Professional Documents
Culture Documents
Part 2
Access Control
Access Control
Two parts to access control
Authentication: Are you who you say you are?
Part 2
Access Control
Chapter 7: Authentication
Guard: Halt! Who goes there?
Arthur: It is I, Arthur, son of Uther Pendragon,
from the castle of Camelot. King of the Britons,
defeater of the Saxons, sovereign of all England!
Monty Python and the Holy Grail
Then said they unto him, Say now Shibboleth:
and he said Sibboleth: for he could not frame to pronounce it right.
Then they took him, and slew him at the passages of Jordan:
and there fell at that time of the Ephraimites forty and two thousand.
Judges 12:6
Part 2
Access Control
Part 2
Access Control
o
o
o
o
o
Part 2
PIN
Social security number
Mothers maiden name
Date of birth
Name of your pet, etc.
Access Control
Part 2
Access Control
Why Passwords?
Why
Part 2
Access Control
Keys vs Passwords
Crypto keys
Spse key is 64 bits
Then 264 keys
Choose key at
random
then attacker must
try about 263 keys
Part 2
Access Control
Passwords
Spse passwords are 8
characters, and 256
different characters
Then 2568 = 264 pwds
Users do not select
passwords at random
Attacker has far less
than 263 pwds to try
(dictionary attack)
o
o
o
o
o
o
o
Part 2
passwords
frank
Fido
password
4444
Pikachu
102560
AustinStamp
Access Control
Good
o
o
o
o
o
o
Passwords?
jfIej,43j-EmmL+y
09864376537263
P0kem0N
FSa7Yago
0nceuP0nAt1m8
PokeGCTall150
Password Experiment
Three groups of users each group
advised to select passwords as follows
Results
o
o
o
Part 2
Access Control
10
Password Experiment
User compliance hard to achieve
In each case, 1/3rd did not comply
Part 2
Access Control
11
Attacks on Passwords
Attacker could
o
o
o
o
Part 2
Access Control
12
Password Retry
Suppose
What
Part 2
Access Control
13
Password File?
Bad
But
Part 2
Access Control
14
Dictionary Attack
Trudy pre-computes h(x) for all x in a
dictionary of common passwords
Suppose Trudy gets access to password
file containing hashed passwords
computed dictionary
o After one-time work, actual attack is trivial
Part 2
Access Control
15
Salt
Hash password with salt
Choose random salt s and compute
y = h(password, s)
and store (s,y) in the password file
Note: The salt s is not secret
Easy to verify salted password
But Trudy must re-compute dictionary
hashes for each user
Part 2
Access Control
16
Password Cracking:
Do the Math
Assumptions:
Pwds are 8 chars, 128 choices per character
Part 2
Access Control
17
Part 2
Access Control
18
success is 1/4
Part 2
Access Control
19
If no salt is used
If salt is used
Part 2
Access Control
20
about 219/210 = 29
Part 2
Access Control
21
Part 2
Access Control
22
Passwords
The bottom line
Password cracking is too easy
Part 2
Access Control
23
Password Crackers
Password Portal
L0phtCrack and LC4 (Windows)
John the Ripper (Unix)
Part 2
Access Control
24
Biometrics
Part 2
Access Control
25
Biometric
Schneier
Examples
o
o
o
o
o
o
o
Part 2
Fingerprint
Handwritten signature
Are
Facial recognition
Have
Know
Speech recognition
Gait (walking) recognition
Digital doggie (odor recognition)
Many more!
Access Control
26
Why Biometrics?
More secure replacement for passwords
Cheap and reliable biometrics needed
Part 2
Access Control
27
Ideal Biometric
Universal
Distinguishing
Collectable
Part 2
Access Control
28
Biometric Modes
Identification
o Compare one-to-many
o Example: The FBI fingerprint database
Authentication
o Compare one-to-one
o Example: Thumbprint mouse
Access Control
29
Enrollment vs Recognition
Enrollment phase
o
o
o
o
o
Recognition phase
Part 2
Access Control
30
Cooperative Subjects?
