CS363 Week 8 - Monday

Page 1: Week 8 - Monday.  What did we talk about last time?  Access control  Authentication

CS363 Week 8 - Monday

Page 2:

Last time

What did we talk about last time?
Access control
Authentication

Page 3:

Questions?

Page 4:

Project 2

Page 5:

Security Presentation: Andrew Sandridge

Page 6:

Challenge Response

Page 7:

Pass Algorithms

Some systems have a special function f that the user (or the user's system) must know
Thus, the system gives the user a prompt (a challenge), and the user must respond with f applied to it
Perhaps the system issues a random value to the user, who must then encrypt it with his secret key and send it back to the system
Perhaps it's just some other way of processing the data
Because the challenge is different every time, a response captured on the wire is useless against the next challenge, which is what a reusable password cannot offer
Monkey Island 2: LeChuck's Revenge hand puzzle
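Here is what a pass-algorithm login looks like end to end, as an added example that is not part of the original slides. The system issues a random challenge, the user returns f(challenge) where f is HMAC-SHA256 under a shared secret (an assumption for the example; the slide's "encrypt it with his secret key" would be another valid f), and the system checks the response in constant time and retires the challenge. The shared key and the Verifier/respond names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this example only; a real system provisions
# one per user (or uses a key pair) and never embeds it in source.
SHARED_KEY = b"example-shared-secret-for-cs363-demo"


def respond(key: bytes, challenge: bytes) -> bytes:
    """User side: the secret function f applied to the challenge.

    Here f is HMAC-SHA256 keyed with the shared secret (an assumption of
    this example, not something the slides prescribe).
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """System side: issues fresh challenges and checks the responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # 128 random bits: fresh every time
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge may be answered once. Dropping it on first use means
        # a captured (challenge, response) pair is worthless to an eavesdropper.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = respond(self._key, challenge)
        # Constant-time comparison: a plain == would leak how many leading
        # bytes of the response were right.
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """One legitimate login followed by the obvious attacks against it."""
    system = Verifier(SHARED_KEY)

    c1 = system.challenge()
    r1 = respond(SHARED_KEY, c1)
    legitimate = system.verify(c1, r1)

    # Attacker 1 captured (c1, r1) on the wire and replays it verbatim.
    replay = system.verify(c1, r1)

    # Attacker 2 is issued a new challenge but only has the old response.
    c2 = system.challenge()
    stale_response = system.verify(c2, r1)

    # Attacker 3 computes f with a guessed key.
    c3 = system.challenge()
    guessed_key = system.verify(c3, respond(b"guess", c3))

    return {
        "legitimate": legitimate,
        "replay": replay,
        "stale_response": stale_response,
        "guessed_key": guessed_key,
    }
```

The three failing cases are the point: a recorded response is useless against a fresh challenge, an answered challenge is never accepted twice, and without the key there is nothing to compute. A reusable password fails all three tests.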

Page 8:

One-Time Passwords

A one-time password is invalidated as soon as it is used
Thus, an attacker who steals the password can do only limited damage:
He can only log in once
He has to act quickly, before the legitimate user logs in first (which invalidates the stolen password)
How do you generate all these passwords?
How do you synchronize the user and the system?

Page 9:

One-time password implementations

RSA SecurID tokens change the password every 30 or 60 seconds
The token's clock and the system's clock must stay synchronized to within a few seconds to keep this practical
Using a secure hash function h, we start with a seed value k, then h(k) = k1, h(k1) = k2, …, h(kn-1) = kn
Then the passwords are used in reverse order: p1 = kn, p2 = kn-1, …, pn-1 = k2, pn = k1
The system only needs to store the last value it accepted (initially h(kn)): to check pi it tests whether h(pi) equals the stored value, and if so stores pi
An attacker who captures pi cannot produce pi+1, because that would require inverting h (this is Lamport's scheme, as used in S/KEY)
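The hash chain on this slide, implemented as an added example (not from the original deck) in Python with SHA-256 as h. The seed, n = 5 and the class and function names are constructed for the demo; the verifier holds only the last accepted value, never the seed.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """The secure hash function from the slide (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [k1, k2, ..., kn] with k1 = h(seed) and k(i+1) = h(ki).

    The seed itself is never handed out as a password: the last password pn is k1.
    """
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain


class HashChainVerifier:
    """System side. Stores only the most recently accepted value."""

    def __init__(self, kn: bytes):
        # The initial anchor is h(kn): the first password p1 = kn must hash to it.
        self._last = h(kn)

    def login(self, password: bytes) -> bool:
        if hmac.compare_digest(h(password), self._last):
            self._last = password  # accepting pi invalidates it; next must be p(i+1)
            return True
        return False


def demo(n: int = 5) -> dict:
    """Walk the chain as the user would, and try the attacks the slide alludes to."""
    seed = b"constructed-seed-held-only-by-the-user"  # assumption for the demo
    chain = make_chain(seed, n)
    system = HashChainVerifier(chain[-1])
    passwords = list(reversed(chain))  # p1 = kn, p2 = k(n-1), ..., pn = k1

    first_login = system.login(passwords[0])
    # A stolen p1 is worthless once used: h(p1) no longer matches the stored value.
    replay = system.login(passwords[0])
    # Hashing forward from p1 gives k(n+1), not the needed p2 = k(n-1), which is a
    # preimage of p1 and therefore out of the attacker's reach.
    forward_guess = system.login(h(passwords[0]))
    # Skipping ahead also fails: h(p3) = p2, and the system is still holding p1.
    skip_ahead = system.login(passwords[2])
    # The legitimate user continues in order until the chain is used up.
    rest_ok = all(system.login(p) for p in passwords[1:])

    return {
        "first_login": first_login,
        "replay": replay,
        "forward_guess": forward_guess,
        "skip_ahead": skip_ahead,
        "rest_ok": rest_ok,
    }
```

This answers the slide's two questions at once: generation is a single hash loop on the user's side, and synchronization is implicit because the system always holds exactly the value the next password must hash to. After pn = k1 the chain is exhausted and user and system must agree on a fresh seed.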

Page 10:

Biometrics

Page 11:

Biometrics

Biometrics means identifying humans by their physical and biological characteristics
This technology is often seen in spy and science fiction movies
It does exist, but it is far from perfect
Like passwords, the actual biometric scans are usually not stored; instead, specific features are extracted and stored for later comparison
Biometrics pose unique privacy concerns, because the information collected can reveal health conditions

Page 12:

Fingerprints

Historically, fingerprints are one of the most heavily used forms of biometric identification
Especially useful for solving crimes
Even identical twins have different fingerprints
Fun fact: Koalas have fingerprints so similar to human beings' that even experts are fooled
Optical scanners are available
Cheap, capacitive scanners are now even available on many laptops
The image of the fingerprint is usually not stored
Instead, specific, differentiable features are recorded

Page 13:

Voice recognition

Voice recognition systems must be trained on your voice

They can be defeated with recording devices

If you have a cold, it throws off the characteristics of your voice

As a consequence, they are particularly susceptible to both false positives and false negatives

Page 14:

Eye recognition

As the technology matures and hardware becomes cheaper, eye recognition is becoming more common
Iris recognition looks at the patterns of light and dark areas in your iris (the colored part of your eye)
For simplicity, the image is converted to grayscale for comparison
Newer iris scanners can make successful identifications at 10 feet away or more, even correcting for glasses!
Retina scans exist but are unpopular
The retina is the tissue lining the inside of your eye, and getting an accurate picture requires pupil dilation, blinding you for several minutes
There are even systems for recognizing the patterns of discolorations on the whites of your eyes!

Page 15:

Face recognition

The shape of your face, the distance between your eyes and nose, and other facial features are relatively distinctive
Although they can be nearly the same for identical twins
Computer vision techniques must be used to locate the face and deal with changes in haircut, glasses, etc.
Participants must have a neutral facial expression or results can be thrown off
The US Department of State uses facial recognition and fingerprinting to document foreigners entering the country
Their database has over 75 million photographs

Page 16:

Other biometrics

Hand geometry readers measure the shape of your hand
Keystroke dynamics are the patterns that you use when typing
Users are quite distinctive, but distractions and injuries can vary the patterns a lot
Combinations of different biometrics are sometimes used
DNA sequencing is not (yet) fast enough to be used for authentication
Researchers are always coming up with new biometrics to use

Page 17:

Problems with biometrics

People assume that they are more secure than they are
Attacks:
Fingerprints can be lifted off a champagne glass
Voices can be recorded
Iris recognition can be faked with special contact lenses
Both false positives and false negatives are possible
It is possible to tamper with the transmission from the biometric reader
Biometric characteristics can change
Identical twins sometimes pose a problem

Page 18:

Trusted Systems

Page 19:

What is trust?

To trust a program, we are looking for 4 things:
Functional correctness: the program does what it should
Enforcement of integrity: the program's data is still correct even if it is given bad or unauthorized commands
Limited privilege: if the program accesses secure data, it only accesses what it needs, and it doesn't leak rights or data to untrusted parties
Appropriate confidence level: the program has been examined carefully and given trust appropriate for its job

Page 20:

Security policies

A security policy is a statement of the security we expect a system to enforce
A mechanism is a tool or protocol to enforce the policy
It is possible to have good policies but bad mechanisms, or vice versa
A trusted system has:
Enforcement of a security policy
Sufficiency of measures and mechanisms
Evaluation

Page 21:

Bell-LaPadula Model

Page 22:

Bell-LaPadula overview

Confidentiality access control system
Military-style classifications
Uses a linear clearance hierarchy
All information is on a need-to-know basis
It uses clearance (or sensitivity) levels as well as project-specific compartments
The levels, from lowest to highest:
Unclassified
Restricted
Confidential
Secret
Top Secret

Page 23:

Security clearances

Both subjects (users) and objects (files) have security clearances
Below are the clearances arranged in a hierarchy, highest first

Clearance Level     Sample Subjects     Sample Objects
Top Secret (TS)     Tamara, Thomas      Personnel Files
Secret (S)          Sally, Samuel       E-mail Files
Confidential (C)    Claire, Clarence    Activity Log Files
Restricted (R)      Rachel, Riley       Telephone List Files
Unclassified (UC)   Ulaley, Ursula      Address of Headquarters

Page 24:

Simple security condition

Let level(O) be the clearance level of object O
Let level(S) be the clearance level of subject S
The simple security condition states that S can read O if and only if level(O) ≤ level(S) and S has discretionary read access to O
In short, you can only read down
Example? Sally (S) can read the Telephone List Files (R) but not the Personnel Files (TS)
In a few slides, we will expand the simple security condition to make the concept of level

Page 25:

*-Property

The *-property states that S can write O if and only if level(S) ≤ level(O) and S has discretionary write access to O
In short, you can only write up
Example? Sally (S) can write to the Personnel Files (TS) but not to the Telephone List Files (R), so nothing Sally has read at Secret can flow down to Restricted

Page 26:

Basic security theorem

Assume your system starts in a secure initial state
Let T be all the possible state transformations
If every element in T preserves the simple security condition and the *-property, every reachable state is secure
This is sort of a circular theorem, because we define "secure" to mean a state that satisfies the simple security condition and the *-property; all it really says is that a property preserved by every transition holds in every reachable state (an induction over the sequence of transitions)

Page 27:

Adding compartments

We add compartments such as NUC = Non-Union Countries, EUR = Europe, and US = United States
The possible sets of compartments are the subsets of {NUC, EUR, US}: {} (no compartments), {NUC}, {EUR}, {US}, {NUC, EUR}, {NUC, US}, {EUR, US}, {NUC, EUR, US}
Put a clearance level together with a compartment set and you get a security level
The literature does not always agree on terminology (compartments are also called categories)

Page 28:

Romaine lattice

The subset relationship induces a lattice; drawn top to bottom, each set is joined to the sets directly below it that it contains:

{NUC, EUR, US}
{NUC, EUR}    {NUC, US}    {EUR, US}
{NUC}    {EUR}    {US}
{}

Page 29:

Updated properties

Let L be a clearance level and C be a set of categories (compartments)
Instead of talking about level(O) ≤ level(S), we say that security level (L, C) dominates security level (L', C') if and only if L' ≤ L and C' ⊆ C
Simple security now requires (LS, CS) to dominate (LO, CO) and S to have discretionary read access
*-property now requires (LO, CO) to dominate (LS, CS) and S to have discretionary write access
Dominance is only a partial order: when neither compartment set contains the other, neither level dominates the other, so the subject can neither read nor write the object
Problems?
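The dominance relation and both properties, as an added example that is not from the original slides, using the deck's own clearance names and compartments. The subject and object levels in demo() are constructed, and the dac_read/dac_write flags stand in for the discretionary permission that both properties also require.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Linear clearance hierarchy from the slides, lowest to highest.
CLEARANCES = ["UC", "R", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(CLEARANCES)}


@dataclass(frozen=True)
class SecurityLevel:
    level: str                  # one of CLEARANCES
    categories: FrozenSet[str]  # compartments such as NUC, EUR, US

    def dominates(self, other: "SecurityLevel") -> bool:
        """(L, C) dominates (L', C') iff L' <= L and C' is a subset of C."""
        return (RANK[other.level] <= RANK[self.level]
                and other.categories <= self.categories)


def lvl(level: str, *cats: str) -> SecurityLevel:
    """Helper (constructed for this example) to build a level tersely."""
    return SecurityLevel(level, frozenset(cats))


def can_read(subject: SecurityLevel, obj: SecurityLevel, dac_read: bool) -> bool:
    """Simple security condition: read down only, and DAC must also allow it."""
    return dac_read and subject.dominates(obj)


def can_write(subject: SecurityLevel, obj: SecurityLevel, dac_write: bool) -> bool:
    """*-property: write up only, and DAC must also allow it."""
    return dac_write and obj.dominates(subject)


def demo() -> dict:
    """Constructed subject and objects exercising every branch of the relation."""
    tamara = lvl("TS", "NUC", "EUR")      # subject
    personnel = lvl("TS", "NUC", "EUR")   # same level as Tamara
    email = lvl("S", "NUC")               # strictly below Tamara
    phone_list = lvl("R", "US")           # incomparable: US is not in Tamara's set
    hq_address = lvl("UC")                # no compartments: dominated by everything

    return {
        "read_own_level": can_read(tamara, personnel, True),
        "write_own_level": can_write(tamara, personnel, True),
        "read_down": can_read(tamara, email, True),
        "write_down": can_write(tamara, email, True),        # would leak TS data
        "read_incomparable": can_read(tamara, phone_list, True),
        "write_incomparable": can_write(tamara, phone_list, True),
        "read_unclassified": can_read(tamara, hq_address, True),
        "write_unclassified": can_write(tamara, hq_address, True),
        "dac_still_required": can_read(tamara, hq_address, False),
    }
```

The write_down, write_unclassified and incomparable results show the kind of problem the slide's prompt is getting at: a Top Secret subject can read almost everything but write almost nothing below her own level, and two levels with disjoint compartments are a dead end in both directions. That is why real Bell-LaPadula systems distinguish a subject's maximum clearance from the lower current level she chooses to work at.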

Page 30:

Clark-Wilson Model

Page 31:

Clark-Wilson model

Commercial model that focuses on transactions
Just like a bank, we want certain conditions to hold before a transaction and the same conditions to hold after
If the conditions hold in both cases, we call the system consistent
Example:
D is the amount of money deposited today
W is the amount of money withdrawn today
YB is the amount of money in accounts at the end of business yesterday
TB is the amount of money currently in all accounts
Thus, D + YB – W = TB

Page 32:

Clark-Wilson definitions

Data that has to follow integrity controls is called a constrained data item or CDI
The rest of the data items are unconstrained data items or UDIs
Integrity constraints (like the bank transaction rule) constrain the values of the CDIs
Two kinds of procedures:
Integrity verification procedures (IVPs) test that the CDIs conform to the integrity constraints
Transformation procedures (TPs) change the data in the system from one valid state to another

Page 33:

Clark-Wilson rules

Clark-Wilson has a system of 9 rules designed to protect the integrity of the system

There are five certification rules that test to see if the system is in a valid state

There are four enforcement rules that give requirements for the system

Page 34:

Certification Rules 1 and 2

CR1: When any IVP is run, it must ensure that all CDIs are in a valid state
CR2: For some associated set of CDIs, a TP must transform those CDIs from a valid state into a (possibly different) valid state
By inference, a TP is only certified to work on a particular set of CDIs

Page 35:

Enforcement Rules 1 and 2

ER1: The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI
ER2: The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user.
Thus, a user is only allowed to use certain TPs on certain CDIs

Page 36:

Certification Rule 3 and Enforcement Rule 3

CR3: The allowed relations must meet the requirements imposed by the principle of separation of duty
ER3: The system must authenticate each user attempting to execute a TP
In theory, this means that users don't necessarily have to log on if they are not going to interact with CDIs

Page 37:

Certification Rules 4 and 5

CR4: All TPs must append enough information to reconstruct the operation to an append-only CDI
Logging operations
CR5: Any TP that takes a UDI as input may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI
Gives a rule for bringing new information into the integrity system

Page 38:

Enforcement Rule 4

ER4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of any entity associated with that TP, may ever have execute permission with respect to that entity.
Separation of duties
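A small model that enforces the rules above on the bank example from the earlier slide, added here as an example rather than taken from the slides or from the Clark-Wilson paper. The account names, the teller and auditor users, the transfer TP and the ClarkWilsonBank class are all constructed; the IVP checks the slide's invariant in its simplest form (total money is conserved and no balance goes negative).

```python
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a request would break one of the certification or enforcement rules."""


def transfer(cdis: dict, src: str, dst: str, amount: int) -> None:
    """A TP (constructed): move money between two accounts, both of which are CDIs."""
    cdis[src] -= amount
    cdis[dst] += amount


@dataclass
class ClarkWilsonBank:
    cdis: dict                                        # account name -> balance in cents
    expected_total: int                               # right-hand side of the integrity constraint
    tps: dict = field(default_factory=dict)           # TP name -> function
    certified: dict = field(default_factory=dict)     # TP name -> frozenset of CDIs (CR2, ER1)
    certifier_of: dict = field(default_factory=dict)  # TP name -> user who certified it (ER4)
    allowed: set = field(default_factory=set)         # (user, TP, CDI) triples (ER2)
    logged_in: set = field(default_factory=set)       # authenticated users (ER3)
    log: list = field(default_factory=list)           # append-only CDI (CR4)

    def ivp(self) -> bool:
        """CR1: every CDI is valid: money is conserved and nobody is overdrawn."""
        balances = list(self.cdis.values())
        return sum(balances) == self.expected_total and all(b >= 0 for b in balances)

    def amount_from_udi(self, udi: str) -> int:
        """CR5: an unconstrained input (text typed into a form) is either validated
        into a CDI-safe value or rejected outright; there is no third outcome."""
        if not udi.isdigit() or int(udi) == 0:
            raise PolicyViolation(f"rejected UDI {udi!r}")
        return int(udi)

    def run(self, user: str, tp_name: str, targets: tuple, *args) -> None:
        if user not in self.logged_in:                              # ER3
            raise PolicyViolation(f"{user} is not authenticated")
        if tp_name not in self.tps:
            raise PolicyViolation(f"no certified TP named {tp_name}")
        if self.certifier_of.get(tp_name) == user:                  # ER4: separation of duty
            raise PolicyViolation(f"{user} certified {tp_name} and may not execute it")
        for cdi in targets:
            if cdi not in self.certified[tp_name]:                  # ER1
                raise PolicyViolation(f"{tp_name} is not certified for {cdi}")
            if (user, tp_name, cdi) not in self.allowed:            # ER2
                raise PolicyViolation(f"{user} may not run {tp_name} on {cdi}")
        snapshot = dict(self.cdis)
        self.tps[tp_name](self.cdis, *targets, *args)
        if not self.ivp():                                          # CR2: valid state -> valid state
            self.cdis = snapshot                                    # roll the transition back
            raise PolicyViolation(f"{tp_name} would leave the CDIs in an invalid state")
        self.log.append((user, tp_name, targets, args))             # CR4: enough to reconstruct it


def demo() -> dict:
    """Constructed bank: two accounts, one certified TP, a teller and the TP's certifier."""
    bank = ClarkWilsonBank(cdis={"alice": 10_000, "bob": 5_000}, expected_total=15_000)
    bank.tps["transfer"] = transfer
    bank.certified["transfer"] = frozenset({"alice", "bob"})
    bank.certifier_of["transfer"] = "auditor"
    bank.allowed.update({("teller", "transfer", "alice"), ("teller", "transfer", "bob")})
    bank.logged_in.update({"teller", "auditor"})

    def blocked(*call) -> bool:
        """True when the policy refused the request and the CDIs are still valid."""
        try:
            bank.run(*call)
            return False
        except PolicyViolation:
            return bank.ivp()

    try:
        bank.amount_from_udi("-5")
        bad_udi_rejected = False
    except PolicyViolation:
        bad_udi_rejected = True

    bank.run("teller", "transfer", ("alice", "bob"), bank.amount_from_udi("2500"))
    return {
        "good_transfer": bank.cdis == {"alice": 7_500, "bob": 7_500} and len(bank.log) == 1,
        "overdraw_rolled_back": blocked("teller", "transfer", ("alice", "bob"), 999_999),
        "certifier_blocked": blocked("auditor", "transfer", ("alice", "bob"), 100),
        "unauthenticated_blocked": blocked("stranger", "transfer", ("alice", "bob"), 100),
        "uncertified_cdi_blocked": blocked("teller", "transfer", ("alice", "vault"), 100),
        "bad_udi_rejected": bad_udi_rejected,
    }
```

Note where the work lands: run() is the whole of enforcement and is a handful of membership checks, exactly as the summary slide says. Deciding that transfer really does preserve the invariant for every input, and that the (user, TP, CDI) triples satisfy separation of duty, is certification, and nothing in the code can do that for you.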

Page 39:

Clark-Wilson summary

Designed close to real commercial situations
No rigid multilevel scheme
Enforces separation of duty
Certification and enforcement are separated
Enforcement in a system depends simply on following the given rules
Certification of a system is difficult to determine

Page 40:

Mid-Semester Feedback

Page 41:

Upcoming

Page 42:

Next time…

Chinese Wall and Biba models
Theoretical limitations (HRU result)
Trusted system design elements
Yuki Gage presents

Page 43:

Reminders

Read Sections 5.1 – 5.3
Keep working on Project 2