Transcript and Presenter's Notes

Title: Announcements


1
Announcements
  • 2-Nite
  • Book review is due
  • 1 talk
  • 1 presentation
  • Freedom Downtime DVD
  • Next Week: Guest speakers Jeff and Doug
  • Major security breach at UC Berkeley has allowed
    thousands of confidential records to be stolen
    this week
  • Privacy policy of my eye doctor and their
    security practices

2
INLS 187
  • October 21, 2004
  • Identification, Authentication and
    Authorization

3
Securing Assets
  • The age old problem of securing assets is that
    you don't want to protect them from everybody
  • Owners want and need access
  • All security systems must allow people in
  • Buildings and safes have doors and keys
  • ATM machines have access panels for servicers and
    a user interface for customers

4
Additional Complexity
  • Making systems or barriers conditionally
    penetrable raises the level of complexity and
    requires planning, design, and execution
  • Punch a hole in a barrier and then control access
    to that hole
  • These avenues of access are most often the
    weakest links

5
The Jumble
  • Many systems jumble identification,
    authentication and authorization
  • Identification: Who are you?
  • Authentication: Prove it.
  • Authorization: Here is what you are allowed to
    do.
  • Conflating these three, or failing to distinguish
    between them, can lead to security problems.

6
Example
  • London Underground
  • Can purchase passes that allow unlimited travel
    for a week, month or year.
  • Two parts: photocard and ticket
  • The photocard is obtained from a clerk and is
    permanent; it has an ID number and your photo on
    it.
  • Tickets are purchased from a clerk or vending
    machine and are not valid until they have the ID
    number written on them that corresponds to your
    photocard

7
Example Cont.
  • In this example, the card is your authentication,
    or token, but doesn't authorize anything.
  • The ticket is the authorization.
  • There is no identification; it is an anonymous
    system. The Underground only cares that two
    people don't share passes, which is what the
    photo is for.
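
The Underground pass as a small model, added here as an example (it is not from the original presentation, and the ID number, dates and return strings are constructed for illustration). The photocard is the only thing the gate authenticates, the ticket is the only thing that authorizes, and no step ever asks for a name:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Photocard:
    """Authentication token: permanent, clerk-issued, carries a number and a photo.
    Gate staff compare the photo; only the number is modelled here."""
    id_number: str


@dataclass(frozen=True)
class Ticket:
    """Authorization: unlimited travel for a period, valid only once a clerk has
    written a photocard number on it (None = not yet bound)."""
    written_id: Optional[str]
    valid_from: date
    days: int  # 7, 30 or 365 for the week/month/year passes in the slides


def check_pass(card: Photocard, ticket: Ticket, today: date) -> str:
    """Gate decision: 'ok' or the reason for refusal.

    Nothing here identifies the traveller. The gate only checks that the
    authorization (ticket) is bound to the presented token (photocard) and
    that it is still inside its validity window."""
    if ticket.written_id is None:
        return "ticket not bound to any photocard"
    if ticket.written_id != card.id_number:
        return "ticket bound to a different photocard"
    valid_until = ticket.valid_from + timedelta(days=ticket.days)  # exclusive
    if not ticket.valid_from <= today < valid_until:
        return "ticket expired or not yet valid"
    return "ok"


def demo() -> tuple:
    """Constructed sample: a week pass bought 18 Oct 2004, bound to card 117423."""
    card, stranger = Photocard("117423"), Photocard("900001")
    week = Ticket("117423", date(2004, 10, 18), 7)
    return (
        check_pass(card, week, date(2004, 10, 21)),      # within the week
        check_pass(card, week, date(2004, 10, 25)),      # day 8: expired
        check_pass(stranger, week, date(2004, 10, 21)),  # shared ticket
        check_pass(card, Ticket(None, date(2004, 10, 18), 7), date(2004, 10, 21)),
    )
```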

8
More examples
  • Postage stamps: authorizations
  • In Switzerland, trash stamps: same thing (user
    fees paid)
  • National Park tickets
  • Ski lift tickets
  • NYC subway pre-paid cards or ride tokens
  • Very simple security, many possible avenues of
    attack

9
Tokens, tickets and passes
  • Most of these examples have limited life
    spans: stamps are canceled, tickets torn in half,
    lift tickets only good for a day or a weekend
  • Authorization tokens don't necessarily require
    identification and are generally transferable
  • Airline tickets are an exception: they now contain
    passenger info, and that was more to prevent
    re-sale of tickets than it was to solve any
    security problems.
  • Do we have a right to fly anonymously?

10
Identification
  • A basic way to achieve authorization is through
    identification.
  • Our most important security system.
  • Implemented universally
  • You recognize (identify) family, friends,
    colleagues, celebrities, etc.
  • Once identified, a level of trust can be decided
    upon

11
Examples
  • You recognize, and thus identify, a co-worker and
    know that she is allowed into her office, whereas
    a strange person entering that office would alarm
    you
  • The people who work at Armadillo Grill have
    identified me as a regular and let me run a tab
    in the bar

12
Reputation?
  • Reputation also comes into play when talking
    about identification
  • Reputation is knowing things about someone over
    time: do they pay their bills?
  • As civilization has grown more complex and people
    more mobile, credit bureaus have come into
    existence. These organizations track your
    reputation so that potential business associates
    or creditors have some basis for judgement about
    you.

13
Reputation Deux
  • In one Sterling book, reputation systems are
    pervasive and assign a rank to everyone in a
    highly mobile society that has no other means of
    gauging trust
  • One character went from general to corporal
    and eventually back up to colonel as his
    strategy played out
  • Reputations are hard to build and easy to damage,
    so be cautious
  • Resumes, transcripts, letters of recommendation,
    letters of introduction, these can all describe
    parts of your reputation

14
Fact Checking
  • Fact checking of resumes and transcripts is big
    business
  • 123NC criminal history checks in NC
  • Background checks are now common at companies and
    even at UNC
  • After incidents in Eastern NC, legislators now
    want prospective college students to have
    background checks done before admission
  • Sex offender registries: Megan's Law

15
Technology makes it easier
  • Technology is making all this checking easier and
    cheaper
  • Unfortunately, technology is making it harder for
    those who want to build back their reputations
  • Having one's debt to society paid in full is
    becoming a quaint notion, but maybe it never
    truly existed, depending on how heinous the crime
    committed was
  • This takes us into privacy and why people
    migrated west, among other things

16
Back to Identification
  • In many systems, identification and authorization
    are muddled and thus perceived to be the same
    thing
  • Knowing who someone is and knowing what they are
    allowed to do are different, however
  • Our names identify us
  • In technological systems, numbers are the
    identifiers (e.g. database keys) because early
    punch card sorters were designed for numbers and
    computers have carried on the tradition

17
Names
  • Names are poor identifiers because so many
    duplicates exist
  • There is another Ben Brunk in Virginia, man, was
    he unlucky!
  • People get each other's paychecks and airline
    tickets
  • The no-fly list is a problem for mistaken
    identities
  • Your ATM card identifies you by the account
    number, not the name; Swiss banks have no names
    associated with them at all

18
Identifiers
  • Account number, customer number, order number,
    these all identify things related to you
  • Many databases use the SSN, allowing broad
    cross-referencing possibilities
  • Your driver's license and passport have unique
    identifying numbers on them

19
Authentication
  • An entirely different system
  • Example: You give your passport to an
    immigration official. They scan the number into
    a computer, then compare you with the picture in
    the passport. The name and number identify you,
    the picture authenticates you.
  • Your Username on the computer identifies you,
    your password authenticates you

20
Authentication
  • Three methods of authenticating someone
  • Something she knows
  • Something she has
  • Something she is
  • Protocols and algorithms again

21
Something you know
  • Passwords
  • Secret handshakes
  • PIN codes
  • Combinations
  • A question

22
Vulnerabilities
  • Once told, the verifier knows the secret
  • WWII: Who won the 1940 World Series?
  • Led to challenge/response systems where both
    parties had to have an answer
  • Still possible for someone to find out the
    password accidentally
  • Having computers do the authentication is better
    because computers are easier to control and not
    as easy to subvert
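
The challenge/response idea from the slide, added here as an example (not from the original presentation; the HMAC construction and the shared secret are assumptions chosen for illustration). Both parties still hold the secret, so the verifier "knows" it as the slide says, but the answer on the wire depends on a fresh challenge, so a recorded answer is useless later:

```python
import hashlib
import hmac
import secrets

# Both parties hold the shared secret (constructed sample value).
SHARED_SECRET = b"who-won-the-1940-world-series"


def verifier_issue_challenge() -> bytes:
    """Fresh random nonce for each attempt; never reused."""
    return secrets.token_bytes(16)


def prover_answer(secret: bytes, challenge: bytes) -> bytes:
    """The answer depends on secret and challenge but reveals neither."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verifier_check(secret: bytes, challenge: bytes, answer: bytes) -> bool:
    """Verifier recomputes the expected answer; constant-time comparison."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, answer)


def replay_demo() -> tuple:
    """Returns (genuine exchange accepted, recorded answer replayed accepted,
    answer from a party with the wrong secret accepted)."""
    c1 = verifier_issue_challenge()
    a1 = prover_answer(SHARED_SECRET, c1)
    genuine = verifier_check(SHARED_SECRET, c1, a1)

    # An eavesdropper recorded a1 and tries to reuse it on a later attempt.
    c2 = verifier_issue_challenge()
    replayed = verifier_check(SHARED_SECRET, c2, a1)

    # Someone who overheard the exchange but not the secret guesses an answer.
    impostor = verifier_check(SHARED_SECRET, c2, prover_answer(b"guess", c2))
    return genuine, replayed, impostor
```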

23
Something you have
  • A key, membership card, cell phone SIM card
  • Transferable
  • Identifies a group, not an individual
  • Secret handshake authenticates members of a
    secret society
  • House keys authenticate not the homeowner, but
    one of a group who has access to a given house

24
Something you are
  • Physical characteristics
  • Your face
  • Your voice
  • This is what we normally think of as
    identification

25
Biometrics
  • Modern version of something you are
  • Signatures
  • Fingerprinting
  • Voiceprinting
  • Hand geometry
  • Iris and retina prints or scans
  • Ear shape

26
Biometric Advantages/Disadvantages
  • Biometrics are built in, so there is no need for
    tokens that can be forgotten
  • Harder to lose, but not impossible
  • Impossible to change
  • Not secret: can be readily observed and perhaps
    copied surreptitiously; you leave fingerprints all
    over the place (exoinformation?)

27
Biometrics (cont.)
  • If someone loses a key or access code, it is a
    trivial matter to change the lock or combination
    and regain security.
  • If someone steals your biometric, you're stuck.
    Your iris is your iris, your fingerprint is your
    fingerprint.

28
Even more biometric notes
  • For biometrics to work, the verifier must
    establish the biometric matches the master
    biometric on file and that the biometric
  • A remote system may be able to verify a biometric,
    but cannot tell when, or whether, it came from
    that person
  • Voice print fooled by a tape recorder
  • Signature: cut, pasted and faxed

29
Biometric examples
  • The bad: 2001 Tampa Super Bowl, face recognition
    system attempted to scan for known criminals
    entering the stadium (absolute disaster with high
    error rates)
  • The better: face scanning against a known
    database for purposes of authentication (still
    not too reliable by itself)

30
Authentication Brittleness
  • Relying on a single authentication technique can
    be brittle
  • Better authentication from two or more methods
  • ATM uses something you have (a card) and
    something you know (a PIN); there is also a
    camera in the ATM for audit purposes
  • Biometric hand scanners also often require a PIN
    as well

31
Authentication Brittleness
  • Credit cards have two forms of authentication: the
    card itself and the signature (not that many
    clerks check the sig)
  • Now credit cards have additional numbers on the
    back that are not on the stripe or embossed on
    the card
  • Some banks now offer single use card
    numbers, useless if stolen during the transaction

32
Overlapping
  • Many systems perform identification and
    authorization concurrently (recognizing someone,
    or looking at their ID card)
  • A door key is an authentication token and an
    entry authorization (it opens the door)
  • SSN is an example of bad overlapping: it is used
    as an identifier and an authenticator, but it is
    a public number!
  • Mother's maiden name is a similarly lousy
    authentication code

33
Authentication using databases and networks
  • ID cards can potentially be forged: cut out the
    picture, insert your own
  • If the ID can be checked against a database that
    includes photos, this attack will fail, thus
    databases can strengthen authentication
  • ATM cards do not store the PIN on the card.
    Instead, it resides only in the bank's database,
    making it much harder for a thief to recover the
    PIN (rubber hose attacks notwithstanding)
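
The ATM from the slides as three separate steps, added here as an example (not from the presentation or any real bank; the account record layout, the PBKDF2 hashing of the PIN and the daily limit are assumptions). The card contributes only the account number; the PIN is checked against a salted hash that exists only on the bank side, and the limit is a separate authorization decision:

```python
import hashlib
import hmac
import os
from typing import Optional


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Only a salted, slow hash of the PIN is kept, and only by the bank."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def _record(name: str, pin: str, daily_limit: int, withdrawn_today: int) -> dict:
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "pin_hash": hash_pin(pin, salt),
            "daily_limit": daily_limit, "withdrawn_today": withdrawn_today}


# Constructed bank-side table, keyed by account number (the identifier), not by name.
ACCOUNTS = {"4000-1234": _record("B. Brunk", "2580", 300, 250)}


def identify(account_number: str) -> Optional[dict]:
    """Identification: the card's stripe says which account. Nothing is proved yet."""
    return ACCOUNTS.get(account_number)


def authenticate(record: dict, pin: str) -> bool:
    """Authentication: something you know, checked with a constant-time compare."""
    return hmac.compare_digest(record["pin_hash"], hash_pin(pin, record["salt"]))


def authorize(record: dict, amount: int) -> bool:
    """Authorization: what this account may do right now (a daily limit here)."""
    return amount > 0 and record["withdrawn_today"] + amount <= record["daily_limit"]


def withdraw(account_number: str, pin: str, amount: int) -> str:
    """The three steps in order; each failure is a distinct outcome for the audit log."""
    record = identify(account_number)
    if record is None:
        return "unknown account"
    if not authenticate(record, pin):
        return "bad PIN"
    if not authorize(record, amount):
        return "over daily limit"
    record["withdrawn_today"] += amount
    return "dispensed"
```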

34
Networks (cont.)
  • Unfortunately, networks and databases open up new
    avenues of attack
  • Remote authentication is problematic
  • Lots of authentication systems fail because they
    were not meant to be used remotely (fax us a copy
    of your driver's license)

35
Enrollment and Revocation
  • Someone has to decide who gets the office keys
    and for how long
  • Ability to change the locks or codes
  • Example of bad security: a company I worked for
    used a keypad on the door but never changed the
    code; dirt on buttons made it possible to tell
    which three buttons were pressed 10,000 times

36
Enrollment and Revocation
  • We trust a driver's license because of who
    enrolls you
  • Transitive trust: trusting the ID requires
    trusting the people who issued it
  • If these people or procedures are subverted, the
    security features of the ID are worthless
  • Two 9/11 terrorists obtained real Virginia
    driver's licenses with fake names
  • Statuses change: death or an arrest require
    revocation, so databases must keep up

37
Liability
  • Bars accept a driver's license as proof of age not
    because they trust the accuracy of the license,
    but because they know any misstatement is not
    their fault; altered IDs are a matter for the
    state to handle, the bar owner's job is to make
    sure no one underage drinks (unless they are
    female)

38
Automatic Token Expiration
  • Many authorization tokens expire automatically
  • AFS tokens expire daily
  • Train passes expire after a month
  • Postage stamps expire when the rates go up
  • Driver's licenses expire after four years unless
    you get a DWI
  • Many European DLs never expire
  • Passports are generally good for 10 years,
    children's passports for 5 years

39
Non-expiring ID Tokens
  • Bank account numbers seldom change
  • Phone numbers don't change unless you move (cell
    phone portability is the big thing now)
  • Cash doesn't expire (it only gets devalued by the
    Federal Reserve)
  • Forgeries are the reason why things expire; it sets
    a limit for usefulness (most of the credit card
    numbers available via Google are expired)

40
Training
  • People must be trained to spot forgeries
  • How do you know what an FBI badge or ID looks
    like? Rarely seen by most people.
  • How about a UPS driver's uniform?
  • Uniforms and badges are easy to fake
  • In 2002, someone used a $200 bill with a picture
    of GWB on it to buy a $2 item at a Dairy Queen in
    Kentucky. The clerk accepted the bill and gave
    them their food and $198 change.

41
Anti-forgery techniques
  • Map companies add fake features to their maps
    that only they know about (security by
    obscurity?)
  • Phone books and mailing lists also use fake
    listings to make sure no one steals, copies or
    uses the data without authorization
  • Watermarks (sometimes removable)

42
Conclusions
  • The same old push and pull between those who
    design the security systems and those who try to
    subvert them exists here as well
  • Multiple layers of security are more resilient
  • Talk to Joel about biometrics or read his paper