
Access Control Mechanisms and Measures: Theory & Practice

This article discusses access control mechanisms, measures, and threats in internet security theory and practice, covering topics such as access control assurance methods, intrusion detection/prevention, information classification, kinds of access control, steps in accessing systems, token-based and biometric authentication, identity management, and single sign-on technologies.

ewillis




Presentation Transcript


  1. ISA 562 Internet Security Theory & Practice: Access Control

  2. Objectives and References • General (from ISC2 CBK material): Discuss access control mechanisms, measures and threats • Details (from Bishop’s Chapter 2): Access control assurance methods • General (from ISC2 CBK material): Intrusion detection / intrusion prevention

  3. Requirements & Concepts • Some basic requirements of an access control system: • Avoid disclosing sensitive data to unauthorized users (confidentiality) • Provide sensitive information to authorized users (availability) • Reliable and dependable (integrity preserving) • Scalable and expandable (long life) • Some of the key concepts in access control systems are: • Separation of duties • Least privilege • Need-to-know • Need-to-share (a contemporary buzz-phrase) • Handle with care

  4. What to protect? Information classification • Based on the business risk of content released to mal-actors • Example: the US government classification • Unclassified • Confidential • Secret • Top secret • Will be discussed in detail

  5. Kinds of Access Control • Preventive • Avoid unwanted actions/events by blocking the ability to perform them. • Detective • Identify unwanted actions or events after they occur. • Corrective • Remedy the circumstances that enabled the unwanted activity. • Return to the state prior to the unwanted activity. • Directive • Dictated by a higher authority in laws or regulations, or specified in organization policy • Deterrent • Prescribe punishment for noncompliance • Recovery • Restore lost computing resources or capabilities. • Compensating • Reinforce or replace normal controls that are unavailable

  6. Three Types of Access Controls • Administrative • Examples: separation of duties, dual control, etc. • Physical • Examples: fences, alarms, badges, CCTV, etc. • Technical • Examples: antivirus, anti-spam, logs, etc. • Further examples in the ISC2 book show how controls map to the access control types.

  7. Steps in Accessing Systems • Authentication • Use a unique identifier • Example: user ID, account number, PIN • Three main kinds of data used for authentication • Something the requester knows • Passwords • Pass-phrases • Something the requester is • Biometrics • Physical characteristics • Something the requester has • Tokens (one-time passwords, time-synchronized tokens) • Smart cards • USB tokens • Authorization • Accounting

  8. Using Tokens & Smart Cards for Authentication • Asynchronous token: challenge-response • Synchronous token • Time- or event-based • Uses one-time passwords or hashed values • The authentication server knows the expected value from the token • Smart cards • Contact • Contactless

  9. Using Biometrics for Authentication • Have false rejection and false acceptance rates. • Crossover: the point where the two rates are equal; both are tunable to need. • Examples of static biometrics • Fingerprint or palm print • Hand geometry • Retina • Examples of dynamic biometrics • Face/gesture recognition • Keystrokes • Voice pattern

  10. Identity Management • What is identity management? • A set of technologies used to manage user identity information. • When is it needed? • For manual service provisioning • To manage sophisticated and complex environments • To comply with regulations • What are the major challenges? • Reliability of user profiles • Consistency of user profiles across different systems/devices • Scalability: supporting data volumes and peaks • More details in the ISC2 book

  11. Identity Management: Benefits and Technologies • Benefits • Increasing productivity • Reducing head-count • Technologies • Found in systems that support the identity management process and manage data consistently and efficiently across multiple systems within an organization • Directories • Web access management • Password management • Legacy single sign-on

  12. Access Control Technologies

  13. Single Sign-on • How it works • One user ID and password for multiple application servers, through an authentication server. • Benefits • Efficient log-on process • Users may create stronger passwords • No need for multiple passwords • Major drawback • A compromised password lets an intruder into all resources of the owner of that account

  14. Single Sign-on using Kerberos

  15. Single Sign-on: Kerberos and SESAME • The Kerberos Key Distribution Center (KDC) serves two functions • Authentication Server (AS) • Ticket Granting Server (TGS) • Kerberos issues • Security depends on careful implementation and maintenance • The lifetime of authentication credentials should be as short as feasible, using time stamps to minimize the threat of replayed credentials • The KDC must be physically secured; it could be a single point of failure • Redundancy is recommended • The KDC should be hardened and not allow any non-Kerberos activity • SESAME • Stands for Secure European System for Applications in a Multi-vendor Environment • Developed to address some of the Kerberos weaknesses • Supports SSO • Improves key management by using both symmetric and asymmetric keys

  16. Directory Service and Security Domains • Directory services • Consist of applications that provide the means to hierarchically organize and manage information about network users and resources, and to retrieve that information by name association • Security domains • The set of objects that a subject in an information system is allowed to access • Hierarchical domain relationships • Equivalence classes of subjects

  17. Access Control & Assurance • Mechanisms used to assure that access control mechanisms are in place and in good standing: • Audit trail analysis and monitoring • An audit trail is a record of system activities • Assessment tools • Audit tools cover a wide spectrum of cost, complexity, etc. and must be tailored to the specific goals of the audit

  18. The Access Control Matrix Model (Chapter 2 from Bishop’s book)

  19. Chapter 2: Access Control Matrix • Overview • Access Control Matrix Model • Boolean Expression Evaluation • History • Protection State Transitions • Commands • Conditional Commands • Special Rights • Principle of Attenuation of Privilege

  20. Overview • Protection state of system • Describes current settings, values of system relevant to protection • Access control matrix • Describes protection state precisely • Matrix describing rights of subjects • State transitions change elements of matrix

  21. Description • Subjects $S = \{ s_1, \dots, s_n \}$ • Objects $O = \{ o_1, \dots, o_m \}$ • Rights $R = \{ r_1, \dots, r_k \}$ • Entries $A[s_i, o_j] \subseteq R$ • $A[s_i, o_j] = \{ r_x, \dots, r_y \}$ means subject $s_i$ has rights $r_x, \dots, r_y$ over object $o_j$ • (Matrix figure: rows are the subjects $s_1, s_2, \dots, s_n$; columns are the objects (entities) $o_1, \dots, o_m, s_1, \dots, s_n$, since every subject is also an object)

  22. Example 1 • Processes (subjects) p, q • Files (objects) f, g • Rights r, w, x, a, o
      Matrix:
                 f       g       p       q
          p      rwo     r       rwxo    w
          q      a       ro      r       rwxo

  23. Example 2 • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call
      Matrix:
                     counter   inc_ctr   dec_ctr   manage
          inc_ctr    +
          dec_ctr    –
          manage               call      call      call

  24. Boolean Expression Evaluation • ACM controls access to database fields • Subjects have attributes • Verbs define the type of access • e.g., read, write • Rules are associated with (object, verb) pairs • (foo, write) • Subject attempts to access an object • The rule for (object, verb) is evaluated and grants or denies access

  25. Example • Subject Alice • Attributes role (artist), groups (creative) • Verb paint • Default 0 (deny unless explicitly granted) • Object picture • Rule: paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour ≥ 0 and time.hour < 5

  26. ACM at 3AM and 10AM • At 3AM, the time condition is met; the ACM is:
                  …   picture   …
          …
          annie       paint
          …
      • At 10AM, the time condition is not met; the ACM is:
                  …   picture   …
          …
          annie       (empty)
          …
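As an added example (not code from the slides or from Bishop's book), the (picture, paint) rule of slides 24 to 26 evaluated at request time, so that the entry A[annie, picture] holds paint at 3AM and is empty at 10AM; the Subject and Clock types, the RuleACM class and the second subject bob are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

@dataclass
class Subject:
    name: str
    role: Set[str] = field(default_factory=set)    # e.g. {"artist"}
    groups: Set[str] = field(default_factory=set)  # e.g. {"creative"}

@dataclass
class Clock:
    hour: int  # 0..23, the hour at which the access request is made

# A rule is attached to one (object, verb) pair and evaluated at request time.
Rule = Callable[[Subject, Clock], bool]

class RuleACM:
    """Access control matrix whose entries are computed by evaluating rules."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], Rule] = {}

    def add_rule(self, obj: str, verb: str, rule: Rule) -> None:
        self.rules[(obj, verb)] = rule

    def allowed(self, subject: Subject, obj: str, verb: str, now: Clock) -> bool:
        # Default is 0: deny unless a rule for (obj, verb) exists and grants.
        rule = self.rules.get((obj, verb))
        return rule is not None and rule(subject, now)

    def entry(self, subject: Subject, obj: str, now: Clock) -> Set[str]:
        """A[subject, obj] as it stands at time `now`: every verb whose rule grants."""
        return {verb for (o, verb) in self.rules
                if o == obj and self.allowed(subject, o, verb, now)}

# The slide's rule for (picture, paint): artist role, creative group, hours 0 to 4 only.
acm = RuleACM()
acm.add_rule("picture", "paint",
             lambda s, t: "artist" in s.role and "creative" in s.groups and 0 <= t.hour < 5)

annie = Subject("annie", role={"artist"}, groups={"creative"})
bob = Subject("bob", role={"artist"}, groups=set())  # constructed: lacks the creative group

if __name__ == "__main__":
    print("A[annie, picture] at 3AM:", acm.entry(annie, "picture", Clock(3)))    # {'paint'}
    print("A[annie, picture] at 10AM:", acm.entry(annie, "picture", Clock(10)))  # set()
```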

  27. AC by History and Inference • Database:
          name      position    age   salary
          Alice     teacher     45    $40,000
          Bob       aide        20    $20,000
          Cathy     principal   37    $60,000
          Dilbert   teacher     50    $50,000
          Eve       teacher     33    $50,000
      • Queries: • sum(salary, “position = teacher”) = 140,000 • sum(salary, “age > 40 & position = teacher”) should not be answered (it would let the asker deduce Eve’s salary)

  28. ACM of Database Queries • $O_i = \{$ objects referenced in query $i \}$ • $f(o_i)$ = permission set of query $i$ • $f(o_i) = \{ \text{read} \}$ for $o_j \in O_i$, if $\left| \bigcap_{j=1,\dots,i} O_j \right| < 2$ • $f(o_i) = \emptyset$ for $o_j \in O_i$, otherwise • $O_1 = \{$ Alice, Dilbert, Eve $\}$ and there is no previous query set, so: • $A[\text{asker}, \text{Alice}] = f(\text{Alice}) = \{ \text{read} \}$ • $A[\text{asker}, \text{Dilbert}] = f(\text{Dilbert}) = \{ \text{read} \}$ • $A[\text{asker}, \text{Eve}] = f(\text{Eve}) = \{ \text{read} \}$ • and the query can be answered

  29. But Query 2 • From the last slide: $f(o_i) = \{ \text{read} \}$ for $o_j \in O_i$, if $\left| \bigcap_{j=1,\dots,i} O_j \right| < 2$; $f(o_i) = \emptyset$ for $o_j \in O_i$, otherwise • $O_2 = \{$ Alice, Dilbert $\}$ but $| O_2 \cap O_1 | = 2$, so • $A[\text{asker}, \text{Alice}] = f(\text{Alice}) = \emptyset$ • $A[\text{asker}, \text{Dilbert}] = f(\text{Dilbert}) = \emptyset$ • and the query cannot be answered
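An added example, not the slides' own code, that applies the history rule of slides 28 and 29 to a constructed copy of the slide 27 table and follows the slides' worked steps: the first query has no earlier query set and is answered, while the second query's intersection with O_1 has two objects, so its rows get the empty permission set and it is refused. The HistoryACM class and the sum_salary helper are assumptions.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed copy of the slide's table: name -> (position, age, salary)
DB: Dict[str, Tuple[str, int, int]] = {
    "Alice":   ("teacher",   45, 40000),
    "Bob":     ("aide",      20, 20000),
    "Cathy":   ("principal", 37, 60000),
    "Dilbert": ("teacher",   50, 50000),
    "Eve":     ("teacher",   33, 50000),
}

class HistoryACM:
    """Per-asker history of query object sets O_1, O_2, ... and the rule f(o_i)."""

    def __init__(self, db: Dict[str, Tuple[str, int, int]]) -> None:
        self.db = db
        self.history: List[Set[str]] = []  # O_1 ... O_{i-1} of the queries already answered

    def f(self, referenced: Set[str]) -> Set[str]:
        """Permission set for every o_j in O_i.
        First query: no previous query set, so {read}.
        Later queries: {read} only if |O_i ∩ O_{i-1} ∩ ... ∩ O_1| < 2, else the empty set."""
        if not self.history:
            return {"read"}
        common = referenced.intersection(*self.history)
        return {"read"} if len(common) < 2 else set()

    def sum_salary(self, where: Callable[[str, int, int], bool]) -> Optional[int]:
        """sum(salary, where): answered only if the asker gets read on every row it touches."""
        o_i = {name for name, row in self.db.items() if where(*row)}
        if "read" not in self.f(o_i):
            return None  # A[asker, o_j] is empty for the referenced rows: refuse the query
        self.history.append(o_i)  # record O_i so later queries are checked against it
        return sum(self.db[name][2] for name in o_i)

def run_slide_queries(db: Dict[str, Tuple[str, int, int]] = DB) -> Tuple[Optional[int], Optional[int]]:
    """The two queries of slide 27, in order, against a fresh history."""
    acm = HistoryACM(db)
    q1 = acm.sum_salary(lambda pos, age, sal: pos == "teacher")               # O_1 = {Alice, Dilbert, Eve}
    q2 = acm.sum_salary(lambda pos, age, sal: age > 40 and pos == "teacher")  # O_2 = {Alice, Dilbert}
    return q1, q2

if __name__ == "__main__":
    print(run_slide_queries())  # (140000, None)
```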

  30. State Transitions • Change the protection state of the system • $X_i$ is a state of the ACM at time $i$ • $\vdash$ represents a transition • $X_i \vdash_{\tau} X_{i+1}$: command $\tau$ moves the system from state $X_i$ to $X_{i+1}$ • $X_i \vdash^{*} X_{i+1}$: a sequence of commands moves the system from state $X_i$ to $X_{i+1}$ • Commands are often called transformation procedures, because they transform the state of the access control matrix

  31. Primitive Operations • create subject s; create object o • Creates a new row and column in the ACM; creates a new column in the ACM • destroy subject s; destroy object o • Deletes a row and column from the ACM; deletes a column from the ACM • enter r into A[s, o] • Adds right r for subject s over object o • delete r from A[s, o] • Removes right r from subject s over object o

  32. Access Control Requests • Transform the state of the access control matrix • An access control request can be precisely defined using • Pre-conditions • Post-conditions • Use notation (from Z) • Pre-state without primes • Post-state with primes • Example: in the pre-state, A[alice, file1] is the permission set of Alice over file1 before a request; A′[alice, file1] is the post-state

  33. Create Subject: pre- and post-conditions • Pre-condition: $s \notin S$ • Primitive command: create subject $s$ • Post-conditions: • $S' = S \cup \{ s \}$, $O' = O \cup \{ s \}$ • $(\forall y \in O')[a'[s, y] = \emptyset]$ • $(\forall x \in S')[a'[x, s] = \emptyset]$ • $(\forall x \in S)(\forall y \in O)[a'[x, y] = a[x, y]]$

  34. Create Object • Pre-condition: $o \notin O$ • Primitive command: create object $o$ • Post-conditions: • $S' = S$, $O' = O \cup \{ o \}$ • $(\forall x \in S')[a'[x, o] = \emptyset]$ • $(\forall x \in S)(\forall y \in O)[a'[x, y] = a[x, y]]$

  35. Add Right • Pre-condition: $s \in S$, $o \in O$ • Primitive command: enter $r$ into $a[s, o]$ • Post-conditions: • $S' = S$, $O' = O$ • $a'[s, o] = a[s, o] \cup \{ r \}$ • $(\forall x \in S')(\forall y \in O' - \{ o \})[a'[x, y] = a[x, y]]$ • $(\forall x \in S' - \{ s \})(\forall y \in O')[a'[x, y] = a[x, y]]$

  36. Delete Right • Pre-condition: $s \in S$, $o \in O$ • Primitive command: delete $r$ from $a[s, o]$ • Post-conditions: • $S' = S$, $O' = O$ • $a'[s, o] = a[s, o] - \{ r \}$ • $(\forall x \in S')(\forall y \in O' - \{ o \})[a'[x, y] = a[x, y]]$ • $(\forall x \in S' - \{ s \})(\forall y \in O')[a'[x, y] = a[x, y]]$

  37. Destroy Subject • Pre-condition: $s \in S$ • Primitive command: destroy subject $s$ • Post-conditions: • $S' = S - \{ s \}$, $O' = O - \{ s \}$ • $(\forall y \in O')[a'[s, y] = \emptyset]$, $(\forall x \in S')[a'[x, s] = \emptyset]$ • $(\forall x \in S')(\forall y \in O')[a'[x, y] = a[x, y]]$

  38. Destroy Object • Pre-condition: $o \in O$ • Primitive command: destroy object $o$ • Post-conditions: • $S' = S$, $O' = O - \{ o \}$ • $(\forall x \in S')[a'[x, o] = \emptyset]$ • $(\forall x \in S')(\forall y \in O')[a'[x, y] = a[x, y]]$

  39. Creating a File • Process p creates file f with r and w permission
      command create•file(p, f)
          create object f;
          enter own into A[p, f];
          enter r into A[p, f];
          enter w into A[p, f];
      end

  40. Mono-Operational Commands • Make process p the owner of file g
      command make•owner(p, g)
          enter own into A[p, g];
      end
      • Mono-operational command • A single primitive operation in this command

  41. Conditional Commands • Let p give q r rights over f, if p owns f
      command grant•read•file•1(p, f, q)
          if own in A[p, f]
          then
              enter r into A[q, f];
      end
      • Mono-conditional command • A single condition in this command

  42. Multiple Conditions • Let p give q r and w rights over f, if p owns f and p has c rights over q
      command grant•read•file•2(p, f, q)
          if own in A[p, f] and c in A[p, q]
          then
              enter r into A[q, f];
              enter w into A[q, f];
      end

  43. Copy Right • Allows the possessor to give rights to another • Often attached to a right, so it only applies to that right • r is a read right that cannot be copied • rc is a read right that can be copied • Is the copy flag copied when giving r rights? • Depends on the model and its instantiation

  44. Own Right • Usually allows the possessor to change entries in an ACM column • The owner of an object can add and delete rights for others • May depend on what the system allows • Can’t give rights to specific (sets of) users • Can’t pass the copy flag to specific (sets of) users

  45. Attenuation of Privilege • The principle says you can’t give rights you do not possess • Restricts the addition of rights within a system • Usually ignored for the owner • Why? The owner gives herself the rights, gives them to others, then deletes her own rights.

  46. Main Points • The access control matrix is the simplest abstraction mechanism for representing the protection state • Transitions alter the protection state • Six primitive operations alter the matrix • Transitions can be expressed as commands composed of these operations and, possibly, conditions
