Week3 lecture

Week3-Lecture: Access Control
Chapter Covered: 3,4,8,11,22

CIT 515-Network and Internet Security
Dr. May El Barachi

Reading and Quiz Materials
• Chapter3 : Pages 53-56
• Chapter4: Pages 66-76
• Chpater8: Pages 199-203
• Chapter11: Pages 264-280
• Chapter22:Pages 577-581

Objectives
 Access Control Authentication Methods
 Password, Token, Biometric
 Single Sign On vs. Password Synchronization
 Kerberos, Sesame
 Access Control Models
 DAC, MAC, RMAC
 Access Control Administration
 Centralized, Decentralized
 Access Control Types
 Technical, Physical, Administrative
5. Access Control Categories
 Deterrent, Preventive, ….
 Access Control Principles
 Access Control Attacks & Countermeasures
 Access Control Assessment

Objectives
 Authentication: Who goes there?
 Determine whether access is allowed
 Verify the identity of a subject
 Authenticate human to machine
 Authenticate machine to machine
 Authorization: Are you allowed to do that?
 Once you have access, what can you do?
 Enforces limits on actions

Authentication Methods
To verify their identity, users can provide:
Something you know
Username and Password
Birthday, Address, Passport Number
Something you have
Smart Card
Token
ATM Card
Something you are
 Biometrics
Where you are?
 IP
 GPS

Two Factor Authentication (Strong
Authentication)
Combine two factors for authentication
users

Password-Based Authentication
 How is the password communicated?
 Eavesdropping (to listen to someone's private
conversation without them knowing) risk
 How is the password stored?
 In the clear? Encrypted? Hashed?
 How does the system check the password?
 Compute hash and compare to stored hash
 How can we make the hashed passwords
harder to guess?
 Use SALT

 How easy is it to identify the password?
 Electronic Monitoring (i.e. Network Sniffing)
 Keystroke loggers (HW & SW)
 Access the password file
 Password Guessing
 Dictionary attacks
 Brute Force attacks
 Rainbow Tables
 Social Engineering
 Phishing, Pharming, Vishing
 Shoulder Surfing
 Piggy Backing
 Dumpster Diving
 Reverse Social Engineering

Password-Based Authentication – HW
KeyLogger

Password-Based Authentication -
Phishing

Password Controls
 Password length and composition
 Password aging
 Password history
 Password attempts
 Password storage
 One time passwords
 User education
 Last successful login attempt

Password-Based Authentication -
Hashing
LM hash is weak, no longer used in Win 7
NT hash is stronger, but not salted

Token-Based Authentication
More secure than passwords, however
Tokens may suffer from battery failure
Cards may get damaged
Types of tokens:
Synchronous – based on time
Asynchronous – based on challenge/response

Synchronous Tokens
Time Synchronized Authentication
RSA or Firewall with RSA ACE Agent

Internet

RSA ACE Server

Algorithm Algorithm

Time Seeds Time Seeds

Same seeds

Same time

Asynchronous Tokens
6.Responses sent to Authen server

5.User enters responses from token into computer

1.Send Response to Authen Server

2. Challenge Displayed on CRT
4. User resends
response from
token
7. Authentication Server Validates Client
3.User
enters pin
into token

RSA Two-Factor Authentication Hacked
– Mar 2011

RSA Admits & Replaces 40 Million
Tokens – 6/6/11

Biometric-Based Authentication
 Face recognition
 Error rates up to 20%, given reasonable
variations in lighting, viewpoint and expression
 Fingerprints
 Traditional method for identification
 Distinguish between 30-40 details about peaks,
valleys, and ridges of user’s fingerprint
 1911: first US conviction on fingerprint
evidence
 U.K. traditionally requires 16-point match
 Probability of false match is 1 in 10 billion
 Fingerprint damage impairs recognition

