Using access control and authentication

Security fundamentals
Topic 3
Using access control and authentication
Agenda
• AAA
• Basic access control methods
• Access control models
• Authentication methods and techniques
• Authentication and access control guidelines
AAA - Authentication, Authorisation (Access Control) and Accounting
• Authentication is the process of identifying a user or
process by examining credentials to verify identity
• Authorisation is the process of granting a user access
to a protected resource
• Accounting is the tracking of access and use of
network resources by users
• Access Control combines authentication with
authorisation
Access Control methods
• The point of using Access Control is to
differentiate and control the abilities of users
and processes
Password based Access Control
• A password on the resource – user does not establish identity
• Anyone who knows the password can access the resource
• PBAC is considered a weak security measure because:
– No accountability for access to resources as users cannot be
monitored
– High risk that the shared password will be compromised and given to
an unauthorised user
– Difficult to distribute a new shared password to legitimate users
securely
– Each resource may require a separate password which makes it
difficult for users to remember and encourages them to write down
passwords
User based Access Control
• Firstly: Authenticates the user
• Secondly: Authorises access to resources
based on the user’s identity
– Provides accountability as the actions of specific users can
be monitored
– A single password allows access to multiple resources
– Password reset and distribution is simpler to manage
Access Control models
• Discretionary Access Control (DAC)
– The owner of the object manages access control,
eg a user can choose to share a folder with others
• Mandatory Access Control (MAC)
– Access to the object is based on sensitivity label and
authorisation is granted based on security clearance
for the level of data as defined by label
• Role-Based Access Control (RBAC)
– Access is based on the role of the user in the
organisation, eg HR manager or Sales Dept staff
Discretionary Access Control
• The owner of the resource controls access to the resource
• An ACL lists the users that have been allowed or denied access to
the resource and lists the type of access they have been granted
• Risks of the DAC Model:
– Assumes that owners have the knowledge and skills to secure
resources: Owners might not enforce strong security
– A lack of centralised administration may lead to:
• Software executed or updated by unauthorised personnel
• Confidential information compromised
• Auditing file access may be difficult
• Windows NTFS file systems use DAC
Mandatory Access Control
• Classify all users and resources and assign a security label to each
classification
• Information is placed into categories depending on the sensitivity
• Access requests are denied if the requestor’s security label is not
higher or does not match the security label
• Major classification levels:
– Top secret
– Confidential
– Unclassified
• Implicit trust with higher classifications
– Top secret clearance allows access to lower levels such as confidential and
unclassified
• Used by military and government
• Feasible if security levels are clearly defined and are centrally
administered
MAC Example
[Diagram: three security labels, Unclassified, Confidential and Top Secret, each applied to a block of data]
Role-based Access Control
• Information is placed into categories depending on the content
• Users and processes are granted access based on their role in the
organisation
• Can specify and enforce enterprise specific security policies that
map to organisation structure
• Each user or group is assigned one or more roles
• Each role is assigned one or more privileges
• RBAC requires a list of roles with mappings from role to user or user
group
• Windows can use multiple models:
– RBAC element: add users to global groups, assign permission to resources to
domain local groups and place global groups into domain local groups
– DAC element: Owner can still grant access to resources
RBAC Example
[Diagram: roles Manager, Accounting and Sales, and their access to Budget Data]
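The three models above differ in who decides and what the decision is based on. The following is an added example, not code from the slides: a minimal DAC resource whose owner manages an allow/deny ACL, a MAC check that compares a clearance against a sensitivity label using the ordering Unclassified < Confidential < Top Secret, and an RBAC store mapping users to roles and roles to privileges. The names (alice, bob, the "read:budget" privilege) and the rule that an explicit deny entry overrides an allow are constructed for this example and are not taken from the slides.

```python
from enum import IntEnum

# ---------- DAC: the owner manages an ACL of allow/deny entries ----------
class DacResource:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = []          # entries: (user, permission, allow)

    def set_entry(self, actor: str, user: str, permission: str, allow: bool = True) -> None:
        # Discretionary: only the owner may change who has access
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.acl.append((user, permission, allow))

    def is_allowed(self, user: str, permission: str) -> bool:
        if user == self.owner:
            return True
        matches = [allow for u, p, allow in self.acl if u == user and p == permission]
        # Assumed rule: no entry means no access, and an explicit deny overrides an allow
        return bool(matches) and all(matches)


# ---------- MAC: clearance versus sensitivity label ----------
class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    TOP_SECRET = 2


def mac_is_allowed(clearance: Level, label: Level) -> bool:
    # Granted when the clearance matches or is higher than the label
    # (implicit trust: a higher clearance reads the lower levels)
    return clearance >= label


# ---------- RBAC: user -> roles -> privileges ----------
class Rbac:
    def __init__(self):
        self.user_roles = {}    # user -> set of roles
        self.role_privs = {}    # role -> set of privileges

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant_privilege(self, role: str, privilege: str) -> None:
        self.role_privs.setdefault(role, set()).add(privilege)

    def is_allowed(self, user: str, privilege: str) -> bool:
        # A user holds a privilege if any of their roles has been granted it
        return any(privilege in self.role_privs.get(r, ())
                   for r in self.user_roles.get(user, ()))


def demo() -> dict:
    """Constructed scenario exercising all three models; returns the access decisions."""
    report = DacResource(owner="alice")
    report.set_entry("alice", "bob", "read")
    report.set_entry("alice", "carol", "read")
    report.set_entry("alice", "carol", "read", allow=False)   # explicit deny for carol

    budget = Rbac()
    budget.grant_privilege("accounting", "read:budget")
    budget.grant_privilege("manager", "read:budget")
    budget.grant_privilege("manager", "approve:budget")
    budget.assign_role("dave", "accounting")
    budget.assign_role("erin", "sales")

    return {
        "dac_bob_read": report.is_allowed("bob", "read"),        # True
        "dac_carol_read": report.is_allowed("carol", "read"),    # False: deny wins
        "dac_bob_write": report.is_allowed("bob", "write"),      # False: no entry
        "mac_ts_reads_conf": mac_is_allowed(Level.TOP_SECRET, Level.CONFIDENTIAL),  # True
        "mac_conf_reads_ts": mac_is_allowed(Level.CONFIDENTIAL, Level.TOP_SECRET),  # False
        "rbac_dave_budget": budget.is_allowed("dave", "read:budget"),      # True
        "rbac_erin_budget": budget.is_allowed("erin", "read:budget"),      # False
        "rbac_dave_approve": budget.is_allowed("dave", "approve:budget"),  # False
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The DAC risk listed above (owners may not enforce strong security) shows up directly: nothing in DacResource stops alice from granting "read" to everyone. In the MAC check the decision is taken out of the owner's hands entirely, and in Rbac a change to the "manager" role's privileges takes effect for every user holding that role without editing any per-user entry.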
Authentication methods
Establishing identity
• Usernames and passwords
– Windows, Linux and most Operating Systems
– OS asks for username and password and validates it
against database
• Passwords are stored as a hash in database. When a user
presents their password it is hashed and the hashes are
compared. Hashes are irreversible
– Assumes only the user knows the password
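The hash-and-compare flow described above, as an added example that is not part of the slides: each password is stored as a salted PBKDF2-HMAC-SHA256 digest, and a login attempt is verified by hashing the presented password with the stored salt and comparing the two digests in constant time. The in-memory USER_DB, the iteration count and the usernames are assumptions made for this example; a real system would keep the records in its account database.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store for this example: username -> (salt, hash).
USER_DB = {}

# PBKDF2 work factor; assumed value chosen for the example, tune for the target hardware.
ITERATIONS = 200_000
SALT_LEN = 16


def derive_hash(password: str, salt: bytes) -> bytes:
    """One-way transformation of the password; the hash cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only the salted hash, never the password itself."""
    salt = os.urandom(SALT_LEN)          # per-user random salt: equal passwords give different hashes
    USER_DB[username] = (salt, derive_hash(password, salt))


def verify(username: str, password: str) -> bool:
    """Hash the presented password with the stored salt and compare the hashes."""
    record = USER_DB.get(username)
    if record is None:
        # Unknown user: do the same work anyway so the response time does not
        # reveal which usernames exist
        derive_hash(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = record
    # Constant-time comparison: a plain == would leak how many leading bytes matched
    return hmac.compare_digest(derive_hash(password, salt), stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("right password:", verify("alice", "correct horse battery staple"))
    print("wrong password:", verify("alice", "Correct horse battery staple"))
    print("unknown user:  ", verify("nobody", "anything"))
```

Because the store holds only salt and hash, an attacker who reads USER_DB still has to run the same slow derivation for every guess, which is what the "long enough to protect from brute force" guideline below relies on.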
Password weaknesses
There are many weaknesses when using passwords
for authentication:
• If authentication is performed locally a running process could
intercept username and password
• If authentication is performed remotely on a central server
the network traffic can be intercepted and the password
compromised
• A user could be observed typing a password or may write
down their password
• Password based authentication cannot determine whether
the user is legitimate or impostor – it only verifies that the
password is known
Password security guidelines
• Easy to remember and difficult to guess
• Long passwords: long enough to protect from brute force
attack
• Complex passwords: increase the potential character set from
26 to 72 by including uppercase, lowercase, symbols and
numbers
• Difficult to guess passwords: not names, pets, common
words or phone numbers to avoid dictionary attack
• Passwords are frequently changed: reduces the time in which
a password can be broken and reduces the time that a
compromised password can be used
• Passwords are not written down: best secured password is
very long and randomly generated
• Passphrase: long passwords with spaces – perhaps a sentence
or the line of a song or poem
Biometrics
• Identifying a person based on a physical characteristic
• Comparing a sample against a captured biometric sample
• Two processes involved:
– Enrolment: storing a user’s biometric identity to be used to verify the user at
authentication
– Verification: a sensor captures a biometric feature and transmits it to
authenticating server which compares it to the sample captured at enrolment
• Weaknesses:
– Performance and reliability: possibility of false rejection and false acceptance
– Difficulty: in collecting the samples
– User capability: user impairment may prevent from using the biometric
scanner – they will require alternative authentication method
– Acceptance: users may consider the method too invasive
– Cost: can be costly to implement
– Availability: may not be available from all locations (eg remotely)
– There are known attack methods against biometric authentication
Tokens
• A token is a device issued to a user for authentication (eg A smart card)
• Challenge Response:
– Send username to authentication server
– Server sends back a challenge: randomly created data used only once
– Challenge is encrypted with a secret known to user or derived from token and
sent to server
– Server performs the same encryption with the secret and compares the
results
– If match, then secrets are the same and authenticated
• Secrets (passwords) do not travel over the network
• Tokens offer reliable security, are difficult to duplicate and tamper
resistant
• Costly and difficult to deploy in an enterprise (may require token readers)
• Tokens can be used to provide a one time password
• Smart cards can store certificates and passwords
Multifactor authentication
• Multiple authentication methods
• Something you know, eg a password
• Something you have, eg a token or smart card
• Something you are, eg biometrics
• Multifactor authentication can significantly
increase security
• Can be difficult and expensive to implement
Kerberos authentication
• Network authentication protocol that provides
strong authentication for client/server
applications
• Single sign-on to heterogeneous environments
• Scalable to large environments
• Mutual authentication
• Encrypted communications
Kerberos process
• User logs on to computer
• Logon process sends authentication request to
Kerberos server
• Server sends encrypted credentials for the user to
the local computer
• Local computer tries to decrypt credentials using
user supplied password
• If correct user is validated and given a ticket to
verify identity, access to specific resources and
cipher keys to encrypt data sessions
Kerberos definitions
• Realm: Organisational authentication boundary – domain.
Each realm has at least one KDC Key Distribution Center
(domain controller) which consists of at least 1
Authentication Server (AS) and 1 Ticket Granting Server
(TGS)
• Principal: Any unique identity which can have a ticket
issued such as users and computer accounts
• Authenticators: A series of bits inserted into a message and
used for validation – can only be used once
• Ticket: A block of data that proves the identity of a
principal. Each ticket is stored in a ticket cache locally and
time stamped. Tickets expire, are refreshed or reissued
after a given time (10 hours)
Kerberos definitions
• Ticket cache: Stores all of the user's tickets and can be used
by applications to prove authentication, allowing a user to
authenticate only once
• Ticket Granting Ticket (TGT): A ticket granted at
authentication and used to obtain other tickets specific to a
particular service. Each service requires its own ticket
• Authentication Server (AS): Clients register with the AS.
The AS gives each client a TGT that verifies identity
• Ticket Granting Server (TGS): Clients contact the TGS and
use a TGT to request a session ticket for access to a
particular service
Kerberos definitions
• Cross realm authentication: The capability of
users in 1 realm to be authenticated and
access services in another realm. User’s realm
registers with Remote TGS on the realm of the
service
• Remote TGS: Grants session tickets to users
for a remote realm. The TGS of the user's
realm registers with the TGS of the remote
realm (where the service is)
Kerberos authentication processes
• Basic Kerberos authentication process analogy
• Kerberos authentication in the same realm
• Kerberos authentication in a different realm
Kerberos caveats
• Centralised Kerberos KDC creates a single point of
failure
• Compromise of the KDC results in the compromise of all
users' secret keys
• Compromise of a client will compromise that user's
password
• Kerberos requires the time settings on all
computers in the realm to be synchronised as
tickets expire after a certain amount of time
• Tickets whose time stamps are out by more than 10 minutes
(by default) will not be accepted
Mutual authentication
• Both the client and the server authenticate to
each other
• Assures the server that the client is who they
claim to be
• Assures the client that the server is legitimate
and not a spoofed rogue server
Certificates
• Kerberos uses certificates to identify users and
computers
• A certificate is a block of data containing
information for identification
• Trust in a 3rd party to issue certificates to verified
users
• A Certification Authority (CA) issues a certificate
to verify identity
• Encryption and signing ensure that certificates
cannot be altered after they are issued
Microsoft® Challenge Handshake
Authentication Protocol (CHAP)
• Used to authenticate a remote client to a network server (PPP
connection on routers)
• 3-way handshake that does not send the password
– Network access server sends a challenge (session ID and random string) to
remote client
– Remote client uses a MD5 hash function to create a fixed length string based
on username, password, session ID and the challenge random string and
sends to server
– Server performs same MD5 hash function and compares the result to the hash
sent by the remote client – if match then client is authenticated
• The use of a random string protects from replay attack
• Challenges are repeated at unpredictable intervals which
protects from impersonation
• Windows uses MS-CHAPv2 (Windows Vista® does not support
MS-CHAPv1)
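The CHAP handshake above, and the token challenge-response described earlier under Tokens, follow the same pattern: the server sends a random, single-use challenge, the client proves knowledge of the secret by returning a digest computed over it, and the secret itself never crosses the link. The following is an added example, not code from the slides or from any CHAP implementation: it models both sides of the exchange in Python, uses MD5 as the slide describes, and shows why the challenge must be consumed on use so that a captured response cannot be replayed. The SECRETS table, the length-prefixing of the hashed fields and the class names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed credential store for this example: username -> shared secret.
# CHAP needs the secret on both sides; it is never transmitted, only hashed
# together with a fresh challenge.
SECRETS = {"alice": b"correct horse battery"}


def chap_response(username: str, secret: bytes, session_id: bytes, challenge: bytes) -> bytes:
    """Fixed-length digest over username, secret, session ID and challenge (MD5, as the slide describes)."""
    h = hashlib.md5()
    for part in (username.encode("utf-8"), secret, session_id, challenge):
        # Length-prefix each field so "ab"+"c" and "a"+"bc" cannot collide
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class NetworkAccessServer:
    """Server side: issues one-time challenges and checks the client's response."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._pending = {}        # session_id -> (username, challenge)

    def send_challenge(self, username: str):
        session_id = os.urandom(4)
        challenge = os.urandom(16)            # random string, valid for exactly one response
        self._pending[session_id] = (username, challenge)
        return session_id, challenge

    def check_response(self, session_id: bytes, response: bytes) -> bool:
        # pop() consumes the challenge: a replayed response finds nothing to match against
        pending = self._pending.pop(session_id, None)
        if pending is None:
            return False
        username, challenge = pending
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(username, secret, session_id, challenge)
        return hmac.compare_digest(expected, response)


class RemoteClient:
    """Client side: holds the user's password and answers challenges with it."""

    def __init__(self, username: str, password: bytes):
        self.username = username
        self.password = password

    def respond(self, session_id: bytes, challenge: bytes) -> bytes:
        return chap_response(self.username, self.password, session_id, challenge)


def run_handshake(server: NetworkAccessServer, client: RemoteClient) -> bool:
    """The 3-way exchange: challenge, response, accept/reject."""
    session_id, challenge = server.send_challenge(client.username)
    response = client.respond(session_id, challenge)
    return server.check_response(session_id, response)


if __name__ == "__main__":
    nas = NetworkAccessServer(SECRETS)
    print("correct secret:", run_handshake(nas, RemoteClient("alice", b"correct horse battery")))
    print("wrong secret:  ", run_handshake(nas, RemoteClient("alice", b"guess")))
```

Repeating send_challenge at unpredictable times, as the slide notes, simply means calling run_handshake again mid-session; because every challenge is fresh, an earlier response is useless for the new one, which is the impersonation protection the slide refers to.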
Principle of least privilege
• A user should only have the minimum
privileges required to perform assigned job
functions
• Administrators should use standard privileges
if they are performing tasks which do not
require admin permissions
– Prevent accidental damage
– Prevent exposure to malware
Using alternative credentials
• Good practice is to log on to systems with a
standard user account
• Use the Run as command or su to promote to
admin privileges for a specific task
• This avoids the insecure practice of using a
privileged account for running all programs
Lesson summary
• AAA
• Access Control
– PBAC and UBAC
– DAC, MAC, RBAC
• Authentication
– Passwords, Biometrics, Tokens, Multifactor
– Kerberos, CHAP
• Guidelines and practices