Access Controls Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2013 Domain Objectives • • • • Provide definitions and key concepts Identify access control categories and types Discuss access control threats Review system access control measures Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance Basic Requirements and Concepts • • Requirements – Security – Reliability – Transparency – Scalability – Maintainability – Auditability – Integrity – Authentic Key Concepts – Separation of duties – Least privilege – Need-to-know Information Classification • • • • • Objectives Benefits Example of classification Compartmentalized information Classification Program – Scope – Process • Ownership • Declassification • Marking and labeling • Assurance Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance Access Control Types and Strategies • Types – Administrative – Technical / Logical – Physical • Strategies – – – – – – – Preventive Detective Corrective Directive Deterrent Recovery Compensating Access Control Examples Controls Administrative Technical Physical Directive Policy Warning Banner ‘Do Not Enter’ Deterrent Demotion Violation Reports ‘Beware of Dog’ Preventive User Registration Passwords, Tokens Fences, Bollards Detective Report Reviews Audit Logs, IDS Sensors, CCTV Corrective Employee Termination Connection Management Fire Extinguisher Recovery DRP Backups Reconstruct, Rebuild Compensating Supervision, Job Rotation Keystroke Logging Layered Defenses Access Control • • • Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems. In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities and as human users Access Control • • • • Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs). In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object Access is conveyed to another party by transmitting such a capability over a secure channel. In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance Access Control Threats • Denial of service • Password crackers – Dictionary – Brute force – Rainbow tables • • • • Keystroke Loggers Spoofing/Masquerading Sniffers Shoulder Surfing/Swiping • Dumpster diving • Emanations • TOC/TOU Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance System Access Control • • • • Identification Authentication Authorization Accountability Identification and Authentication • Identification – – – – – Methods Guidelines RFID MAC and IP address Secure user registration • Authentication – Knowledge (something you know) – Ownership (something you have) – Characteristics (something you are) Identification, Authentication, Authorization • • • • Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where: identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did. Identification, Authentication, Authorization • Identification and authentication (I&A): Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The I&A process assumes that there was an initial validation of the identity, commonly called identity proofing. Various methods of identity proofing are available ranging from in person validation using government issued identification to anonymous methods that allow the claimant to remain anonymous, but known to the system if they return. The method used for identity proofing and validation should provide an assurance level commensurate with the intended use of the identity within the system. Subsequently, the entity asserts an identity together with an authenticator as a means for validation. The only requirements for the identifier is that it must be unique within its security domain. • • • • • Identification, Authentication, Authorization Authenticators are commonly based on at least one of the following four factors: Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account. Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account. Something you are, such as fingerprint, voice, retina, or iris characteristics. Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device. • • • • • Identification, Authentication, Authorization Authorization: Authorization applies to subjects. Authorization determines what a subject can do on the system. Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access: Read (R): The subject can – Read file contents, List directory contents Write (W): The subject can change the contents of a file or directory with the following tasks: – Add, Create, Delete, Rename Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.) • • • • • Identification, Authentication, Authorization These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC). Accountability: Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for Detecting security violations, Re-creating security incidents If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence. Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following: More than three failed logon attempts in a given period, Any attempt to use a disabled user account, These reports help a system administrator or security administrator to more easily identify possible break-in attempts. Authentication by Knowledge • • • • • Password – p3nc!l Passphrase – t@lk@bou+th3w3@th3r Personal history – 1st pet, 1st address, 1st friend Graphical Guidelines Authentication by Ownership • Tokens – One-time passwords • Smart cards • Memory cards • RFID cards Asynchronous and Synchronous Token Device 1. 2. 3. 4. 5. 