Forging Fingerprints Using Molding

Forging Fingerprints Using Surgical
Operations

Forging Fingerprints Using Actual
Fingers

 Iris scanning
 Takes a picture of the iris (colored part of eye)
 Irises are very random, but stable through life
 Differs between the two eyes of the individual
 Equal error rate better than 1 in a million
 Works with contact lenses and glasses
 Best biometric mechanism currently known
 Retina pattern
 Laser scans of blood vessels in the back of the eye
 Retina can change due to medical conditions
 Identifies user’s health (privacy issues?)
 Hand geometry
 Identify the user by his fingers and hand
 Voice recognition

False Rejection Rate (FRR)
When the system rejects an authorized individual
False Acceptance Rate (FAR)
 When the system accepts an intruder who should
be rejected
Crossover Error Rate (CER)
Metric used to compare
biometric systems When
false rejection rate equals
false acceptance rate

Single Sign On
 Single Sign On
 A user authenticates once and then access resources in the
environment without having to re-authenticate into each.
 The user authenticates once to the SSO application. Anytime
the user accesses a new application, the SSO application will
send the necessary authentication information
 Can be difficult to integrate among different applications and
platforms

Reduced Single Sign On (Password
Synchronization)
 Password Synchronization
Like single sign-on (SSO), single credential for many
systems
But no inter-system session management
User must log into each system separately, but they all
use the same username and password
Will the user choose a complex password?
Weakness of SSO and RSSO
Intruder can access all systems if password is
compromised
Best is to combine with two factor authentication

SSO Summary
Trusted authentication service on the network
Knows all passwords: users and servers
Time Sensitive
Convenient ☺
Single point of failure
Requires high level of physical security

SSO Summary
SOS Server Knows all users’ and servers’
passwords

User proves his identity;
requests ticket for some service

User gets ticket

Servers
Ticket is used to access desired network service
User

SSO: Kerberos
 Network Authentication Protocol
 Developed by MIT
 Consists of 3 components:
 Client
 Server
 Key Distribution Center (KDC)
 Authentication Server (AS)
 Ticket Granting Server (TGS)
 Process:
 Client obtains service ticket from KDC and present the tickets to
servers when connections are established
 Cryptography
 Kerberos uses symmetric key encryption (DES)

SSO: Kerberos Steps
User Ahmed

Ticket Granting Ticket (TGT):
User Name + User Address + Validity+ Session Key

Key-TGS Kerberos
User +
Session Key Authentication
Key-User
Service
Key-User

TGT services
Kerberos
TGT-Key Ticket
Granting
user Service

Key-Session Key
User
Ticket:
Key-User +Session
User Name + User Address + Validity + Session Key
Key+ (TGT)
Key-Service

SSO: Kerberos Steps

Tickets
Key-Service

User +Key-User +
Session Key+ (TGT) Confirmation
Servers
Key Session Key

SSO: Sesame
Another SSO option is Sesame:
Secure European System and Applications in a
Multivendor Environment
Kerberos uses symmetric encryption only
Sesame uses symmetric and asymmetric
encryption

Basic Access Control Concepts
Subjects
Active entities that do things
e.g. humans
Objects
Passive things that things are done to
 e.g. files, data, websites
Rights
Actions that are taken
e.g. read, write, share

Access Control Models
Authenticated users can access the
system based on:
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RMAC)
Rule-Based Access Control (RMAC)

Discretionary Access Control (DAC)
 Subjects have full control of objects they have
 The “discretionary” part of DAC means that a file owner has the ability
to change the permissions on that file
 Most Common access control system. Commonly used in both UNIX
and Windows operating systems
 Uses file permissions and ACLs to restrict access based on the user’s
identity or group membership
 File’s owner can change the file’s permissions any time they want

Mandatory Access Control (MAC)
 Restricts access based on the sensitivity of the
information and whether or not the user has the
authority to access that information.
 Each subject and object is labeled with a sensitivity level
 U.S. Government security labels:
• Top Secret (grave damage)
• Secret (serious damage)
• Confidential (damage)
• Unclassified
 A subject may access an object only if its clearance is
equal to or greater than the object’s label
 MAC systems are usually focused on preserving the confidentiality
of data

