FORESEC Academy
Security Essentials (II)
ACCESS CONTROL AND PASSWORD MANAGEMENT

Agenda
Access Control
- Techniques
- Models
Passwords
- Password Cracking
- Password Management

Key Terms & Principles
Data Owner
Data Custodian
Separation of duties
Least Privilege

Access Control Techniques
Discretionary (DAC)
Mandatory (MAC)
Role-based
Rule-based
List-based
Token-based

Lattice Techniques
Access Matrix
- Objects
- Subjects
Bell-LaPadula
Biba
Clark-Wilson

Lattice Techniques (2)
Bell-LaPadula
Designed for the military environment
Addresses confidentiality only
Rules
- Simple Security Property (no read up)
- Star Property (* Property) (no write down)
- Strong Star Property (read and write only at the subject's own level)

Lattice Techniques (3)
Biba
Model for integrity
Suited to the commercial environment
Rules
- Simple Integrity Property (no read down)
- Integrity Star Property (no write up)
Information flows only downwards, from higher to lower integrity levels

Lattice Techniques (4)
Clark-Wilson
Integrity model
Uses an access triple
- Subject, Program, Object
Prevents loss or corruption of data
Ensures well-formed transactions

Access Management
Account administration
Maintenance
Monitoring
Revocation

Access Control Models
State machine
Information flow
Covert channels
Non-interference

Protocols
Password Authentication Protocol (PAP): the password itself is sent to the authenticator
Challenge Handshake Authentication Protocol (CHAP): the peer proves knowledge of a shared secret by hashing it with a challenge; the secret is never sent

Centralized Control
TACACS
RADIUS
Domains & Trusts
Active Directory
Kerberos

Access Control: Biometrics
Hand: fingerprint, hand geometry
Eye: retina, iris
Face: thermograms, photo
Voice print
Mannerisms: keystroke, tread (gait), handwriting

Access Control: Biometrics (2)
Key factors in selecting biometrics:
Reliability
- FRR (False Rejection Rate): genuine users wrongly rejected
- FAR (False Acceptance Rate): impostors wrongly accepted
- CER / EER (Crossover or Equal Error Rate): the operating point where FRR equals FAR; lower is better
User friendliness
Cost

Single Sign-On (SSO)
Users only have to log on once
Credentials are carried with the user
Simplifies user management
Allows centralized management
Users only have to remember one set of credentials

Single Sign-On (2)
Can take different forms:
- Scripts
- Directory Services
- Kerberos
- Thin Clients
Security issues (one compromised credential opens every system)
Interoperability issues

Access Control: Passwords

What is Password Cracking?
Recovering a plaintext password from its stored hashed ("encrypted") form, by guessing candidates and hashing each one until the result matches.

Methods of Password Cracking
Dictionary attack: try every word in a wordlist
Hybrid attack: apply mangling rules to wordlist words (appended digits, capitalisation, reversal)
Brute force attack: try every combination of a character set up to a given length

Unix Password Cracking - Crack
Name: Crack
Operating System: Unix
Brief Description: Crack is a "password guessing" program designed to quickly identify accounts having weak passwords, given a Unix password file.

Crack
Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack
Features
- Configurable password cracking
- Modular approach with various scripts
- Combining and extracting password files
- Works with any crypt() implementation

Configuring Crack
Download the Crack archive
Uncompress it with gzip
- gunzip crack5.0.tar.gz
Untar it
- tar -xvf crack5.0.tar
Read manual.txt
Edit the Crack script file for your system
Compile the program
- Crack -makeonly
Build the dictionaries
- Crack -makedict

Running Crack
Run Crack against a password file
- Crack [options] [-fmt format] [file ...]
- Crack myfile
Redirect output to a file
- Crack myfile > output
Run the Reporter script to see results
- ./Reporter [-quiet] [-html]

Effectiveness of Crack
User    Password    Result
Eric    eric        CRACKED
John    john1234    not cracked
Mike    5369421     not cracked
Mary    #57adm7#    not cracked
Sue     sue         CRACKED
Lucy    12345       CRACKED
Pat     (none)      CRACKED
Tim     password    CRACKED
Cathy   55555       CRACKED
Frank   abcde       CRACKED
Tom     mnopqr      not cracked
Karen   bbbbbbbb    CRACKED

Every cracked entry is a user name, an empty password, a dictionary word, a short digit string or a repeated character; the survivors are the ones that mix character classes or fall outside the dictionary and the brute-force length limit.

How to Protect Against It
Enforce a strong password policy
Use shadow passwords, so the hashes are not in the world-readable password file
Use one-time passwords
Configure passwd to reject weak passwords when they are set
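The Bell-LaPadula and Biba rules from the Lattice Techniques slides, written out as decision functions. This is an added example, not material from the FORESEC deck; the level names and the requests it evaluates are constructed for illustration. The last function derives the "information flows only downwards" statement for Biba (and the mirror-image upward flow for Bell-LaPadula) by asking whether any subject could read the source and write the destination.

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) as code.
# Level orderings and the sample requests below are constructed, not from the deck.
from enum import IntEnum


class Sensitivity(IntEnum):        # Bell-LaPadula lattice (constructed labels)
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):          # Biba lattice (constructed labels)
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_read(subject: Sensitivity, obj: Sensitivity) -> bool:
    """Simple Security Property: no read up."""
    return subject >= obj


def blp_write(subject: Sensitivity, obj: Sensitivity, strong: bool = False) -> bool:
    """*-Property: no write down. Strong *-Property: write only at the subject's own level."""
    return subject == obj if strong else subject <= obj


def biba_read(subject: Integrity, obj: Integrity) -> bool:
    """Simple Integrity Property: no read down (never read less trustworthy data)."""
    return subject <= obj


def biba_write(subject: Integrity, obj: Integrity) -> bool:
    """Integrity *-Property: no write up (never contaminate more trustworthy data)."""
    return subject >= obj


def decide(model: str, op: str, subject, obj, strong: bool = False) -> bool:
    """Dispatch one access request to the right rule; unknown model/op is denied."""
    rules = {
        ("blp", "read"): lambda: blp_read(subject, obj),
        ("blp", "write"): lambda: blp_write(subject, obj, strong),
        ("biba", "read"): lambda: biba_read(subject, obj),
        ("biba", "write"): lambda: biba_write(subject, obj),
    }
    rule = rules.get((model, op))
    return bool(rule and rule())


def flow_possible(model: str, src, dst) -> bool:
    """Can information move from an object at src to an object at dst?
    It can if some subject is allowed to read src and write dst."""
    levels = type(src)
    return any(decide(model, "read", s, src) and decide(model, "write", s, dst) for s in levels)


if __name__ == "__main__":
    s = Sensitivity.SECRET
    print("SECRET subject reads TOP_SECRET:", decide("blp", "read", s, Sensitivity.TOP_SECRET))
    print("SECRET subject writes UNCLASSIFIED:", decide("blp", "write", s, Sensitivity.UNCLASSIFIED))
    print("BLP flow SECRET->TOP_SECRET:", flow_possible("blp", s, Sensitivity.TOP_SECRET))
    print("Biba flow HIGH->LOW:", flow_possible("biba", Integrity.HIGH, Integrity.LOW))
```

The two models use the same comparisons with the direction flipped, which is why Bell-LaPadula lets information climb the lattice and Biba lets it descend only.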
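The Biometrics (2) slide names FRR, FAR and CER without showing where the numbers come from. As an added example (not from the FORESEC deck), the block below derives them from matcher scores: the genuine and impostor score samples are constructed, and a comparison is accepted when its score reaches the threshold. Raising the threshold trades false acceptances for false rejections; the crossover error rate is the point where the two rates meet.

```python
# Added example: FAR, FRR and CER from constructed matcher scores.
# Scores in [0, 1]; higher means "more similar to the enrolled template".
GENUINE = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.50, 0.40, 0.30]   # same-person comparisons (constructed)
IMPOSTOR = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.45, 0.55, 0.60, 0.70]  # different-person comparisons (constructed)


def far_frr(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    """A score >= threshold is accepted.
    FAR = fraction of impostor attempts accepted; FRR = fraction of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a candidate threshold and return
    (threshold, rate) at the point where FAR and FRR are closest (equal, ideally)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.55, 0.7, 0.9):
        far, frr = far_frr(t)
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    print("crossover:", crossover_error_rate())
```

When comparing products, two systems must be compared at the same operating point, or via their CER, since any vendor can quote a near-zero FAR by picking a threshold that rejects most genuine users.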
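The PAP and CHAP exchange from the Protocols slide, with both sides' messages, as an added example that is not part of the FORESEC deck. The response computation follows RFC 1994 (MD5 over identifier, secret and challenge); the secrets and the fixed challenge used in the demonstration are constructed. The point the slide only names is visible in the return values: PAP puts the password on the wire, while CHAP sends only a hash bound to a one-time challenge, so a captured response cannot be replayed against a fresh challenge.

```python
# Added example: PAP sends the password itself; CHAP sends MD5(id || secret || challenge).
import hashlib
import hmac
import secrets


def pap_exchange(sent_password: bytes, stored_password: bytes) -> bool:
    """PAP: the peer transmits its password in the clear; the authenticator just compares."""
    return hmac.compare_digest(sent_password, stored_password)


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator -> peer: a fresh, unpredictable Challenge value."""
    return secrets.token_bytes(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer -> authenticator: MD5(Identifier || secret || Challenge) as in RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes the expected response with its copy of the secret."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_exchange(peer_secret: bytes, authenticator_secret: bytes,
                  identifier: int = 1, challenge: bytes | None = None) -> dict:
    """Run one CHAP round; return what crossed the wire and whether it succeeded.
    Note that neither secret appears in the returned messages."""
    challenge = chap_challenge() if challenge is None else challenge
    response = chap_response(identifier, peer_secret, challenge)
    ok = chap_verify(identifier, authenticator_secret, challenge, response)
    return {"identifier": identifier, "challenge": challenge, "response": response, "success": ok}


if __name__ == "__main__":
    shared = b"s3cret-shared-key"          # constructed shared secret
    t = chap_exchange(shared, shared, identifier=7)
    print("challenge:", t["challenge"].hex())
    print("response: ", t["response"].hex())
    print("success:  ", t["success"])
```

CHAP's resistance to replay depends entirely on the authenticator never reusing a challenge, which is why `chap_challenge` draws from `secrets` rather than a counter or clock.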
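The three cracking methods and the "Effectiveness of Crack" table, reproduced by a small cracker. This is an added example written for this page; it is neither FORESEC's material nor code from Alec Muffett's Crack. Because a real crypt(3) is not portable across Python versions, the hash is a stand-in (salted SHA-256, an assumption of this example); the password file, the salts and the wordlist are constructed, with the same twelve users and passwords as the slide. Run in order, the methods recover exactly the accounts the slide marks CRACKED and fail on the other four.

```python
# Added example: dictionary, hybrid and bounded brute-force cracking against a
# constructed password file. crypt_like() is a stand-in for Unix crypt(3).
import hashlib
import itertools
import string


def crypt_like(salt: str, password: str) -> str:
    """Stand-in for crypt(3) (assumption of this example): salted SHA-256, hex digest."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed accounts: the users and passwords from the "Effectiveness of Crack" slide.
ACCOUNTS = [
    ("eric", "eric"), ("john", "john1234"), ("mike", "5369421"), ("mary", "#57adm7#"),
    ("sue", "sue"), ("lucy", "12345"), ("pat", ""), ("tim", "password"),
    ("cathy", "55555"), ("frank", "abcde"), ("tom", "mnopqr"), ("karen", "bbbbbbbb"),
]


def make_passwd_file(accounts):
    """Build 'user:salt$hash' lines with a distinct (constructed) salt per user."""
    lines = []
    for i, (user, password) in enumerate(accounts):
        salt = f"s{i:02d}"
        lines.append(f"{user}:{salt}${crypt_like(salt, password)}")
    return lines


PASSWD_FILE = make_passwd_file(ACCOUNTS)

# Constructed wordlist: the user names plus a few common passwords.
WORDLIST = [u for u, _ in ACCOUNTS] + ["password", "abcde", "qwerty", "letmein", "welcome"]


def dictionary(words):
    """Dictionary attack: every word as-is."""
    yield from words


def hybrid(words):
    """Hybrid attack: mangling rules on each word (capitalised, reversed, word + up to two digits)."""
    for w in words:
        yield w.capitalize()
        yield w[::-1]
        for n in range(100):
            yield f"{w}{n}"


def brute_force(_words):
    """Bounded brute force: one character repeated 1-8 times, then every digit string up to 5 long."""
    for c in string.ascii_lowercase + string.digits:
        for n in range(1, 9):
            yield c * n
    for length in range(1, 6):
        for combo in itertools.product(string.digits, repeat=length):
            yield "".join(combo)


METHODS = [
    ("empty", lambda _w: iter([""])),   # accounts with no password at all
    ("dictionary", dictionary),
    ("hybrid", hybrid),
    ("brute force", brute_force),
]


def crack(passwd_lines, words):
    """Return {user: (password, method)} for every account whose hash is matched.
    Cheap methods run first; each account stops being tested once it is cracked."""
    targets = {}
    for line in passwd_lines:
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        targets[user] = (salt, digest)
    found = {}
    for method, generate in METHODS:
        for candidate in generate(words):
            for user, (salt, digest) in targets.items():
                if user not in found and crypt_like(salt, candidate) == digest:
                    found[user] = (candidate, method)
            if len(found) == len(targets):
                return found
    return found


if __name__ == "__main__":
    results = crack(PASSWD_FILE, WORDLIST)
    for user, _ in ACCOUNTS:
        print(f"{user:6} {results[user] if user in results else 'not cracked'}")
```

john1234 survives only because the hybrid rule stops at two appended digits; a rule allowing four would take it, which is the practical argument for the length and complexity policy on the final slide rather than for any particular cracker's limits.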