Lecture 15 Access Control Processes

Lecture 15

Access Control Processes

2

What is Access Control?

Access Control

Access control is the policy-driven limitation of access to systems, data, and dialogs

Prevent attackers from gaining access, stopping them if they do

3

What is Access Control?

First Steps

Enumeration of Resources

Sensitivity of Each Resource

Next, who Should Have Access?

Can be made individual by individual

More efficient to define by roles (logged-in users, system administrators, project team members, etc.)

4

Access Control

What Access Permissions (Authorizations) Should They Have?

Access permissions (authorizations) define whether a role or individual should have any access at all

If so, exactly what the role or individual should be allowed to do to the resource.

Usually given as a list of permissions for users to be able to do things (read, change, execute program, etc.) for each resource

5

Access Control

How Should Access Control Be Implemented?

For each resource, need an access protection plan for how to implement protection in keeping with the selected control policy

For a file on a server, for instance, limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.

…

6

Access Control

Policy-Based Access Control and Protection

Have a specific access control policy and an access protection policy for each resource

Focuses attention on each resource

Guides the selection and configuration of firewalls and other protections

Guides the periodic auditing and testing of protection plans

Password-Based Access Control

8

Server Password Cracking

Reusable Passwords A password you use repeatedly to get access to

a resource on multiple occasions

Bad because attacker will have time to learn it; then can use it

Difficulty of Cracking Passwords by Guessing Remotely Usually cut off after a few attempts

However, if can steal the password file, can crack passwords at leisure

9


Hacking Root

Super accounts (can take any action in any directory)

Hacking root in UNIX

Super accounts in Windows (administrator) and NetWare (supervisor)

Hacking root is rare; usually can only hack an ordinary user account

May be able to elevate the privileges of the user account to take root action

10


Physical Access Password Cracking

l0phtcrack

Lower-case L, zero, phtcrack

Password cracking program

Run on a server (need physical access)

Or copy password file and run l0phtcrack on another machine.

11


Physical Access Password Cracking Brute-force password guessing

Try all possible character combinations

Longer passwords take longer to crack

Using more characters also takes longer Alphabetic, no case (26 possibilities) Alphabetic, case (52) Alphanumeric (letters and numbers) (62) All keyboard characters (~80)

12

Password Length

PasswordLength In

Characters

1

2 (N2)

4 (N4)

6

8

10

Alphanumeric:Letters &

Digits (N=62)

62

3,844

14,776,336

56,800,235,584

2.1834E+14

8.39299E+17

All KeyboardCharacters

(N=~80)

80

6,400

40,960,000

2.62144E+11

1.67772E+15

1.07374E+19

Alphabetic,Case

(N=52)

52

2,704

7,311,616

19,770,609,664

5.34597E+13

1.44555E+17

Alphabetic,No

Case (N=26)

26

676

456,976

308,915,776

2.08827E+11

1.41167E+14

13


Physical Access Password Cracking Brute Force Attacks

Try all possible character combinations Slow with long passwords length

Dictionary attacks Try common words (“password”, “ouch,” etc.) There are only a few thousand of these Cracked very rapidly

Hybrid attacks Common word with single digit at end, etc.

14


Password Policies

Good passwords

At least 6 characters long

Change of case not at beginning

Digit (0 through 9) not at end

Other keyboard character not at end

Example: triV6#ial

15


Password Policies

Testing and enforcing password policies

Run password cracking program against own servers

Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be

Password duration policies: How often passwords must be changed

16


Password Policies

Password sharing policies: Generally, forbid shared passwords

Removes ability to learn who took actions; loses accountability

Usually is not changed often or at all because of need to inform all sharers

17


Password Policies

Disabling passwords that are no longer valid

As soon as an employee leaves the firm, etc.

As soon as contractors, consultants leave

In many firms, a large percentage of all accounts are for people no longer with the firm

18


Password Policies

Lost passwords

Password resets: Help desk gives new password for the account

Opportunities for social engineering attacks

Leave changed password on answering machine

Biometrics: voice print identification for requestor (but considerable false rejection rate)

19


Password Policies

Lost passwords Automated password resets

Employee goes to website

Must answer a question, such as “In what city were you born?”

