Αυθεντικοποίηση με χρήση οπτικής πληροφορίας και διαχείριση πρόσβασης με δυναμικές παραμέτρους σε πληροφοριακά συστήματα
View/ Open
Keywords
Αυθεντικοποίηση ; Κωδικοί γραφικών ; Οπτική πληροφορία ; Κωδικοί πρόσβασης ; Διαχείριση πρόσβασης ; Έλεγχος πρόσβασης ; Πληροφοριακά συστήματα -- ΑσφάλειαAbstract
Modern information technology systems are characterized by increased complexity and by the obligation to support multiple concurrent users with different needs. In all cases it is a common requirement for all information systems to protect the information stored and managed by them.
In order to be able to successfully protect the resources of a system it is a prerequisite to authenticate users prior to granting them access and enforcing access controls rules thereafter so as to determine what resources and information each user is allowed to access.
The most widely used authentication method used, despite the well-known issues that it faces, is text passwords. Nevertheless, the human ability to remember and recall visual information has been the trigger for intense research in the field of graphical passwords authentication as a more reliable alternative against text-based passwords. However, graphical passwords suffer from user acceptance issues and security weaknesses.
Having identified these shortcomings, in this thesis we present a novel authentication scheme, namely the Novel Authentication with Visual Information (NAVI), based on visual information that generates strong and secure passwords. NAVI utilized as users’ credentials the route a user selects in a predefined map. We present a security analysis of NAVI at a theoretical level and we have implemented a prototype that was provided to a number of users in order to evaluate its ease of use and its real-life password generated strength. In addition to that, the users who participated in the aforementioned experiment have answered a questionnaire regarding NAVI’s functionality and implementation.
Once a user has been successfully authenticated appropriate access rights should be granted to him. The majority of access control models has been based on the assumption that the users’ access rights can be defined a priori. However, in a modern and complex environment emergency and unpredictable situations arise very often, leading to access requests that have not been foreseen by the standard procedures in place. Having identified such a need, we introduce a novel access control model, namely the Dynamic Spatio Temporal EMergency Role Based Access Control (DSTEM-RBAC) which has been based upon the Role Based Access Control (RBAC) model. DSTEM-RBAC takes into account spatiotemporal restrictions and more importantly it provides controllable and secure means to override the defacto security policy of an organization by utilizing static and dynamic information in order to reach a decision whether emergency access should be allowed.
In DSTEM_RBAC, the Role hierarchy is represented as a directed graph with weights, where each role is a node. The distance between nodes is the key parameter for the
proposed emergency access process. In essence, the distance between roles combined with spatiotemporal restrictions and dynamic information determine whether emergency access should be granted. The dynamic information consists of the user’s location, its level of trust, the organization’s threat level, the organization’s emergency status and the internet threats risk level.
The proposed architecture, as implemented in DSTEM-RBAC, is an extension of XACML. A prototype implementation of the model is presented in order to highlight its applicability in the healthcare environment.
In addition to that a methodology was developed to assess the users’ behavior so as to provide the means to optimize the DTSTEM-RBAC parameter configuration and also to provide a methodology to detect possible abuses of the emergency access functionality. Finally, a survey was performed in two clinics as a case study for the emergency access process.