Security fundamentals
Topic 3: Using access control and authentication

Agenda
• AAA
• Basic access control methods
• Access control models
• Authentication methods and techniques
• Authentication and access control guidelines

AAA: Authentication, Authorisation (Access Control) and Accounting
• Authentication is the process of identifying a user or process by examining credentials to verify identity
• Authorisation is the process of granting an authenticated user access to a protected resource
• Accounting is the tracking of access to and use of network resources by users
• Access Control combines authentication with authorisation

Access Control methods
• The point of using Access Control is to differentiate and control the abilities of users and processes

Password based Access Control (PBAC)
• A password is set on the resource: the user does not establish an identity
• Anyone who knows the password can access the resource
• PBAC is considered a weak security measure because:
  – No accountability for access to resources, as individual users cannot be monitored
  – High risk that the shared password will be compromised or given to an unauthorised user
  – Difficult to distribute a new shared password to legitimate users securely
  – Each resource may require a separate password, which makes passwords difficult to remember and encourages users to write them down

User based Access Control (UBAC)
• Firstly: authenticates the user
• Secondly: authorises access to resources based on the user's identity
  – Provides accountability, as the actions of specific users can be monitored
  – A single password allows access to multiple resources
  – Password reset and distribution is simpler to manage

Access Control models
• Discretionary Access Control (DAC)
  – The owner of the object manages access control, eg a user can choose to share a folder with others
• Mandatory Access Control (MAC)
  – Access to the object is based on a sensitivity label; authorisation is granted according to the requester's security clearance for the level of data defined by that label
• Role-Based Access Control (RBAC)
  – Access is based on the role of the user in the organisation, eg HR manager or Sales Dept staff

Discretionary Access Control
• The owner of the resource controls access to the resource
• An ACL lists the users that have been allowed or denied access to the resource and the type of access they have been granted
• Risks of the DAC model:
  – Assumes that owners have the knowledge and skills to secure resources: owners might not enforce strong security
  – A lack of centralised administration may lead to:
    • Software executed or updated by unauthorised personnel
    • Confidential information compromised
  – Auditing file access may be difficult
• Windows NTFS file systems use DAC

Mandatory Access Control
• Classify all users and resources and assign a security label to each classification
• Information is placed into categories depending on its sensitivity
• An access request is denied if the requester's security label is neither higher than nor equal to the label on the resource
• Major classification levels:
  – Top secret
  – Confidential
  – Unclassified
• Implicit trust with higher classifications
  – Top secret clearance allows access to lower levels such as confidential and unclassified
• Used by military and government
• Feasible if security levels are clearly defined and centrally administered

MAC Example
[Figure: three data stores labelled Unclassified, Confidential and Top Secret]

Role-based Access Control
• Information is placed into categories depending on its content
• Users and processes are granted access based on their role in the organisation
• Can specify and enforce enterprise specific security policies that map to the organisation structure
• Each user or group is assigned one or more roles
• Each role is assigned one or more privileges
• RBAC requires a list of roles with mappings from role to user or user group
• Windows can use multiple models:
  – RBAC element: add users to global groups, assign permissions on resources to domain local groups, and place global
groups into domain local groups
  – DAC element: the owner can still grant access to resources

RBAC Example
[Figure: Manager, Accounting and Sales roles and Budget Data]

Authentication methods: establishing identity
• Usernames and passwords
  – Windows, Linux and most operating systems
  – The OS asks for a username and password and validates them against a database
• Passwords are stored as a hash in the database. When a user presents their password it is hashed and the two hashes are compared. Hashes are one-way (irreversible)
  – In practice each password is hashed with a per-user salt and a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2), so that a stolen database cannot be cracked quickly
  – Assumes only the user knows the password

Password weaknesses
There are many weaknesses when using passwords for authentication:
• If authentication is performed locally, a running process (such as a keylogger) could intercept the username and password
• If authentication is performed remotely on a central server, the network traffic can be intercepted and the password compromised unless the channel is encrypted or a challenge-response scheme is used
• A user could be observed typing a password, or may write down their password
• Password based authentication cannot determine whether the user is legitimate or an impostor; it only verifies that the password is known

