
CH 2: SECURITY – THE TECHNICAL ELEMENTS


Presentation Transcript


  1. CH 2: SECURITY – THE TECHNICAL ELEMENTS
     - Services are the means to implement secure systems operations.
     - Can be applied at many levels (operating system, application, network protocol). Multiple levels are good: in-depth security.
     - Key services/functions (recap):
       - Authentication - who are you?
       - Authorization - what are you authorized to do?
       - Auditing - what did you do?
       - Integrity - has anything changed?
       - Availability - is the system/data/network available?
       - Confidentiality (privacy/secrecy) - can I keep it secret?
       - Non-Repudiation - who sent/received the message?
     Chapter 2: Elements of Security

  2. Authentication Service
     - Asserting and validating the identity of a system or user.
       - Password - something you know - proof by knowledge
       - Token - something you have - proof by possession
       - Biometric - something you are - proof by property
     - Based on single-factor or multi-factor identification.
     - Most common use: system admission authentication.
     - Can also be used for message authentication:
       - Is the message content the same as the content originally sent?
       - Is the sender who they claim to be in the source address field?
       - Is the receiver the same entity that received the message?

  3. Passwords - Single factor authentication
     - Enter a "username, password" pair.
     - Authenticated against a stored password file; on match, the user is authenticated.
     - Stored password file must be secure (encrypt?).
     - So what's the problem? (the carbon-based system: people)
       - Uses an easily guessed password (dog's name, "password", etc.)
       - Too short - easily broken by exhaustive search
       - Uses a dictionary word - get the encrypted file, try dictionary words until a match occurs (requires access to the password file)
       - Uses a limited symbol set (e.g., only alpha characters)
       - Writes it down and posts it in plain sight
       - Shares it with others, doesn't ever change it

  4. Passwords – Technical Problems
     - Stored in clear text on the system - any access to the system discloses the password. Remedy: securely store the password (this also has problems, as we shall see later).
     - Sent over the network (e.g., login) in clear text. Remedy: avoid clear text password transmission.
     - Sometimes encrypted, but not strongly enough - easy to break by trial and error or exhaustive search. Remedy: use robust encryption (this would appear to be common sense, but many encryption implementations are weak).

  5. Breaking Passwords
     - Assume an encrypted password file.
     - Assume an adversary has access to the encrypted password file - always a good assumption!
     - Adversary can run many programs (e.g., Crack, a hacker tool).
     - These tools request a password; the password is encrypted using the standard algorithm for the host operating system, and the tool searches for a match in the acquired password file.
     - Uses multi-level attacks: guesses common words first, then dictionary words, then permutations of dictionary words (e.g., substitutes 1 for l and 0 for o in common words, plus others).
     - Commonly returns passwords quickly, often in minutes.

  6. Password Cracking Difficulty
     - All possible passwords are $B^n$, where
       - $B$ = number of symbols available
       - $n$ = length (number of symbols) of the password
     - For 4-character, alpha-only passwords: $26^4$
     - If passwords are attempted 1 per second, then the guess time is:
       - lower bound = 1 second (guessed on 1st attempt)
       - upper bound = $26^4$ seconds (guessed on last attempt)
       - nominal bound = $26^4/2$ seconds (half were examined)
     - This is about 64 hours, and the guess rate is slow. Real machines are much faster and will be more so in the future!

  7. Password Cracking Difficulty
     - Extend to all ASCII printing symbols (about 100) and extend the length to 8 characters:
       - number of passwords is now $100^8 = 1 \times 10^{16}$
       - even at speeds of $10^6$ tries per second = $10^{10}$ seconds (about 4822/2 days (/2 for scanning 1/2 to a hit))
     - Assumes all possible combinations of the 100 symbols are selected with equal probability to construct the password.
     - Not the case if users can generate their own passwords.
     - It may not be the case for an automated password generator - depends on the quality of the design.

  8. Good Password Policies
     - Length - 8 characters or longer.
     - Composition - all printable ASCII characters, no dictionary words, mixed upper and lower case, no personal information, no well-known phrases, use one or more special characters (#, %).
     - Change - defaults, when first issued, when compromise is suspected, periodically (3-6 months).
     - Stored - never store unencrypted, never in Unix /etc/passwd (it is publicly readable), always in /etc/shadow.
     - Generation - automatic generation with composition rules enforced is preferable.
     - Sharing - never.
     - Re-use - preferably never, but not for 2-3 cycles maximum.
     - Display - never in public; if written down, put in wallet.

  9. Password Compromises
     - Guessing - defaults (e.g., system, system), personal information (dog's name, spouse's name, birthdate, etc.).
     - Retrieval - acquire the password file in clear or encrypted form and brute force crack it.
     - Capture - intercept a clear text password on the network (sniff).
     - Replay - capture encrypted passwords and replay them later.
     - NOTE: It should be clear that one-time, encrypted passwords, with strong encryption, are the only reliable password mechanism.

  10. Variations on Passwords
     - Dial-back - Initial dial-up, request access, enter dial-back number, hang up. The dial-back system validates the phone number and places a return call, then normal validation occurs. Not used much.
     - Face recognition - Present 20 faces (5 x 4 grid) from a large database; the user selects three to memorize. On login, the user is presented the selected faces along with others in the same grid with numbered positions. Faces persist about 1-2 seconds. The user enters the numbers for the selected faces. This is a form of one-time password. Not used much.
     - Voice recognition - a potential comer, but still relatively immature.

  11. Token Authentication - Two factor authentication
     - Something you possess, typically a credit-card-sized device with an embedded processor and display window.
     - Example technologies are Smart Cards, Cryptocards, Fortezza Cards.
     - The display window shows a changing (e.g., once per minute) number string.
     - When issued, the card is synchronized to the authenticating host time base by using a seed number.
     - The user is issued a PIN associated with the seed number.

  12. Token Authentication - Two factor authentication
     - Access can be via dial-up or Internet.
     - On access the user is prompted to enter the PIN followed by the current number displayed on the card.
     - The transmitted information is encrypted.
     - The authenticating host uses the PIN to locate the seed and computes the current number being displayed (some clock variance is allowable).

  13. Token Authentication - More
     - Success is indicated when the entered number is compared to the host number and Match = Validate.
     - Following validation, a conventional password entry or challenge-response is used.
     - Card self-destructs if tampered with!
     - Summary:
       - Two-factor authentication (card number and password)
       - This is also a one-time password (the number changes every minute and is not re-usable), and exchanges are encrypted
       - Costly to own ($50/card), management of cards is clumsy, battery has finite life

  14. Biometric Authentication
     - Includes fingerprint readers, retinal scanners, handshape readers, voice recognition.
     - Theoretically ideal.
     - Practically difficult due to variations in reading accuracy.
     - Human only, not useful to cross-authenticate computers.
     - Costly.
     - Often used for building and entrance access.
     - BUT all subject to change as quality improves, cost goes down and/or perceived need increases (pre and post 9/11/01).

  15. Authorization
     - The process after authentication - grants specific privileges to users/systems. Also called access control.
     - Typically done using Access Control Lists (ACLs) for:
       - Processing privilege - User, Superuser, root. Specifies resources (h/w, s/w) available to the user (processing permissions)
       - File privilege - Directory view, read only, read/write, read/write/edit, read/write/edit/delete (file permissions)
       - Services - Specifies services available to the user on the system
     - Types:
       - Role-based (central role database)
       - Individual permissions (system-by-system)
       - Some other property (e.g., clearance, need-to-know)

  16. Auditing
     - Key components - log files form the basis for auditing a system.
     - Logs capture information about system activities and events:
       - Use of administrator (e.g., root in Unix) commands, successful and unsuccessful login attempts, account creation/deletion, file access.
     - Must be protected so they cannot be compromised.
       - Example: write to CD or a remote system (so an adversary can't erase them).
     - In Windows 2000 there are three types: system log, security log, application log.

  17. Integrity
     - Ensure the state of an object (e.g., a file) has not been altered.
     - Uses digital signatures and/or configuration management.
     - Digital signatures create digests of files that uniquely fingerprint those files and allow the detection of changes.
     - Can be applied to stored information or information in transit.
     - Configuration management establishes a baseline and requires the system administrator to follow specific procedures before changes are implemented. For example, a change may require the system to be scanned for any vulnerability after the change.

  18. Availability
     - Key idea - ensure resources are available to legitimate users; if not, this constitutes a denial of service.
     - Denial of service can be caused by:
       - Hardware failure (e.g., electronics, fire, flood)
       - Software failure (e.g., virus, Trojan, bug)
       - Procedural failure (e.g., user error)
       - Attacks (e.g., login floods, SYN floods, penetration)
     - Assurance methods include backups, early detection, and mitigation.

  19. Confidentiality/Privacy/Secrecy
     - Key idea - protection against unauthorized disclosure of information.
     - May be caused by unauthorized access, eavesdropping, interception, spoofing, social engineering, and others.
     - Cryptography offers the strongest defense.
     Non-Repudiation
     - Key idea - avoids plausible deniability that messages were sent and/or received by the sender and/or recipient.
     - Proof of sender's identity, OR proof of receiver's identity.

  20. Security - The Basic Tools
     - Encryption provides confidentiality/secrecy/privacy and can also be used to provide authentication and integrity.
     - Digital signatures are used to provide authentication, integrity, and non-repudiation.
     - Hash algorithms provide integrity and authentication.
     - Combinations of these tools can be mixed and matched to provide all of the necessary security services. Some deliver these services better than others, and much of our effort will focus on the fundamentals of these tools and how they are mixed and matched to provide the complete range of services.

  21. An Example Security Service
     - Application: Internet Credit Card Transactions (electronic commerce)
     - Service/Protocol: Secure Socket Layer (SSL)
     - Tools/Methods: Encryption, Signature, Hash
     - Algorithms: RSA, DES (encryption); RSA, DSA (signature); MD5, SHA (hash)
     - Applications are supported by services/protocols.
     - Services/protocols are built from tools/mechanisms.
     - Tools/mechanisms are constructed from algorithms.
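Added example (not part of the original slides): a password acceptance check that applies the slide 8 policy, undoes the letter substitutions slide 5 says cracking tools try, and computes the slide 6 nominal guess time. The word list, the extra substitutions beyond "1 for l, 0 for o", the default guess rate and all function names are assumptions made for illustration.

```python
import string

# Constructed sample word list; a real check would load a full dictionary.
DICTIONARY = {"password", "hello", "dragon", "system", "welcome"}

# Undo the substitutions slide 5 mentions (1 for l, 0 for o) plus a few
# other common ones (assumption), so "w3lc0me" is treated like "welcome".
UNLEET = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def contains_dictionary_word(password, words=DICTIONARY, min_len=4):
    folded = password.lower().translate(UNLEET)
    return any(len(w) >= min_len and w in folded for w in words)


def alphabet_size(password):
    """B from slides 6-7: symbols in the character classes actually used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def average_guess_seconds(password, guesses_per_second=10**6):
    """Nominal bound from slide 6: half of B**n candidates, at the given rate."""
    return alphabet_size(password) ** len(password) / 2 / guesses_per_second


def policy_violations(password, personal=()):
    """Return the slide 8 rules this password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed upper/lower case")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    lowered = password.lower()
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains personal information")
    return problems
```

The exhaustive-search estimate assumes uniformly random symbols, as slide 7 notes; a password that fails the dictionary check falls far sooner than `average_guess_seconds` suggests.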
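Added example (not part of the original slides): the host-side check from slides 11-13, where the PIN locates the seed, the host recomputes the number the card should be showing, allows some clock variance, and refuses a number that was already used. The slides do not name the cards' algorithm, so this sketch substitutes the public HOTP/TOTP construction (RFC 4226 / RFC 6238); the seed, PIN, digit count and class names are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # slide 11: the displayed number changes about once per minute
DIGITS = 6     # assumption: length of the displayed number string

# Constructed sample data: PIN -> per-card seed held by the authenticating host.
SEEDS = {"4821": b"constructed-seed-for-card-A"}


def card_number(seed: bytes, t: int) -> str:
    """Number shown on the card at Unix time t (HOTP over the time-step counter)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Host:
    def __init__(self, seeds, drift_steps=1):
        self.seeds = seeds
        self.drift = drift_steps     # allowable clock variance, in steps
        self.last_step = {}          # PIN -> last accepted step (blocks replay)

    def verify(self, pin: str, entered: str, now: int) -> bool:
        seed = self.seeds.get(pin)   # the PIN locates the seed
        if seed is None:
            return False
        current = now // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step.get(pin, -1):
                continue             # number already used: one-time only
            expected = card_number(seed, step * STEP)
            if hmac.compare_digest(expected.encode(), entered.encode()):
                self.last_step[pin] = step
                return True
        return False
```

The replay guard is what makes the displayed number a one-time password in the sense of slide 13: a captured number fails even inside the minute in which it was valid.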