Role-Based Access Control (RBAC)
Role-based access control (RBAC) is the process of
managing access and privileges based on the user’s
assigned roles
Example: SecurityAdmin, DatabaseAdmin,
EmailAdmin, Nurse
Rule-Based Access Control (RBAC)
Access is either allowed or denied based on a set of
predefined rules that are established by the
administrator
Example: Limited login hours, Limited BitTorrent traffic

Access Control Models Examples

Organization Goal Preferred Access
Control Model
Normal Level of Security
High Turnover Rate
High Level of Security

What Next? … Access Control
Administration
 Once the organization determine what type of access control
model it will be using
 Its needs to identify administration type to support that model
 Access control administration can be:
 Centralized
 Maintain username and permissions in one location
 One entity makes all access decisions about AAA:
Authentication, Authorization, and Accountability
 e.g. SSO, RADIUS, Diameter, TACACS
 Decentralized
 Store username and permissions in different locations
 Allows the IT administration to be closer to the mission and
 operations of the organization

Centralized Access Control
Administration
 RADIUS
 Remote Authentication Dial In User Service (RADIUS)
 The protocol is a third party authentication system
 Considered an “AAA” system, comprising three
components: authentication, authorization, and
accounting
 Authenticates a subject’s credentials against an
authentication
 database
 Authorizes users by allowing specific users access to
specific
 data objects
 Accounts for each data session by creating a log entry for
each
 RADIUS connection made

Administration
 Diameter
 RADIUS’s successor, designed to provide an improved
Authentication, Authorization, and Accounting (AAA) framework
 RADIUS provides limited accountability and has problems with
flexibility, scalability, reliability, and security
 Diameter more flexible, allowing support for mobile remote users
 TACACS & TACACS+
 Terminal Access Controller Access Control System (TACACS)
 A centralized access control system that requires users to send an
 ID and a static (reusable) password for authentication
 Reusable passwords are a security vulnerability:
 Improved TACACS+ provides better password protection by
allowing two-factor strong authentication

Administration
 Password Authentication Protocol (PAP)
 Not a strong authentication method
 A user enters a password, which is sent across the network in
 clear text.
 Sniffing the network may disclose plaintext passwords
 Challenge Handshake Authentication Protocol (CHAP)
 Provides protection against playback attacks
 Uses a central location that challenges remote users
 CHAP depends upon a “secret” known only to the authenticator
and the peer. The secret is not sent over the link. Although the
authentication is only one-way, by negotiating CHAP in both
directions the same secret set may easily be used for mutual

What Next? … Access Control
Techniques
 Once the organization determine what type of
access
control model and administration it will be using
 It needs to identify techniques to support that
model
 Access control techniques can have three types:
 Administrative
 Technical
 Physical
 Access control techniques can have six
categories:
Preventive, Deterrent, Detective, Corrective,
Recovery, Compensating

Access Controls Types
 Administrative
 Policy, procedures, standards
 e.g. Password policies, pre-employment checks, security
awareness
 Technical
 Hardware or software for IT security
 Authentication, encryption, firewalls, anti-virus
 Physical
 Controls that you typically see
 Key card entry, fencing, video surveillance, locks, guard
dogs, gates, guards, alarms, badges

Access Control Categories
The access controls can be used in six categories:
 Preventive – Avoids an incident from happening
 Deterrent – Discourages a potential attacker
 Detective – Alerts and aids in identification after
the fact
 Corrective – Repairs damage and restore systems
after an event
 Recovery – Restores normal operations
 Compensating – Contains weaknesses in other
systems

 Preventive controls
Intended to avoid an incident from
happening
e.g. Firewalls, Anti-virus software, Fence,
Policies, Pre-employment, screening

