Lecture13

advertisement

Cyber Security

Lecture for July 2, 2010

Access Control

Dr. Bhavani Thuraisingham

4/18/2020 00:47

Outline

0

0

0

0

0

0

0

Access Control Overview

Identification, Authentication, Authorization, Accountability

0 Single Sign-on and Kerberos

Access Control Models

Access Control Techniques and Technologies

Access Control Administration

Access Control Monitoring: Intrusion Detection

Threats to Access Control

13-2

4/18/2020 00:47

Access Control

0 Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.

0 In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems.

0 In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities and as human users

13-3

4/18/2020 00:47

Access Control

0 Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs).

0 In a capability-based model, holding an unforgeable reference or

capability to an object provides access to the object

0 Access is conveyed to another party by transmitting such a capability over a secure channel.

0 In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object

13-4

4/18/2020 00:47

Identification, Authentication, Authorization

0 Access control systems provide the essential services of

identification and authentication (I&A), authorization, and

accountability where:

0 identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in;

0

0 authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did.

13-5

4/18/2020 00:47

Identification, Authentication, Authorization

0 Identification and authentication (I&A): Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The

I&A process assumes that there was an initial validation of the identity, commonly called identity proofing. Various methods of identity proofing are available ranging from in person validation using government issued identification to anonymous methods that allow the claimant to remain anonymous, but known to the system if they return. The method used for identity proofing and validation should provide an assurance level commensurate with the intended use of the identity within the system. Subsequently, the entity asserts an identity together with an authenticator as a means for validation. The only requirements for the identifier is that it must be unique within its security domain.

13-6

4/18/2020 00:47

Identification, Authentication, Authorization

0 Authenticators are commonly based on at least one of the following four factors:

0 Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.

0 Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.

0 Something you are, such as fingerprint, voice, retina, or iris characteristics.

0 Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.

13-7

4/18/2020 00:47

Identification, Authentication, Authorization

0 Authorization: Authorization applies to subjects. Authorization determines what a subject can do on the system.

0 Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:

0

0 Read (R): The subject can

Read file contents, List directory contents

Write (W): The subject can change the contents of a file or directory with the following tasks:

0

Add, Create, Delete, Rename

Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.)

13-8

4/18/2020 00:47

Identification, Authentication, Authorization

0 These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC).

0 Accountability: Accountability uses such system components as audit trails

(records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user.

0 Audit trails and logs are important for Detecting security violations, Recreating security incidents

0 If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence.

0 Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following: More than three failed logon attempts in a given period, Any attempt to use a disabled user account,

These reports help a system administrator or security administrator to more easily identify possible break-in attempts.

13-9

4/18/2020 00:47

Single Sign-On

0 Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems.

0 As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication.

13-10

4/18/2020 00:47

Single Sign-on Kerberos

0 Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by MIT that implements this protocol. Its designers aimed primarily at a client –server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

0 Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication

13-11

4/18/2020 00:47

Kerberos

0 Kerberos uses as its basis the symmetric Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server

(TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.

0 The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the

KDC generates a session key which they can use to secure their interactions.

0 The security of the protocol relies heavily on participants maintaining loosely synchronized time and on short-lived assertions of authenticity called Kerberos tickets.

13-12

4/18/2020 00:47

Kerberos

0 The client authenticates itself to the Authentication Server and receives a ticket. (All tickets are time-stamped.)

0 It then contacts the Ticket Granting Server, and using the ticket it demonstrates its identity and asks for a service.

0 If the client is eligible for the service, then the Ticket Granting

Server sends another ticket to the client.

0 The client then contacts the Service Server, and using this ticket it proves that it has been approved to receive the service.

13-13

4/18/2020 00:47

Kerberos: Drawbacks

0 Single point of failure: It requires continuous availability of a central server.

When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.

0 Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than five minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized.

0 The administration protocol is not standardized and differs between server implementations.

0 Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.

13-14

4/18/2020 00:47

Access Control Techniques

0

0

0

0

Role based access control

Constrained user interfaces

0 Access control Matrix

Content dependent access control

Content dependent access control

13-15

4/18/2020 00:47

Access Control

0 Access control techniques: Access control techniques are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC),

Mandatory Access Control (MAC), and Role Based Access Control (RBAC).

MAC and RBAC are both non-discretionary.

