ZD

Software Security - Week 09

Authentication

  • Authentication is the process of identifying and maintaining a digital identity on a computer system.
  • A necessary foundation for two of the information assurances:
    • Confidentiality
    • Integrity

NIST SP 800-63-2 E-Authentication Architectural Model

  • Involves registration, credential issuance, and maintenance.
  • Includes:
    • Registration authority (RA)
    • Credential service provider (CSP)
    • Relying party (RP)
  • E-Authentication uses token and credential validation.

Password-based Authentication

  • Widely used defense against intruders.
  • Compares entered password to a stored password linked to the user ID in a password file.

Hashed Passwords

  • Technique involves hashed passwords and a salt value; found on UNIX variants.
  • Process:
    • User selects password.
    • Password combined with a fixed-length salt value (older implementations derived the salt from the time the password was assigned; newer ones use pseudorandom numbers).
    • Password and salt input into a hashing algorithm to produce a fixed-length hash code.
    • Hashed password and plaintext copy of the salt stored in password file with corresponding user ID.

Verifying a Password

  • User provides ID and password.
  • OS uses ID to retrieve the plaintext salt and the stored hashed password from the password file.
  • OS uses the salt and the user-supplied password as input to the same hashing routine.
  • If the result matches the stored value, the password is accepted.

Purpose of Salt Value

  • Prevents duplicate passwords from being visible in the password file: two users who choose the same password receive different salt values and therefore different hash codes.
  • Increases difficulty of offline dictionary attacks. For a salt of length b bits, the number of possible passwords increases by a factor of 2^b.
  • Makes it nearly impossible to determine if a person uses the same password across multiple systems.
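The salted storage and verification process above, as an added example that is not part of the original notes. It uses an in-memory dictionary as the password file, a 128-bit pseudorandom salt, and PBKDF2-HMAC-SHA256 as the hashing algorithm (this example's choice; the notes only require a fixed-length hash code).

```python
import hashlib
import hmac
import os

# Constructed in-memory "password file": user ID -> (plaintext salt, hashed password).
PASSWORD_FILE = {}

def hash_password(password, salt):
    # Hashing algorithm applied to password + salt. PBKDF2-HMAC-SHA256 with many
    # iterations is chosen here so that offline guessing stays expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(user_id, password):
    salt = os.urandom(16)          # pseudorandom salt of b = 128 bits
    PASSWORD_FILE[user_id] = (salt, hash_password(password, salt))

def verify_password(user_id, password):
    entry = PASSWORD_FILE.get(user_id)
    if entry is None:
        # Unknown user: still spend one hash so timing looks like a real user.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)

def same_password_same_hash(user_a, user_b):
    # True only if two entries store an identical hash code (they should not, even
    # when the underlying passwords are equal, because the salts differ).
    return PASSWORD_FILE[user_a][1] == PASSWORD_FILE[user_b][1]

if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")
    add_user("bob", "correct horse battery staple")   # same password as alice
    print(verify_password("alice", "correct horse battery staple"))  # True
    print(verify_password("alice", "wrong"))                        # False
    print(same_password_same_hash("alice", "bob"))                  # False: salts differ
```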

Token-based Authentication

  • Uses objects a user possesses for authentication.

Memory Cards

  • Store but cannot process data.
  • Example: Bank card with magnetic stripe.
  • Magnetic stripe stores a simple security code.
  • Used alone for physical access (e.g., hotel room).
  • For authentication: memory card + PIN.
  • Typical application: ATM.
  • Drawbacks:
    • Requires special reader.
    • Token loss prevents system access.
    • User inconvenience.

Smart Cards

  • Physical card with embedded integrated chip as a security token.
  • Size of driver's license or credit card, made of metal or plastic.
  • Connects via physical contact (the chip is read when the card is inserted, "dipped", into a reader) or wirelessly (RFID, near-field communication).

Electronic Identity Cards

  • Smart card as national identity card (eID) for access to government and commercial services.

Biometric Authentication

  • Authenticates based on unique physical characteristics.
  • Includes static (fingerprints, hand geometry, facial characteristics, retinal and iris patterns) and dynamic (voiceprint, signature) characteristics.
  • Based on pattern recognition.
  • Technically more complex and expensive than passwords and tokens.

Generic Biometric System

  • Enrollment: Biometric sensor captures data, feature extractor creates a template, stored in biometric database.
  • Verification: Biometric sensor captures data, feature extractor creates a template, feature matcher compares to stored template (one template).
  • Identification: Biometric sensor captures data, feature extractor creates a template, feature matcher compares to stored templates (N templates) to identify user.

Remote User Authentication

  • Verifies user identity accessing a system from outside the physical premises.
  • Allows secure remote access to resources, services, or data over a network like the internet.

Kerberos

  • Authentication service developed at MIT as part of Project Athena.
  • Computer network security protocol that authenticates service requests between trusted hosts across an untrusted network.
  • Default authorization technology for Microsoft Windows.
  • Implementations exist for Apple OS, FreeBSD, UNIX, and Linux.
  • Named after the three-headed dog Kerberos; three heads represent the client, server, and Key Distribution Center (KDC).

Kerberos Scenario and Threats

  • Open distributed environment with users at workstations accessing services on distributed servers.
  • Possible threats:
    • User gaining access to a workstation and impersonating another user.
    • User altering a workstation's network address to mimic another workstation.
    • User eavesdropping and using replay attacks.
  • Kerberos provides a centralized authentication server to authenticate users to servers and vice versa.

Overview of Kerberos Process

  1. User logs on to workstation and requests service on host; requests ticket-granting ticket.
  2. Authentication Server (AS) verifies user's access rights in database, and creates ticket-granting ticket and session key; encrypted using key derived from user's password.
  3. Workstation prompts user for password to decrypt incoming message, and sends ticket and authenticator (user's name, network address, time) to Ticket Granting Server (TGS).
  4. TGS decrypts ticket and authenticator, verifies request, and creates ticket for requested application server.
  5. Workstation sends ticket and authenticator to host.
  6. Host verifies that ticket and authenticator match, and grants access to service; server returns an authenticator if mutual authentication is required.
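Step 6 of the process above, the host's check that the ticket and the authenticator match, as an added example that is not part of the original notes. The host key, session key, addresses and timestamps are constructed; seal/unseal is a toy encrypt-then-MAC construction standing in for Kerberos's real encryption types, and make_ticket_and_auth stands in for what the TGS and the workstation would produce.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # Keystream for the toy cipher: concatenated SHA-256 blocks of key||nonce||counter.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC stand-in for a Kerberos encryption type (demo only).
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ticket or authenticator fails integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

SKEW = 300                       # allowed clock difference, seconds
_seen = set()                    # replay cache: (client, authenticator time) already accepted

def verify_at_host(host_key, ticket, authenticator, client_addr, now=None):
    """Decrypt the ticket with the host's own key, then the authenticator with the
    session key found inside the ticket, and check both describe the same client."""
    now = time.time() if now is None else now
    t = unseal(host_key, ticket)
    if now > t["expires"]:
        return False, "ticket expired"
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or a["addr"] != t["addr"] or client_addr != t["addr"]:
        return False, "authenticator does not match ticket"   # copied ticket / other address
    if abs(now - a["time"]) > SKEW:
        return False, "authenticator timestamp outside clock skew"
    if (a["client"], a["time"]) in _seen:
        return False, "replayed authenticator"                # same authenticator seen before
    _seen.add((a["client"], a["time"]))
    return True, "access granted"

def make_ticket_and_auth(host_key, client, addr, now):
    # Constructed: ticket as the TGS would seal it for the host, authenticator as the
    # workstation would seal it under the session key (user's name, address, time).
    sk = os.urandom(32)
    ticket = seal(host_key, {"client": client, "addr": addr,
                             "session_key": sk.hex(), "expires": now + 3600})
    auth = seal(sk, {"client": client, "addr": addr, "time": now})
    return ticket, auth
```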

Access Control

  • "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner."
  • Central element of computer security.
  • Involves users and groups, authentication to system, and assigned access rights to resources.

Access Control Principles

  • Authentication: Verification of identity.
  • Authorization: Granting access rights or permissions to a system entity to access a resource; determines who is trusted for what.
  • Audit: Review and analysis of activity logs to ensure security policies, detect unauthorized access, and suggest improvements.

Subjects, Objects, and Access Rights

  • Basic elements: subject, object, and access right.

Subject

  • Entity capable of accessing objects.
    • Owner: Creator of a resource; system administrator for system resources, project administrator for project resources.
    • Group: Named group of users with granted access rights.
    • World: Least access granted to users not in owner or group categories.

Object

  • Resource to which access is controlled; entity containing/receiving information.
  • Examples: records, blocks, pages, segments, files, directories, mailboxes, messages, programs.

Access Right

  • Describes how a subject may access an object.
    • Read: User may view information.
    • Write: User may add, modify, or delete data; includes read access.
    • Execute: User may execute specified programs.
    • Delete: User may delete resources.
    • Create: User may create new resources.
    • Search: User may list files in a directory.

Access Control Policies

Discretionary Access Control (DAC)

  • Entity can grant access to another entity.
  • Examples: a WhatsApp status, a mobile app, a document file.
  • Uses access matrix with identified subjects and accessible objects.
  • Decomposed by columns, yielding Access Control Lists (ACLs) where each object lists users and permitted access rights.
  • Decomposition by rows yields capability tickets specifying authorized objects and operations for a particular user.
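The two decompositions of the access matrix described above, as an added example that is not part of the original notes. The matrix, the owners and the subjects are constructed; the grant function and the "write includes read" rule follow the definitions given in the Access Right and DAC sections.

```python
# Constructed access matrix: rows are subjects, columns are objects, cells are rights.
ACCESS_MATRIX = {
    "alice": {"file1": {"read", "write"}, "file2": {"read"}},
    "bob":   {"file1": {"read"}, "db1": {"read", "write"}},
    "carol": {"file2": {"execute"}},
}
OWNERS = {"file1": "alice", "file2": "carol", "db1": "bob"}   # constructed: creator of each resource

def has_right(rights, right):
    # Per the notes, write access includes read access.
    return right in rights or (right == "read" and "write" in rights)

def access_control_lists(matrix):
    # Decompose by columns: one ACL per object, listing each user and its permitted rights.
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def capability_tickets(matrix):
    # Decompose by rows: one capability list per subject, naming its objects and operations.
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}

def check_via_acl(acls, subject, obj, right):
    # Object-side decision, as a file server holding ACLs would make it.
    return has_right(acls.get(obj, {}).get(subject, set()), right)

def check_via_capability(caps, subject, obj, right):
    # Subject-side decision, from the ticket the subject presents.
    return has_right(caps.get(subject, {}).get(obj, set()), right)

def grant(matrix, grantor, subject, obj, right):
    # DAC: only the object's owner may pass a right to another entity; mutates the matrix.
    if OWNERS.get(obj) != grantor:
        raise PermissionError(f"{grantor} does not own {obj}")
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)

def decisions_agree(matrix):
    # Both decompositions are views of the same matrix, so they must give identical answers.
    acls, caps = access_control_lists(matrix), capability_tickets(matrix)
    return all(check_via_acl(acls, s, o, r) == check_via_capability(caps, s, o, r)
               for s in matrix for o in OWNERS for r in ("read", "write", "execute"))
```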

Mandatory Access Control (MAC)

  • Limits access based on information sensitivity and user authorization.
  • Example: Patient records.
    • Administrator configures access policies and defines security attributes (confidentiality levels, clearances).
    • Administrator assigns attributes to each subject (user or resource accessing data) and object (file, database, port).
    • Operating system examines subject’s security attributes and decides whether access can be granted.
    • User provides credentials to obtain access.

Role-Based Access Control (RBAC)

  • Controls access based on user roles within the system and rules specifying access permissions for given roles.

Attribute-Based Access Control (ABAC)

  • Controls access based on attributes of the user, resource, and current environmental conditions.
  • Example policy: "If the user/subject is in the US marketing department, they should have read and write access to the US sales and marketing data, and their location while accessing data should be the US."

ABAC Logical Architecture

  1. Subject requests access to an object.
  2. Access control mechanism assesses attributes of the subject, object, and current environmental conditions based on preconfigured access control policy rules.
  3. Access control mechanism grants or denies access based on authorization.
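The example policy and the three-step logical architecture above, as an added example that is not part of the original notes. The first rule encodes the US marketing policy quoted in the ABAC section; the second rule, the attribute names and the request values are constructed, and evaluation is deny-by-default.

```python
# Constructed rule set. The first rule is the example policy from the notes; the second
# is an additional constructed rule so that rule selection and deny-by-default are visible.
RULES = [
    {"name": "us-marketing-rw",
     "subject": {"department": "marketing", "region": "US"},
     "object": {"category": "sales_marketing", "region": "US"},
     "environment": {"location": "US"},
     "actions": {"read", "write"}},
    {"name": "auditor-read-only",
     "subject": {"role": "auditor"},
     "object": {},                       # no object attribute required: any object
     "environment": {"network": "corporate"},
     "actions": {"read"}},
]

def unmet(required, actual):
    # Attribute names whose required value the request does not carry.
    return sorted(k for k, v in required.items() if actual.get(k) != v)

def evaluate_rule(rule, subject, obj, env, action):
    # Step 2: assess subject, object and environment attributes against one rule.
    failures = {}
    for part, required, actual in (("subject", rule["subject"], subject),
                                   ("object", rule["object"], obj),
                                   ("environment", rule["environment"], env)):
        missing = unmet(required, actual)
        if missing:
            failures[part] = missing
    if action not in rule["actions"]:
        failures["action"] = [action]
    return failures            # empty dict means this rule permits the request

def abac_decision(rules, subject, obj, env, action):
    # Step 3: grant if any rule permits; otherwise deny and report why the closest
    # rule (fewest failing parts) did not, which is what an audit log wants to record.
    best = None
    for rule in rules:
        failures = evaluate_rule(rule, subject, obj, env, action)
        if not failures:
            return True, rule["name"]
        if best is None or len(failures) < len(best[1]):
            best = (rule["name"], failures)
    return False, best
```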

Comparison of Access Control Methods

                   MAC         DAC         RBAC         ABAC
  Restrictiveness  High        Low         Medium       Medium
  Control          Low         High        Medium       Medium
  Flexibility      Low         Low         High         High
  Policy Maker     System      Owner       Roles        Attributes

  • Advantages:
    • MAC: Highly secure.
    • DAC: Easy privilege configuration.
    • RBAC: Supports large enterprises; mitigates damage to data.
    • ABAC: Automated trust negotiation; improves upon RBAC.
  • Disadvantages:
    • MAC: Low storage capacity; unable to modify security levels.
    • DAC: Low storage capacity; unauthorized privileges can be granted.
    • RBAC: Requires investigation for defining attributes relevant to the authorization decision.
    • ABAC: Privileges depend on role.