3. Objectives
Access Control Authentication Methods
Password, Token, Biometric
Single Sign On vs. Password Synchronization
Kerberos, Sesame
Access Control Models
DAC, MAC, RBAC
Access Control Administration
Centralized, Decentralized
Access Control Types
Technical, Physical, Administrative
Access Control Categories
Deterrent, Preventive, …
Access Control Principles
Access Control Attacks & Countermeasures
Access Control Assessment
4. Objectives
Authentication: Who goes there?
Determine whether access is allowed
Verify the identity of a subject
Authenticate human to machine
Authenticate machine to machine
Authorization: Are you allowed to do that?
Once you have access, what can you do?
Enforces limits on actions
5. Authentication Methods
To verify their identity, users can provide:
Something you know
Username and Password
Birthday, Address, Passport Number
Something you have
Smart Card
Token
ATM Card
Something you are
Biometrics
Where you are?
IP
GPS
7. Password-Based Authentication
How is the password communicated?
Eavesdropping risk (listening to someone's private conversation without them knowing)
How is the password stored?
In the clear? Encrypted? Hashed?
How does the system check the password?
Compute hash and compare to stored hash
How can we make the hashed passwords
harder to guess?
Use SALT
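The slide's four questions (how the password is stored, how it is checked, how salting makes stored hashes harder to guess) can be seen in working code. The following is an added example written for these notes, not code from the slides; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, and the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Example parameters (not from the slides): PBKDF2-HMAC-SHA256 with a 16-byte
# random salt per user. The iteration count is kept low so the example runs fast;
# real deployments use far higher counts or a memory-hard function.
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate enrolment: the server keeps only (salt, hash), never the password."""
    return {name: hash_password(pw) for name, pw in users.items()}


def unsalted_hash(password: str) -> bytes:
    """The weak alternative: a plain SHA-256 with no salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def shared_password_detectable(store: Dict[str, bytes]) -> bool:
    """With unsalted hashes, two users who chose the same password are visible at a
    glance, and one cracked hash unlocks both accounts."""
    return len(set(store.values())) < len(store)


if __name__ == "__main__":
    # constructed sample users; both chose the same password
    store = build_store({"alice": "correct horse", "bob": "correct horse"})
    print(verify_password("correct horse", *store["alice"]))   # True
    print(store["alice"][1] == store["bob"][1])                  # False: same password, different salt
    weak = {u: unsalted_hash("correct horse") for u in ("alice", "bob")}
    print(shared_password_detectable(weak))                      # True
```

The check on the server side never decrypts anything: it recomputes the hash from the candidate password and the stored salt, which is why the salt itself need not be secret, only unique per user.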
14. Token-Based Authentication
More secure than passwords, however
Tokens may suffer from battery failure
Cards may get damaged
Types of tokens:
Synchronous – based on time
Asynchronous – based on challenge/response
15. Token-Based Authentication
Synchronous Tokens
Time Synchronized Authentication
RSA token, firewall with RSA ACE Agent, Internet, RSA ACE Server
[Diagram: the token and the RSA ACE Server each run the same algorithm with the same seeds and the same time]
16. Token-Based Authentication
Asynchronous Tokens
[Diagram, steps as labelled:]
1. Send response to authentication server
2. Challenge displayed on CRT
3. User enters PIN into token
4. User resends response from token
5. User enters responses from token into computer
6. Responses sent to authentication server
7. Authentication server validates client
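Both token types from slides 14 to 16 can be simulated in a few dozen lines. The block below is an added example for these notes, not code from the slides or from any vendor: the synchronous part derives a 6-digit code from a shared seed and the current 30-second time step (the shape used by RFC 4226/6238 one-time passwords, simplified); the asynchronous part has the server issue a random challenge that the token answers with the user's PIN. The seed, PIN and step length are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict

STEP_SECONDS = 30   # a new time-synchronized code every 30 s (example choice)
DIGITS = 6


def _truncate(mac: bytes) -> str:
    """Dynamic truncation in the style of RFC 4226: take 4 bytes at an offset
    chosen by the low nibble of the last byte, then keep DIGITS decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


# --- Synchronous token: token and server share a seed and a clock --------------
def time_code(seed: bytes, now: float) -> str:
    """Code shown on the token display for the current 30-second step."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def verify_time_code(seed: bytes, code: str, now: float, drift_steps: int = 1) -> bool:
    """Server-side check. A small window tolerates clock drift between token and server."""
    for step in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(time_code(seed, now + step * STEP_SECONDS), code):
            return True
    return False


# --- Asynchronous token: server issues a random challenge, token answers it -----
def token_response(seed: bytes, pin: str, challenge: str) -> str:
    """What the token computes after the user keys in the PIN and the displayed challenge."""
    mac = hmac.new(seed, f"{pin}:{challenge}".encode(), hashlib.sha256).digest()
    return _truncate(mac)


class ChallengeServer:
    """Authentication server side of the challenge/response flow on the slide."""

    def __init__(self, seeds: Dict[str, bytes], pins: Dict[str, str]):
        self.seeds, self.pins = seeds, pins
        self.pending: Dict[str, str] = {}       # one outstanding challenge per user

    def issue_challenge(self, user: str) -> str:
        challenge = os.urandom(8).hex()          # fresh random value, so old responses are useless
        self.pending[user] = challenge
        return challenge

    def verify_response(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)  # consumed on first use: a replay finds nothing
        if challenge is None:
            return False
        expected = token_response(self.seeds[user], self.pins[user], challenge)
        return hmac.compare_digest(expected, response)
```

The two designs fail differently: the time-based code depends on the token's clock (hence the drift window, and the battery failure the slide mentions), while the challenge/response code depends on the server never accepting the same challenge twice.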
22. Biometric-Based Authentication
Face recognition
Error rates up to 20%, given reasonable
variations in lighting, viewpoint and expression
Fingerprints
Traditional method for identification
Distinguish between 30-40 details about peaks,
valleys, and ridges of user’s fingerprint
1911: first US conviction on fingerprint
evidence
U.K. traditionally requires 16-point match
Probability of false match is 1 in 10 billion
Fingerprint damage impairs recognition
26. Biometric-Based Authentication
Iris scanning
Takes a picture of the iris (colored part of eye)
Irises are very random, but stable through life
Differs between the two eyes of the individual
Equal error rate better than 1 in a million
Works with contact lenses and glasses
Best biometric mechanism currently known
Retina pattern
Laser scans of blood vessels in the back of the eye
Retina can change due to medical conditions
Identifies user’s health (privacy issues?)
Hand geometry
Identify the user by his fingers and hand
Voice recognition
27. Biometric-Based Authentication
False Rejection Rate (FRR)
When the system rejects an authorized individual
False Acceptance Rate (FAR)
When the system accepts an intruder who should
be rejected
Crossover Error Rate (CER)
Metric used to compare biometric systems: the point where the false rejection rate equals the false acceptance rate
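FRR, FAR and CER are easiest to understand by computing them. The block below is an added example for these notes, not from the slides; the matcher scores for legitimate users and impostors are constructed sample data, and the threshold sweep finds the point where the two error rates cross.

```python
from typing import List, Tuple

# Constructed sample matcher scores in [0, 1]; higher means "looks more like the enrolled user".
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.70, 0.60, 0.99, 0.85, 0.77, 0.90]   # legitimate users
IMPOSTOR_SCORES = [0.10, 0.25, 0.40, 0.55, 0.30, 0.65, 0.20, 0.45, 0.35, 0.15]  # other people


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FRR, FAR) when a score >= threshold is accepted.
    FRR: share of legitimate users rejected; FAR: share of impostors accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 100) -> Tuple[float, float]:
    """Sweep the threshold and return (threshold, CER) where FRR and FAR are closest."""
    best = None
    for i in range(steps + 1):
        thr = i / steps
        frr, far = error_rates(genuine, impostor, thr)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, thr, (frr + far) / 2)
    return best[1], best[2]


def roc_table(genuine: List[float], impostor: List[float],
              thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) rows: raising the threshold trades FAR for FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for row in roc_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.3, 0.5, 0.6, 0.7, 0.9]):
        print("threshold %.2f  FRR %.2f  FAR %.2f" % row)
    print("CER at threshold %.2f is %.2f" % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A lower CER means a better matcher, which is why the slide uses it to rank biometric systems; tuning the threshold on a deployed system only moves along the trade-off, it does not lower the CER.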
28. Single Sign On
Single Sign On
A user authenticates once and then accesses resources in the environment without having to re-authenticate to each.
The user authenticates once to the SSO application. Anytime
the user accesses a new application, the SSO application will
send the necessary authentication information
Can be difficult to integrate among different applications and
platforms
29. Reduced Single Sign On (Password Synchronization)
Password Synchronization
Like single sign-on (SSO), single credential for many
systems
But no inter-system session management
User must log into each system separately, but they all
use the same username and password
Will the user choose a complex password?
Weakness of SSO and RSSO
Intruder can access all systems if password is
compromised
Best is to combine with two factor authentication
30. SSO Summary
Trusted authentication service on the network
Knows all passwords: users and servers
Time Sensitive
Convenient ☺
Single point of failure
Requires high level of physical security
31. SSO Summary
SSO server knows all users' and servers' passwords
[Diagram: User, SSO server, Servers]
User proves his identity and requests a ticket for some service
User gets ticket
Ticket is used to access desired network service
32. SSO: Kerberos
Network Authentication Protocol
Developed by MIT
Consists of 3 components:
Client
Server
Key Distribution Center (KDC)
Authentication Server (AS)
Ticket Granting Server (TGS)
Process:
Client obtains service tickets from the KDC and presents the tickets to servers when connections are established
Cryptography
Kerberos uses symmetric key encryption (DES)
33. SSO: Kerberos Steps
[Diagram: user Ahmed, the Kerberos Authentication Service, the Kerberos Ticket Granting Service, and the target service]
Ticket Granting Ticket (TGT): User Name + User Address + Validity + Session Key, encrypted with Key-TGS
Authentication Service reply to the user: Session Key + TGT, encrypted with Key-User
Ticket Granting Service reply to the user: Session Key + Ticket, encrypted with the session key
Ticket: User Name + User Address + Validity + Session Key, encrypted with Key-Service
35. SSO: Sesame
Another SSO option is Sesame:
Secure European System and Applications in a Multivendor Environment
Kerberos uses symmetric encryption only
Sesame uses symmetric and asymmetric
encryption
36. Objectives
Authentication: Who goes there?
Determine whether access is allowed
Verify the identity of a subject
Authenticate human to machine
Authenticate machine to machine
Authorization: Are you allowed to do that?
Once you have access, what can you do?
Enforces limits on actions
37. Basic Access Control Concepts
Subjects
Active entities that do things
e.g. humans
Objects
Passive things that things are done to
e.g. files, data, websites
Rights
Actions that are taken
e.g. read, write, share
38. Access Control Models
Authenticated users can access the system based on:
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control (RBAC)
39. Access Control Models
Discretionary Access Control (DAC)
Subjects have full control of objects they own
The "discretionary" part of DAC means that a file owner has the ability to change the permissions on that file
Most common access control system; commonly used in both UNIX and Windows operating systems
Uses file permissions and ACLs to restrict access based on the user's identity or group membership
File's owner can change the file's permissions any time they want
40. Access Control Models
Mandatory Access Control (MAC)
Restricts access based on the sensitivity of the
information and whether or not the user has the
authority to access that information.
Each subject and object is labeled with a sensitivity level
U.S. Government security labels:
• Top Secret (grave damage)
• Secret (serious damage)
• Confidential (damage)
• Unclassified
A subject may access an object only if its clearance is
equal to or greater than the object’s label
MAC systems are usually focused on preserving the confidentiality
of data
41. Access Control Models
Role-Based Access Control (RBAC)
Role-based access control (RBAC) is the process of
managing access and privileges based on the user’s
assigned roles
Example: SecurityAdmin, DatabaseAdmin,
EmailAdmin, Nurse
Rule-Based Access Control (RBAC)
Access is either allowed or denied based on a set of
predefined rules that are established by the
administrator
Example: Limited login hours, Limited BitTorrent traffic
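The four models on slides 39 to 41 differ in who decides and on what basis. The block below is an added example for these notes, not code from the slides: it implements a MAC clearance check over the slide's four U.S. Government labels, a DAC object whose owner alone may change its ACL, a role table using the slide's example roles, and a rule-based login-hours check, then combines them in one decision where everything not explicitly granted is denied. The role permissions, users and hours are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Set

# --- MAC: sensitivity labels, lowest to highest (the slide's U.S. Government labels) ---
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_allows(clearance: str, label: str) -> bool:
    """Subject may access the object only if its clearance is equal to or greater than the label."""
    return LEVELS[clearance] >= LEVELS[label]


# --- DAC: the owner decides, and only the owner may change the permissions ---
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, user: str, right: str) -> None:
        if actor != self.owner:
            raise PermissionError("only the owner may change permissions")
        self.acl.setdefault(user, set()).add(right)

    def allows(self, user: str, right: str) -> bool:
        return right in self.acl.get(user, set())


# --- Role-based: permissions hang off roles; users are assigned roles (constructed table) ---
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Nurse": {"chart:read"},
    "DatabaseAdmin": {"db:backup", "db:restore"},
    "SecurityAdmin": {"audit:read", "user:create"},
}


def rbac_allows(roles: Set[str], permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- Rule-based: administrator-defined rules, here the slide's "limited login hours" ---
def login_hours_allow(when: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    return start_hour <= when.hour < end_hour


@dataclass
class Subject:
    name: str
    clearance: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Obj:
    name: str
    label: str
    permission: str   # the RBAC permission needed to touch this object


def access_decision(subject: Subject, obj: Obj, when: datetime) -> bool:
    """Combine the models. Every check must pass; anything not explicitly granted is denied."""
    return (mac_allows(subject.clearance, obj.label)
            and rbac_allows(subject.roles, obj.permission)
            and login_hours_allow(when))


def at_hour(hour: int) -> datetime:
    """Constructed timestamp on a fixed date, used to exercise the login-hours rule."""
    return datetime(2024, 1, 15, hour, 0)


if __name__ == "__main__":
    nurse = Subject("nadia", "Confidential", {"Nurse"})
    chart = Obj("patient-chart", "Confidential", "chart:read")
    print(access_decision(nurse, chart, at_hour(10)))   # True
    print(access_decision(nurse, chart, at_hour(22)))   # False: outside login hours
```

Note the asymmetry the slides describe: in the DAC object the owner can hand out rights at will, whereas the MAC table and the role table are fixed by the administrator and no subject can loosen them.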
42. Access Control Models Examples
Organization Goal | Preferred Access Control Model
Normal Level of Security |
High Turnover Rate |
High Level of Security |
43. What Next? … Access Control
Administration
Once the organization determines what type of access control model it will be using,
it needs to identify an administration type to support that model
Access control administration can be:
Centralized
Maintain username and permissions in one location
One entity makes all access decisions about AAA:
Authentication, Authorization, and Accountability
e.g. SSO, RADIUS, Diameter, TACACS
Decentralized
Store username and permissions in different locations
Allows the IT administration to be closer to the mission and
operations of the organization
44. Centralized Access Control
Administration
RADIUS
Remote Authentication Dial In User Service (RADIUS)
The protocol is a third party authentication system
Considered an “AAA” system, comprising three
components: authentication, authorization, and
accounting
Authenticates a subject's credentials against an authentication database
Authorizes users by allowing specific users access to specific data objects
Accounts for each data session by creating a log entry for each RADIUS connection made
45. Centralized Access Control
Administration
Diameter
RADIUS’s successor, designed to provide an improved
Authentication, Authorization, and Accounting (AAA) framework
RADIUS provides limited accountability and has problems with
flexibility, scalability, reliability, and security
Diameter more flexible, allowing support for mobile remote users
TACACS & TACACS+
Terminal Access Controller Access Control System (TACACS)
A centralized access control system that requires users to send an
ID and a static (reusable) password for authentication
Reusable passwords are a security vulnerability:
Improved TACACS+ provides better password protection by
allowing two-factor strong authentication
46. Centralized Access Control
Administration
Password Authentication Protocol (PAP)
Not a strong authentication method
A user enters a password, which is sent across the network in
clear text.
Sniffing the network may disclose plaintext passwords
Challenge Handshake Authentication Protocol (CHAP)
Provides protection against playback attacks
Uses a central location that challenges remote users
CHAP depends upon a “secret” known only to the authenticator
and the peer. The secret is not sent over the link. Although the
authentication is only one-way, by negotiating CHAP in both
directions the same secret set may easily be used for mutual
47. What Next? … Access Control
Techniques
Once the organization determines what type of access control model and administration it will be using,
it needs to identify techniques to support that model
Access control techniques can be of three types:
Administrative
Technical
Physical
Access control techniques can fall into six categories:
Preventive, Deterrent, Detective, Corrective,
Recovery, Compensating
48. Access Controls Types
Administrative
Policy, procedures, standards
e.g. Password policies, pre-employment checks, security
awareness
Technical
Hardware or software for IT security
Authentication, encryption, firewalls, anti-virus
Physical
Controls that you typically see
Key card entry, fencing, video surveillance, locks, guard
dogs, gates, guards, alarms, badges
49. Access Control Categories
The access controls can be used in six categories:
Preventive – Avoids an incident from happening
Deterrent – Discourages a potential attacker
Detective – Alerts and aids in identification after
the fact
Corrective – Repairs damage and restore systems
after an event
Recovery – Restores normal operations
Compensating – Contains weaknesses in other
systems
50. Access Control Categories
Preventive controls
Intended to avoid an incident from
happening
e.g. Firewalls, Anti-virus software, Fence, Policies, Pre-employment screening
51. Access Control Categories
Deterrent controls
Intended to discourage a potential attacker
Highly Visible
e.g. Guards, guard dogs, electric fence sign
Detective controls
Alerts and aids in identification after the fact
e.g. Video surveillance, audit logs, IDS, motion detector
52. Access Control Categories
Corrective controls
Fixes components or systems after an incident
has occurred
Post-event controls to prevent recurrence
Can be preventive, detective, deterrent, administrative
e.g. Termination, Reassignment, Reboot, Restart, Fire Extinguisher, Antivirus
53. Access Control Categories
Recovery controls
Intended to bring controls back to regular operations
e.g. Hot-site, backups, incident response plan
Compensating controls
Additional security control put in place to compensate
for weaknesses in others
e.g. Daily monitoring of anti-virus console, Monthly
review of administrative logins, Web Application
Firewall used to protect buggy application
56. Access Control Principles
1. Least Privilege
2. Separation of Duties
3. Implicit Deny
4. Job Rotation
5. Layered Security
6. Diversity of Defense
7. Security Through Obscurity
8. Keep it Simple
57. Access Control Principles
Least Privilege
A subject (user, application, or process) should
have only the necessary rights and privileges to
perform its task with no additional permissions
By limiting a subject's privilege, we limit the amount of harm that can be caused
For example, a person should not be logged in as an administrator; they should be logged in with a regular user account and change their context to do administrative duties
58. Access Control Principles
Separation of Duties
For any given task, more than one individual needs to be involved
Applicable to physical environments as well as network and host
security
No single individual can abuse the system
Important tasks include:
• Financial transactions
• Software changes
• User account creation / changes
Potential drawback is the cost
• Time – Tasks take longer
• Money – Must pay two people instead of one
59. Access Control Principles
Implicit Deny
If a particular situation is not covered by any of the rules, then access cannot be granted
Any individual without proper authorization
cannot be granted access
The alternative to implicit deny is to allow access
unless a specific rule forbids it
60. Access Control Principles
Job Rotation
The rotation of individuals through different tasks
and duties in the organization's IT department
The individuals gain a better perspective of all the
elements of how the various parts of the IT
department can help or hinder the organization
Prevents a single point of failure, where only one
employee knows mission critical job tasks
61. Access Control Principles
Diversity of Defense
This concept complements the layered security
approach
Diversity of defense involves making different
layers of security dissimilar
Even if attackers know how to get through the system that protects one layer, they may not know how to get through the next layer, which employs a different system of security
62. Access Control Principles
Keep it Simple
The simple security rule is the practice of keeping security processes and tools simple and elegant
Security processes and tools should be
simple to use, simple to administer, and easy
to troubleshoot
A system should only run the services that it
needs to provide and no more
63. Access Control Threats &
Countermeasures
Attack | Countermeasure
Port Scanning |
Application Vulnerability Scanning |
Denial Of Service (DOS or DDOS) |
Man in the Middle Attacks (Sniffing & TCP Hijacking) |
Virus, Worm, Trojan, Logic Bomb |
Password Attacks (Guessing, Dictionary, Brute Force) |
Social Engineering (Spoofing, Phishing) |
Physical Attacks |
64. Access Control Assessment
Penetration Testing
Performed by an authorized white hat hacker to determine whether a black hat hacker can do the same
Hacker can have:
Zero knowledge “blind” – has public information only
Full knowledge – has internal information, e.g. network
diagrams, policies, procedures, reports from previous testers
Partial knowledge – has limited trusted information
Vulnerability Testing
Scans network or system for list of predefined vulnerabilities
Examples of automatic tools: Nessus, MBSS, Retina, ISS
Security Audit
Organization is tested against a published standard
e.g. Payment Card Industry (PCI) compliant
66. Kerberos
In Greek mythology, a many headed dog, the
guardian of the entrance of Hades
Henric Johnson 66
67. Kerberos
• Problem statement:
– Users wish to access services on distributed servers.
– Servers wish to restrict access to authorized users and
authenticate requests for service.
• Three threats exist:
– A user pretends to be another user.
– A user alters the network address of a workstation.
– A user eavesdrops on exchanges and uses a replay attack.
68. What is Kerberos?
• A key distribution and user authentication service developed at MIT
– Provides a centralized authentication server to
authenticate users to servers and servers to users.
– Relies on conventional encryption, making no use of
public-key encryption
• Two versions: version 4 and 5
• Version 4 makes use of DES
69. Kerberos Requirements
• Its first report identified requirements as:
– secure
– reliable
– transparent
– scalable
• Implemented using an authentication protocol
based on Needham-Schroeder
70. Kerberos v4 Overview
A basic third-party authentication scheme
Has an Authentication Server (AS): users initially negotiate with the AS to identify themselves, and the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
Has a Ticket Granting Server (TGS): users subsequently request access to other services from the TGS on the basis of the user's TGT
Uses a complex protocol based on DES
71. Kerberos v4 – related terms
• Terms:
– C = Client
– AS = authentication server
– V = server
– IDc = identifier of user on C
– IDv = identifier of V
– Pc = password of user on C
– ADc = network address of C
– Kv = secret encryption key shared by AS and V
– TS = timestamp
– || = concatenation
72. A simple authentication dialogue
(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket
Ticket = EKv[IDc || Pc || IDv]
73. Version 4 Authentication Dialogue
• Problems:
– Lifetime associated with the ticket-granting ticket
– If too short, the user is repeatedly asked for the password
– If too long, greater opportunity to replay
• The threat is that an opponent will steal the ticket
and use it before it expires
74. Version 4 Authentication Dialogue
Authentication Service Exchange: to obtain a Ticket-Granting Ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]
Ticket-Granting Service Exchange: to obtain a Service-Granting Ticket
(3) C → TGS: IDv || Tickettgs || Authenticatorc
(4) TGS → C: EKc,tgs[Kc,v || IDv || TS4 || Ticketv]
Client/Server Authentication Exchange: to obtain service
(5) C → V: Ticketv || Authenticatorc
(6) V → C: EKc,v[TS5 + 1]
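The six messages of the version 4 dialogue, and the replay problem slide 73 raises, can be traced end to end in a small simulation. The block below is an added example for these notes, not code from the slides or from MIT Kerberos: the KDC plays both AS and TGS, a server V shares Kv with it, and a client runs messages (1) to (6). A toy authenticated cipher (SHA-256 keystream plus HMAC tag) stands in for DES purely so the messages can be built and checked offline; the user and server keys, addresses, timestamps and lifetimes are constructed values.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 300          # ticket validity in seconds (example choice)
AUTH_FRESHNESS = 60     # how old an authenticator's timestamp may be (example choice)


# Toy authenticated cipher standing in for DES: SHA-256 keystream XOR plus an HMAC tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))


def encrypt(key: bytes, payload: dict) -> str:
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt(key: bytes, blob: str) -> dict:
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _ticket_valid(ticket: dict, auth: dict, addr: str, now: float) -> bool:
    """Ticket and authenticator must agree on IDc and ADc, the ticket must be inside its
    lifetime, and the authenticator timestamp must be fresh (limits replay of a stolen pair)."""
    return (ticket["idc"] == auth["idc"] and ticket["adc"] == addr == auth["adc"]
            and ticket["ts"] <= now < ticket["ts"] + ticket["lifetime"]
            and abs(now - auth["ts"]) <= AUTH_FRESHNESS)


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""

    def __init__(self, user_keys: dict, server_keys: dict):
        self.user_keys, self.server_keys = user_keys, server_keys   # Kc per user, Kv per server
        self.k_tgs = os.urandom(16)                                  # Ktgs, known only here

    def authentication_exchange(self, id_c: str, ad_c: str, ts1: float) -> str:
        """(1) C->AS: IDc || IDtgs || TS1   (2) AS->C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]"""
        k_c_tgs = os.urandom(16).hex()
        ticket_tgs = encrypt(self.k_tgs, {"key": k_c_tgs, "idc": id_c, "adc": ad_c,
                                          "idtgs": "tgs", "ts": ts1, "lifetime": LIFETIME})
        return encrypt(self.user_keys[id_c], {"key": k_c_tgs, "idtgs": "tgs", "ts2": ts1,
                                              "lifetime2": LIFETIME, "ticket_tgs": ticket_tgs})

    def ticket_granting_exchange(self, id_v: str, ticket_tgs: str, authenticator: str,
                                 ad_c: str, now: float) -> str:
        """(3) C->TGS: IDv || Tickettgs || Authenticatorc   (4) TGS->C: EKc,tgs[Kc,v || IDv || TS4 || Ticketv]"""
        t = decrypt(self.k_tgs, ticket_tgs)
        k_c_tgs = bytes.fromhex(t["key"])
        a = decrypt(k_c_tgs, authenticator)          # only a holder of Kc,tgs could have built it
        if not _ticket_valid(t, a, ad_c, now):
            raise PermissionError("ticket-granting ticket rejected")
        k_c_v = os.urandom(16).hex()
        ticket_v = encrypt(self.server_keys[id_v], {"key": k_c_v, "idc": t["idc"], "adc": ad_c,
                                                    "idv": id_v, "ts": now, "lifetime": LIFETIME})
        return encrypt(k_c_tgs, {"key": k_c_v, "idv": id_v, "ts4": now, "ticket_v": ticket_v})


class Server:
    """Application server V, sharing Kv with the KDC."""

    def __init__(self, id_v: str, k_v: bytes):
        self.id_v, self.k_v = id_v, k_v

    def serve(self, ticket_v: str, authenticator: str, ad_c: str, now: float) -> str:
        """(5) C->V: Ticketv || Authenticatorc   (6) V->C: EKc,v[TS5 + 1]"""
        t = decrypt(self.k_v, ticket_v)
        k_c_v = bytes.fromhex(t["key"])
        a = decrypt(k_c_v, authenticator)
        if t["idv"] != self.id_v or not _ticket_valid(t, a, ad_c, now):
            raise PermissionError("service ticket rejected")
        return encrypt(k_c_v, {"ts5_plus_1": a["ts"] + 1})   # V proves it knows Kc,v: mutual authentication


def client_session(kdc: KDC, server: Server, id_c: str, k_c: bytes, ad_c: str, now: float,
                   present_from: str = None, delay: float = 0) -> bool:
    """Run messages (1)-(6) as the client. Returns True only when V answers with TS5 + 1.
    present_from / delay model a ticket presented from another address or after a wait."""
    m2 = decrypt(k_c, kdc.authentication_exchange(id_c, ad_c, now))      # wrong Kc -> ValueError
    k_c_tgs = bytes.fromhex(m2["key"])
    auth_c = encrypt(k_c_tgs, {"idc": id_c, "adc": ad_c, "ts": now})
    m4 = decrypt(k_c_tgs, kdc.ticket_granting_exchange(server.id_v, m2["ticket_tgs"], auth_c, ad_c, now))
    k_c_v = bytes.fromhex(m4["key"])
    ts5 = now + 1
    auth_c = encrypt(k_c_v, {"idc": id_c, "adc": ad_c, "ts": ts5})
    try:
        m6 = decrypt(k_c_v, server.serve(m4["ticket_v"], auth_c, present_from or ad_c, ts5 + delay))
    except PermissionError:
        return False
    return m6["ts5_plus_1"] == ts5 + 1
```

Two details carry the security argument: the password-derived key Kc is used once, only to open message (2), so Pc never crosses the network as it does in the simple dialogue of slide 72; and a ticket alone is useless without an authenticator built under the session key inside it, so a copied ticket presented from another address or after the lifetime is refused.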
77. Kerberos Realms
• A Kerberos environment consists of:
– a Kerberos server
– a number of clients, all registered with server
– application servers, sharing keys with server
• this is termed a realm
– typically a single administrative domain
• if have multiple realms, their Kerberos servers
must share keys and trust
79. Main Differences Between Version 4 and 5
• Kerberos V5 was developed in the mid 1990s
• Specified as Internet standard RFC 1510
• Provides improvements over v4, in terms of:
– Encryption system dependence (V.4 DES)
– Internet protocol dependence
– Message byte ordering
– Ticket lifetime
– Authentication forwarding
– Inter-realm authentication
80. Kerberos in practice
Currently have two Kerberos versions:
• 4 : restricted to a single realm
• 5 : allows inter-realm authentication, in beta test
• Kerberos v5 is an Internet standard
• specified in RFC1510, and used by many utilities
To use Kerberos:
• need to have a KDC on your network
• need to have Kerberised applications running on all participating
systems
• major problem - US export restrictions
• Kerberos cannot be directly distributed outside the US in source
format (& binary versions must obscure crypto routine entry points
and have no encryption)
• else crypto libraries must be reimplemented locally
Editor's notes
Kerberos was developed at MIT and is part of Project Athena. The idea is to have a centralized server that authorizes every client-server connection on a distributed network.