resource security and protection chapter 14 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Resource Security and Protection Chapter 14 PowerPoint Presentation
Download Presentation
Resource Security and Protection Chapter 14

Resource Security and Protection Chapter 14

166 Vues Download Presentation
Télécharger la présentation

Resource Security and Protection Chapter 14

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Resource Security and ProtectionChapter 14

  2. Introduction • Deals with the control of unauthorized use of software and hardware. • Business applications such as banking requires high security and protection during any transaction • Security techniques should not only prevent the misuse of secret information but also its destruction

  3. Basics • Potential Security Violations [By AnderSon]: • Unauthorized information release : unauthorized person is able to read information, unauthorized use of computer program • Unauthorized information modification: unauthorized person is able to modify information e.g changing grade of a university student, changing account balances in bank databases 3. Unauthorized denial of service : Unauthorized person should not succeed in preventing an authorized person from accessing the information

  4. External vs Internal Security • External Security : • Also called physical security • Deals with regulating the access to premises of computer systems [ e.g hardware, disks, tapes] • Can be enforced by placing a guard at the door, by giving a secret key to authorized person. • Issues to be dealt are administrative • Internal Security : • Deals with the use of computer hardware and software information stored in computer systems • Requires an issue of authentication [Logs into]

  5. Policies and Mechanisms • Policy • What should be done? • Policy gives assignment of the access rights to users to various resources. • Policies Decides which user has access to what resources • Policies can change with Time and application • Mechanism • How it should be done? • Protection mechanism provides a set of tools that can be used to design or specify a wide array of protection policies • Protection mechanism in OS controls user access to system resources. • Protection Scheme must be amenable to a wide variety of policies. • Protection is a mechanism and Security is a policy. “Separation of policies and mechanism enhances design flexibility”

  6. Protection Domain of a Process • Specifies Resources that a process can access and type of operation that a process can perform on the resources. • Required for enforcing security • Allow the process to use only those resources that it requires. • Every process executes in its protection domain and protection domain is switched appropriately whenever control jumps from process to process. • Advantage : “Eliminates the possibility of a process breaching security maliciously or unintentionally and increases accountability”

  7. Design Principles for a Secure System[By Saltzer & Schroeder] • Economy : Protection mechanism should be economical to develop and use. Should add extra high costs for the system. • Complete Mediation :Requires that every request to access an object be checked for the authority to do so. • Open Design: A protection mechanism should work even if its underlying principles are known to the attcker. • Separation of Privileges: Protection Mechanism requires two keys to unlock a lock • Least Privilege : Subject should be given bare minimum rights for completion of task.

  8. Design Principles cont… 6. Least Common Mechanism : Portion common to more than one user should be minimized. [Coupling among users represents potential information path between users and hence a potential threat to their security] • Acceptability : Protection Mechanism must be simple to use. • Fail Safe Defaults : Default case should mean lack of access.

  9. Access Matrix Model • Model proposed by Lampson. Enhanced and Refined further by Graham, Denning and Harrison. • Protection System consists of mechanism to control user access for various resources or to control information flow. • Components : • Current Objects : Finite set (‘O’) of entities to which access is to be controlled. [Files] • Current Subjects: Finite set (‘S’) of entities that access current objects. E.g subject may be a process. Subjects themselves can be treated as objects and can be accessed like an object by other subjects. [Users] • Generic Rights : A finite set of generic rights R={r1,r2,r3,……rm} gives various access rights that subjects can have to objects. E.g read, write , execute .own , delete etc.

  10. Access Matrix Model cont.. • Protection State of a System : Protection state of a system is represented by a triplet (S,O,P) ( S , O , P ) Access Matrix Set of current subjects Set of current objects Note : Access Matrix has a row for every current subject and a column for every current object.

  11. Access Matrix Model cont.. Objects o s Subjects P[s,o] P[s,o] is a subset of generic rights subset R It also denotes the access rights which subjects s has to object o.

  12. Access Matrix Representing Protection State

  13. Access matrix Model cont… • Enforcing a Security Policy • A security Policy is enforced by validating every user access for appropriate access rights • Every Object has a monitor that validates all accesses to that object in the following manner: (i) A subject ‘s’ requests an access ‘α’ to object ‘o’. • Protection System presents triplet(s,α,o) to monitor of ‘o’ • Monitor looks into access rights of ‘s’ to ‘o’. If α belongs to subset of P[s,o] then access is permitted Else it is denied.

  14. Implementation of Access Matrix Model • Three Implementations of Access matrix model • Capabilities Based • Access ControlList • Lock-key Method

  15. Capabilities • Capability based method corresponds to the row-wise decomposition of the access matrix. • Each subject s is assigned a list of tuples (o, P [s , o]) for all objects o that it is allowed access. These tuples are known as capability. • Typical view of capability Object Descriptor Access Rights read , write, execute etc. • Capability has two fields. Object Descriptor is identifier for objects and the second allowed access rights for the object.