Authentication cooperative subjects
Identification uncooperative subjects
For example, facial recognition
Part 2
Access Control
31
Biometric Errors
Part 2
Access Control
32
Fingerprint History
1823 Professor Johannes Evangelist
Purkinje discussed 9 fingerprint patterns
1856
Sir William Hershel used
fingerprint (in India) on contracts
1880
Dr. Henry Faulds article in Nature
about fingerprints for ID
1883
Mark Twains Life on the
Mississippi (murderer IDed by fingerprint)
Part 2
Access Control
33
Fingerprint History
Part 2
Access Control
34
Fingerprint Comparison
Examples of loops, whorls, and arches
Minutia extracted from these features
Loop (double)
Part 2
Access Control
Whorl
Arch
35
Fingerprint: Enrollment
Part 2
Access Control
36
Fingerprint: Recognition
Part 2
Access Control
37
Hand Geometry
A popular biometric
Measures shape of hand
Part 2
Access Control
38
Hand Geometry
Advantages
o Quick
Disadvantages
Part 2
Access Control
39
Iris Patterns
Part 2
Access Control
40
Part 2
Access Control
41
Iris Scan
Scanner locates iris
Take b/w photo
Use polar coordinates
2-D wavelet transform
Get 256 byte iris code
Part 2
Access Control
42
= 1/3
Part 2
43
Fraud rate
0.2
9
1 in
1.31010
0.3
0
1 in 1.5109
0.3
1
1 in 1.8108
0.3
2
1 in 2.6107
0.3
6
1
in
4.010
==
3 equal error rate
0.3
4
Part 2
Access Control
1 in 6.910
distance
44
Afghan
To
Part 2
Access Control
45
Part 2
Access Control
46
Part 2
Access Control
47
in your possession
Examples include following
o
o
o
o
Part 2
Car key
Laptop computer (or MAC address)
Password generator (next)
ATM card, smartcard, etc.
Access Control
48
Password Generator
1. Im Alice
3. PIN, R
4. h(K,R)
password
generator
2. R
Alice
5. h(K,R)
Bob, K
Part 2
Access Control
49
2-factor Authentication
Examples
o
o
o
o
Part 2
Access Control
50
Single Sign-on
o Microsoft: Passport
o Everybody else: Liberty Alliance
o Security Assertion Markup Language (SAML)
Part 2
Access Control
51
Web Cookies
Cookie is provided by a Website and stored
on users machine
Cookie indexes a database at Website
Cookies maintain state across sessions
Part 2
Access Control
52
Authorization
Part 2
Access Control
53
Chapter 8: Authorization
It is easier to exclude harmful passions than to rule them,
and to deny them admittance
than to control them after they have been admitted.
Seneca
You can always trust the information given to you
by people who are crazy;
they have an access to truth not available through regular channels.
Sheila Ballantyne
Part 2
Access Control
54
Authentication vs
Authorization
Authentication
Authorization
Part 2
Access Control
55
System Certification
Government
attempt to certify
security level of products
Of historical interest
Still
Part 2
Access Control
56
Orange Book
Part 2
Access Control
57
secure products
Four
o D is lowest, A is highest
Divisions
Part 2
Access Control
D and C Divisions
D
Part 2
Access Control
59
B Division
B
B1
Access Control
60
B and A Divisions
B2
B3
Part 2
Access Control
61
Part 2
Access Control
62
Common Criteria
Part 2
Access Control
63
EAL
Note:
Also,
Part 2
Access Control
64
EAL 1 thru 7
EAL1
Access Control
65
Common Criteria
EAL4
EAL7
Who
performs evaluations?
Part 2
Access Control
66
Authentication vs
Authorization
Authentication
Authorization
Part 2
Access Control
67
OS
Payroll
data
Bob rx
rx
---
---
Alice rx
rx
rw
rw
Sam rwx
rwx
rw
rw
rx
rw
rw
rw
Accounting
program
Part 2
rx
Access Control
68
Part 2
Access Control
69
OS
Payroll
data
Bob rx
rx
---
---
Alice rx
rx
rw
rw
Sam rwx
rwx
rw
rw
rx
rw
rw
rw
Accounting
program
Part 2
rx
Access Control
70
OS
Payroll
data
Bob rx
rx
---
---
Alice rx
rx
rw
rw
rwx
rw
rw
rx
rw
rw
rw
Sam rwx
Accounting
program
Part 2
rx
Access Control
71
ACLs vs Capabilities
Alice
r
--r
Bob
w
r
---
Fred
rw
r
r
file1
file2
file3
Alice
r
w
rw
file1
Bob
--r
r
file2
Fred
r
--r
file3
Capability
Part 2
Access Control
72
Confused Deputy
Two resources
Part 2
Access Control
BILL
--rw
73
BILL
IL L
Compiler
Alice
BILL
Part 2
Access Control
74
Confused Deputy
Compiler acting for Alice is confused
There has been a separation of authority
from the purpose for which it is used
With ACLs, difficult to avoid this problem
With Capabilities, easier to prevent problem
intended purpose
o Capabilities make it easy to delegate authority
Part 2
Access Control
75
ACLs vs Capabilities
ACLs
Capabilities
o
o
o
o
Part 2
Access Control
76
Part 2
Access Control
77
apply to objects
Clearances apply to subjects
US Department of Defense (DoD)
uses 4 levels:
TOP SECRET
SECRET
CONFIDENTIAL
UNCLASSIFIED
Part 2
Access Control
78
classifications
o Aggregation flipside of granularity
Part 2
Access Control
79
O be an object, S a subject
For
o O has a classification
o S has a clearance
o Security level denoted L(O) and L(S)
Part 2
Access Control
80
Part 2
Access Control
81
MLS Applications
Classified government/military systems
Business example: info restricted to
Network firewall
Confidential medical info, databases, etc.
