Cyber Security

Lecture for July 2, 2010

Access Control

Dr. Bhavani Thuraisingham

12/17/23 11:08

13-2

Outline
0 Access Control Overview
0 Identification, Authentication, Authorization, Accountability
0 Single Sign-on and Kerberos
0 Access Control Models
0 Access Control Techniques and Technologies
0 Access Control Administration
0 Access Control Monitoring: Intrusion Detection
0 Threats to Access Control
12/17/23 11:08

13-3

Access Control
0 Access control is a system which enables an authority to control
access to areas and resources in a given physical facility or
computer-based information system.
0 In computer security, access control includes authentication,
authorization and audit. It also includes measures such as physical
devices, including biometric scans and metal locks, hidden paths,
digital signatures, encryption, social barriers, and monitoring by
humans and automated systems.
0 In any access control model, the entities that can perform actions in
the system are called subjects, and the entities representing
resources to which access may need to be controlled are called
objects (see also Access Control Matrix). Subjects and objects
should both be considered as software entities and as human users
12/17/23 11:08

13-4

Access Control
0 Access control models used by current systems tend to fall into one
of two classes: those based on capabilities and those based on
access control lists (ACLs).
0 In a capability-based model, holding an unforgeable reference or
capability to an object provides access to the object
0 Access is conveyed to another party by transmitting such a
capability over a secure channel.
0 In an ACL-based model, a subject's access to an object depends on
whether its identity is on a list associated with the object
12/17/23 11:08

13-5

Identification, Authentication, Authorization

0 Access control systems provide the essential services of
identification and authentication (I&A), authorization, and
accountability where:
0 identification and authentication determine who can log on to a
system, and the association of users with the software subjects that
they are able to control as a result of logging in;
0 authorization determines what a subject can do;
0 accountability identifies what a subject (or all subjects associated
with a user) did.
12/17/23 11:08

13-6

Identification, Authentication, Authorization

0 Identification and authentication (I&A): Identification and
authentication (I&A) is the process of verifying that an identity is
bound to the entity that makes an assertion or claim of identity. The
I&A process assumes that there was an initial validation of the
identity, commonly called identity proofing. Various methods of
identity proofing are available ranging from in person validation
using government issued identification to anonymous methods that
allow the claimant to remain anonymous, but known to the system if
they return. The method used for identity proofing and validation
should provide an assurance level commensurate with the intended
use of the identity within the system. Subsequently, the entity
asserts an identity together with an authenticator as a means for
validation. The only requirements for the identifier is that it must be
unique within its security domain.
12/17/23 11:08

13-7

Identification, Authentication, Authorization

0 Authenticators are commonly based on at least one of the following
four factors:
0 Something you know, such as a password or a personal
identification number (PIN). This assumes that only the owner of the
account knows the password or PIN needed to access the account.
0 Something you have, such as a smart card or security token. This
assumes that only the owner of the account has the necessary smart
card or token needed to unlock the account.
0 Something you are, such as fingerprint, voice, retina, or iris
characteristics.
0 Where you are, for example inside or outside a company firewall, or
proximity of login location to a personal GPS device.
12/17/23 11:08

13-8

Identification, Authentication, Authorization

0 Authorization: Authorization applies to subjects. Authorization
determines what a subject can do on the system.
0 Most modern operating systems define sets of permissions that are
variations or extensions of three basic types of access:
0 Read (R): The subject can
- Read file contents, List directory contents
0 Write (W): The subject can change the contents of a file or directory
with the following tasks:
- Add, Create, Delete, Rename
0 Execute (X): If the file is a program, the subject can cause the
program to be run. (In Unix systems, the 'execute' permission
doubles as a 'traverse directory' permission when granted for a
directory.)
12/17/23 11:08