Problem of easily-guessed questions that can be answered with research

20

UNIX/etc/passwd File Entries

Plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh

plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/cshPassword Group ID Home Directory

User Name User ID GCOS Shell

Without Shadow Password File

With Shadow Password File

The x indicates that the password is storedin a separate shadow password file

21

UNIX/etc/passwd File Entries

Unix passwd File

Contains the username, password, and other information is semi-standard form

In the /etc directory that is accessible to anyone

Anyone can steal the passwd file and crack the passwords

Unix Shadow File

Newer versions of Unix store passwords in a protected shadow file

In the passwd file, there is an x in the password position

22


Password Policies

Encrypted (hashed) password files Passwords not stored in readable form

Encrypted with DES or hashed with MD5

In UNIX, etc/passwd puts x in place of password

Encrypted or hashed passwords are stored in a different (shadow) file to which only high-level accounts have access

23

Password Hashing (or Encryption)

Client PCUser Lee

Server

1.User = Lee

Password = My4Bad

2.Hash

My4Bad=

11110000

3.Hashes Match

Hashed Password FileBrown 11001100Lee 11110000Chun 00110011Hatori 11100010

4. Hashes Match,

So User isAuthenticated

24


Password Policies

Windows passwords

Obsolete LAN manager passwords (7 characters maximum) should not be used

Windows NTLM passwords are better

Option (not default) to enforce strong passwords

25


Shoulder Surfing Watch someone as they type their password

Keystroke Capture Software

Professional versions of windows protect RAM during password typing

Consumer versions do not

Trojan horse throws up a login screen later, reports its finding to attackers

26


Windows Client PC Software Consumer version login screen is not for security

Windows professional and server versions provide good security with the login password

BIOS passwords allow boot-up security Can be disabled by removing the PC’s battery But during a battery removal, the attacker will

be very visible

Screen savers with passwords allow away-from-desk security after boot-up

Physical Building Security

28

Building Security

Building Security Basics

Single point of (normal) entry to building

Fire doors, etc.: use closed-circuit television (CCTV) and alarms to monitor them

Security centers Monitors for closed-circuit TV (CCTV) Videotapes that must be retained (Don’t

reuse too much or the quality will be bad) Alarms

29

Building Security


Interior doors to control access between parts of the building Piggybacking: holding the door open so that

someone can enter without identification defeats this protection

Enforcing policies: You get what you enforce

Training security personnel

Training all employees

30

Building Security


Phone stickers with security center phone number

Thwarting piggybacking by employee education and sanctions for allowing it

Dumpster diving by keeping Dumpsters in locked, lighted area

Drive shredding programs for discarded disk drives that do more than reformat drives

31

Physical building Cabling

1. Equipment Room (Usually in Basement)

2. ToWAN

3. EntranceFacility withTerminationEquipment

5. CoreSwitch

(Chassis)

6. VerticalRiserSpace4. Router

32


3. TelecommunicationsCloset on Floor

2. Optical FiberOne Pair per Floor

4. Workgroup Switch

5. Horizontal Distribution

1. VerticalDistribution

33

WorkgroupSwitch inTelecoms

Closet


1. Horizontal DistributionOne 4-Pair UTP Cord

Horizontal and Final Distribution

34

Building Security

Data Wiring Security

Telecommunications closets should be locked

Wiring conduits should be hard to cut into

Servers rooms should have strong access security

Access Cards and Tokens

36

Access Cards

Magnetic Stripe Cards

Smart Cards

Have a microprocessor and RAM

More sophisticated than mag stripe cards

Release only selected information to different access devices

37

Access Cards

Tokens Small device with constantly-changing password

Or device that can plug into USB port or another port

Proximity Tokens Use short-range radio transmission

Can be detected and tested without physical contact

Allows easier access; used in Tokyo subways

38

Access Cards

Card Cancellation

Requires a central system

PINs

Personal Identification Numbers

Short: about 4 digits

Can be short because attempts are manual (10,000 combinations to try with 4 digits)

39

Access Cards

PINs

Should not allow obvious combinations (1111, 1234) or important dates

Provide two-factor authentication E.g., PIN and card Don’t allow writing PIN on card

Biometric Authentication

41



Authentication based on body measurements and motions

Because you always bring your body with you

Biometric Systems

Enrollment

Later access attempts Acceptance or rejection

42

Biometric Authentication System

1. Initial Enrollment

2. Subsequent Access

User LeeScanning

ApplicantScanning

Template DatabaseBrown 10010010Lee 01101001Chun 00111011Hirota 1101110… …

3. Match IndexDecision Criterion(Close Enough?)

Processing(Key Feature Extraction)

A=01, B=101, C=001

User LeeTemplate

(01101001)

UserAccess Data(01111001)

Processing(Key Feature Extraction)

A=01, B=111, C=001

43


Verification Versus Identification

Verification: Are applicants who they claim to be? (compare with single template)

Identification: Who is the applicant? (compare with all templates) More difficult than verification because must compare

to many templates

Watch list: is this person a member of a specific group (e.g., known terrorists) Intermediate in difficulty

44


Verification Versus Identification

Verification is good for replacing passwords in logins

Identification is good for door access and other situations where entering a name would be difficult

45


Precision

False acceptance rates (FARs): Percentage of unauthorized people allowed in

Person falsely accepted as member of a group

Person allowed through a door who should be allowed through it

Very bad for security

FAR

46


Precision

False rejection rates (FRRs): Percentage of authorized people not recognized as being members of the group

Valid person denied door access or server login because not recognized

Can be reduced by allowing multiple access attempts

High FRRs will harm user acceptance because users are angered by being falsely forbidden

FRR

47


Precision

Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances

For instance, having only small numbers of users in the database

For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world

48


User Acceptance is Crucial Strong user resistance can kill a system

Fingerprint recognition may have a criminal connotation

Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully.

