lecture 15 access control processes
DESCRIPTION
Lecture 15 Access Control Processes. What is Access Control?. Access Control Access control is the policy-driven limitation of access to systems, data, and dialogs Prevent attackers from gaining access, stopping them if they do. What is Access Control?. First Steps Enumeration of Resources - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/1.jpg)
Lecture 15
Access Control Processes
![Page 2: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/2.jpg)
2
What is Access Control?
Access Control
Access control is the policy-driven limitation of access to systems, data, and dialogs
Prevent attackers from gaining access, stopping them if they do
![Page 3: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/3.jpg)
3
What is Access Control?
First Steps
Enumeration of Resources
Sensitivity of Each Resource
Next, who Should Have Access?
Can be made individual by individual
More efficient to define by roles (logged-in users, system administrators, project team members, etc.)
![Page 4: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/4.jpg)
4
Access Control
What Access Permissions (Authorizations) Should They Have?
Access permissions (authorizations) define whether a role or individual should have any access at all
If so, exactly what the role or individual should be allowed to do to the resource.
Usually given as a list of permissions for users to be able to do things (read, change, execute program, etc.) for each resource
![Page 5: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/5.jpg)
5
Access Control
How Should Access Control Be Implemented?
For each resource, need an access protection plan for how to implement protection in keeping with the selected control policy
For a file on a server, for instance, limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.
…
![Page 6: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/6.jpg)
6
Access Control
Policy-Based Access Control and Protection
Have a specific access control policy and an access protection policy for each resource
Focuses attention on each resource
Guides the selection and configuration of firewalls and other protections
Guides the periodic auditing and testing of protection plans
![Page 7: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/7.jpg)
Password-Based Access Control
![Page 8: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/8.jpg)
8
Server Password Cracking
Reusable Passwords A password you use repeatedly to get access to
a resource on multiple occasions
Bad because attacker will have time to learn it; then can use it
Difficulty of Cracking Passwords by Guessing Remotely Usually cut off after a few attempts
However, if can steal the password file, can crack passwords at leisure
![Page 9: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/9.jpg)
9
Server Password Cracking
Hacking Root
Super accounts (can take any action in any directory)
Hacking root in UNIX
Super accounts in Windows (administrator) and NetWare (supervisor)
Hacking root is rare; usually can only hack an ordinary user account
May be able to elevate the privileges of the user account to take root action
![Page 10: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/10.jpg)
10
Server Password Cracking
Physical Access Password Cracking
l0phtcrack
Lower-case L, zero, phtcrack
Password cracking program
Run on a server (need physical access)
Or copy password file and run l0phtcrack on another machine.
![Page 11: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/11.jpg)
11
Server Password Cracking
Physical Access Password Cracking Brute-force password guessing
Try all possible character combinations
Longer passwords take longer to crack
Using more characters also takes longer Alphabetic, no case (26 possibilities) Alphabetic, case (52) Alphanumeric (letters and numbers) (62) All keyboard characters (~80)
![Page 12: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/12.jpg)
12
Password Length
PasswordLength In
Characters
1
2 (N2)
4 (N4)
6
8
10
Alphanumeric:Letters &
Digits (N=62)
62
3,844
14,776,336
56,800,235,584
2.1834E+14
8.39299E+17
All KeyboardCharacters
(N=~80)
80
6,400
40,960,000
2.62144E+11
1.67772E+15
1.07374E+19
Alphabetic,Case
(N=52)
52
2,704
7,311,616
19,770,609,664
5.34597E+13
1.44555E+17
Alphabetic,No
Case (N=26)
26
676
456,976
308,915,776
2.08827E+11
1.41167E+14
![Page 13: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/13.jpg)
13
Server Password Cracking
Physical Access Password Cracking Brute Force Attacks
Try all possible character combinations Slow with long passwords length
Dictionary attacks Try common words (“password”, “ouch,” etc.) There are only a few thousand of these Cracked very rapidly
Hybrid attacks Common word with single digit at end, etc.