13-9

Identification, Authentication, Authorization

0 These rights and permissions are implemented differently in systems based
on discretionary access control (DAC) and mandatory access control (MAC).
0 Accountability: Accountability uses such system components as audit trails
(records) and logs to associate a subject with its actions. The information
recorded should be sufficient to map the subject to a controlling user.
0 Audit trails and logs are important for Detecting security violations, Re-
creating security incidents
0 If no one is regularly reviewing your logs and they are not maintained in a
secure and consistent manner, they may not be admissible as evidence.
0 Many systems can generate automated reports based on certain predefined
criteria or thresholds, known as clipping levels. For example, a clipping level
may be set to generate a report for the following: More than three failed logon
attempts in a given period, Any attempt to use a disabled user account, These
reports help a system administrator or security administrator to more easily
identify possible break-in attempts.
12/17/23 11:08

13-10

Single Sign-On
0 Single sign-on (SSO) is a property of access control of multiple,
related, but independent software systems. With this property a user
logs in once and gains access to all systems without being
prompted to log in again at each of them. Single sign-off is the
reverse property whereby a single action of signing out terminates
access to multiple software systems.
0 As different applications and resources support different
authentication mechanisms, single sign-on has to internally
translate to and store different credentials compared to what is used
for initial authentication.
12/17/23 11:08

13-11

Single Sign-on Kerberos

0 Kerberos is a computer network authentication protocol, which
allows nodes communicating over a non-secure network to prove
their identity to one another in a secure manner. It is also a suite of
free software published by MIT that implements this protocol. Its
designers aimed primarily at a client–server model, and it provides
mutual authentication — both the user and the server verify each
other's identity. Kerberos protocol messages are protected against
eavesdropping and replay attacks.
0 Kerberos builds on symmetric key cryptography and requires a
trusted third party, and optionally may use public-key cryptography
by utilizing asymmetric key cryptography during certain phases of
authentication
12/17/23 11:08

13-12

Kerberos
0 Kerberos uses as its basis the symmetric Needham-Schroeder
protocol. It makes use of a trusted third party, termed a key
distribution center (KDC), which consists of two logically separate
parts: an Authentication Server (AS) and a Ticket Granting Server
(TGS). Kerberos works on the basis of "tickets" which serve to prove
the identity of users.
0 The KDC maintains a database of secret keys; each entity on the
network — whether a client or a server — shares a secret key known
only to itself and to the KDC. Knowledge of this key serves to prove
an entity's identity. For communication between two entities, the
KDC generates a session key which they can use to secure their
interactions.
0 The security of the protocol relies heavily on participants
maintaining loosely synchronized time and on short-lived assertions
of authenticity called Kerberos tickets.
12/17/23 11:08

13-13

Kerberos
0 The client authenticates itself to the Authentication Server and
receives a ticket. (All tickets are time-stamped.)
0 It then contacts the Ticket Granting Server, and using the ticket it
demonstrates its identity and asks for a service.
0 If the client is eligible for the service, then the Ticket Granting
Server sends another ticket to the client.
0 The client then contacts the Service Server, and using this ticket it
proves that it has been approved to receive the service.
12/17/23 11:08

13-14

Kerberos: Drawbacks
0 Single point of failure: It requires continuous availability of a central server.
When the Kerberos server is down, no one can log in. This can be mitigated
by using multiple Kerberos servers and fallback authentication mechanisms.
0 Kerberos requires the clocks of the involved hosts to be synchronized. The
tickets have a time availability period and if the host clock is not
synchronized with the Kerberos server clock, the authentication will fail. The
default configuration requires that clock times are no more than five minutes
apart. In practice Network Time Protocol daemons are usually used to keep
the host clocks synchronized.
0 The administration protocol is not standardized and differs between server
implementations.
0 Since all authentication is controlled by a centralized KDC, compromise of
this authentication infrastructure will allow an attacker to impersonate any
user.
12/17/23 11:08

13-15

Access Control Techniques

0 Role based access control
0 Constrained user interfaces
0 Access control Matrix
0 Content dependent access control
0 Content dependent access control
12/17/23 11:08