These require a disciplined group

49


Biometric Methods

Fingerprint recognition

Dominates the biometric market today

Based on a finger’s distinctive pattern of whorls, arches, and loops

Simple, inexpensive, well-proven

Weak security: can be defeated fairly easily with copies

Useful in modest-security areas

50


Biometric Methods

Iris recognition

Pattern in colored part of eye

Very low FARs

High FRR if eye is not lined up correctly can harm acceptance

Reader is a camera—does not send light into the eye!

51


Biometric Methods

Face recognition Can be put in public places for

surreptitious identification (identification without citizen or employee knowledge). More later.

Hand geometry: shape of hand

Voice recognition High error rates Easy to fool with recordings

52


Biometric Methods

Keystroke recognition Rhythm of typing Normally restricted to passwords Ongoing during session could allow

continuous authentication

Signature recognition Pattern and writing dynamics

53


Biometric Standards

Almost no standardization

Worst for user data (fingerprint feature databases)

Get locked into single vendors

54


Can Biometrics be Fooled?

Airport face recognition

Identification of people passing in front of a camera

False rejection rate: rate of not identifying person as being in the database

Fail to recognize a criminal, terrorist, etc.

FRRs are bad

55




4-week trial of face recognition at Palm Beach International Airport

Only 250 volunteers in the user database (unrealistically small)

Volunteers were scanned 958 times during the trial

Only recognized 455 times! (47%)

53% FRR

56




Recognition rate fell if wore glasses (especially tinted), looked away

Would be worse with larger database

Would be worse if photographs were not good

57



DOD Tests indicate poor acceptance rates when subjects were not attempting to evade

270-person test

Face recognition recognized person only 51 percent of time

Even iris recognition only recognized the person 94 percent of the time!

58

Biometrics Authentication


Other research has shown that evasion is often successful for some methods

German c’t magazine fooled most face and fingerprint recognition systems

Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass

802.11 Wireless LAN Security

60

802.11 Wireless LAN (WLAN) Security

802.11 Wireless LAN Family of Standards

Basic Operation (Figure 2-12 on next slide)

Main wired network for servers (usually 802.3 Ethernet)

Wireless stations with wireless NICs

Access points

Access points are bridges that link 802.11 LANs to 802.3 Ethernet LANs

61

802.11 FrameContaining Packet

802.11 Wireless LAN

NotebookWith PC CardWireless NIC

EthernetSwitch

AccessPoint

Server


(2)

(3)

Client PC

(1)

62

802.11 Wireless LAN

NotebookWith PC CardWireless NIC

EthernetSwitch

AccessPoint

Server



(2)

(1)

Client PC

(3)

63


Basic Operation

Propagation distance: farther for attackers than users

Attackers can have powerful antennas and amplifiers

Attackers can benefit even if they can only read some messages

Don’t be lulled into complacency by internal experiences with useable distances

64

802.11 Wireless LAN Standards

StandardRated Speed

(a)UnlicensedRadio Band

EffectiveDistance (b)

802.11b 11 Mbps 2.4 GHz ~30-50 meters

802.11a 54 Mbps 5 GHz ~10-30 meters

802.11g 54 Mbps 2.4 GHz ?

Notes: (a) Actual speeds are much lower and decline with distance. (b) These are distances for good communication; attackers can read some signals and send attack frames from longer distances.

65


Apparent 802.11 Security

Spread spectrum transmission does not provide security

Signal is spread over a broad range of frequencies

Methods used by military are hard to detect

802.11 spread spectrum methods are easy to detect so devices can find each other

Used in 802.11 to prevent frequency-dependent propagation problems rather than for security

66


Apparent 802.11 Security SSIDs

Mobile devices must know the access point’s service set identifier (SSID) to talk to the access point

Usually broadcast frequently by the access point for ease of discovery, so offers no security.

