Page 1: Access Control Identification and Authentication.

Access Control: Identification and Authentication

Page 2: Access Control Identification and Authentication.

SECURITY INNOVATION ©2003

Security Policy:

• Generally speaking, a security policy describes how people may access documents or other information.

• A computer’s version of a security policy consists of a precise set of rules for determining authorization as a basis for making access control decisions.

• This section and the following section present several security policies that are commonly implemented in computer systems.

Page 3: Access Control Identification and Authentication.


Security Policy:

• Policies presented include:

– Access to systems based upon user identification.

– Access to objects (such as files, directories, etc.) based upon user identification, where owners of objects can, at their discretion, grant access to other users.

– Access to objects (such as files, directories, etc.) based upon the clearance level of the user.

Page 4: Access Control Identification and Authentication.


System Access Control

• Controlling Access to the System Physically

– Guards

• need at least 4 for 24-hour coverage

• must recognize someone, or a token

• no record of access

– Locks

• cheaper than a guard

• no record of access

Page 5: Access Control Identification and Authentication.


Identification and Authentication

• Controlling Access to the System Using Identification and Authentication: a two-step process.

• Identification – Telling the system who you are.

• Authentication – Proving to the system that you are who you say you are.

• Three classic ways of establishing proof:

– Something you know.

– Something you have.

– Something you are.

Page 6: Access Control Identification and Authentication.


Benefits of Identification and Authentication

• Can provide a complete log of access and attempted accesses.

• Access privileges granted/removed quickly

Page 7: Access Control Identification and Authentication.


Passwords

• Something you know.

– Agreed-upon code words entered by the user.

• Subject to:

– Loss

– Disclosure

– Attack

Page 8: Access Control Identification and Authentication.


Attacks on Passwords

• Brute force attack.

– Try all words.

• Probable password attack.

– Try short words.

– Try common words.

• Probable user password attack.

– Family names.

– Birth dates.

Page 9: Access Control Identification and Authentication.


Password File

• Conventional encryption.

– Enter password.

– Decrypt stored password from table.

– Compare passwords.

• One-way cipher.

– Enter password.

– Encrypt password.

– Compare to encrypted password.
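The one-way-cipher flow on this slide, as an added example that is not part of the original slides: the password file holds only a per-user salt and a one-way digest (PBKDF2-HMAC-SHA256 from the standard library, an assumed choice), the entered password is run through the same one-way function, and the two outputs are compared. The in-memory dictionary and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "password file": username -> (salt, one-way digest).
PASSWORD_FILE: dict[str, tuple[bytes, bytes]] = {}

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this illustration


def one_way(password: str, salt: bytes) -> bytes:
    """One-way cipher: the output cannot be decrypted back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(user: str, password: str) -> None:
    """Store salt + digest only; the plaintext password never reaches the file."""
    salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
    PASSWORD_FILE[user] = (salt, one_way(password, salt))


def login(user: str, entered: str) -> bool:
    """Enter password, encrypt it, compare to the stored encrypted password."""
    record = PASSWORD_FILE.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(one_way(entered, salt), stored)


def file_reveals_password(user: str, password: str) -> bool:
    """Even a readable password file (next slide) does not contain the plaintext."""
    salt, stored = PASSWORD_FILE[user]
    return password.encode() in salt + stored


if __name__ == "__main__":
    enroll("alice", "picnic")
    print(login("alice", "picnic"))   # True
    print(login("alice", "Picnic"))   # False
```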

Page 10: Access Control Identification and Authentication.


Attacks Using Password File

• Readable password file.

• Backup tapes.

Page 11: Access Control Identification and Authentication.

Guessing Passwords

Page 12: Access Control Identification and Authentication.


Password Space:

• The password space is the set of all passwords.

• The size of a password space is determined by:

– The length of passwords, denoted by L.

– The size of the password alphabet, denoted by A.

• If passwords only consist of lower case letters, A = 26.

• If passwords consist of lower and upper case letters and digits, A = 62.

• The size of the password space is A^L.

Page 13: Access Control Identification and Authentication.


Brute Force: exhaustively trying all passwords

• On the average, you will need to try half of them.

• On a 400-MHz Quad Pentium II, L0phtcrack (LC4) can try every 7 character alphanumeric password in 5.5 hours.

• …every possible 7 character keyboard password in 480 hours (~94^7 = 64,850,000,000,000).

• Zn5e937o72q204 - 1 day to crack

• picnic - 30 seconds to crack

Page 14: Access Control Identification and Authentication.


Exhaustively trying all passwords:

• Consider that at one of the largest technology companies, where policy required that passwords exceed 8 characters, mix cases, and include numbers or symbols...

• LC4 obtained 18% of the passwords in 10 minutes

• 90% of the passwords were recovered within 48 hours on a Pentium II/300

• The Administrator and most Domain Admin passwords were cracked

Page 15: Access Control Identification and Authentication.


L0phtcrack

[Screenshot: 2 passwords recovered in <1 second]

Page 16: Access Control Identification and Authentication.


But my system uses 128-bit encryption….

• Many keys are generated from passwords or passphrases.

• A system that accepts 10 character ASCII passwords might require 80 bits.

• However, passwords have <4 bits of entropy per character. Now we are down to 40 bits….

• Time to solution is measured in minutes….
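The password-space and entropy figures from the Password Space, Brute Force and 128-bit slides, worked through with the slides' own values as an added example (not part of the original deck):

$$|S| = A^{L}, \qquad \text{expected trials} = \tfrac{1}{2}A^{L}, \qquad \text{entropy bound} = \log_2 A^{L} = L\log_2 A$$

For the three 7-character alphabets discussed:

$$26^{7} \approx 8.03\times10^{9}, \qquad 62^{7} \approx 3.52\times10^{12}, \qquad 94^{7} \approx 6.48\times10^{13}$$

$$7\log_2 26 \approx 32.9\ \text{bits}, \qquad 7\log_2 62 \approx 41.7\ \text{bits}, \qquad 7\log_2 94 \approx 45.9\ \text{bits}$$

The 128-bit slide contrasts the byte count with the entropy of human-chosen text: 10 ASCII bytes could carry $10 \times 8 = 80$ bits, but at under 4 bits of entropy per character the effective space is below $2^{40} \approx 1.1\times10^{12}$, which is smaller than the $62^{7}$ space LC4 exhausted in 5.5 hours. The key length of the cipher is irrelevant when the key is derived from a password whose entropy is that low.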

Page 17: Access Control Identification and Authentication.

Password Issues

Page 18: Access Control Identification and Authentication.


Password Issues

• Sane password management

– You can't improve the performance of human memory by making rules or even by restricting password selection. Lost passwords represent 20% to 50% of help desk calls and cost $80 each to resolve.

– The help desk process also opens the risk of social engineering attacks on password-protected resources.

– Many people try to avoid the help desk by writing down their passwords, and that introduces yet another dynamic into the security mix.

Page 19: Access Control Identification and Authentication.


Password Issues

• Strong passwords that resist dictionary attacks should contain at least eight characters and a mixture of upper- and lowercase letters, digits, and special characters.

• Reusable passwords should never be used over the Internet unless they are encrypted by a strong, separately established cryptographic key.

• Consider one-time password authentication tokens, smart cards, or similar devices.

Page 20: Access Control Identification and Authentication.


Implementation Issues:

• System may actually give away information.

– Which part of the login is incorrect.

– Which system is being accessed.

• Limit access attempts.

• Enforce password time limits.

• Employ password checking programs.

– Proactive checkers are best.

– Ensures adequate password length.

– Ensures adequate password alphabet (forces the inclusion of capital letters, punctuation, or numbers).

– Avoids the use of English words.
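A proactive checker of the kind this slide recommends, as an added example (not part of the original slides): it rejects a candidate at selection time if it is shorter than the eight characters the Password Issues slide asks for, lacks any of the four character classes, or is built from English words. The word list is a constructed stand-in for a real dictionary, and the rule names are assumptions.

```python
import string

# Constructed mini dictionary standing in for a real English word list.
ENGLISH_WORDS = {"picnic", "password", "welcome", "summer", "admin", "secret"}

MIN_LENGTH = 8  # "at least eight characters" from the Password Issues slide


def check_password(candidate: str) -> list[str]:
    """Return the rules the candidate fails; an empty list means it is accepted."""
    problems = []

    # Adequate length.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Adequate alphabet: force capitals, digits and punctuation into the password.
    classes = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "punctuation": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")

    # Avoid English words: reject if the whole password, or any alphabetic run
    # inside it (so "Summer2024!" still fails), is a dictionary word.
    lowered = candidate.lower()
    runs = "".join(c if c.isalpha() else " " for c in lowered).split()
    if lowered in ENGLISH_WORDS or any(run in ENGLISH_WORDS for run in runs):
        problems.append("contains an English dictionary word")

    return problems


if __name__ == "__main__":
    for pw in ("picnic", "Zn5e937o72q204", "Summer2024!"):
        print(pw, "->", check_password(pw) or "accepted")
```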

Page 21: Access Control Identification and Authentication.

Authentication Devices

Page 22: Access Control Identification and Authentication.


Tokens and Smart Cards

• Something you have.

– A token is an object which authenticates its possessor.

– Must be unforgeable and unique.

– Not foolproof, since it may be lost or stolen.

– Smart card may compute the response to a challenge.

– Smart card may perform encryption.

[Image: SecurID token (ACE, access control encryption) displaying a one-time code]

Page 23: Access Control Identification and Authentication.


Personal Characteristic Recognition (Biometric Devices)

• Something you are.

– Retinal scanners.

– Palm/fingerprints.

– Voice pattern recognition.

– Difficult for an imposter to duplicate.

Page 24: Access Control Identification and Authentication.


Challenge and Response Systems

• Something you have and something you know.

• Passwords are in the clear from time of entry until accepted by the host.

– Normal passwords are static.

Page 25: Access Control Identification and Authentication.


Challenge and Response Systems

• Challenge and reply systems create a pseudo one-time password system.

– Passwords become dynamic.

• To ensure security:

– Encryption keys should be changed regularly.

– Algorithms should be changed occasionally.

• Challenge and reply systems are most appropriate for host-to-host communications because of the computing power available.

• This method affords authentication and identification as well as eliminating the replay problem.
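The host-to-host exchange these two slides describe, as an added example (not part of the original slides): the host sends a fresh random challenge, the client answers with a keyed digest of it (HMAC-SHA256 over a shared key, an assumed choice), and the host accepts each challenge once. Because the response changes with every challenge, a captured challenge/response pair replayed later is rejected, which is the replay property the slide claims. The shared key and the `Host`/`Client` names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Shared secret established out of band; constructed value for this example.
SHARED_KEY = b"example-shared-key-not-a-real-one"


class Host:
    """Verifying side: issues challenges and remembers each until it is answered."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)  # unpredictable and never reused
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A challenge may be answered once; a replayed pair carries a nonce
        # that is no longer outstanding and is refused before any crypto runs.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Client:
    """Proving side: the static key never crosses the wire, only a digest of the challenge."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def run_exchange(host: Host, client: Client) -> tuple[bytes, bytes, bool]:
    """One full exchange: host -> challenge, client -> response, host -> accept/reject."""
    nonce = host.challenge()
    response = client.respond(nonce)
    return nonce, response, host.verify(nonce, response)


if __name__ == "__main__":
    host, client = Host(SHARED_KEY), Client(SHARED_KEY)
    nonce, response, accepted = run_exchange(host, client)
    print("first exchange accepted:", accepted)               # True
    print("replay accepted:", host.verify(nonce, response))   # False
```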

Page 26: Access Control Identification and Authentication.

Login Spoofing

Page 27: Access Control Identification and Authentication.


Problem:

• A key logger is malicious software that is installed and left running as a background process.

• “Our keylogger has unique remote installation feature. You can attach keylogger to any other program and send it by e-mail to install on the remote PC in the stealth mode. Attach keylogger to a beautiful screensaver and send it to your friend!”

• “…… is the first keylogger which is absolutely invisible in the Windows NT/2000/XP Task Manager!”

Page 28: Access Control Identification and Authentication.


Keylogger

[Diagram with labels: System, Password]

Page 29: Access Control Identification and Authentication.


Keylogger Insider Attack

• Instant privilege escalation. Install a keylogger on a machine with user privilege.

• Call the help desk and report a problem with the machine.

• The first technician to your machine will immediately log in to their system account.

Page 30: Access Control Identification and Authentication.


Solution:

• The Trusted Path

• Two components can mutually authenticate each other so that no impersonation can take place.

• When the trusted path is invoked, all user processes to a terminal are killed and the system trusted path screen or menu is displayed.

– It provides a means where the user can be sure that they are communicating with the REAL system.

– Before logging in, users ALWAYS invoke the trusted path.

Page 31: Access Control Identification and Authentication.


Solution: An example of establishing a trusted path:

• CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS).

• The SAS is a signal to the operating system that someone is trying to log on.

• After the SAS is triggered, all user mode applications pause until the security operation completes or is cancelled.

• In theory, during this pausing of applications, logon-related Trojans and key loggers are stopped.

Page 32: Access Control Identification and Authentication.


Note:

• Passwords and biometric devices are ONLY good for authenticating the user to the system.

• A trusted path is required to authenticate the system to the user.

• Identification and Authentication consists of both identifying and authenticating the user to the system and identifying and authenticating the system to the user.