CHAPTER 2 Access Control


Access Control

chapter 2 Access Control


Topic Objectives
• Introduce the mechanism of Access Control
• Relate mechanism to Confidentiality, Integrity and
Availability
• Introduce the Access Control Matrix Model and
Protection State Transitions



INTRODUCTION
• The objective of access control is to regulate
access and ensure that unauthorised access
attempts are detected and prevented.



Access Control



Authentication



Who Goes There?

• How to authenticate a human to a machine?
• Can be based on…
– Something you know
• For example, a password
– Something you have
• For example, a smartcard
– Something you are
• For example, your fingerprint



Something You Know



Trouble with Passwords

• “Passwords are one of the biggest practical problems facing security engineers today.”
• “Humans are incapable of securely storing high-quality
cryptographic keys, and they have unacceptable speed
and accuracy when performing cryptographic
operations. (They are also large, expensive to
maintain, difficult to manage, and they pollute the
environment. It is astonishing that these devices
continue to be manufactured and deployed.)”



Why Passwords?



Keys vs Passwords

Crypto keys
• Suppose key is 64 bits
• Then 2^64 keys
• Choose key at random
• Then attacker must try about 2^63 keys

Passwords
• Suppose passwords are 8 characters, and 256 different characters
• Then 256^8 = 2^64 pwds
• Users do not select passwords at random
• Attacker has far less than 2^63 pwds to try (dictionary attack)



Good and Bad Passwords



Password Experiment
• Three groups of users, each group advised to select passwords as follows
– Group A: At least 6 chars, 1 non-letter
– Group B: Password based on passphrase (the winner)
– Group C: 8 random characters
• Results
– Group A: About 30% of pwds easy to crack
– Group B: About 10% cracked
• Passwords easy to remember
– Group C: About 10% cracked
• Passwords hard to remember



Password Experiment



Attacks on Passwords



Password Retry



Password File
• Bad idea to store passwords in a file
• But need a way to verify passwords
• Cryptographic solution: hash the passwords
– Store y = h(password)
– Can verify entered password by hashing
– If attacker obtains password file, he does not
obtain passwords
– But attacker with password file can guess x and
check whether y = h(x)
– If so, attacker has found password!



Dictionary Attack

• Attacker pre-computes h(x) for all x in a dictionary of common passwords
• Suppose attacker gets access to password
file containing hashed passwords
– Attacker only needs to compare hashes to his pre-
computed dictionary
– Same attack will work each time
• Can we prevent this attack? Or at least make
attacker’s job more difficult?



Password File
• Store hashed passwords
• Better to hash with salt
• Given password, choose random s, compute
y = h(password, s)
and store the pair (s,y) in the password file
• Note: The salt s is not secret
• Easy to verify password
• Attacker must recompute dictionary hashes for each user, so lots more work!
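Added example (not from the slides) of the two storage schemes above and of why the salt matters: it counts hash computations, the slides' measure of work, for a dictionary attack against an unsalted file and against a salted one, and serves the "Do the Math" slides that follow as well. SHA-256 stands in for h, and the dictionary and user list are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the attacker's dictionary of common passwords
# (the slides assume 2^20 entries; six are enough to show the work ratio).
DICTIONARY = ["123456", "password", "letmein", "qwerty", "dragon", "monkey"]

HASH_CALLS = 0  # work is measured by the number of hash computations


def h(*parts):
    """The slides' hash function h; SHA-256 over the NUL-joined inputs stands in."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha256(b"\x00".join(parts)).digest()


def store_unsalted(password):
    """Unsalted entry: y = h(password)."""
    return h(password.encode())


def store_salted(password, salt=None):
    """Salted entry: choose random s, store the pair (s, y) with y = h(password, s)."""
    if salt is None:
        salt = os.urandom(16)  # s is not secret, it only has to differ per user
    return salt, h(password.encode(), salt)


def verify_salted(password, entry):
    """Verification stays easy: rehash the attempt with the stored s and compare."""
    salt, y = entry
    return hmac.compare_digest(h(password.encode(), salt), y)


def crack_unsalted(password_file):
    """Attacker holding an unsalted file: hash the dictionary once, look up every user.
    Returns (recovered passwords, number of hashes computed)."""
    global HASH_CALLS
    HASH_CALLS = 0
    precomputed = {h(word.encode()): word for word in DICTIONARY}
    found = {user: precomputed[y] for user, y in password_file.items() if y in precomputed}
    return found, HASH_CALLS


def crack_salted(password_file):
    """Attacker holding a salted file: the whole dictionary must be rehashed per user,
    because a table precomputed for one salt says nothing about another."""
    global HASH_CALLS
    HASH_CALLS = 0
    found = {}
    for user, (salt, y) in password_file.items():
        for word in DICTIONARY:
            if h(word.encode(), salt) == y:
                found[user] = word
    return found, HASH_CALLS


if __name__ == "__main__":
    users = {"alice": "letmein", "bob": "correct horse battery", "carol": "qwerty"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    print("unsalted:", crack_unsalted(unsalted))  # 6 hashes cover every user
    print("salted:  ", crack_salted(salted))      # 6 hashes per user, 18 in total
```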
Password Cracking: Do the Math
• Assumptions
• Pwds are 8 chars, 128 choices per character
– Then 128^8 = 2^56 possible passwords
• There is a password file with 2^10 pwds
• Attacker has dictionary of 2^20 common pwds
• Probability of 1/4 that a pwd is in dictionary
• Work is measured by number of hashes



Password Cracking



Password Cracking
• Attack any of 1024 passwords in file
• Without dictionary
– Assume all 2^10 passwords are distinct
– Need 2^55 comparisons before expect to find password
– If no salt, each hash computation gives 2^10 comparisons, so the expected work (number of hashes) is 2^55/2^10 = 2^45
– If salt is used, expected work is 2^55 since each comparison requires a new hash computation



Password Cracking

• Attack any of 1024 passwords in file
• With dictionary
– Probability at least one password is in dictionary is 1 - (3/4)^1024 ≈ 1
– We ignore case where no pwd is in dictionary
– If no salt, work is about 2^19/2^10 = 2^9
– If salt, expected work is less than 2^22
– Note: If no salt, we can precompute all dictionary hashes and amortize the work



Other Password Issues
• Too many passwords to remember
– Results in password reuse
– Why is this a problem?
• Who suffers from bad password?
– Login password vs ATM PIN
• Failure to change default passwords
• Social engineering
• Error logs may contain “almost” passwords
• Bugs, keystroke logging, spyware, etc.
Passwords

• The bottom line
• Password cracking is too easy!
– One weak password may break security
– Users choose bad passwords
– Social engineering attacks, etc.
• The bad guy has all of the advantages
• All of the math favors bad guys
• Passwords are a big security problem



Password Cracking Tools
• Popular password cracking tools
– Password Crackers
– Password Portal
– L0phtCrack and LC4 (Windows)
– John the Ripper (Unix)
• Admins should use these tools to test for
weak passwords since attackers will!
• Good article on password cracking
– Passwords - Cornerstone of Computer Security



Biometrics



Something You Are
• Biometric
– “You are your key” (Schneier)
• Examples
– Fingerprint
– Handwritten signature
– Facial recognition
– Speech recognition
– Gait (walking) recognition
– “Digital doggie” (odor recognition)
– Many more!
(Slide figure: the three factors, Are / Have / Know)



Why Biometrics?
• Biometrics seen as desirable replacement for
passwords
• Cheap and reliable biometrics needed
• Today, a very active area of research
• Biometrics are used in security today
– Thumbprint mouse
– Palm print for secure entry
– Fingerprint to unlock car door, etc.
• But biometrics not too popular
– Has not lived up to its promise (yet)
Ideal Biometric
• Universal: applies to (almost) everyone
– In reality, no biometric applies to everyone
• Distinguishing: distinguish with certainty
– In reality, cannot hope for 100% certainty
• Permanent: physical characteristic being measured never changes
– In reality, want it to remain valid for a long time
• Collectable: easy to collect required data
– Depends on whether subjects are cooperative
• Safe, easy to use, etc., etc.
Biometric Modes
• Identification: Who goes there?
– Compare one to many
– Example: The FBI fingerprint database
• Authentication: Is that really you?
– Compare one to one
– Example: Thumbprint mouse
• Identification problem more difficult
– More “random” matches since more comparisons
• We are interested in authentication



Enrollment vs Recognition
• Enrollment phase
– Subject’s biometric info put into database
– Must carefully measure the required info
– OK if slow and repeated measurement needed
– Must be very precise for good recognition
– A weak point of many biometric schemes
• Recognition phase
– Biometric detection when used in practice
– Must be quick and simple
– But must be reasonably accurate



Cooperative Subjects
• We are assuming cooperative subjects
• In identification problem often have
uncooperative subjects
• For example, facial recognition
– Proposed for use in Las Vegas casinos to detect
known cheaters
– Also as way to detect terrorists in airports, etc.
– Probably do not have ideal enrollment conditions
– Subject will try to confuse recognition phase
• Cooperative subject makes it much easier!
– In authentication, subjects are cooperative
Biometric Errors
• Fraud rate versus insult rate
– Fraud: user A mis-authenticated as user B
– Insult: user A not authenticated as user A
• For any biometric, can decrease fraud or insult, but the other will increase
• For example
– 99% voiceprint match: low fraud, high insult
– 30% voiceprint match: high fraud, low insult
• Equal error rate: rate where fraud == insult
– The best measure for comparing biometrics
Fingerprint History



Fingerprint History

• 1888: Sir Francis Galton (cousin of Darwin) developed classification system
– His system of “minutia” is still in use today
– Also verified that fingerprints do not change
• Some countries require a number of points
(i.e., minutia) to match in criminal cases
– In Britain, 15 points
– In US, no fixed number of points required



Fingerprint Comparison

• Examples of loops, whorls and arches
• Minutia extracted from these features
(Slide figures: Loop (double), Whorl, Arch)



Fingerprint Biometric

• Capture image of fingerprint
• Enhance image
• Identify minutia



Fingerprint Biometric

• Extracted minutia are compared with user’s minutia stored in a database
• Is it a statistical match?



Hand Geometry
• Popular form of biometric
• Measures shape of hand
– Width of hand, fingers
– Length of fingers, etc.
• Human hands not unique
• Hand geometry sufficient for many situations
• Suitable for authentication
• Not useful for ID problem



Hand Geometry



Iris Patterns

• Iris pattern development is “chaotic”
• Little or no genetic influence
• Different even for identical twins
• Pattern is stable through lifetime
Iris Recognition: History

• 1936: suggested by Frank Burch
• 1980s: James Bond films
• 1986: first patent appeared
• 1994: John Daugman patented best current approach
– Patent owned by Iridian Technologies



Iris Scan
• Scanner locates iris
• Take b/w photo
• Use polar coordinates…
• Find 2-D wavelet transform
• Get 256 byte iris code



Measuring Iris Similarity
• Based on Hamming distance
• Define d(x,y) to be
– # of non match bits/# of bits compared
– d(0010,0101) = 3/4 and d(101111,101001) = 1/3
• Compute d(x,y) on 2048-bit iris code
– Perfect match is d(x,y) = 0
– For same iris, expected distance is 0.08
– At random, expect distance of 0.50
– Accept as match if distance less than 0.32
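Added example (not from the slides) of the distance measure and the 0.32 decision rule above. The two short distances are the slide's own; the 2048-bit codes are constructed random bit strings, not real Daugman iris codes, with 164 of 2048 bits flipped to mimic the expected 0.08 same-iris distance.

```python
import random


def hamming_distance(x, y):
    """d(x, y) = (# of non-matching bits) / (# of bits compared), on equal-length bit strings."""
    if len(x) != len(y) or len(x) == 0 or set(x + y) - {"0", "1"}:
        raise ValueError("inputs must be non-empty bit strings of equal length")
    mismatches = sum(a != b for a, b in zip(x, y))
    return mismatches / len(x)


def iris_match(presented, enrolled, threshold=0.32):
    """Accept as a match when the distance is below the slides' 0.32 threshold."""
    return hamming_distance(presented, enrolled) < threshold


def make_codes(seed=1, n_bits=2048, flips=164):
    """Constructed codes: an enrolled code, a noisy re-scan of the same iris with
    `flips` bits changed (164/2048 ≈ 0.08, the expected same-iris distance), and an
    unrelated random code (expected distance about 0.50)."""
    rng = random.Random(seed)
    enrolled = "".join(rng.choice("01") for _ in range(n_bits))
    bits = list(enrolled)
    for i in rng.sample(range(n_bits), flips):
        bits[i] = "1" if bits[i] == "0" else "0"
    same_iris = "".join(bits)
    other_iris = "".join(rng.choice("01") for _ in range(n_bits))
    return enrolled, same_iris, other_iris


if __name__ == "__main__":
    print(hamming_distance("0010", "0101"))        # 0.75, as on the slide
    print(hamming_distance("101111", "101001"))    # 0.333..., as on the slide
    enrolled, same_iris, other_iris = make_codes()
    print(hamming_distance(same_iris, enrolled), iris_match(same_iris, enrolled))
    print(hamming_distance(other_iris, enrolled), iris_match(other_iris, enrolled))
```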



Iris Scan Error Rate
distance   Fraud rate
0.29       1 in 1.3×10^10
0.30       1 in 1.5×10^9
0.31       1 in 1.8×10^8
0.32       1 in 2.6×10^7
0.33       1 in 4.0×10^6
0.34       1 in 6.9×10^5
0.35       1 in 1.3×10^5
(The slide marks the equal error rate distance on this table.)



Attack on Iris Scan
• Good photo of eye can be scanned
– Attacker could use photo of eye
• Afghan woman was authenticated by iris scan of old photo
– Story is here
• To prevent photo attack, scanner could use light to be sure it is a “live” iris



Equal Error Rate Comparison
• Equal error rate (EER): fraud == insult rate
• Fingerprint biometric has EER of about 5%
• Hand geometry has EER of about 10^-3
• In theory, iris scan has EER of about 10^-6
– But in practice, hard to achieve
– Enrollment phase must be extremely accurate
• Most biometrics much worse than fingerprint!
• Biometrics useful for authentication…
• But ID biometrics are almost useless today



Biometrics: The Bottom Line
• Biometrics are hard to forge
• But attacker could
– Steal Alice’s thumb
– Photocopy Bob’s fingerprint, eye, etc.
– Subvert software, database, “trusted path”, …
• Also, how to revoke a “broken” biometric?
• Biometrics are not foolproof!
• Biometric use is limited today
• That should change in the future…



Something You Have

• Something in your possession
• Examples include
– Car key
– Laptop computer
• Or specific MAC address
– Password generator
• We’ll look at this next
– ATM card, smartcard, etc.



Password Generator
Protocol (slide figure: Alice, her password generator, and Bob)
1. Alice → Bob: “I’m Alice”
2. Bob → Alice: R
3. Alice → password generator: PIN, R
4. Password generator → Alice: F(R)
5. Alice → Bob: F(R)

• Alice gets “challenge” R from Bob
• Alice enters R into password generator
• Alice sends “response” back to Bob
• Alice has pwd generator and knows PINs
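Added example (not from the slides) of the five-step exchange above with both sides' messages. The slide only names F, so this assumes F(R) = HMAC-SHA256 over R under a device key that Bob also holds from enrollment, a PIN that unlocks the device, and a fresh single-use R per login; the class names are this example's own.

```python
import hashlib
import hmac
import secrets


class PasswordGenerator:
    """Alice's token: steps 3 and 4 of the slide (PIN and R in, F(R) out)."""

    def __init__(self, pin, device_key):
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._key = device_key  # assumed shared with Bob at enrollment

    def respond(self, pin, challenge):
        attempt = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(attempt, self._pin_digest):
            raise PermissionError("wrong PIN: device stays locked")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()  # F(R)


class Verifier:
    """Bob: issues the challenge (step 2) and checks the response (step 5)."""

    def __init__(self):
        self._keys = {}     # user -> device key registered at enrollment
        self._pending = {}  # user -> outstanding challenge R

    def register(self, user, device_key):
        self._keys[user] = device_key

    def challenge(self, user):
        r = secrets.token_bytes(16)  # fresh R each time, so a captured F(R) is useless later
        self._pending[user] = r
        return r

    def verify(self, user, response):
        r = self._pending.pop(user, None)  # R is single-use: consumed on first check
        if r is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_protocol(bob, generator, user, pin):
    """Steps 1-5: 'I'm Alice', R, (PIN, R) into the device, F(R) back to Bob."""
    r = bob.challenge(user)
    f_r = generator.respond(pin, r)
    return bob.verify(user, f_r)


if __name__ == "__main__":
    key = b"constructed device key"
    bob = Verifier()
    bob.register("Alice", key)
    alice_token = PasswordGenerator("1234", key)
    print(run_protocol(bob, alice_token, "Alice", "1234"))  # True
```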
2-factor Authentication
• Requires 2 out of 3 of
1. Something you know
2. Something you have
3. Something you are
• Examples
– ATM: Card and PIN
– Credit card: Card and signature
– Password generator: Device and PIN
– Smartcard with password/PIN



Single Sign-on
• A hassle to enter password(s) repeatedly
– Users want to authenticate only once
– “Credentials” stay with user wherever he goes
– Subsequent authentication is transparent to user
• Single sign-on for the Internet?
– Microsoft: Passport
– Everybody else: Liberty Alliance
– Security Assertion Markup Language (SAML)



Web Cookies
• Cookie is provided by a Website and stored on
user’s machine
• Cookie indexes a database at Website
• Cookies maintain state across sessions
• Web uses a stateless protocol: HTTP
• Cookies also maintain state within a session
• Like a single sign-on for a website
– Though a very weak form of authentication
• Cookies and privacy concerns



Authorization



Authentication vs Authorization

• Authentication: Who goes there?
– Restrictions on who (or what) can access system
• Authorization: Are you allowed to do that?
– Restrictions on actions of authenticated users
• Authorization is a form of access control
• Authorization enforced by
– Access Control Lists
– Capabilities



Lampson’s Access Control Matrix
• Subjects (users) index the rows
• Objects (resources) index the columns
                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
Bob                   rx    rx          r           ---        ---
Alice                 rx    rx          r           rw         rw
Sam                   rwx   rwx         r           rw         rw
Accounting program    rx    rx          rw          rw         rw
Are You Allowed to Do That?

• Access control matrix has all relevant info
• But how to manage a large access control (AC)
matrix?
• Could be 1000’s of users, 1000’s of resources
• Then AC matrix with 1,000,000’s of entries
• Need to check this matrix before access to any
resource is allowed
• Hopelessly inefficient



Access Control Lists (ACLs)
• ACL: store access control matrix by column
• Example: ACL for insurance data is the Insurance data column (shown in blue on the slide)
                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
Bob                   rx    rx          r           ---        ---
Alice                 rx    rx          r           rw         rw
Sam                   rwx   rwx         r           rw         rw
Accounting program    rx    rx          rw          rw         rw
Capabilities (or C-Lists)
• Store access control matrix by row
• Example: Capability for Alice is the Alice row (shown in red on the slide)
                      OS    Accounting  Accounting  Insurance  Payroll
                            program     data        data       data
Bob                   rx    rx          r           ---        ---
Alice                 rx    rx          r           rw         rw
Sam                   rwx   rwx         r           rw         rw
Accounting program    rx    rx          rw          rw         rw
ACLs vs Capabilities
(Slide figure: on the left, Access Control List, with arrows from file1, file2, file3 to Alice, Bob, Fred; on the right, Capability, with arrows from Alice, Bob, Fred to file1, file2, file3; each arrow is labelled with the rights r, w, rw or ---)

• Note that arrows point in opposite directions!


• With ACLs, still need to associate users to files
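Added example (not from the slides) that stores the access control matrix from the earlier slides and derives both views from it: the ACL for insurance data as one column, the capability list for Alice as one row, and a check that the two storage orders give identical access decisions. Function names are this example's own.

```python
# The access control matrix from the slides: subjects index rows, objects index
# columns, and "---" means no access at all.
OBJECTS = ["OS", "Accounting program", "Accounting data", "Insurance data", "Payroll data"]
MATRIX = {
    "Bob":                ["rx",  "rx",  "r",  "---", "---"],
    "Alice":              ["rx",  "rx",  "r",  "rw",  "rw"],
    "Sam":                ["rwx", "rwx", "r",  "rw",  "rw"],
    "Accounting program": ["rx",  "rx",  "rw", "rw",  "rw"],
}


def rights(cell):
    """Turn a cell such as 'rwx' or '---' into the set of permitted operations."""
    return set(cell) - {"-"}


def acl(obj):
    """ACL: one column of the matrix, stored with the object (subject -> rights).
    Subjects with no rights are simply absent from the list."""
    col = OBJECTS.index(obj)
    return {subj: rights(row[col]) for subj, row in MATRIX.items() if rights(row[col])}


def capabilities(subj):
    """C-list: one row of the matrix, stored with the subject (object -> rights)."""
    return {obj: rights(cell) for obj, cell in zip(OBJECTS, MATRIX[subj]) if rights(cell)}


def check_via_acl(subj, obj, op):
    """Access decision when the object's ACL is consulted."""
    return op in acl(obj).get(subj, set())


def check_via_capability(subj, obj, op):
    """The same decision when the subject presents its capability list instead."""
    return op in capabilities(subj).get(obj, set())


def representations_agree():
    """Both storage orders are views of one matrix, so every (subject, object, op)
    decision must come out identical; this checks all of them."""
    return all(check_via_acl(s, o, op) == check_via_capability(s, o, op)
               for s in MATRIX for o in OBJECTS for op in "rwx")


if __name__ == "__main__":
    print("ACL for insurance data:", acl("Insurance data"))
    print("Capabilities of Alice:", capabilities("Alice"))
    print("views agree:", representations_agree())
```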
Multilevel Security (MLS) Models



Classifications and Clearances
• Classifications apply to objects
• Clearances apply to subjects
• US Department of Defense uses 4 levels of
classifications/clearances
TOP SECRET
SECRET
CONFIDENTIAL
UNCLASSIFIED



Clearances and Classification

• To obtain a SECRET clearance requires a routine background check
• A TOP SECRET clearance requires extensive
background check
• Practical classification problems
– Proper classification not always clear
– Level of granularity to apply classifications
– Aggregation: the flip side of granularity



Subjects and Objects

• Let O be an object, S a subject
– O has a classification
– S has a clearance
– Security level denoted L(O) and L(S)
• For DoD levels, we have
TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED



Multilevel Security (MLS)
• MLS needed when subjects/objects at
different levels use same system
• MLS is a form of Access Control
• Military/government interest in MLS for many
decades
– Lots of funded research into MLS
– Strengths and weaknesses of MLS relatively well
understood (theoretical and practical)
– Many possible uses of MLS outside military



MLS Applications
• Classified government/military information
• Business example: info restricted to
– Senior management only
– All management
– Everyone in company
– General public
• Network firewall
– Keep intruders at low level to limit damage
• Confidential medical info, databases, etc.



MLS Security Models
• MLS models explain what needs to be done
• Models do not tell you how to implement
• Models are descriptive, not prescriptive
– High level description, not an algorithm
• There are many MLS models
• We’ll discuss simplest MLS model
– Other models are more realistic
– Other models also more complex, more difficult to
enforce, harder to verify, etc.



Multilateral Security
• Multilevel Security (MLS) enforces access
control up and down
• Simple hierarchy of security labels may not be
flexible enough
• Multilateral security enforces access control
across by creating compartments
• Suppose TOP SECRET divided into TOP
SECRET {CAT} and TOP SECRET {DOG}
• Both are TOP SECRET but information flow
restricted across the TOP SECRET level
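Added example (not from the slides) of labels that combine the DoD levels from the Subjects and Objects slide with the compartments introduced above: TOP SECRET {CAT} and TOP SECRET {DOG} sit at the same level but neither dominates the other. The Label class, the dominance and join functions are this example's own, and the read rule (a subject reads an object only when L(S) dominates L(O)) is assumed here since this section defers the model itself.

```python
from dataclasses import dataclass

# Total order on the DoD levels from the slides:
# TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label L(.): a level plus a set of compartments such as {CAT} or {DOG}."""
    level: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")


def dominates(a, b):
    """a dominates b when a's level is at least b's and a holds every compartment of b.
    Level alone gives the up/down (multilevel) ordering; compartments add the
    across (multilateral) restriction, so TS{CAT} and TS{DOG} are incomparable."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def comparable(a, b):
    """False for two labels neither of which dominates the other."""
    return dominates(a, b) or dominates(b, a)


def join(a, b):
    """Least label dominating both: the higher level with the union of compartments.
    An object that combines information from a and b must carry at least this label."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def can_read(subject, obj):
    """Assumed read rule: S may read O only when L(S) dominates L(O), so a subject
    never sees information above its clearance or outside its compartments."""
    return dominates(subject, obj)


if __name__ == "__main__":
    ts_cat = Label("TOP SECRET", frozenset({"CAT"}))
    ts_dog = Label("TOP SECRET", frozenset({"DOG"}))
    print(comparable(ts_cat, ts_dog))   # False: same level, information cannot flow across
    print(join(ts_cat, ts_dog))         # TOP SECRET {CAT, DOG}
```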



Firewalls



Firewalls

(Slide figure: Internet <-> Firewall <-> Internal network)

• Firewall must determine what to let in to internal network and/or what to let out
• Access control for the network
Firewall as Secretary
• A firewall is like a secretary
• To meet with an executive
– First contact the secretary
– Secretary decides if meeting is reasonable
– Secretary filters out many requests
• You want to meet chair of CS department?
– Secretary does some filtering
• You want to meet President of US?
– Secretary does lots of filtering!



Firewall Terminology

• No standard terminology
• Types of firewalls
– Packet filter: works at network layer
– Stateful packet filter: transport layer
– Application proxy: application layer
– Personal firewall: for single user, home network, etc.



Packet Filter

• Operates at network layer
• Can filter based on
– Source IP address
– Destination IP address
– Source Port
– Destination Port
– Flag bits (SYN, ACK, etc.)
– Egress or ingress
(Slide figure: protocol stack application / transport / network / link / physical, with the network layer highlighted)



Packet Filter

• Advantage
– Speed
• Disadvantages
– No state
– Cannot see TCP connections
– Blind to application data
(Slide figure: protocol stack application / transport / network / link / physical, with the network layer highlighted)



Packet Filter
• Configured via Access Control Lists (ACLs)
– Different meaning of ACL than previously
Action  Source IP  Dest IP  Source Port  Dest Port  Protocol  Flag Bits
Allow   Inside     Outside  Any          80         HTTP      Any
Allow   Outside    Inside   80           > 1023     HTTP      ACK
Deny    All        All      All          All        All       All

• Intention is to restrict incoming packets to Web responses
TCP ACK Scan
• Attacker sends packet with ACK bit set,
without prior 3-way handshake
• Violates TCP/IP protocol
• ACK packet passes through packet filter firewall
– Appears to be part of an ongoing connection
• RST sent by recipient of such packet
• Attacker scans for open ports thru firewall



TCP ACK Scan

(Slide figure: Trudy sends ACK packets to dest ports 1207, 1208, 1209 through the packet filter into the internal network; an RST comes back for port 1209)

• Attacker knows port 1209 open thru firewall
• A stateful packet filter can prevent this (next)
– Since ACK scans not part of established connections



Stateful Packet Filter

• Adds state to packet filter
• Operates at transport layer
• Remembers TCP connections and flag bits
• Can even remember UDP packets (e.g., DNS requests)
(Slide figure: protocol stack application / transport / network / link / physical, with the transport layer highlighted)



Stateful Packet Filter

• Advantages
– Can do everything a packet filter can do plus...
– Keep track of ongoing connections
• Disadvantages
– Cannot see application data
– Slower than packet filtering
(Slide figure: protocol stack application / transport / network / link / physical, with the transport layer highlighted)
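Added example (not from the slides) covering the packet filter ACL table, the TCP ACK scan slides and the stateful packet filter above: the slide's three rules are applied first as a plain header-only filter, then by a filter that also remembers connections opened from inside, so the same unsolicited ACK that the plain filter lets in is dropped. Addresses are constructed, 10.0.0.0/24 stands for "Inside", and the class and function names are this example's own.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed address space of the internal network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset  # TCP flag bits set, e.g. frozenset({"SYN"}) or frozenset({"ACK"})


def inside(ip):
    return ip.startswith(INSIDE_PREFIX)


# The slide's ACL, first match wins. The Protocol column (HTTP) is implied by the
# port-80 checks; a real filter would also check that the transport is TCP.
RULES = [
    ("Allow", lambda p: inside(p.src_ip) and not inside(p.dst_ip) and p.dst_port == 80),
    ("Allow", lambda p: not inside(p.src_ip) and inside(p.dst_ip)
                        and p.src_port == 80 and p.dst_port > 1023 and "ACK" in p.flags),
    ("Deny", lambda p: True),
]


def stateless_filter(packet):
    """Plain packet filter: decides on the header alone, with no memory of past packets."""
    for action, matches in RULES:
        if matches(packet):
            return action
    return "Deny"


class StatefulFilter:
    """Stateful packet filter: same rules, plus a table of connections opened from inside."""

    def __init__(self):
        self.connections = set()  # (inside ip, inside port, outside ip, outside port)

    def filter(self, packet):
        if stateless_filter(packet) != "Allow":
            return "Deny"
        if inside(packet.src_ip):
            if "SYN" in packet.flags:  # outbound connection attempt: remember it
                self.connections.add((packet.src_ip, packet.src_port,
                                      packet.dst_ip, packet.dst_port))
            return "Allow"
        # Inbound: an ACK is only legitimate as part of a connection we saw opened.
        key = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
        return "Allow" if key in self.connections else "Deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    syn = Packet("10.0.0.5", "203.0.113.7", 40000, 80, frozenset({"SYN"}))
    reply = Packet("203.0.113.7", "10.0.0.5", 80, 40000, frozenset({"ACK"}))
    # Trudy's ACK scan packet: source port 80, no handshake, aimed at port 1209
    scan = Packet("198.51.100.9", "10.0.0.5", 80, 1209, frozenset({"ACK"}))
    for p in (syn, reply, scan):
        print(stateless_filter(p), fw.filter(p))  # Allow Allow / Allow Allow / Allow Deny
```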



Application Proxy
• A proxy is something that acts on your behalf
• Application proxy looks at incoming application data
• Verifies that data is safe before letting it in
(Slide figure: protocol stack application / transport / network / link / physical, with the application layer highlighted)



Application Proxy
• Advantages
– Complete view of connections and applications data
– Filter bad data at application layer (viruses, Word macros)
• Disadvantage
– Speed
(Slide figure: protocol stack application / transport / network / link / physical, with the application layer highlighted)



Application Proxy



Firewalk



Firewalk and Proxy Firewall
(Slide figure: Trudy sends packets to dest ports 12343, 12344, 12345 with TTL=4 through three routers towards the packet filter; a “Time exceeded” message comes back)

• This will not work thru an application proxy
• The proxy creates a new packet, destroys old TTL



Personal Firewall



Firewalls and Defense in Depth
• Example security architecture
(Slide figure: Internet -> Packet Filter -> DMZ (FTP server, WWW server, DNS server) -> Application Proxy -> Intranet with Personal Firewalls)



Intrusion Detection Systems



Intrusion Prevention
• Want to keep bad guys out
• Intrusion prevention is a traditional focus of
computer security
– Authentication is to prevent intrusions
– Firewalls a form of intrusion prevention
– Virus defenses also intrusion prevention
• Comparable to locking the door on your car



Intrusion Detection
• In spite of intrusion prevention, bad guys will
sometimes get into system
• Intrusion detection systems (IDS)
– Detect attacks
– Look for “unusual” activity
• IDS developed out of log file analysis
• IDS is currently a very hot research topic
• How to respond when intrusion detected?
– We don’t deal with this topic here



Intrusion Detection Systems
• Who is likely intruder?
– May be outsider who got thru firewall
– May be evil insider
• What do intruders do?
– Launch well-known attacks
– Launch variations on well-known attacks
– Launch new or little-known attacks
– Use a system to attack other systems
– Etc.



IDS

• Intrusion detection approaches
– Signature-based IDS
– Anomaly-based IDS
• Intrusion detection architectures
– Host-based IDS
– Network-based IDS
• Most systems can be classified as above
– In spite of marketing claims to the contrary!



Host-based IDS



Network-based IDS
• Monitor activity on the network for
– Known attacks
– Suspicious network activity
• Designed to detect attacks such as
– Denial of service
– Network probes
– Malformed packets, etc.
• Can be some overlap with firewall
• Little or no view of host-based attacks
• Can have both host and network IDS
Signature Detection Example
• Failed login attempts may indicate password
cracking attack
• IDS could use the rule “N failed login attempts
in M seconds” as signature
• If N or more failed login attempts in M
seconds, IDS warns of attack
• Note that the warning is specific
– Admin knows what attack is suspected
– Admin can verify attack (or false alarm)



Signature Detection
• Suppose IDS warns whenever N or more
failed logins in M seconds
• Must set N and M so that false alarms not
common
• Can do this based on normal behavior
• But if attacker knows the signature, he can try
N-1 logins every M seconds!
• In this case, signature detection slows the
attacker, but might not stop him



Signature Detection

• Many techniques used to make signature detection more robust
• Goal is usually to detect “almost signatures”
• For example, if “about” N login attempts in
“about” M seconds
– Warn of possible password cracking attempt
– What are reasonable values for “about”?
– Can use statistical analysis, heuristics, other
– Must take care not to increase false alarm rate
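Added example (not from the slides) of the "N failed logins in M seconds" signature from the three slides above, run over constructed log lines: a per-source sliding window catches a burst, a source that sends N-1 failures per window slips past the exact rule, and a looser "about N in about M" rule with a wider window catches it. The log format and the addresses are constructed; function names are this example's own.

```python
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> Failed password for <user> from <ip>"
LINE_RE = re.compile(r"^(?P<t>\d+) Failed password for (?P<user>\S+) from (?P<ip>\S+)$")

SAMPLE_LOG = [
    # burst: 5 failures in 8 seconds from one address
    "200 Failed password for root from 198.51.100.9",
    "202 Failed password for root from 198.51.100.9",
    "204 Failed password for admin from 198.51.100.9",
    "206 Failed password for admin from 198.51.100.9",
    "208 Failed password for guest from 198.51.100.9",
    # slow source that stays just under the signature: 4 failures per 60-second window
    *(f"{t} Failed password for bob from 203.0.113.4"
      for t in (0, 10, 20, 30, 61, 71, 81, 91, 122, 132, 142, 152)),
    # an ordinary user mistyping once
    "300 Failed password for alice from 10.0.0.12",
]


def parse_failures(lines):
    """Return (time, ip) for each failed-login line, in time order; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["t"]), m["ip"]))
    return sorted(events)


def detect(events, n, m):
    """Signature 'N or more failed logins in M seconds', tracked per source address
    with a sliding window. Returns (ip, time) alerts; the window is cleared after an
    alert so one burst produces one warning rather than one per extra failure."""
    windows = defaultdict(deque)
    alerts = []
    for t, ip in events:
        w = windows[ip]
        w.append(t)
        while t - w[0] > m:  # drop failures older than M seconds
            w.popleft()
        if len(w) >= n:
            alerts.append((ip, t))
            w.clear()
    return alerts


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(detect(events, 5, 60))    # exact signature: catches the burst only
    print(detect(events, 8, 150))   # "about N in about M": catches the slow source
```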



Signature Detection
• Advantages of signature detection
– Simple
– Detect known attacks
– Know which attack at time of detection
– Efficient (if reasonable number of signatures)
• Disadvantages of signature detection
– Signature files must be kept up to date
– Number of signatures may become large
– Can only detect known attacks
– Variation on known attack may not be detected



Access Control Summary

• Authentication and authorization
– Authentication: who goes there?
• Passwords: something you know
• Biometrics: something you are (or “you are your key”)
• Something you have



Access Control Summary
• Authorization: are you allowed to do that?
– Access control matrix/ACLs/Capabilities
– MLS/Multilateral security
– Firewalls
– IDS