0 Attribute-based Access Control: In attribute-based access control, access is granted not based on the rights of the subject associated with a user after authentication, but based on attributes of the user. The user has to prove so called claims about his attributes to the access control engine. An attributebased access control policy specifies which claims need to satisfied in order to grant access to an object. For instance the claim could be "older than 18" .

Any user that can prove this claim is granted access. Users can be anonymous as authentication and identification are not strictly required. One does however require means for proving claims anonymously. This can for instance be achieved using Anonymous credentials.

13-16

4/18/2020 00:47

Access Control

0 Discretionary access control: (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.

0

0 Two important concepts in DAC are

File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.

0 Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.

0 Access controls may be discretionary in ACL-based or capabilitybased access control systems. (In capability-based systems, there is usually no explicit concept of 'owner', but the creator of an object has a similar degree of control over its access policy.)

13-17

4/18/2020 00:47

Access Control

0 Mandatory access control: (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.

0 Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object.

0 Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.

13-18

4/18/2020 00:48

Access Control

0 Two methods are commonly used for applying mandatory access control:

0 Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object.

All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching:

0

An object's sensitivity label

A subject's sensitivity label

Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lowerbound and least upper-bound values for a pair of elements, such as a subject and an object.

13-19

4/18/2020 00:48

Access Control

0 Role-based access control: (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control.

0 Although RBAC is non-discretionary, it can be distinguished from

MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions.

13-20

4/18/2020 00:48

Access Control

0

0 Three primary rules are defined for RBAC:

1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.

0 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.

0 3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.

0 Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles.

0 Most IT vendors offer RBAC in one or more products.

13-21

4/18/2020 00:48

What is Biometrics?

0 Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic

0 Features measured: Face, Fingerprints, Hand geometry, handwriting,

Iris, Retinal, Vein and Voice

0 Identification and personal certification solutions for highly secure applications

0 Numerous applications: medical, financial, child care, computer access etc.

0

0

0

0

0

0 Biometrics replaces Traditional Authentication Methods

Provides better security

More convenient

Better accountability

Applications on Fraud detection and Fraud deterrence

Dual purpose: Cyber Security and National Security

13-22

4/18/2020 00:48

What is the Process?

0

0

0

0

Three-steps: Capture-Process-Verification

Capture: A raw biometric is captured by a sensing device such as fingerprint scanner or video camera

Process: The distinguishing characteristics are extracted from the raw biometrics sample and converted into a processed biometric identifier record

Called biometric sample or template

Verification and Identification

Matching the enrolled biometric sample against a single record; is the person really what he claims to be?

Matching a biometric sample against a database of identifiers

13-23

4/18/2020 00:48

Why Biometrics?

0

0 Authentication mechanisms often used are User ID and Passwords

However password mechanisms have vulnerabilities: Stealing passwords

0

0 Biometrics systems are less prone to attacks

Need sophisticated techniques for attacks

Cannot steal facial features and fingerprints

Need sophisticated image processing techniques for modifying facial features

0 Biometrics systems are more convenient, Need not have multiple passwords or difficult passwords

E.g., characters, numbers and special symbols, Need not remember passwords

0

0 Need not carry any cards or tokens

Better accountability: Can determine who accessed the system with less complexity

13-24

4/18/2020 00:48

What is Secure Biometrics?

0

0

0

Study the attacks of biometrics systems

Modifying fingerprints

Modifying facial features

Develop a security policy and model for the system

Application independent and Application specific policies

Enforce Security constraints

= Entire face is classified but the nose can be displayed

Develop a formal model

Formalize the policy

Design the system and identify security critical components

Reference monitor for biometrics systems

13-25

4/18/2020 00:48

Security Vulnerabilities

0

0

0

0

0

0

Type 1 attack: present fake biometric such a synthetic biometric

Type 2 attack: Submit a previously intercepted biometric data: replay

Type 3 attack: Compromising the feature extractor module to give results desired by attacker

Type 4 attack: Replace the genuine feature values produced by the system by fake values desired by attacker

Type 5 attack: Produce a high number of matching results

Type 6 attack: Attack the template database: add templates, modify templates etc.