Usually, MLS not a viable technical system
Part 2
Access Control
82
Part 2
Access Control
83
Bell-LaPadula
BLP security model designed to express
essential requirements for MLS
BLP deals with confidentiality
Part 2
Access Control
84
Bell-LaPadula
BLP
consists of
No
Part 2
Access Control
85
Part 2
Access Control
86
Part 2
Access Control
87
Part 2
Access Control
88
Bibas Model
Part 2
Access Control
89
Biba
Let I(O) denote the integrity of object O
and I(S) denote the integrity of subject S
Biba can be stated as
Access Control
90
BLP vs Biba
high
l
e
v
e
l
BLP
L(O)
Biba
L(O)
L(O)
low
Part 2
Confidentiality
Access Control
high
l
e
v
e
l
I(O)
I(O)
I(O)
Integrity
low
91
Compartments
Part 2
Access Control
92
Compartments
Multilevel Security (MLS) enforces access
control up and down
Simple hierarchy of security labels is
generally not flexible enough
Compartments enforces restrictions across
Suppose TOP SECRET divided into TOP
SECRET {CAT} and TOP SECRET
{DOG}
Both are TOP SECRET but information
flow restricted across the TOP SECRET
level
Part 2 Access Control
93
Compartments
Why compartments?
Part 2
Access Control
94
Compartments
TOP SECRET
SECRET {CAT, DOG}
SECRET {CAT}
SECRET {DOG}
SECRET
Part 2
Access Control
95
MLS vs Compartments
Part 2
Access Control
96
Covert Channel
Part 2
Access Control
97
Covert Channel
MLS designed to restrict legitimate
channels of communication
May be other ways for information to flow
For example, resources shared at
different levels could be used to signal
information
Covert channel: a communication path not
intended as such by systems designers
Part 2
Access Control
98
Part 2
Access Control
99
Create file
Delete file
Create file
Bob:
Check file
Check file
Check file
Data:
Delete file
Check file
Check file
Time:
Part 2
Access Control
100
Covert Channel
Print queue
ACK messages
Network traffic, etc.
Access Control
101
Covert Channel
So, covert channels are everywhere
Easy to eliminate covert channels:
Access Control
102
Covert Channel
Part 2
Access Control
103
o Sequence number
o ACK number
Part 2
Access Control
104
SYN
Spoofed source: C
Destination: B
SEQ: X
A. Covert_TCP
sender
Part 2
Access Control
B. Innocent
server
C. Covert_TCP
receiver
105
Inference Control
Part 2
Access Control
106
professors at SJSU?
o Answer: $95,000
o Question: How many female CS professors at
SJSU?
o Answer: 1
Part 2
Access Control
107
Part 2
Access Control
108
Part 2
Access Control
109
Less-nave Inference
Control
contributed by N or fewer
o Example: Avg salary in Bill Gates neighborhood
o This approach used by US Census Bureau
Randomization
Part 2
Access Control
none satisfactory
110
Inference Control
Robust inference control may be impossible
Is weak inference control better than nothing?
Part 2
Access Control
111
CAPTCHA
Part 2
Access Control
112
Turing Test
Proposed by Alan Turing in 1950
Human asks questions to another human
and a computer, without seeing either
If questioner cannot distinguish human
from computer, computer passes the test
The gold standard in artificial intelligence
No computer can pass this today
Part 2
Access Control
113
CAPTCHA
CAPTCHA
Part 2
Access Control
114
CAPTCHA Paradox?
Part 2
Access Control
115
CAPTCHA Uses?
Part 2
Access Control
116
Part 2
Access Control
117
Do CAPTCHAs Exist?
Access Control
118
CAPTCHAs
Current
types of CAPTCHAs
o Visual
o Audio
No
text-based CAPTCHAs
Part 2
Access Control
119
CAPTCHAs and AI
Part 2
Access Control
120
Firewalls
Part 2
Access Control
121
Firewalls
Internet
Firewall
Internal
network
Part 2
Access Control
122
Firewall as Secretary
A firewall is like a secretary
To meet with an executive
Part 2
Access Control
123
Firewall Terminology
No
Other
Part 2
Access Control
124
Packet Filter
Operates
at network layer
Can filters based on
o
o
o
o
o
o
Part 2
Source IP address
Destination IP address
Source Port
Destination Port
Flag bits (SYN, ACK, etc.)