Password security guidelines
• Easy to remember and difficult to guess
• Long passwords: long enough to protect from brute force attack
• Complex passwords: increase the potential character set from 26 (lowercase letters only) to up to 94 printable ASCII characters by including uppercase, lowercase, digits and symbols; each character then contributes about 6.5 bits of guessing entropy instead of 4.7
• Difficult to guess passwords: not names, pets, common words or phone numbers, to avoid dictionary attacks
• Passwords are frequently changed: reduces the time in which a password can be broken and the time a compromised password can be used (note that current NIST SP 800-63B guidance favours changing passwords on evidence of compromise rather than on a fixed schedule, since forced rotation encourages predictable variations)
• Passwords are not written down: the best secured password is very long and randomly generated, which a password manager makes practical
• Passphrase: long passwords with spaces, perhaps a sentence or a line of a song or poem

Biometrics
• Identifying a person based on a physical characteristic
• Comparing a live sample against a biometric sample captured earlier
• Two processes involved:
  – Enrolment: storing a user's biometric identity to be used to verify the user at authentication
  – Verification: a sensor captures a biometric feature and transmits it to the authenticating server, which compares it to the sample captured at enrolment
• Weaknesses:
  – Performance and reliability: possibility of false rejection and false acceptance
  – Difficulty in collecting the samples
  – User capability: an impairment may prevent a user from using the biometric scanner; they will require an alternative authentication method
  – Acceptance: users may consider the method too invasive
  – Cost: can be costly to implement
  – Availability: may not be available from all locations (eg remotely)
  – There are known attack methods against biometric authentication (eg presenting a copied fingerprint or a photograph), and unlike a password a compromised biometric cannot be changed

Tokens
• A token is a device issued to a user for authentication (eg a smart card)
• Challenge Response:
  – The client sends its username to the authentication server
  – The server sends back a challenge: randomly created data used only once (a nonce)
  – The challenge is encrypted with a secret known to the user or derived from the token, and the result is sent to the server
  – The server performs the same encryption with the secret and compares the results
  – If they match, the secrets are the same and the user is authenticated
• Secrets (passwords) do not travel over the network
• Tokens offer reliable security, are difficult to duplicate and are tamper resistant
• Costly and difficult to deploy in an enterprise (may require token readers)
• Tokens can be used to provide a one time password
• Smart cards can store certificates (with their private keys) and passwords

Multifactor authentication
• Multiple authentication methods drawn from different categories:
  – Something you know, eg a password
  – Something you have, eg a token or smart card
  – Something you are, eg biometrics
• Multifactor authentication can significantly increase security
• Can be difficult and expensive to implement

Kerberos authentication
• Network authentication protocol that provides strong authentication for client/server applications
• Single sign-on to heterogeneous environments
• Scalable to large environments
• Mutual authentication
• Encrypted communications

Kerberos process
• User logs on to computer
• The logon process sends an authentication request to the Kerberos server (the Authentication Server)
• The server sends back credentials for the user (a session key and a Ticket Granting Ticket), encrypted with a key derived from the user's password
• The local computer tries to decrypt the credentials using a key derived from the password the user supplied; only the correct password yields a usable reply
• If correct, the user is validated and holds a ticket proving identity, from which tickets for specific resources and session keys to encrypt data sessions are obtained

Kerberos definitions
• Realm: organisational authentication boundary (a domain). Each realm has at least one Key Distribution Center (KDC; a domain controller in Active Directory), which consists of at least one Authentication Server (AS) and one Ticket Granting Server (TGS)
• Principal: any unique identity which can have a ticket issued, such as user and computer accounts
• Authenticator: a block of data (the principal's name and a timestamp, encrypted under the session key) sent alongside a ticket to prove that the sender holds the session key; each authenticator can only be used once
• Ticket: a block of data that proves the identity of a principal. Each ticket is stored in a local ticket cache and time stamped. Tickets expire after a given lifetime (10 hours by default in Active Directory) and must then be renewed or reissued