13-26

4/18/2020 00:48

Biometric Terms: Verification and Identification

0

0

Verification

User claims an identity for biometric comparison

User then provides biometric data

-

System tries to match the user’s biometric with the large number of biometric data in the database

Determines whether there is a match or a no match

Network security utilizes this process

Identification

User does not claim an identity, but gives biometric data

System searches the database to see if the biometric provided is stored in the database

Positive or negative identification

Prevents from enrolling twice for claims

Used to enter buildings

13-27

4/18/2020 00:48

Biometric Process

0

0

0

0

0

0

0

0

0

User enrolls in a system and provides biometric data

Data is converted into a template

Later on user provides biometric data for verification or identification

The latter biometric data is converted into a template

The verification/identification template is compared with the enrollment template

The result of the match is specified as a confidence level

The confidence level is compared to the threshold level

If the confidence score exceeds the threshold, then there is a match

If not, there is no match

13-28

4/18/2020 00:48

Enrollment and Template Creation

0

0

0

0

Enrollment

-

This is the process by which the user’s biometric data is acquired

Templates are created

Presentation

User presents biometric data using hardware such as scanning systems, voice recorders, etc.

Biometric data

Unprocessed image or recording

Feature extraction

Locate and encode distinctive characteristics from biometric data

13-29

4/18/2020 00:48

Data Types and Associated Biometric

Technologies

0

0

0

0

0

0

0

0

Finger scan: Fingerprint Image

Voice scan: Voice recording

Face scan: Facial image

Iris scan: Iris image

Retina scan: Retina image

Hand scan: Image of hand

Signature scan: Image of signature

Keystroke scan: Recording of character types

13-30

4/18/2020 00:48

Templates

0

0

0

0

0

0

Templates are NOT compressions of biometric data; they are constructed from distinctive features extracted

Cannot reconstruct the biometric data from templates

Same biometric data supplied by a user at different times may results in different templates

When the biometric algorithm is applied to these templates, it will recognize them as the same biometric data

Templates may consist of strings of characters and numeric values

Vendor systems are heterogeneous; standards are used for common templates and for interoperability

13-31

4/18/2020 00:48

Biometric Matching

0

0

0

0

Part of the Biometric process: Compares the user provided template with the enrolled templates

Scoring:

Each vendor may use a different score for matching; 1-10 or -1 to 1

Scores also generated during enrollment depending on the quality of the biometric data

User may have to provide different data if enrollment score is low

Threshold is generated by system administrator and varies from system to system and application to application

Decision depending on match/ nomatch

100% accuracy is generally not possible

13-32

4/18/2020 00:48

False Match Rate

0

0

0

System gives a false positive by matching a user’s biometric with another user’s enrollment

Problem as an imposter can enter the system

Occurs when two people have high degree of similarity

Facial features, shape of face etc.

Template match gives a score that is higher than the threshold

If threshold is increased then false match rate is reduced, but False no match rate is increased

False match rate may be used to eliminate the non-matches and then do further matching

13-33

4/18/2020 00:48

False Nonmatch rate

0

0

0

0

User’s template is matched with the enrolled templates and an incorrect decision of nonmatch is made

Consequence: user is denied entry

False nonmatch occurs for the following reasons

-

Changes in user’s biometric data

Changes in how a user presents biometric data

Changes in environment in which data is presented

Major focus has been on reducing false match rate and as a result there are higher false nonmatch rates

13-34

4/18/2020 00:48

Access Conrol Administration

0 Access Contol Administration will work out how the organiztion will adninistrw access control: Centralzied or Distributed.

0 Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks.

0 TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or XTACACS. This server was normally a program running on a host.

The host would determine whether to accept or deny the request and send a response back. The TIP (routing node accepting dial-up line connections, which the user would normally want to log in into) would then allow access or not, based upon the response.

0 TACACS+ and RADIUS have generally replaced TACACS. TACACS+ is an entirely new protocol and not compatible with TACACS or XTACACS.

TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP).

13-35

4/18/2020 00:48

Intrusion Detection System

0 An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

[

0 Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

0 Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

13-36

4/18/2020 00:48

Intrusion Detection System

0 For the purpose of dealing with IT, there are two main types of IDS's: network-based and host-based IDS.

0 In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic.

0 In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed, including file system, logs and the kernel. Some application-based

IDS are also part of this category.

13-37

4/18/2020 00:48

Threats to Access Control

0

0

0

0

Dictionary Attack

Brute Force Attack

0 Spoofing at Logon

Phishing

Identity Theft

13-38

Download