Week 8 - Monday CS363
Last time • What did we talk about last time? • Access control • Authentication
Security Presentation Andrew Sandridge
Pass Algorithms • Some systems have a special function f that the user (or the user's system) must know • The system issues a prompt (a challenge), and the user must respond with the result of applying f to it • Perhaps the system issues a random value, which the user must encrypt with his secret key and send back • Perhaps it is just some other way of processing the data • Because each challenge is fresh, a response that an eavesdropper captures is useless for a later login • Monkey Island 2: LeChuck's Revenge hand puzzle
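The exchange described above, as an added example that is not part of the original slides: a challenge-response login in Python. The slide leaves f open; here f is HMAC-SHA256 under a shared key (a keyed MAC standing in for the slide's "encrypt it with his secret key"). The key and the user name are constructed for the example, and the server forgets each challenge once it has been answered so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example; in practice it is provisioned out of band.
SHARED_KEY = b"example-shared-secret-key"


class Server:
    """Issues one random challenge per login attempt and checks the response."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = {}  # user -> challenge that has not been answered yet

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        c = self.outstanding.pop(user, None)  # a challenge is single-use
        if c is None:
            return False
        expected = hmac.new(self.key, c, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


class Client:
    """The user's side: f(challenge) = HMAC-SHA256(key, challenge)."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    server = Server(SHARED_KEY)
    client = Client(SHARED_KEY)

    c1 = server.challenge("alice")
    r1 = client.respond(c1)
    genuine = server.verify("alice", r1)

    # An eavesdropper who captured r1 replays it against a fresh challenge.
    server.challenge("alice")
    replayed = server.verify("alice", r1)

    # A client holding the wrong key answers a fresh challenge.
    c3 = server.challenge("alice")
    wrong = server.verify("alice", Client(b"not the key").respond(c3))

    return {"genuine": genuine, "replayed": replayed, "wrong key": wrong}


if __name__ == "__main__":
    print(demo())
```

The run accepts the genuine response, rejects the same response replayed against a new challenge, and rejects a response computed under the wrong key. The random challenge is what turns a static secret into something that can be proved without ever sending it.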
One-Time Passwords • A one-time password is invalidated as soon as it is used • Thus, an attacker stealing the password can do limited damage • He can only log in once • He has to act quickly before the legitimate user logs in first • How do you generate all these passwords? • How do you synchronize the user and the system?
One-time password implementations • RSA SecurID tokens display a new code every 30 or 60 seconds, computed from a per-token secret seed and the current time • The user's token and the system must be synchronized within a few seconds to keep this practical • Hash chains (Lamport's scheme) need no clock: using a secure hash function h, we start with a seed value k, then • h(k) = k1, h(k1) = k2, …, h(kn-1) = kn • Passwords are then used in reverse order • p1 = kn, p2 = kn-1, …, pn-1 = k2, pn = k1 • The system keeps only the last password it accepted and checks each new one by hashing it once and comparing • An attacker who captures pi cannot produce pi+1, because that would require inverting h
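The hash-chain scheme above (Lamport's construction, the basis of S/Key), worked as an added example rather than code from the slides. The seed and the chain length are constructed, and SHA-256 stands in for the secure hash h. One assumption beyond the slide: at enrolment the server is given h(kn) = kn+1 rather than kn, so that every password, including p1 = kn, is verified by the same rule: hash it once and compare with the last accepted value.

```python
import hashlib


def h(x: bytes) -> bytes:
    """The one-way function the chain is built from (SHA-256 here)."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [k1, k2, ..., kn] with k1 = h(seed) and k(i+1) = h(ki)."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain


class OTPServer:
    """Holds only the last accepted value, never the seed or the full chain."""

    def __init__(self, last: bytes):
        self.last = last

    def login(self, password: bytes) -> bool:
        # The next password must hash to the value we accepted previously.
        if h(password) == self.last:
            self.last = password  # advance: this password is now burnt
            return True
        return False


class OTPClient:
    """The user's side: hands out the chain in reverse order, p1 = kn."""

    def __init__(self, seed: bytes, n: int):
        self.remaining = make_chain(seed, n)  # pop() yields kn first

    def next_password(self) -> bytes:
        return self.remaining.pop()


def demo(seed: bytes = b"constructed seed value", n: int = 5) -> dict:
    kn = make_chain(seed, n)[-1]
    server = OTPServer(h(kn))  # enrolment: server seeded with k(n+1) = h(kn)
    client = OTPClient(seed, n)

    p1 = client.next_password()
    results = {"p1 accepted": server.login(p1)}
    results["p1 replayed"] = server.login(p1)  # burnt: rejected
    # An eavesdropper saw p1 but needs a preimage of it; hashing goes the wrong way.
    results["attacker guesses h(p1)"] = server.login(h(p1))
    results["p2 accepted"] = server.login(client.next_password())
    # Drain the rest; the chain has n passwords in total and must then be re-seeded.
    for _ in range(n - 2):
        server.login(client.next_password())
    results["chain exhausted"] = len(client.remaining) == 0
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing the server stores is useful to an attacker who steals it: the last accepted value is the image of the next password under h, and recovering the next password from it is a preimage attack on the hash.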
Biometrics • Biometrics means identifying humans by their physical and biological characteristics • This technology is often seen in spy and science fiction movies • It does exist, but it is far from perfect • Like passwords, the actual biometric scans are usually not stored • Instead specific features are stored for later comparison • Biometrics pose unique privacy concerns because the information collected can reveal health conditions
Fingerprints • Historically, fingerprints are one of the most heavily used forms of biometric identification • Especially useful for solving crimes • Even identical twins have different fingerprints • Fun fact: Koalas have fingerprints so similar to human beings that even experts are fooled • Optical scanners are available • Cheap, capacitive scanners are now even available on many laptops • The image of the fingerprint is usually not stored • Instead, specific, differentiable features are recorded
Voice recognition • Voice recognition systems must be trained on your voice • They can be defeated with recording devices • If you have a cold, it throws off the characteristics of your voice • As a consequence, they are particularly susceptible to both false positives and false negatives
Eye recognition • As the technology matures and hardware becomes cheaper, eye recognition is becoming more common • Iris recognition looks at the patterns of light and dark areas in your iris (the colored part of your eye) • For simplicity, the image is converted to grayscale for comparison • Newer iris scanners can make successful identifications at 10 feet away or more, even correcting for glasses! • Retina scans exist but are unpopular • The retina is the tissue lining the inside of your eye and requires pupil dilation to get an accurate picture, blinding you for several minutes • There are even systems for recognizing the patterns of discolorations on the whites of your eyes!
Face recognition • The shape of your face, the distance between your eyes and nose, and other facial features are relatively distinctive • Although they can be nearly the same for identical twins • Computer vision techniques must be used to locate the face, deal with changes in haircut, glasses, etc. • Participants must have a neutral facial expression or results can be thrown off • The US Department of State uses facial recognition and fingerprinting to document foreigners entering the country • Their database has over 75 million photographs
Other biometrics • Hand geometry readers measure the shape of your hand • Keystroke dynamics are the patterns that you use when typing • Users are quite distinctive, but distractions and injuries can vary patterns a lot • Combinations of different biometrics are sometimes used • DNA sequencing is not (yet) fast enough to be used for authentication • Researchers are always coming up with new biometrics to use
Problems with biometrics • People assume that they are more secure than they are • Attacks: • Fingerprints can be lifted off a champagne glass • Voices can be recorded • Iris recognition can be faked with special contact lenses • Matching is never exact, so the system must pick a threshold: both false positives (accepting an impostor) and false negatives (rejecting the real user) are possible, and tightening one loosens the other • The data sent from the biometric reader to the matcher can be tampered with or replayed, bypassing the sensor entirely • Biometric characteristics can change • Identical twins sometimes pose a problem • Unlike a password, a biometric that has been copied cannot be changed
What is trust? • To trust a program, we are looking for 4 things: • Functional correctness • The program does what it should • Enforcement of integrity • The program’s data is still correct even if given bad or unauthorized commands • Limited privilege • If the program accesses secure data, it only accesses what it needs, and it doesn’t leak rights or data to untrusted parties • Appropriate confidence level • The program has been examined carefully and given trust appropriate for its job
Security policies • A security policy is a statement of the security we expect a system to enforce • A mechanism is a tool or protocol to enforce the policy • It is possible to have good policies but bad mechanisms or vice versa • A trusted system has: • Enforcement of a security policy • Sufficiency of measures and mechanisms • Evaluation
Bell-LaPadula overview • Confidentiality access control system • Military-style classifications • Uses a linear clearance hierarchy • All information is on a need-to-know basis • It uses clearance (or sensitivity) levels as well as project-specific compartments
Security clearances • Both subjects (users) and objects (files) have security clearances • Below are the clearances arranged in a hierarchy
Simple security condition • Let levelO be the clearance level of object O • Let levelS be the clearance level of subject S • The simple security condition states that S can read O if and only if levelO ≤ levelS and S has discretionary read access to O • In short, you can only read down • Example? • In a few slides, we will expand the simple security condition to make the concept of level
*-Property • The *-property states that S can write O if and only if levelS ≤ levelO and S has discretionary write access to O • In short, you can only write up • Example?
Basic security theorem • Assume your system starts in a secure initial state • Let T be all the possible state transformations • If every element in T preserves the simple security condition and the *-property, every reachable state is secure • This looks circular, because "secure" is defined to mean a state that satisfies the simple security condition and the *-property • Its value is practical: it lets you prove a system secure by checking each transition once, instead of examining every reachable state
Adding compartments • We add compartments such as NUC = Non-Union Countries, EUR = Europe, and US = United States • The possible sets of compartments are: • ∅ (the empty set) • {NUC} • {EUR} • {US} • {NUC, EUR} • {NUC, US} • {EUR, US} • {NUC, EUR, US} • Put a clearance level with a compartment set and you get a security level • The literature does not always agree on terminology
Romaine lattice • The subset relationship induces a lattice, drawn here top to bottom with each set above the sets obtained by removing one element • Top: {NUC, EUR, US} • Next: {NUC, EUR}, {NUC, US}, {EUR, US} • Next: {NUC}, {EUR}, {US} • Bottom: ∅
Updated properties • Let L be a clearance level and C be a set of compartments (categories) • Instead of talking about levelO ≤ levelS, we say that security level (L, C) dominates security level (L′, C′) if and only if L′ ≤ L and C′ ⊆ C • Dominance is only a partial order: two levels with incomparable compartment sets, such as (Secret, {NUC}) and (Secret, {EUR}), dominate neither one another • Simple security now requires (LS, CS) to dominate (LO, CO) and S to have discretionary read access • *-property now requires (LO, CO) to dominate (LS, CS) and S to have discretionary write access • Problems?
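The dominance relation and the two properties as stated above, as an added example that is not from the slides: a small Bell-LaPadula reference monitor in Python. The four clearance names and the discretionary access matrix are assumptions constructed for the example (the slide's hierarchy diagram is not reproduced here); the compartments are the slide's NUC, EUR and US.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Linear clearance hierarchy. Assumed for the example; the slide's own diagram is not reproduced.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class SecurityLevel:
    clearance: str
    compartments: FrozenSet[str]

    def dominates(self, other: "SecurityLevel") -> bool:
        # (L, C) dominates (L', C') iff L' <= L and C' is a subset of C.
        return (LEVELS[other.clearance] <= LEVELS[self.clearance]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Entity:
    """A subject (user) or an object (file); both carry a security level."""
    name: str
    level: SecurityLevel


DAC = Dict[Tuple[str, str], Set[str]]  # (subject name, object name) -> discretionary rights


def can_read(s: Entity, o: Entity, dac: DAC) -> bool:
    # Simple security condition: subject dominates object (read down), and DAC allows it.
    return "read" in dac.get((s.name, o.name), set()) and s.level.dominates(o.level)


def can_write(s: Entity, o: Entity, dac: DAC) -> bool:
    # *-property: object dominates subject (write up), and DAC allows it.
    return "write" in dac.get((s.name, o.name), set()) and o.level.dominates(s.level)


def level(clearance: str, comps) -> SecurityLevel:
    return SecurityLevel(clearance, frozenset(comps))


def demo() -> dict:
    alice = Entity("alice", level("Secret", {"NUC", "EUR"}))
    bob = Entity("bob", level("Top Secret", {"NUC", "EUR", "US"}))
    report = Entity("report", level("Confidential", {"NUC"}))
    plan = Entity("plan", level("Top Secret", {"NUC", "EUR", "US"}))
    memo = Entity("memo", level("Secret", {"US"}))
    # Constructed discretionary matrix: alice has rw on everything and bob has nothing,
    # so for alice only the mandatory rules decide, while for bob DAC alone denies.
    dac = {("alice", o.name): {"read", "write"} for o in (report, plan, memo)}
    return {
        "alice reads report": can_read(alice, report, dac),    # read down: allowed
        "alice writes report": can_write(alice, report, dac),  # write down: denied
        "alice reads plan": can_read(alice, plan, dac),        # read up: denied
        "alice writes plan": can_write(alice, plan, dac),      # write up: allowed
        "alice reads memo": can_read(alice, memo, dac),        # incomparable: denied
        "alice writes memo": can_write(alice, memo, dac),      # incomparable: denied
        "bob reads report": can_read(bob, report, dac),        # MAC ok, DAC missing: denied
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that alice may write to plan but can never read it back: a subject can blindly modify data it is not cleared to see, which is the usual objection behind the "Problems?" prompt, and it is why real systems restrict writes to the subject's own level in practice.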
Clark-Wilson model • Commercial model that focuses on transactions • Just like a bank, we want certain conditions to hold before a transaction and the same conditions to hold after • If conditions hold in both cases, we call the system consistent • Example: • D is the amount of money deposited today • W is the amount of money withdrawn today • YB is the amount of money in accounts at the end of business yesterday • TB is the amount of money currently in all accounts • Thus, D + YB – W = TB
Clark-Wilson definitions • Data that has to follow integrity controls are called constrained data items or CDIs • The rest of the data items are unconstrained data items or UDIs • Integrity constraints (like the bank transaction rule) constrain the values of the CDIs • Two kinds of procedures: • Integrity verification procedures (IVPs) test that the CDIs conform to the integrity constraints • Transformation procedures (TPs) change the data in the system from one valid state to another
Clark-Wilson rules • Clark-Wilson has a system of 9 rules designed to protect the integrity of the system • There are five certification rules that test to see if the system is in a valid state • There are four enforcement rules that give requirements for the system
Certification Rules 1 and 2 • CR1: When any IVP is run, it must ensure that all CDIs are in a valid state • CR2: For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state • By inference, a TP is only certified to work on a particular set of CDIs
Enforcement Rules 1 and 2 • ER1: The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI • ER2: The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user. • Thus, a user is only allowed to use certain TPs on certain CDIs
Certification Rule 3 and Enforcement Rule 3 • CR3: The allowed relations must meet the requirements imposed by the principle of separation of duty • ER3: The system must authenticate each user attempting to execute a TP • In theory, this means that users don't necessarily have to log on if they are not going to interact with CDIs
Certification Rules 4 and 5 • CR4: All TPs must append enough information to reconstruct the operation to an append-only CDI • Logging operations • CR5: Any TP that takes input as a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI • Gives a rule for bringing new information into the integrity system
Enforcement Rule 4 • ER4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of any entity associated with that TP, may ever have execute permission with respect to that entity. • Separation of duties
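The nine rules above, as an added example that is not the slides' own code: a toy Clark-Wilson system in Python whose IVP is the bank invariant D + YB – W = TB from the earlier slide. Account names, balances, the TPs and the user names are constructed for the example. ER4 is modelled as the certifier/executor split; the broader separation-of-duty requirements of CR3 are not modelled beyond that.

```python
import copy


class IntegrityError(Exception):
    """Raised whenever a Clark-Wilson rule would be violated."""


def validate_amount(udi):
    # CR5: a UDI (raw user input) is either rejected or turned into a CDI-safe value.
    try:
        n = int(udi)
    except (TypeError, ValueError):
        raise IntegrityError("rejected UDI: not an integer")
    if n <= 0:
        raise IntegrityError("rejected UDI: amount must be positive")
    return n


# TPs: each must take the CDIs from one valid state to another (CR2).
def deposit(cdis, acct, amount):
    cdis[acct] += amount
    cdis["D"] += amount


def withdraw(cdis, acct, amount):
    if cdis[acct] < amount:
        raise IntegrityError("insufficient funds")
    cdis[acct] -= amount
    cdis["W"] += amount


def broken_withdraw(cdis, acct, amount):
    cdis[acct] -= amount  # forgets W: would leave the CDIs in an invalid state


class ClarkWilsonSystem:
    def __init__(self):
        # CDIs: constructed balances in cents plus the day's totals from the invariant.
        self.cdis = {"acct:alice": 10000, "acct:bob": 5000, "YB": 15000, "D": 0, "W": 0}
        self.log = []              # CR4: append-only CDI recording every TP run
        self.tps = {}              # name -> (function, certified CDI set, certifier)
        self.triples = set()       # ER2: allowed (user, TP, CDI) relations
        self.authenticated = set()

    def ivp(self):
        # IVP (CR1): D + YB - W must equal TB, the total currently in all accounts.
        tb = sum(v for k, v in self.cdis.items() if k.startswith("acct:"))
        return self.cdis["D"] + self.cdis["YB"] - self.cdis["W"] == tb

    def certify_tp(self, name, fn, cdi_set, certifier):
        self.tps[name] = (fn, frozenset(cdi_set), certifier)

    def allow(self, certifier, user, tp, cdi):
        fn, cdis, cert = self.tps[tp]
        # ER4: only the certifier may edit associations, and may never execute the TP.
        if certifier != cert:
            raise IntegrityError("only the certifier may change associations")
        if user == cert:
            raise IntegrityError("certifier may not execute the TP it certified")
        if cdi not in cdis:  # ER1: a TP is certified only for its own CDI set
            raise IntegrityError("TP not certified for this CDI")
        self.triples.add((user, tp, cdi))
        return True

    def login(self, user):
        self.authenticated.add(user)

    def run(self, user, tp, cdi, udi):
        if user not in self.authenticated:            # ER3
            raise IntegrityError("user not authenticated")
        if (user, tp, cdi) not in self.triples:       # ER1 + ER2
            raise IntegrityError("no (user, TP, CDI) relation")
        amount = validate_amount(udi)                 # CR5
        snapshot = copy.deepcopy(self.cdis)
        try:
            self.tps[tp][0](self.cdis, cdi, amount)
            if not self.ivp():                        # CR2 re-checked at run time
                raise IntegrityError("TP left CDIs in an invalid state")
        except IntegrityError:
            self.cdis = snapshot                      # roll back to the last valid state
            raise
        self.log.append((user, tp, cdi, amount))      # CR4
        return True


def attempt(fn, *args):
    """True if the operation was permitted, False if a rule rejected it."""
    try:
        return bool(fn(*args))
    except IntegrityError:
        return False


def demo() -> dict:
    s = ClarkWilsonSystem()
    accts = {"acct:alice", "acct:bob"}
    for name, fn in (("deposit", deposit), ("withdraw", withdraw), ("broken_withdraw", broken_withdraw)):
        s.certify_tp(name, fn, accts, certifier="carol")
        s.allow("carol", "teller", name, "acct:alice")
    s.allow("carol", "mallory", "withdraw", "acct:bob")
    s.login("teller")  # mallory never authenticates
    return {
        "deposit": attempt(s.run, "teller", "deposit", "acct:alice", "2500"),
        "withdraw": attempt(s.run, "teller", "withdraw", "acct:alice", "500"),
        "bad udi": attempt(s.run, "teller", "deposit", "acct:alice", "-5"),
        "wrong cdi": attempt(s.run, "teller", "withdraw", "acct:bob", "100"),
        "unauthenticated": attempt(s.run, "mallory", "withdraw", "acct:bob", "100"),
        "certifier executes": attempt(s.allow, "carol", "carol", "deposit", "acct:alice"),
        "broken tp": attempt(s.run, "teller", "broken_withdraw", "acct:alice", "100"),
        "invariant": s.ivp(),
        "alice": s.cdis["acct:alice"],
        "log entries": len(s.log),
    }


if __name__ == "__main__":
    print(demo())
```

The enforcement side is mechanical, which is the point of the summary that follows: the system only checks relations and the IVP. What it cannot check is whether a TP was certified correctly, which is why broken_withdraw gets caught only because the IVP is re-run after every transaction and the state rolled back.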
Clark-Wilson summary • Designed close to real commercial situations • No rigid multilevel scheme • Enforces separation of duty • Certification and enforcement are separated • Enforcement in a system depends simply on following given rules • Certification of a system is difficult to determine
Next time… • Chinese Wall and Biba models • Theoretical limitations (HRU result) • Trusted system design elements • Yuki Gage presents
Reminders • Read Sections 5.1 – 5.3 • Keep working on Project 2