![Page 14: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/14.jpg)
14
Server Password Cracking
Password Policies
Good passwords
At least 6 characters long
Change of case not at beginning
Digit (0 through 9) not at end
Other keyboard character not at end
Example: triV6#ial
![Page 15: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/15.jpg)
15
Server Password Cracking
Password Policies
Testing and enforcing password policies
Run password cracking program against own servers
Caution: requires approval! SysAdmins have been fired for doing this without permission—and should be
Password duration policies: How often passwords must be changed
![Page 16: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/16.jpg)
16
Server Password Cracking
Password Policies
Password sharing policies: Generally, forbid shared passwords
Removes ability to learn who took actions; loses accountability
Usually is not changed often or at all because of need to inform all sharers
![Page 17: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/17.jpg)
17
Server Password Cracking
Password Policies
Disabling passwords that are no longer valid
As soon as an employee leaves the firm, etc.
As soon as contractors, consultants leave
In many firms, a large percentage of all accounts are for people no longer with the firm
![Page 18: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/18.jpg)
18
Server Password Cracking
Password Policies
Lost passwords
Password resets: Help desk gives new password for the account
Opportunities for social engineering attacks
Leave changed password on answering machine
Biometrics: voice print identification for requestor (but considerable false rejection rate)
![Page 19: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/19.jpg)
19
Server Password Cracking
Password Policies
Lost passwords Automated password resets
Employee goes to website
Must answer a question, such as “In what city were you born?”
Problem of easily-guessed questions that can be answered with research
![Page 20: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/20.jpg)
20
UNIX/etc/passwd File Entries
Plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh
plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/cshPassword Group ID Home Directory
User Name User ID GCOS Shell
Without Shadow Password File
With Shadow Password File
The x indicates that the password is storedin a separate shadow password file
![Page 21: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/21.jpg)
21
UNIX/etc/passwd File Entries
Unix passwd File
Contains the username, password, and other information is semi-standard form
In the /etc directory that is accessible to anyone
Anyone can steal the passwd file and crack the passwords
Unix Shadow File
Newer versions of Unix store passwords in a protected shadow file
In the passwd file, there is an x in the password position
![Page 22: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/22.jpg)
22
Server Password Cracking
Password Policies
Encrypted (hashed) password files Passwords not stored in readable form
Encrypted with DES or hashed with MD5
In UNIX, etc/passwd puts x in place of password
Encrypted or hashed passwords are stored in a different (shadow) file to which only high-level accounts have access
![Page 23: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/23.jpg)
23
Password Hashing (or Encryption)
Client PCUser Lee
Server
1.User = Lee
Password = My4Bad
2.Hash
My4Bad=
11110000
3.Hashes Match
Hashed Password FileBrown 11001100Lee 11110000Chun 00110011Hatori 11100010
4. Hashes Match,
So User isAuthenticated
![Page 24: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/24.jpg)
24
Server Password Cracking
Password Policies
Windows passwords
Obsolete LAN manager passwords (7 characters maximum) should not be used
Windows NTLM passwords are better
Option (not default) to enforce strong passwords
![Page 25: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/25.jpg)
25
Server Password Cracking
Shoulder Surfing Watch someone as they type their password
Keystroke Capture Software
Professional versions of windows protect RAM during password typing
Consumer versions do not
Trojan horse throws up a login screen later, reports its finding to attackers
![Page 26: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/26.jpg)
26
Server Password Cracking
Windows Client PC Software Consumer version login screen is not for security
Windows professional and server versions provide good security with the login password
BIOS passwords allow boot-up security Can be disabled by removing the PC’s battery But during a battery removal, the attacker will
be very visible
Screen savers with passwords allow away-from-desk security after boot-up
![Page 27: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/27.jpg)
Physical Building Security
![Page 28: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/28.jpg)
28
Building Security
Building Security Basics
Single point of (normal) entry to building
Fire doors, etc.: use closed-circuit television (CCTV) and alarms to monitor them
Security centers Monitors for closed-circuit TV (CCTV) Videotapes that must be retained (Don’t
reuse too much or the quality will be bad) Alarms
![Page 29: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/29.jpg)
29
Building Security
Building Security Basics
Interior doors to control access between parts of the building Piggybacking: holding the door open so that
someone can enter without identification defeats this protection
Enforcing policies: You get what you enforce
Training security personnel