 Deterrent controls
 Intended to discourage a potential attacker
Highly Visible
 e.g. Guards, guard dogs, electric fence sign
 Detective controls
 Alerts and aids in identification after the fact
 e.g. Video surveillance, audit logs, IDS motion
detector

Corrective controls
Fixes components or systems after an incident
has occurred
Post-event controls to prevent recurrence
Can be
preventive, detective, deterrent, administrativ
e
e.g.
Termination, Reassignment, Reboot, Restart, Fi
re Extinguisher, Antivirus

Recovery controls
 Intended to bring controls back to regular operations
e.g. Hot-site, backups, incident response plan
Compensating controls
Additional security control put in place to compensate
for weaknesses in others
e.g. Daily monitoring of anti-virus console, Monthly
review of administrative logins, Web Application
Firewall used to protect buggy application

Access Control Types & Categories

Access Control Principles
1. Least Privilege
2. Separation of Duties
3. Implicit Deny
4. Job Rotation
5. Layered Security
6. Diversity of Defense
7. Security Through Obscurity
8. Keep it Simple

Least Privilege
A subject (user, application, or process) should
have only the necessary rights and privileges to
perform its task with no additional permissions
By limiting an object's privilege, we limit the
amount of harm that can be caused
 For example, a person should not be logged in
as an administrator— they should be logged in
with a regular user account, and change their
context to do administrative duties

Separation of Duties
 For any given task, more than one individual needs to be involved
 Applicable to physical environments as well as network and host
 security
 No single individual can abuse the system Important tasks include:
• Financial transactions
• Software changes
• User account creation / changes
 Potential drawback is the cost
• Time – Tasks take longer
• Money – Must pay two people instead of one

Implicit Deny
If a particular situation is not covered by any of
the rules, then access can not be granted
Any individual without proper authorization
cannot be granted access
The alternative to implicit deny is to allow access
unless a specific rule forbids it

Job Rotation
The rotation of individuals through different tasks
and duties in the organization's IT department
The individuals gain a better perspective of all the
elements of how the various parts of the IT
department can help or hinder the organization
Prevents a single point of failure, where only one
employee knows mission critical job tasks

 Diversity of Defense
 This concept complements the layered security
approach
 Diversity of defense involves making different
layers of security dissimilar
 Even if attackers know how to get through a
system that compromises one layer; they may
not know how to get through the next layer
that employs a different system of security

 Keep it Simple
The simple security rule is the practice of
keeping security processes and tools is
simple and elegant
 Security processes and tools should be
simple to use, simple to administer, and easy
to troubleshoot
 A system should only run the services that it
needs to provide and no more

Access Control Threats &
Countermeasures
Attack Countermeasure
Port Scanning
Application Vulnerability Scanning
Denial Of Service (DOS or DDOS)
Man in the Middle Attacks
(Sniffing & TCP Hijacking)
Virus, Worm, Trojan, Logic Bomb
Password Attacks
(Guessing, Dictionary, Brute Force)
Social Engineering
(Spoofing, Phishing)
Physical Attacks

Access Control Assessment
 Penetration Testing Performed by an authorized white hat hacker to
determine whether a black hat hacker can do the same
Hacker can have:
 Zero knowledge “blind” – has public information only
 Full knowledge – has internal information, e.g. network
 diagrams, policies, procedures, reports from previous testers
 Partial knowledge – has limited trusted information
 Vulnerability Testing
 Scans network or system for list of predefined vulnerabilities
 Examples of automatic tools: Nessus, MBSS, Retina, ISS
 Security Audit
 Organization is tested against a published standard
 e.g. Payment Card Industry (PCI) compliant

KERBEROS
Kerberos

In Greek mythology, a many headed dog, the
guardian of the entrance of Hades

Henric Johnson 66

KERBEROS
Kerberos
• Problem statement:
– Users wish to access services on distributed servers.
– Servers wish to restrict access to authorized users and
authenticate requests for service.
• Three threats exist:
– User pretend to be another user.
– User alter the network address of a workstation.
– User eavesdrop on exchanges and use a replay attack.

