Authentication, access control, and policy configuration
Lorrie Faith Cranor
October 2009
CyLab Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/

Outline
Definitions
Authentication
Access control
Policy management
Policy authoring

Definitions
Identification - a claim about identity
– Who or what I am (global or local)
Authentication - confirming that claims are true
– I am who I say I am
– I have a valid credential
Authorization - granting permission based on a valid claim
– Now that I have been validated, I am allowed to access certain resources or take certain actions
Access control system - a system that authenticates users and gives them access to resources based on their authorizations
– Includes or relies upon an authentication mechanism
– May include the ability to grant coarse- or fine-grained authorizations, and to revoke or delegate authorizations
– Also includes an interface for policy configuration and management

Building blocks of authentication
Factors
– Something you know (or recognize)
– Something you have
– Something you are
Two factors are better than one
– Especially two factors from different categories
What are some examples of each of these factors?
What are some examples of two-factor authentication?

Authentication mechanisms
Text-based passwords
Graphical passwords
Hardware tokens
Public key crypto protocols
Biometrics

Evaluation
Accessibility
Memorability
Security
Cost
Environmental considerations

Typical password advice
Pick a hard-to-guess password
Don’t use it anywhere else
Change it often
Don’t write it down
So what do you do when every web site you visit asks for a password?

Problems with Passwords
Selection
– Difficult to think of a good password
– Passwords people think of first are easy to guess
Memorability
– Easy to forget passwords that aren’t frequently used
– Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters
Reuse
– Too many passwords to remember
– A previously used password is memorable
Sharing
– Often unintentional through reuse
– Systems aren’t designed to support the way people work together and share information

Mnemonic Passwords
Phrase: Four score and seven years ago, our Fathers
First letter of each word (with punctuation): fsasya,oF
Substitute numbers for words or similar-looking letters: 4sasya,oF, 4sa7ya,oF
Substitute symbols for words or similar-looking letters: 4s&7ya,oF
Source: Cynthia Kuo, SOUPS 2006

The Promise?
Phrases help users incorporate different character classes in passwords
– Easier to think of character-for-word substitutions
Virtually infinite number of phrases
Dictionaries do not contain mnemonics
Source: Cynthia Kuo, SOUPS 2006

The Problem?
“Goodness” of mnemonic passwords unknown
– Yan et al. compared regular, mnemonic, and randomly generated passwords
• Used standard (non-mnemonic) dictionary
• Effectively evaluated whether mnemonic passwords contained dictionary words
Source: Cynthia Kuo, SOUPS 2006

Mnemonic password evaluation
Mnemonic passwords are not a panacea for password creation
No comprehensive dictionary today
May become more vulnerable in future
– Many people start to use them
– Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.
Source: Cynthia Kuo, SOUPS 2006

Password keeper software
Run on PC or handheld
Only remember one password

Single sign-on
Log in once to get access to all your passwords

Biometrics

Graphical passwords

“Forgotten password” mechanism
Email password or magic URL to address on file
Challenge questions
Why not make this the normal way to access infrequently used sites?

Convenient SecureID 1
What problems does this approach solve?
What problems does it create?
Source: http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx

Convenient SecureID 2
What problems does this approach solve?
What problems does it create?
Previously available at: http://fob.webhop.net/

Browser-based mutual authentication
Chris Drake’s “Magic Bullet” proposal: http://lists.w3.org/Archives/Public/public-usableauthentication/2007Mar/0004.html
– User gets ID, password (or alternative), image, hotspot at enrollment
– Before user is allowed to log in they are asked to confirm URL and SSL cert and click buttons
– Then login box appears and user enters username and password (or alternative)
– Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear)
– User finds their image and clicks on hotspot
• Image manipulation can help prevent replay attacks
What problems does this solve? What problems doesn’t it solve? What kind of testing is needed?

Types of access control
Discretionary access control
– Distributed, dynamic: users set access rules for resources they own and can delegate access to others
Role-based access control
– Centralized: admin assigns users to roles and sets access rules based on roles
And many others that vary along
– discretionary/mandatory
– centralized/distributed
– granularity
– grouping

Policy management problems
Admins, large organizations understanding large access control policies
– Someone in marketing changed a policy and now we can’t figure out why people in sales no longer have access to a document
– Who has access to this document anyway?
End users creating and understanding policies
– Examples: File system permissions, Grey, Perspective, privacy rules
– Home users want to share some files with some other users, but don’t want to share everything

Roles for policy professionals
Policy makers
Policy implementers
L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. CHI 2009. http://www.ece.cmu.edu/~lbauer/papers/2009/chi09management.pdf

Policy conflicts
Given
– Alice is in GroupA and GroupB
– FileQ is in FolderX
What types of conflicts might occur?
Direct conflict
– Alice allowed access to FileQ
– Alice denied access to FileQ
File/directory conflict
– Alice allowed access to FileQ
– Alice denied access to FolderX
User/group conflict
– Alice allowed access to FileQ
– GroupA denied access to FileQ
2-way conflict
– Alice allowed access to FileQ
– GroupA denied access to FolderX
Group/group conflict
– GroupA allowed access to FileQ
– GroupB denied access to FileQ

How can conflicts be resolved?
Default rule – deny/allow takes precedence
Ordered rules – policy author sets order
Ordered rules – most recent first/last
Specificity – most/least specific takes precedence
Weighted rules – policy author assigns weights
Exceptions – policy author defines exceptions (essentially a partial ordering)
Combination

Policy Authoring
Slides courtesy of Rob Reeder
R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.
Memogate

Proliferation of policies
File systems
Location disclosure applications
Online social networks
Websites

Policy authoring
Policy – a set of rules that determine the conditions under which access is allowed to a resource
Policies are created, edited, and viewed – authored
Someone determines policy – the author
Policies should fulfill the author’s intentions
Policy authoring is done with a user interface

List-of-rules interfaces support policy authoring operations poorly
Viewing policy
– Often only one rule at a time is visible
– Difficult to understand policy by reading a long list of rules
Changing policy
– Difficult to understand effect of changes because you can’t see all relevant parts of a policy together
Viewing group memberships
– Usually requires using a separate interface
Detecting and resolving conflicts
– When rules interact, it isn’t clear what the outcome will be

Solution: Expandable Grid
Key insight: Center policy-authoring user interfaces around a display of the whole effective policy, not a list of rules

Expandable Grid details

Direct manipulation interface
To change a policy, just click on a cell and toggle the color
In order to make this work, we had to change the conflict resolution semantics
– Windows semantics: Deny takes precedence, but specificity precedence in resource dimension
– Expandable Grid semantics: Recency precedence

User study of Expandable Grid for file permissions
Laboratory study
2 conditions:
– Expandable Grid
– Native Windows file permissions interface
36 participants, 18 per condition, novice policy authors
Training:
– 3.5 minutes for Grid
– 5.5 minutes for Windows
18 tasks based on a teaching assistant scenario

Example task: Jana
Set permissions so that Jana can read and write the Four-part Harmony.doc file in the Theory 101\Handouts folder.
Task setup:
– Jana is a TA “this” year (did the study in 2007)
• Is in the group Theory 101 TAs 2007
– Jana was a TA last year
• Is in the group Theory 101 TAs 2006
– 2007 TAs are allowed READ & WRITE
– 2006 TAs are denied READ & WRITE
– Since Jana is in both groups, she is denied access

Jana task – common error

Learning Jana’s effective permissions
1 Click “Advanced”
2 Click “Effective Permissions”
3 Select Jana
4 View Jana’s Effective Permissions

Learning Jana’s group membership
5 Bring up Computer Management interface
6 Click on “Users”
7 Double-click Jana
8 Click “Member Of”
9 Read Jana’s group membership

Learning Jana’s groups’ permissions
10 Click on TAs 2006
11 Read permissions for TAs 2006
12 Click on TAs 2007
13 Read permissions for TAs 2007

Changing Jana’s groups’ permissions
14 Click on TAs 2006
15 Change permissions for TAs 2006

Checking work
16 Click “Advanced”
17 Click “Effective Permissions”
18 Select Jana
19 View Jana’s Effective Permissions

XP support for fundamental operations
Viewing policy
– Effective policy is 3 screens away (most authors don’t find them)
Changing policy
– Authors operate on rules, not effective policy
Viewing group memberships
– In a separate application from file permissions
Detecting and resolving conflicts
– Has to be done manually

Viewing effective policy

Viewing group membership

Changing policy

Resolving rule conflicts

Grid support for fundamental operations
Viewing policy
– Effective policy directly shown on screen
Changing policy
– Changes take one click
Viewing group memberships
– Group memberships are shown in the trees
Detecting and resolving conflicts
– Happens automatically

Results
[Two slides of charts: accuracy and time for Grid vs. Windows on the small-size and large-size versions of each task type (view simple, view complex, change simple, change complex, compare groups, conflict simple, conflict complex, Memogate simulation, precedence rule test) and on the Jana task; some Windows entries are marked “Insufficient data”.]

Conflict-resolution method
Were the effects we observed due to the Expandable Grid visualization, the recency precedence conflict-resolution method, or both?
We ran another study to find out
– Implemented deny-takes-precedence in the Expandable Grid interface
– Ran 18 new participants with the new Grid interface
Results
– On the Jana task, recency precedence made a big difference
– On the other tasks, the Grid was generally superior to Windows no matter the conflict resolution scheme
Both the Grid’s presentation aspects AND recency precedence make a difference

Desired properties for conflict resolution method
Direct manipulation
Exception-rule preservation
Order independence
Fail safety

Problems with Windows and recency semantics
Windows:
– No satisfactory way to solve Jana-like rule conflicts
Recency:
– Too liberal in overriding existing rules
– Does not work well in the presence of dynamic changes, like adding a user to a group or moving a file

Our specificity semantics
Conflict resolution procedure
– Resolve rule conflicts by choosing the more specific rule when possible (specificity precedence)
– Otherwise, use deny-precedence
Benefits
– If group rules are in conflict, can make a user-level exception
– Exceptions stay in place even when group rules change
– User-level or file-level exceptions stay in place even in the presence of dynamic changes

Enhanced Grid

Semantics study #2
Laboratory study
3 conditions:
– Expandable Grid with specificity semantics
– Expandable Grid with Windows semantics
– Native Windows file permissions interface
54 participants, 18 per condition, novice policy authors
10 minutes training for all conditions
Used large-scale Teaching Assistant scenario from prior study
12 total tasks with counterbalanced task order

Results and discussion
Conflict resolution semantics can have a big effect on usability, but there is no perfect semantics
Specificity helps resolve rule conflicts and makes group rule exceptions easy
Specificity semantics is not always better than Windows semantics
The grid/specificity combination overcomes semantics disadvantages
Whatever the semantics, show effective policy!
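The conflict types and resolution methods from the Policy conflicts slides, and the Jana task under the Windows, recency and specificity semantics, as an added worked example (this is not code from the slides or from the Expandable Grid project). It assumes a single combined READ & WRITE right, "/" as the path separator, and encodes the three semantics as the slides describe them in one line each: Windows = deny precedence but most specific resource first; recency = newest rule wins; specificity = most specific rule in both the subject and resource dimensions, deny on a tie.

```python
from collections import namedtuple

# A rule grants or denies the (combined, for brevity) READ & WRITE right.
Rule = namedtuple("Rule", "subject resource effect")   # effect: "allow" | "deny"

# Constructed group memberships from the slides' Jana task and Alice example.
GROUPS = {"Jana": {"Theory 101 TAs 2007", "Theory 101 TAs 2006"},
          "Alice": {"GroupA", "GroupB"}}
DOC = "Theory 101/Handouts/Four-part Harmony.doc"   # '/' separator is assumed

def ancestors(resource):
    """The resource itself and every enclosing folder, nearest first."""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def applicable(rules, user, resource):
    """Rules whose subject is the user or one of her groups and whose resource
    is the target or a folder containing it, in authoring order."""
    subjects = {user} | GROUPS.get(user, set())
    return [r for r in rules if r.subject in subjects and r.resource in ancestors(resource)]

def specificity(rule, user):
    """(user-level rule?, depth of the resource): larger means more specific."""
    return (1 if rule.subject == user else 0, rule.resource.count("/") + 1)

def effective(rules, user, resource, semantics):
    """Effective decision ('allow'/'deny') under one of the slides' semantics.
    Rules are in the order the author created them; no matching rule -> deny."""
    cands = applicable(rules, user, resource)
    if not cands:
        return "deny"
    if semantics == "recency":        # first Expandable Grid: newest rule wins
        return cands[-1].effect
    if semantics == "windows":        # deny precedence, but a rule on a more
        deepest = max(specificity(r, user)[1] for r in cands)   # specific resource wins
        cands = [r for r in cands if specificity(r, user)[1] == deepest]
    elif semantics == "specificity":  # Reeder's semantics: keep only rules not
        keys = {r: specificity(r, user) for r in cands}      # dominated in both dimensions
        cands = [r for r in cands if not any(
            keys[o] != keys[r] and keys[o][0] >= keys[r][0] and keys[o][1] >= keys[r][1]
            for o in cands)]
    else:
        raise ValueError(f"unknown semantics: {semantics}")
    return "deny" if any(r.effect == "deny" for r in cands) else "allow"   # tie -> deny

# The Jana task as set up on the slides, then the user-level exception an
# author would add, then a later re-statement of the 2006 group rule.
JANA_RULES = [Rule("Theory 101 TAs 2007", DOC, "allow"),
              Rule("Theory 101 TAs 2006", DOC, "deny")]
JANA_FIXED = JANA_RULES + [Rule("Jana", DOC, "allow")]
JANA_GROUP_CHANGED = JANA_FIXED + [Rule("Theory 101 TAs 2006", DOC, "deny")]

if __name__ == "__main__":
    for name, rules in [("setup", JANA_RULES), ("exception", JANA_FIXED),
                        ("group rule re-set", JANA_GROUP_CHANGED)]:
        print(name, {s: effective(rules, "Jana", DOC, s)
                     for s in ("windows", "recency", "specificity")})
```

Running it shows the slides' claims side by side: under Windows semantics no rule on the document lets Jana in, under recency the exception works until a group rule is set again, and under specificity the user-level exception survives the later group change.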