Security Overview

Upload: joanna-cook

Post on 18-Jan-2018


Page 1

Security Overview

Page 2

Security Objectives

Confidentiality: prevent/detect/deter improper disclosure of information
Integrity: prevent/detect/deter improper modification of information
Availability: prevent/detect/deter improper denial of access to services

Farkas CSCE 824

Page 3

Security Objectives for Distributed Applications

Authenticity
Non-repudiation

Page 4

Sample Questions

What is the trade-off between the security objectives?
Give an example of the security objectives in the domain of college education.
Consider the trend about attack sophistication and intruder's knowledge. Recommend an approach to enhance the security of future computing systems.

Page 5

Achieving Security

Policy: What to protect?
Mechanism: How to protect?
Assurance: How good is the protection?

Page 6

Security Policy

Organizational Policy
Computerized Information System Policy

Page 7

Sample Questions

Why do we need to fit the security policy into the organizational policy?
Why is it recommended to separate policy from mechanism?
What does "assurance" mean in the context of security?
Give an example of a security policy enforced on your personal computer/CSE computing system/CEC computing system and recommend a security mechanism to implement the policy.

Page 8

Security Mechanism

Prevention
Detection
Tolerance/Recovery

Page 9

Security Tradeoffs

Cost
Security Functionality
Ease of Use

Page 10

Threats, Attacks, Vulnerability, Risk

Types of threats
Types of attacks
Relation to security objectives
M(ethod), O(pportunity), and M(otive) of attacks
Methods of defense – Security planning
Risk Management

Page 11

Risk Management Framework (Business Context)

Understand Business Context
Identify Business and Technical Risks
Synthesize and Rank Risks
Define Risk Mitigation Strategy
Carry Out Fixes and Validate
Measurement and Reporting (throughout)

Page 12

Sample Questions

Give an example of vulnerability, threat, risk, and attack in the domain of …
What does the "weakest link" of defense mean?
Recommend a way to increase a computing system's security by incorporating security trade-offs into the security planning.
Why do we need to understand the business context to have effective security?

Page 13

Cryptography

Page 14

Insecure communications

(Diagram: a Sender transmits a confidential message to a Recipient over an insecure channel; a Snooper observes the channel.)

Page 15

Cryptographic Protocols

Messages should be transmitted to destination
Only the recipient should see it
Only the recipient should get it
Proof of the sender's identity
Message shouldn't be corrupted in transit
Message should be sent/received once only

Page 16

Conventional (Secret Key) Cryptosystem

(Diagram: Sender and Recipient share key K.)
Sender, encryption: C = E(K, M) (plaintext M to ciphertext C)
Recipient, decryption: M = D(K, C)
K needs a secure channel

Page 17

Public Key Cryptosystem

(Diagram: Sender encrypts with the Recipient's public key, Recipient decrypts with its private key.)
Sender, encryption: C = E(Kpub, M)
Recipient, decryption: M = D(Kpriv, C)
Kpub: Recipient's public key
Kpriv: Recipient's private key
Kpub needs a reliable channel

Page 18

Cryptography

Cryptanalyst's goal:
Break message
Break key
Break algorithm

Taxonomy of attacks
Breakable vs. unbreakable cryptographic system
Properties of good cryptosystem

Page 19

Cryptosystem Vulnerabilities

• Passive Attacker (Eavesdropper)
• Active Attacker
• Capabilities

Page 20

Basic Encryption Techniques

Substitution
Permutation
Combinations and iterations of these
Techniques and attacks
ADVANTAGES/DISADVANTAGES!

