Chapter 4: Access Control Part A - PowerPoint PPT Presentation

Slides: 70
Provided by: matt293

Transcript and Presenter's Notes

1
Chapter 4 Access Control (Part A)
  • Access controls overview
  • Security principles
  • Identification, Authentication, and Authorization

2
Access controls overview
  • Access controls govern how users and systems
    communicate and interact with other systems and
    resources.
  • They protect systems and resources from
    unauthorized access.
  • They are a component of determining the level of
    authorization granted after authentication.
  • One of the first lines of defense.
  • Covers several different types of mechanisms,
    e.g., logon (username and password) and file
    access control lists (ACLs).

3
Access controls overview (2)
  • Access: the flow of information between a subject
    and an object.
  • Subject: an active entity that requests access to
    an object or the data within an object.
  • E.g., a user, program, or process
  • Object: a passive entity that contains
    information.
  • E.g., a computer, database, file, computer
    program, directory, or field contained in a table
  • The same entity can play either role: a program is
    a subject when it requests a file and an object
    when another process reads or executes it.

4
Security Principles
  • Three main security principles
  • Availability: ensures reliable and timely
    access to data and resources for authorized
    individuals
  • Integrity: assurance that the accuracy and
    reliability of information and systems is
    provided.
  • Confidentiality: ensures the necessary level of
    secrecy is enforced at each junction of data
    processing and prevents unauthorized disclosure.
  • Security management: the procedure to identify
    threats that can negatively affect availability,
    integrity, and confidentiality, and to find
    cost-effective countermeasures.

5
The AIC Triad
6
Identification, Authentication, and Authorization
  • Identification: the subject (user, program, or
    process) claims an identity; authentication is
    the method of ensuring that the subject is the
    entity it claims to be.
  • Common identification: username, account number
  • A second piece in the credential set: password,
    passphrase, cryptographic key, PIN, anatomical
    attribute, token.
  • Authentication: the two credential items are
    compared to information that has been previously
    stored for this subject.
  • Match → the subject is authenticated

7
Identification, Authentication, and Authorization
(2)
  • Authorization (follows authentication)
  • The system needs to determine if this
    (authenticated) subject has been given the
    necessary rights and privileges to access the
    required resources.
  • Besides identification, authentication, and
    authorization, the subject needs to be held
    accountable for the actions taken.
  • Accountability: the auditing system records the
    subject's actions within the system

8
Three steps Identification, Authentication, and
Authorization
9
Identification, Authentication, and Authorization
(3)
  • Logical access controls are tools used for
    identification, authentication, authorization,
    and accountability.
  • They are software components that enforce access
    control measures for systems, programs,
    processes, and information.
  • They can be embedded within operating systems,
    applications, add-on security packages, or
    database and telecommunication management systems.

10
Identification and Authentication (1)
  • Three general factors can be used for
    authentication:
  • something a person knows: password, PIN, mother's
    maiden name, etc.
  • something a person has: key, swipe card, access
    card, badge, etc.
  • something a person is: unique physical attributes,
    i.e., biometrics (more details later)
  • Strong authentication must include two out of
    the three factors
  • A.k.a. two-factor authentication
  • E.g., type a PIN and then take a biometric scan
  • Two items from the same factor (e.g., a password
    plus a PIN) are still single-factor authentication.

11
Identification and Authentication (2)
  • Identification component requirements:
  • Each value should be unique (for accountability)
  • A standard naming scheme should be followed
  • The value should be non-descriptive of the user's
    position or tasks
  • The value should not be shared between users.
  • Identity management encompasses the use of
    different products to identify, authenticate, and
    authorize users through automated means.

12
Identification and Authentication (3)
  • Features of identity management
  • The increase in complexity and diversity of
    networked environments complicates access control
  • The goal of identity management is to simplify
    the administration of these tasks
  • Identity management provides rich
    functionality:
  • User provisioning
  • Password synchronization and resetting
  • Self-service for users on specific types of
    activities
  • Delegation of administrative tasks
  • Centralized auditing and reporting
  • Integrated workflow and increased business
    productivity
  • Decrease in network access points
  • Regulatory compliance

13
Biometric (1)
  • Biometrics verifies an individual's identity by
    analyzing a unique personal attribute or
    behavior.
  • One of the most effective and accurate methods of
    verifying identity
  • Much more expensive and complex than the other
    types
  • Basic types:
  • Based on an individual's behavior (signature
    dynamics, keyboard dynamics)
  • Can change over time and can possibly be forged.
  • Based on physical attributes (iris, retina,
    fingerprint)
  • More accurate
  • Typically don't change, and are harder to
    impersonate.

14
Biometric (2) Fingerprint
  • A fingerprint is made up of ridge endings,
    bifurcations, and other detailed characteristics
    (minutiae)
  • Instead of storing the full fingerprint image,
    finger-scan technology extracts specific features
    from the fingerprint and stores them.
  • The reference file takes up less storage
  • Quick database lookups and comparisons

15
Biometric (3) Palm Scan
  • The palm has creases, ridges, and grooves
    throughout that are unique to a specific person.
  • The palm scan also includes the fingerprints of
    each finger.

16
Biometric (4) Hand Geometry
  • Hand geometry: the shape of a person's hand
  • the length and width of the hand and fingers
  • The system compares the geometry of each finger,
    and the hand as a whole, to the information in a
    reference file

17
Biometric (5) Retina Scan
  • Retina scan: scans the blood-vessel pattern of the
    retina at the back of the eyeball.

18
Biometric (6) Iris Scan
  • The iris is the colored portion of the eye that
    surrounds the pupil.
  • It has unique patterns, rifts, colors, rings,
    coronas, and furrows.

19
Biometric (7) Signature Dynamics
  • Signing a signature produces electrical signals
    that can be captured by a biometric system.
  • Signature dynamics provides more information than
    a static signature
  • Signature dynamics vs. digitized signature vs.
    digital signature:
  • A digitized signature is just an electronic copy
    (image) of someone's signature
  • A digital signature is based upon cryptographic
    methods of originator authentication (see the
    Digital Signature slides later in this chapter)
  • Signature dynamics captures the electrical signals
    when a person signs a name, including the speed
    of signing, the way the person holds the pen, and
    the pressure the signer exerts to generate the
    signature

20
Biometric (8) Keyboard Dynamics
  • Keyboard dynamics captures electrical signals
    when a person types a certain phrase.
  • As a person types a specified phrase, the
    biometric system captures the speed and motions
    of this action.
  • Each individual has a certain style and speed,
    which translate into unique signals.
  • More effective than typing in a password alone,
    since an attacker who knows the phrase must also
    reproduce the typing rhythm

21
Biometric (9) Voice Print
  • There are many subtle distinguishing differences
    in people's speech sounds and patterns.
  • During the enrollment process, an individual is
    asked to say several different words.
  • In the authentication process, the biometric
    system jumbles these words and presents them to
    the individual. The individual then repeats the
    sequence of words given.

22
Biometric (10) Facial Scan
  • Facial scan: scans a person's face
  • bone structure, nose ridges, eye widths,
    forehead size, and chin shape.

23
Biometric (11) Hand Topology
  • Hand topology the different peaks and valleys of
    the hand, along with its overall shape and
    curvature.
  • is not unique enough to authenticate individuals
    by itself
  • is commonly used in conjunction with hand
    geometry.

24
Biometric (12) Errors and CER
  • Errors
  • When a biometric system rejects an authorized
    individual, it is called a Type I error (false
    rejection; measured as the false rejection rate,
    FRR).
  • When the system accepts an impostor who should be
    rejected, it is called a Type II error (false
    acceptance; measured as the false acceptance
    rate, FAR).
  • The goal is to obtain low numbers for each type
    of error, but Type II errors are the most
    dangerous and thus the most important to avoid.
  • Crossover error rate (CER)
  • The most important measurement when
    determining the system's accuracy.
  • CER is a percentage and represents the point at
    which the false rejection rate equals the false
    acceptance rate.

25
Biometric (13) Errors and CER
  • Biometric systems can be calibrated
  • Lowering the Type II error rate by raising the
    system's sensitivity (match threshold) → an
    increase in Type I errors, and vice versa.
  • Individual environments have specific security
    level requirements, which dictate how many
    Type I and Type II errors are acceptable.
  • E.g., a military base would be prepared to accept
    a certain number of Type I errors, but would
    absolutely not accept any false accepts (Type II
    errors).

26
Biometric (14) Errors CER
  • CER is a.k.a. equal error rate (EER)

27
Biometric (15) Errors and CER
  • What is the purpose of the CER?
  • The CER is an impartial judgment of a biometric
    system and helps to create standards → the lower
    the CER, the more accurate the system
  • E.g.:
  • A vendor claims that their fingerprint scanner
    has 0 Type II errors.
  • Will your company purchase this product?
    (Any scanner can reach zero false accepts by
    setting its threshold high enough; the claim says
    nothing about how many legitimate users it then
    rejects, which is why the CER is the figure to ask
    for.)
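The following Python is an added worked example, not part of the slides: it computes the FRR and FAR curves, the crossover point, and the calibration trade-off from slides 24 to 27 over a constructed set of matcher scores. The score values and the "fingerprint matcher" that produced them are assumptions made for the example (higher score means a closer match). It also answers the vendor question above: any threshold high enough yields zero Type II errors, and the function shows the Type I cost that a single "0 false accepts" figure hides.

```python
# Constructed sample data (not from the slides): match scores from a
# hypothetical fingerprint matcher. Higher score = more similar.
# "genuine" = enrolled user presenting their own finger,
# "impostor" = someone else presenting theirs.
GENUINE_SCORES = [62, 70, 74, 78, 81, 84, 86, 88, 90, 93]
IMPOSTOR_SCORES = [20, 31, 38, 45, 52, 58, 63, 66, 71, 77]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) as fractions for a given acceptance threshold.

    A presentation is accepted when score >= threshold.
    FRR (Type I): genuine users rejected.  FAR (Type II): impostors accepted.
    """
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the threshold; return (threshold, CER) where FRR and FAR cross.

    With a finite sample the two rates may never be exactly equal, so take
    the threshold minimising |FRR - FAR| and report their average there.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR paid for it.

    This is the "military base" calibration from slide 25: cap Type II errors
    and accept whatever Type I errors result. max_far=0.0 reproduces the
    vendor's "0 Type II errors" claim and shows its cost.
    """
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    print("CER (threshold, rate):", crossover_error_rate())
    print("zero-FAR calibration (threshold, FRR, FAR):", threshold_for_max_far(0.0))
```

On this sample the curves cross at a threshold of 71 with a CER of 0.2, and demanding zero false accepts pushes the threshold to 78 at the price of rejecting 30% of genuine users.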

28
Password / Password Management (1)
  • Passwords are one of the most used authentication
    mechanisms employed today
  • It is important that passwords are strong and
    properly managed.
  • Why are passwords considered one of the weakest
    security mechanisms available?
  • Password management: if passwords are properly
    generated, updated, and kept secret, they can
    provide effective security.

29
Password / Password Management (2)
  • Password management
  • Password generators create passwords for the
    users
  • Create uncomplicated, pronounceable,
    non-dictionary words to help users remember them
    so that they aren't tempted to write them down.
  • Alternatively, the users choose their own
    passwords and the OS enforces certain password
    requirements:
  • To ensure a password contains a certain number of
    characters, is unrelated to the user ID, includes
    special characters, includes upper- and lowercase
    letters, and is not easily guessable.
  • To ensure that no passwords are reused.
  • To force users to change their passwords
    periodically (aging).
  • Note that current guidance (NIST SP 800-63B)
    drops mandatory composition rules and periodic
    expiry in favour of length, screening against
    lists of breached passwords, and rate limiting,
    because forced changes tend to produce
    predictable variations of the old password.

30
Password / Password Management (3)
  • Attacks on passwords
  • Electronic monitoring
  • Listening to network traffic to capture
    information, especially when a user is sending
    her password to an authentication server.
  • The captured password can be copied and reused
    by the attacker at another time, which is called
    a replay attack.
  • Accessing the password file: usually done on the
    authentication server.
  • The password file contains many users' passwords
    (or their hashes).
  • This file should be protected with access control
    mechanisms and encryption.
  • E.g., Microsoft Windows NT/2000/XP stores the
    password hashes in the SAM database, a registry
    hive. Unix historically stored the password hashes
    in the world-readable /etc/passwd; modern systems
    keep them in /etc/shadow, readable only by root,
    and leave a placeholder in /etc/passwd.

31
Password / Password Management (4)
  • Attacks on passwords (cont.)
  • Brute force attacks
  • Performed with tools that cycle through many
    possible character, number, and symbol
    combinations to uncover a password.
  • Dictionary attacks
  • Files of thousands of words are used to compare
    to the user's password until a match is found.
  • Social engineering
  • An attacker falsely convinces an individual that
    she has the necessary authorization to access
    specific resources.

32
Password / Password Management (5)
  • Techniques that can be implemented to provide
    another layer of security for passwords:
  • After each successful logon, a message can be
    presented to the user indicating the date, time,
    and location of the last successful logon, and
    whether there were any unsuccessful logon attempts.
  • Limit logon attempts: the administrator can set
    operating parameters that allow a certain number
    of failed logon attempts before a user is locked
    out.
  • An audit trail can also be used to track password
    usage and successful and unsuccessful logon
    attempts.
  • Password aging: define a practical password
    lifetime, i.e., a balance between protection and
    practicality

33
Password / Password Management (6)
  • Password checker / cracker
  • A password checker is a tool used by a security
    professional to test the strength of passwords.
  • It performs dictionary and/or brute force attacks
    to detect weak passwords.
  • A password cracker is the same kind of tool in
    the hands of an attacker.
  • Most of the time, these tools are one and the
    same.
  • E.g.:
  • John the Ripper
  • Crack (the classic Unix password cracker)
  • Oracle Password Checker (Cracker)

34
Password / Password Management (7)
  • Password hashing and encryption
  • Most systems hash the password with a hashing
    algorithm rather than storing it in the clear.
  • E.g., in Windows, the passwords are stored in the
    Security Accounts Manager (SAM) database in
    hashed form. In addition, administrators could use
    the Syskey utility to encrypt the database. Syskey
    works in three modes:
  • Mode 1: the system key is generated, encrypted, and
    stored locally.
  • Mode 2: the system key is generated, encrypted, and
    stored locally but is password protected. When
    the computer restarts, the administrator must
    enter the password to unlock Syskey.
  • Mode 3: the system key is generated, encrypted, and
    stored on a floppy disk. The computer cannot
    start up properly without a user providing the
    floppy disk.
  • (Syskey has since been retired; Microsoft removed
    it in Windows 10 version 1709 and recommends
    BitLocker for protecting the SAM at rest.)

35
Password / Password Management (8) Cognitive
passwords
  • Cognitive passwords are fact- or opinion-based
    information used to verify an individual's
    identity.
  • A user is enrolled by answering several questions
    based on her life experiences. E.g., mother's
    maiden name, favorite color, dog's name
  • Best for a service the user does not use on a
    daily basis
  • Easier to remember than a normal password
  • Weaker than a normal password: the answers are
    often discoverable from public records or social
    media, so they should not be the sole factor for
    anything sensitive.

36
Classical Encryption (symmetric key encryption)
37
Public Key Encryption
With RSA, a message encrypted with the private key
can be decrypted with the public key as well; the
digital signature description later in this chapter
relies on that property.
38
Hash Functions
  • Produce a message digest that cannot be reversed
    to produce the original
  • One-way hash function H(x) → y
  • Input x: message of variable length
  • Output y: message digest of fixed length
  • Ideally, any change of x will change y
  • Two major hash functions in use at the time of
    this deck:
  • SHA-1 (Secure Hash Algorithm 1)
  • MD5 (Message Digest algorithm version 5)
  • Both are now considered broken (practical
    collisions exist for MD5 and SHA-1); new designs
    use SHA-2 (e.g., SHA-256) or SHA-3.

39
Password / Password Management (9) One-Time
passwords
  • A one-time password (a.k.a. dynamic password)
  • is used for authentication purposes and is only
    good once.
  • Used in environments that require a higher level
    of security than static passwords provide
  • The token device generates the one-time password
    for the user to submit to an authentication
    server. Two general types:
  • Synchronous token device
  • Asynchronous token device

40
Password / Password Management (10) One-Time
passwords
  • The token device (password generator) is usually
    a handheld device that has an LCD display and
    possibly a keypad.
  • The token device presents the user with a string
    of characters to be entered as the password when
    logging onto a computer.
  • This one-time password is also called a token, and
    is no longer valid after its initial use.

41
Password / Password Management (11) Synchronous
Token
  • A synchronous token device synchronizes with the
    authentication service by using time or a counter
    as the core piece of the authentication process.
  • In time-based synchronization, the token device
    and the authentication service must hold the same
    time within their internal clocks.
  • In counter-based synchronization, the user
    initiates the logon sequence on the computer and
    pushes a button on the token device, which
    advances the counter.
  • The token device and authentication service must
    share the same secret key

42
RSA SecurID: one of the most widely used time-based
tokens
43
Password / Password Management (12) Asynchronous
Token
  • An asynchronous token device uses a
    challenge/response scheme to authenticate the
    user.

44
Challenge-Response Mechanism
  • User and system share a secret function f (in
    practice, f is a known function with unknown
    parameters, such as a cryptographic key)
  • E.g., IFF (identification, friend or foe) systems
    use this to identify aircraft

  user → system: request to authenticate
  system → user: random message r (the challenge)
  user → system: f(r) (the response)
45
Password / Password Management (13) Asynchronous
Token
  • The authentication server sends the user a
    challenge, a random value also called a nonce.
  • The user enters this nonce into the token device,
    which encrypts it (with the shared secret key) and
    returns a value to be used as the one-time
    password. The user sends this value, along with a
    username, to the authentication server.
  • The authentication server decrypts the value; if
    it recovers the same nonce that it sent earlier,
    the user is authenticated.
  • Because each nonce is fresh and used once, a
    captured response cannot be replayed.
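The following Python is an added example, not code from the slides or from any token vendor. It implements both token families described on slides 41, 44 and 45 with the server side included: a counter-synchronised verifier and a time-synchronised verifier built on HOTP (RFC 4226) and TOTP (RFC 6238), and an asynchronous challenge/response verifier where the shared secret function f from slide 44 is f(r) = HMAC-SHA256(key, r) rather than the "encrypt the nonce" wording of slide 45 (the verifier recomputes f(r) instead of decrypting; the security argument is the same). The shared secret is the published RFC test-vector key, used here so the first two codes can be checked against the RFC tables; the look-ahead window, clock-drift tolerance and challenge TTL are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector key.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class CounterSyncServer:
    """Counter-synchronised verifier: tolerates a few unused button presses."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.look_ahead, self.counter = secret, look_ahead, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync; this and earlier codes are now burnt
                return True
        return False


class TimeSyncServer:
    """Time-synchronised verifier: allows one step of clock drift either way,
    and never accepts the same time step twice (replay within the window)."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in (current - 1, current, current + 1):
            if candidate <= self.last_step:
                continue  # a code for this step was already accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def token_response(secret: bytes, nonce: bytes) -> bytes:
    """What the handheld token computes from the typed-in challenge: f(r)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Asynchronous token: random nonce challenge, keyed response, single use."""

    def __init__(self, secret: bytes, ttl: float = 60.0):
        self.secret, self.ttl, self.pending = secret, ttl, {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = (nonce, time.monotonic() + self.ttl)
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce, expires = self.pending.pop(user, (None, 0.0))  # consumed on first use
        if nonce is None or time.monotonic() > expires:
            return False
        return hmac.compare_digest(token_response(self.secret, nonce), response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SHARED_SECRET, 0))      # RFC 4226: 755224
    print("TOTP at t=59:", totp(SHARED_SECRET, 59))       # RFC 6238: ...287082
    srv = ChallengeResponseServer(SHARED_SECRET)
    r = srv.challenge("alice")
    print("challenge/response accepted:", srv.verify("alice", token_response(SHARED_SECRET, r)))
```

Each verifier burns the value it accepts, which is the property slide 46 relies on when it says tokens resist sniffing: a captured code or response is useless afterwards, though a relay that forwards it within its validity window is not prevented.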

46
Password / Password Management (14) Features of
token devices
  • Pros
  • Not vulnerable to electronic eavesdropping,
    sniffing, or password guessing: a captured value
    is useless after its single use.
  • Something the user knows (PIN) + something the
    user has (the token device) → strong (two-factor)
    authentication
  • Cons
  • Subject to a masquerading attack if a user shares
    his identification and the token device is shared
    or stolen.
  • A real-time phishing proxy that relays the
    freshly generated code within its validity window
    still succeeds; one-time passwords stop replay,
    not relay.

47
Private Key / Digital Signature
  • A private key or digital signature could be used
    in place of a password.
  • Another way to prove one's identity
  • Used in environments that require higher security
    protection than what is provided by passwords.
  • A private key is a secret value that should be in
    the possession of one person, and one person
    only.
  • Public key cryptography is a form of cryptography
    which allows users to communicate securely
    without having prior access to a shared secret
    key.
  • This is done by using a pair of cryptographic
    keys, designated as the public key and the private
    key, which are related mathematically.

48
Digital Signature
  • A digital signature is produced by hashing the
    message and signing the hash value (message
    digest) with the signer's private key. With RSA
    this is commonly described as encrypting the
    digest with the private key; anyone holding the
    public key can reverse the operation and compare
    the result with a fresh digest of the message.
  • A digital signature attached to a message proves
    that the message originated from the holder of the
    private key, and that the message itself was not
    changed while in transit.

49
50
Digital Signature
51
Memory Card vs. Smart Card
  • A memory card holds information but cannot
    process information.
  • E.g., ATM card, swipe card
  • PIN + ATM card → strong (two-factor) authentication
  • A smart card holds information and has the
    necessary hardware and software to actually
    process that information.
  • The authentication can be done in three ways:
  • Using a one-time password,
  • Using a challenge/response value
  • Using the user's private key, if it is used within
    a PKI environment (the key stays on the card and
    is never exported; the card signs a challenge
    with it).
  • Contact smart card vs. contactless smart card
  • A contact card is fully inserted into a card reader
  • A contactless smart card has an antenna wire that
    surrounds the perimeter of the card.

52
Smart Card Attacks
  • Fault generation attacks
  • Introduce errors into the smart card (changing
    input voltage, clock rate, temperature
    fluctuations)
  • Analysis of these different results allows an
    attacker to reverse-engineer the encryption
    process, and to uncover the encryption key.
  • Side-channel attacks
  • The attacker observes how something works and how
    it reacts in different situations
  • Differential power analysis: examining the power
    emissions that are released during processing
  • Electromagnetic analysis: examining the
    frequencies that are emitted
  • Timing: how long a specific process takes to
    complete

53
Smart Card Attacks (cont.)
  • Software attacks
  • A smart card has software
  • Attacks can be disguised by using equipment that
    looks just like the legitimate reader.
  • Input instructions into the smart card that will
    allow the attacker to extract account
    information
  • Microprobing
  • Uses needles and ultrasonic vibration to remove
    the outer protective material on the card's
    circuits.
  • Data can then be accessed and manipulated by
    directly tapping into the card's ROM chips.

54
Authorization (1)
  • The system must establish whether the user is
    authorized to access the particular resource and
    what actions he is permitted to perform on that
    resource.
  • Authorization is a core component of every OS;
    applications, security add-on packages, and
    resources themselves can also provide
    authorization.
  • Granularity of access criteria
  • Security professionals want as much control as
    possible over the resources
  • A fine level of detail enables security
    professionals to give individuals just the
    precise level of access that they need.

55
Authorization (2)
  • Granting access rights to subjects should be
    based on
  • the level of trust (the authorization authority
    has in a subject)
  • the need-to-know principle (least privilege)
  • The different access criteria:
  • Roles: a role is based on a job assignment or
    function
  • Groups: if several users require the same type of
    access to information and resources, putting them
    into a group and then assigning rights and
    permissions to that group → easy to manage
  • Physical or logical location can also be used to
    restrict access to resources
  • Time of day (temporal isolation) ensures that
    access outside the permitted hours is restricted.

56
Authorization (3)
  • The different access criteria (cont.)
  • Transaction-type restrictions can be used to
    control what data is accessed during certain
    types of functions and what commands can be
    carried out on the data.
  • Other authorization practices
  • Default to no access
  • Least privilege (need-to-know principle): give a
    user the least amount of privileges, but just
    enough for that user to be productive when
    carrying out tasks.
  • It is management's job to determine the security
    requirements of individuals and how access is
    authorized. The security administrator configures
    the security mechanisms to fulfill these
    requirements.
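The following Python is an added example, not code from the slides: a small policy evaluator that applies every access criterion from slides 55 and 56 (role/group, location, time of day, transaction type) with the "default to no access" rule, and writes each decision to an audit log for accountability. The policy, the resource names, the users, their groups and locations, and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy (not from the slides). Each Rule only grants; anything
# no rule covers is denied, which is the "default to no access" practice.


@dataclass(frozen=True)
class Rule:
    group: str                          # role or group the rule applies to
    resource: str                       # the object being protected
    actions: frozenset                  # transaction types permitted
    locations: frozenset = frozenset()  # allowed origins; empty = anywhere
    window: tuple = None                # (start, end) time of day; None = any time


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    location: str


POLICY = (
    # accounting may read and update the ledger, but only from the office LAN
    # during working hours (temporal isolation)
    Rule("accounting", "ledger", frozenset({"read", "update"}),
         locations=frozenset({"hq-lan"}), window=(time(8, 0), time(18, 0))),
    # auditors get read-only access from anywhere, at any time
    Rule("auditor", "ledger", frozenset({"read"})),
    # helpdesk may read the directory and reset passwords, from LAN or VPN
    Rule("helpdesk", "user-directory", frozenset({"read", "reset-password"}),
         locations=frozenset({"hq-lan", "vpn"})),
)

AUDIT_LOG = []  # accountability: every decision is recorded, allowed or denied


def is_permitted(subject: Subject, resource: str, action: str,
                 now: datetime, policy=POLICY) -> bool:
    """Return True only if some rule explicitly allows this request here and now."""
    decision = False
    for rule in policy:
        if rule.resource != resource or rule.group not in subject.groups:
            continue                                   # wrong object or not in the role
        if action not in rule.actions:
            continue                                   # transaction type not granted
        if rule.locations and subject.location not in rule.locations:
            continue                                   # location restriction
        if rule.window and not (rule.window[0] <= now.time() <= rule.window[1]):
            continue                                   # outside permitted hours
        decision = True
        break
    AUDIT_LOG.append((now.isoformat(), subject.user, subject.location,
                      resource, action, decision))
    return decision


# Constructed subjects and times.
ALICE = Subject("alice", frozenset({"accounting"}), "hq-lan")
BOB = Subject("bob", frozenset({"auditor"}), "home")
CAROL = Subject("carol", frozenset({"helpdesk"}), "vpn")
OFFICE_HOURS = datetime(2024, 3, 4, 10, 30)
NIGHT = datetime(2024, 3, 4, 23, 0)

if __name__ == "__main__":
    print("alice update ledger at 10:30:", is_permitted(ALICE, "ledger", "update", OFFICE_HOURS))
    print("alice update ledger at 23:00:", is_permitted(ALICE, "ledger", "update", NIGHT))
    print("carol read ledger:", is_permitted(CAROL, "ledger", "read", OFFICE_HOURS))
    for entry in AUDIT_LOG:
        print(entry)
```

A request that no rule mentions at all (carol reading the ledger) is denied without any explicit deny rule, and the audit log entry records that fact alongside the allowed requests.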

57
Single Sign-On (SSO)
  • What is SSO?
  • A user needs to enter only one user ID and one
    password to be able to access all resources in
    all the networks this user is working in.
  • Because of the proliferation of client/server
    technologies, centrally controlled networks →
    heterogeneous, distributed environments
  • The challenge of SSO: every platform,
    application, and resource needs to accept the
    same type of credentials, in the same format, and
    interpret their meanings the same way.

58
Single Sign-On (2)
  • Examples of SSO
  • Kerberos uses a KDC and tickets, and is based on
    symmetric key cryptography
  • SESAME uses a PAS (Privileged Attribute Server)
    and PACs (Privileged Attribute Certificates), and
    is based on symmetric and asymmetric cryptography
  • Security domains: resources working under the
    same security policy and managed by the same
    group
  • Thin clients: terminals that rely upon a central
    server for access control, processing, and storage

59
Kerberos (1)
  • What is Kerberos?
  • A de facto standard for heterogeneous networks.
  • Was designed in the mid-1980s as part of MIT's
    Project Athena.
  • Works in a client/server model and is based on
    symmetric key cryptography.
  • Has been used for years in Unix systems and is
    the default authentication method for Windows
    2000 and 2003 domains (and all later Windows
    domain versions).

60
Kerberos (2)
  • The Key Distribution Center (KDC) is the most
    important component within a Kerberos
    environment.
  • KDC is the trusted authentication server for a
    set of principals (a realm)
  • KDC has an account for, and shares a secret key
    with, each principal (user / service)
  • The secret key is used to send sensitive data
    between the principal and the KDC
  • KDC provides an authentication service and key
    distribution functionality.
  • A ticket is generated by the KDC and given to a
    principal (e.g. a user) when that principal needs
    to authenticate to another principal, (e.g. a
    print server).

61
Kerberos (3)
62
Kerberos (4) Authentication Process
  • U types username and password on a PC. Kerberos
    software on that PC sends the username to the
    authentication service (AS) on the KDC.
  • The KDC returns a ticket granting ticket (TGT) and
    a TGT session key; the session key is encrypted
    with U's secret key (derived from U's password),
    and the TGT itself with the TGS's own key.
  • Kerberos software on that PC decrypts the session
    key using U's password; if the password is correct
    → U logs on to that PC. (A wrong password fails
    here, without the KDC ever seeing the password.)
  • The PC sends the TGT to the ticket granting service
    (TGS) on the KDC, together with an authenticator
    (ID of U, IP of U's PC, and a timestamp) encrypted
    with the TGT session key, naming the principal P
    it wants to reach (e.g., a print server).
  • The TGS creates and sends a ticket to the user. The
    reply contains a new session key for U and P,
    encrypted so that only U can read it, and the same
    session key inside a service ticket encrypted with
    P's secret key.
  • U's PC decrypts and extracts the session key, builds
    a second authenticator (encrypted with the session
    key), and sends it together with the ticket to P.
  • P decrypts the ticket with its own key, recovers
    the session key, decrypts the authenticator, and
    checks that its contents match the ticket and that
    the timestamp is fresh. If so, U is authenticated
    to P.

63
Kerberos (5) Terms
  • AS is the part of the KDC that authenticates a
    principal
  • TGS is the part of the KDC that makes the tickets
    and hands them out to the principals.
  • Any time the user needs to communicate with
    another principal, he just reuses the TGT
    (temporarily stored on his system with a
    predefined lifetime) → the user does not have to
    enter his password each time he needs to
    communicate with another principal.
  • A secret key is shared between the KDC and a
    principal and is static in nature.
  • A session key is shared between two principals
    and is generated when needed and destroyed after
    the session is completed.
  • Authenticator: a proof of identity (the client's
    name and a timestamp, encrypted with the session
    key) showing that the sender holds the session
    key and that the message is fresh.

64
Kerberos (6) Weaknesses and attacks
  • The KDC can be a single point of failure. →
    Redundancy is necessary for the KDC.
  • The KDC must be able to handle the number of
    requests it receives in a timely manner. → It
    must be scalable.
  • Secret keys are temporarily stored on the user's
    PC, and session keys are decrypted and reside on
    the user's workstation, either in a cache or in
    a key table. → An intruder can capture secret and
    session keys if the user's PC is compromised.
  • Kerberos is vulnerable to password guessing: an
    attacker can request the AS reply for any user and
    try to decrypt it offline; the KDC does not know
    that a dictionary attack is taking place. → ?
    (Kerberos 5 pre-authentication, which makes the
    client prove knowledge of its key before the KDC
    replies, is the standard mitigation.)
  • Network traffic is not protected by Kerberos if
    encryption is not enabled.

65
SESAME
  • SESAME Secure European System for Applications
    in a Multi-vendor Environment (SESAME) project is
    a single sign-on technology
  • Was developed to extend Kerberos functionality
    and improve upon its weaknesses.
  • SESAME uses symmetric and asymmetric
    cryptographic techniques

66
Security Domains (1)
  • A domain is a set of resources that is available
    to a subject.
  • E.g., to a process a domain includes memory
    segments, hard disk, OS services, perhaps other
    processes
  • Security domain: resources within this logical
    structure (domain) are working under the same
    security policy and managed by the same group.
  • E.g., put all accounting personnel, computers,
    and network resources in domain A.
  • The different domains are separated by logical
    boundaries, such as firewalls with ACLs,
    directory services, and objects that have their
    own ACLs.
  • Individual domains can also be isolated at the
    network layer by placing each on its own subnet.

67
Security Domains (2)
  • Domains can be architected in a hierarchical
    manner that dictates the relationship between the
    different domains
  • Subjects can access resources in domains of equal
    or lower trust levels.
  • Several different types of technologies are
    available today that are used to define and
    enforce these domains and security policies that
    are mapped to them
  • E.g., domain controllers in a Windows
    environment, enterprise resource management (ERM)
    products, etc.
  • The goal of each of them is to allow a user
    (subject) to sign in one time and be able to
    access the different domains that are available
    to them without having to reenter any other
    credentials.

68
Security Domains (3) Directory Service
  • A network directory service contains information
    about these different resources and provides a
    naming scheme.
  • Provides a hierarchical database that outlines
    the resources' characteristics
  • such as name, logical and physical location,
    subjects that can access them, and the operations
    that can be carried out on them.
  • Provides users access to network resources
    transparently.
  • E.g., Lightweight Directory Access Protocol
    (LDAP), Novell NetWare Directory Service (NDS),
    and Microsoft Active Directory.

69
Thin Client
  • Thin clients (diskless computers or dumb
    terminals)
  • Thin-client technology provides another type of
    SSO access for users,
  • users authenticate only to the central server or
    mainframe, which then provides them access to all
    authorized and necessary resources.
  • Saving money by purchasing thin clients instead
    of workstations
  • Easier administration, access control, update