13-16

Access Control
0 Access control techniques: Access control techniques are sometimes
categorized as either discretionary or non-discretionary. The three most
widely recognized models are Discretionary Access Control (DAC),
Mandatory Access Control (MAC), and Role Based Access Control (RBAC).
MAC and RBAC are both non-discretionary.
0 Attribute-based Access Control: In attribute-based access control, access is
granted not based on the rights of the subject associated with a user after
authentication, but based on attributes of the user. The user has to prove so
called claims about his attributes to the access control engine. An attribute-
based access control policy specifies which claims need to satisfied in order
to grant access to an object. For instance the claim could be "older than 18" .
Any user that can prove this claim is granted access. Users can be
anonymous as authentication and identification are not strictly required. One
does however require means for proving claims anonymously. This can for
instance be achieved using Anonymous credentials.
12/17/23 11:08

13-17

Access Control
0 Discretionary access control: (DAC) is an access policy determined
by the owner of an object. The owner decides who is allowed to
access the object and what privileges they have.
0 Two important concepts in DAC are
0 File and data ownership: Every object in the system has an owner. In
most DAC systems, each object's initial owner is the subject that
caused it to be created. The access policy for an object is
determined by its owner.
0 Access rights and permissions: These are the controls that an owner
can assign to other subjects for specific resources.
0 Access controls may be discretionary in ACL-based or capability-
based access control systems. (In capability-based systems, there is
usually no explicit concept of 'owner', but the creator of an object
has a similar degree of control over its access policy.)
12/17/23 11:08

13-18

Access Control
0 Mandatory access control: (MAC) is an access policy determined by the
system, not the owner. MAC is used in multilevel systems that process highly
sensitive data, such as classified government and military information. A
multilevel system is a single computer system that handles multiple
classification levels between subjects and objects.
0 Sensitivity labels: In a MAC-based system, all subjects and objects must have
labels assigned to them. A subject's sensitivity label specifies its level of
trust. An object's sensitivity label specifies the level of trust required for
access. In order to access a given object, the subject must have a sensitivity
level equal to or higher than the requested object.
0 Data import and export: Controlling the import of information from other
systems and export to other systems (including printers) is a critical function
of MAC-based systems, which must ensure that sensitivity labels are properly
maintained and implemented so that sensitive information is appropriately
protected at all times.
12/17/23 11:08

13-19

Access Control
0 Two methods are commonly used for applying mandatory access
control:
0 Rule-based (or label-based) access control: This type of control
further defines specific conditions for access to a requested object.
All MAC-based systems implement a simple form of rule-based
access control to determine whether access should be granted or
denied by matching:
- An object's sensitivity label
- A subject's sensitivity label
0 Lattice-based access control: These can be used for complex access
control decisions involving multiple objects and/or subjects. A
lattice model is a mathematical structure that defines greatest lower-
bound and least upper-bound values for a pair of elements, such as
a subject and an object.
12/17/23 11:08

13-20

Access Control
0 Role-based access control: (RBAC) is an access policy determined
by the system, not the owner. RBAC is used in commercial
applications and also in military systems, where multi-level security
requirements may also exist. RBAC differs from DAC in that DAC
allows users to control access to their resources, while in RBAC,
access is controlled at the system level, outside of the user's
control.
0 Although RBAC is non-discretionary, it can be distinguished from
MAC primarily in the way permissions are handled. MAC controls
read and write permissions based on a user's clearance level and
additional labels. RBAC controls collections of permissions that may
include complex operations such as an e-commerce transaction, or
may be as simple as read or write. A role in RBAC can be viewed as
a set of permissions.
12/17/23 11:08

13-21

Access Control
0 Three primary rules are defined for RBAC:
0 1. Role assignment: A subject can execute a transaction only if the
subject has selected or been assigned a role.
0 2. Role authorization: A subject's active role must be authorized for
the subject. With rule 1 above, this rule ensures that users can take
on only roles for which they are authorized.
0 3. Transaction authorization: A subject can execute a transaction
only if the transaction is authorized for the subject's active role. With
rules 1 and 2, this rule ensures that users can execute only
transactions for which they are authorized.
0 Additional constraints may be applied as well, and roles can be
combined in a hierarchy where higher-level roles subsume
permissions owned by sub-roles.
0 Most IT vendors offer RBAC in one or more products.
12/17/23 11:08

13-22

What is Biometrics?
0 Biometrics are automated methods of recognizing a person based
on a physiological or behavioral characteristic
0 Features measured: Face, Fingerprints, Hand geometry, handwriting,
Iris, Retinal, Vein and Voice
0 Identification and personal certification solutions for highly secure
applications
0 Numerous applications: medical, financial, child care, computer
access etc.
0 Biometrics replaces Traditional Authentication Methods
0 Provides better security
0 More convenient
0 Better accountability
0 Applications on Fraud detection and Fraud deterrence
0 Dual purpose: Cyber Security and National Security
12/17/23 11:08

13-23

What is the Process?