Training all employees
![Page 30: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/30.jpg)
30
Building Security
Building Security Basics
Phone stickers with security center phone number
Thwarting piggybacking by employee education and sanctions for allowing it
Dumpster diving by keeping Dumpsters in locked, lighted area
Drive shredding programs for discarded disk drives that do more than reformat drives
![Page 31: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/31.jpg)
31
Physical building Cabling
1. Equipment Room (Usually in Basement)
2. ToWAN
3. EntranceFacility withTerminationEquipment
5. CoreSwitch
(Chassis)
6. VerticalRiserSpace4. Router
![Page 32: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/32.jpg)
32
Physical building Cabling
3. TelecommunicationsCloset on Floor
2. Optical FiberOne Pair per Floor
4. Workgroup Switch
5. Horizontal Distribution
1. VerticalDistribution
![Page 33: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/33.jpg)
33
WorkgroupSwitch inTelecoms
Closet
Physical building Cabling
1. Horizontal DistributionOne 4-Pair UTP Cord
Horizontal and Final Distribution
![Page 34: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/34.jpg)
34
Building Security
Data Wiring Security
Telecommunications closets should be locked
Wiring conduits should be hard to cut into
Servers rooms should have strong access security
![Page 35: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/35.jpg)
Access Cards and Tokens
![Page 36: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/36.jpg)
36
Access Cards
Magnetic Stripe Cards
Smart Cards
Have a microprocessor and RAM
More sophisticated than mag stripe cards
Release only selected information to different access devices
![Page 37: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/37.jpg)
37
Access Cards
Tokens Small device with constantly-changing password
Or device that can plug into USB port or another port
Proximity Tokens Use short-range radio transmission
Can be detected and tested without physical contact
Allows easier access; used in Tokyo subways
![Page 38: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/38.jpg)
38
Access Cards
Card Cancellation
Requires a central system
PINs
Personal Identification Numbers
Short: about 4 digits
Can be short because attempts are manual (10,000 combinations to try with 4 digits)
![Page 39: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/39.jpg)
39
Access Cards
PINs
Should not allow obvious combinations (1111, 1234) or important dates
Provide two-factor authentication E.g., PIN and card Don’t allow writing PIN on card
![Page 40: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/40.jpg)
Biometric Authentication
![Page 41: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/41.jpg)
41
Biometric Authentication
Biometric Authentication
Authentication based on body measurements and motions
Because you always bring your body with you
Biometric Systems
Enrollment
Later access attempts Acceptance or rejection
![Page 42: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/42.jpg)
42
Biometric Authentication System
1. Initial Enrollment
2. Subsequent Access
User LeeScanning
ApplicantScanning
Template DatabaseBrown 10010010Lee 01101001Chun 00111011Hirota 1101110… …
3. Match IndexDecision Criterion(Close Enough?)
Processing(Key Feature Extraction)
A=01, B=101, C=001
User LeeTemplate
(01101001)
UserAccess Data(01111001)
Processing(Key Feature Extraction)
A=01, B=111, C=001
![Page 43: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/43.jpg)
43
Biometric Authentication
Verification Versus Identification
Verification: Are applicants who they claim to be? (compare with single template)
Identification: Who is the applicant? (compare with all templates) More difficult than verification because must compare
to many templates
Watch list: is this person a member of a specific group (e.g., known terrorists) Intermediate in difficulty
![Page 44: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/44.jpg)
44
Biometric Authentication
Verification Versus Identification
Verification is good for replacing passwords in logins
Identification is good for door access and other situations where entering a name would be difficult
![Page 45: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/45.jpg)
45
Biometric Authentication
Precision
False acceptance rates (FARs): Percentage of unauthorized people allowed in
Person falsely accepted as member of a group
Person allowed through a door who should be allowed through it
Very bad for security
FAR
![Page 46: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/46.jpg)
46
Biometric Authentication
Precision
False rejection rates (FRRs): Percentage of authorized people not recognized as being members of the group
Valid person denied door access or server login because not recognized
Can be reduced by allowing multiple access attempts
High FRRs will harm user acceptance because users are angered by being falsely forbidden
FRR
![Page 47: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/47.jpg)
47
Biometric Authentication
Precision
Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances
For instance, having only small numbers of users in the database
For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world
![Page 48: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/48.jpg)
48
Biometric Authentication
User Acceptance is Crucial Strong user resistance can kill a system
Fingerprint recognition may have a criminal connotation
Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully.