Kerberos definitions (continued)
• Ticket cache: stores all of the user's tickets and can be used by applications to prove authentication, allowing a user to authenticate only once
• Ticket Granting Ticket (TGT): a ticket granted at authentication and used to obtain other tickets specific to a particular service. Each service requires its own ticket
• Authentication Server (AS): clients register with the AS. The AS gives each client a TGT that verifies identity
• Ticket Granting Server (TGS): clients contact the TGS and use a TGT to request a session ticket for access to a particular service

Kerberos definitions (continued)
• Cross realm authentication: the capability of users in one realm to be authenticated and access services in another realm. The user's realm registers with the remote TGS in the realm of the service
• Remote TGS: grants session tickets to users from a remote realm.
  The TGS of the user's realm registers with the TGS of the remote realm (where the service is)

Kerberos authentication processes
• Basic Kerberos authentication process analogy
• Kerberos authentication in the same realm
• Kerberos authentication in a different realm

Kerberos caveats
• A centralised Kerberos KDC creates a single point of failure
• Compromise of the KDC compromises all users' secret keys
• Compromise of a client compromises that user's password
• Kerberos requires the time settings on all computers in the realm to be synchronised, as tickets and authenticators expire after a certain amount of time
• Requests whose timestamp is out by more than the permitted clock skew (5 minutes by default in both MIT Kerberos and Active Directory) are rejected

Mutual authentication
• Both the client and the server authenticate to each other
• Assures the server that the client is who they claim to be
• Assures the client that the server is legitimate and not a spoofed rogue server

Certificates
• Kerberos itself identifies users and computers with tickets; certificates can be used for the initial Kerberos authentication through the PKINIT extension (eg smart card logon in Active Directory) and underpin TLS and other PKI-based authentication
• A certificate is a block of data containing information for identification: it binds a subject's name to a public key
• Trust in a third party to issue certificates to verified users
• A Certification Authority (CA) issues a certificate to verify identity
• The CA's digital signature ensures that certificates cannot be altered after they are issued

Challenge Handshake Authentication Protocol (CHAP) and MS-CHAP
• Used to authenticate a remote client to a network access server (PPP connections on routers)
• 3-way handshake that does not send the password:
  – The network access server sends a challenge (an identifier, or session ID, plus a random string) to the remote client
  – The remote client uses the MD5 hash function to create a fixed length value from the identifier, the password and the challenge random string, and sends it to the server together with its username
  – The server performs the same MD5 hash and compares the result to the value sent by the remote client; if they match, the client is authenticated
• Because the server must recompute the hash, CHAP requires it to store the password in plaintext or reversibly encrypted form, unlike a salted one-way password hash
• The use of a random string protects from replay attack
• Challenges are repeated at unpredictable intervals, which
  protects from impersonation (an attacker taking over an already authenticated session)
• Windows uses MS-CHAPv2 (Windows Vista® and later do not support MS-CHAPv1). MS-CHAPv2 derives its response from the NT hash with DES and is cryptographically weak, so it should only be used inside a TLS-protected tunnel such as PEAP

Principle of least privilege
• A user should only have the minimum privileges required to perform assigned job functions
• Administrators should use standard privileges when performing tasks which do not require admin permissions
  – Prevents accidental damage
  – Limits the damage malware can do

Using alternative credentials
• Good practice to log on to systems with a standard user account
• Use the Run as command (Windows) or su/sudo (Unix-like systems) to elevate to admin privileges for a specific task
• This avoids the insecure practice of using a privileged account for running all programs

Lesson summary
• AAA
• Access Control
  – PBAC and UBAC
  – DAC, MAC, RBAC
• Authentication
  – Passwords, Biometrics, Tokens, Multifactor
  – Kerberos, CHAP
• Guidelines and practices