0 Three-steps: Capture-Process-Verification
0 Capture: A raw biometric is captured by a sensing device
such as fingerprint scanner or video camera
0 Process: The distinguishing characteristics are extracted
from the raw biometrics sample and converted into a
processed biometric identifier record
- Called biometric sample or template
0 Verification and Identification
- Matching the enrolled biometric sample against a single
record; is the person really what he claims to be?
- Matching a biometric sample against a database of
identifiers
12/17/23 11:08

13-24

Why Biometrics?
0 Authentication mechanisms often used are User ID and Passwords
0 However password mechanisms have vulnerabilities: Stealing
passwords
0 Biometrics systems are less prone to attacks
0 Need sophisticated techniques for attacks
- Cannot steal facial features and fingerprints
- Need sophisticated image processing techniques for modifying
facial features
0 Biometrics systems are more convenient, Need not have multiple
passwords or difficult passwords
- E.g., characters, numbers and special symbols, Need not
remember passwords
0 Need not carry any cards or tokens
0 Better accountability: Can determine who accessed the system with
less complexity
12/17/23 11:08

13-25

What is Secure Biometrics?

0 Study the attacks of biometrics systems
- Modifying fingerprints
- Modifying facial features
0 Develop a security policy and model for the system
- Application independent and Application specific policies
- Enforce Security constraints
= Entire face is classified but the nose can be displayed
- Develop a formal model
- Formalize the policy
0 Design the system and identify security critical components
- Reference monitor for biometrics systems
12/17/23 11:08

13-26

Security Vulnerabilities
0 Type 1 attack: present fake biometric such a synthetic
biometric
0 Type 2 attack: Submit a previously intercepted biometric
data: replay
0 Type 3 attack: Compromising the feature extractor module to
give results desired by attacker
0 Type 4 attack: Replace the genuine feature values produced
by the system by fake values desired by attacker
0 Type 5 attack: Produce a high number of matching results
0 Type 6 attack: Attack the template database: add templates,
modify templates etc.
12/17/23 11:08

13-27

Biometric Terms: Verification and Identification

0 Verification
- User claims an identity for biometric comparison
- User then provides biometric data
- System tries to match the user’s biometric with the large
number of biometric data in the database
- Determines whether there is a match or a no match
- Network security utilizes this process
0 Identification
- User does not claim an identity, but gives biometric data
- System searches the database to see if the biometric
provided is stored in the database
- Positive or negative identification
- Prevents from enrolling twice for claims
- Used to enter buildings
12/17/23 11:08

13-28

Biometric Process
0 User enrolls in a system and provides biometric data
0 Data is converted into a template
0 Later on user provides biometric data for verification or
identification
0 The latter biometric data is converted into a template
0 The verification/identification template is compared with the
enrollment template
0 The result of the match is specified as a confidence level
0 The confidence level is compared to the threshold level
0 If the confidence score exceeds the threshold, then there is a
match
0 If not, there is no match
12/17/23 11:08

13-29

Enrollment and Template Creation

0 Enrollment
- This is the process by which the user’s biometric data is
acquired
- Templates are created
0 Presentation
- User presents biometric data using hardware such as
scanning systems, voice recorders, etc.
0 Biometric data
- Unprocessed image or recording
0 Feature extraction
- Locate and encode distinctive characteristics from
biometric data
12/17/23 11:08