  16. Capabilities cont.. • Possession of a capability treated as a evidence that user has authority to access the object in the ways specified in the capability. • At any point of time, a subject is autorized to access only those objects for which it has capabilities.

  17. Capability Based Addressing • Capabilities can be used for addressing mechanism by the system using object descriptor • The Main advantage of using capability as an addressing mechanism that it provides an address that is context independent[ Absolute Address] • However, System must allow embedding of capabilities in user programs and data structures.

  18. length base Object Table Capability Based Addressing cont.. An address in a program Capability id Offset length offset Object Descriptor Access Rights Capability list of the user

  19. Capability Based Addressing cont.. • A user Program issues a request to access a word with an object. • Address contains capability ID of the object and an offset with in the object • System uses capability ID to search the capability list of the user to locate the capability that contains the allowed access rights and an object descriptor. • System checks the access rights. • Object descriptor is used to search the object table to locate entry for the object. • Object entry contains the base address of the object in main memory.

  20. Capability Based Addressing cont.. • Two Salient features : • Relocatability [ An object can be relocated any where within main memory without changing the capability] • Sharing[ Several programs can share the same object with different names for the same object] • Implementation Considerations: • To maintain a forgery-free capability, a user should not be able to access [read,modify or construct] a capability. • Two ways for implemenattion: (i) Tagged approach (ii) Partitioned approach

  21. Capability Based Addressing cont.. • Tagged approach : • One or more bits are attached to each memory location and every processor • Tag indicates whether a memory word or register contains a capability. • If tag = ON , the information is capability otherwise ordinary data. • When tag =ON user can not manipulate the word. • Example: Burrough’s B6700 • Partitioned Approach: • Capabilities and Ordinary data are partitioned[ stored separately] • Every object has two segments : one for data other for capabilities • Processor has two sets of registers : one for data other for capabilities • Examples : Chicago Magic Number Machine, Plessey System

  22. Advantages Drawbacks of Capabilities • Advantages • Efficient : validity can be easily tested • Simple : due to natural correspondence between structural properties of capabilities and semantic properties of addressing variables. • Flexible : user can decide which of his address contain capabilities • Disadvantages: • Control of propagation • Review • Revocation of access rights • Garbage Collection

  23. Access Control List Method • Column wise decomposition of the access matrix. • Each object ‘o’ is assigned a pairs (s, P[s,o]) for all subjects s that are allowed to access the object. • P[s,o] denotes the access rights that subject s has to ‘o’ • When a subject ‘s’ requests access ‘α’ to object ‘o’, it is executed in the following manner: • System searches the access control list of ‘o’ to find out if an entry(s,Ø) exists for subject ‘s’. • If exists then system checks for whether access is permitted (α belongs to Ø) • If yes access is granted otherwise a Exception is raised.

  24. Schematic of an access control list Subjects Access Rights Smith read,write,execute Jones read Lee write Grant execute Execution Efficiency of the access control list method is poor because an access control list must be searched for every access to a protected object.

  25. Access Control List Method cont.. • Main features : • Easy Revocation: Revocation of access rights is simple, fast and efficient. Can be achieved simply by removing subject’s entry from object’s access control list. • Easy review of an access: Can be easily determined what subjects have access rights to an object • Implementation Considerations • Efficiency of Execution : Since access control list needs to be searched for every access to a protected object, it can be very slow. [Can be avoided using shadow registers] • Efficiency of storage: List may require a huge amount of storage [ Can be avoided using protection groups]

  26. Lock Key Method • Hybrid of the capability-based method and access control list method • Every subject has a capability list that contains tuples of the form (O,k) indicating that the subject can access Object O using key k. • Every Object has an access control list that contains tuples of the form (l,y) called a lock entry. It indicates that any subject which can lock l can access this object in modes contained in y. • When a subject makes a request to access object o in α , the system is executed in the following manner: • System locates tuple (o,k) in the capability list of the subject. If no such tuple is found access is not permitted • Otherwise access is permitted only if there exists a lock entry (l,y) in the access control list of the object o such that k=l and α belongs to y.

