{{cite journal}}: Cite journal requires |journal= (help)