13-30
Data Types and Associated Biometric
Technologies
0 Finger scan: Fingerprint Image
0 Voice scan: Voice recording
0 Face scan: Facial image
0 Iris scan: Iris image
0 Retina scan: Retina image
0 Hand scan: Image of hand
0 Signature scan: Image of signature
0 Keystroke scan: Recording of character types
12/17/23 11:08

13-31

Templates
0 Templates are NOT compressions of biometric data; they are
constructed from distinctive features extracted
0 Cannot reconstruct the biometric data from templates
0 Same biometric data supplied by a user at different times may
results in different templates
0 When the biometric algorithm is applied to these templates, it
will recognize them as the same biometric data
0 Templates may consist of strings of characters and numeric
values
0 Vendor systems are heterogeneous; standards are used for
common templates and for interoperability
12/17/23 11:08

13-32

Biometric Matching
0 Part of the Biometric process: Compares the user provided
template with the enrolled templates
0 Scoring:
- Each vendor may use a different score for matching; 1-10
or -1 to 1
- Scores also generated during enrollment depending on
the quality of the biometric data
- User may have to provide different data if enrollment
score is low
0 Threshold is generated by system administrator and varies
from system to system and application to application
0 Decision depending on match/ nomatch
- 100% accuracy is generally not possible
12/17/23 11:08

13-33

False Match Rate

0 System gives a false positive by matching a user’s biometric
with another user’s enrollment
- Problem as an imposter can enter the system
0 Occurs when two people have high degree of similarity
- Facial features, shape of face etc.
- Template match gives a score that is higher than the
threshold
- If threshold is increased then false match rate is reduced,
but False no match rate is increased
0 False match rate may be used to eliminate the non-matches
and then do further matching
12/17/23 11:08

13-34

False Nonmatch rate

0 User’s template is matched with the enrolled templates and
an incorrect decision of nonmatch is made
0 Consequence: user is denied entry
0 False nonmatch occurs for the following reasons
- Changes in user’s biometric data
- Changes in how a user presents biometric data
- Changes in environment in which data is presented
0 Major focus has been on reducing false match rate and as a
result there are higher false nonmatch rates
12/17/23 11:08

13-35

Access Conrol Administration

0 Access Contol Administration will work out how the organiztion will
adninistrw access control: Centralzied or Distributed.
0 Terminal Access Controller Access-Control System (TACACS) is a remote
authentication protocol that is used to communicate with an authentication
server commonly used in UNIX networks.
0 TACACS allows a client to accept a username and password and send a
query to a TACACS authentication server, sometimes called a TACACS
daemon or XTACACS. This server was normally a program running on a host.
The host would determine whether to accept or deny the request and send a
response back. The TIP (routing node accepting dial-up line connections,
which the user would normally want to log in into) would then allow access or
not, based upon the response.
0 TACACS+ and RADIUS have generally replaced TACACS. TACACS+ is an
entirely new protocol and not compatible with TACACS or XTACACS.
TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses
the User Datagram Protocol (UDP).
12/17/23 11:08

13-36

Intrusion Detection System

0 An IDS is a device (or application) that monitors network and/or
system activities for malicious activities or policy violations and
produces reports to a Management Station.[
0 Intrusion prevention is the process of performing intrusion detection
and attempting to stop detected possible incidents.
0 Intrusion detection and prevention systems (IDPS) are primarily
focused on identifying possible incidents, logging information about
them, attempting to stop them, and reporting them to security
administrators.
12/17/23 11:08

13-37

Intrusion Detection System

0 For the purpose of dealing with IT, there are two main types of IDS's:
network-based and host-based IDS.
0 In a network-based intrusion-detection system (NIDS), the sensors
are located at choke points in the network to be monitored, often in
the demilitarized zone (DMZ) or at network borders. The sensor
captures all network traffic and analyzes the content of individual
packets for malicious traffic.
0 In a host-based system, the sensor usually consists of a software
agent, which monitors all activity of the host on which it is installed,
including file system, logs and the kernel. Some application-based
IDS are also part of this category.
12/17/23 11:08

13-38

Threats to Access Control

0 Dictionary Attack
0 Brute Force Attack
0 Spoofing at Logon
0 Phishing
0 Identity Theft