Egress or ingress
Access Control
application
transport
network
link
physical
125
Packet Filter
Advantages?
o Speed
Disadvantages?
o No concept of state
o Cannot see TCP connections
o Blind to application data
application
transport
network
link
physical
Part 2
Access Control
126
Packet Filter
Action
Source
IP
Dest
IP
Source
Port
Dest
Port
Protocol
Flag
Bits
Allow
Inside
Outside
Any
80
HTTP
Any
Allow
Outside
Inside
80
> 1023
HTTP
ACK
Deny
All
All
All
All
All
All
Q: Intention?
A: Restrict traffic to Web browsing
Part 2
Access Control
127
Part 2
Access Control
128
Trudy
Packet
Filter
RST
Internal
Network
Part 2
Access Control
129
Part 2
Access Control
application
transport
network
link
physical
130
Advantages?
o Can do everything a packet filter
can do plus...
o Keep track of ongoing connections
(so prevents TCP ACK scan)
Disadvantages?
o Cannot see application data
o Slower than packet filtering
Part 2
Access Control
application
transport
network
link
physical
131
Application Proxy
application
transport
network
link
physical
Part 2
Access Control
132
Application Proxy
Advantages?
Disadvantages?
o Speed
application
transport
network
link
physical
Part 2
Access Control
133
Application Proxy
Creates a new packet before sending it
thru to internal network
Attacker must talk to proxy and convince
it to forward message
Proxy has complete view of connection
Prevents some scans stateful packet filter
cannot next slides
Part 2
Access Control
134
Firewalk
Tool to scan for open ports thru firewall
Attacker knows IP address of firewall and
IP address of one system inside firewall
Part 2
Access Control
135
Trudy
Router
Packet
filter
Router
Part 2
Access Control
136
Part 2
Access Control
137
Web server
DNS server
Packet
Filter
Internet
Part 2
Access Control
Application
Proxy
Intranet with
additional
defense
138
Part 2
Access Control
139
Intrusion Prevention
Want
prevention
o Like locking the door on your car
Part 2
Access Control
140
Intrusion Detection
In spite of intrusion prevention, bad guys
will sometime get in
Intrusion detection systems (IDS)
Part 2
Access Control
141
Part 2
Access Control
142
IDS
Part 2
Access Control
143
Host-Based IDS
Monitor
o Known attacks
o Suspicious behavior
Designed
o Buffer overflow
o Escalation of privilege,
Little
Part 2
Access Control
144
Network-Based IDS
Part 2
Access Control
145
Part 2
Access Control
146
Signature Detection
Part 2
Access Control
147
Signature Detection
Many techniques used to make signature
detection more robust
Goal is to detect almost signatures
For example, if about N login attempts in
about M seconds
o
o
o
o
Part 2
Access Control
148
Signature Detection
Simple
Detect known attacks
Know which attack at time of detection
Efficient (if reasonable number of signatures)
o
o
o
o
Part 2
Access Control
149
Anomaly Detection
Anomaly detection systems look for unusual
or abnormal behavior
There are (at least) two challenges
Part 2
Access Control
150
to measure normal?
Part 2
behavior
Must not measure during an attack
or else attack will seem normal!
Normal is statistical mean
Must also compute variance to have any
reasonable idea of abnormal
Access Control
151
Bayesian statistics
Linear discriminant analysis (LDA)
Quadratic discriminant analysis (QDA)
Neural nets, hidden Markov models (HMMs), etc.
Part 2
Access Control
152
Part 2
Access Control
153
o
o
o
o
Part 2
Access Control
154
H0
H1
H2
H3
Recently, Alice
has accessed Fn at
rate An
A0
A1
A2
A3
Access Control
155
H1
H2
H3
Access Control
156
H1
H2
H3
Suppose new
observed rates
A0
A1
A2
A3
Access Control
157
The starting
averages were:
After 2 iterations,
averages are:
H3
H0
H1
.10
.38
H0
H1
H2
H2
H3
.
.
364 156
Part 2
Access Control
158
Part 2
Access Control
159
Part 2
Access Control
160
Anomaly Detection
Advantages?
Disadvantages?
o
o
o
o
o
Part 2
Access Control
161
Part 2
Access Control
162
and authorization
o Authentication
Part 2
Access Control
163
Authorization
o
o
o
o
o
o
o
o
Part 2
Access Control
164
Coming Attractions
Security protocols
o
o
o
o
o
o
o
Part 2
Access Control
165