4. Auth-AC - Control Questions Flashcards

1
Q

What do we mean by (user) authentication?

A

user authentication = process of proving a claimed identity

2
Q

What are the 3 approaches to user authentication in computer systems?

A

○ three basic approaches to user authentication
■ passwords and the like (what you know)
■ hardware tokens (what you have)
■ biometrics (what you are)

3
Q

What are the advantages and the disadvantages of passwords?

A

○ advantages
■ simple and intuitive (easy to understand by average users)
■ cheap to implement
○ disadvantages
■ password must be memorized by the user
● users tend to choose guessable passwords
● users tend to use the same password on multiple systems
■ passwords or password hashes must be stored by the verifier
● password files can be stolen and analyzed off-line
● brute force and dictionary attacks are possible
■ password can be obtained on its way from the user to the verifier
● key stroke logging, shoulder surfing
● eavesdropping (encrypted transport between remote parties is essential)
● replay attacks (encryption alone is not enough)
■ passwords are easy to reveal and share
● social engineering attacks are possible

4
Q

What is the model of password based authentication? (figure)

A

figure

5
Q

What do salting and stretching mean and what is their goal in case of password hashing?

A

○ design principles:
■ multiple iterations make exhaustive search slower (stretching)
■ user salt makes pre-computation attacks impractical
■ modified DES prevented the use of off-the-shelf DES hardware
+ figure

6
Q

What are the main weaknesses of Windows’ LM hash?

A

○ two halves can be cracked separately

○ conversion to uppercase reduces the size of the password space

7
Q

What is a dictionary attack in the context of password based authentication?

A

list contains words from a dictionary (and their variations)
■ user-chosen passwords are often meaningful words that can be found in dictionaries
■ password cracking programs using dictionaries are available on the Web

8
Q

Why does salting make a rainbow table based attack too expensive for the attacker?

A

time-memory trade-off:
■ given a fixed pre-computation effort t·m, we can adjust the time (~t²) needed to break a hash by changing the memory requirement (~2m)
■ hash cracking can be faster at the expense of more storage

9
Q

How can we measure the strength of a randomly chosen password?

A

○ the strength of randomly chosen passwords against brute force attack can be calculated with precision:
■ H = L · log₂ N
○ where N is the number of possible symbols and L is the length of the password (in symbols), and the unit of H is a bit
○ H is essentially the entropy of a randomly chosen password

10
Q

What is the model of smart card based authentication? (figure)

A

figure

11
Q

What is the untrusted terminal problem?

A

○ smart cards have no user interface → PIN must be entered through the user terminal
○ a malicious terminal can use the PIN to request a signature from the smart card on any message
○ examples of potentially untrusted terminals:
■ a terminal installed at a public place (e.g., a PC in a hotel or airport lounge, Internet cafe, …)
■ a terminal operated by an untrusted principal (e.g., an ATM or a payment terminal of an unknown merchant in a foreign country)
■ the user’s own PC or smart phone ???

12
Q

What is the basic model of biometric authentication? (figure)

A

figure

13
Q

What properties should a physiological feature have to be usable for biometric authentication?

A

○ universality – every person should have the characteristic
○ uniqueness – no two persons should be the same in terms of the characteristic
○ permanence – the characteristic should be invariant with time
○ collectability – the characteristic can be measured quantitatively
○ circumvention – it should be difficult to fool the system by fraudulent techniques

14
Q

Give a few examples for biometric authentication approaches!

A
○ fingerprint
○ iris
○ retina
○ face
○ ear
○ hand geometry
○ voice
○ thermogram (face)
○ key stroke dynamics (behavioral)
○ dynamics of handwritten signature (behavioral)
15
Q

What is a fingerprint minutia?

A
○ ending: termination of a ridge
○ bifurcation: split of a ridge from a single path to two paths (Y-junction)
○ minutiae are represented by their:
■ type (ending, bifurcation)
■ position
■ direction
16
Q

What types of global fingerprint patterns do exist?

A

○ Arch
○ Loop
○ Whorl

17
Q

What are the fingerprint processing steps?

A

○ image capture
■ obtaining the fingerprint image
○ noise reduction and image enhancement
■ uses the inherent redundancy of parallel ridges
■ ridges oriented in the same direction as those in the same locality are enhanced, and anything oriented differently is decreased
■ this eliminates noise that may join adjacent ridges (flowing perpendicular to the local flow)
○ feature extraction
■ binarization of the image from gray-scale to black and white
■ reducing the widths of the ridges down to a single pixel (thinning)
■ minutia detection

18
Q

How does fingerprint matching work?

A

○ the most common is minutiae based matching
○ coarse alignment of the two fingerprints based on local minutia structures, and consolidation of the local matching results at a global level
○ consists of four steps:
■ 1. compute pairwise similarity between minutiae
● use minutia descriptors that are invariant to rotation and transposition
■ 2. alignment of the two fingerprints according to the most similar minutia pairs
■ 3. establishment of minutia correspondence
● minutiae that are close enough both in location and direction are deemed to be matching
■ 4. computing a global similarity score and making a decision
● if the similarity score is beyond a threshold, then the fingerprints are considered to be matching

19
Q

What do false positives and false negatives mean in biometric authentication?

A

○ false rejection (FR) or Type I error

○ false acceptance (FA) or Type II error

20
Q

What is the basic model of access control? (figure and terminology)

A

model and terminology:
■ subject:
● an active entity that tries to perform some access operation
● typically a process running on behalf of a user or some other principal
■ object:
● a passive entity representing the resource being accessed by the subject
● typical examples: files, channels, programs, memory locations, devices, …
■ access operation:
● defines the nature of access
● typical examples: read, write, append, execute, create, delete, search, …
■ reference monitor:
● guards the resource by enforcing some access control

21
Q

What is the difference between a discretionary and a mandatory access control system?

