week3 lecture
Post on 17-May-2015
Week 3 Lecture: Access Control
Chapters covered: 3, 4, 8, 11, 22
CIT 515 - Network and Internet Security
Dr. May El Barachi
Reading and Quiz Materials
• Chapter 3: Pages 53-56
• Chapter 4: Pages 66-76
• Chapter 8: Pages 199-203
• Chapter 11: Pages 264-280
• Chapter 22: Pages 577-581
Objectives
1. Access Control Authentication Methods
   - Password, Token, Biometric
   - Single Sign On vs. Password Synchronization
   - Kerberos, Sesame
2. Access Control Models: DAC, MAC, RBAC (role-based and rule-based)
3. Access Control Administration: Centralized, Decentralized
4. Access Control Types: Technical, Physical, Administrative
5. Access Control Categories: Deterrent, Preventive, ...
6. Access Control Principles
7. Access Control Attacks & Countermeasures
8. Access Control Assessment
Objectives
Authentication: Who goes there?
• Determine whether access is allowed
• Verify the identity of a subject
• Authenticate human to machine
• Authenticate machine to machine
Authorization: Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions
Authentication Methods
To verify their identity, users can provide:
• Something you know: username and password; birthday, address, passport number
• Something you have: smart card, token, ATM card
• Something you are: biometrics
• Somewhere you are: IP address, GPS location
Two-Factor Authentication (Strong Authentication)
• Combine two factors of different kinds to authenticate a user (e.g. a password and a token); two passwords are still a single factor
Password-Based Authentication
• How is the password communicated? Eavesdropping risk (listening in on a private exchange without the parties knowing)
• How is the password stored? In the clear? Encrypted? Hashed?
• How does the system check the password? Compute the hash of the submitted password and compare it to the stored hash
• How can we make the hashed passwords harder to guess? Use a salt: a random value stored alongside each hash, so identical passwords produce different hashes and a precomputed table is useless against the whole file
Password-Based Authentication
How easy is it to identify the password?
• Electronic monitoring (i.e. network sniffing)
• Keystroke loggers (hardware and software)
• Access to the password file
• Password guessing: dictionary attacks, brute-force attacks, rainbow tables
• Social engineering: phishing, pharming, vishing; shoulder surfing; piggybacking; dumpster diving; reverse social engineering
Password-Based Authentication – HW KeyLogger
Password-Based Authentication - Phishing
Password-Based Authentication
Password Controls
• Password length and composition
• Password aging
• Password history
• Password attempts (lockout after repeated failures)
• Password storage
• One-time passwords
• User education
• Last successful login attempt (shown to the user)
Password-Based Authentication - Hashing
• LM hash is weak (case-insensitive, at most 14 characters, split into two 7-character halves that are attacked independently) and is disabled by default from Windows Vista / Server 2008 onward, so it is no longer used in Windows 7
• NT hash is stronger (MD4 over the UTF-16LE password), but not salted: two accounts with the same password have the same hash, and one precomputed table covers every account
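Added example (not from the lecture or the textbook): the storage and check described above, in Python. An unsalted digest in the style of the NT hash stands beside a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification, and a dictionary attack shows why the unsalted store falls to one precomputation while the salted store costs the attacker a full derivation per account and per guess. SHA-256 over the UTF-16LE password stands in for the NT hash's MD4 (an assumption made for portability, since MD4 is not available in every Python build); the record format and the function names are this example's own.

```python
import hashlib
import hmac
import secrets


def unsalted_hash(password: str) -> str:
    """NT-hash style: a bare digest of the UTF-16LE password, no salt.
    Two users with the same password get the same hash, and one precomputed
    table cracks them all. SHA-256 stands in for the real NT hash's MD4 (assumption)."""
    return hashlib.sha256(password.encode("utf-16le")).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated storage: keep algorithm, work factor, salt and derived key,
    never the password. A fresh random salt per user defeats rainbow tables."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_password(record: str, attempt: str) -> bool:
    """How the system checks a login: recompute with the stored salt and iteration
    count and compare digests in constant time (no early-exit string compare)."""
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def dictionary_attack(stolen: dict, wordlist) -> dict:
    """Offline attack on an unsalted password file: hash every candidate word once,
    then match the table against every account at the same time."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def dictionary_attack_salted(stolen_records: dict, wordlist) -> dict:
    """Same attack against salted records: the work is per account and per word,
    and each guess costs the full PBKDF2 iteration count."""
    return {user: word for user, rec in stolen_records.items()
            for word in wordlist if check_password(rec, word)}
```

The iteration count is a tunable work factor; 600,000 is a reasonable default for PBKDF2-HMAC-SHA256 at the time of writing, and the tests below lower it only to run quickly.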
Token-Based Authentication
• More secure than passwords; however, tokens may suffer from battery failure and cards may get damaged
• Types of tokens:
  - Synchronous: based on time (token and server share a seed and a clock)
  - Asynchronous: based on challenge/response
Token-Based Authentication: Synchronous Tokens
[Figure: time-synchronized authentication. Token and server run the same algorithm over the same seeds and the same time; the code travels over the Internet to the RSA ACE Server, or to a firewall running the RSA ACE Agent, which checks it.]
Token-Based Authentication: Asynchronous Tokens
1. User sends a login request to the authentication server
2. The server's challenge is displayed on the screen
3. User enters the PIN into the token
4. User keys the displayed challenge into the token
5. User enters the response computed by the token into the computer
6. The response is sent to the authentication server
7. The authentication server validates the client
Token Products - RSA
RSA Two-Factor Authentication Hacked – Mar 2011
RSA Admits & Replaces 40 Million Tokens – 6/6/11
Token Products - Gemalto
Biometric-Based Authentication
Face recognition
• Error rates up to 20%, given reasonable variations in lighting, viewpoint and expression
Fingerprints
• Traditional method for identification
• Distinguishes 30-40 details about the peaks, valleys and ridges of the user's fingerprint
• 1911: first US conviction on fingerprint evidence
• U.K. traditionally requires a 16-point match
• Probability of a false match is 1 in 10 billion
• Fingerprint damage impairs recognition
Forging fingerprints: using moulding, using surgical operations, using actual fingers (figure slides)
Iris scanning
• Takes a picture of the iris (the colored part of the eye)
• Iris patterns are highly random but stable through life
• Differ between the two eyes of the same individual
• Equal error rate better than 1 in a million
• Works with contact lenses and glasses
• Best biometric mechanism currently known
Retina pattern
• Laser scan of the blood vessels at the back of the eye
• The retina can change due to medical conditions
• Reveals the user's health (privacy issues?)
Hand geometry
• Identifies the user by the shape of the fingers and hand
Voice recognition
Biometric-Based Authentication: Error Rates
• False Rejection Rate (FRR): the system rejects an authorized individual (Type I error)
• False Acceptance Rate (FAR): the system accepts an intruder who should be rejected (Type II error)
• Crossover Error Rate (CER): the operating point where FRR equals FAR; the metric used to compare biometric systems (lower is better)
Single Sign On
• A user authenticates once and then accesses resources in the environment without having to re-authenticate to each of them
• The user authenticates once to the SSO application; whenever the user accesses a new application, the SSO application sends the necessary authentication information on the user's behalf
• Can be difficult to integrate among different applications and platforms
Reduced Single Sign On (Password Synchronization)
• Like single sign-on (SSO), a single credential for many systems
• But no inter-system session management: the user must log into each system separately, but they all use the same username and password
• Will the user choose a complex password?
Weakness of SSO and RSSO
• An intruder can access all systems if the single password is compromised
• Best combined with two-factor authentication
SSO Summary
• Trusted authentication service on the network
• Knows all passwords: users' and servers'
• Time sensitive
• Convenient ☺
• Single point of failure; requires a high level of physical security
[Figure: the user proves their identity to the SSO server and requests a ticket for some service; the user gets a ticket; the ticket is used to access the desired network service on the servers.]
SSO: Kerberos Network Authentication Protocol
• Developed by MIT
• Consists of 3 components: the client, the server, and the Key Distribution Center (KDC), which comprises the Authentication Server (AS) and the Ticket Granting Server (TGS)
• Process: the client obtains a service ticket from the KDC and presents the ticket to the server when the connection is established
• Cryptography: Kerberos uses symmetric-key encryption (DES in version 4; version 5 is cipher-agnostic and today normally uses AES)
SSO: Kerberos Steps (user Ahmed)
[Figure: Ahmed proves himself to the Kerberos Authentication Service with his user key and receives a session key plus a Ticket Granting Ticket (TGT) encrypted under the TGS key; TGT = user name + user address + validity + session key. He presents the TGT to the Kerberos Ticket Granting Service and receives a service ticket encrypted under the service's key (Ticket = user name + user address + validity + session key) together with a new session key. He presents the ticket to the server, which confirms using the session key.]
SSO: Sesame
• Another SSO option is SESAME: Secure European System for Applications in a Multivendor Environment
• Kerberos uses symmetric encryption only; SESAME uses both symmetric and asymmetric encryption
Basic Access Control Concepts
• Subjects: active entities that do things, e.g. humans, processes
• Objects: passive things that things are done to, e.g. files, data, websites
• Rights: actions that are taken, e.g. read, write, share
Access Control Models
Authenticated users can access the system based on:
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• Rule-Based Access Control (also abbreviated RBAC; sometimes written RuBAC to avoid the clash)
Access Control Models
Discretionary Access Control (DAC)
• Subjects have full control of the objects they own
• The "discretionary" part of DAC means that a file's owner has the ability to change the permissions on that file, at any time they want
• Most common access control system; used in both UNIX and Windows operating systems
• Uses file permissions and ACLs to restrict access based on the user's identity or group membership
Access Control Models
Mandatory Access Control (MAC)
• Restricts access based on the sensitivity of the information and whether or not the user has the authority to access that information
• Each subject and object is labeled with a sensitivity level; the U.S. Government security labels are:
  - Top Secret (grave damage)
  - Secret (serious damage)
  - Confidential (damage)
  - Unclassified
• A subject may access an object only if its clearance is equal to or greater than the object's label; labels are set by policy, not by the object's owner
• MAC systems are usually focused on preserving the confidentiality of data
Access Control Models
Role-Based Access Control (RBAC)Role-based access control (RBAC) is the process of
managing access and privileges based on the user’s assigned roles
Example: SecurityAdmin, DatabaseAdmin, EmailAdmin, Nurse
Rule-Based Access Control (RBAC)Access is either allowed or denied based on a set of
predefined rules that are established by the administrator
Example: Limited login hours, Limited BitTorrent traffic
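A small reference monitor that puts the four models side by side, added here as an example (not from the lecture). DAC is an owner-managed ACL, MAC compares the subject's clearance with the object's label using the ordering above, RBAC attaches rights to roles, and the rule-based policy is a login-hours window. The monitor requires every enabled policy to agree and treats anything it cannot evaluate as a denial, which is the implicit-deny principle from later in this lecture expressed in code. The roles, the label set, the 08:00-18:00 window and the sample subjects are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# MAC: ordered sensitivity labels (the U.S. government scheme from the slides).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
# RBAC: rights attach to roles; users only receive roles (constructed role set).
ROLE_RIGHTS = {"DatabaseAdmin": {"read", "write", "share"}, "Nurse": {"read"}}
# Rule-based: an administrator's rule, here permitted login hours (assumed 08:00-18:00).
WORK_HOURS = (time(8, 0), time(18, 0))


@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    owner: str
    label: str
    acl: dict = field(default_factory=dict)   # DAC: user -> rights, managed by the owner


def set_acl(res: Resource, actor: Subject, user: str, rights: set) -> bool:
    """The 'discretionary' part of DAC: only the owner may change the permissions.
    Returns False and leaves the ACL untouched for anyone else."""
    if actor.name != res.owner:
        return False
    res.acl[user] = set(rights)
    return True


def dac_allows(subj: Subject, res: Resource, right: str) -> bool:
    return subj.name == res.owner or right in res.acl.get(subj.name, set())


def mac_allows(subj: Subject, res: Resource) -> bool:
    """Clearance must equal or dominate the label. Unknown labels map to the
    deny side on both ends, so an unlabelled object is never readable."""
    return LEVELS.get(subj.clearance, -1) >= LEVELS.get(res.label, len(LEVELS))


def rbac_allows(subj: Subject, right: str) -> bool:
    return any(right in ROLE_RIGHTS.get(role, set()) for role in subj.roles)


def rule_allows(when: datetime) -> bool:
    start, end = WORK_HOURS
    return start <= when.time() < end


def decide(subj, res, right, when, policies=("MAC", "DAC", "RBAC", "RULE")):
    """Reference monitor: every enabled policy must allow the access.
    Returns (allowed, [policies that denied]). Implicit deny: a policy name the
    monitor does not know counts as a denial, never as a pass."""
    checks = {
        "MAC": lambda: mac_allows(subj, res),
        "DAC": lambda: dac_allows(subj, res, right),
        "RBAC": lambda: rbac_allows(subj, right),
        "RULE": lambda: rule_allows(when),
    }
    denied = [p for p in policies if not checks.get(p, lambda: False)()]
    return not denied, denied


def at(hour: int) -> datetime:
    """Constructed timestamp helper for trying the monitor (the date is arbitrary)."""
    return datetime(2015, 5, 17, hour, 0)
```

Real systems rarely run all four at once; SELinux, for instance, layers MAC on top of the kernel's DAC checks, and a denial by either wins. The point of the combined monitor is that the deciding order is "all must allow", never "any may allow".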
Access Control Models Examples
Organization Goal         | Preferred Access Control Model
Normal level of security  |
High turnover rate        |
High level of security    |
What Next? ... Access Control Administration
Once the organization determines what type of access control model it will use, it needs to identify the administration type to support that model.
Access control administration can be:
• Centralized: maintain usernames and permissions in one location; one entity makes all access decisions about AAA (Authentication, Authorization, and Accounting), e.g. SSO, RADIUS, Diameter, TACACS
• Decentralized: store usernames and permissions in different locations; allows IT administration to be closer to the mission and operations of the organization
Centralized Access Control Administration
RADIUS: Remote Authentication Dial In User Service
• A third-party authentication protocol: the network access device forwards the user's credentials to a RADIUS server
• Considered an "AAA" system, comprising three components: authentication, authorization, and accounting
• Authenticates a subject's credentials against an authentication database
• Authorizes users by allowing specific users access to specific data objects
• Accounts for each data session by creating a log entry for each RADIUS connection made
Centralized Access Control Administration
Diameter
• RADIUS's successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework
• RADIUS provides limited accountability and has problems with flexibility, scalability, reliability, and security (UDP transport, and only the password attribute is obfuscated)
• Diameter is more flexible (TCP or SCTP transport), allowing support for mobile remote users
TACACS & TACACS+: Terminal Access Controller Access Control System
• TACACS: a centralized access control system that requires users to send an ID and a static (reusable) password for authentication; reusable passwords are a security vulnerability
• The improved TACACS+ provides better password protection by allowing two-factor strong authentication; it also encrypts the whole packet body (RADIUS hides only the password) and separates authentication, authorization and accounting
Centralized Access Control Administration
Password Authentication Protocol (PAP)
• Not a strong authentication method
• The user enters a password, which is sent across the network in clear text; sniffing the network discloses plaintext passwords
Challenge Handshake Authentication Protocol (CHAP)
• Provides protection against replay (playback) attacks: the authenticator sends a fresh random challenge and the peer answers with a hash over the challenge and the shared secret
• Uses a central location that challenges remote users
• CHAP depends upon a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual
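PAP and CHAP on the wire, as an added example (not from the slides). `pap_frame` is a simplified PAP Authenticate-Request carrying the password in the clear, and `sniffed_pap_password` is what a sniffer recovers from it. `chap_response` is the RFC 1994 computation MD5(Identifier || secret || Challenge); the authenticator issues a fresh challenge per round and consumes it on use, so a captured response fails when replayed. The last function shows the weakness CHAP keeps: a captured (identifier, challenge, response) triple can be attacked offline by guessing the secret, because MD5 is fast and the secret is neither salted nor stretched. Peer names and secrets are constructed, and the frame layout omits the PPP and CHAP headers.

```python
import hashlib
import hmac
import secrets


def pap_frame(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload (simplified): peer-ID and password as
    length-prefixed strings, in the clear. Anyone sniffing the link reads both."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def sniffed_pap_password(frame: bytes) -> str:
    """What a network sniffer recovers from a PAP exchange: the password verbatim."""
    ulen = frame[0]
    plen = frame[1 + ulen]
    return frame[2 + ulen:2 + ulen + plen].decode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The central authenticator that challenges remote peers."""

    def __init__(self, secrets_by_peer: dict):
        self.secrets = secrets_by_peer
        self.outstanding = {}     # identifier -> challenge, each usable once

    def challenge(self) -> tuple:
        """Challenge packet: a fresh random value and an identifier for this round."""
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, peer: str, response: bytes) -> bool:
        """A replayed response finds its challenge already consumed and fails."""
        chal = self.outstanding.pop(ident, None)
        if chal is None or peer not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[peer], chal)
        return hmac.compare_digest(expected, response)


def offline_dictionary_attack(ident: int, challenge: bytes, response: bytes, wordlist):
    """CHAP's weak spot: with the captured triple an attacker tests candidate secrets
    offline at MD5 speed, so a guessable secret still falls. Returns the secret or None."""
    for word in wordlist:
        if chap_response(ident, word.encode(), challenge) == response:
            return word
    return None
```

The same offline attack applies to MS-CHAP variants; the defence is a strong shared secret or, better, wrapping the exchange in a tunnel (e.g. EAP methods over TLS) so the challenge and response are never exposed.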
What Next? ... Access Control Techniques
Once the organization determines what type of access control model and administration it will use, it needs to identify techniques to support that model.
• Access control techniques can be of three types: administrative, technical, physical
• Access control techniques fall into six categories: preventive, deterrent, detective, corrective, recovery, compensating
Access Control Types
• Administrative: policy, procedures, standards, e.g. password policies, pre-employment checks, security awareness
• Technical: hardware or software for IT security, e.g. authentication, encryption, firewalls, anti-virus
• Physical: controls that you typically see, e.g. key card entry, fencing, video surveillance, locks, guard dogs, gates, guards, alarms, badges
Access Control Categories
Access controls fall into six categories:
• Preventive: avoids an incident from happening
• Deterrent: discourages a potential attacker
• Detective: alerts and aids in identification after the fact
• Corrective: repairs damage and restores systems after an event
• Recovery: restores normal operations
• Compensating: contains weaknesses in other systems
Access Control Categories
Preventive controls
• Intended to avoid an incident from happening
• e.g. firewalls, anti-virus software, fences, policies, pre-employment screening
Access Control Categories
Deterrent controls
• Intended to discourage a potential attacker; highly visible
• e.g. guards, guard dogs, electric fence signs
Detective controls
• Alert and aid in identification after the fact
• e.g. video surveillance, audit logs, IDS, motion detectors
Access Control Categories
Corrective controls
• Fix components or systems after an incident has occurred
• Post-event controls to prevent recurrence
• Can be preventive, detective, deterrent or administrative in nature
• e.g. termination, reassignment, reboot, restart, fire extinguisher, antivirus
Access Control Categories
Recovery controls
• Intended to bring controls back to regular operations
• e.g. hot site, backups, incident response plan
Compensating controls
• Additional security controls put in place to compensate for weaknesses in others
• e.g. daily monitoring of the anti-virus console, monthly review of administrative logins, a Web Application Firewall used to protect a buggy application
Access Control Types & Categories
Access Control Principles
1. Least Privilege
2. Separation of Duties
3. Implicit Deny
4. Job Rotation
5. Layered Security
6. Diversity of Defense
7. Security Through Obscurity
8. Keep it Simple
Access Control Principles
Least Privilege
• A subject (user, application, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions
• By limiting a subject's privilege, we limit the amount of harm that can be caused if it is compromised or makes a mistake
• For example, a person should not be logged in as an administrator; they should be logged in with a regular user account and change their context (e.g. sudo, Run as administrator) only to do administrative duties
Access Control Principles
Separation of Duties
• For any given task, more than one individual needs to be involved
• Applicable to physical environments as well as network and host security
• No single individual can abuse the system alone
• Important tasks include: financial transactions; software changes; user account creation and changes
• Potential drawback is the cost: time (tasks take longer) and money (must pay two people instead of one)
Access Control Principles
Implicit Deny
• If a particular situation is not covered by any of the rules, then access cannot be granted
• Any individual without proper authorization cannot be granted access
• The alternative to implicit deny is to allow access unless a specific rule forbids it (default allow), which fails open whenever a rule has been forgotten
Access Control Principles
Job Rotation
• The rotation of individuals through different tasks and duties in the organization's IT department
• The individuals gain a better perspective of how the various parts of the IT department can help or hinder the organization
• Prevents a single point of failure, where only one employee knows mission-critical job tasks
Access Control Principles
Diversity of Defense
• This concept complements the layered security approach
• Diversity of defense involves making the different layers of security dissimilar
• Even if attackers know how to compromise one layer, they may not know how to get through the next layer, which employs a different system of security
Access Control Principles
Keep it Simple
• The simple security rule is the practice of keeping security processes and tools simple and elegant
• Security processes and tools should be simple to use, simple to administer, and easy to troubleshoot
• A system should run only the services it needs to provide and no more
Access Control Threats & Countermeasures
Attack                                                 | Countermeasure
Port Scanning                                          |
Application Vulnerability Scanning                     |
Denial of Service (DoS or DDoS)                        |
Man in the Middle Attacks (Sniffing & TCP Hijacking)   |
Virus, Worm, Trojan, Logic Bomb                        |
Password Attacks (Guessing, Dictionary, Brute Force)   |
Social Engineering (Spoofing, Phishing)                |
Physical Attacks                                       |
Access Control Assessment
Penetration Testing
• Performed by an authorized white-hat hacker to determine whether a black-hat hacker could do the same
• The tester can have:
  - Zero knowledge ("blind"): public information only
  - Full knowledge: internal information, e.g. network diagrams, policies, procedures, reports from previous testers
  - Partial knowledge: limited trusted information
Vulnerability Testing
• Scans a network or system for a list of predefined vulnerabilities
• Examples of automated tools: Nessus, MBSS, Retina, ISS
Security Audit
• The organization is tested against a published standard, e.g. Payment Card Industry (PCI DSS) compliance
Extra reading
Slides by Henric Johnson
KERBEROS
In Greek mythology, a many-headed dog, the guardian of the entrance of Hades
KERBEROS
• Problem statement:
  - Users wish to access services on distributed servers
  - Servers wish to restrict access to authorized users and authenticate requests for service
• Three threats exist:
  - A user pretends to be another user
  - A user alters the network address of a workstation
  - A user eavesdrops on exchanges and uses a replay attack
What is KERBEROS?
• A key distribution and user authentication service developed at MIT
  - Provides a centralized authentication server to authenticate users to servers and servers to users
  - Relies on conventional (symmetric) encryption, making no use of public-key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
Kerberos Requirements
• Its first report identified the requirements as: secure, reliable, transparent, scalable
• Implemented using an authentication protocol based on Needham-Schroeder
Kerberos v4 Overview
• A basic third-party authentication scheme
• Has an Authentication Server (AS): users initially negotiate with the AS to identify themselves, and the AS provides a non-corruptible authentication credential, the ticket granting ticket (TGT)
• Has a Ticket Granting Server (TGS): users subsequently request access to other services from the TGS on the basis of their TGT
• Uses a complex protocol built on DES
Kerberos Version 4: related terms
• C = client
• AS = authentication server
• V = server
• IDc = identifier of user on C
• IDv = identifier of V
• Pc = password of user on C
• ADc = network address of C
• Kv = secret encryption key shared by AS and V
• TS = timestamp
• || = concatenation
A simple authentication dialogue
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket
Ticket = EKv[IDc || ADc || IDv]
Note that in this simple dialogue the password Pc travels in the clear in step (1) and must be re-sent for every service; the full version 4 dialogue below removes both problems.
Version 4 Authentication Dialogue
• Problems:
  - Lifetime associated with the ticket-granting ticket
  - If too short, the user is repeatedly asked for the password
  - If too long, greater opportunity for replay
• The threat is that an opponent will steal the ticket and use it before it expires
Version 4 Authentication Dialogue
Authentication Service Exchange: to obtain a Ticket-Granting Ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]
    Tickettgs = EKtgs[Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2]
Ticket-Granting Service Exchange: to obtain a Service-Granting Ticket
(3) C → TGS: IDv || Tickettgs || Authenticatorc
    Authenticatorc = EKc,tgs[IDc || ADc || TS3]
(4) TGS → C: EKc,tgs[Kc,v || IDv || TS4 || Ticketv]
    Ticketv = EKv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4]
Client/Server Authentication Exchange: to obtain service
(5) C → V: Ticketv || Authenticatorc
    Authenticatorc = EKc,v[IDc || ADc || TS5]
(6) V → C: EKc,v[TS5 + 1]
Kc is derived from the user's password, so the password itself never crosses the network, and the reply in (4) is encrypted under the session key Kc,tgs rather than Kc, so the password is needed only once per TGT lifetime. The authenticator proves that whoever presents the ticket also holds the session key inside it, and the timestamp bounds how long a captured authenticator is useful.
[Figure slides: Kerberos v4 detailed dialogue; Kerberos operation]
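The full version 4 dialogue above, and the Kerberos steps figure in the SSO section earlier, run end to end as an added example (not from the slides). Client, KDC (AS and TGS) and server V are Python classes that exchange the six messages; tickets and authenticators carry the fields listed above; the KDC and V check lifetimes, addresses and timestamps, and V keeps a replay cache. DES is replaced by a labelled stand-in (encrypt-then-MAC built from the standard library) so the example runs offline; the ticket lifetime, clock skew, principal names, password and addresses are assumptions. `demo()` runs the dialogue and then tries each of the three threats from the problem statement plus an expired ticket.

```python
import hashlib, hmac, json, secrets
LIFETIME, SKEW = 300, 60   # ticket lifetime and allowed clock skew, in seconds (assumed)


def enc(key, msg):
    """E_K[...]: encrypt-then-MAC over JSON, hex output; a stand-in for DES (real KDCs use AES)."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()


def dec(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))


def validate(ticket, session_key, authenticator, addr, now):
    """Shared by TGS and V: ticket within lifetime, authenticator fresh, IDc/ADc consistent with the sender."""
    if not ticket["TS"] <= now < ticket["TS"] + ticket["Lifetime"]:
        raise PermissionError("ticket expired")
    a = dec(session_key, authenticator)
    if (a["IDc"], a["ADc"]) != (ticket["IDc"], ticket["ADc"]) or addr != ticket["ADc"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(a["TS"] - now) > SKEW:
        raise PermissionError("stale authenticator")
    return a


class KDC:   # AS and TGS in one process: holds every user key (Kc) and every server key (Kv)
    def __init__(self, users, servers):
        self.users, self.servers, self.k_tgs = users, servers, secrets.token_bytes(32)

    def as_exchange(self, id_c, addr, ts1):
        """(1) IDc || IDtgs || TS1  ->  (2) E_Kc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Ticket_tgs]"""
        k = secrets.token_bytes(32).hex()
        tgt = enc(self.k_tgs, {"Kc,tgs": k, "IDc": id_c, "ADc": addr, "TS": ts1, "Lifetime": LIFETIME})
        return enc(self.users[id_c], {"Kc,tgs": k, "IDtgs": "tgs", "TS2": ts1,
                                      "Lifetime2": LIFETIME, "Ticket_tgs": tgt})

    def tgs_exchange(self, id_v, tgt, auth, addr, now):
        """(3) IDv || Ticket_tgs || Authenticator_c  ->  (4) E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]"""
        t = dec(self.k_tgs, tgt)
        validate(t, bytes.fromhex(t["Kc,tgs"]), auth, addr, now)
        k = secrets.token_bytes(32).hex()
        tv = enc(self.servers[id_v], {"Kc,v": k, "IDc": t["IDc"], "ADc": t["ADc"],
                                      "IDv": id_v, "TS": now, "Lifetime": LIFETIME})
        return enc(bytes.fromhex(t["Kc,tgs"]), {"Kc,v": k, "IDv": id_v, "TS4": now, "Ticket_v": tv})


class Server:   # V: an application server sharing Kv with the KDC
    def __init__(self, id_v, k_v):
        self.id_v, self.k_v, self.seen = id_v, k_v, set()   # seen: replay cache of authenticators

    def cs_exchange(self, ticket_v, auth, addr, now):
        """(5) Ticket_v || Authenticator_c  ->  (6) E_Kc,v[TS5 + 1]"""
        t = dec(self.k_v, ticket_v)
        k = bytes.fromhex(t["Kc,v"])
        a = validate(t, k, auth, addr, now)
        if (a["IDc"], a["TS"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["IDc"], a["TS"]))
        return enc(k, {"TS5+1": a["TS"] + 1})


class Client:
    def __init__(self, id_c, password, addr):   # Kc is derived from the password (toy string-to-key)
        self.id_c, self.k_c, self.addr = id_c, hashlib.sha256(password.encode()).digest(), addr

    def _auth(self, key, now):
        return enc(key, {"IDc": self.id_c, "ADc": self.addr, "TS": now})

    def login(self, kdc, now):   # the password-derived key is used only here, to unwrap the TGT reply
        r = dec(self.k_c, kdc.as_exchange(self.id_c, self.addr, now))
        self.k_c_tgs, self.tgt = bytes.fromhex(r["Kc,tgs"]), r["Ticket_tgs"]

    def service_ticket(self, kdc, id_v, now):
        r = dec(self.k_c_tgs, kdc.tgs_exchange(id_v, self.tgt, self._auth(self.k_c_tgs, now), self.addr, now))
        return bytes.fromhex(r["Kc,v"]), r["Ticket_v"]

    def use_service(self, v, k_c_v, ticket_v, now):   # returns (V proved it knows Kc,v, authenticator sent)
        auth = self._auth(k_c_v, now)
        return dec(k_c_v, v.cs_exchange(ticket_v, auth, self.addr, now))["TS5+1"] == now + 1, auth


def demo(now=1_431_820_800):
    """Full dialogue, then the slides' three threats plus an expired ticket (constructed principals)."""
    c = Client("ahmed", "correct horse", "10.0.0.5")
    servers = {"fileserver": secrets.token_bytes(32)}
    kdc, fs = KDC({"ahmed": c.k_c}, servers), Server("fileserver", servers["fileserver"])
    c.login(kdc, now)
    k_c_v, ticket_v = c.service_ticket(kdc, "fileserver", now + 1)
    mutual, auth = c.use_service(fs, k_c_v, ticket_v, now + 2)
    out = {"mutual_auth": mutual}
    attacks = {
        "impersonation": lambda: Client("ahmed", "guessed-wrong", "10.0.0.5").login(kdc, now),
        "altered_address": lambda: fs.cs_exchange(ticket_v, auth, "10.0.0.9", now + 2),
        "replay": lambda: fs.cs_exchange(ticket_v, auth, "10.0.0.5", now + 3),
        "expired_ticket": lambda: c.use_service(fs, k_c_v, ticket_v, now + LIFETIME + 10),
    }
    for name, attempt in attacks.items():
        try:
            attempt()
            out[name] = "accepted"
        except (PermissionError, ValueError):
            out[name] = "rejected"
    return out
```

Two details carry the security argument. The KDC never learns whether a login succeeded: it answers any request for any user with a reply only the right Kc can open, so a wrong password shows up as an undecryptable reply (and, in real deployments, as an offline guessing surface that v5 pre-authentication closes). And V's replay cache only has to remember authenticators for the skew window, because anything older is refused by the timestamp check alone.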
Kerberos Realms
• A Kerberos environment consists of: a Kerberos server; a number of clients, all registered with the server; application servers, sharing keys with the server
• This is termed a realm, typically a single administrative domain
• If there are multiple realms, their Kerberos servers must share keys and trust each other
Request for Service in Another Realm
Main Differences Between Version 4 and 5
• Kerberos V5 was developed in the early-to-mid 1990s
• Specified in RFC 1510 (1993), since obsoleted by RFC 4120 (2005)
• Provides improvements over v4 in terms of:
  - Encryption system dependence (v4 is tied to DES)
  - Internet protocol dependence (v4 requires IP addresses)
  - Message byte ordering
  - Ticket lifetime (v4's 8-bit field in 5-minute units caps tickets at about 21 hours)
  - Authentication forwarding
  - Inter-realm authentication
Kerberos in practice
• Two Kerberos versions exist:
  - 4: restricted to a single realm
  - 5: allows inter-realm authentication (described in these slides as still in beta test; it has long since become the production version)
  - Kerberos v5 is an Internet standard, specified in RFC 1510, and used by many utilities
• To use Kerberos:
  - need to have a KDC on your network
  - need to have Kerberised applications running on all participating systems
• Historical note on U.S. export restrictions: Kerberos could not be directly distributed outside the U.S. in source form, binary versions had to obscure the crypto routine entry points and contain no encryption, and crypto libraries had to be reimplemented locally. These restrictions have since been lifted.