Access Control
Identification and Authentication
SECURITY INNOVATION ©2003
Security Policy:
• Generally speaking, a security policy describes how people may access documents or other information.
• A computer’s version of a security policy consists of a precise set of rules for determining authorization as a basis for making access control decisions.
• This section and the following section present several security policies that are commonly implemented in computer systems.
Security Policy:
• Policies presented include:
  – Access to systems based upon user identification.
  – Access to objects (such as files, directories, etc.) based upon user identification, where owners of objects can, at their discretion, grant access to other users.
  – Access to objects (such as files, directories, etc.) based upon the clearance level of the user.
System Access Control
• Controlling Access to the System Physically
  – Guards
    • need at least 4 for 24-hour coverage
    • must recognize someone, or token
    • no record of access
  – Locks
    • cheaper than a guard
    • no record of access
Identification and Authentication
• Controlling Access to the System Using Identification and Authentication: Two Step Process
• Identification
  – Telling the system who you are.
• Authentication
  – Proving to the system that you are who you say you are.
• Three classic ways of establishing proof.
  – Something you know.
  – Something you have.
  – Something you are.
Benefits of Identification and Authentication
• Can provide a complete log of access and attempted accesses.
• Access privileges granted/removed quickly
Passwords
• Something you know.
  – Agreed upon code words entered by user.
• Subject to:
  – Loss
  – Disclosure
  – Attack
Attacks on Passwords
• Brute force attack.
  – Try all words.
• Probable password attack.
  – Try short words.
  – Try common words.
• Probable user password attack.
  – Family names.
  – Birth dates.
Password File
• Conventional encryption.
  – Enter password.
  – Decrypt stored password from table.
  – Compare passwords.
• One way cipher.
  – Enter password.
  – Encrypt password.
  – Compare to encrypted password.
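An added example (not from the original slides) of the one-way scheme: the password file holds only a salted, iterated hash, and login recomputes it from the entered password and compares. The per-user salt, PBKDF2-HMAC-SHA256, the iteration count and all function names are choices of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the host's hardware

def make_record(password):
    """Enrolment: store salt and one-way digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}

def verify(record, attempt):
    """Login: transform the entered password the same way, then compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])  # constant time

PASSWORD_FILE = {}                   # constructed in-memory password file
_DUMMY = make_record("placeholder")  # same work is done for unknown users

def enroll(user, password):
    PASSWORD_FILE[user] = make_record(password)

def login(user, attempt):
    """One yes/no answer; does not reveal whether the user name exists."""
    record = PASSWORD_FILE.get(user, _DUMMY)
    ok = verify(record, attempt)
    return ok and user in PASSWORD_FILE

if __name__ == "__main__":
    enroll("alice", "Zn5e937o72q204")
    enroll("bob", "Zn5e937o72q204")
    # Same password, different salts: the stored digests do not match, so a
    # copy of the file (or a backup tape) does not show who shares a password.
    print(PASSWORD_FILE["alice"]["digest"] != PASSWORD_FILE["bob"]["digest"])
    print(login("alice", "Zn5e937o72q204"), login("alice", "picnic"))
```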
Attacks Using Password File
• Readable password file.
• Backup tapes.
Guessing Passwords
Password Space:
• The password space is the set of all passwords.
• The size of a password space is determined by:
  – The length of passwords, denoted by L.
  – The size of the password alphabet, denoted by A.
    • If passwords only consist of lower case letters, A = 26.
    • If passwords consist of lower and upper case letters and digits, A = 62.
• The size of the password space is A^L.
Brute Force: exhaustively trying all passwords
• On the average, you will need to try half of them.
• On a 400-MHz Quad Pentium II, L0phtcrack (LC4) can try every 7 character alphanumeric password in 5.5 hours.
• …every possible 7 character keyboard password in 480 hours (~94^7 = 64850000000000).
• Zn5e937o72q204 - 1 day to crack
• picnic - 30 seconds to crack
Exhaustively trying all passwords:
• Consider that at one of the largest technology companies, where policy required that passwords exceed 8 characters, mix cases, and include numbers or symbols...
• LC4 obtained 18% of the passwords in 10 minutes
• 90% of the passwords were recovered within 48 hours on a Pentium II/300
• The Administrator and most Domain Admin passwords were cracked
L0phtcrack
2 Passwords <1 second
But my system uses 128-bit encryption….
• Many keys generated from passwords or passphrases
• A system that accepts 10 character ASCII passwords might require 80 bits
• However passwords have <4 bits entropy per character. Now we are down to 40 bits….
• Time to solution measured in minutes….
Password Issues
Password Issues
• Sane password management
– You can't improve the performance of human memory by making rules or even by restricting password selection. Lost passwords represent 20% to 50% of help desk calls and cost $80 each to resolve.
– The help desk process also opens the risk of social engineering attacks on password protected resources.
– Many people try to avoid the help desk by writing down their passwords, and that introduces yet another dynamic into the security mix.
Password Issues
• Strong passwords that resist dictionary attacks should contain at least eight characters and a mixture of upper- and lowercase letters, digits, and special characters.
• Reusable passwords should never be used over the Internet unless they are encrypted by a strong, separately established cryptographic key.
• Consider one-time password authentication tokens, smart cards, or similar devices
Implementation Issues:
• System may actually give away information.
  – Which part of login is incorrect.
  – Which system is being accessed.
• Limit access attempts.
• Enforce password time limits.
• Employ password checking programs.
  – Proactive checkers are best.
  – Ensures adequate password length.
  – Ensures adequate password alphabet (forces the inclusion of capital letters, punctuation, or numbers).
  – Avoids the use of English words.
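A proactive checker of the kind listed above, as an added example that is not part of the original slides: it rejects a candidate password at selection time for length, alphabet, or dictionary-word problems, and reports the nominal password space in bits. The word list is a constructed sample, and the function names and the 8-character minimum are assumptions of the example.

```python
import math
import string

# Constructed sample list; a deployed checker would load a full dictionary.
WORDS = {"password", "picnic", "welcome", "dragon", "monkey", "secret"}

CLASSES = [
    ("lowercase letter", string.ascii_lowercase),
    ("uppercase letter", string.ascii_uppercase),
    ("digit", string.digits),
    ("special character", string.punctuation),
]

def alphabet_size(password):
    """A: total size of the character classes the password draws from."""
    return sum(len(chars) for _, chars in CLASSES
               if any(c in chars for c in password))

def space_bits(password):
    """log2(A^L). An upper bound: only randomly chosen passwords reach it."""
    a = alphabet_size(password)
    return len(password) * math.log2(a) if a else 0.0

def check_password(password, min_length=8, words=WORDS):
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES:
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    for word in sorted(words):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems

if __name__ == "__main__":
    for candidate in ("picnic", "Picnic2003!", "tR7#vq9!Lm"):
        print(candidate, round(space_bits(candidate), 1),
              check_password(candidate))
```

"Picnic2003!" satisfies the length and alphabet rules and scores about 72 nominal bits, yet is still rejected for the embedded word, which is why the dictionary test is needed alongside the other two.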
Authentication Devices
Tokens and Smart Cards
• Something you have.
  – A token is an object which authenticates its possessor.
  – Must be unforgeable and unique.
  – Not foolproof since it may be lost or stolen.
  – Smart card may compute the response to challenge.
  – Smart card may perform encryption.
[Figure: SecurID token (ACE, access control encryption), showing 166575]
Personal Characteristic Recognition (Biometric Devices)
• Something you are.
  – Retinal scanners.
  – Palm/fingerprints.
  – Voice pattern recognition.
  – Difficult for imposter to duplicate.
Challenge and Response Systems
• Something you have and something you know.
• Passwords are in the clear from time of entry until accepted by host.
  – Normal passwords are static.
Challenge and Response Systems
• Challenge and reply systems create a pseudo one time password system.
  – Passwords become dynamic.
• To ensure security:
  – Encryption keys should be changed regularly.
  – Algorithms should be changed occasionally.
• Challenge and reply systems are most appropriate for host-to-host communications because of the computing power available.
• This method affords authentication and identification as well as eliminates the replay problem.
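The exchange described above, as an added example that is not part of the original slides: the host issues a random single-use challenge, the token answers with a keyed MAC over it, and a captured reply is useless afterwards. HMAC-SHA256 stands in for the unspecified algorithm; the `Host` class and `token_response` are names assumed for the example.

```python
import hashlib
import hmac
import secrets

def token_response(key, challenge):
    """Token / smart card side: answer the challenge with the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Host:
    def __init__(self, keys):
        self.keys = keys      # user -> shared secret key
        self.pending = {}     # user -> challenge awaiting a reply

    def challenge(self, user):
        nonce = secrets.token_bytes(16)   # fresh and unpredictable each time
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # a challenge is valid only once
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(32)         # constructed shared key
    host = Host({"alice": key})

    c1 = host.challenge("alice")          # host  -> token: challenge
    r1 = token_response(key, c1)          # token -> host : response
    genuine = host.verify("alice", r1)

    # An eavesdropper who recorded r1 sends it again.
    replay_without_challenge = host.verify("alice", r1)
    host.challenge("alice")               # new login attempt, new challenge
    replay_on_new_challenge = host.verify("alice", r1)
    return genuine, replay_without_challenge, replay_on_new_challenge

if __name__ == "__main__":
    print(demo())
```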
Login Spoofing
Problem:
• A key logger is malicious software that is installed and left running as a background process.
• “Our keylogger has unique remote installation feature. You can attach keylogger to any other program and send it by e-mail to install on the remote PC in the stealth mode. Attach keylogger to a beautiful screensaver and send it to your friend!”
• “…… is the first keylogger which is absolutely invisible in the Windows NT/2000/XP Task Manager!”
Keylogger
[Figure: System Password]
Keylogger Insider Attack
• Instant privilege escalation. Install a keylogger on a machine with user privilege.
• Call the help desk and report a problem with the machine.
• The first technician to your machine will immediately log in to their system account.
Solution:
• The Trusted Path
• Two components can mutually authenticate each other so that no impersonation can take place.
• When the trusted path is invoked, all user processes to a terminal are killed and the system trusted path screen or menu is displayed.
  – It provides a means where the user can be sure that they are communicating with the REAL system.
  – Before logging in, users ALWAYS invoke the trusted path.
Solution:
An example of establishing a trusted path:
• CTRL+ALT+DEL. This is NT's default Security Attention Sequence
• The SAS is a signal to the operating system that someone is trying to logon.
• After the SAS is triggered, all user mode applications pause until the security operation completes or is cancelled.
• In theory, during this pausing of applications, logon-related Trojans and key loggers are stopped.
Note:
• Passwords and biometric devices are ONLY good for authenticating the user to the system.
• A trusted path is required to authenticate the system to the user.
• Identification and Authentication consists of both identifying and authenticating the user to the system and identifying and authenticating the system to the user.