Page 21

Inherent Weaknesses of Symmetric Cryptography

Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
Need a key for each pair of users: n users need n*(n-1)/2 keys
If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages

Page 22

Product Ciphers

One encryption applied to the result of the other: En(En-1(…(E1(M)))), e.g.,
Double transposition
Substitution followed by permutation, followed by substitution, followed by permutation…
Broken for chosen plaintext

Page 23

Trustworthy Encryption Systems

Based on sound mathematics
Has been analyzed by experts
Has stood the test of time
Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA)

Page 24

Public Key Encryption

Page 25

CSCE 522 - Farkas

Public-Key Encryption

Two keys – one is private, one is public
Solves the key distribution problem (but needs a reliable channel)
Provides electronic signatures
Slower than secret-key encryption

Page 26

Public-Key Encryption

Needed for security:
One of the keys must be kept secret
Impossible (at least impractical) to decipher a message if no other information is available
Knowledge of the algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key

Page 27

RSA – Notation

C = E(KE-B, M)
M = D(KD-B, C)
KE-B: public key of B
KD-B: private key of B
E: encryption alg.
D: decryption alg.
M: plaintext
C: ciphertext

Page 28

RSA

Both sender and receiver know n
Sender knows e
Only receiver knows d
Modulus: remainder after division, i.e., if a mod n = b then a = c*n + b
Need: find values e, d, n such that
M^(ed) mod n = M mod n
Easy to calculate M^e, C^d for all M < n
Infeasible to determine d given e

Page 29

Signature and Encryption

(Diagram, A sends to B:)
A: Plaintext → D with A's private key → Signed plaintext → E with B's public key → Encrypted signed plaintext
B: Encrypted signed plaintext → D with B's private key → Signed plaintext → E with A's public key → Plaintext

Page 30

Non-repudiation

Requires notarized signature, involving a third party
Large system: hierarchies of notarization

Page 31

Cryptographic Hash Functions

Page 32

Hash Functions

Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)
Accidental or intentional change to the data will change the hash value
Given h and x, h(x) is easy to compute (ease of computation)

Page 33

Good Hash Function

1. It is easy to compute the hash value for any given message
2. It is infeasible to find a message that has a given hash
3. It is infeasible to modify a message without changing its hash
4. It is infeasible to find two different messages with the same hash

Page 34

Cryptographic Protocols

Page 35

Protocols

Good protocol characteristics:
Established in advance
Mutually subscribed
Unambiguous
Complete

Page 36

Symmetric-Key Distribution: Symmetric-Key Techniques

Symmetric-Key without Server
Symmetric-Key with Server

Page 37

Symmetric-Key Distribution: Public-Key Techniques

Simple secret key distribution
Secret key distribution with confidentiality and authentication
Diffie-Hellman Key Exchange

Page 38

Simple secret key distribution

(Diagram: Sender S and Recipient)
1. Sender → Recipient: KE-S || ID-S (KE-S: public key of S)
2. Recipient → Sender: E_KE-S(Ksession) (Ksession: secret session key)
Vulnerable to active attack! HOW?

Page 39

With confidentiality and authentication

(Diagram: Sender S and Recipient R)
1. Sender → Recipient: E_KE-R[N1 || ID-A]
2. Recipient → Sender: E_KE-S[N1 || N2]
3. Sender → Recipient: E_KE-R[N2]
4. Sender → Recipient: E_KE-R[E_KD-S(Ksession)]
N1, N2: nonces
Assume: KE-R and KE-S are known in advance
Question: Why do we need reliable distribution of public keys?

Page 40

Intruder in the Middle Attack

(Diagram: John – Intruder – Rose)
John → Intruder: "Hi Rose, I'm John."
Intruder → Rose: "Hi Rose, I'm John."
Rose → Intruder: "Hi John, I'm Rose."
Intruder → John: "Hi John, I'm Rose."
Intruder and John use Diffie-Hellman to agree on key K.
Intruder and Rose use Diffie-Hellman to agree on key K'.
Question: the attacker may want to have K and K' be the same. Why?

