Lesson 4 Computer Security

Page 1: Lesson 4 Computer Security

Lesson 4: Computer Security

Page 2: Lesson 4 Computer Security

Overview

• Definition/Goals
• Access Controls
• Security Models
• Authentication Protocols

Page 3: Lesson 4 Computer Security

Secrets

“In a world where data is coin of the realm, and transmissions are guarded by no better sentinels than man-made codes and corruptible devices, there is no such thing as a secret.”

“This Alien Shore”, C. S. Friedman (C) 1998

Page 4: Lesson 4 Computer Security

Computer Security

The prevention and/or detection of unauthorized actions by users of a computer system.

In the beginning, this meant ensuring privacy on shared systems. Today, the interesting aspect of security is in enabling different access levels.

Page 5: Lesson 4 Computer Security

What are our goals in Security?

The “CIA” of security:
• Confidentiality
• Integrity: data integrity, software integrity
• Availability: accessible and usable on demand

Additional goals: (authentication) (nonrepudiation)

Page 6: Lesson 4 Computer Security

Access Controls

“Access controls serve to enforce an authorization policy, which specifies what activity is allowed and who is allowed to initiate it.”

Governs not only activities by human actors but non-human actors as well.

Can apply to any media – print, tapes, networks, memory, . . .

Page 7: Lesson 4 Computer Security

Access modes

Read – allows entity to read the file or view the file’s attributes

Write – allows the entity to write to the file, which may include creating, modifying, or appending to the file.

Execute – the entity may load the file and run it.

Delete – the entity may remove the file from the system.

Change Permissions, change ownership

Page 8: Lesson 4 Computer Security

Protection Table

Illustrates what access controls are designed to do

Columns: File 1, File 2, File 3, Printer, Disk
• User 1: Read, Write, Write
• User 2: Execute, Read, Write, Read, Write
• Prog 1: Read, Read, Write

• Protection Table seems like an easy solution to the access control problem, but . . .
• Required table extremely large
• Table generally sparsely populated

Page 9: Lesson 4 Computer Security

File Passwords

In order to gain access to a file the user must present the system with the file’s password.

Initial assignment can be accomplished by sysadmin or creator of file.

In order to control the type of access granted to the file, multiple passwords for each file may be necessary.

Method is easy to implement and understand.

Page 10: Lesson 4 Computer Security

File passwords - problems

Since users will have to remember different passwords for each file, it will mean LOTS of passwords to remember (or write down!).

No easy way to keep track of who has access to the password for a file. Passwords are distributed manually, which leaves no automated audit trail. Hard to control.

Revocation is easy to do (change a password); the problem is doing it without affecting all of the other users.

Files (programs) that require access to other files require that all passwords be identified before the program is executed, or execution has to be interrupted to wait for a user to enter the required password.

Page 11: Lesson 4 Computer Security

Biometrics

Basic premise: “you are the identification and authenticator”. Examples: physical recognition, voice recognition, fingerprints, retinal scans, iris scans.

Page 12: Lesson 4 Computer Security

Access Tokens

Basic premise: a physical object serves to authenticate the holder; most systems combine the access token with a password.

• ATM card (authentication example: insert token, enter PIN)
• Smart cards
• Credit card (authentication example: signature, expiration date, additional ID)

Page 13: Lesson 4 Computer Security

Access Control Lists (ACL)

Divides the protection table by columns. An ACL is created for each object.

File 1:
• User 1: Execute
• User 2: Read, Write, List
• User 4: Read, List
• Program 1: Write

Disk 1:
• User 1: Read
• User 2: Read
• User 3: Read, Execute, List
• Program 1: Write

Page 14: Lesson 4 Computer Security

Access Control Lists

Can easily answer the question “which subjects have access to a specific object?” This is the more frequently asked question. Hard to answer “which objects does a specific subject have access to?”

Access to a file can easily be revoked. Storage space is saved.

Generally there are more objects than subjects.

Page 15: Lesson 4 Computer Security

Protection Bits

A modification of ACLs. Protection bits are attached to each file, but instead of providing a complete list of all users they specify permissions for specific classes.

Sometimes referred to as “permission bits”. Example classes: Owner, Group, World.

        Owner       Group       World
File 1  r,w,x,-,-   r,-,x,-,-   -,-,x,-,-
File 2  r,-,x,d,-   r,-,x,-,-   -,-,-,-,-

Page 16: Lesson 4 Computer Security

Protection Bits

        Owner    Group    World
        R W E    R W E    R W E

UNIX Example: R W E, R - E, - - E
              1 1 1  1 0 1  0 0 1
                7      5      1

Thus, the permission set for this object can be contained in 9 bits.
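As an added example (not from the slides), the following code packs the three classes' R/W/E bits into the 9-bit value above, renders it as the octal digits 7 5 1, and applies the UNIX rule that a subject is checked against exactly one class (owner, else group, else world). File names, user and group names are constructed.

```python
# Added example (not from the slides): UNIX-style protection bits.
from dataclasses import dataclass

BIT = {"r": 4, "w": 2, "x": 1}                 # read, write, execute within one class
SHIFT = {"owner": 6, "group": 3, "world": 0}   # owner bits are the most significant

def class_bits(modes):
    """Encode e.g. 'rx' as the 3-bit value 101 (= 5)."""
    return sum(BIT[m] for m in modes)

def protection_bits(owner, group, world):
    """Pack three classes into 9 bits; ('rwx', 'rx', 'x') gives 0o751 as on the slide."""
    return (class_bits(owner) << 6) | (class_bits(group) << 3) | class_bits(world)

def as_octal(bits):
    """Render the 9 bits as the familiar three octal digits, e.g. '751'."""
    return format(bits, "03o")

@dataclass(frozen=True)
class FileEntry:
    owner: str
    group: str
    bits: int

def subject_class(user, groups, entry):
    """UNIX picks exactly one class: owner first, then group, otherwise world."""
    if user == entry.owner:
        return "owner"
    if entry.group in groups:
        return "group"
    return "world"

def allowed(user, groups, entry, mode):
    """True if the subject's class has the requested mode bit set; no other class is consulted."""
    cls = subject_class(user, groups, entry)
    return ((entry.bits >> SHIFT[cls]) & BIT[mode]) != 0

# Constructed sample: the slide's bits on a file owned by alice, group staff.
REPORT = FileEntry(owner="alice", group="staff", bits=protection_bits("rwx", "rx", "x"))

if __name__ == "__main__":
    print(as_octal(REPORT.bits))                      # 751
    print(allowed("bob", {"staff"}, REPORT, "w"))     # False: group has r and x only
    print(allowed("carol", set(), REPORT, "x"))       # True: world may execute
```

Because only one class is consulted, an owner whose own bits lack read is refused even when the group bits grant it; the single-class rule is what keeps the check to 9 bits.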

Page 17: Lesson 4 Computer Security

Security Models

Bell-LaPadula
• Aimed at “military style” security
• Multi-level security
• Two main properties:
  “Simple Security Property”: no subject is allowed to read information which is of a higher classification (no read up).
  *-Property: a subject may not write to an object with a lower classification (no write down).
• Disclosure (confidentiality) is the issue
• But it doesn’t address data aggregation
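As an added example (not from the slides), the two Bell-LaPadula properties as a decision function over a multi-level lattice. The compartment sets are an assumed extension beyond the slide's plain levels, and the labels are constructed.

```python
# Added example (not from the slides): Bell-LaPadula "no read up" / "no write down".
# Compartments are an assumed extension of the slide's plain classification levels.
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """self >= other on the lattice: level at least as high, compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

def can_read(subject, obj):
    """Simple security property: a subject may read only what it dominates (no read up)."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """*-property: a subject may write only to objects that dominate it (no write down)."""
    return obj.dominates(subject)

def decide(subject, obj, mode):
    """The check a reference monitor would apply for one requested access mode."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode}")

# Constructed labels for the decisions below.
ANALYST = Label("secret", frozenset({"crypto"}))
BRIEF = Label("confidential")
PLAN = Label("top secret", frozenset({"crypto"}))
REPORT = Label("secret", frozenset({"nuclear"}))

if __name__ == "__main__":
    print(decide(ANALYST, BRIEF, "read"))   # True: reading down is fine
    print(decide(ANALYST, PLAN, "read"))    # False: no read up
    print(decide(ANALYST, PLAN, "write"))   # True: writing up is fine
    print(decide(ANALYST, BRIEF, "write"))  # False: no write down
    print(decide(ANALYST, REPORT, "read"))  # False: different compartment, same level
```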

Page 18: Lesson 4 Computer Security

Security Models

Chinese Wall
• Separation between mutually distrustful individuals (but that have the same “clearance”)

Clark-Wilson
• Concerned with data integrity as opposed to confidentiality; thus, commercial applications in mind
• Constrained data: limit what processes an individual can run, which will limit the data they can view/affect

Page 19: Lesson 4 Computer Security

The “Orange Book”

The NCSC (NSA) developed the Trusted Computer System Evaluation Criteria (TCSEC).

Designed to meet three objectives:
• to provide guidance to manufacturers as to what security features to build into their products
• to provide the DoD customers with a metric to evaluate the degree of trust they could place in a computer system
• to provide a basis for specifying security requirements in acquisition specifications

Particular emphasis is on preventing unauthorized disclosure of information. Based on the Bell-LaPadula security model.

Page 20: Lesson 4 Computer Security

The Orange Book

Page 21: Lesson 4 Computer Security

Discretionary vs. Mandatory Access Controls

Controls so far have granted access at the “discretion” of the user.

Mandatory access controls are designed to maintain controls that have been mandated – There MUST be a separation.

Mandatory access controls place additional restrictions on access by attaching a label to all subjects and objects indicating the clearance or security level classification. Considerable overhead associated with this.

Page 22: Lesson 4 Computer Security

Covert Channels

Covert channels take advantage of illicit communication through a legitimate information channel.

An issue for Mandatory Access Controls. Two types of covert channels:
• Storage channels: any communication path that results when one process causes an object to be written and another process observes the effect.
• Timing channels: any communication path that results when a process produces some effect on system performance that is observable by another process and is measurable with a timing base such as a real-time clock.

Page 23: Lesson 4 Computer Security

Security Kernel

The HW and SW that implement the “reference monitor”. All accesses that subjects make to objects are authorized on information in an access control database. The specific checks that are made and all modifications to the access control database are controlled by the reference monitor in accordance with the established security policy.

[Figure: Reference Monitor between Subjects and Objects, with the Access Control Database and the Audit File.]

Page 24: Lesson 4 Computer Security

Authentication

“Authentication is the process of determining whether information is trustworthy and genuine.”

Key question for computers and networks is how do you verify that the user is who they claim to be?

3 general methods to authenticate:
• Something you know
• Something you have
• Something about you / that you are

Page 25: Lesson 4 Computer Security

Something you Know

Most common technique for authentication: userid/password combination. Theoretically not a bad technique if chosen correctly. Length and size of the character set have a direct relationship to the strength of the chosen password.

For example, if the lower case alphabet is used:
• 1 character length = 26 possible passwords
• 2 character length = 26 x 26 = 676 possible passwords
• 3 character length = 26 x 26 x 26 = 17,576, and so on

If upper and lower case alphabetic characters are used:
• 1 character length = 52 possible passwords
• 2 character length = 52 x 52 = 2704 possible passwords
• 3 character length = 52 x 52 x 52 = 140,608 possible passwords

Password cracking: NT, brute force; Unix, dictionary attack.

Page 26: Lesson 4 Computer Security

Something you have (access tokens)

May combine this method with userid/password.
• Physical keys
• Magnetic cards: information stored on card; example is a credit card
• Smart cards: more information stored, may be encrypted
• “Calculators”: a device that looks like (and may even function as) a calculator

Process may proceed as follows:
• user presents userid or name
• system responds with challenge
• challenge punched into calculator, which returns response
• user supplies response to system

Page 27: Lesson 4 Computer Security

Something about you

Biometrics:
• Voice prints
• Fingerprint
• Retinal scan
• Hand geometry
• Signature analysis

Page 28: Lesson 4 Computer Security

Problems with the 3 basic Authentication Techniques

Something you know: people write things down, they choose poorly

Something you have: requires additional hardware ($); people lose them

Something about you: requires additional hardware ($$); things about you can change

Page 29: Lesson 4 Computer Security

Authentication Protocols

Basic Approach

Client and Server:
• User types in name and password. The client sends them in the clear.
• Server looks name up in DB and retrieves password. If retrieved and sent passwords match, user is allowed access.

Page 30: Lesson 4 Computer Security

Authentication Protocols

Updated Approach

Client and Server:
• User types in name and password. Client produces hashed version of password.
• The client sends name in the clear.
• Client sends hashed password.
• Server looks name up in DB and retrieves hashed password. If retrieved and sent hashed passwords match, user is allowed access.
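As an added example (not from the slides), the updated approach above beside the challenge/response process of the “calculator” token from the “Something you have” slide: the hashed password is the same value on every login, whereas a response is only good for the one fresh challenge the server issued. User ids, passwords and the token key are constructed.

```python
# Added example (not from the slides): static password hash vs. challenge/response.
import hashlib
import hmac
import secrets

def client_hash(password):
    """The 'hashed version of password' that the updated-approach client sends."""
    return hashlib.sha256(password.encode()).hexdigest()

class HashedPasswordServer:
    """Compares the sent hash with the stored one; the sent value is identical every login."""
    def __init__(self):
        self.db = {}                      # userid -> stored password hash
    def enroll(self, userid, password):
        self.db[userid] = client_hash(password)
    def verify(self, userid, sent_hash):
        return hmac.compare_digest(self.db.get(userid, ""), sent_hash)

def token_response(key, challenge):
    """What the calculator-style token computes from the challenge punched into it."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()

class ChallengeResponseServer:
    """Issues a fresh single-use challenge; a response is only valid for that challenge."""
    def __init__(self):
        self.keys = {}                    # userid -> key shared with that user's token
        self.pending = {}                 # userid -> challenge not yet answered
    def enroll(self, userid, key):
        self.keys[userid] = key
    def challenge(self, userid):
        nonce = secrets.token_hex(16)     # unpredictable and never reused
        self.pending[userid] = nonce
        return nonce
    def verify(self, userid, response):
        nonce = self.pending.pop(userid, None)   # consumed here: a second use finds nothing
        if nonce is None or userid not in self.keys:
            return False
        return hmac.compare_digest(token_response(self.keys[userid], nonce), response)

def token_login(server, userid, token_key):
    """The four steps: present name, receive challenge, compute response, submit it."""
    chal = server.challenge(userid)
    return server.verify(userid, token_response(token_key, chal))

if __name__ == "__main__":
    srv = ChallengeResponseServer()
    srv.enroll("alice", b"constructed-token-key")
    print(token_login(srv, "alice", b"constructed-token-key"))   # True
```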

Page 31: Lesson 4 Computer Security

Authentication Protocols: Kerberos Model

Client, Kerberos server, and Server:
• User requests permission from Kerberos server to log into server.
• If user is allowed on server, Kerberos responds with ticket and session key.
• Client uses session key to create an “authenticator” that will be used to prove identity of user to server.
• Client sends ticket and authenticator.
• Server validates everything. (Server and Kerberos server share a long-term key. The ticket is a message from the Kerberos server to the server encrypted with this key.)

Page 32: Lesson 4 Computer Security

Summary

• Definition/Goals: the “CIA” of security
• Access Controls: modes, passwords, ACLs, biometrics
• Security Models: Bell-LaPadula, Chinese Wall, Clark-Wilson
• Authentication Protocols: basic, hashing, Kerberos