ISA 562 1 Access Control ISA 562 Internet Security Theory & Practice

Dec 29, 2015

Toby Andrews

Slide 1: Access Control
ISA 562 Internet Security Theory & Practice

Slide 2: Objectives and References

General (from ISC2 CBK material): discuss access control mechanisms, measures and threats
Details (from Bishop's Chapter 2): access control assurance methods
General (from ISC2 CBK material): intrusion detection / intrusion prevention

Slide 3: Requirements & Concepts

Some basic requirements of an access control:
  Avoid disclosing sensitive data to unauthorized users (confidentiality)
  Provide sensitive information to authorized users (availability)
  Reliable and dependable (integrity preserving)
  Scalable and expandable (long life)

Some of the key concepts in access control systems are:
  Separation of duties
  Least privilege
  Need-to-know
  Need-to-share (a contemporary buzz-phrase)
  Handle with care

Slide 4: What to protect? Information classification

Based on the business risk of the content being released to mal-actors
Example: the US government classification: Unclassified, Confidential, Secret, Top Secret
Will be discussed in detail

Slide 5: Kinds of Access Control

Preventive: avoid unwanted actions/events by blocking the ability to do them.
Detective: identify unwanted actions or events after they occur.
Corrective: remedy the circumstances that enabled the unwanted activity; return to the state prior to the unwanted activity.
Directive: dictated by a higher authority in laws or regulations, or specified in organization policy.
Deterrent: prescribe punishment for noncompliance.
Recovery: restore lost computing resources or capabilities.
Compensating: reinforce or replace normal controls that are unavailable.

Slide 6: 3 Types of Access Controls

Administrative. Examples: separation of duties, dual control, etc.
Physical. Examples: fences, alarms, badges, CCTV, etc.
Technical. Examples: antivirus, anti-spam, logs, etc.

Further examples in the ISC2 book show how controls map to the access control types.

Slide 7: Steps in Accessing Systems

Authentication
  Use a unique identifier. Example: user ID, account number, PIN
  Three main kinds of data used for authentication:
    Something the requester knows: passwords, pass-phrases
    Something the requester is: biometrics, physical characteristics
    Something the requester has: tokens (one-time passwords, time-synchronized tokens), smart cards, USB tokens
Authorization
Accounting

Slide 8: Using Tokens & Smartcards for Authentication

Asynchronous token: challenge-response
Synchronous token: time or event based, using one-time passwords or hashed values; the authentication server knows the expected value from the token
Smart cards: contact, contact-less
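To make the two token styles concrete, here is an added example (it is not part of the slides or of the ISC2 material) of the server side of each: a time-synchronized token whose code the authentication server can recompute because it holds the same seed, and a challenge-response token that answers a server-chosen nonce. The code truncation follows the RFC 4226 HOTP construction; the seed, the 30-second step and the one-step skew are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def truncated_hmac(secret: bytes, counter: int, digits: int = 6) -> str:
    """Map a counter to a short decimal code: HMAC-SHA1 plus the RFC 4226
    dynamic truncation. Both the token and the server compute this."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """What a time-synchronized (synchronous) token displays at unix_time."""
    return truncated_hmac(secret, unix_time // step)


class SynchronousVerifier:
    """Authentication server for a time-based token. It holds the same seed,
    so it knows the expected value; a small clock skew is tolerated and a
    code is accepted at most once (the matched time step is remembered)."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret, self.step, self.skew = secret, step, skew_steps
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for drift in range(-self.skew, self.skew + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # that step already authenticated once: no replay
            expected = truncated_hmac(self.secret, counter)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter
                return True
        return False


def token_respond(secret: bytes, nonce: bytes) -> str:
    """Asynchronous (challenge-response) token: answer HMAC(secret, challenge)."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


class AsynchronousVerifier:
    """Server side of challenge-response: each challenge is a fresh random
    nonce and is consumed on first use, so a captured answer cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, expired or already-used challenge
        self.outstanding.discard(nonce)
        return hmac.compare_digest(token_respond(self.secret, nonce), response)
```

The server never stores a code, only the seed from which it recomputes the expected value; that is what "the authentication server knows the expected value from the token" amounts to in practice. In a deployment the seed would sit in the token's hardware and in a protected key store rather than in a module constant.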

Slide 9: Using Biometrics for Authentication

Biometrics have false rejection and false acceptance rates. The crossover is the point where the two are equal; both are tunable to need.
Examples of static biometrics: fingerprint or palm print, hand geometry, retina
Examples of dynamic biometrics: face/gesture recognition, keystrokes, voice pattern
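The crossover and the tuning trade-off are easier to see on numbers. The following is an added example, not from the slides, that sweeps a decision threshold over constructed matcher scores (higher score means a closer match to the enrolled template), computes the false acceptance and false rejection rates at each threshold, finds the crossover, and then shows what a stricter false-acceptance target costs in false rejections. The score lists are invented for illustration.

```python
# Constructed matcher scores: higher means "more like the enrolled template".
GENUINE = [0.9, 0.8, 0.7, 0.6, 0.5, 0.4]      # attempts by the enrolled user
IMPOSTOR = [0.5, 0.4, 0.3, 0.2, 0.1, 0.05]    # attempts by other people


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def candidate_thresholds(genuine_scores, impostor_scores):
    """Every observed score is a candidate cut-off; sweeping them covers all outcomes."""
    return sorted(set(genuine_scores) | set(impostor_scores))


def crossover(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest: the crossover (equal error) rate.
    Returns (threshold, far, frr)."""
    best = None
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def tune_for_max_far(genuine_scores, impostor_scores, max_far):
    """Tuning to need: the lowest threshold that keeps FAR at or below max_far,
    together with the FRR that choice costs. Returns (threshold, far, frr) or None."""
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        a = far(impostor_scores, t)
        if a <= max_far:
            return t, a, frr(genuine_scores, t)
    return None
```

On the constructed data the crossover sits at a threshold of 0.5 with both rates at one in six; demanding zero false acceptances pushes the threshold to 0.6 and doubles the false rejection rate, which is the trade-off a deployment tunes to its risk appetite.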

Slide 10: Identity Management

What is identity management? The set of technologies used to manage user identity information.
When is it needed? For manual service provisioning; to manage sophisticated and complex environments; to comply with regulations.
What are the major challenges? Reliability of user profiles; consistency of user profiles across different systems/devices; scalability by supporting data volumes and peaks.
More details in the ISC2 book.

Slide 11: Identity Management: Benefits and Technologies

Benefits: increasing productivity, reducing head-count
Technologies: found in systems that support the identity management process and manage data consistently and efficiently across multiple systems within an organization:
  Directories
  Web access management
  Password management
  Legacy single sign-ons

Slide 12: Access Control Technologies

Slide 13: Single Sign-on

How it works: one user ID and password for multiple application servers, through an authentication server.
Benefits: efficient log-on process; users may create stronger passwords; no need for multiple passwords.
Major drawback: a compromised password lets an intruder into all resources of the owner of that account.

Slide 14: Single Sign-on using Kerberos

Slide 15: Single Sign-on: Kerberos and SESAME

Kerberos: the Key Distribution Center (KDC) serves two functions: Authentication Server (AS) and Ticket Granting Server (TGS)
Kerberos issues:
  Security depends on careful implementation and maintenance
  The lifetime of authentication credentials should be as short as feasible, using time stamps to minimize the threat of replayed credentials
  The KDC must be physically secured; it could be a single point of failure, so redundancy is recommended
  The KDC should be hardened and not allow any non-Kerberos activity
SESAME:
  Stands for Secure European System for Applications in a Multi-vendor Environment
  Developed to address some of the Kerberos weaknesses
  Supports SSO
  Improves key management by using both symmetric and asymmetric keys
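The two Kerberos points about credential lifetime and time stamps are shown by this added example, which is not Kerberos code and not part of the slides: a simplified KDC issues a ticket with a start and end time and a session key, the client presents the ticket with a time-stamped authenticator, and the service rejects expired tickets, stale authenticators and replays. Real Kerberos encrypts tickets and authenticators under the service and session keys; here an HMAC tag only gives integrity, which is enough to show the lifetime and replay checks. The five-minute clock skew and all keys and names are assumed values.

```python
import hashlib
import hmac
import json
import secrets

CLOCK_SKEW = 300  # seconds of clock drift tolerated (assumed value for this example)


def seal(key: bytes, body: dict) -> str:
    """Integrity tag over a ticket or authenticator body. Real Kerberos encrypts
    these under the service or session key; this stand-in only detects tampering."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class KDC:
    """Issues short-lived tickets; shares a long-term key with every service."""

    def __init__(self, service_keys: dict):
        self.service_keys = service_keys

    def issue(self, client: str, service: str, now: int, lifetime: int):
        session_key = secrets.token_hex(16)
        body = {"client": client, "service": service, "start": now,
                "end": now + lifetime, "skey": session_key}
        ticket = {"body": body, "tag": seal(self.service_keys[service], body)}
        return ticket, bytes.fromhex(session_key)  # ticket plus the client's copy of the session key


def make_authenticator(session_key: bytes, client: str, now: int) -> dict:
    """Client proves it holds the session key and binds the proof to a timestamp."""
    body = {"client": client, "ts": now}
    return {"body": body, "tag": seal(session_key, body)}


class Service:
    """Verifier: ticket integrity and lifetime, authenticator freshness, replay cache."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.replay_cache = set()  # (client, timestamp) pairs already accepted

    def verify(self, ticket: dict, auth: dict, now: int) -> str:
        body = ticket["body"]
        if not hmac.compare_digest(ticket["tag"], seal(self.key, body)):
            return "bad ticket"
        if body["service"] != self.name:
            return "ticket for another service"
        if not body["start"] <= now <= body["end"]:
            return "ticket expired"  # a short lifetime bounds how long a stolen ticket is useful
        session_key = bytes.fromhex(body["skey"])
        a = auth["body"]
        if not hmac.compare_digest(auth["tag"], seal(session_key, a)):
            return "bad authenticator"
        if a["client"] != body["client"]:
            return "client mismatch"
        if abs(now - a["ts"]) > CLOCK_SKEW:
            return "stale authenticator"  # time stamps keep old captures from being reused
        if (a["client"], a["ts"]) in self.replay_cache:
            return "replay"  # same authenticator presented twice inside the skew window
        self.replay_cache.add((a["client"], a["ts"]))
        return "ok"
```

The replay cache only has to remember authenticators for the skew window, since anything older is already rejected as stale; that is why the time stamp and the short lifetime work together rather than either one alone.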

Slide 16: Directory Service and Security Domains

Directory services consist of applications that provide the means to hierarchically organize and manage information about network users and resources, and to retrieve the information by name association.
Security domains: the set of objects that a subject in an information system is allowed to access; hierarchical domain relationships; equivalence classes of subjects.

Slide 17: Access Control & Assurance

Mechanisms used to assure that access control mechanisms are in place and in good standing:
  Audit trail analysis and monitoring (an audit trail is a record of system activities)
  Assessment tools
Audit tools cover a wide spectrum of cost, complexity, etc., and must be tailored to the specific goals of the audit.

Slide 18: The Access Control Matrix Model (Chapter 2 from Bishop's book)

Slide 19: Chapter 2: Access Control Matrix

Overview
Access Control Matrix Model: Boolean expression evaluation; history
Protection State Transitions: commands; conditional commands
Special Rights: principle of attenuation of privilege

Slide 20: Overview

Protection state of a system: describes the current settings and values of the system relevant to protection.
Access control matrix: describes the protection state precisely; a matrix describing the rights of subjects; state transitions change elements of the matrix.

Slide 21: Description

The matrix has subjects as rows and objects (entities) as columns; subjects also appear as objects:

            o1  …  om   s1  …  sn
  s1
  s2
  …
  sn

Subjects S = { s1, …, sn }
Objects O = { o1, …, om }
Rights R = { r1, …, rk }
Entries A[si, oj] ⊆ R
A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

Slide 22: Example 1

Processes (subjects): p, q
Files (objects): f, g
Rights: r, w, x, a, o

        f      g     p      q
  p     rwo    r     rwxo   w
  q     a      ro    r      rwxo

Slide 23: Example 2

Procedures: inc_ctr, dec_ctr, manage
Variable: counter
Rights: +, –, call

            counter   inc_ctr   dec_ctr   manage
  inc_ctr   +
  dec_ctr   –
  manage              call      call      call

Slide 24: Boolean Expression Evaluation

An ACM controls access to database fields.
  Subjects have attributes
  Verbs define the type of access, for example read, write
  Rules are associated with (object, verb) pairs, e.g. (foo, write)
A subject attempts to access an object; the rule for (object, verb) is evaluated and grants or denies access.

Slide 25: Example

Subject: Alice
  Attributes: role (artist), groups (creative)
Verb: paint
Default: 0 (deny unless explicitly granted)
Object: picture
Rule:
  paint: 'artist' in subject.role and 'creative' in subject.groups and time.hour ≥ 0 and time.hour < 5

Slide 26: ACM at 3AM and 10AM

At 3AM, the time condition is met; the ACM is:

          …   picture   …
  …
  annie       paint
  …

At 10AM, the time condition is not met; the ACM is:

          …   picture   …
  …
  annie
  …
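The rule from slides 24 to 26 can be run directly. This added example (not from the slides or from Bishop's book) stores one predicate per (object, verb) pair, applies the default-deny rule for every pair without a predicate, and materialises the subject's row of the ACM at a given hour, which reproduces the 3AM and 10AM matrices. The Subject class, the verb set and the second subject are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    role: set
    groups: set


VERBS = {"read", "write", "paint"}
OBJECTS = {"picture"}

# One rule per (object, verb) pair; a rule is a predicate over the subject's
# attributes and the current hour (the slide's time.hour). The picture/paint
# rule is the slide's; every other pair has no rule and so defaults to deny.
RULES = {
    ("picture", "paint"): lambda s, hour: ("artist" in s.role
                                           and "creative" in s.groups
                                           and 0 <= hour < 5),
}


def allowed(subject: Subject, obj: str, verb: str, hour: int) -> bool:
    """Evaluate the rule attached to (obj, verb); default 0 means deny."""
    rule = RULES.get((obj, verb))
    return bool(rule and rule(subject, hour))


def acm_row(subject: Subject, hour: int) -> dict:
    """Materialise the subject's row of the ACM as it stands at the given hour."""
    return {obj: {v for v in VERBS if allowed(subject, obj, v, hour)}
            for obj in OBJECTS}


def acm(subjects, hour: int) -> dict:
    """The whole ACM at one instant: with rules, the matrix is a function of time."""
    return {s.name: acm_row(s, hour) for s in subjects}
```

Because the matrix is derived from the rules rather than stored, an audit of "who can paint the picture" has to be asked for a specific time; that is the practical consequence of the time condition on the slide.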

Slide 27: AC by History and Inference

Database:

  name      position    age   salary
  Alice     teacher     45    $40,000
  Bob       aide        20    $20,000
  Cathy     principal   37    $60,000
  Dilbert   teacher     50    $50,000
  Eve       teacher     33    $50,000

Queries:
  1. sum(salary, "position = teacher") = 140,000
  2. sum(salary, "age > 40 & position = teacher") should not be answered (it would let the asker deduce Eve's salary)

Slide 28: ACM of Database Queries

Oi = { objects referenced in query i }
f(oi) = permission set of query i
f(oi) = { read } for oj ∈ Oi, if |O1 ∩ … ∩ Oi| < 2
f(oi) = ∅ for oj ∈ Oi, otherwise

1. O1 = { Alice, Dilbert, Eve } and there is no previous query set, so:
   A[asker, Alice] = f(Alice) = { read }
   A[asker, Dilbert] = f(Dilbert) = { read }
   A[asker, Eve] = f(Eve) = { read }
   and the query can be answered.

Slide 29: But Query 2

From the last slide:
f(oi) = { read } for oj ∈ Oi, if |O1 ∩ … ∩ Oi| < 2
f(oi) = ∅ for oj ∈ Oi, otherwise

2. O2 = { Alice, Dilbert } but |O2 ∩ O1| = 2, so
   A[asker, Alice] = f(Alice) = ∅
   A[asker, Dilbert] = f(Dilbert) = ∅
   and the query cannot be answered.
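The history-dependent rule of slides 27 to 29 is implemented below as an added example; it is not from the slides or from Bishop's book. A per-asker guard records the object set of every query, computes f(oi) from the intersection with the earlier sets exactly as the slide states it, and refuses the aggregate when the asker would hold no read right on the rows. The table is the slide's; the predicate-based query interface is an assumption.

```python
# Constructed from the table on the slide.
DB = [
    {"name": "Alice",   "position": "teacher",   "age": 45, "salary": 40000},
    {"name": "Bob",     "position": "aide",      "age": 20, "salary": 20000},
    {"name": "Cathy",   "position": "principal", "age": 37, "salary": 60000},
    {"name": "Dilbert", "position": "teacher",   "age": 50, "salary": 50000},
    {"name": "Eve",     "position": "teacher",   "age": 33, "salary": 50000},
]


class HistoryGuard:
    """Per-asker reference monitor for aggregate queries. It keeps the object
    sets O_1 .. O_{i-1} of earlier queries and applies the slide's rule: the
    asker holds read on the rows of query i only if |O_1 ∩ … ∩ O_i| < 2."""

    def __init__(self, db):
        self.db = db
        self.history = []  # object sets of previous queries by this asker

    def permission(self, objects: set) -> set:
        """f(o_i): {'read'} or the empty set for every row in the query's set."""
        if self.history and len(objects.intersection(*self.history)) >= 2:
            return set()
        return {"read"}

    def sum_query(self, field: str, predicate):
        """sum(field, predicate) in the slide's notation; None when refused."""
        objects = {row["name"] for row in self.db if predicate(row)}
        rights = self.permission(objects)
        self.history.append(objects)  # refused queries still count as history
        if "read" not in rights:
            return None
        return sum(row[field] for row in self.db if row["name"] in objects)
```

With a fresh asker, query 2 on its own is answered (90,000); it is the combination with query 1 (140,000) that would expose Eve's 50,000 by subtraction, and only the recorded history makes that combination visible to the monitor.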

Slide 30: State Transitions

State transitions change the protection state of the system.
  Xi is the state of the ACM at time i; |– represents a transition
  Xi |– Xi+1: a command moves the system from state Xi to Xi+1
  Xi |–* Xi+1: a sequence of commands moves the system from state Xi to Xi+1
Commands are often called transformation procedures, because they transform the state of the access control matrix.

Slide 31: Primitive Operations

create subject s: creates a new row and column in the ACM
create object o: creates a new column in the ACM
destroy subject s: deletes a row and column from the ACM
destroy object o: deletes a column from the ACM
enter r into A[s, o]: adds right r for subject s over object o
delete r from A[s, o]: removes right r from subject s over object o

Slide 32: Access Control Requests

An access control request transforms the state of the access control matrix.
An access control request can be precisely defined using pre-conditions and post-conditions.
Notation (from Z): pre-state without primes, post-state with primes.
Example: pre-state A[alice, file1] is Alice's permission set for file1 before a request, and A′[alice, file1] is the post-state.

Slide 33: Create Subject: pre and post conditions

Pre-condition: s ∉ S
Primitive command: create subject s
Post-conditions:
  S′ = S ∪ { s }, O′ = O ∪ { s }
  (∀y ∈ O′)[a′[s, y] = ∅]
  (∀x ∈ S′)[a′[x, s] = ∅]
  (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

Slide 34: Create Object

Precondition: o ∉ O
Primitive command: create object o
Post-conditions:
  S′ = S, O′ = O ∪ { o }
  (∀x ∈ S′)[a′[x, o] = ∅]
  (∀x ∈ S)(∀y ∈ O)[a′[x, y] = a[x, y]]

Slide 35: Add Right

Precondition: s ∈ S, o ∈ O
Primitive command: enter r into a[s, o]
Post-conditions:
  S′ = S, O′ = O
  a′[s, o] = a[s, o] ∪ { r }
  (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide 36: Delete Right

Precondition: s ∈ S, o ∈ O
Primitive command: delete r from a[s, o]
Postconditions:
  S′ = S, O′ = O
  a′[s, o] = a[s, o] – { r }
  (∀x ∈ S′)(∀y ∈ O′ – { o })[a′[x, y] = a[x, y]]
  (∀x ∈ S′ – { s })(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide 37: Destroy Subject

Precondition: s ∈ S
Primitive command: destroy subject s
Postconditions:
  S′ = S – { s }, O′ = O – { s }
  (∀y ∈ O′)[a′[s, y] = ∅], (∀x ∈ S′)[a′[x, s] = ∅]
  (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide 38: Destroy Object

Precondition: o ∈ O
Primitive command: destroy object o
Postconditions:
  S′ = S, O′ = O – { o }
  (∀x ∈ S′)[a′[x, o] = ∅]
  (∀x ∈ S′)(∀y ∈ O′)[a′[x, y] = a[x, y]]

Slide 39: Creating a File

Process p creates file f with r and w permission:

  command create•file(p, f)
      create object f;
      enter own into A[p, f];
      enter r into A[p, f];
      enter w into A[p, f];
  end

Slide 40: Mono-Operational Commands

Make process p the owner of file g:

  command make•owner(p, g)
      enter own into A[p, g];
  end

Mono-operational command: a single primitive operation in this command.

Slide 41: Conditional Commands

Let p give q r rights over f, if p owns f:

  command grant•read•file•1(p, f, q)
      if own in A[p, f]
      then
          enter r into A[q, f];
  end

Mono-conditional command: a single condition in this command.

Slide 42: Multiple Conditions

Let p give q r and w rights over f, if p owns f and p has c rights over q:

  command grant•read•file•2(p, f, q)
      if own in A[p, f] and c in A[p, q]
      then
          enter r into A[q, f];
          enter w into A[q, f];
  end

Slide 43: Copy Right

Allows the possessor to give rights to another.
Often attached to a right, so it only applies to that right: r is a read right that cannot be copied; rc is a read right that can be copied.
Is the copy flag copied when giving r rights? Depends on the model and its instantiation.

Slide 44: Own Right

Usually allows the possessor to change entries in the ACM column: the owner of an object can add and delete rights for others.
May depend on what the system allows: can't give rights to a specific (set of) users; can't pass the copy flag to a specific (set of) users.

Slide 45: Attenuation of Privilege

The principle says you can't give rights you do not possess. It restricts the addition of rights within a system.
Usually ignored for the owner. Why? The owner gives herself the rights, gives them to others, then deletes her own rights.
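The matrix of slide 22, the six primitive operations of slide 31 with the preconditions of slides 33 to 38, the commands of slides 39 to 42, and the copy and own rights of slides 43 to 45 all fit in one small model. The following is an added example written for this page; it is not Bishop's code. The primitives raise on a violated precondition, the commands are sequences of primitives behind their conditions, and grant_with_copy enforces attenuation of privilege with the owner exemption the slide describes. Spelling the 'o' right of Example 1 as 'own', and not propagating the copy flag to the recipient, are choices made here, not facts from the slides.

```python
class ACM:
    """Access control matrix: S subjects, O objects (subjects are objects too),
    A[s, o] the set of rights s holds over o. The six primitive operations
    check the slides' preconditions and raise if one is violated."""

    def __init__(self):
        self.S, self.O, self.A = set(), set(), {}

    def rights(self, s, o):
        return self.A.get((s, o), set())

    def create_subject(self, s):
        if s in self.S:
            raise ValueError(f"precondition s ∉ S violated for {s!r}")
        self.S.add(s)
        self.O.add(s)  # a new row and a new column, both empty

    def create_object(self, o):
        if o in self.O:
            raise ValueError(f"precondition o ∉ O violated for {o!r}")
        self.O.add(o)  # a new empty column

    def destroy_subject(self, s):
        if s not in self.S:
            raise ValueError(f"precondition s ∈ S violated for {s!r}")
        self.S.discard(s)
        self.O.discard(s)
        self.A = {k: v for k, v in self.A.items() if s not in k}  # row and column go

    def destroy_object(self, o):
        if o not in self.O:
            raise ValueError(f"precondition o ∈ O violated for {o!r}")
        self.O.discard(o)
        self.A = {k: v for k, v in self.A.items() if k[1] != o}

    def enter(self, r, s, o):
        if s not in self.S or o not in self.O:
            raise ValueError("precondition s ∈ S, o ∈ O violated")
        self.A.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        if s not in self.S or o not in self.O:
            raise ValueError("precondition s ∈ S, o ∈ O violated")
        self.A.get((s, o), set()).discard(r)


# Commands from slides 39-42: sequences of primitives behind optional conditions.
def create_file(acm, p, f):
    acm.create_object(f)
    for r in ("own", "r", "w"):
        acm.enter(r, p, f)


def make_owner(acm, p, g):
    acm.enter("own", p, g)


def grant_read_file_1(acm, p, f, q):
    if "own" in acm.rights(p, f):
        acm.enter("r", q, f)


def grant_read_file_2(acm, p, f, q):
    if "own" in acm.rights(p, f) and "c" in acm.rights(p, q):
        acm.enter("r", q, f)
        acm.enter("w", q, f)


def grant_with_copy(acm, p, q, o, r):
    """Slides 43-45: p may pass right r on o to q only if p holds the copyable
    form r + 'c' (attenuation of privilege), or owns o (the owner exemption).
    Choice made here: q receives plain r; the copy flag is not propagated."""
    mine = acm.rights(p, o)
    if "own" in mine or r + "c" in mine:
        acm.enter(r, q, o)
        return True
    return False


def example_1():
    """Slide 22's matrix; its 'o' right is spelled 'own' here to match the commands."""
    acm = ACM()
    for s in ("p", "q"):
        acm.create_subject(s)
    for o in ("f", "g"):
        acm.create_object(o)
    table = {("p", "f"): "rwo", ("p", "g"): "r", ("p", "p"): "rwxo", ("p", "q"): "w",
             ("q", "f"): "a", ("q", "g"): "ro", ("q", "p"): "r", ("q", "q"): "rwxo"}
    for (s, o), rs in table.items():
        for r in rs:
            acm.enter("own" if r == "o" else r, s, o)
    return acm
```

Running grant_read_file_2 before p holds c over q leaves the matrix unchanged, which is the point of a conditional command: the primitives only fire when the condition over the current state holds, so the post-state of a refused command equals its pre-state.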

Slide 46: Main Points

The access control matrix is the simplest abstraction mechanism for representing the protection state.
Transitions alter the protection state:
  Six primitive operations alter the matrix
  Transitions can be expressed as commands composed of these operations and, possibly, conditions