Module 03-Access Control

The document discusses the concepts of authentication and authorization in information security, emphasizing the importance of preventing, detecting, and recovering from attacks. It details the role of passwords in confirming identity, the challenges associated with password security, and various models of access control, including the Bell-LaPadula and Biba models. Additionally, it covers the evolution of access control mechanisms and the significance of policies, models, and mechanisms in managing access rights to resources.


CSC432 – INFORMATION SECURITY
Sidra Nasir
Module # 3

AUTHENTICATION & AUTHORIZATION
Goals of security
 Prevention
   How to prevent an attack
 Detection
   How to detect an attack
 Recovery
   How to recover from an attack
Authentication vs. Authorization
 Authentication
   Who are you?
   Passwords
 Authorization
   What you can do
   Access control
Passwords
 Confirms an entity’s identity
 Various approaches
   Something you know
     passwords
   Something you have
     University ID cards
     ATM cards
   Something you are
     Fingerprints
     Face recognition
     Voice recognition
     Retina recognition
 Examples?
 Also used in combination (more than one approach at once)
Passwords

What is a Password?
 Combination of characters (available from the keyboard)
 Should be secure and easy to use
 Passphrase: sequence of words or text
   Spaces allowed
   Usually longer than a password
Passwords

Problems With Passwords
 Attacker may see the password when it is used
 Attacker may read the file where the computer stores passwords
 Your password might be easy to guess at your computer
 Your password might be crackable offline (brute force)
 Your password might be secure, but the system may become too inconvenient to use (e.g. a very long password)
Passwords

Online Password Guessing
 Try to guess the password while the system is in use
   Attacker has only a limited time
   Guesses can be recorded/tracked
 Security depends on:
   Number of incorrect guesses allowed
   Consequence of too many incorrect guesses
 Approaches to make the system more secure:
   Lock the system (e.g. the account) after too many guesses
   Limit the speed at which guesses can be made
   Try to find the attacker
   Make passwords harder to guess
Passwords

Offline Password Guessing
 Try to guess the password outside of the normal operation of the system
   Attacker has no restrictions on time or computing resources
   Guesses are not recorded
 Passwords are stored on the system
   Store a cryptographic hash of the password, not the password itself
   Limit read access to the password file/database
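The two defences on the last two slides side by side, as an added Python example (not code from the slides): a salted, iterated hash so an offline attacker must pay for every guess, and a failed-guess counter that locks the account so online guesses are both recorded and limited. The iteration count, lock threshold and dummy salt are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # slow hash: each offline guess costs the attacker this much work
MAX_FAILED_GUESSES = 5       # online guessing: lock the account after this many wrong tries
DUMMY_SALT = b"\x00" * 16    # used for unknown users so timing does not reveal valid names


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Constructed example: keeps (salt, hash, failed count, locked flag) per user."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed hash tables
        self._records[username] = {"salt": salt, "hash": hash_password(password, salt),
                                   "failed": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        rec = self._records.get(username)
        return bool(rec and rec["locked"])

    def verify(self, username: str, guess: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'."""
        rec = self._records.get(username)
        if rec is None:
            hash_password(guess, DUMMY_SALT)  # burn the same time for unknown users
            return "wrong"
        if rec["locked"]:
            return "locked"  # even a correct guess is refused once locked
        if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
            rec["failed"] = 0  # a successful login resets the counter
            return "ok"
        rec["failed"] += 1  # every wrong guess is recorded
        if rec["failed"] >= MAX_FAILED_GUESSES:
            rec["locked"] = True
            return "locked"
        return "wrong"
```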
Attacks on password system
 Dictionary attack
   Guessing the password by repeated trial and error
   How many combinations? For lowercase letters only, 26^length
 Counter guessing
   Proactive password checker
     Rejects easy passwords
     Rejects re-used passwords
     Implements password aging
Passwords
 The best way to explain how to choose a good password is to explain how they're broken
Passwords
 Generally, the attacks on passwords are based on a model known as an offline password-guessing attack
   The attacker gets a file of encrypted passwords
   Turn that encrypted file into unencrypted passwords, by guessing passwords, and then seeing if they're correct
   Yes, there are ways to foil this attack, and that's why we can still have four-digit PINs on ATM cards, but it's the correct model for breaking passwords
 There are commercial programs (hacker tools) that do password cracking, and they're really good
Passwords
 The efficiency of password cracking depends on two largely independent things: power and efficiency
 Power (computing power) means powerful computers that test more passwords per second
   One program advertises eight million per second
 Efficiency, on the other hand, is the ability to guess passwords cleverly
   Try the most common passwords first
   It doesn't make sense to run through every eight-letter combination (200 billion possible passwords) from "aaaaaaaa" to "zzzzzzzz", in order
Passwords
 Typically passwords consist of a root plus an appendage
   Root not necessarily a dictionary word, but usually something pronounceable
   An appendage is either a suffix (90% of the time) or a prefix (10% of the time)
 Examples of roots: "letmein", "temp", "123456"
 Examples of suffix appendages: "1", "4u", "2014", "007", "!"
Passwords
 Password cracking programs use different dictionaries
   English words, names, foreign words, phonetic patterns and so on for roots
   Two digits, dates, postal codes, single symbols and so on for appendages
   They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a", "1" for "l" and so on
 Modern password crackers combine different words from their dictionaries
   They can be fed with any personal information about the password creator
   They can test names and addresses from the address book, meaningful dates, and any other personal information
   If you ever saved an e-mail with your password, or kept it in an obscure file somewhere, or if your program ever stored it in memory, they can grab it
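The proactive password checker from the "Counter guessing" slide, built around the root-plus-appendage model and the substitutions just described: it recovers the roots a cracker would recover (with the appendage stripped and the substitutions undone) and rejects a password whose root is in the word list. Added Python example, not code from the slides; the word list, appendage shapes and minimum length are constructed assumptions.

```python
import re

# Constructed mini word list of roots; a real checker loads a large dictionary
COMMON_ROOTS = {"letmein", "temp", "123456", "password", "qwerty", "welcome", "monkey"}
# Undo the substitutions crackers try: "$" for "s", "@" for "a", "1" for "l" (plus two common extras)
UNDO_SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})
# Appendage shapes from the slides: digits or years, "4u", a single symbol (possibly repeated)
APPENDAGE = r"(?:\d{1,4}|4u|[!@#$%^&*?.])"
MIN_LENGTH = 8  # assumption for this example


def candidate_roots(password: str) -> set:
    """Every root a cracker would recover from the password: with and without a
    prefix appendage (10% case) or suffix appendage (90% case), and with the
    common character substitutions undone."""
    base = password.lower()
    no_prefix = re.sub(rf"^(?:{APPENDAGE})+", "", base)
    no_suffix = re.sub(rf"(?:{APPENDAGE})+$", "", base)
    no_both = re.sub(rf"(?:{APPENDAGE})+$", "", no_prefix)
    variants = {base, no_prefix, no_suffix, no_both}
    return variants | {v.translate(UNDO_SUBSTITUTIONS) for v in variants}


def check_password(password: str, previous: set) -> str:
    """Proactive check: returns 'ok' or the reason the password is rejected.
    `previous` is the set of this user's earlier passwords (constructed input)."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password in previous:
        return "reused"
    weak = candidate_roots(password) & COMMON_ROOTS
    if weak:
        return "root in cracking dictionary: " + sorted(weak)[0]
    return "ok"
```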
Passwords
 There are schemes for generating passwords, e.g. stringing together individual words like "correcthorsebatterystaple"
   No longer good practice (password crackers are on to this trick)
 Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible
   The winner got 90% of them, the loser 62%
   It's the same sort of thing we saw in 2012, 2007, and earlier
   If there's any new news, it's that this kind of thing is getting easier faster than people think
 Pretty much anything that can be remembered can be cracked
Passwords
 So, what’s the solution? How to create a strong (secure) password?
   Define your own scheme

“So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence, ‘something personal’.”
"Schneier scheme"
Passwords
 Here are some examples:
   WIw7,mstmstootc = When I was seven, my sister threw my stuffed teddy out of the car
   Wow,doestcst = Wow, does that couch smell terrible
   Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all
   uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure
 The idea is to combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password
 Even better is to use random unmemorable alphanumeric passwords
Passwords
There's more to passwords than simply choosing a good one:
 Never reuse a password you care about
   Even if you choose a secure password, the site it's for could leak it because of its own incompetence
   You don't want someone who gets your password for one application or site to be able to use it for another
 Don't bother updating your password regularly
   Requirements for 90-day (or whatever) password changes do more harm than good
   Unless you think your password might be compromised, don't change it
 Beware the "secret question"
   This backup system is easier to break than your password
 Never write your passwords on a piece of paper and secure that piece of paper
Authorization
 What can someone do?
 The function of specifying access rights to resources
 The system uses this to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected)
Important Terms
 Policy
   High-level requirements that specify how access is managed, who may access what information
   A statement of what is, and what is not, allowed
 Model
   Provides a formal representation of the access control policy and its working
 Mechanism
   Defines the low-level (software and hardware) functions that implement the controls imposed by the policy and formally stated in the model
 Models bridge the wide gap in abstraction between policy and mechanism
Lampson 1969
 Emergence of the multiuser environment
   People realized the need to prevent interference with each other
 So, a model was developed that
   associates users with identities and
   assigns permissions over system resources based on those identities
 That earliest model in 1969
   introduced the formal notions of subjects and objects,
   and an access control matrix to hold the access permissions
Lampson 1969
Bell-LaPadula model 1973
 Formulated the military rules for military security applications into a mathematical model
   Military security forms a hierarchy
   Higher-rank documents are only accessible to higher-rank officials
 The model introduced the multilevel secure system
 Users are only allowed to access information which is classified as lower than their own security clearance
 This way confidential information is restricted
Bell-LaPadula model 1973
Biba’s integrity model 1977
 BLP was designed for the confidentiality of the data
   It does nothing for integrity
 To bridge this gap, Biba’s integrity model was introduced
 The Biba model allows a subject to read an object if the object has a greater security level than the subject
 The model further states that a subject can only write to an object if the security level of the subject is higher than that of the object
 In general, an object can only be written from the higher levels and read from the lower levels
 It was not an alternative to Bell-LaPadula but can act as an adjunct to it
DoD models 1985
 The United States Department of Defense (DoD) published its own standards for military and personal applications, commonly known as
 MAC (mandatory access control)
   One administrator controls every system resource and manages its access for all the users in the system
 DAC (discretionary access control)
   Supports ownership, local control and other requirements of personal applications
Clark Wilson model 1987
 There are two central concepts in their model:
 Well-formed transaction
   Constrains the user to modify data only in an authorized way
 Separation of duty (SoD)
   Ensures that every critical operation must be completed by at least two users
Chinese wall policy 1989
 Brewer and Nash model
 Distributes objects into company-wise datasets and categorizes them into conflict of interest (COI) circles
 A subject can read an object if
   the object belongs to the same dataset from which the subject has previously read, or
   the subject has not read some other object from the same conflict of interest circle
Chinese wall policy
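The Brewer-Nash read rule from the slide above, as an added Python example (not code from the slides): the wall is built from each subject's own read history, so the same request can be allowed for one subject and refused for another. The write rule is included as an extension the slide does not cover; company and COI names are constructed.

```python
class ChineseWall:
    """Constructed example of the Brewer-Nash rules. Objects are grouped into company
    datasets, and each dataset belongs to one conflict-of-interest (COI) class."""

    def __init__(self, coi_of_dataset: dict):
        self.coi_of = dict(coi_of_dataset)   # dataset name -> COI class name
        self.history = {}                    # subject -> set of datasets already read

    def can_read(self, subject: str, dataset: str) -> bool:
        read_so_far = self.history.get(subject, set())
        if dataset in read_so_far:
            return True   # same dataset the subject has read before
        coi = self.coi_of[dataset]
        # refused if the subject has already read a different dataset in the same COI class
        return not any(self.coi_of[d] == coi for d in read_so_far)

    def read(self, subject: str, dataset: str) -> bool:
        """Performs the read and records it; every read narrows what the subject may read next."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject: str, dataset: str) -> bool:
        """Brewer-Nash write rule (not on the slide): a subject may write to a dataset only
        if it may read it and has read no other company's dataset, so one writer cannot
        carry information from one company into another's data."""
        read_so_far = self.history.get(subject, set())
        return self.can_read(subject, dataset) and read_so_far <= {dataset}
```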
Role based access control 1992
 System-wide roles, which are assigned permissions over resources
 In order to access a resource,
   the user needs to be a member of some role, and
   that role must have access rights over the requested resource
Rule based access control
 Supports the context
   In a banking system, access decisions during the day should be different from the same decisions at night
   In military applications, some decisions at war may be completely different from the same decisions during peace time
 To handle such cases, rule based access control was introduced to support the context in access control decisions
dRBAC
 Introduced when software systems were extended across domains
 Requires agreement of all the companies over the rights associated with some role existing in multiple domains
 Also, the working rights of one role of one company are restricted to its domain only, which makes the situation more complex
 The solution to these problems is given by distributed role based access control (dRBAC) by maintaining separate system domains for each company in the coalition
Evolution of access control

Application                              | Requirements                                                             | Model
-----------------------------------------|--------------------------------------------------------------------------|--------------
Mainframe computers                      | Time sharing, prevent users from interfering                             | Lampson
Military applications                    | Users’ clearance, multilevel security                                    | Bell-LaPadula
Military applications                    | Hierarchy of users, confidentiality, secure system state, admin control  | MAC
Personal applications                    | Ownership, no administrator, user control                                | DAC
Commercial applications                  | Integrity, separation of duties, well-formed transaction                 | Clark Wilson
Commercial and government organizations  | System wide roles, complexity, user overhead, organizational structures  | RBAC
Organizations                            | Context aware, situation based                                           | Rule based
Coalition environment                    | Security and availability in overlapping domains                         | dRBAC