CISSP – Access Control – Authentication

We want to provide Access Control to networks.

Subjects and Objects

The network should be thought of as being made of subjects and objects. A subject is the person or device accessing something from an object. For instance, a computer run by me requests a video on a NAS: I am the subject, the NAS is the object. It can become more complex with something such as a webpage backed by a database on another server. The subject requests the webpage from the object (the web server), but to serve it the web server in turn becomes a subject requesting the data from the database server object, and so on. In short, subjects access objects.

Logical Access Controls (LAC)

These can also be referred to as Technical Access Controls (TAC).

Authentication, Authorisation, Accounting (AAA)

A popular model of access control in which the subject first authenticates (identifies and proves who they are), perhaps with a username and password, or perhaps with a certificate (in the case of a website) checked against a trusted third party and used over SSL/TLS.

After authentication comes authorisation. In the example above the subject has logged into the object correctly and been verified to be that subject. Authorisation controls what the subject is then allowed to do, for example upload a file or delete a page.

Accounting is the third step where everything the subject did has been logged so we know when the subject logged in and what they did.

No Access

If you cannot prove who you are the server should give you no access at all.

Human Nature

Human nature is the greatest threat to security.

Passwords should be at least eight characters, and contain a mix of uppercase, lowercase, numeric and special characters.

HAK: Have, Are, Know

HAK is a method of identifying the user by getting them to provide something they have, something they are and something they know. Using two or more of these categories is called multi-factor authentication. One of the benefits of using strong methods to identify users is that they aren’t able to say it was someone else logged in as them. This is called non-repudiation.

An example of something they have might be a card or USB stick.

Something they are will generally be biometric. This can be either a physiological attribute such as the iris, or a behavioural one such as the way they type or the sound of their voice.

An example of something they know might be a password.

There can be some barriers to the use of security measures such as cost, willingness to undergo the measure or just time. Iris scanning is very secure, but it costs a lot of money to set up, takes a lot of time for all the users to get their irises recorded, and crosses the line into an invasion of privacy for many people.

Another time-based problem is the time it takes to authenticate. Swiping a card can be fairly quick, whereas swiping a card and entering a pass code is slower. It doesn’t really matter for twenty people at the office, but authenticating 2000 employees as they enter work can be a problem.

Biometric failures

In general, the more sensitive a biometric system is the more failures to authenticate it will have. This is called the false rejection rate (FRR) or Type 1 rejection where users should be able to authenticate but are not able to or have to try multiple times due to the increased sensitivity of the system.

The second type of error, Type 2, is the false accept rate (FAR), where the sensitivity is set too low and allows users to authenticate when they shouldn’t be able to.

If this was graphed then the point where the two lines intersect is called a crossover error rate (CER) or equal error rate (EER) and is used to evaluate the effectiveness of a biometric system.

Biometrics Error

With biometrics the aim is to get the CER% as low as possible but as many environments want a zero FAR it should be used with other parts of HAK to make multi-factor authentication.
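The FRR/FAR trade-off and crossover error rate described above, worked through in code as an added example (not part of the original notes). The matcher score lists are constructed so that genuine and impostor scores overlap, which is what forces a choice between rejecting real users and accepting impostors:

```python
"""Added example, not from the original notes: compute FRR, FAR and the
crossover error rate (CER/EER) of a biometric matcher from sample scores."""
from typing import Iterable, List, Tuple

# Constructed sample data. A matcher returns a similarity score (0-100) for each
# attempt; higher means a closer match to the enrolled template. Genuine attempts
# are the enrolled user; impostor attempts are someone else. The two sets overlap
# around the mid-fifties, which is what makes the FRR/FAR trade-off real.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61, 55, 48]
IMPOSTOR_SCORES = [63, 58, 55, 52, 49, 47, 44, 40, 37, 33, 28, 25, 20]


def frr(threshold: int, genuine: List[int]) -> float:
    """False rejection rate (Type 1): share of genuine attempts below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: int, impostors: List[int]) -> float:
    """False acceptance rate (Type 2): share of impostor attempts at or above it."""
    return sum(s >= threshold for s in impostors) / len(impostors)


def error_rates(genuine: List[int], impostors: List[int],
                thresholds: Iterable[int] = range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every candidate sensitivity setting."""
    return [(t, frr(t, genuine), far(t, impostors)) for t in thresholds]


def crossover_error_rate(genuine: List[int], impostors: List[int]) -> Tuple[int, float]:
    """Threshold where the FRR and FAR curves cross, and the CER/EER there.
    With discrete scores the curves rarely meet exactly, so take the threshold
    with the smallest |FRR - FAR| (lowest threshold on ties) and average the two."""
    t, fr, fa = min(error_rates(genuine, impostors),
                    key=lambda r: (abs(r[1] - r[2]), r[0]))
    return t, (fr + fa) / 2


def zero_far_threshold(genuine: List[int], impostors: List[int]) -> Tuple[int, float]:
    """Lowest threshold that rejects every impostor, and the FRR paid for it."""
    t = max(impostors) + 1
    return t, frr(t, genuine)


if __name__ == "__main__":
    for t, fr, fa in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 70, 5)):
        print(f"threshold {t:3d}  FRR {fr:.3f}  FAR {fa:.3f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER/EER {cer:.3f} at threshold {t}")
    t, cost = zero_far_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"zero FAR needs threshold {t}, rejecting {cost:.0%} of genuine users")
```

Raising the threshold until FAR reaches zero rejects a quarter of the genuine attempts in this sample, which is why a zero-FAR environment pairs the biometric with another HAK factor rather than tuning the sensor alone.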

Biometrics – Best to worst

  1. Iris recognition
  2. Retina scan
  3. Fingerprint
  4. Palm recognition
  5. Facial recognition
  6. Voice recognition
  7. Signature recognition
  8. Keystroke dynamics

Biometrics – User Acceptance

In general, user acceptance of biometrics reverses the order of best to worst. Keystroke dynamics, signatures and voice recognition are more accepted than iris, retina and fingerprint scanning. Another way of looking at it is that use of physical characteristics is less accepted.