Page 41

Asymmetric-Key Exchange

Without server:
Broadcasting
Publicly available directory
With server:
Public key distribution center
Certificates

Page 42

Public-key certificates

(Diagram: Certificate Authority, Sender S, Recipient R)
The Certificate Authority issues to the Sender (for KE-S): C-S = E_KD-CAuth[Time1, ID-S, KE-S]
The Certificate Authority issues to the Recipient (for KE-R): C-R = E_KD-CAuth[Time2, ID-R, KE-R]
1. Sender → Recipient: C-S
2. Recipient → Sender: C-R

Page 43

Certificates

Guarantees the validity of the information
Establishing trust
Public key and user identity are bound together, then signed by someone trusted
Need: digital signature

Page 44

Digital Signature

Need the same effect as a real signature:
Un-forgeable
Authentic
Non-alterable
Not reusable

Page 45

Digital signature

Direct digital signature: public-key cryptography based
Arbitrated digital signature:
Conventional encryption: arbiter sees message / arbiter does not see message
Public-key based: arbiter does not see message

Page 46

Identification and Authentication

Page 47

Authentication

Allows an entity (a user or a system) to prove its identity to another entity
Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

Page 48

Authentication Information

Must be securely maintained by the system.

Page 49

Authentication Requirements

Network must ensure data exchange is established with the addressed peer entity, not with an entity that masquerades or replays previous messages
Network must ensure the data source is the one claimed
Authentication generally follows identification
Establish validity of claimed identity
Provide protection against fraudulent transactions

Page 50

User Authentication

What the user knows: password, personal information
What the user possesses: physical key, ticket, passport, token, smart card
What the user is (biometrics): fingerprints, voiceprint, signature dynamics

Page 51

Passwords

Commonly used method
For each user, system stores (user name, F(password)) in a password file, where F is some transformation (e.g., one-way hash)
F(password) is easy to compute
From F(password), password is difficult to compute
Password is not stored in the system
When user enters the password, system computes F(password); match provides proof of identity

Page 52

Vulnerabilities of Passwords

Inherent vulnerabilities:
Easy to guess or snoop
No control on sharing
Practical vulnerabilities:
Visible if unencrypted in distributed and network environment
Susceptible to replay attacks if encrypted naively
Password advantage: easy to modify a compromised password.

Page 53

Attacks on Passwords

Guessing attack/dictionary attack
Social engineering
Sniffing
Trojan login
Van Eck sniffing

Page 54

One-time Password

Use the password exactly once!

Page 55

Lamport's scheme

Doesn't require any special hardware
System computes F(x), F^2(x), …, F^100(x) (this allows 100 logins before password change)
System stores user's name and F^100(x)
User supplies F^99(x) the first time
If the login is correct, system replaces F^100(x) with F^99(x)
Next login: user supplies F^98(x) … and so on
User calculates F^n(x) using a hand-held calculator, a workstation, or other devices

Page 56

Time Synchronized

(Diagram: the token feeds its secret key and the current time into DES; the output is the one-time password.)
Secret key + Time → DES → One Time Password

Page 57

Challenge Response

(Diagram: workstation and host connected over a network. Workstation → Host: User ID; Host → Workstation: Challenge; Workstation → Host: Response.)
• Non-repeating challenges from the host are used
• The device requires a keypad

Page 58

Access Control

Page 59

Access Control

Protection objects: system resources for which protection is desirable (memory, file, directory, hardware resource, software resources, etc.)
Subjects: active entities requesting accesses to resources (user, owner, program, etc.)
Access mode: type of access (read, write, execute)

Page 60

Access Control Requirement

Cannot be bypassed
Enforce least-privilege and need-to-know restrictions
Enforce organizational policy

Page 61

Access Control

Access control: ensures that all direct accesses to objects are authorized
Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
Need:
– Proper user identification and authentication
– Information specifying the access rights is protected from modification

Page 62

Access Control

Access control components:
– Access control policy: specifies the authorized accesses of a system
– Access control mechanism: implements and enforces the policy
Separation of components allows one to:
– Define access requirements independently from implementation
– Compare different policies
– Implement mechanisms that can enforce a wide range of policies

Page 63

Closed vs. Open Systems

(Diagram: two decision flows.)
Closed system (minimum privilege): rules list allowed accesses. Access request → does a rule allowing it exist? yes → access permitted; no → access denied.
Open system (maximum privilege): rules list disallowed accesses. Access request → does a rule disallowing it exist? yes → access denied; no → access permitted.

