Chapter 2 – Who I am and what I am allowed to do
Humans can tell people apart quite easily, by their appearance or voice, for example. Computers, however, do not have senses, so we must prove our identity to them through some authentication method.
Once we have authenticated ourselves, authorisation takes place, which defines what actions we may perform.
1. Introduction
In the real world, humans can tell people apart quite easily and, in the case of people they know, even recognise exactly who they are. A computer has a much more complicated problem, and a person must prove their identity to it in a way that computing technology is able to process. That is why there are various methods of logging into computer systems.
The next step that people perform subconsciously is to assess what a given person is allowed to do – for example, go through the gate, ask for lunch, borrow a pen, etc. Computer systems likewise cannot be used by everyone in the same way. For example, a student cannot record their own exam results; only the examiner can do that, and a teacher cannot change the course unit syllabus, since only the course guarantor has that permission. Computer systems therefore contain lists of users and their permissions, which are defined by system administrators according to the requirements or the job position of the user.
In short, since many activities today cannot be done without computers, the computer must know who you are (authentication) and, based on the assigned permissions, allow you (or not) to perform specified activities (authorisation).
2. Electronic identity (Who I am…)
Electronic identity is the interpretation of a specific person in the cyber world. In the real world, each person has one physical identity, but in the cyber world they often use multiple identities (personal email accounts, university accounts, work email accounts, online banking, social networks, etc.).
Electronic identity is stored in computer systems as a unique identifier, usually referred to as a username. This identifier is not secret – in e-shops, for example, the username is typically an email address. Some organisations, such as banks, deliberately use an identifier that is not publicly linked to the person (neither an email address nor the account number), so an attacker has to find a valid username before they can even start attacking the password.
Because the username is not secret and may be known to others, the natural person who owns the electronic identity must somehow prove that ownership to the computer. Only someone who has proved their identity in this way may use the electronic identity.
We can prove ownership of an electronic identity in several ways (so-called authentication methods). They fall into three groups, or factors: something we know, something we have and something we are. The most common, simplest and most universal method is knowledge of secret information, most often a password or PIN (Personal Identification Number), but also a secret gesture (tracing the correct pattern with a finger on the display). The second group is possession of an object, typically a chip card, an identification card or a phone that receives one-time codes. The third group is a biometric feature such as a fingerprint or face; this is not something we own but something we are, and unlike a password it cannot be replaced if it is ever copied.
However, in every case the computer cannot tell whether the secret was entered by the person it belongs to or by someone who merely obtained it. If someone learns your password or steals your identification card, they can use your electronic identity and effectively impersonate you.
Fortunately, this weak point can be reinforced with multi-layer defence, which we discussed in the Basic principles and motivation chapter. In multi-factor authentication the user (and a potential attacker) must pass several authentication methods of different kinds in succession. In practice the most common form is two-factor authentication (often abbreviated to 2FA): a classic password supplemented by a code from an SMS sent to a pre-registered phone number, or by a time-varying code shown by an authenticator application on the phone.
Why two-factor authentication? Why not three or four?
Adding a second factor of a different kind – the first is knowledge, the second possession (whoever holds the phone can read the SMS or the app's code) – significantly increases login security. Two passwords would not achieve this, because both fall to the same kind of attack. Adding further factors improves security too, but the benefit no longer outweighs the cost (except for super-secret agencies), and user comfort suffers more.
It is no longer enough for someone who wants to impersonate us to obtain the password; they must also get hold of the phone, which is usually locked with a gesture, fingerprint or numerical code. Not all second factors are equal, though: an SMS code can be diverted by taking over the phone number (so-called SIM swapping) or phished together with the password, whereas an authenticator app or a hardware security key is considerably harder to defeat.
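The time-varying code mentioned above is normally a TOTP, a one-time code computed by the phone and the server from a shared secret and the current 30-second time step. The following is an added example written for this chapter, not code from the original text: it implements the standard HOTP/TOTP computation (RFC 4226 and RFC 6238) and the server-side check. The secret and timestamps used in the test are the RFC test vector; the one-step tolerance window and the replay rule are assumed policy choices.

```python
"""TOTP second factor (added example, not part of the chapter).

The phone and the server share SECRET.  The code is an HMAC over the
current time step, so only whoever holds the enrolled device can produce
it; the server accepts one step of clock drift and refuses to accept a
code for a step it has already accepted (replay).  Window and replay
policy are assumptions; the secret in __main__ is the RFC test vector.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step
DIGITS = 6     # digits shown by the app
WINDOW = 1     # accept codes one step before/after the server's clock


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of STEP-second intervals since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP, digits)


class TotpVerifier:
    """Server side: checks a submitted code and refuses replays of an accepted step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_accepted_step:
                continue  # that step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"      # RFC 6238 test secret, not a real key
    print("current code:", totp(SECRET))
    v = TotpVerifier(SECRET)
    print("accepted:", v.verify(totp(SECRET)), "replay accepted:", v.verify(totp(SECRET)))
```

Compromising the phone therefore yields the secret, and with it every future code, which is why the chapter's warning about logging in from the same device that holds the second factor applies to authenticator apps as much as to SMS.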
Not like this – misusing two-factor authentication
Today's smartphones are full-fledged computers and are used as such, which often leads to people logging into online banking from the very smartphone that receives the authentication SMS. If someone compromises that device, they control both channels at once: they see the username and password being typed and they read the SMS as it arrives. The attacker has everything handed to them on a silver platter. Two factors only add security when a single compromise cannot capture both, so enter the password on a different device from the one that receives the code, or use a second factor that does not live on the same device.
The level of security of an electronic identity should be chosen according to how valuable it is and what we stand to lose (remember the discussion about the price of security in the Basic principles and motivation chapter). A simple password may do for an e-shop where we make a one-off purchase and store no payment card details. The password for a university account belongs to a higher category, because its misuse can cause significant damage, from loss of the university's prestige to loss of a job. The highest category includes a private email account, which can typically be used to reset the passwords of other services, and anything where money is involved, typically internet banking.
3. Password issues
Password logins are still the most widely used authentication method because they are simple, cheap and familiar to users. Knowing how to choose the right password and how to use it correctly is essential knowledge for protecting electronic identities.
A password should resist all possible methods of compromise – remember the weakest link principle. One such method is beyond your control: careless handling by the administrators of a service you log in to (e.g. an e-shop that stores passwords badly and leaks them). That is why we use different passwords for different services, such as e-shops, social networks, university accounts, electronic banking, etc. If someone obtains the password for one service, they cannot use it to access the others.
Depending on the importance of the service, we also choose reasonably complex passwords (again related to the price of security). Complexity protects against so-called brute-force attacks, in which an attacker systematically tries every possible combination of characters and attempts to log in as the user with each one. If the password uses several types of characters (lowercase letters, uppercase letters, digits and special characters such as periods or slashes) or is long, the number of possible combinations is enormous and it takes a long time to hit the right one. In addition, an online service will usually lock the account or slow down further attempts after a certain number of failed logins, which caps how many guesses the attacker can make through the login form.
An attacker can also break into the service provider's server and steal the stored passwords. Fortunately, no reasonable provider today stores passwords in open, readable form, or even encrypted with a key that could be stolen along with them; instead, each password is run through a one-way hash function together with a random value (a salt) that differs for every user, and only the result is stored. The server never needs the original password: at login it hashes what the user typed with the same salt and compares the result. The same computation is open to an attacker who steals the database. If they recognise the hash function (and they usually can, since the stored format is standard), nothing stops them from hashing candidate passwords and comparing the results with the stolen values; a match means the password has been guessed. Unlike guessing through the login form, this offline attack is not limited by the number of allowed failed logins; only the computing power at the attacker's disposal sets the pace. A deliberately slow hash function (bcrypt, scrypt, Argon2, or PBKDF2 with many iterations) raises the cost of every guess, and the per-user salt prevents one precomputed table from being reused against all users, but neither rescues a short or common password.
Time needed to crack a password on a powerful device
Suppose an attacker has a computer capable of trying 20 billion combinations per second.
To solve this, we use the formula for variations with repetition, n^k, where n is the number of possible characters and k is the number of characters forming the "word". Dividing n^k by the rate gives the time needed to try the whole space, i.e. the worst case; on average the right password turns up after about half of it.
A password of 4 digits:
- digits 0–9, i.e. 10 possible characters, 4 characters in the password
- 10^4 = 10 thousand combinations
- cracked in 0.0000005 s
A password of 8 characters, using lowercase and uppercase letters and digits:
- 26 lowercase letters + 26 uppercase letters + 10 digits, i.e. 62 possible characters, 8 characters in the password
- 62^8 = 218 340 105 584 896, i.e. approx. 218.3 trillion combinations
- cracked in approx. 3 hours
A password of 10 characters, using lowercase and uppercase letters and digits:
- 62 possible characters as above, 10 characters in the password
- 62^10 = 839 299 365 868 340 224, i.e. approx. 839 299.4 trillion combinations
- cracked in approx. 486 days
Therefore, the larger the set of characters used and the longer the password, the higher the total number of combinations, and each extra character multiplies the attacker's work by the size of the character set.
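The calculation above, as an added example that is not part of the original chapter: a small estimator that infers the character classes from a sample password, computes n^k and converts it to cracking time at the chapter's rate of 20 billion guesses per second, reporting both the worst case and the expected case. The class sizes for letters and digits follow the chapter; the special-character class (32 printable ASCII punctuation marks) is an assumption, and the sample passwords are constructed.

```python
"""Brute-force cost estimator (added example, not part of the chapter).

Reproduces the chapter's figures and generalises them: the alphabet an
attacker must enumerate is inferred from which character classes a
password uses, and the time is reported for the whole space (worst case)
and for the expected case (right password found half-way on average).
RATE and the letter/digit class sizes follow the chapter; the 32-symbol
special-character class is an assumption of this example.
"""
import string

RATE = 20_000_000_000  # guesses per second, as in the chapter

CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32 (assumed set of special characters)
}


def keyspace(n: int, k: int) -> int:
    """Variations with repetition: n^k passwords of length k over n symbols."""
    return n ** k


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to enumerate this password's classes."""
    unknown = [c for c in password if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def seconds_to_exhaust(n: int, k: int, rate: int = RATE) -> float:
    """Worst case: every one of the n^k candidates is tried."""
    return keyspace(n, k) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.7f} seconds"


def estimate(password: str, rate: int = RATE) -> dict:
    """Keyspace and cracking time for a password of this length and class mix."""
    n, k = alphabet_size(password), len(password)
    worst = seconds_to_exhaust(n, k, rate)
    return {"alphabet": n, "length": k, "keyspace": keyspace(n, k),
            "worst_case": humanize(worst), "expected": humanize(worst / 2)}


if __name__ == "__main__":
    # constructed samples: the chapter's three cases plus a long lowercase passphrase
    for sample in ["1234", "Aa1Bb2Cc", "Aa1Bb2Cc3D", "correcthorsebattery"]:
        print(f"{sample!r:>22}: {estimate(sample)}")
```

The last sample illustrates the point made in the recommendations below: twelve lowercase letters give a larger space (26^12) than eight characters drawn from all four classes (94^8), so length can stand in for complexity.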
However, attackers know that most users do not choose random passwords, so they compile lists of passwords that people actually use (so-called dictionaries) from earlier leaks. Another way of obtaining passwords is thus the dictionary attack, where instead of trying every combination of characters, a relatively small number of likely words are tried. An example is Password123. Such a password would not take 3 hours to crack (see the calculation above) but a fraction of a second, because it sits near the top of every dictionary. Cracking tools also apply mangling rules to each dictionary word (appending a year, replacing o with 0, capitalising the first letter and so on), so P@ssw0rd2023 is hardly stronger than password.
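The offline attack described above and the dictionary attack, as one added example that is not part of the original chapter. The constructed service stores salted PBKDF2 hashes and locks an account after five failed logins (an assumed policy); the attacker's dictionary, the accounts and the passwords are all made up for the example. Guessing through the login form is stopped by the lockout, but the same dictionary run against the stolen hash record recovers Password123 in a handful of attempts.

```python
"""Online vs offline password guessing (added example, not part of the chapter).

A constructed service stores salted, slow PBKDF2 hashes (never plaintext
or reversible encryption) and locks an account after MAX_ATTEMPTS failed
logins.  With a small dictionary the attacker is locked out at the login
form, but once the hash database leaks the same dictionary can be tested
offline with nothing limiting the number of attempts.  Accounts, the
dictionary and the lockout policy are all constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000    # PBKDF2 work factor; kept low so the example runs quickly
MAX_ATTEMPTS = 5       # online lockout threshold (assumed policy)

# Constructed attacker dictionary; real ones hold millions of leaked passwords.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "welcome1",
              "iloveyou", "Password123", "Summer2024"]


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random per-user salt together with the PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


class LoginService:
    """Online login: usernames are public, only hash records are stored."""

    def __init__(self, users: dict):
        self.db = {u: hash_password(p) for u, p in users.items()}
        self.failures = {u: 0 for u in users}

    def login(self, username: str, password: str) -> str:
        if username not in self.db:
            return "unknown user"
        if self.failures[username] >= MAX_ATTEMPTS:
            return "locked"  # lockout is checked before the password, even a correct one
        if verify_password(self.db[username], password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "wrong password"


def online_attack(service: LoginService, username: str, dictionary: list):
    """Guess through the login form; returns (password or None, attempts made)."""
    for attempts, guess in enumerate(dictionary, start=1):
        result = service.login(username, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(dictionary)


def offline_attack(record: dict, dictionary: list):
    """Guess against a stolen hash record; no lockout applies here."""
    for attempts, guess in enumerate(dictionary, start=1):
        if verify_password(record, guess):
            return guess, attempts
    return None, len(dictionary)


if __name__ == "__main__":
    svc = LoginService({"alice": "Password123", "bob": "kT7#vq2Lp!9xWz"})
    print("online  alice:", online_attack(svc, "alice", DICTIONARY))    # locked out
    print("offline alice:", offline_attack(svc.db["alice"], DICTIONARY))  # found
    print("offline bob  :", offline_attack(svc.db["bob"], DICTIONARY))    # not in list
```

The salt is why two users with the same password get different records, and the iteration count is why each offline guess costs the attacker real work; neither helps alice, whose password is in the dictionary, which is the point of the uniqueness and length recommendations that follow.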
The requirement for a password to withstand all of the above threats leads to the following recommendations for choosing a good password:
- Long – at least 12 characters; the more, the better.
- Complex – use a combination of different groups of characters, i.e. lower case, upper case, numbers, punctuation or other special characters (semicolon, slash, backslash). Lower complexity can be compensated for by length.
- Unique – a different password for every service and account; a password manager makes long, unique passwords practical, since you then only need to remember one strong master password.
- Changed when there is a reason to – immediately if the service reports a breach or you suspect the password has been seen, typed into a phishing page or used on a compromised device, especially where two-factor authentication is not in use. Forced periodic changes for their own sake tend to produce predictable variations (Password1, Password2, ...) and are no longer considered good practice; where a provider still requires them, the interval should be commensurate with the value of what the password protects and the other security features in use.
4. Authorisation (What I am allowed to do…)
As mentioned in the introduction, not everyone can perform the same actions in the system under all circumstances, just as in the real world, where, for example, a police officer may detain a person or search a vehicle while an ordinary citizen may not. Computer systems are similar: after verifying the user's identity, the appropriate permissions and roles must be applied to that user.
Every computer system has a list of users and their roles. Roles are set by the system administrator according to the needs of the system owner. They are often also assigned on the basis of membership in a defined group: the system may not know every student individually, but when a student logs in, it checks that he or she belongs to the student group and automatically grants student rights. If you hold multiple roles in the system, and the system or its user interface differs for each, it is usually possible to switch roles and see the environment and functions corresponding to the selected role.
Is it necessary for a superior to have all the permissions of his/her subordinates?
No. When assigning permissions, follow the principle of least privilege: every user gets only the permissions their own work requires. A superior who does not carry out the subordinate's tasks should not hold the permissions for them, because unused permissions do no good but add risk: a mistake, or an attacker who takes over the superior's account, can then do everything the whole team can. Granting them "just in case" does more harm than good.
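The role model described in this section, as an added example that is not part of the original chapter: permissions hang off roles, a user's roles are derived from group membership at login, the user acts under one active role at a time and may switch among those they hold, and the head of department does not inherit the examiner's right to write results. The roles, permissions, groups and users are constructed for the example, and authentication is assumed to have already succeeded.

```python
"""Role-based authorisation (added example, not part of the chapter).

Permissions are attached to roles, roles come from group membership when
the user logs in (the system need not know every student by name), checks
are made against the currently active role, and "head" deliberately lacks
write_results: least privilege.  All roles, groups, users and actions are
constructed; authentication is assumed to have happened already.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The only place that defines "who may do what".
ROLE_PERMISSIONS = {
    "student":   {"read_own_results", "read_syllabus"},
    "examiner":  {"read_syllabus", "write_results"},
    "guarantor": {"read_syllabus", "edit_syllabus"},
    "head":      {"read_syllabus", "approve_budget"},   # no write_results
}

# Group -> role; membership is looked up in the directory at login time.
GROUP_ROLES = {"students": "student", "examiners": "examiner",
               "guarantors": "guarantor", "heads": "head"}

# Constructed directory: username -> groups the user belongs to.
DIRECTORY = {
    "anna": {"students"},
    "petr": {"examiners", "heads"},
    "eva": {"guarantors"},
    "karel": {"heads"},
}


@dataclass
class Session:
    username: str
    roles: FrozenSet[str]
    active_role: Optional[str]


def login(username: str, directory: dict = DIRECTORY) -> Session:
    """After successful authentication, derive the roles from group membership."""
    roles = frozenset(GROUP_ROLES[g] for g in directory.get(username, set())
                      if g in GROUP_ROLES)
    # start in the alphabetically first role; a real UI would let the user pick
    return Session(username, roles, min(roles) if roles else None)


def switch_role(session: Session, role: str) -> None:
    """Switch the active role, but only to one the user actually holds."""
    if role not in session.roles:
        raise PermissionError(f"{session.username} does not hold role {role!r}")
    session.active_role = role


def is_allowed(session: Session, action: str) -> bool:
    """Authorise against the active role only, never the union of all roles."""
    if session.active_role is None:
        return False
    return action in ROLE_PERMISSIONS[session.active_role]


if __name__ == "__main__":
    for user in ["anna", "petr", "karel", "nobody"]:
        s = login(user)
        print(f"{user:>7} roles={sorted(s.roles)} write_results={is_allowed(s, 'write_results')}")
```

Checking against the active role rather than the union of all roles is what makes role switching meaningful: petr, who is both examiner and head, writes results only while acting as examiner, and karel, who is head only, never can.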
5. Summary
In this chapter we have learned what electronic identity is and how to prove it to computer systems. We have also learned that you need to guard your electronic identity like a hawk, because losing it can have far-reaching consequences. Choosing and managing your password correctly can prevent an attacker from misusing it. Wherever possible, it is advisable to adopt a multi-layer defence in the form of multi-factor authentication. We have also learned that not everyone can perform the same operations on computer systems, so their permissions are set by the system administrator according to the wishes of the system owner.