These require a disciplined group
![Page 49: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/49.jpg)
49
Biometric Authentication
Biometric Methods
Fingerprint recognition
Dominates the biometric market today
Based on a finger’s distinctive pattern of whorls, arches, and loops
Simple, inexpensive, well-proven
Weak security: can be defeated fairly easily with copies
Useful in modest-security areas
![Page 50: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/50.jpg)
50
Biometric Authentication
Biometric Methods
Iris recognition
Pattern in colored part of eye
Very low FARs
High FRR if eye is not lined up correctly can harm acceptance
Reader is a camera—does not send light into the eye!
![Page 51: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/51.jpg)
51
Biometric Authentication
Biometric Methods
Face recognition Can be put in public places for
surreptitious identification (identification without citizen or employee knowledge). More later.
Hand geometry: shape of hand
Voice recognition High error rates Easy to fool with recordings
![Page 52: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/52.jpg)
52
Biometric Authentication
Biometric Methods
Keystroke recognition Rhythm of typing Normally restricted to passwords Ongoing during session could allow
continuous authentication
Signature recognition Pattern and writing dynamics
![Page 53: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/53.jpg)
53
Biometric Authentication
Biometric Standards
Almost no standardization
Worst for user data (fingerprint feature databases)
Get locked into single vendors
![Page 54: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/54.jpg)
54
Biometric Authentication
Can Biometrics be Fooled?
Airport face recognition
Identification of people passing in front of a camera
False rejection rate: rate of not identifying person as being in the database
Fail to recognize a criminal, terrorist, etc.
FRRs are bad
![Page 55: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/55.jpg)
55
Biometric Authentication
Can Biometrics be Fooled?
Airport face recognition
4-week trial of face recognition at Palm Beach International Airport
Only 250 volunteers in the user database (unrealistically small)
Volunteers were scanned 958 times during the trial
Only recognized 455 times! (47%)
53% FRR
![Page 56: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/56.jpg)
56
Biometric Authentication
Can Biometrics be Fooled?
Airport face recognition
Recognition rate fell if wore glasses (especially tinted), looked away
Would be worse with larger database
Would be worse if photographs were not good
![Page 57: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/57.jpg)
57
Biometric Authentication
Can Biometrics be Fooled?
DOD Tests indicate poor acceptance rates when subjects were not attempting to evade
270-person test
Face recognition recognized person only 51 percent of time
Even iris recognition only recognized the person 94 percent of the time!
![Page 58: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/58.jpg)
58
Biometrics Authentication
Can Biometrics be Fooled?
Other research has shown that evasion is often successful for some methods
German c’t magazine fooled most face and fingerprint recognition systems
Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass
![Page 59: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/59.jpg)
802.11 Wireless LAN Security
![Page 60: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/60.jpg)
60
802.11 Wireless LAN (WLAN) Security
802.11 Wireless LAN Family of Standards
Basic Operation (Figure 2-12 on next slide)
Main wired network for servers (usually 802.3 Ethernet)
Wireless stations with wireless NICs
Access points
Access points are bridges that link 802.11 LANs to 802.3 Ethernet LANs
![Page 61: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/61.jpg)
61
802.11 FrameContaining Packet
802.11 Wireless LAN
NotebookWith PC CardWireless NIC
EthernetSwitch
AccessPoint
Server
802.3 FrameContaining Packet
(2)
(3)
Client PC
(1)
![Page 62: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/62.jpg)
62
802.11 Wireless LAN
NotebookWith PC CardWireless NIC
EthernetSwitch
AccessPoint
Server
802.11 FrameContaining Packet
802.3 FrameContaining Packet
(2)
(1)
Client PC
(3)
![Page 63: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/63.jpg)
63
802.11 Wireless LAN (WLAN) Security
Basic Operation
Propagation distance: farther for attackers than users
Attackers can have powerful antennas and amplifiers
Attackers can benefit even if they can only read some messages
Don’t be lulled into complacency by internal experiences with useable distances
![Page 64: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/64.jpg)
64
802.11 Wireless LAN Standards
StandardRated Speed
(a)UnlicensedRadio Band
EffectiveDistance (b)
802.11b 11 Mbps 2.4 GHz ~30-50 meters
802.11a 54 Mbps 5 GHz ~10-30 meters
802.11g 54 Mbps 2.4 GHz ?
