4. Auth-AC - Control Questions Flashcards
What do we mean by (user) authentication?
user authentication = process of proving a claimed identity
What are the 3 approaches to user authentication in computer systems?
○ three basic approaches to user authentication
■ passwords and alike (what you know)
■ hardware tokens (what you have)
■ biometrics (what you are)
What are the advantages and the disadvantages of passwords?
○ advantages
■ simple and intuitive (easy to understand by average users)
■ cheap to implement
○ disadvantages
■ password must be memorized by the user
● users tend to choose guessable passwords
● users tend to use the same password on multiple systems
■ passwords or password hashes must be stored by the verifier
● password files can be stolen and analyzed off-line
● brute force and dictionary attacks are possible
■ password can be obtained on its way from the user to the verifier
● key stroke logging, shoulder surfing
● eavesdropping (encrypted transport between remote parties is essential)
● replay attacks (encryption alone is not enough)
■ passwords are easy to reveal and share
● social engineering attacks are possible
What is the model of password based authentication? (figure)
ábra
What do salting and stretching mean and what is their goal in case of password hashing?
○ design principles:
○ multiple iterations make exhaustive search slower (stretching)
○ user salt makes pre-computation attacks impractical
○ modified DES prevented the use of off-the-shelf DES hardware
+ ábra
What are the main weaknesses of Windows’ LM hash?
○ two halves can be cracked separately
○ conversion to uppercase reduces the size of the password space
What is a dictionary attack in the context of password based authentication?
list contains words from a dictionary (and their variations)
■ user-chosen passwords are often meaningful words that can be found in dictionaries
■ password cracking programs using dictionaries are available on the Web
Why does salting make a rainbow table based attack too expensive for the attacker?
time-memory trade-off:
■ given a fixed pre-computation effort t*m, we can adjust the time (~t 2 ) needed to break a
hash by changing the memory requirement (~2m)
■ hash cracking can be faster at the expense of more storage
How can we measure the strength of a randomly chosen password?
○ strength of randomly chosen passwords against brute force attack can be calculated with
precision:
■ H = L * log 2 N
○ where N is the number of possible symbols and L is the length of the password (in symbols), and
the unit of H is a bit
○ H is essentially the entropy of a randomly chosen password
What is the model of smart card based authentication? (figure)
ábra
What is the untrusted terminal problem?
○ smart cards have no user interface → PIN must be entered through the user terminal
○ a malicious terminal can use the PIN to request a signature from the smart card on any message
examples for potentially untrusted terminals:
■ a terminal installed at a public place (e.g., a PC in a hotel or airport lounge, Internet cafe,
…)
■ a terminal operated by an untrusted principal (e.g., an ATM or a payment terminal of an
unknown merchant in a foreign country)
■ the user’s own PC or smart phone ???
What is the basic model of biometric authentication? (figure)
ábra
What properties should a physiological feature have to be usable for biometric authentication?
○ universality – every person should have the characteristic
○ uniqueness – no two persons should be the same in terms of the characteristic
○ permanence – the characteristic should be invariant with time
○ collectability – the characteristic can be measured quantitatively
○ circumvention – it should be difficult to fool the system by fraudulent techniques
Give a few examples for biometric authentication approaches!
○ fingerprint ○ iris ○ retina ○ face ○ ear ○ hand ○ geometry ○ voice ○ thermogram (face) ○ key stroke dynamics (behavioral) ○ dynamics of handwritten signature (behavioral)
What is a fingerprint minutia?
○ ending: termination of a ridge ○ bifurcation: split of a ridge from a single path to two paths (Y-junction) ○ minutiae are represented by their: ■ type (ending, bifurcation) ■ position ■ direction
What types of global fingerprint patterns do exist?
○ Arch
○ Loop
○ Whorl
What are the fingerprint processing steps?
○ image capture
■ obtaining the fingerprint image
○ noise reduction and image enhancement
■ uses inherent redundancy of parallel ridges
■ ridges oriented in the same direction as those in the same locality are enhanced, and
anything oriented differently are decreased
■ this eliminates noise that may join adjacent ridges (flowing perpendicular to the local
flow)
○ feature extraction
■ binarization of the image from gray-scale to black and white
■ reducing the widths of the ridges down to a single pixel (thinning)
■ minutia detection
How does fingerprint matching work?
○ the most common is minutiae based matching –
○ coarse alignment of the two fingerprints based on local minutia structures, and consolidation of
the local matching results at a global level
○ consists of four steps:
■ 1. compute pairwise similarity between minutiae
● use minutia descriptors that are invariant to rotation and transposition
■ 2. alignment of the two fingerprints according to the most similar minutia pairs
■ 3. establishment of minutia correspondence
● minutiae that are close enough both in location and direction are deemed to be
matching
■ 4. computing a global similarity score and making a decision
● if the similarity score is beyond a threshold, then the fingerprints are considered to
be matching
What do false positives and a false negatives mean in biometric authentication?
○ false rejection (FR) or Type I error
○ false acceptance (FA) or Type II error
What is the basic model of access control? (figure and terminology)
model and terminology:
■ subject:
● an active entity that tries to
perform some access
operation
● typically a process running
on behalf of a user or some other principal
■ object:
● a passive entity representing the resource being accessed by the subject
● typical examples: files, channels, programs, memory locations, devices, …
■ access operation:
● defines the nature of access
● typical examples: read, write, append, execute, create, delete, search, …
■ reference monitor:
● guards the resource by enforcing some access control
What is the difference between a discretionary and a mandatory access control system?
