
CS363


Presentation Transcript


  1. Week 8 - Monday CS363

  2. Last time
  • What did we talk about last time?
  • Access control
  • Authentication

  3. Questions?

  4. Project 2

  5. Security Presentation Andrew Sandridge

  6. Challenge Response

  7. Pass Algorithms
  • Some systems have a special function f that a user (or the user's system) must know
  • Thus, the system gives the user a prompt, and the user must respond
  • Perhaps the system issues a random value to the user, who must then encrypt it with his secret key and send it back to the system
  • Perhaps it's just some other way of processing the data
  • Monkey Island 2: LeChuck's Revenge hand puzzle
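The random-value variant of a pass algorithm, written out as an added example (not from the slides): the system issues a fresh random challenge, the user computes f on it, and the system checks the answer and refuses to accept the same challenge twice. The shared secret and the choice of a keyed hash (HMAC-SHA256) in place of "encrypt with his secret key" are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed shared secret; in practice it is provisioned out of band.
SECRET = b"example-shared-secret"

def respond(key: bytes, challenge: bytes) -> bytes:
    """User side: the pass algorithm f, here HMAC-SHA256 keyed with the shared secret."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    """System side: issues random challenges and checks responses."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()       # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = os.urandom(16)             # fresh per login, so responses cannot be replayed
        self.outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:   # never issued, or already consumed
            return False
        self.outstanding.discard(challenge)     # each challenge is answerable once
        expected = respond(self.key, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison
```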

  8. One-Time Passwords
  • A one-time password is invalidated as soon as it is used
  • Thus, an attacker stealing the password can do limited damage
    • He can only log in once
    • He has to act quickly before the legitimate user logs in first
  • How do you generate all these passwords?
  • How do you synchronize the user and the system?

  9. One-time password implementations
  • RSA SecurID tokens change the password every 30 or 60 seconds
    • The user must be synchronized with the system within a few seconds to keep this practical
  • Using a secure hash function h, we start with a seed value k, then
    • h(k) = k1, h(k1) = k2, …, h(k_{n-1}) = kn
  • The passwords are then used in reverse order
    • p1 = kn, p2 = k_{n-1}, …, p_{n-1} = k2, pn = k1
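The hash-chain scheme from this slide as an added, runnable example (not code from the course): the chain k1..kn is built from the seed, passwords are handed out in reverse, and the server keeps only the hash of the next expected password, so a password that has been used (or seen on the wire) no longer works. SHA-256 as h and the enrollment step where the server is given h(p1) are assumptions of the example.

```python
import hashlib

def h(x: bytes) -> bytes:
    """The secure hash function of the slides, instantiated here as SHA-256."""
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [k1, ..., kn] with k1 = h(seed) and k(i+1) = h(ki)."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain

def passwords(chain: list) -> list:
    """Passwords are the chain in reverse: p1 = kn, ..., pn = k1."""
    return list(reversed(chain))

def user_password(seed: bytes, n: int, i: int) -> bytes:
    """User side: p_i = h^(n-i+1)(seed), so only the seed and a counter need storing."""
    k = seed
    for _ in range(n - i + 1):
        k = h(k)
    return k

class Server:
    """Stores only h(next expected password); the seed never leaves the user."""

    def __init__(self, hashed_first_password: bytes):
        self.last = hashed_first_password   # h(p1) = h(kn), registered at enrollment
        self.logins = 0

    def login(self, candidate: bytes) -> bool:
        if h(candidate) != self.last:       # must hash to the last accepted value
            return False
        self.last = candidate               # consumed: replaying it now fails
        self.logins += 1
        return True
```

Each accepted password becomes the new verifier, so the server never needs the seed and a captured password only helps an attacker who can invert h.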

  10. Biometrics

  11. Biometrics
  • Biometrics means identifying humans by their physical and biological characteristics
  • This technology is often seen in spy and science fiction movies
  • It does exist, but it is far from perfect
  • Like passwords, the actual biometric scans are usually not stored
    • Instead, specific features are stored for later comparison
  • Biometrics pose unique privacy concerns because the information collected can reveal health conditions

  12. Fingerprints
  • Historically, fingerprints are one of the most heavily used forms of biometric identification
    • Especially useful for solving crimes
  • Even identical twins have different fingerprints
    • Fun fact: Koalas have fingerprints so similar to human beings that even experts are fooled
  • Optical scanners are available
  • Cheap, capacitive scanners are now even available on many laptops
  • The image of the fingerprint is usually not stored
    • Instead, specific, differentiable features are recorded

  13. Voice recognition
  • Voice recognition systems must be trained on your voice
  • They can be defeated with recording devices
  • If you have a cold, it throws off the characteristics of your voice
  • As a consequence, they are particularly susceptible to both false positives and false negatives

  14. Eye recognition
  • As the technology matures and hardware becomes cheaper, eye recognition is becoming more common
  • Iris recognition looks at the patterns of light and dark areas in your iris (the colored part of your eye)
    • For simplicity, the image is converted to grayscale for comparison
    • Newer iris scanners can make successful identifications at 10 feet away or more, even correcting for glasses!
  • Retina scans exist but are unpopular
    • The retina is the tissue lining the inside of your eye and requires pupil dilation to get an accurate picture, blinding you for several minutes
  • There are even systems for recognizing the patterns of discolorations on the whites of your eyes!

  15. Face recognition
  • The shape of your face, the distance between your eyes and nose, and other facial features are relatively distinctive
    • Although they can be nearly the same for identical twins
  • Computer vision techniques must be used to locate the face, deal with changes in haircut, glasses, etc.
  • Participants must have a neutral facial expression or results can be thrown off
  • The US Department of State uses facial recognition and fingerprinting to document foreigners entering the country
    • Their database has over 75 million photographs

  16. Other biometrics
  • Hand geometry readers measure the shape of your hand
  • Keystroke dynamics are the patterns that you use when typing
    • Users are quite distinctive, but distractions and injuries can vary patterns a lot
  • Combinations of different biometrics are sometimes used
  • DNA sequencing is not (yet) fast enough to be used for authentication
  • Researchers are always coming up with new biometrics to use

  17. Problems with biometrics
  • People assume that they are more secure than they are
  • Attacks:
    • Fingerprints can be lifted off a champagne glass
    • Voices can be recorded
    • Iris recognition can be faked with special contact lenses
  • Both false positives and false negatives are possible
  • It is possible to tamper with transmission from the biometric reader
  • Biometric characteristics can change
  • Identical twins sometimes pose a problem

  18. Trusted Systems

  19. What is trust?
  • To trust a program, we are looking for 4 things:
    • Functional correctness: the program does what it should
    • Enforcement of integrity: the program's data is still correct even if given bad or unauthorized commands
    • Limited privilege: if the program accesses secure data, it only accesses what it needs, and it doesn't leak rights or data to untrusted parties
    • Appropriate confidence level: the program has been examined carefully and given trust appropriate for its job

  20. Security policies
  • A security policy is a statement of the security we expect a system to enforce
  • A mechanism is a tool or protocol to enforce the policy
  • It is possible to have good policies but bad mechanisms or vice versa
  • A trusted system has:
    • Enforcement of a security policy
    • Sufficiency of measures and mechanisms
    • Evaluation

  21. Bell-LaPadula Model

  22. Bell-LaPadula overview
  • Confidentiality access control system
  • Military-style classifications
  • Uses a linear clearance hierarchy
  • All information is on a need-to-know basis
  • It uses clearance (or sensitivity) levels as well as project-specific compartments

  23. Security clearances
  • Both subjects (users) and objects (files) have security clearances
  • Below are the clearances arranged in a hierarchy

  24. Simple security condition
  • Let level(O) be the clearance level of object O
  • Let level(S) be the clearance level of subject S
  • The simple security condition states that S can read O if and only if level(O) ≤ level(S) and S has discretionary read access to O
  • In short, you can only read down
  • Example?
  • In a few slides, we will expand the simple security condition to make the concept of level

  25. *-Property
  • The *-property states that S can write O if and only if level(S) ≤ level(O) and S has discretionary write access to O
  • In short, you can only write up
  • Example?

  26. Basic security theorem
  • Assume your system starts in a secure initial state
  • Let T be all the possible state transformations
  • If every element in T preserves the simple security condition and the *-property, every reachable state is secure
  • This is sort of a stupid theorem, because we define "secure" to mean a system that preserves the simple security condition and the *-property

  27. Adding compartments
  • We add compartments such as NUC = Non-Union Countries, EUR = Europe, and US = United States
  • The possible sets of compartments are:
    • ∅ (the empty set)
    • {NUC}
    • {EUR}
    • {US}
    • {NUC, EUR}
    • {NUC, US}
    • {EUR, US}
    • {NUC, EUR, US}
  • Put a clearance level with a compartment set and you get a security level
    • The literature does not always agree on terminology

  28. Romaine lattice
  • The subset relationship induces a lattice (each set sits above the sets it contains):

        {NUC, EUR, US}
    {NUC, EUR}  {NUC, US}  {EUR, US}
       {NUC}     {EUR}     {US}
              ∅

  29. Updated properties
  • Let L be a clearance level and C be a set of compartments (a category)
  • Instead of talking about level(O) ≤ level(S), we say that security level (L, C) dominates security level (L', C') if and only if L' ≤ L and C' ⊆ C
  • Simple security now requires (LS, CS) to dominate (LO, CO) and S to have read access
  • *-property now requires (LO, CO) to dominate (LS, CS) and S to have write access
  • Problems?
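The dominates relation and the two properties with compartments, as an added example (not from the slides), together with the subset lattice of slide 28 built programmatically. The level names (Unclassified < Confidential < Secret < Top Secret) are an assumed military-style hierarchy, since the clearance diagram from slide 23 is not reproduced here; the test below also shows the "Problems?" case, two levels with the same clearance but disjoint compartments, which neither reads nor writes each other.

```python
from enum import IntEnum
from itertools import combinations

class Level(IntEnum):
    """Linear clearance hierarchy; the names are an assumed military-style ordering."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Compartments from the slides.
NUC, EUR, US = "NUC", "EUR", "US"

def dominates(a, b) -> bool:
    """(L, C) dominates (L', C') iff L' <= L and C' is a subset of C."""
    (L, C), (Lp, Cp) = a, b
    return Lp <= L and frozenset(Cp) <= frozenset(C)

def can_read(subject, obj, dac_read: bool) -> bool:
    """Simple security condition with compartments: read down only, plus DAC read."""
    return dac_read and dominates(subject, obj)

def can_write(subject, obj, dac_write: bool) -> bool:
    """*-property with compartments: write up only, plus DAC write."""
    return dac_write and dominates(obj, subject)

def subset_lattice(compartments) -> list:
    """All 2^n compartment sets, grouped by size from the empty set upward."""
    comps = sorted(compartments)
    return [[frozenset(c) for c in combinations(comps, r)] for r in range(len(comps) + 1)]

def hasse_edges(compartments) -> list:
    """Covering edges of the lattice: each set to the sets one compartment larger."""
    rows = subset_lattice(compartments)
    return [(a, b) for lo, hi in zip(rows, rows[1:]) for a in lo for b in hi if a < b]
```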

  30. Clark-Wilson Model

  31. Clark-Wilson model
  • Commercial model that focuses on transactions
  • Just like a bank, we want certain conditions to hold before a transaction and the same conditions to hold after
  • If conditions hold in both cases, we call the system consistent
  • Example:
    • D is the amount of money deposited today
    • W is the amount of money withdrawn today
    • YB is the amount of money in accounts at the end of business yesterday
    • TB is the amount of money currently in all accounts
    • Thus, D + YB – W = TB

  32. Clark-Wilson definitions
  • Data that has to follow integrity controls are called constrained data items or CDIs
  • The rest of the data items are unconstrained data items or UDIs
  • Integrity constraints (like the bank transaction rule) constrain the values of the CDIs
  • Two kinds of procedures:
    • Integrity verification procedures (IVPs) test that the CDIs conform to the integrity constraints
    • Transformation procedures (TPs) change the data in the system from one valid state to another

  33. Clark-Wilson rules
  • Clark-Wilson has a system of 9 rules designed to protect the integrity of the system
  • There are five certification rules that test to see if the system is in a valid state
  • There are four enforcement rules that give requirements for the system

  34. Certification Rules 1 and 2
  • CR1: When any IVP is run, it must ensure that all CDIs are in a valid state
  • CR2: For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state
    • By inference, a TP is only certified to work on a particular set of CDIs

  35. Enforcement Rules 1 and 2
  • ER1: The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI
  • ER2: The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user.
    • Thus, a user is only allowed to use certain TPs on certain CDIs

  36. Certification Rule 3 and Enforcement Rule 3
  • CR3: The allowed relations must meet the requirements imposed by the principle of separation of duty
  • ER3: The system must authenticate each user attempting to execute a TP
    • In theory, this means that users don't necessarily have to log on if they are not going to interact with CDIs

  37. Certification Rules 4 and 5
  • CR4: All TPs must append enough information to reconstruct the operation to an append-only CDI
    • Logging operations
  • CR5: Any TP that takes input as a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI
    • Gives a rule for bringing new information into the integrity system

  38. Enforcement Rule 4
  • ER4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of any entity associated with that TP, may ever have execute permission with respect to that entity.
    • Separation of duties
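The bank example of slide 31 and the rules of slides 34 to 38, brought together in one added example (not code from the course): the IVP checks D + YB – W = TB, the certified and user associations are tables the enforcement monitor consults, every TP appends to a log CDI, and untrusted input is either turned into a valid amount or rejected. The account data, user names and table contents are constructed for the example.

```python
# Constructed toy bank illustrating the Clark-Wilson rules.
# CDIs: account balances, today's totals D and W, and an append-only log.
class Bank:
    def __init__(self, balances: dict, yb: int):
        self.balances = dict(balances)  # CDI: per-account balances
        self.yb = yb                    # YB: total in all accounts at close yesterday
        self.d = 0                      # D: deposited today
        self.w = 0                      # W: withdrawn today
        self.log = []                   # append-only CDI (CR4)

    def ivp(self) -> bool:
        """IVP (CR1): the integrity constraint D + YB - W == TB must hold."""
        return self.d + self.yb - self.w == sum(self.balances.values())

# Certified relations (CR2/ER1): each TP is certified for a set of CDIs.
CERTIFIED = {"deposit": {"balances", "log"}, "withdraw": {"balances", "log"}}
# ER2: (user, TP) associations; a TP acts on CDIs only for an associated user.
ASSOCIATED = {("teller", "deposit"), ("teller", "withdraw")}
# ER3: only users the system has authenticated may execute a TP.
AUTHENTICATED = {"teller", "auditor"}

def udi_to_amount(udi):
    """CR5: an untrusted UDI becomes a valid positive amount or is rejected."""
    if not isinstance(udi, str) or not udi.isdigit() or int(udi) == 0:
        return None
    return int(udi)

def run_tp(bank: Bank, user: str, tp: str, account: str, udi) -> bool:
    """Enforcement monitor: run the TP only when every rule permits it.

    Returns True when the transformation was applied and the IVP still holds.
    """
    if user not in AUTHENTICATED:                   # ER3
        return False
    if (user, tp) not in ASSOCIATED:                # ER2
        return False
    if tp not in CERTIFIED or account not in bank.balances:
        return False                                # ER1: uncertified TP or unknown CDI
    amount = udi_to_amount(udi)
    if amount is None:                              # CR5: reject, no transformation
        return False
    if tp == "deposit":
        bank.balances[account] += amount
        bank.d += amount
    else:
        bank.balances[account] -= amount
        bank.w += amount
    bank.log.append((user, tp, account, amount))    # CR4: enough to reconstruct the op
    return bank.ivp()                               # CR1: re-verify after every TP
```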

  39. Clark-Wilson summary
  • Designed close to real commercial situations
  • No rigid multilevel scheme
  • Enforces separation of duty
  • Certification and enforcement are separated
    • Enforcement in a system depends simply on following given rules
    • Certification of a system is difficult to determine

  40. Mid-Semester Feedback

  41. Upcoming

  42. Next time…
  • Chinese Wall and Biba models
  • Theoretical limitations (HRU result)
  • Trusted system design elements
  • Yuki Gage presents

  43. Reminders
  • Read Sections 5.1 – 5.3
  • Keep working on Project 2