  27. Data Security • Unauthorized User can gain access to confidential information • User may by pass protection mechanism of s ystem • To add extra protection techniques are needed to ensure the an intruder is unable to understand or make use of any information obtained by wrongful access. • Cryptography can be used for extra protection • Converting one piece text in to cryptic form before storing it on to computer

  28. Model of Cryptography • Plaintext [cleartext or original message] • cipherText [message in encrypted form] • Encryption [ Process of converting Plaintext to ciphered text] • Decryption [Process of converting ciphered to Plaintext text] • Cryptosystem [System for encryption and decryption of information] • Symetric Cryptography : If the key is same for both encryption and decryption • Asymetric Cryptography : If the key is not same for both encryption and decryption

  29. General Structure of a Cryptographic System CA SI m E D M M C = Eke(M) Ke Kd Encrption key Decrption key M = Plain text , C = Ciphertext = EKe(M) EKe = Encryption operation using Ke

  30. Design Principles • Shannon’s principle : • Principle of Diffusion : Spreading the correlation and dependencies among key- string variables over substrings as much as possible so as to maximize the length of the plaintext needed to break the system • Principle of confusion : change the piece of information so that output has no oblivious relation with the input. • Exhaustive search principle: • Determination of key needed to break the system • Requires exhaustive search of a space.

  31. Classification of Cryptographic Systems Cryptographic Systems Conventional Systems Modern Systems Private key Systems Public key Systems Open design

  32. Conventional Cryptography • Caesar Cipher • A letter is transformed into third letter following in the alphabetical sequence • E : M-(M+3)%26 where 0<=M<=25 • Simple sunstitution • Any permutation of letters can be mapped to English Letters • Positional correlation is eliminated 3. Polyalphabetic Ciphers: • Uses periodic sequence of n substitution alphabetic ciphers • System switches among n substitution alphabet ciphers periodically

  33. Private key Cryptography • DES developed by IBM • Two basic operations : • Permutation : permutes the bits of a word. [ To provide diffusion] • Substitution : replaces m-bit input by an n-bit output. [ No simple correlation between input and output. To provide confusion] (i) Convert m-bit input to decimal form (ii) Decimal output is permuted to give another decimal number (iii) Final decimal output is converted into n-bit output.

  34. Data Encryption Standard [DES] • DES is a block cipher that crypts 64-bit data blocks using 56-bit key • Error detection is provided by adding 8-bit parity • Three steps: • Plain text undergoes initial permutation(IP) in which 64 bits of the block is permuted • Permuted block goes a complex transformation using a key and involves 16 iterations • The output of step(2) goes a final permutation which is the inverse of step(1) << The output of step(3) is ciphered text>>

  35. Li-1 Ri-1 f Ki Key θ Li Ri=Li θ f(Ri-1,Ki) Li Ri Data Encryption Standard [DES]Iterative Transformation • Iterative Transformation step consists of 16 functionally identical iterations • Let Li = left 32-bit hals and Ri= Right 32-bit half after ith iteration • Steps: • 32-bit Ri-1 is expanded to 48-bit E(Ri-1) • Ex-OR operation is performed between 48-bit key Ki and E(Ri-1). 48 bit output is partitioned into 8 partitions Q1,Q2,….Q8 of 6bit each • Each Qi, i<=i<=8 is fed into a separate 6-to-4 substitution box. • 32-bit output of 8 substitution boxes is fed to a permutation box whose 32 bit output is f

  36. Public Key Cryptography • Encryption Procedure E is in public domain • Decryption Procedure is secret • Encryption procedure E and Decryption procedure D must satisfy following properties: • For every message M, D(E(M)) = M • E and D can be efficiently applied to any message M • Knowledge of E does not compromise seurity. << It should be impossible to derive D from E>> “Public key cryptography allows two users to have secure communication even if they have not communicated before”

  37. Rivest-Shamir-Adleman Method • Popularly known as RSA method • Binary Plaintext is divided into blocks. Each block is represented by an integer between 0 and n-1 • Encryption key is a pair (e , n) where e is positive integer • Message M is encrypted by raising it to eth power modulo n. • C = M modulo n • Cipher text C is an integer between 0 and n-1. • Encryption does not increase the length of plaintext • Decryption key (d,n) is a pair where d is a positive integer. e Cont..

  38. Rivest-Shamir-Adleman cont.. • Cipher text block C is decrypted by raising it to dth power modulo n • M = C modulo n • User possesses an encryption key(eX,nX) and a decryption key(dX,nX) where as encryption key is available in public domain but decrytion key is known to user only d

  39. Rivest-Shamir-Adleman cont.. M mod n e C mod n M e C = M mod n d M (e , n) (d , n) << Decryption Key for user>> << Encryption Key for user>>

  40. Rivest-Shamir-Adleman Method • Determination of Keys • Chose two large prime numbers p and q and define n as n = p * q • p and q should be chosen such that it will be practically impossible to determine p and q by factoring n. • Chose any large integer d as follows: GCD(d,(p-1)*(q-1)) == 1 4. Compute integer e such that it is multiplicative inverse of d in modulo (p-1)*(q-1)