A

○ discretionary access control (DAC):
■ each resource has an owner (can be an untrusted user)
■ the owner can decide who is allowed to have access to the resource
■ thus, access control is at the discretion of the (potentially untrusted) owner
○ mandatory access control (MAC):
■ resources have no owners, they belong to security classes
■ a system-wide policy determines if a subject from a given security class can access an object in another security class
■ only trusted administrators can modify the policy, and only by using trusted programs

22
Q

What is an ACL and a C-List?

A

○ access control list (ACL)
■ describes which subjects have which types of access to a particular object
■ can be considered as a column of the access matrix
■ instead of individual subjects, access operations are often defined for groups of subjects
■ makes it convenient to manage access rights on a given resource
○ capability list (C-List)
■ defines what access operations a given subject is permitted on different objects
■ can be considered as a row of the access control matrix
■ not widely used
● operating systems tend to be geared towards managing objects (system resources), so the concept of ACLs attached to objects fits better
● revocation of access rights on a given object may be difficult

23
Q

How is a security label defined in MAC systems?

A

○ let H be a set of classifications with linear ordering
■ e.g., unclassified < confidential < secret < top secret
○ let C be a set of categories
■ e.g., project names, company divisions, …
○ let us call a subset of C as a compartment
○ a security label is a (classification, compartment) pair (h, c)
○ security labels are partially ordered

24
Q

What is the Bell-LaPadula model? (objective, enforcement rules)

A

○ subjects and objects have security labels assigned to them
○ the BLP model defines two key properties for information flow secrecy enforcement:
■ simple-security property
■ *-security property
○ intuition:
■ the simple-security property is quite obvious (it prevents unauthorized subjects from reading sensitive data)
■ the *-security property prevents any process from writing secrets to a security class that it dominates; even if the process is a Trojan horse, it cannot leak data to unauthorized subjects

25
Q

What are the components of the Reference Monitor concept? (figure)

A

Authorization module
– core of the reference monitor
– takes interface inputs (e.g., process identity, object references, and high level operation) and converts these to a low-level query for the reference monitor’s policy store

Policy store
– database for storing the access control policy
– takes low-level queries (e.g., {subject label, object label, access operation} triplets) and returns a binary authorization reply

26
Q

What are the necessary conditions for the security of the Reference Monitor approach?

A

○ complete mediation: the system ensures that its access enforcement mechanism mediates all security-sensitive operations
○ tamperproof: the system ensures that its access enforcement mechanism cannot be modified by untrusted processes
○ verifiable: the access enforcement mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured

27
Q

How is the basic access control model mapped to Linux? (subjects, objects, access operations, reference monitor)

A

○ a Linux system consists of an OS kernel and many processes (executing programs)
○ each process (and the kernel) has its own address space
■ defines the memory addresses that the process can access
■ allows for some level of isolation between different processes
○ persistent system resources (e.g., disk storage, I/O devices, network connections) are represented as files
○ access to files is limited by the identity associated with the accessing process and the access rights assigned to the file
■ Linux implements a discretionary access control (DAC) system
● while trusted services associate processes with user identities
● users can control the assignment of access rights to files that they own
○ some processes run with the identity of a privileged user (root)
○ the kernel and the root processes have full system access
○ subjects are processes
■ identified by process IDs (PID)
■ created by exec or fork
■ each process is associated with a real UID/GID and an effective UID/GID
● real UID is inherited from the parent process
● effective UID is inherited from the parent process or from the file being executed by the process (setUID programs)
○ objects are files
■ in Linux, every resource is handled as a file (files, directories, memory, device-drivers, named pipes, and other system resources)

28
Q

Does Linux implement a DAC or a MAC model? Why?

A

Linux implements a discretionary access control (DAC) system
■ while trusted services associate processes with user identities
■ users can control the assignment of access rights to files that they own

29
Q

What is a SetUID program? Why is it dangerous?

A

○ effective UID is inherited from the parent process or from the file being executed by the process (setUID programs)
○ if it has an exploitable buffer overflow or similar vulnerability, then users executing it may be able to open a shell with root privileges

30
Q

Does Linux satisfy the necessary conditions for a secure OS?

Give some examples to support your response!

A

?

31
Q

What is SELinux? How is it more secure than Linux?

A

○ Security-Enhanced Linux
■ the NSA’s implementation of mandatory access control for Linux
○ Linux DAC still applies: if the ordinary Linux permissions on a given file block a particular action, then that action will indeed be blocked
○ however, if Linux permissions allow the action, SELinux will evaluate the action against its own security policies before allowing it to occur
■ SELinux implements a Mandatory Access Control scheme
● security labels associated with objects and subjects
■ objects include not only files and directories, but also other processes, and various system resources in both kernel space and userland
■ different object classes have different sets of possible permissions
● e.g., directories have permissions: search, rmdir, getattr, remove_name, reparent
■ heavy use of grouping subjects, permissions, and objects in various ways
■ strict default deny policy: whatever is not explicitly permitted is denied

32
Q

What are the main differences between Linux and Windows in terms of access control?

A

○ the Windows protection system enables the description of a wider variety of policies
■ more types of objects » up to 30 operations per object type
■ even for files, there are more operations, including operations to access file attributes and synchronize file operations
■ an operation on an object can be granted or denied (negative access rights)
○ extensibility
■ applications may define new object types, and add them to the active directory (hierarchical name space for all objects known to the system)
■ for new objects, new operations can be defined