Page 64

Access Control Models

(Diagram: the set of all accesses, restricted by the models below.)
Discretionary AC
Mandatory AC
Role-Based AC

Page 65

Discretionary Access Control

Access control is based on user's identity and access control rules
Most common administration: owner based
Users can protect what they own
Owner may grant access to others
Owner may define the type of access given to others

Page 66

Access Matrix Model

(Table: rows are subjects Joe and Sam, columns are objects File 1 and File 2; each cell holds the access rights of that subject on that object. The cell entries shown are Read/Write/Own, Read, and Read/Write/Own.)

Page 67

Grant and Revoke

GRANT <privilege> ON <relation> TO <user> [WITH GRANT OPTION]

GRANT SELECT * ON Student TO Matthews
GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
GRANT SELECT(NAME) ON Student TO Brown

GRANT command applies to base relations as well as views

Page 68

Grant and Revoke

REVOKE <privileges> [ON <relation>] FROM <user>

REVOKE SELECT * ON Student FROM Blue
REVOKE UPDATE ON Student FROM Black
REVOKE SELECT(NAME) ON Student FROM Brown

Page 69

Non-cascading Revoke

(Diagram: grant graph before and after. Before: A has granted to B, C and D; D has granted onward to E and F. After A revokes D's privileges: A, B and C remain, and E and F keep the privileges D granted them.)

Page 70

Cascading Revoke

(Diagram: the same grant graph. After A revokes D's privileges, only A, B and C remain; E and F lose the privileges D granted them.)

Page 71

Positive and Negative Authorization

Problem: contradictory authorizations
• GRANT <privilege> ON X TO <user>
• DENY <privilege> ON X TO <user>
(Diagram: a grant graph among A, B, C, D and E whose edges are labelled + for a positive and - for a negative authorization.)

Page 72

Negative Authorization

(Diagram: the same graph with an additional negative authorization on D.)
Positive authorization granted by A to D becomes blocked but NOT deleted.

Page 73

DAC and Trojan Horse

(Diagram: two files with their access control lists.)
Employee: Brown: read, write
Black's Employee: Black, Brown: read, write
Black attempts to read Employee → REJECTED! Black is not allowed to access Employee.

Page 74

DAC and Trojan Horse

(Diagram: the same two files and ACLs, plus a shared Word Processor.)
Employee: Brown: read, write
Black's Employee: Black, Brown: read, write
Black inserts a Trojan Horse (TH) into the shared program.
Brown uses the shared program; the TH reads Employee and copies Employee to Black's Employee.

Page 75

DAC Overview

Advantages:
Intuitive
Easy to implement
Disadvantages:
Inherent vulnerability (see the TH example)
Maintenance of ACL or capability lists
Maintenance of Grant/Revoke
Limited power of negative authorization

Page 76

Mandatory Access Control

Objects: security classification, e.g., grades = (confidential, {student-info})
Subjects: security clearances, e.g., Joe = (confidential, {student-info})
Access rules: defined by comparing the security classification of the requested objects with the security clearance of the subject, e.g., a subject can read an object only if label(subject) dominates label(object)

Page 77

Mandatory Access Control

If access control rules are satisfied, access is permitted, e.g., Joe wants to read grades:
label(Joe) = (confidential, {student-info})
label(grades) = (confidential, {student-info})
Joe is permitted to read grades
Granularity of access rights!