Notes: (a) Actual speeds are much lower and decline with distance. (b) These are distances for good communication; attackers can read some signals and send attack frames from longer distances.
![Page 65: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/65.jpg)
65
802.11 Wireless LAN (WLAN) Security
Apparent 802.11 Security
Spread spectrum transmission does not provide security
Signal is spread over a broad range of frequencies
Methods used by military are hard to detect
802.11 spread spectrum methods are easy to detect so devices can find each other
Used in 802.11 to prevent frequency-dependent propagation problems rather than for security
![Page 66: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/66.jpg)
66
802.11 Wireless LAN (WLAN) Security
Apparent 802.11 Security SSIDs
Mobile devices must know the access point’s service set identifier (SSID) to talk to the access point
Usually broadcast frequently by the access point for ease of discovery, so offers no security.
Sent in the clear in messages sent between stations and access points
![Page 67: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/67.jpg)
67
802.11 Wireless LAN (WLAN) Security
Wired Equivalent Privacy (WEP)
Biggest security problem: Not enabled by default
40-bit encryption keys are too small Nonstandard 128-bit (really 104-bit) keys are
reasonable interoperable
![Page 68: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/68.jpg)
68
802.11 Wireless LAN (WLAN) Security
Wired Equivalent Privacy (WEP)
Shared passwords
Access points and all stations use the same password
Difficult to change, so rarely changed
People tend to share shared passwords too widely
Flawed security algorithms Algorithms were selected by cryptographic
amateurs
![Page 69: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/69.jpg)
69
802.11 Wireless LAN (WLAN) Security
802.1x and 802.11i (Figure 2-14)
Authentication server
User data server
Individual keys give out at access point
![Page 70: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/70.jpg)
70
802.1x Authentication for 802.11i WLANs
AccessPoint
Applicant(Lee)
1.Authentication
Data
2.Pass on Request to
RADIUS Server
3.Get User Lee’s Data(Optional; RADIUSServer May Store
This Data)
4. AcceptApplicant Key=XYZ
5. OKUse
Key XYZ
DirectoryServer orKerberos
Server
RADIUS Server
![Page 71: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/71.jpg)
71
802.11 Wireless LAN (WLAN) Security
802.1x and 802.11
Control access when the user connects to the network At a wired RJ-45 jack At a wireless access point
802.1x is a general approach to port authentication 802.11i is the implementation of 802.1x on
802.11 wireless LANs
![Page 72: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/72.jpg)
72
802.11 Wireless LAN (WLAN) Security
802.1x and 802.11
Extensible Authentication Protocol (EAP) Supports multiple forms of authentication
EAP-TLS EAP-TTLS PEAP
![Page 73: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/73.jpg)
73
802.11 Wireless LAN (WLAN) Security
802.1x and 802.11
Extensible Authentication Protocol (EAP) Authentication mechanisms
Passwords Simple and inexpensive to implement Low security
Digital Certificate Complex and expensive to install digital
certificates on many devices Very strong authentication
![Page 74: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/74.jpg)
74
802.11 Wireless LAN (WLAN) Security
Client Authentication
Access Point Authentication
Comment
EAP-TLS Digital Certificate orNothing at all
Digital Certificate
Expensive client authentication or none
EAP-TTLS Password or other authentication method
Digital Certificate
Fits reality that many users have passwords
PEAP (Protected EAP)
Password or other authentication method
Digital Certificate
Strong. Supported by Microsoft, Cisco, and RSA
![Page 75: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/75.jpg)
75
802.11 Wireless LAN (WLAN) Security
TLS The default for 802.11i security but choice of
either digital certificates for clients or no client authentication is undesirable
PEAP and TTLS Very similar in terms of the authentication
methods they support
PEAP is supported by Microsoft, Cisco, and RSA
TTLS is supported by a consortium of other vendors
![Page 76: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/76.jpg)
76
802.11 Wireless LAN (WLAN) Security
802.1x and 802.11i (Figure 2-14)
After authentication, the client must be given a key for confidentiality
Temporal Key Integrity Protocol (TKIP) is used in 802.11i and 802.1x
Key changed every 10,000 frames to foil data collection for key guessing
This is an Advanced Encryption Standard (AES) key
![Page 77: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/77.jpg)
77
Wi-Fi and WPA
Wi-Fi Alliance
Industry group that certifies 802.11 systems
Created the Wi-Fi Protected Access (WPA) system in 2002
WPA is basically 802.11i But does not use AES keys Many installed wireless products can be
upgraded to WPA Stop-gap measure before 802.11i
![Page 78: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/78.jpg)
78
802.11i Today
802.11i standard was released in July 2004
But products started appearing in 2003
What must firms do?
