4. Auth-AC - Control Questions

Question 1

What do we mean by (user) authentication?

Answer 1

user authentication = process of proving a claimed identity

Question 2

What are the 3 approaches to user authentication in computer systems?

Answer 2

○ three basic approaches to user authentication
■ passwords and alike (what you know)
■ hardware tokens (what you have)
■ biometrics (what you are)

Question 3

What are the advantages and the disadvantages of passwords?

Answer 3

○ advantages
■ simple and intuitive (easy to understand by average users)
■ cheap to implement
○ disadvantages
■ password must be memorized by the user
● users tend to choose guessable passwords
● users tend to use the same password on multiple systems
■ passwords or password hashes must be stored by the verifier
● password files can be stolen and analyzed off-line
● brute force and dictionary attacks are possible
■ password can be obtained on its way from the user to the verifier
● key stroke logging, shoulder surfing
● eavesdropping (encrypted transport between remote parties is essential)
● replay attacks (encryption alone is not enough)
■ passwords are easy to reveal and share
● social engineering attacks are possible

Question 4

What is the model of password based authentication? (figure)

Answer 4

ábra

Question 5

What do salting and stretching mean and what is their goal in case of password hashing?

Answer 5

○ design principles:
○ multiple iterations make exhaustive search slower (stretching)
○ user salt makes pre-computation attacks impractical
○ modified DES prevented the use of off-the-shelf DES hardware
+ ábra

Question 6

What are the main weaknesses of Windows’ LM hash?

Answer 6

○ two halves can be cracked separately

○ conversion to uppercase reduces the size of the password space

Question 7

What is a dictionary attack in the context of password based authentication?

Answer 7

list contains words from a dictionary (and their variations)
■ user-chosen passwords are often meaningful words that can be found in dictionaries
■ password cracking programs using dictionaries are available on the Web

Question 8

Why does salting make a rainbow table based attack too expensive for the attacker?

Answer 8

time-memory trade-off:
■ given a fixed pre-computation effort t*m, we can adjust the time (~t 2 ) needed to break a
hash by changing the memory requirement (~2m)
■ hash cracking can be faster at the expense of more storage

Question 9

How can we measure the strength of a randomly chosen password?

Answer 9

○ strength of randomly chosen passwords against brute force attack can be calculated with
precision:
■ H = L * log 2 N
○ where N is the number of possible symbols and L is the length of the password (in symbols), and
the unit of H is a bit
○ H is essentially the entropy of a randomly chosen password

Question 10

What is the model of smart card based authentication? (figure)

Answer 10

ábra

Question 11

What is the untrusted terminal problem?

Answer 11

○ smart cards have no user interface → PIN must be entered through the user terminal
○ a malicious terminal can use the PIN to request a signature from the smart card on any message
examples for potentially untrusted terminals:
■ a terminal installed at a public place (e.g., a PC in a hotel or airport lounge, Internet cafe,
…)
■ a terminal operated by an untrusted principal (e.g., an ATM or a payment terminal of an
unknown merchant in a foreign country)
■ the user’s own PC or smart phone ???

Question 12

What is the basic model of biometric authentication? (figure)

Answer 12

ábra

Question 13

What properties should a physiological feature have to be usable for biometric authentication?

Answer 13

○ universality – every person should have the characteristic
○ uniqueness – no two persons should be the same in terms of the characteristic
○ permanence – the characteristic should be invariant with time
○ collectability – the characteristic can be measured quantitatively
○ circumvention – it should be difficult to fool the system by fraudulent techniques

Question 14

Give a few examples for biometric authentication approaches!

Answer 14

○ fingerprint
○ iris
○ retina
○ face
○ ear
○ hand
○ geometry
○ voice
○ thermogram (face)
○ key stroke dynamics (behavioral)
○ dynamics of handwritten signature (behavioral)

Question 15

What is a fingerprint minutia?