Page 78

Mandatory Access Control

Security Classes (labels): (A, C)
A – total order authority level
C – set of categories
e.g., A = confidential > public, C = {student-info, dept-info}
(Diagram: the lattice of the eight labels, from (confidential, {student-info, dept-info}) at the top down to (public, { }) at the bottom:)
(confidential, {student-info, dept-info})
(confidential, {student-info})  (confidential, {dept-info})  (public, {student-info, dept-info})
(confidential, { })  (public, {student-info})  (public, {dept-info})
(public, { })

Page 79

Mandatory Access Control

Dominance (≥): label l = (A, C) dominates l' = (A', C') iff A ≥ A' and C ⊇ C'
e.g., (confidential, {student-info}) ≥ (public, {student-info})
BUT (confidential, {student-info}) does not dominate (public, {student-info, department-info})

Page 80

Bell-LaPadula (BLP) Model

Confidentiality protection
Lattice-based access control: subjects, objects, security labels
Supports decentralized administration

Page 81

BLP Reference Monitor

All accesses are controlled by the reference monitor
Cannot be bypassed
Access is allowed iff the resulting system state satisfies all security properties
Trusted subjects: subjects trusted not to compromise security

Page 82

BLP Axioms 1.

Simple-security property: a subject s is allowed to read an object o only if the security label of s dominates the security label of o
No read up
Applies to all subjects

Page 83

BLP Axioms 2.

*-property: a subject s is allowed to write an object o only if the security label of o dominates the security label of s
No write down
Applies to un-trusted subjects only

Page 84

Blind Writes

Improper modification of data
Most implementations disallow blind writes

Page 85

Trojan Horse and BLP

(Diagram: the DAC scenario of Page 74 with security labels and a Reference Monitor mediating every access.)
Employee (Secret): Brown: read, write
Black's Employee (Public): Black, Brown: read, write
Brown: Secret; Black: Public; Word Processor with TH: Public
Black inserts the Trojan Horse into the shared program.
Brown uses the shared program: it reads Employee (Secret, permitted for Brown) and attempts to copy Employee to Black's Employee (Public), a write down that the reference monitor rejects under the *-property.

Page 86

RBAC Motivation

Multi-user systems
Multi-application systems
Permissions are associated with roles
Role-permission assignments are persistent vs. user-permission assignments
Intuitive: competency, authority and responsibility

Page 87

RBAC

Allows one to express security requirements but CANNOT ENFORCE THESE PRINCIPLES
e.g., RBAC can be configured to enforce BLP rules, but its correctness depends on the configuration done by the system security officer.

Page 88

Roles

User group: collection of users with possibly different permissions
Role: mediator between a collection of users and a collection of permissions
RBAC is independent from DAC and MAC (they may coexist)
RBAC is policy neutral: the configuration of RBAC determines the policy to be enforced

Page 89

RBAC

(Diagram: the RBAC model family.)
RBAC0: base model
RBAC1: role hierarchy
RBAC2: constraints
RBAC3: consolidated model (RBAC1 + RBAC2)

Page 90

RBAC0

(Diagram:) Users (U) — user assignment — Roles (R) — permission assignment — Permissions (P); Sessions (S)

Page 91

RBAC1

(Diagram:) Users (U) — user assignment — Roles (R) — permission assignment — Permissions (P); Sessions (S); plus a Role Hierarchy on R

Page 92

RBAC1

Role Hierarchy (diagram, with inheritance of privileges upward):
Primary-care Physician and Specialist Physician are above Physician
Physician is above Health-care provider

Page 93

RBAC2

(Diagram:) Users (U) — user assignment — Roles (R) — permission assignment — Permissions (P); Sessions (S); plus Constraints

Page 94

RBAC3

(Diagram:) Users (U) — user assignment — Roles (R) — permission assignment — Permissions (P); Sessions (S); plus Role Hierarchy and Constraints

Page 95

Next Class

Information Warfare