Henric Johnson 67

What is is Kerberos?
What KERBEROS ?
• A key distribution and users authentication
service developed at MIT
– Provides a centralized authentication server to
authenticate users to servers and servers to users.
– Relies on conventional encryption, making no use of
public-key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES

Henric Johnson 68

Kerberos Requirements
Kerberos Requirements
• Its first report identified requirements as:
– secure
– reliable
– transparent
– scalable
• Implemented using an authentication protocol
based on Needham-Schroeder

Kerberos v4 Overview
- Overview
a basic third-party authentication scheme
have an Authentication Server (AS)
users initially negotiate with AS to identify self
AS provides a non-corruptible authentication
credential (ticket granting ticket TGT)
have a Ticket Granting server (TGS)
users subsequently request access to other services
from TGS on basis of users TGT
using a complex protocol using DES

Kerberos Version–4related terms
Kerberos v4 – related terms
• Terms:
– C = Client
– AS = authentication server
– V = server
– IDc = identifier of user on C
– IDv = identifier of V
– Pc = password of user on C
– ADc = network address of C
– Kv = secret encryption key shared by AS an V
– TS = timestamp
– || = concatenation

Henric Johnson 71

A simple authentication dialogue
(1) C  AS: IDc || Pc || IDv
(2) AS  C: Ticket
(3) C  V: IDc || Ticket

Ticket = EKv[IDc || Pc || IDv]

Henric Johnson 72

Version 4 Authentication Dialogue

• Problems:
– Lifetime associated with the ticket-granting ticket
– If to short  repeatedly asked for password
– If to long  greater opportunity to replay
• The threat is that an opponent will steal the ticket
and use it before it expires

Henric Johnson 73

Authentication Service Exhange: To obtain Ticket-Granting Ticket
(1) C  AS: IDc || IDtgs ||TS1
(2) AS  C: EKc [Kc,tgs|| IDtgs || TS2 || Lifetime2 || Tickettgs]

Ticket-Granting Service Echange: To obtain Service-Granting Ticket
(3) C  TGS: IDv ||Tickettgs ||Authenticatorc
(4) TGS  C: EKc [Kc,¨v|| IDv || TS4 || Ticketv]

Client/Server Authentication Exhange: To Obtain Service
(5) C  V: Ticketv || Authenticatorc
(6) V  C: EKc,v[TS5 +1]

Henric Johnson 74

Kerberos v4 ––detailed Dialogue
Kerberos v4 detailed Dialogue

Kerberos operation
Kerberos operation

Henric Johnson 76

Kerberos Realms
Kerberos Realms
• A Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers
must share keys and trust

Request for Service in Another Realm

Main Differences Between Version 4 and 5

• Kerberos V5 was developed in mid 1990’s
• Specified as Internet standard RFC 1510
• Provides improvements over v4, in terms of:
– Encryption system dependence (V.4 DES)
– Internet protocol dependence
– Message byte ordering
– Ticket lifetime
– Authentication forwarding
– Inter-realm authentication

Henric Johnson 79

Kerberos-in practice
Kerberos in practice
Currently have two Kerberos versions:
• 4 : restricted to a single realm
• 5 : allows inter-realm authentication, in beta test
• Kerberos v5 is an Internet standard
• specified in RFC1510, and used by many utilities
To use Kerberos:
• need to have a KDC on your network
• need to have Kerberised applications running on all participating
systems
• major problem - US export restrictions
• Kerberos cannot be directly distributed outside the US in source
format (& binary versions must obscure crypto routine entry points
and have no encryption)
• else crypto libraries must be reimplemented locally

Henric Johnson 80

Week3 lecture

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (16)

Similar a Week3 lecture

Similar a Week3 lecture (20)

Último

Último (20)

Week3 lecture

Notas del editor