Lecture 15: Access Control Processes

What is Access Control?
Access control is the policy-driven limitation of access to systems, data, and dialogs
Prevent attackers from gaining access, stopping them if they do

First Steps
Enumeration of resources
Sensitivity of each resource
Next, who should have access?
Can be made individual by individual
More efficient to define by roles (logged-in users, system administrators, project team members, etc.)

What Access Permissions (Authorizations) Should They Have?
Access permissions (authorizations) define whether a role or individual should have any access at all
If so, exactly what the role or individual should be allowed to do to the resource
Usually given as a list of permissions for users to be able to do things (read, change, execute program, etc.) for each resource

How Should Access Control Be Implemented?
For each resource, need an access protection plan for how to implement protection in keeping with the selected control policy
For a file on a server, for instance, limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.
…

Policy-Based Access Control and Protection
Have a specific access control policy and an access protection policy for each resource
Focuses attention on each resource
Guides the selection and configuration of firewalls and other protections
Guides the periodic auditing and testing of protection plans
Password-Based Access Control

Server Password Cracking
Reusable Passwords
A password you use repeatedly to get access to a resource on multiple occasions
Bad because an attacker will have time to learn it; then they can use it
Difficulty of Cracking Passwords by Guessing Remotely
Usually cut off after a few attempts
However, if an attacker can steal the password file, they can crack passwords at leisure

Hacking Root
Super accounts (can take any action in any directory)
Hacking root in UNIX
Super accounts in Windows (administrator) and NetWare (supervisor)
Hacking root is rare; usually an attacker can only hack an ordinary user account
May be able to elevate the privileges of the user account to take root action

Physical Access Password Cracking
l0phtcrack (lower-case L, zero, phtcrack)
Password cracking program
Run on a server (needs physical access)
Or copy the password file and run l0phtcrack on another machine
Brute-force password guessing
Try all possible character combinations
Longer passwords take longer to crack
Using more characters also takes longer
Alphabetic, no case (26 possibilities)
Alphabetic, case (52)
Alphanumeric (letters and numbers) (62)
All keyboard characters (~80)
Password Length

| Password Length in Characters | Alphabetic, No Case (N=26) | Alphabetic, Case (N=52) | Alphanumeric: Letters & Digits (N=62) | All Keyboard Characters (N=~80) |
|---|---|---|---|---|
| 1 | 26 | 52 | 62 | 80 |
| 2 (N^2) | 676 | 2,704 | 3,844 | 6,400 |
| 4 (N^4) | 456,976 | 7,311,616 | 14,776,336 | 40,960,000 |
| 6 | 308,915,776 | 19,770,609,664 | 56,800,235,584 | 2.62144E+11 |
| 8 | 2.08827E+11 | 5.34597E+13 | 2.1834E+14 | 1.67772E+15 |
| 10 | 1.41167E+14 | 1.44555E+17 | 8.39299E+17 | 1.07374E+19 |
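The table's keyspaces are N^L. As an added example (not part of the lecture), the code below reproduces them and turns them into worst-case exhaustion times at two assumed guessing rates: a remote login that is throttled after a few attempts, and an offline cracker working on a stolen password file. The rates are constructed assumptions, not measurements.

```python
# Added example: keyspace N^L for the alphabets in the lecture's table, and
# how long exhausting it takes at a given guessing rate.
ALPHABETS = {
    "alpha_nocase": 26,   # a-z
    "alpha_case": 52,     # a-z, A-Z
    "alphanumeric": 62,   # letters and digits
    "keyboard": 80,       # all keyboard characters (~80)
}

# Assumed guess rates (guesses per second), constructed for illustration:
ONLINE_THROTTLED = 5 / 60        # remote login cut off after a few tries a minute
OFFLINE_CRACKER = 1_000_000_000  # cracker running against a stolen password file

def keyspace(n: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars from an alphabet of n."""
    return n ** length

def seconds_to_exhaust(n: int, length: int, rate: float) -> float:
    """Worst-case time to try every password (the average is half of this)."""
    return keyspace(n, length) / rate

def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def table(lengths=(1, 2, 4, 6, 8, 10)) -> dict:
    """Reproduce the lecture's table as {(alphabet, length): keyspace}."""
    return {(name, l): keyspace(n, l)
            for name, n in ALPHABETS.items() for l in lengths}

if __name__ == "__main__":
    for (name, l), size in table().items():
        n = ALPHABETS[name]
        print(f"{name:13} len {l:2}: {size:>24,}  "
              f"online {human_time(seconds_to_exhaust(n, l, ONLINE_THROTTLED)):>18}  "
              f"offline {human_time(seconds_to_exhaust(n, l, OFFLINE_CRACKER)):>18}")
```

The offline column is why a stolen hash file matters far more than remote guessing: an 8-character alphanumeric password exhausts in days offline, while a 6-character lower-case one takes over a century at the throttled online rate.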
Brute Force Attacks
Try all possible character combinations
Slow with long passwords
Dictionary attacks
Try common words (“password”, “ouch,” etc.)
There are only a few thousand of these
Cracked very rapidly
Hybrid attacks
Common word with a single digit at the end, etc.

Password Policies
Good passwords
At least 6 characters long
Change of case not at the beginning
Digit (0 through 9) not at the end
Other keyboard character not at the end
Example: triV6#ial
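As an added example (not from the lecture), a checker that applies the four "good password" rules above and also rejects the dictionary and hybrid (word plus one digit) patterns the previous slide says are cracked very rapidly. The word list is a constructed stand-in for a real dictionary, and "change of case not at the beginning" is interpreted as a case change between letters at position 2 or later.

```python
import re

# Constructed mini-dictionary standing in for the "few thousand" common words
# a dictionary attack tries; a real checker would load a full word list.
COMMON_WORDS = {"password", "ouch", "trivial", "secret", "welcome", "letmein"}
OTHER_KEYBOARD = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

def check_password(pw: str) -> list:
    """Return the lecture's policy rules the password violates (empty = good)."""
    problems = []
    if len(pw) < 6:
        problems.append("too short (need at least 6 characters)")
    # Change of case not at the beginning: a case change between two letters
    # at position 2 or later, so a merely capitalized word ("Trivial") fails.
    letters = [(i, c) for i, c in enumerate(pw) if c.isalpha()]
    case_change_later = any(
        i >= 2 and prev.isupper() != c.isupper()
        for (_, prev), (i, c) in zip(letters, letters[1:])
    )
    if not case_change_later:
        problems.append("no change of case after the beginning")
    # A digit and another keyboard character must be present, but not only at the end.
    if not any(c.isdigit() for c in pw[:-1]):
        problems.append("no digit, or digit only at the end")
    if not any(c in OTHER_KEYBOARD for c in pw[:-1]):
        problems.append("no other keyboard character, or only at the end")
    # Dictionary and hybrid (word + single trailing digit) passwords crack fast.
    lowered = pw.lower()
    if lowered in COMMON_WORDS:
        problems.append("dictionary word")
    elif re.fullmatch(r"[a-z]+\d", lowered) and lowered[:-1] in COMMON_WORDS:
        problems.append("dictionary word plus a single digit (hybrid attack)")
    return problems

def is_good_password(pw: str) -> bool:
    return not check_password(pw)
```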
Testing and enforcing password policies
Run a password cracking program against your own servers
Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be
Password duration policies: how often passwords must be changed
Password sharing policies: generally, forbid shared passwords
Sharing removes the ability to learn who took actions; loses accountability
A shared password usually is not changed often or at all because of the need to inform all sharers
Disabling passwords that are no longer valid
As soon as an employee leaves the firm, etc.
As soon as contractors and consultants leave
In many firms, a large percentage of all accounts are for people no longer with the firm
Lost passwords
Password resets: help desk gives a new password for the account
Opportunities for social engineering attacks
Leave the changed password on an answering machine
Biometrics: voice print identification for the requestor (but considerable false rejection rate)
Automated password resets
Employee goes to a website
Must answer a question, such as “In what city were you born?”
Problem of easily-guessed questions that can be answered with research
UNIX /etc/passwd File Entries
Without shadow password file:
plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh
Fields, in order: user name, password, user ID, group ID, GCOS, home directory, shell
With shadow password file:
plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh
The x indicates that the password is stored in a separate shadow password file

Unix passwd File
Contains the username, password, and other information in semi-standard form
In the /etc directory, which is accessible to anyone
Anyone can steal the passwd file and crack the passwords
Unix Shadow File
Newer versions of Unix store passwords in a protected shadow file
In the passwd file, there is an x in the password position

Encrypted (hashed) password files
Passwords not stored in readable form
Encrypted with DES or hashed with MD5
In UNIX, /etc/passwd puts an x in place of the password
Encrypted or hashed passwords are stored in a different (shadow) file to which only high-level accounts have access
Password Hashing (or Encryption)
Figure: 1. Client PC (user Lee) sends User = Lee, Password = My4Bad. 2. Server hashes My4Bad, giving 11110000. 3. Server compares the result with Lee's entry in the hashed password file; hashes match. 4. Hashes match, so the user is authenticated.
Hashed password file: Brown 11001100; Lee 11110000; Chun 00110011; Hatori 11100010
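As an added example (not from the lecture), the code below parses passwd-format entries like those above, flags accounts whose hash is still exposed in the world-readable passwd file instead of being shadowed with an x, and implements the four-step hashed-password check from the figure. The sample entries are constructed; the per-user salt and SHA-256 are additions beyond the figure, which hashes the bare password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample passwd lines modelled on the lecture's entries: the first
# still carries its hash in the password field, the second is shadowed ("x").
SAMPLE_PASSWD = """\
plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh
kbrown:x:48:3:Kim Brown:/usr/kbrown/:/bin/sh
"""

@dataclass
class PasswdEntry:
    username: str
    password: str   # hash, or "x" when the hash lives in the shadow file
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd line on ':' into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)

def is_shadowed(entry: PasswdEntry) -> bool:
    return entry.password == "x"

def exposed_hash_users(passwd_text: str) -> list:
    """Accounts whose hash sits in the world-readable passwd file."""
    entries = [parse_passwd_line(l) for l in passwd_text.splitlines() if l.strip()]
    return [e.username for e in entries
            if not is_shadowed(e) and e.password not in ("", "*", "!")]

# --- Hashed password file: the four steps of the lecture's figure -----------
def hash_password(password: str, salt: bytes) -> str:
    # The figure hashes the bare password; the per-user salt is an addition
    # here so that two users with the same password get different hashes.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_hashed_file(users: dict) -> dict:
    """Build the server's hashed password file from {user: password}."""
    hashed = {}
    for user, password in users.items():
        salt = os.urandom(16)
        hashed[user] = (salt, hash_password(password, salt))
    return hashed

def verify_login(hashed_file: dict, username: str, password: str) -> bool:
    """Steps 2-4: hash what the client sent and compare with the stored hash."""
    record = hashed_file.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)
```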
Windows passwords
Obsolete LAN Manager passwords (7 characters maximum) should not be used
Windows NTLM passwords are better
Option (not default) to enforce strong passwords

Shoulder Surfing
Watch someone as they type their password
Keystroke Capture Software
Professional versions of Windows protect RAM during password typing
Consumer versions do not
A Trojan horse throws up a login screen later, then reports its findings to attackers

Windows Client PC Software
Consumer version login screen is not for security
Windows professional and server versions provide good security with the login password
BIOS passwords allow boot-up security
Can be disabled by removing the PC’s battery
But during a battery removal, the attacker will be very visible
Screen savers with passwords allow away-from-desk security after boot-up
Physical Building Security

Building Security Basics
Single point of (normal) entry to building
Fire doors, etc.: use closed-circuit television (CCTV) and alarms to monitor them
Security centers
Monitors for closed-circuit TV (CCTV)
Videotapes that must be retained (don’t reuse too much or the quality will be bad)
Alarms
Interior doors to control access between parts of the building
Piggybacking: holding the door open so that someone can enter without identification defeats this protection
Enforcing policies: you get what you enforce
Training security personnel
Training all employees
Phone stickers with the security center phone number
Thwart piggybacking by employee education and sanctions for allowing it
Thwart dumpster diving by keeping Dumpsters in a locked, lighted area
Drive shredding programs for discarded disk drives that do more than reformat the drives
Physical Building Cabling
Figure (equipment room): 1. Equipment room (usually in basement); 2. Link to WAN; 3. Entrance facility with termination equipment; 4. Router; 5. Core switch (chassis); 6. Vertical riser space
Figure (vertical distribution): 1. Vertical distribution; 2. Optical fiber, one pair per floor; 3. Telecommunications closet on floor; 4. Workgroup switch; 5. Horizontal distribution
Figure (horizontal and final distribution): workgroup switch in telecoms closet; 1. Horizontal distribution, one 4-pair UTP cord

Data Wiring Security
Telecommunications closets should be locked
Wiring conduits should be hard to cut into
Server rooms should have strong access security
Access Cards and Tokens

Access Cards
Magnetic Stripe Cards
Smart Cards
Have a microprocessor and RAM
More sophisticated than mag stripe cards
Release only selected information to different access devices
Tokens
Small device with a constantly-changing password
Or a device that can plug into a USB port or another port
Proximity Tokens
Use short-range radio transmission
Can be detected and tested without physical contact
Allows easier access; used in Tokyo subways
Card Cancellation
Requires a central system
PINs
Personal Identification Numbers
Short: about 4 digits
Can be short because attempts are manual (10,000 combinations to try with 4 digits)
Should not allow obvious combinations (1111, 1234) or important dates
Provide two-factor authentication
E.g., PIN and card
Don’t allow writing the PIN on the card
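As an added example (not from the lecture), a PIN validator that rejects the obvious combinations named above (repeated digits, sequences, and dates, where "important dates" is interpreted as MMDD/DDMM calendar dates or a year), together with a reader that cuts off after a few wrong tries, which is what lets a 4-digit PIN be short. The attempt limit and year range are assumptions.

```python
from datetime import date
from typing import Optional

def pin_problem(pin: str) -> Optional[str]:
    """Return why a 4-digit PIN is obvious (lecture rules), or None if acceptable."""
    if not (len(pin) == 4 and pin.isdigit()):
        return "must be exactly 4 digits"
    digits = [int(d) for d in pin]
    if len(set(digits)) == 1:
        return "repeated digit (e.g., 1111)"
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return "ascending or descending sequence (e.g., 1234)"
    # "Important dates": MMDD or DDMM that forms a real calendar date, or a
    # plausible birth/anniversary year (assumed range 1900 to this year).
    a, b = int(pin[:2]), int(pin[2:])
    for month, day in ((a, b), (b, a)):
        try:
            date(2000, month, day)   # leap year, so 02/29 counts as a date
            return "looks like a date (MMDD or DDMM)"
        except ValueError:
            pass
    if 1900 <= int(pin) <= date.today().year:
        return "looks like a year"
    return None

class PinLock:
    """PIN entry is manual, and the lock also cuts off after a few failures."""
    def __init__(self, pin: str, max_attempts: int = 3):
        problem = pin_problem(pin)
        if problem:
            raise ValueError(problem)
        self._pin, self._max = pin, max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self._max

    def try_pin(self, attempt: str) -> bool:
        if self.locked:
            return False            # stays shut until reset by the central system
        if attempt == self._pin:
            self.failures = 0
            return True
        self.failures += 1
        return False
```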
Biometric Authentication

Biometric Authentication
Authentication based on body measurements and motions
Because you always bring your body with you
Biometric Systems
Enrollment
Later access attempts
Acceptance or rejection

Biometric Authentication System
Figure: 1. Initial enrollment: user Lee is scanned; processing (key feature extraction) produces the template 01101001 (A=01, B=101, C=001), which is stored in the template database. 2. Subsequent access: the applicant is scanned; processing (key feature extraction) produces the access data 01111001 (A=01, B=111, C=001). 3. Match index: the access data is compared with the template and a decision criterion (close enough?) yields acceptance or rejection.
Template database: Brown 10010010; Lee 01101001; Chun 00111011; Hirota 1101110; …
Verification Versus Identification
Verification: are applicants who they claim to be? (compare with a single template)
Identification: who is the applicant? (compare with all templates)
More difficult than verification because must compare to many templates
Watch list: is this person a member of a specific group (e.g., known terrorists)?
Intermediate in difficulty
Verification is good for replacing passwords in logins
Identification is good for door access and other situations where entering a name would be difficult

Precision
FAR
False acceptance rates (FARs): percentage of unauthorized people allowed in
Person falsely accepted as a member of a group
Person allowed through a door who should not be allowed through it
Very bad for security
FRR
False rejection rates (FRRs): percentage of authorized people not recognized as being members of the group
Valid person denied door access or server login because not recognized
Can be reduced by allowing multiple access attempts
High FRRs will harm user acceptance because users are angered by being falsely forbidden
Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances
For instance, having only small numbers of users in the database
For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world
User Acceptance is Crucial
Strong user resistance can kill a system
Fingerprint recognition may have a criminal connotation
Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully
These require a disciplined group

Biometric Methods
Fingerprint recognition
Dominates the biometric market today
Based on a finger’s distinctive pattern of whorls, arches, and loops
Simple, inexpensive, well-proven
Weak security: can be defeated fairly easily with copies
Useful in modest-security areas
Iris recognition
Pattern in the colored part of the eye
Very low FARs
High FRR if the eye is not lined up correctly can harm acceptance
Reader is a camera—does not send light into the eye!
Face recognition
Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.
Hand geometry: shape of the hand
Voice recognition
High error rates
Easy to fool with recordings
Keystroke recognition
Rhythm of typing
Normally restricted to passwords
Ongoing during a session could allow continuous authentication
Signature recognition
Pattern and writing dynamics

Biometric Standards
Almost no standardization
Worst for user data (fingerprint feature databases)
Get locked into single vendors
Can Biometrics be Fooled?
Airport face recognition
Identification of people passing in front of a camera
False rejection rate: rate of not identifying a person as being in the database
Fail to recognize a criminal, terrorist, etc.
FRRs are bad
4-week trial of face recognition at Palm Beach International Airport
Only 250 volunteers in the user database (unrealistically small)
Volunteers were scanned 958 times during the trial
Only recognized 455 times! (47%)
53% FRR
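As an added example (not from the lecture), the code below implements the match-index decision from the biometric system figure with a Hamming-distance index over the bit templates, shows verification (one template) versus identification (all templates), and computes FAR and FRR at several thresholds, including the FRR of the Palm Beach trial from its counts. The Brown, Lee and Chun templates are the figure's; the genuine and impostor samples are constructed.

```python
# Added example. Template database uses the bit strings from the lecture's
# figure for Brown, Lee and Chun; the genuine/impostor samples are constructed.
TEMPLATE_DB = {"Brown": "10010010", "Lee": "01101001", "Chun": "00111011"}

# Constructed trial data: (claimed identity, access data scanned at the door)
GENUINE = [("Lee", "01111001"), ("Lee", "01101001"),
           ("Chun", "00111011"), ("Brown", "00010010")]
IMPOSTOR = [("Lee", "10010110"), ("Chun", "01111001")]

def hamming(a: str, b: str) -> int:
    """Number of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b))

def match_index(template: str, sample: str) -> float:
    """Fraction of matching bits: 1.0 is identical, 0.0 is every bit wrong."""
    return 1 - hamming(template, sample) / len(template)

def verify(db: dict, claimed: str, sample: str, threshold: float) -> bool:
    """Verification: compare with the single template the applicant claims."""
    return claimed in db and match_index(db[claimed], sample) >= threshold

def identify(db: dict, sample: str, threshold: float):
    """Identification: compare with every template; None if nobody is close enough."""
    best = max(db, key=lambda name: match_index(db[name], sample))
    return best if match_index(db[best], sample) >= threshold else None

def error_rates(db: dict, genuine: list, impostor: list, threshold: float):
    """(FAR, FRR) at a decision threshold over labelled trial samples."""
    frr = sum(not verify(db, n, s, threshold) for n, s in genuine) / len(genuine)
    far = sum(verify(db, n, s, threshold) for n, s in impostor) / len(impostor)
    return far, frr

def frr_from_trial(recognized: int, attempts: int) -> float:
    """FRR from raw trial counts, e.g. the Palm Beach figures: 455 of 958."""
    return 1 - recognized / attempts

if __name__ == "__main__":
    # Loosening the threshold lowers FRR but raises FAR, and vice versa.
    for t in (0.7, 0.8, 0.9):
        far, frr = error_rates(TEMPLATE_DB, GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: FAR {far:.0%}  FRR {frr:.0%}")
    print(f"Palm Beach trial FRR: {frr_from_trial(455, 958):.0%}")
```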
Recognition rate fell if subjects wore glasses (especially tinted) or looked away
Would be worse with a larger database
Would be worse if photographs were not good
DOD tests indicate poor acceptance rates even when subjects were not attempting to evade
270-person test
Face recognition recognized the person only 51 percent of the time
Even iris recognition only recognized the person 94 percent of the time!
Other research has shown that evasion is often successful for some methods
German c’t magazine fooled most face and fingerprint recognition systems
Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass
802.11 Wireless LAN Security

802.11 Wireless LAN (WLAN) Security
802.11 Wireless LAN Family of Standards
Basic Operation (Figure 2-12 on next slide)
Main wired network for servers (usually 802.3 Ethernet)
Wireless stations with wireless NICs
Access points
Access points are bridges that link 802.11 LANs to 802.3 Ethernet LANs

802.11 Wireless LAN (Figure 2-12)
Figure elements: client PC (notebook with PC Card wireless NIC); 802.11 frame containing the packet, between the client and the access point; access point; 802.3 frame containing the packet, between the access point and the Ethernet switch; server

Basic Operation
Propagation distance: farther for attackers than users
Attackers can have powerful antennas and amplifiers
Attackers can benefit even if they can only read some messages
Don’t be lulled into complacency by internal experiences with useable distances
802.11 Wireless LAN Standards

| Standard | Rated Speed (a) | Unlicensed Radio Band | Effective Distance (b) |
|---|---|---|---|
| 802.11b | 11 Mbps | 2.4 GHz | ~30-50 meters |
| 802.11a | 54 Mbps | 5 GHz | ~10-30 meters |
| 802.11g | 54 Mbps | 2.4 GHz | ? |

Notes: (a) Actual speeds are much lower and decline with distance. (b) These are distances for good communication; attackers can read some signals and send attack frames from longer distances.
Apparent 802.11 Security
Spread spectrum transmission does not provide security
Signal is spread over a broad range of frequencies
Methods used by the military are hard to detect
802.11 spread spectrum methods are easy to detect so devices can find each other
Used in 802.11 to prevent frequency-dependent propagation problems rather than for security
SSIDs
Mobile devices must know the access point’s service set identifier (SSID) to talk to the access point
Usually broadcast frequently by the access point for ease of discovery, so offers no security
Sent in the clear in messages sent between stations and access points

Wired Equivalent Privacy (WEP)
Biggest security problem: not enabled by default
40-bit encryption keys are too small
Nonstandard 128-bit (really 104-bit) keys are reasonably interoperable
Shared passwords
Access points and all stations use the same password
Difficult to change, so rarely changed
People tend to share shared passwords too widely
Flawed security algorithms
Algorithms were selected by cryptographic amateurs

802.1x and 802.11i (Figure 2-14)
Authentication server
User data server
Individual keys given out at the access point
802.1x Authentication for 802.11i WLANs (Figure 2-14)
Figure: 1. The applicant (Lee) sends authentication data to the access point. 2. The access point passes the request on to the RADIUS server. 3. The RADIUS server gets user Lee’s data from a directory server or Kerberos server (optional; the RADIUS server may store this data). 4. The RADIUS server returns Accept, applicant key = XYZ, to the access point. 5. The access point tells the applicant OK, use key XYZ.
802.1x and 802.11i
Control access when the user connects to the network
At a wired RJ-45 jack
At a wireless access point
802.1x is a general approach to port authentication
802.11i is the implementation of 802.1x on 802.11 wireless LANs
Extensible Authentication Protocol (EAP)
Supports multiple forms of authentication
EAP-TLS
EAP-TTLS
PEAP
Authentication mechanisms
Passwords
Simple and inexpensive to implement
Low security
Digital certificates
Complex and expensive to install digital certificates on many devices
Very strong authentication
EAP Methods

| Method | Client Authentication | Access Point Authentication | Comment |
|---|---|---|---|
| EAP-TLS | Digital certificate or nothing at all | Digital certificate | Expensive client authentication or none |
| EAP-TTLS | Password or other authentication method | Digital certificate | Fits reality that many users have passwords |
| PEAP (Protected EAP) | Password or other authentication method | Digital certificate | Strong. Supported by Microsoft, Cisco, and RSA |
TLS
The default for 802.11i security, but the choice of either digital certificates for clients or no client authentication is undesirable
PEAP and TTLS
Very similar in terms of the authentication methods they support
PEAP is supported by Microsoft, Cisco, and RSA
TTLS is supported by a consortium of other vendors

802.1x and 802.11i (Figure 2-14)
After authentication, the client must be given a key for confidentiality
Temporal Key Integrity Protocol (TKIP) is used in 802.11i and 802.1x
Key changed every 10,000 frames to foil data collection for key guessing
This is an Advanced Encryption Standard (AES) key

Wi-Fi and WPA
Wi-Fi Alliance
Industry group that certifies 802.11 systems
Created the Wi-Fi Protected Access (WPA) system in 2002
WPA is basically 802.11i
But does not use AES keys
Many installed wireless products can be upgraded to WPA
Stop-gap measure before 802.11i

802.11i Today
802.11i standard was released in July 2004
But products started appearing in 2003
What must firms do?
Throw out WEP-only products
In security, legacy technologies are not acceptable
Decide whether the firm can have WPA and 802.11i products co-exist

Virtual Private Networks (VPNs)
Add security on top of network technology to compensate for WLAN weaknesses
Discussed in Chapter 8
Figure: VPN layered on top of the WLAN, etc.

The Situation Today in Wireless Security
Wireless security is poor in most installations today
The situation is improving, and technology will soon be good
But old installations are likely to remain weak links in corporate security
Topics Covered
Policy-Driven Access Control
Identify resources
Create an access policy for each
Let the policy drive implementation and testing
Password-Based Access Control
Reusable passwords are inexpensive because they are built into servers
Usually weak because people often pick easily cracked passwords
Hacking root is a key goal
Password resets are necessary but dangerous
Building Security
Single point of (normal) entry to building
Fire doors, etc.: use CCTV and alarms
Security centers
Interior doors locked (but piggybacking)
Dumpster diving control
Securing building wiring, including telecommunications closets
Access Cards and Tokens
Magnetic stripe cards
Smart cards with CPU and memory
Tokens
Tokens with constantly-changing passwords
Tokens that plug into USB ports
Proximity cards with radio communication
PINs can be short because of manual entry
Biometric Authentication
Can replace reusable passwords
Fingerprint scanning dominates biometrics
Inexpensive, somewhat secure
Iris recognition is more precise
Face recognition can be done surreptitiously
Identification vs. verification vs. watch list
FARs and FRRs
Often easily deceived by attackers
802.11 Wireless LAN Security
Signals travel outside the building, allowing drive-by hacking
Initial security was WEP
Often not even turned on
Very easily cracked because it uses a shared static key for both confidentiality and authentication
Some firms added passwords and/or VPNs to allow secure communication anyway
Now, 802.11i security
Based on 802.1x security for wired LANs
Sophisticated authentication
EAP supports multiple methods
Not a single standard, so problems with equipment interoperability
Strong AES confidentiality
Requires an infrastructure
Central authentication server
Adequate for corporate needs
Today
Buy only 802.11i equipment
See if WPA (post-WEP/pre-802.11i) products can be kept
Discard WEP products

End of Lecture