Answer 15

○ ending: termination of a ridge
○ bifurcation: split of a ridge from a single path to two paths (Y-junction)
○ minutiae are represented by their:
■ type (ending, bifurcation)
■ position
■ direction

Question 16

What types of global fingerprint patterns do exist?

Answer 16

○ Arch
○ Loop
○ Whorl

Question 17

What are the fingerprint processing steps?

Answer 17

○ image capture
■ obtaining the fingerprint image
○ noise reduction and image enhancement
■ uses inherent redundancy of parallel ridges
■ ridges oriented in the same direction as those in the same locality are enhanced, and
anything oriented differently are decreased
■ this eliminates noise that may join adjacent ridges (flowing perpendicular to the local
flow)
○ feature extraction
■ binarization of the image from gray-scale to black and white
■ reducing the widths of the ridges down to a single pixel (thinning)
■ minutia detection

Question 18

How does fingerprint matching work?

Answer 18

○ the most common is minutiae based matching –
○ coarse alignment of the two fingerprints based on local minutia structures, and consolidation of
the local matching results at a global level
○ consists of four steps:
■ 1. compute pairwise similarity between minutiae
● use minutia descriptors that are invariant to rotation and transposition
■ 2. alignment of the two fingerprints according to the most similar minutia pairs
■ 3. establishment of minutia correspondence
● minutiae that are close enough both in location and direction are deemed to be
matching
■ 4. computing a global similarity score and making a decision
● if the similarity score is beyond a threshold, then the fingerprints are considered to
be matching

Question 19

What do false positives and a false negatives mean in biometric authentication?

Answer 19

○ false rejection (FR) or Type I error

○ false acceptance (FA) or Type II error

Question 20

What is the basic model of access control? (figure and terminology)

Answer 20

model and terminology:
■ subject:
● an active entity that tries to
perform some access
operation
● typically a process running
on behalf of a user or some other principal
■ object:
● a passive entity representing the resource being accessed by the subject
● typical examples: files, channels, programs, memory locations, devices, …
■ access operation:
● defines the nature of access
● typical examples: read, write, append, execute, create, delete, search, …
■ reference monitor:
● guards the resource by enforcing some access control

Question 21

What is the difference between a discretionary and a mandatory access control system?

Answer 21

○ discretional access control (DAC):
■ each resource has an owner (can be an untrusted user)
■ owner can decide who is allowed to have access to the resource
■ thus, access control is at the discretion of the (potentially untrusted) owner
○ mandatory access control (MAC):
■ resources have no owners, they belong to security classes
■ a system-wide policy determines if a subject from a given security class can access an
object in another security class
■ only trusted administrators can modify the policy, and only by using trusted programs

Question 22

What is an ACL and a C-List?

Answer 22

○ access control list (ACL)
■ describes which subjects have which types of access to a particular object
■ can be considered as a column of the access matrix
■ instead of individual subjects, access operations are often defined for groups of subjects
■ makes it convenient to manage access rights on a given resource
○ capability list (C-List)
■ defines what access operations a given subject is permitted on different objects
■ can be considered as a row of the access control matrix
■ not widely used
● operating systems tend to be geared towards managing objects (system resources),
so the concept of ACLs attached to objects fits better
● revocation of access rights on a given object may be difficult

Question 23

How is a security label defined in MAC systems?

Answer 23

○ let H be a set of classifications with linear ordering
■ e.g., unclassified < confidential < secret < top secret
○ let C be a set of categories
■ e.g., project names, company divisions, …
○ let us call a subset of C as a compartment
○ a security label is a (classification, compartment) pair (h, c)
○ security labels are partially ordered

Question 24

What is the Bell-LaPadula model? (objective, enforcement rules)

Answer 24

○ subjects and objects have security labels assigned to them
○ the BLP model defines two key properties for information flow secrecy enforcement:
■ simple-security property
■ security property
○ intuition:
■ the simple-security property is quite obvious (it prevents unauthorized subjects from
reading sensitive data)
■ the *-security property prevents any process from writing secrets to a security class that
they dominate even if the process is a Trojan horse, it cannot leak data to unauthorized
subjects