○ discretional access control (DAC):
■ each resource has an owner (can be an untrusted user)
■ owner can decide who is allowed to have access to the resource
■ thus, access control is at the discretion of the (potentially untrusted) owner
○ mandatory access control (MAC):
■ resources have no owners, they belong to security classes
■ a system-wide policy determines if a subject from a given security class can access an
object in another security class
■ only trusted administrators can modify the policy, and only by using trusted programs
What is an ACL and a C-List?
○ access control list (ACL)
■ describes which subjects have which types of access to a particular object
■ can be considered as a column of the access matrix
■ instead of individual subjects, access operations are often defined for groups of subjects
■ makes it convenient to manage access rights on a given resource
○ capability list (C-List)
■ defines what access operations a given subject is permitted on different objects
■ can be considered as a row of the access control matrix
■ not widely used
● operating systems tend to be geared towards managing objects (system resources),
so the concept of ACLs attached to objects fits better
● revocation of access rights on a given object may be difficult
How is a security label defined in MAC systems?
○ let H be a set of classifications with linear ordering
■ e.g., unclassified < confidential < secret < top secret
○ let C be a set of categories
■ e.g., project names, company divisions, …
○ let us call a subset of C as a compartment
○ a security label is a (classification, compartment) pair (h, c)
○ security labels are partially ordered
What is the Bell-LaPadula model? (objective, enforcement rules)
○ subjects and objects have security labels assigned to them
○ the BLP model defines two key properties for information flow secrecy enforcement:
■ simple-security property
■ security property
○ intuition:
■ the simple-security property is quite obvious (it prevents unauthorized subjects from
reading sensitive data)
■ the *-security property prevents any process from writing secrets to a security class that
they dominate even if the process is a Trojan horse, it cannot leak data to unauthorized
subjects
What are the components of the Reference Monitor concept? (figure)
Authorization module
- core of the reference monitor
– takes interface inputs (e.g., process identity, object references, and high
level operation) and converts these to a low-level query for the
reference monitor’s policy store
Policy store
– database for storing the access control policy
– takes low-level queries (e.g., {subject label, object label, access
operation} triplets) and returns a binary authorization reply
What are the necessary conditions for the security of the Reference Monitor approach?
○ complete mediation: the system ensures that its access enforcement mechanism mediates all
security-sensitive operations
○ tamperproof: the system ensures that its access enforcement mechanism cannot be modified by
untrusted processes
○ verifiable: the access enforcement mechanism must be small enough to be subject to analysis and
tests, the completeness of which can be assured
How the basic access control model is mapped to Linux? (subjects, objects, access operations,
reference monitor)
○ a Linux system consists of an OS kernel and many processes (executing programs)
○ each process (and the kernel) has its own address space
■ defines the memory addresses that the process can access
■ allows for some level of isolation between different processes
○ persistent system resources (e.g., disk storage, I/O devices, network connections) are represented
as files
○ access to files is limited by the identity associated with the accessing process and the access rights
assigned to the file
■ Linux implements a discretionary access control (DAC) system
● while trusted services associate processes with user identities
● users can control the assignment of access rights to files that they own
○ some processes run with the identity of a privileged user (root)
○ the kernel and the root processes have full system access
○ subjects are processes
● identified by process IDs (PID)
● created by exec or fork
■ each process is associated with a real UID/GID and an effective UID/GID
● real UID is inherited from the parent process
● effective UID is inherited from the parent process or from the file being executed
by the process (setUID programs)
■ objects are files
● in Linux, every resource is handled as a file (files, directories, memory,
device-drivers, named pipes, and other system resources)
Does Linux implement a DAC or a MAC model? Why?
Linux implements a discretionary access control (DAC) system
■ while trusted services associate processes with user identities
■ users can control the assignment of access rights to files that they own
What is a SetUID program? Why is it dangerous?
○ effective UID is inherited from the parent process or from the file being executed by the process
(setUID programs)
○ if it has an exploitable buffer overflow or similar vulnerability, then users executing it may be
able to open a shell with root privileges
Does Linux satisfy the necessary conditions for a secure OS?
Give some examples to support your response!
?
What is SELinux? How is it more secure than Linux?
○ Security-Enhanced Linux
■ the NSA’s implementation of mandatory access control for Linux
○ Linux DAC still applies: if the ordinary Linux permissions on a given file block a particular
action, then that action will indeed be blocked
○ however, if Linux permissions allow the action, SELinux will evaluate the action against its own
security policies before allowing it to occur
■ SELinux implements a Mandatory Access Control scheme
● security labels associated to objects and subjects
■ objects include not only files and directories, but also other processes, and various system
resources in both kernel space and userland
■ different object classes have different sets of possible permissions
● e.g., directories have permissions: search, rmdir, getattr, remove_name, reparent
■ heavy use of grouping subjects, permissions, and objects in various ways
■ strict default deny policy: which is not explicitly permitted, is denied
What are the main differences between Linux and Windows in terms of access control?
○ Windows protection system enables the description of a wider variety of policies
■ more types of objects » up to 30 operations per object type
■ even for files, there are more operations, including operations to access file attributes and
synchronize file operations
■ an operation on an object can be granted or denied (negative access rights)
○ extensibility
■ applications may define new object types, and add them to the active directory
(hierarchical name space for all objects known to the system)
■ for new objects, new operations can be defined
