Chapter 1 2 AU
Computer Security
the protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability
and confidentiality of information system resources (includes hardware,
software, firmware, information/data, and telecommunications)
Definitions
Confidentiality is the concealment (keeping secret / hiding) of
information or resources.
E.g., only sender, and intended receiver should “understand”
message contents
Authenticity is the identification and assurance of the origin of
information.
Integrity refers to the trustworthiness of data or resources in terms of
preventing improper and unauthorized changes.
Availability refers to the ability to use the information or resource
desired.
The more critical a component or service, the higher is the level of
availability required.
Examples of Security Requirements
confidentiality – student grades (grades should only be available to
students, their parents, and their employers (when required for the
job))
integrity – patient allergy information (high integrity data); a doctor
should be able to trust that the info is correct and current
If a nurse deliberately falsifies the data, the database should be
restored to a trusted basis and the falsified information traced back
to the person who did it
availability – a system that provides authentication services (high
availability requirement)
If customers cannot access resources, the loss of services could result
in financial loss
Aspects of Security
Consider 3 aspects of information security:
security attack – any action that compromises the security of
information owned by an organization
security mechanism – a process that is designed to detect, prevent, or
recover from a security attack.
security service – a processing or communication service that
enhances the security of the data processing systems and the information
transfers of an organization.
The security services are intended to counter security attacks, and
they make use of one or more security mechanisms to provide the
service.
E.g., confidentiality is a security service; cryptography is a mechanism.
Security Threats and Attacks
A threat/vulnerability is a potential violation of security.
Flaws in design, implementation, and operation.
An attack is any action that violates security.
Active adversary/an opponent or rival
An attack has an implicit concept of “intent”
Router mis-configuration or server crash can also cause loss of
availability, but they are not attacks
Note the terms:
threat – an indication of impending danger;
a potential for violation of security. That is, a threat is a possible
danger that might exploit a vulnerability
attack – an assault on system security that derives from an intelligent
threat, a deliberate attempt to evade security services and violate the
security policy of a system.
Friends and enemies: Alice, Bob, Trudy
well-known in network security world
Bob, Alice (lovers!) want to communicate “securely”
Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel that Trudy can reach.]
Eavesdropping - Message Interception (Attack on Confidentiality)
Unauthorized access to information
Packet sniffers and wire-tappers
Illicit copying of files and programs
[Figure: A, B and an Eavesdropper on the channel between them.]
Integrity Attack - Tampering With Messages
Stop the flow of the message
Delay and optionally modify the message
Release the message again
[Figure: A, B and a Perpetrator between them.]
Authenticity Attack - Fabrication
Unauthorized assumption of other’s identity
Generate and distribute objects under this identity
[Figure: B receives a message from a Masquerader marked “from A”.]
Attack on Availability
Destroy hardware (cutting fiber) or software
Modify software in a subtle way (alias commands)
Corrupt packets in transit
Active attacks – modification of data stream to:
masquerade of one entity as some other
replay previous messages
Security Policy and Mechanism
Policy: a statement of what is, and is not allowed.
Mechanism: a procedure, tool, or method of enforcing a policy.
Security mechanisms implement functions that help prevent, detect,
respond to, and recover from security attacks.
Security functions are typically made available to users as a set of
security services through APIs or integrated interfaces.
Cryptography underlies many security mechanisms.
E.g., confidentiality is a security service; cryptography is a mechanism. To
whom the data is confidential is expressed by policies.
be notarized or witnessed;
be recorded or licensed
Table: Security Services (X.800)
Security Mechanism
feature designed to detect, prevent, or recover from a security attack
no single mechanism that will support all services required
however one particular element underlies many of the security
mechanisms in use:
cryptographic techniques (hence our focus on this topic)
Challenge-response
the server or any other authenticating system generates a challenge
to the host requesting for authentication and expects a response.
Centralized authentication
central server authenticates users on the network and in addition
also authorizes and audits them.
Multiple Factors and Effectiveness of Authentication
To increase authentication effectiveness, a scheme with multiple methods is used.
Systems using a scheme with two or more methods can result in greater system
security.
The popular technique, referred to as multi-factor authentication, overcomes the
limitations of a specific authentication.
Authentication Elements
An authentication process is based on the following five elements:
Person or Group Seeking Authentication
usually users who seek access to a system either individually or as
a group.
If individually, they must be prepared to present to the
authenticator evidence to support the claim that they are
actually authorized to use the requested system resource.
Distinguishing Characteristics for Authentication
User characteristics are grouped into four factors that include:
In each of these factors, there are items that a user can present to
the authenticator for authorization to use the system.
The Authenticator
to positively and sometimes automatically identify the user and
indicate whether that user is authorized to access the requested
system resource.
The Authentication Mechanism
consists of three parts that work together to verify the presence of
the authenticating characteristics provided by the user.
the input, e.g. computer keyboard, card reader, video camera,
telephone, etc.
the transportation system: responsible for passing data between the
input component and the element that can confirm a person's
identity.
and the verifier.
hand geometry
Anonymous Authentication
Used for clients who do not intend to modify entries or access
protected attributes or entries on a system.
Mostly these users are not indigenous users, in the sense that they do
not have membership in the system they want access to.
They access the system via a special “anonymous” account.
Digital Signatures-Based Authentication
does not require passwords and user names.
It consists of an electronic signature that uses public key
infrastructure (PKI) to verify the identity of the sender of a message
or of the signer of a document.
Wireless Authentication
This is an IEEE 802.1X, Extensible Authentication Protocol (EAP)
scheme that authenticates mobile devices as they connect to fixed
network as well as mobile networks.
This authentication requires Wi-Fi mobile units to authenticate with
network operating systems such as Windows XP.
Developing an Authentication Policy
Several steps are necessary for a good authentication policy:
List and categorize the resources that need to be accessed, whether
these resources are data or systems. Categorize them by their business
sensitivity and criticality.
Define the requirements for access to each of the above categories
taking into account both the value of the resource in the category as well
as the method of access.
Set requirements for passwords and IDs.
Create and implement processes for the management of
authentication systems.
Communicate policies and procedures to all concerned in the
organizations and outside it, the creation of policies
Outline
User authentication
Password authentication, salt
Challenge-response authentication protocols
Biometrics
Token-based authentication
Authentication in distributed systems (multi service
providers/domains)
Single sign-on, Microsoft Passport
Password authentication
Basic idea
User has a secret password
System checks password to authenticate user
Issues
How is password stored?
How does system check password?
How easy is it to guess a password?
Difficult to keep password file secret, so best if it is hard to guess
password even if you have the password file
Basic password scheme
[Figure: the User's password (kiwifruit) goes through a hash function; the Password file holds hash values (exrygbzyf, kgnosfix, ggjoklbsz, …).]
A hash function is any function that can be used to map data of arbitrary size to data of fixed size.
The “dictionary” attack
hypothesis:
known hash algorithm
known password hash values
pre-computation:
for (each Word in Dictionary) do store ( DB, Word, hash(Word) )
attack:
let HP be the hash value of a (unknown) password
w = lookup ( DB, HP )
if ( success ) then write ( “pwd = ”, w ) else write ( “pwd not in my dictionary” )
Salt
Password line
walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh
[Figure: the Input (password) is used as the Key; the Plaintext is a Constant, a 64-bit block of 0; 25x DES with the Salt produces the Ciphertext, which is compared (Compare) with the password line.]
When password is set, salt is chosen randomly
12-bit salt slows dictionary attack by factor of $2^{12}$
Dictionary Attack – some numbers
Typical password dictionary
1,000,000 entries of common passwords
people's names, common pet names, and ordinary words.
Suppose you generate and analyze 10 guesses per second
This may be reasonable for a web site; offline is much faster
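The storage side of the password slides, as an added example that is not part of the original deck: it stores the same password for two users with and without a per-user salt and checks what the slide's precomputed hash table can still answer. SHA-256 and PBKDF2 stand in for the DES-based scheme in the figure, and the user names, dictionary and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the slides): a tiny dictionary and two
# users who happen to choose the same password.
DICTIONARY = ["password", "letmein", "kiwifruit", "dragon"]
USERS = ("alice", "bob")


def unsalted_hash(password: str) -> str:
    """The basic scheme: the password file stores hash(password) only."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Salted scheme: a fresh random salt per user plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def precomputed_table(words):
    """The slide's pre-computation step: hash(Word) -> Word, built once."""
    return {unsalted_hash(w): w for w in words}


def lookup_hits(table, stored_hashes) -> int:
    """How many stored hashes a single table lookup can answer."""
    return sum(1 for h in stored_hashes if h in table)


def demo() -> dict:
    table = precomputed_table(DICTIONARY)
    unsalted_file = {u: unsalted_hash("kiwifruit") for u in USERS}
    salted_file = {u: new_salted_record("kiwifruit") for u in USERS}
    salted_hex = [r["hash"].hex() for r in salted_file.values()]
    return {
        # Without salt, equal passwords are visible as equal hashes and one
        # table built in advance answers every account at once.
        "unsalted_equal": unsalted_file["alice"] == unsalted_file["bob"],
        "unsalted_hits": lookup_hits(table, unsalted_file.values()),
        # With a per-user salt the same table matches nothing; each account
        # would need its own pass over the dictionary through the slow KDF.
        "salted_equal": salted_file["alice"]["hash"] == salted_file["bob"]["hash"],
        "salted_hits": lookup_hits(table, salted_hex),
        "verify_ok": verify("kiwifruit", salted_file["alice"]),
        "verify_bad": verify("kiwifruit1", salted_file["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salt does not make a weak password strong; it removes the shared precomputation and forces per-account work, which is why the slow KDF matters as well.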
Challenge-response Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
“I am Alice”
Failure scenario??
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her
source IP address
[Figure: Alice → Bob: packet with Alice’s IP address, “I am Alice”.]
Failure scenario??
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her
source IP address
IP spoofing is the creation of Internet Protocol (IP) packets with a
forged source IP address, with the purpose of concealing the identity of
the sender or impersonating another computing system.
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to
“prove” it.
[Figure: Alice → Bob: Alice’s IP addr, Alice’s password, “I’m Alice”; Bob → Alice: Alice’s IP addr, “OK”.]
Failure scenario??
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to
“prove” it.
[Figure: Alice → Bob: Alice’s IP addr, Alice’s password, “I’m Alice”; Bob → Alice: Alice’s IP addr, “OK”; later, Trudy → Bob: Alice’s IP addr, Alice’s password, “I’m Alice”.]
playback attack: Trudy records Alice’s packet and later plays it back to Bob
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret
password to “prove” it.
[Figure: Alice → Bob: Alice’s IP addr, encrypted password, “I’m Alice”; Bob → Alice: Alice’s IP addr, “OK”.]
Failure scenario??
Authentication: another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret
password to “prove” it.
[Figure: Alice → Bob: Alice’s IP addr, encrypted password, “I’m Alice”; Bob → Alice: Alice’s IP addr, “OK”; later, Trudy → Bob: Alice’s IP addr, encrypted password, “I’m Alice”.]
Record and playback still works!
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return
R, encrypted with shared secret key. A nonce is an arbitrary number that
may only be used once.
[Figure: Alice → Bob: “I am Alice”; Bob → Alice: R; Alice → Bob: $K_{A-B}(R)$.]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
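The difference between ap3.1 and ap4.0 under a recorded-and-replayed message, as an added example that is not part of the original deck. It assumes HMAC-SHA256 over the nonce in place of the slide's "R encrypted with the shared key" (a substitution: both prove knowledge of the shared key), and the class and function names are made up for the example.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed proof over data; stands in for K_A-B(R) on the slide."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Alice:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, r: bytes) -> bytes:
        return mac(self._key, r)


class Bob:
    """ap4.0 verifier: every login gets a fresh nonce that is accepted once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # nonces issued and not yet answered

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)  # R: unpredictable, never reused
        self._outstanding.add(r)
        return r

    def verify(self, r: bytes, response: bytes) -> bool:
        if r not in self._outstanding:  # unknown or already consumed nonce
            return False
        self._outstanding.discard(r)    # single use, whatever the outcome
        return hmac.compare_digest(mac(self._key, r), response)


def ap31_token(key: bytes) -> bytes:
    """ap3.1 stand-in: the same protected-password bytes on every login."""
    return mac(key, b"constructed-password")


def run_exchange() -> dict:
    key = secrets.token_bytes(32)  # shared secret, constructed
    alice, bob = Alice(key), Bob(key)

    # ap3.1: Bob compares against a fixed value, so a copy recorded off the
    # wire is indistinguishable from a live login.
    recorded = ap31_token(key)
    ap31_replay = hmac.compare_digest(recorded, ap31_token(key))

    # ap4.0, honest run.
    r1 = bob.challenge()
    resp1 = alice.respond(r1)
    honest = bob.verify(r1, resp1)

    # Replay of the recorded pair: r1 has already been consumed.
    replay_same_nonce = bob.verify(r1, resp1)

    # Replay of the old response against a fresh challenge: wrong MAC.
    r2 = bob.challenge()
    replay_new_nonce = bob.verify(r2, resp1)

    return {
        "ap31_replay_accepted": ap31_replay,
        "ap40_honest_accepted": honest,
        "ap40_replay_same_nonce": replay_same_nonce,
        "ap40_replay_new_nonce": replay_new_nonce,
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```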
Authentication: ap5.0
ap4.0 doesn’t protect against server database reading
can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: Alice → Bob: “I am Alice”; Bob → Alice: R; Alice → Bob: $K_A^{-}(R)$.]
Bob computes $K_A^{+}(K_A^{-}(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^{+}(K_A^{-}(R)) = R$
Biometrics
Use a person’s physical characteristics
fingerprint, voice, face, keyboard timing, …
Advantages
Cannot be disclosed, lost, forgotten
Disadvantages
Cost, installation, maintenance
Reliability of comparison algorithms
False positive: Allow access to unauthorized person
False negative: Disallow access to authorized person
Outline
User authentication
Password authentication, salt
Challenge-Response
Biometrics
Token-based authentication
Authentication in distributed systems
Single sign-on, Microsoft Passport
[Figure: on a LAN, the user presents user name, password, or other auth to an Authentication Server with a Rules Database, in front of the Application.]
Advantages
User signs on once
No need for authentication at multiple sites, applications
Can set central authorization policy for the enterprise
Microsoft Passport
Launched 1999
Claim > 200 million accounts in 2002
Over 3.5 billion authentications each month
Log in to many websites using one account
Used by MS services Hotmail, MSN Messenger or MSN subscriptions;
also Radio Shack, etc.
Hotmail or MSN users automatically have Microsoft Passport accounts
set up
Access Control and Authorization
Access control is a process to determine “Who does what to what,” based
on a policy.
It is controlling access of who gets in and out of the system and who
uses what resources, when, and in what amounts.
Access control is restricting access to a system or system resources
based on something other than the identity of the user
Access control consists of four elements:
subjects,
objects,
operations,
a reference monitor (server)
Subjects are system users and groups of users while objects are files
and resources such as memory, printers, and scanners including
computers in a network.
An access operation comes in many forms including Web access,
server access, memory access, and method calls.
Whenever a subject requests to access an object, an access mode must
be specified.
There are two access modes:
Observe - in this mode, the subject may only look at the content of
the object.
This mode is the typical read in which a client process may request a server
to read from a file.
Alter – in this mode, the subject may change the content of the
object
For example, a user initiates an access request for a Web resource.
The request goes to the reference monitor.
The job of the reference monitor is to check on the hierarchy of rules that
specify certain restrictions.
A set of such rules is called an access control list (ACL).
The access control hierarchy is based on the:
URL path (http://www.goal.com/en/fixtures/premier-league/) for a
Web access, or
file path (C:\Windows\Users\david\Favorites\Links) for a file access
such as in a directory.
When a request for access is made, the monitor or server goes in turn
through each ACL rule, continuing until it either encounters a rule that
prevents it from continuing, which results in the request being rejected, or
comes to the last rule for that resource, which results in the access right
being granted.
read
append
write
NB: The user is cautioned not to confuse access rights and access modes.
The difference lies in the fact that you can perform any access right
within each access mode.
Figure 2: shows how this can be done.
Note that according to the last column in Figure 2: there are ‘x’ marks in
both rows because in order to write, one must observe first before altering.
This prevents the operating system from opening the file twice, one for the
read and another for a write.
Capability Tables
Restricted Interfaces
For a long time, access control was used with user- or group-based access
control lists, normally based in operating systems.
However, with Web-based network applications, this approach is no longer
flexible enough because it does not scale in the new environment.
Thus, most Web-based systems employ newer techniques and technologies such
as role-based and rule-based access control, where access rights are based on
specific user attributes such as their role, rank, or organization unit.
Access Control Matrix
All the information needed for access control administration can be put
into a matrix with rows representing the subjects or groups of subjects and
columns representing the objects.
The access that the subject or a group of subjects is permitted to the object
is shown in the body of the matrix.
For example, in the matrix in Figure 3 below, user A has permission to
write in file R4.
Access Control Lists
• In the access control lists (ACLs), groups with access rights to an object are
stored in association to the object.
• If you look at the access matrix in Figure 3 above, each object has a list of
access rights associated with it.
• In this case each object is associated with all the access rights in the column.
• For example, the ACL for the matrix in Figure 3 is shown in Figure 4 below.
• ACLs are very fitting for operating systems as they manage access to objects.
Rule-Based Access Control
Rule-based access control (RuBAC), also known as policy-based access
control (PBAC), will control authorization based on conditions other than
who you are
e.g., time of day, location, type of device
RBAC is a multi-part process where one process assigns roles to users just
like in the role-based access control techniques.
The second process assigns privileges to the assigned roles based on a
predefined policy.
Another process is used to identify and authenticate the users allowed to
access the resources.
It is based on a set of rules that determine users’ access rights to resources
within an organization’s system.
Many organizations, for example, limit the scope and amount, sometimes
the times, employees, based on their ranks and roles.
Such limits may be specified based on the number of documents that can
be downloaded by an employee during a certain time period and on the
limit of which part of the Web site such an employee can access.
EXAMPLE
Consider you are renting a room in a hotel and they give you an access
card. Possession of that card (authentication) gives you access to your room
(authorization) any time of day.
The card also grants you access to the gym, which is only open from
5:00am-11:00pm each day. This is an example of rule-based control.
Your card does not grant you access to the employee lounge, regardless of
the time of day. This is an example of role-based control.
Say you really liked the place, so you decided to get a job working there.
You finally get to see what’s behind the doors of the coveted employee lounge!
You get there a few hours early to enjoy your new amenity. You walk to the
door, swipe the card, and you’re greeted with a flashing red light. Role & rule
- you’re allowed to get in, but only within +/- 1 hour of your shift. Maybe just
hang out at KALDIS for a while.
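The hotel card story above as a decision function, written as an added example that is not part of the original slides. The gym hours and the one-hour shift window come from the text; the door names, room number, shift times, the reading of "+/- 1 hour" as one hour before shift start to one hour after shift end, and the choice that only guests use the gym are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

GYM_OPEN, GYM_CLOSE = time(5, 0), time(23, 0)  # gym hours from the text
SHIFT_GRACE = timedelta(hours=1)               # "+/- 1 hour of your shift"


@dataclass(frozen=True)
class Card:
    holder: str
    role: str                                          # "guest" or "employee"
    room: Optional[str] = None                         # guests only
    shift: Optional[Tuple[datetime, datetime]] = None  # employees only


def decide(card: Card, door: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). The role check comes first, then the rule."""
    if door.startswith("room:"):
        # Role only: a guest card opens its own room at any time of day.
        own = card.role == "guest" and card.room == door.split(":", 1)[1]
        return (True, "role: own room") if own else (False, "role: not your room")

    if door == "gym":
        if card.role != "guest":  # assumption: the gym is a guest amenity
            return False, "role: guests only"
        if GYM_OPEN <= now.time() < GYM_CLOSE:
            return True, "rule: within opening hours"
        return False, "rule: gym closed"

    if door == "employee_lounge":
        if card.role != "employee":
            return False, "role: employees only"
        if card.shift is None:
            return False, "rule: no shift scheduled"
        start, end = card.shift
        if start - SHIFT_GRACE <= now <= end + SHIFT_GRACE:
            return True, "role+rule: employee near shift"
        return False, "rule: outside shift window"

    return False, "default deny: unknown door"


# Constructed cards for the two halves of the story.
GUEST = Card("you", "guest", room="412")
STAFF = Card(
    "you", "employee",
    shift=(datetime(2024, 3, 1, 14, 0), datetime(2024, 3, 1, 22, 0)),
)

if __name__ == "__main__":
    checks = [
        (GUEST, "room:412", datetime(2024, 3, 1, 3, 0)),
        (GUEST, "gym", datetime(2024, 3, 1, 4, 30)),
        (GUEST, "employee_lounge", datetime(2024, 3, 1, 15, 0)),
        (STAFF, "employee_lounge", datetime(2024, 3, 1, 11, 0)),
        (STAFF, "employee_lounge", datetime(2024, 3, 1, 13, 0)),
    ]
    for card, door, when in checks:
        print(card.role, door, when.time(), decide(card, door, when))
```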
Access Control Systems
Physical Access Control
In a limited number of cases, access to an organization's systems comes
from intruders physically gaining access to the system itself, where
they can install password cracking programs.
Studies have shown that a great majority of system break-ins originate
from inside the organization.
Access Cards
Access cards are perhaps the most widely used form of access control
system worldwide.
With advanced digital technology, cards now contain magnetic strips
and embedded microchips.
Access cards are used in most e-commerce transactions, payment
systems, and in services such as health and education.
These types of identification are also known as electronic keys.
Electronic Surveillance
Consists of a number of captures such as video recordings, system
logs, keystroke and application monitors, screen-capture software
commonly known as activity monitors, and network packet sniffers.
Video recordings capture the activities at selected access points.
Increasingly these video cameras are now connected to computers and
actually the Web, a process now commonly referred to as webcam
surveillance.
Many of these cameras are now motion-activated and they record video
footage shot from vantage points at the selected points.
The video footage can be viewed live or stored for later viewing.
Keystroke monitors are software or hardware products that record
every character typed on keyboards.
Packet sniffers work at a network level to sniff at network packets as
they move between nodes.
Based on the analysis, they can monitor e-mail messages, Web browser
usage, node usage, traffic into a node, nature of traffic, and how often a user
accesses a particular server, application, or network.
Biometrics
confirm a person's identity by scanning a physical characteristic such as a
fingerprint, voice, eye movement, facial recognition, and others.
It has probably been one of the oldest access control techniques.
However, during the past several years and with heightened security, it
has become increasingly popular.
Can be used to permit access to a network or a building, and become an
increasingly reliable, convenient and cost-effective means of security.
Improvements in biometrics are essential because bad biometric security
can lull system and network administrators into a false sense of
safety.
In addition, it can also lock out a legitimate user and admit an intruder.
So care must be taken when procuring biometric devices.
Authorization
This is the determination of whether a user has permission to access,
read, modify, insert, or delete certain data, or to execute certain
programs.
Authorization is also commonly referred to as access permissions and it
determines the privileges a user has on a system and what the user should
be allowed to do to the resource.
Access permissions are normally specified by a list of possibilities. For
example, UNIX allows the list { read, write, execute} as the list of
possibilities for a user or group of users on a UNIX file.
The process of authorization itself has traditionally been composed of two
separate processes:
Authentication
Access control.
To get a good picture let us put them together. In brief authentication
deals with ascertaining that the user is who he or she claims he or she is.
Access control then deals with a more refined problem of being able to
find out “what a specific user can do to a certain resource.”
So authorization techniques such as the traditional centralized access
control use ACLs as a dominant mechanism to create user lists and
user access rights to the requested resource.
However, in more modern and distributed system environments,
authorization takes a different approach from this.
In fact the traditional separation of authorization process into
authentication and access control also does not apply.
As with access control, authorization has three components:
a set of objects we will designate as O,
a set of subjects designated as S,
a set of access permissions designated as A.
The authorization rule is a function f that takes the triple (s, o, a),
where $s \in S$, $o \in O$, $a \in A$, and maps them into a binary value T,
where T = {true, false}, as $f : S \times O \times A \to \{\text{True}, \text{False}\}$.
When the value of the function f is true, this signals full
authorization to the resource.
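The access control matrix and its per-object ACLs from the earlier slides, together with the authorization rule f above, as an added example that is not part of the original deck. Only the cell giving user A write permission on file R4 comes from the text; the other subjects, objects and rights are constructed because Figures 3 and 4 are not reproduced here, and the class and function names are made up.

```python
from collections import defaultdict
from itertools import product

# Constructed matrix: rows are subjects, columns are objects. Only the cell
# (A, R4) holding "write" comes from the text; the rest is illustrative.
MATRIX = {
    "A": {"R1": {"read"}, "R4": {"read", "write"}},
    "B": {"R1": {"read", "write"}, "R2": {"read"}},
    "C": {"R2": {"read", "append"}, "R3": {"read"}},
}
S = set(MATRIX)                                    # subjects
O = {o for row in MATRIX.values() for o in row}    # objects
A = {"read", "append", "write"}                    # access permissions


def f(s, o, a, matrix=MATRIX) -> bool:
    """Authorization rule f : S x O x A -> {True, False}; empty cell = False."""
    return a in matrix.get(s, {}).get(o, set())


def to_acls(matrix) -> dict:
    """Column view: each object stores the subjects and rights allowed on it."""
    acls = defaultdict(dict)
    for s, row in matrix.items():
        for o, rights in row.items():
            acls[o][s] = set(rights)
    return dict(acls)


def to_capabilities(matrix) -> dict:
    """Row view: each subject holds the objects and rights granted to it."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}


class ReferenceMonitor:
    """Mediates every request using only the ACL stored with the object."""

    def __init__(self, acls: dict):
        self._acls = acls
        self.audit = []  # (subject, object, permission, decision)

    def request(self, s, o, a) -> bool:
        decision = a in self._acls.get(o, {}).get(s, set())
        self.audit.append((s, o, a, decision))
        return decision


def views_agree() -> bool:
    """The matrix, the ACLs and the capabilities must give the same answer for
    every triple, including a subject and an object that do not exist."""
    monitor = ReferenceMonitor(to_acls(MATRIX))
    caps = to_capabilities(MATRIX)
    return all(
        f(s, o, a) == monitor.request(s, o, a)
        == (a in caps.get(s, {}).get(o, set()))
        for s, o, a in product(S | {"unknown_user"}, O | {"R9"}, A)
    )


if __name__ == "__main__":
    print("f(A, R4, write) =", f("A", "R4", "write"))
    print("f(B, R4, write) =", f("B", "R4", "write"))
    print("ACL for R1:", to_acls(MATRIX)["R1"])
    print("views agree:", views_agree())
```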
Authorization Mechanisms
Authorization mechanisms, especially those in database management systems
(DBMSs), can be classified into two main categories:
Discretionary Authorization (non-compulsory)
This mechanism grants access privileges to users based on control policies that govern the access of subjects to objects using the subjects’ identity and authorization rules.
These mechanisms are discretionary in that they allow subjects to grant other users authorization to access the data.
They are highly flexible, making them suitable for a large variety of application domains.
However, the same characteristics that make them flexible also make them vulnerable to malicious attacks, such as Trojan Horses embedded in application programs.
Mandatory Authorization
Mandatory policies, unlike the discretionary ones seen above, ensure a high degree of protection in that they prevent any illegal flow of information through the enforcement of multilevel security by classifying the data and users into various security classes.
They are, therefore, suitable for contexts that require structured but graded levels of security such as the military.
However, mandatory policies have the drawback of being too rigid, in that they require a strict classification of subjects and objects in security levels, and are, therefore, applicable only to very few environments.
Types of Authorization Systems
Centralized
Only one central authorization unit grants and delegates access to system
resources.
This means that any process or program that needs access to any system resource
has to request from the one omniscient central authority.
Decentralized
This differs from the centralized system in that the subjects own the objects they
have created and are, therefore, responsible for their security, which is locally
maintained.
Each subject may, however, delegate access rights to its objects to another
subject. Because of these characteristics, decentralized authorization is found to be
very flexible and easily adaptable to particular requirements of individual subjects.
Implicit
In implicit authorization, the subject is authorized to use a requested system
resource indirectly because the objects in the system are referenced in terms of
other objects.
Explicit
Explicit authorization is the opposite of the implicit. It explicitly stores all
authorizations for all system objects whose access has been requested.