6. User requests access via authentication server (i.e. userID) Authentication server issues challenge # to user User enters challenge # w/PIN in handheld Handheld calculates cryptographic response (i.e. password) User sends “password” to authentication server Authentication server grants access to application server Synchronous • Event-based synchronization • Time-based synchronization Authentication: Smart Cards and Biometrics • Smartcards – Contact smart cards • Card body • Chip • Contacts – – – – Contact-less smart cards Card body Chip Antenna • Biometrics (Authentication by Characteristic) – Physiological – Behavioral Biometric Types and Selection Criteria • • • Static – Fingerprint/Palm print – Hand geometry – Palm vein structure – Retina scan – Iris scan – Facial recognition Dynamic – Voice pattern – Keystroke dynamics – Signature dynamics Selection Criteria – Accuracy – Acceptability – Reaction or processing time – Population coverage – Data protection Identity and Access Management • Need for identity management – – – – Manual provisioning Complex environments Outsourcing risks Compliance with regulations and legislation • Authoritative system of record • Challenges • – Consistency – Reliability – Usability – Efficiency – Scalability – Principals – Data – Life cycle Benefits – Headcount reduction – Productivity increase – Risk management Identity Management Technologies • • • • Web access management (WAM) Password management Account management Profile update • • • • • • Access Control Technologies Single sign-on Kerberos – To be explained in the next chart SESAME – An extension of Kerberos for use with applications – Symmetric and asymmetric – Distributed authentication Directory services – Lightweight Directory Access Protocol (LDAP) – Network Information Services (NIS) – Domain Name System (DNS) Security domains – Hierarchical domain relationship – Equivalent classes of subjects Web Portal Access – Federated login – Portlet Single Sign-on Process 1. 2. 3. 4. User enters ID and password UserID and passwords transmitted to Authentication Server Authentication Server verifies user’s identity Authentication Server authorizes access to requested resource. Single Sign-On • • Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems. As different applications and resources support different authentication mechanisms, single sign-on has to internally translate to and store different credentials compared to what is used for initial authentication. Single Sign-on Kerberos • • Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by MIT that implements this protocol. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication Kerberos • • • Kerberos uses as its basis the symmetric Needham-Schroeder protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users. The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions. The security of the protocol relies heavily on participants maintaining loosely synchronized time and on short-lived assertions of authenticity called Kerberos tickets. Kerberos • • • • The client authenticates itself to the Authentication Server and receives a ticket. (All tickets are time-stamped.) It then contacts the Ticket Granting Server, and using the ticket it demonstrates its identity and asks for a service. If the client is eligible for the service, then the Ticket Granting Server sends another ticket to the client. The client then contacts the Service Server, and using this ticket it proves that it has been approved to receive the service. Kerberos: Drawbacks • • • • Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than five minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized. The administration protocol is not standardized and differs between server implementations. Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user. Access Control Languages • Service Provisioning Markup Language (SPML) • Security Assertion Markup Language (SAML) • eXtensible Access Control Markup Language (XACML) Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance Access to Data Implementations • Mandatory • Temporal • Discretionary • Role • Rule • Content • Privacy Descriptions • List • Matrix • Capabilities • Non-discretionary • Constraints • Centralized • Decentralized Access Control • Mandatory Access Control – Labels: Subject and Objects • Temporal Aces Control – Hours of Operation • Role-based Aces Control • Depends on Roles • Privacy-Aware, Role-based Access Control – Based on organization for economic co-operation and development • Content Dependent – Access based on values in data (i.e. Department) Can only see data having to do with employees in the same department Access Control Lists • • • • • Objects/Subjects Files/Users O.S. dependent Object Based Matrix Subject Based Matrix Non-discretionary Access Control (NDAC)/ Constrained User Interfaces • Non Discretionary – Operating system protection – Security administrator control – Ensures system security enforced • Constrained User Interfaces – – – – Menus Database views Physically constrained user interfaces Encryption Centralized/Decentralized Access Control • Centralized access control – RADIUS – TACACS+ – Diameter • Decentralized access control Access Conrol Administration • • • • Access Contol Administration will work out how the organiztion will adninistrw access control: Centralzied or Distributed. Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or XTACACS. This server was normally a program running on a host. The host would determine whether to accept or deny the request and send a response back. The TIP (routing node accepting dial-up line connections, which the user would normally want to log in into) would then allow access or not, based upon the response. TACACS+ and RADIUS have generally replaced TACACS. TACACS+ is an entirely new protocol and not compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance Intrusion Detection System • • • An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.[ Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. Intrusion Detection System • • • For the purpose of dealing with IT, there are two main types of IDS's: network-based and host-based IDS. In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic. In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed, including file system, logs and the kernel. Some application-based IDS are also part of this category. Intrusion Detection Systems Network-based = Packet Host-based = Permission Application-based = Process Intrusion Prevention Systems • Host-based • Network-based – Content-based – Rate-based • KPI Analysis Engine Methods • Examples – Anomaly – Response – Alert • Pattern- or signature-based – Pattern matching – Stateful matching • Anomaly-based – Statistical – Traffic – Protocol • Heuristic Scanning Threats to Access Control • • • • • Dictionary Attack Brute Force Attack Spoofing at Logon Phishing Identity Theft Domain Agenda • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance Access Control Assurance and Penetration Testing • Assurance – Audit trail monitoring – Vulnerability assessment tools • Penetration Testing – – – – – Definition Areas to test Methods of testing Testing procedures Testing hazards Areas to Test • • • • • • Application security Denial of service (DoS) War dialing Wireless penetration Social engineering PBX and IP telephony • Penetration Testing Methods and Steps External – Zero-knowledge (blind) – Partial-knowledge • Internal – – – – Full-knowledge Targeted Blind Double-blind • Steps – – – – Discovery Enumeration Vulnerability mapping Exploitation Testing Hazards and Reporting • Production interruption – Application abort – System crash • Documentation – Identified vulnerabilities – Countermeasure effectiveness – Recommendations • KPI Domain Summary • • • • • • • Definitions and key concepts Access control categories and types Access control threats Access to system Access to data Intrusion prevention and detection systems Access control assurance APPENDIX • REVIEW of Access Control • REVIEW of Biometrics Access Control Techniques: Review • • • • • Role based access control Constrained user interfaces Access control Matrix Content dependent access control Content dependent access control Access Control • • Access control techniques: Access control techniques are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary. Attribute-based Access Control: In attribute-based access control, access is granted not based on the rights of the subject associated with a user after authentication, but based on attributes of the user. The user has to prove so called claims about his attributes to the access control engine. An attributebased access control policy specifies which claims need to satisfied in order to grant access to an object. For instance the claim could be "older than 18" . Any user that can prove this claim is granted access. Users can be anonymous as authentication and identification are not strictly required. One does however require means for proving claims anonymously. This can for instance be achieved using Anonymous credentials. Access Control • • • • • Discretionary access control: (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. Two important concepts in DAC are File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner. Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources. Access controls may be discretionary in ACL-based or capability-based access control systems. (In capability-based systems, there is usually no explicit concept of 'owner', but the creator of an object has a similar degree of control over its access policy.) Access Control • • • Mandatory access control: (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object. Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times. Access Control • • • Two methods are commonly used for applying mandatory access control: Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching: – An object's sensitivity label – A subject's sensitivity label Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object. Access Control • • Role-based access control: (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions. Access Control: Conclusion of Review • • • • • • Three primary rules are defined for RBAC: 1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized. Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles. Most IT vendors offer RBAC in one or more products. • • • • • • • • • • Review: Biometrics What is Biometrics? Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic Features measured: Face, Fingerprints, Hand geometry, handwriting, Iris, Retinal, Vein and Voice Identification and personal certification solutions for highly secure applications Numerous applications: medical, financial, child care, computer access etc. Biometrics replaces Traditional Authentication Methods Provides better security More convenient Better accountability Applications on Fraud detection and Fraud deterrence Dual purpose: Cyber Security and National Security What is the Process? • • • • Three-steps: Capture-Process-Verification Capture: A raw biometric is captured by a sensing device such as fingerprint scanner or video camera Process: The distinguishing characteristics are extracted from the raw biometrics sample and converted into a processed biometric identifier record – Called biometric sample or template Verification and Identification – Matching the enrolled biometric sample against a single record; is the person really what he claims to be? – Matching a biometric sample against a database of identifiers Why Biometrics? • • • • • • • Authentication mechanisms often used are User ID and Passwords However password mechanisms have vulnerabilities: Stealing passwords Biometrics systems are less prone to attacks Need sophisticated techniques for attacks – Cannot steal facial features and fingerprints – Need sophisticated image processing techniques for modifying facial features Biometrics systems are more convenient, Need not have multiple passwords or difficult passwords – E.g., characters, numbers and special symbols, Need not remember passwords Need not carry any cards or tokens Better accountability: Can determine who accessed the system with less complexity Security Vulnerabilities • Type 1 attack: present fake biometric such a synthetic biometric • Type 2 attack: Submit a previously intercepted biometric data: replay • Type 3 attack: Compromising the feature extractor module to give results desired by attacker • Type 4 attack: Replace the genuine feature values produced by the system by fake values desired by attacker • Type 5 attack: Produce a high number of matching results • Type 6 attack: Attack the template database: add templates, modify templates etc. • Biometric Terms: Verification and Identification Verification – User claims an identity for biometric comparison – User then provides biometric data – System tries to match the user’s biometric with the large number of biometric data in the database – Determines whether there is a match or a no match – Network security utilizes this process • Identification – User does not claim an identity, but gives biometric data – System searches the database to see if the biometric provided is stored in the database – Positive or negative identification – Prevents from enrolling twice for claims – Used to enter buildings Biometric Process • User enrolls in a system and provides biometric data • Data is converted into a template • Later on user provides biometric data for verification or identification • The latter biometric data is converted into a template • The verification/identification template is compared with the enrollment template • The result of the match is specified as a confidence level • The confidence level is compared to the threshold level • If the confidence score exceeds the threshold, then there is a match • If not, there is no match Enrollment and Template Creation • Enrollment – This is the process by which the user’s biometric data is acquired – Templates are created • Presentation – User presents biometric data using hardware such as scanning systems, voice recorders, etc. • Biometric data – Unprocessed image or recording • Feature extraction – Locate and encode distinctive characteristics from biometric data • • • • • • • • Data Types and Associated Biometric Technologies Finger scan: Fingerprint Image Voice scan: Voice recording Face scan: Facial image Iris scan: Iris image Retina scan: Retina image Hand scan: Image of hand Signature scan: Image of signature Keystroke scan: Recording of character types Templates • Templates are NOT compressions of biometric data; they are constructed from distinctive features extracted • Cannot reconstruct the biometric data from templates • Same biometric data supplied by a user at different times may results in different templates • When the biometric algorithm is applied to these templates, it will recognize them as the same biometric data • Templates may consist of strings of characters and numeric values • Vendor systems are heterogeneous; standards are used for common templates and for interoperability Biometric Matching • Part of the Biometric process: Compares the user provided template with the enrolled templates • Scoring: – Each vendor may use a different score for matching; 1-10 or -1 to 1 – Scores also generated during enrollment depending on the quality of the biometric data – User may have to provide different data if enrollment score is low • Threshold is generated by system administrator and varies from system to system and application to application • Decision depending on match/ nomatch – 100% accuracy is generally not possible False Match Rate • System gives a false positive by matching a user’s biometric with another user’s enrollment – Problem as an imposter can enter the system • Occurs when two people have high degree of similarity – Facial features, shape of face etc. – Template match gives a score that is higher than the threshold – If threshold is increased then false match rate is reduced, but False no match rate is increased • False match rate may be used to eliminate the non-matches and then do further matching False Nonmatch rate • User’s template is matched with the enrolled templates and an incorrect decision of nonmatch is made • Consequence: user is denied entry • False nonmatch occurs for the following reasons – Changes in user’s biometric data – Changes in how a user presents biometric data – Changes in environment in which data is presented • Major focus has been on reducing false match rate and as a result there are higher false nonmatch rates