Question 25

What are the components of the Reference Monitor concept? (figure)

Answer 25

Authorization module
- core of the reference monitor
– takes interface inputs (e.g., process identity, object references, and high
level operation) and converts these to a low-level query for the
reference monitor’s policy store

Policy store
– database for storing the access control policy
– takes low-level queries (e.g., {subject label, object label, access
operation} triplets) and returns a binary authorization reply

Question 26

What are the necessary conditions for the security of the Reference Monitor approach?

Answer 26

○ complete mediation: the system ensures that its access enforcement mechanism mediates all
security-sensitive operations
○ tamperproof: the system ensures that its access enforcement mechanism cannot be modified by
untrusted processes
○ verifiable: the access enforcement mechanism must be small enough to be subject to analysis and
tests, the completeness of which can be assured

Question 27

How the basic access control model is mapped to Linux? (subjects, objects, access operations,
reference monitor)

Answer 27

○ a Linux system consists of an OS kernel and many processes (executing programs)
○ each process (and the kernel) has its own address space
■ defines the memory addresses that the process can access
■ allows for some level of isolation between different processes
○ persistent system resources (e.g., disk storage, I/O devices, network connections) are represented
as files
○ access to files is limited by the identity associated with the accessing process and the access rights
assigned to the file
■ Linux implements a discretionary access control (DAC) system
● while trusted services associate processes with user identities
● users can control the assignment of access rights to files that they own
○ some processes run with the identity of a privileged user (root)
○ the kernel and the root processes have full system access
○ subjects are processes
● identified by process IDs (PID)
● created by exec or fork
■ each process is associated with a real UID/GID and an effective UID/GID
● real UID is inherited from the parent process
● effective UID is inherited from the parent process or from the file being executed
by the process (setUID programs)
■ objects are files
● in Linux, every resource is handled as a file (files, directories, memory,
device-drivers, named pipes, and other system resources)

Question 28

Does Linux implement a DAC or a MAC model? Why?

Answer 28

Linux implements a discretionary access control (DAC) system
■ while trusted services associate processes with user identities
■ users can control the assignment of access rights to files that they own

Question 29

What is a SetUID program? Why is it dangerous?

Answer 29

○ effective UID is inherited from the parent process or from the file being executed by the process
(setUID programs)
○ if it has an exploitable buffer overflow or similar vulnerability, then users executing it may be
able to open a shell with root privileges

Question 30

Does Linux satisfy the necessary conditions for a secure OS?

Give some examples to support your response!

Answer 30

?

Question 31

What is SELinux? How is it more secure than Linux?

Answer 31

○ Security-Enhanced Linux
■ the NSA’s implementation of mandatory access control for Linux
○ Linux DAC still applies: if the ordinary Linux permissions on a given file block a particular
action, then that action will indeed be blocked
○ however, if Linux permissions allow the action, SELinux will evaluate the action against its own
security policies before allowing it to occur
■ SELinux implements a Mandatory Access Control scheme
● security labels associated to objects and subjects
■ objects include not only files and directories, but also other processes, and various system
resources in both kernel space and userland
■ different object classes have different sets of possible permissions
● e.g., directories have permissions: search, rmdir, getattr, remove_name, reparent
■ heavy use of grouping subjects, permissions, and objects in various ways
■ strict default deny policy: which is not explicitly permitted, is denied

Question 32

What are the main differences between Linux and Windows in terms of access control?

Answer 32

○ Windows protection system enables the description of a wider variety of policies
■ more types of objects » up to 30 operations per object type
■ even for files, there are more operations, including operations to access file attributes and
synchronize file operations
■ an operation on an object can be granted or denied (negative access rights)
○ extensibility
■ applications may define new object types, and add them to the active directory
(hierarchical name space for all objects known to the system)
■ for new objects, new operations can be defined