Access Control Flashcards
Authentication
Are you actually who you say you are? This is typically done with passwords, but we have several factors that can (and should) be used for more secure authentication.
Authorization
Are you allowed to do what you are trying to do? Simply, authorization is the process of enforcing policies (i.e., determining what sorts of computing resources a user is allowed to use).
Accounting
What happened and when? Here we measure what resources a user used, how much data was sent, what time it was sent, and more. All of this is done through the logging of data.
AAA Framework
• Identification
—This is who you claim to be
—Usually your username
• Authentication
—Prove you are who you say you are
—Password and other authentication factors
• Authorization
—Based on your identification and authentication, what access do you have?
• Accounting
—Resources used: Login time, data sent and received, logout time
Multi-factor authentication
• More than one factor
—Something you are
—Something you have
—Something you know
—Somewhere you are
—Something you do
• Can be expensive
—Separate hardware tokens
—Specialized scanning equipment
• Can be inexpensive
—Free smartphone applications
Something you are
• Biometric authentication
—Fingerprint, iris scan, voiceprint
• Usually stores a mathematical representation of your biometric
—Your actual fingerprint isn't usually saved
• Difficult to change
—You can change your password
—You can't change your fingerprint
• Used in very specific situations
—Not foolproof
Something you have
• Smart card
—Integrates with devices
—May require a PIN
• USB token
—Certificate is on the USB device
• Hardware or software tokens
—Generate pseudo-random authentication codes
• Your phone
—SMS a code to your phone
—Weakest of these: SMS codes can be intercepted or redirected (e.g., SIM swap)
Something you know
• Password
—Secret word/phrase, string of characters
—Very common authentication factor
• PIN
—Personal identification number
—Not typically contained anywhere on a smart card or ATM card
• Pattern
—Complete a series of patterns
—Only you know the right format
Somewhere you are
• Provide a factor based on your location
—The transaction only completes
if you are in a particular geography
• IP address
—Not perfect, but can help provide more info
—Works with IPv4, not so much with IPv6
• Mobile device location services
—Geolocation to a very specific area
—Must be in a location that can receive GPS information
or near an identified mobile or 802.11 network
—Still not a perfect identifier of location
Something you do
• A personal way of doing things
—You're special
• Handwriting analysis
—Signature comparison
—Writing technique
• Typing technique
—Delays between keystrokes
• Very similar to biometrics
—Close to something you are
Federation
• Provide network access to others
—Not just employees
—Partners, suppliers, customers, etc.
• Third parties can establish a federated network
—Authenticate and authorize between the two organizations
—Login with your Facebook credentials
• The third parties must establish a trust relationship
—And the degree of the trust
Single sign-on (SSO)
• Authenticate one time
—Gain access to everything!
—A single compromised credential or session token also unlocks everything, so protect the SSO login with MFA
• Saves time
—A seamless process
—End user doesn't see any of the complexities under the surface
• Many different methods
—Kerberos authentication and authorization
—Third-party options
Transitive trust
•Trust relationships need to be established early
—Difficult to change once in place
• One-way trust
—Domain B trusts Domain A, Domain A doesn’t trust Domain B
• Two-way trust
—Both domains are peers, both trust each other equally
• Non-transitive trust
—A trust is specifically created and applies only to that domain
• Transitive trust
—Domain A trusts Domain B, Domain B trusts Domain C,
therefore Domain A trusts Domain C
Access control
There are many different ways to assign user rights and permissions to files, folders, and other objects.
• Authorization
—The process of ensuring only authorized rights are exercised (policy enforcement)
—The process of determining rights (policy definition)
• Users receive rights based on access control models
—Different business needs or mission requirements
Mandatory Access Control (MAC)
• The operating system limits the operation on an object
—Based on security clearance levels
• Every object gets a label
—Confidential, secret, top secret, etc.
• Labeling of objects uses predefined rules
—The administrator decides who gets access to what security level
—Users cannot change these settings
Discretionary Access Control (DAC)
• Used in most operating systems
—A familiar access control model
• You create a spreadsheet
—As the owner, you control who has access
—You can modify access at any time
• Very flexible access control
—And very weak security
Role-based access control (RBAC)
•You have a role in your organization
—Manager, director, team lead, project manager
• Administrators provide access
based on the role of the user
—Rights are gained implicitly instead of explicitly
• In Windows, use Groups to
provide role-based access control
—You are in shipping and receiving,
so you can use the shipping software
—You are the manager, so you can review shipping logs
Attribute-based access control (ABAC)
• Users can have complex relationships to applications and data
—Access may be based on many different criteria
• ABAC can consider many parameters
—A "next generation" authorization model
—Aware of context
• Combine and evaluate multiple parameters
—Resource information, IP address, time of day, desired action, relationship to the data, etc.
Rule-based access control
• Generic term for following rules
—Conditions other than who you are
• Access is determined through system-enforced rules
—System administrators, not users
• The rule is associated with the object
—System checks the ACLs for that object
• Rule examples
—Lab network access is only available between 9 AM and 5 PM
—Only Chrome browsers may complete this web form
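The ABAC and rule-based cards above both describe the same mechanism: a decision that combines attributes of the subject, the action, the object and the environment, with the rules attached to the object and set by administrators. The following is an added example (not code from the original page) of a small deny-by-default policy evaluator that encodes the two example rules from the card (office hours on the lab network, Chrome-only web form) plus a role and a source-network check. The resource names, rule helpers, the `Request` attributes and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Tuple

# Attributes of one access request: subject, action, object and environment.
@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    action: str
    resource: str
    source_ip: str
    user_agent: str
    local_time: time

# A rule is a named predicate over the whole request, so any attribute can be used.
Rule = Tuple[str, Callable[[Request], bool]]

def role_in(*roles: str) -> Rule:
    return ("role in %s" % sorted(roles), lambda r: bool(r.roles & set(roles)))

def action_in(*actions: str) -> Rule:
    return ("action in %s" % sorted(actions), lambda r: r.action in actions)

def between(start: time, end: time) -> Rule:
    return ("time in %s-%s" % (start, end), lambda r: start <= r.local_time <= end)

def source_in(cidr: str) -> Rule:
    net = ip_network(cidr)
    return ("source in %s" % cidr, lambda r: ip_address(r.source_ip) in net)

def browser_is(product: str) -> Rule:
    # The User-Agent is chosen by the client, so this is a usability rule, not a security boundary.
    return ("browser is %s" % product, lambda r: product in r.user_agent)

# Policy lives with the object: every rule listed for a resource must hold.
# (Hypothetical resource names and rules; the two rule examples come from the card.)
POLICY: Dict[str, List[Rule]] = {
    "lab-network": [role_in("lab-user", "admin"), action_in("connect"),
                    between(time(9, 0), time(17, 0))],
    "intake-form": [action_in("submit"), browser_is("Chrome"), source_in("10.20.0.0/16")],
}

def evaluate(req: Request, policy: Dict[str, List[Rule]] = POLICY) -> Tuple[bool, List[str]]:
    """Deny by default. Returns (allowed, names of the rules that failed)."""
    rules = policy.get(req.resource)
    if rules is None:
        return False, ["no policy for resource %r" % req.resource]
    failed = [name for name, check in rules if not check(req)]
    return (not failed), failed

# Constructed sample requests.
ALICE_0930 = Request("alice", frozenset({"lab-user"}), "connect", "lab-network",
                     "10.20.1.5", "curl/8.0", time(9, 30))
ALICE_1830 = Request("alice", frozenset({"lab-user"}), "connect", "lab-network",
                     "10.20.1.5", "curl/8.0", time(18, 30))
BOB_CHROME = Request("bob", frozenset(), "submit", "intake-form", "10.20.7.9",
                     "Mozilla/5.0 (X11) AppleWebKit/537.36 Chrome/120.0 Safari/537.36", time(11, 0))
BOB_FIREFOX = Request("bob", frozenset(), "submit", "intake-form", "10.20.7.9",
                      "Mozilla/5.0 (X11) Gecko/20100101 Firefox/121.0", time(11, 0))

if __name__ == "__main__":
    for req in (ALICE_0930, ALICE_1830, BOB_CHROME, BOB_FIREFOX):
        allowed, failed = evaluate(req)
        print(req.subject, req.resource, "ALLOW" if allowed else "DENY", failed)
```

Note that the evaluator reports which rule denied the request; that detail belongs in the accounting log, not in the error shown to the user, who should only see that access was denied.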
File system security
• Store files and access them
—Hard drive, SSDs, flash drives, DVDs
—Part of most operating systems
• Accessing information
—Access control list
—Group/user rights and permissions
—Can be centrally administered and/or users can manage files they own
• Encryption can be built-in
—The file system handles encryption and decryption
Database security
• Databases have their own access control
—Username, password, permissions
• Encryption may be an option
— Most databases support data encryption
• Data integrity is usually an option
—No data is lost because of a fault
—Part of the database server operation
• Applications can provide a secure front-end
—Prevent SQL injections and
inappropriate access to data
Proximity cards
• Close-range card
—Contactless smart card
• Passive device
—No power in the card
—Powered from the reader
• Not a large data storage device
—Often used as an identifier
—Keycard door access, library cards, payment systems
—The identifier is linked to data stored elsewhere
Smart Cards
• Integrated circuit card
—Contact or contactless
• Common on credit cards
—Also used for access control
• Must have physical card
—To provide digital access
—A digital certificate
• Multiple factors
—Use the card with a PIN or fingerprint
Biometric factors
• Fingerprint scanner
—Phones, laptops, door access
• Retinal scanner
—Unique capillary structure in the back of the eye
• Iris scanner
—Texture, color
• Voice recognition
—Talk for access
• Facial recognition
—Shape of the face and features
Biometric acceptance rates
• False acceptance rate (FAR)
—Likelihood that an unauthorized user will be accepted
—This would be bad
• False rejection rate (FRR)
—Likelihood that an authorized user will be rejected
—No, it's really me
—Let's try again
• Crossover error rate (CER)
—The rate at which FAR and FRR are equal
—Adjust sensitivity to equalize both values
—Used to quantitatively compare biometric systems
Token generators
• Pseudo-random token generators
—A useful authentication factor
• Carry around a physical hardware token generator
—Where are my keys again?
• Use a software-based token generator on your phone
—Powerful and convenient
HOTP
• One-time passwords
—Use them once, and never again
—Once a session, once each authentication attempt
• HMAC-based One-Time Password algorithm
—Keyed-hash message authentication code (HMAC)
—The code is derived from an HMAC of a counter value under a shared secret key
—The counter increments with each use, so the server never accepts a code twice
• Token-based authentication
—The HMAC, and therefore the code, is different every time
• Hardware and software tokens available
—You'll need additional technology to make this work
TOTP
• Time-based One-Time Password algorithm
—Use a secret key and the time of day
—No incremental counter
• Secret key is configured ahead of time
—Clocks on the server and the token must be synchronized (e.g., via NTP)
• The time step is usually 30 seconds
—A code is valid for one step, plus whatever drift the server tolerates
—Put in your username, password, and TOTP code
• One of the more common OTP methods
—Used by Google, Facebook, Microsoft, etc.
Certificate-based authentication
• Smart card
—Private key is on the card
• PIV (Personal Identity Verification) card
—US Federal Government smart card
—Picture and identification information
• CAC (Common Access Card)
—US Department of Defense smart card
—Picture and identification
• IEEE 802.1X
—Gain access to the network using a certificate
—On device storage or separate physical device