Throw out WEP-only products In security, legacy technologies are not
acceptable
Decide if it can have WPA and 802.11i products co-exist
![Page 79: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/79.jpg)
79
802.11 Wireless LAN (WLAN) Security
Virtual Private Networks (VPNs)
Add security on top of network technology to compensate for WLAN weaknesses
Discussed in Chapter 8
WLAN, etc.
VPN
![Page 80: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/80.jpg)
80
The Situation Today in Wireless Security
Wireless security is poor in most installations today
The situation is improving, and technology will soon be good
But old installations are likely to remain weak links in corporate security
![Page 81: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/81.jpg)
81
Topics Covered
Policy-Driven Access Control
Identify resources
Create an access policy for each
Let the policy drive implementation and testing
![Page 82: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/82.jpg)
82
Topics Covered
Password-Based Access Control
Reusable passwords are inexpensive because built into servers
Usually weak because people often pick cracked passwords
Hacking root is a key goal
Password resets are necessary but dangerous
![Page 83: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/83.jpg)
83
Topics Covered
Building Security
Single point of (normal) entry to building
Fire doors, etc.: use CCTV and alarms
Security centers
Interior doors locked (but piggybacking)
Dumpster diving control
Securing building wiring, including telecommunications closets
![Page 84: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/84.jpg)
84
Topics Covered
Access Cards and Tokens
Magnetic strip cards
Smart cards with CPU and Memory
Tokens Tokens with constantly-changing passwords Tokens that plug into USB ports
Proximity cards with radio communication
Pins can be short because of manual entry
![Page 85: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/85.jpg)
85
Topics Covered
Biometric Authentication Can replace reusable passwords
Fingerprint scanning dominates biometrics Inexpensive, somewhat secure
Iris recognition is more precise
Face recognition can be done surreptitiously
Identification vs verification vs watch list
FARs and FRRs
Often easily deceived by attackers
![Page 86: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/86.jpg)
86
Topics Covered
802.11 Wireless LAN Security
Signals travel outside building, allowing drive-by hacking
Initial security was WEP Often not even turned on Very easily cracked because uses shared
static key for both confidentiality and authentication
Some firms added passwords and/or VPNs to allow secure communication anyway
![Page 87: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/87.jpg)
87
Topics Covered
802.11 Wireless LAN Security
Now, 802.11i security
Based on 802.1x security for wired LANs
Sophisticated authentication
EAP supports multiple methods
Not a single standard, so problems with equipment interoperability
Strong AES confidentiality
![Page 88: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/88.jpg)
88
Topics Covered
802.11 Wireless LAN Security
Now, 802.11i security Requires an infrastructure
Central authentication server Adequate for corporate needs
Today Buy only 802.11i equipment See if can keep WPA (post-WEP/pre-802.11i)
products Discard WEP products
![Page 89: Lecture 15 Access Control Processes](https://reader036.vdocuments.mx/reader036/viewer/2022062805/56814d5d550346895dba9d98/html5/thumbnails/89.jpg)
89
End of Lecture