Sent in the clear in messages sent between stations and access points

67


Wired Equivalent Privacy (WEP)

Biggest security problem: Not enabled by default

40-bit encryption keys are too small Nonstandard 128-bit (really 104-bit) keys are

reasonable interoperable

68


Wired Equivalent Privacy (WEP)

Shared passwords

Access points and all stations use the same password

Difficult to change, so rarely changed

People tend to share shared passwords too widely

Flawed security algorithms Algorithms were selected by cryptographic

amateurs

69


802.1x and 802.11i (Figure 2-14)

Authentication server

User data server

Individual keys give out at access point

70

802.1x Authentication for 802.11i WLANs

AccessPoint

Applicant(Lee)

1.Authentication

Data

2.Pass on Request to

RADIUS Server

3.Get User Lee’s Data(Optional; RADIUSServer May Store

This Data)

4. AcceptApplicant Key=XYZ

5. OKUse

Key XYZ

DirectoryServer orKerberos

Server

RADIUS Server

71


802.1x and 802.11

Control access when the user connects to the network At a wired RJ-45 jack At a wireless access point

802.1x is a general approach to port authentication 802.11i is the implementation of 802.1x on

802.11 wireless LANs

72


802.1x and 802.11

Extensible Authentication Protocol (EAP) Supports multiple forms of authentication

EAP-TLS EAP-TTLS PEAP

73


802.1x and 802.11

Extensible Authentication Protocol (EAP) Authentication mechanisms

Passwords Simple and inexpensive to implement Low security

Digital Certificate Complex and expensive to install digital

certificates on many devices Very strong authentication

74


Client Authentication

Access Point Authentication

Comment

EAP-TLS Digital Certificate orNothing at all

Digital Certificate

Expensive client authentication or none

EAP-TTLS Password or other authentication method

Digital Certificate

Fits reality that many users have passwords

PEAP (Protected EAP)

Password or other authentication method

Digital Certificate

Strong. Supported by Microsoft, Cisco, and RSA

75


TLS The default for 802.11i security but choice of

either digital certificates for clients or no client authentication is undesirable

PEAP and TTLS Very similar in terms of the authentication

methods they support

PEAP is supported by Microsoft, Cisco, and RSA

TTLS is supported by a consortium of other vendors

76


802.1x and 802.11i (Figure 2-14)

After authentication, the client must be given a key for confidentiality

Temporal Key Integrity Protocol (TKIP) is used in 802.11i and 802.1x

Key changed every 10,000 frames to foil data collection for key guessing

This is an Advanced Encryption Standard (AES) key

77

Wi-Fi and WPA

Wi-Fi Alliance

Industry group that certifies 802.11 systems

Created the Wi-Fi Protected Access (WPA) system in 2002

WPA is basically 802.11i But does not use AES keys Many installed wireless products can be

upgraded to WPA Stop-gap measure before 802.11i

78

802.11i Today

802.11i standard was released in July 2004

But products started appearing in 2003

What must firms do?

Throw out WEP-only products In security, legacy technologies are not

acceptable

Decide if it can have WPA and 802.11i products co-exist

79


Virtual Private Networks (VPNs)

Add security on top of network technology to compensate for WLAN weaknesses

Discussed in Chapter 8

WLAN, etc.

VPN

80

The Situation Today in Wireless Security

Wireless security is poor in most installations today

The situation is improving, and technology will soon be good

But old installations are likely to remain weak links in corporate security

81

Topics Covered

Policy-Driven Access Control

Identify resources

Create an access policy for each

Let the policy drive implementation and testing

82

Topics Covered

Password-Based Access Control

Reusable passwords are inexpensive because built into servers

Usually weak because people often pick cracked passwords

Hacking root is a key goal

Password resets are necessary but dangerous

83

Topics Covered

Building Security

Single point of (normal) entry to building

Fire doors, etc.: use CCTV and alarms

Security centers

Interior doors locked (but piggybacking)

Dumpster diving control

Securing building wiring, including telecommunications closets

84

Topics Covered

Access Cards and Tokens

Magnetic strip cards

Smart cards with CPU and Memory

Tokens Tokens with constantly-changing passwords Tokens that plug into USB ports

Proximity cards with radio communication

Pins can be short because of manual entry

85

Topics Covered

Biometric Authentication Can replace reusable passwords

Fingerprint scanning dominates biometrics Inexpensive, somewhat secure

Iris recognition is more precise

Face recognition can be done surreptitiously

Identification vs verification vs watch list

FARs and FRRs

Often easily deceived by attackers

86

Topics Covered


Signals travel outside building, allowing drive-by hacking

Initial security was WEP Often not even turned on Very easily cracked because uses shared

static key for both confidentiality and authentication

Some firms added passwords and/or VPNs to allow secure communication anyway

87

Topics Covered


Now, 802.11i security

Based on 802.1x security for wired LANs

Sophisticated authentication

EAP supports multiple methods

Not a single standard, so problems with equipment interoperability

Strong AES confidentiality

88

Topics Covered


Now, 802.11i security Requires an infrastructure

Central authentication server Adequate for corporate needs

Today Buy only 802.11i equipment See if can keep WPA (post-WEP/pre-802.11i)

products Discard WEP products

89

End of Lecture

Documents

Lecture 15 Access Control Processes