Security Overview
Security Objectives
Confidentiality: prevent/detect/deter improper disclosure of information
Integrity: prevent/detect/deter improper modification of information
Availability: prevent/detect/deter improper denial of access to services
2Farkas CSCE 824
Distributed applications
Authenticity
Non-repudiation
Sample Questions
What is the trade off between the security objectives?
Give an example of the security objectives in the domain of college education.
Consider the trend about attack sophistication and intruder’s knowledge. Recommend an approach to enhance the security of future computing systems.
Achieving Security
Policy: What to protect?
Mechanism: How to protect?
Assurance: How good is the protection?
Security Policy
Organizational Policy
Computerized Information System Policy
Sample Questions
Why do we need to fit the security policy into the organizational policy?
Why is it recommended to separate policy from mechanism?
What does “assurance” mean in the context of security?
Give an example security policy enforced on your personal computer/CSE computing system/CEC computing system and recommend security mechanism to implement the policy.
Security Mechanism
Prevention
Detection
Tolerance/Recovery
Security Tradeoffs
COST
Security Functionality
Ease of Use
Threats, Attacks, Vulnerability, Risk
Types of threats
Types of attacks
Relation to security objectives
M(ethod), O(pportunity), and M(otive) of attacks
Methods of defense – Security planning
Risk Management
Risk Management Framework (Business Context)
Understand Business Context
Identify Business and Technical Risks
Synthesize and Rank Risks
Define Risk Mitigation Strategy
Carry Out Fixes and Validate
Measurement and Reporting
Sample Questions
Give an example of vulnerability, threat, risk, and attack in the domain of …
What does “weakest link” of defense mean?
Recommend a way to increase computing system’s security by incorporating security trade offs into the security planning.
Why do we need to understand the business context to have effective security?
Cryptography
Insecure communications
[Figure: Sender and Recipient exchange a confidential message over an insecure channel; a Snooper listens on the channel.]
Cryptographic Protocols
Messages should be transmitted to destination
Only the recipient should see it
Only the recipient should get it
Proof of the sender’s identity
Message shouldn’t be corrupted in transit
Message should be sent/received once only
Conventional (Secret Key) Cryptosystem
[Figure: Sender: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext: Recipient; both sides use the key K.]
C = E(K, M)
M = D(K, C)
K needs secure channel
Public Key Cryptosystem
[Figure: Sender: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext: Recipient; encryption uses the recipient’s public key (Kpub), decryption uses the recipient’s private key (Kpriv).]
C = E(Kpub, M)
M = D(Kpriv, C)
Kpub needs reliable channel
Cryptography
Cryptanalyst’s goal:
  Break message
  Break key
  Break algorithm
Taxonomy of attacks
Breakable vs. unbreakable cryptographic system
Properties of good cryptosystem
Cryptosystem Vulnerabilities
• Passive Attacker (Eavesdropper)
• Active Attacker
• Capabilities
Basic Encryption Techniques
Substitution
Permutation
Combinations and iterations of these
Techniques and attacks
ADVANTAGES/DISADVANTAGES!
Inherent Weaknesses of Symmetric Cryptography
Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
Need a key for each pair of users: n users need n*(n-1)/2 keys
If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages
Product Ciphers
One encryption applied to the result of the other
En(En-1(…(E1(M)))), e.g.,
  Double transposition
  Substitution followed by permutation, followed by substitution, followed by permutation…
Broken for
  Chosen plaintext
Trustworthy Encryption Systems
Based on sound mathematics
Has been analyzed by experts
Has stood the test of time
Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA)
Public Key Encryption
CSCE 522 - Farkas 25
Public-Key Encryption
Two keys – one is private one is public
Solves the key distribution problem (but need reliable channel)
Provides electronic signatures
Slower than secret-key encryption
Public-Key Encryption
Needed for security:
  One of the keys must be kept secret
  Impossible (at least impractical) to decipher message if no other information is available
  Knowledge of algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key
RSA – Notation
C = E(KE-B, M)
M = D(KD-B, C)
KE-B: public key of B
KD-B: private key of B
E: encryption alg.
D: decryption alg.
M: plaintext
C: ciphertext
RSA
Both sender and receiver know n
Sender knows e
Only receiver knows d
Modulus: Remainder after division, i.e., if a mod n = b then a = c*n + b
Need:
  Find values e, d, n such that M^{ed} mod n = M mod n
  Easy to calculate M^e, C^d for all M < n
  Infeasible to determine d given e
Signature and Encryption
[Figure: A applies D with A’s private key to the plaintext, giving the signed plaintext, then applies E with B’s public key, giving the encrypted signed plaintext. B applies D with B’s private key to recover the signed plaintext, then applies E with A’s public key to recover the plaintext.]
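The RSA requirement M^{ed} mod n = M mod n and the sign-then-encrypt flow, as an added example that is not part of the original slides. It is textbook RSA without padding, for illustration only; the primes, exponents and function names are constructed for this example.

```python
from math import gcd

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)          # e*d = 1 mod phi, which gives M^(ed) mod n = M
    return (e, n), (d, n)

def apply_key(key, value):
    """E and D are the same operation: value^exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus n")
    return pow(value, exponent, n)

# Constructed toy keys. A's modulus is smaller than B's so that A's
# signature always fits under B's modulus when it is encrypted.
KE_A, KD_A = make_keypair(61, 53, 17)   # n = 3233
KE_B, KD_B = make_keypair(89, 97, 5)    # n = 8633

def sign_then_encrypt(m):
    signed = apply_key(KD_A, m)          # D with A's private key
    return apply_key(KE_B, signed)       # E with B's public key

def decrypt_then_verify(c):
    signed = apply_key(KD_B, c)          # D with B's private key
    return apply_key(KE_A, signed)       # E with A's public key

def roundtrip_holds_for_all(public, private):
    """Check M^(ed) mod n = M for every M < n."""
    n = public[1]
    return all(apply_key(private, apply_key(public, m)) == m for m in range(n))

if __name__ == "__main__":
    c = sign_then_encrypt(1234)
    print("ciphertext:", c, "recovered:", decrypt_then_verify(c))
    print("holds for all M < n:", roundtrip_holds_for_all(KE_A, KD_A))
```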
Non-repudiation
Requires notarized signature, involving a third party
Large system: hierarchies of notarization
Cryptographic Hash Functions
Hash Functions
Hash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)
Accidental or intentional change to the data will change the hash value
Given h and x, h(x) is easy to compute (ease of computation)
Good Hash Function
1. It is easy to compute the hash value for any given message
2. It is infeasible to find a message that has a given hash
3. It is infeasible to modify a message without changing its hash
4. It is infeasible to find two different messages with the same hash
Cryptographic Protocols
Protocols
Good protocol characteristics:
  Established in advance
  Mutually subscribed
  Unambiguous
  Complete
Symmetric-Key Distribution: Symmetric-Key Techniques
Symmetric-Key without Server
Symmetric-Key with Server
Symmetric-Key Distribution: Public-Key Techniques
Simple secret key distribution
Secret key distribution with confidentiality and authentication
Diffie-Hellman Key Exchange
Simple secret key distribution
1. Sender -> Recipient: KE-S || ID-S (KE-S: public key of S)
2. Recipient -> Sender: E(KE-S, Ksession) (Ksession: secret session key)
Vulnerable to active attack! HOW?
With confidentiality and authentication
1. Sender -> Recipient: E(KE-R, [N1 || ID-A])
2. Recipient -> Sender: E(KE-S, [N1 || N2])
3. Sender -> Recipient: E(KE-R, [N2])
4. Sender -> Recipient: E(KE-R, E(KD-S, Ksession))
N1, N2: nonces
Assume: KE-R and KE-S are known in advance
Question: Why do we need reliable distribution of public keys?
Intruder in the Middle Attack
[Figure: John, Intruder, Rose. John’s “Hi Rose, I’m John.” passes through the Intruder on its way to Rose; Rose’s “Hi John, I’m Rose.” passes through the Intruder on its way to John.]
Intruder and John use Diffie-Hellman to agree on key K.
Intruder and Rose use Diffie-Hellman to agree on key K’.
Question: the attacker may want to have K and K’ be the same. Why?
Asymmetric-Key Exchange
Without server
  Broadcasting
  Publicly available directory
With server
  Public key distribution center
  Certificates
Public-key certificates
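Sender -> Certificate Authority: KE-S
Certificate Authority -> Sender: C-S = E(KD-CAuth, [Time1, ID-S, KE-S])
Recipient -> Certificate Authority: KE-R
Certificate Authority -> Recipient: C-R = E(KD-CAuth, [Time2, ID-R, KE-R])
1. Sender -> Recipient: C-S
2. Recipient -> Sender: C-R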
Certificates
Guarantees the validity of the information
Establishing trust
Public key and user identity are bound together, then signed by someone trusted
Need: digital signature
Digital Signature
Need the same effect as a real signature
  Un-forgeable
  Authentic
  Non-alterable
  Not reusable
Digital signature
Direct digital signature: public-key cryptography based
Arbitrated digital signature:
  Conventional encryption:
    Arbiter sees message
    Arbiter does not see message
  Public-key based
    Arbiter does not see message
Identification and Authentication
Authentication
Allows an entity (a user or a system) to prove its identity to another entity
Typically, the entity whose identity is verified reveals knowledge of some secret S to the verifier
Strong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier
Authentication Information
Must be securely maintained by the system.
Authentication Requirements
Network must ensure data exchange is established with addressed peer entity, not with an entity that masquerades or replays previous messages
Network must ensure data source is the one claimed
Authentication generally follows identification
  Establish validity of claimed identity
  Provide protection against fraudulent transactions
User Authentication
What the user knows
  Password, personal information
What the user possesses
  Physical key, ticket, passport, token, smart card
What the user is (biometrics)
  Fingerprints, voiceprint, signature dynamics
Passwords
Commonly used method
For each user, system stores (user name, F(password)), where F is some transformation (e.g., one-way hash) in a password file
  F(password) is easy to compute
  From F(password), password is difficult to compute
  Password is not stored in the system
When user enters the password, system computes F(password); match provides proof of identity
Vulnerabilities of Passwords
Inherent vulnerabilities
  Easy to guess or snoop
  No control on sharing
Practical vulnerabilities
  Visible if unencrypted in distributed and network environment
  Susceptible to replay attacks if encrypted naively
Password advantage
  Easy to modify compromised password.
Attacks on Password
Guessing attack/dictionary attack
Social Engineering
Sniffing
Trojan login
Van Eck sniffing
One-time Password
Use the password exactly once!
Lamport’s scheme
Doesn’t require any special hardware
System computes F(x), F^2(x), …, F^100(x) (this allows 100 logins before password change)
System stores user’s name and F^100(x)
User supplies F^99(x) the first time
If the login is correct, system replaces F^100(x) with F^99(x)
Next login: user supplies F^98(x) … and so on
User calculates F^n(x) using a hand-held calculator, a workstation, or other devices
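Lamport’s scheme as described above, as an added example that is not part of the original slides. SHA-256 as F, the class names and the sample secret are assumptions made for this example; the replayed password in the demo shows why each value works exactly once.

```python
import hashlib
import hmac

def F(value: bytes) -> bytes:
    """One-way function F; SHA-256 is an assumption, the slides name none."""
    return hashlib.sha256(value).digest()

def F_n(x: bytes, n: int) -> bytes:
    """Apply F n times: F^n(x)."""
    for _ in range(n):
        x = F(x)
    return x

class LamportServer:
    """Stores only the user's name and the last accepted chain value."""
    def __init__(self):
        self.stored = {}                       # user name -> F^k(x)

    def enroll(self, user: str, top: bytes) -> None:
        self.stored[user] = top                # F^100(x); x never reaches the server

    def login(self, user: str, supplied: bytes) -> bool:
        expected = self.stored.get(user)
        if expected is None:
            return False
        if hmac.compare_digest(F(supplied), expected):
            self.stored[user] = supplied       # replace F^k(x) with F^(k-1)(x)
            return True
        return False

class LamportUser:
    """Holds the secret x and counts down the remaining logins."""
    def __init__(self, secret: bytes, logins: int = 100):
        self.secret, self.remaining = secret, logins

    def enrollment_value(self) -> bytes:
        return F_n(self.secret, self.remaining)

    def next_password(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted: choose a new x and re-enroll")
        self.remaining -= 1
        return F_n(self.secret, self.remaining)

def demo():
    user = LamportUser(b"constructed secret x")    # constructed sample secret
    server = LamportServer()
    server.enroll("alice", user.enrollment_value())
    first = user.next_password()                   # F^99(x)
    results = [server.login("alice", first)]       # accepted
    results.append(server.login("alice", first))   # sniffed and replayed: rejected
    results.append(server.login("alice", user.next_password()))  # F^98(x): accepted
    return results

if __name__ == "__main__":
    print(demo())
```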
Time Synchronized
[Figure: the secret key and the time are fed into DES, which outputs the one time password.]
Challenge Response
[Figure: Work station and Host connected over the Network; the messages exchanged are User ID, Challenge and Response.]
• Non-repeating challenges from the host are used
• The device requires a keypad
Access Control
Access Control
Protection objects: system resources for which protection is desirable
  Memory, file, directory, hardware resource, software resources, etc.
Subjects: active entities requesting accesses to resources
  User, owner, program, etc.
Access mode: type of access
  Read, write, execute
Access Control Requirement
Cannot be bypassed
Enforce least-privilege and need-to-know restrictions
Enforce organizational policy
Access Control
Access control: ensures that all direct accesses to object are authorized
Protects against accidental and malicious threats by regulating the reading, writing and execution of data and programs
Need:
– Proper user identification and authentication
– Information specifying the access rights is protected from modification
Access Control
Access control components:
– Access control policy: specifies the authorized accesses of a system
– Access control mechanism: implements and enforces the policy
Separation of components makes it possible to:
– Define access requirements independently from implementation
– Compare different policies
– Implement mechanisms that can enforce a wide range of policies
Closed vs. Open Systems
Closed system (minimum privilege): rules list the allowed accesses. Access request -> Exists Rule? yes: access permitted; no: access denied.
Open system (maximum privilege): rules list the disallowed accesses. Access request -> Exists Rule? yes: access denied; no: access permitted.
Access Control Models
All accesses
Discretionary AC
Mandatory AC
Role-Based AC
Discretionary Access Control
Access control is based on
  User’s identity and
  Access control rules
Most common administration: owner based
  Users can protect what they own
  Owner may grant access to others
  Owner may define the type of access given to others
Access Matrix Model
[Figure: access matrix with subjects Joe and Sam as rows and File 1 and File 2 (objects and subjects) as columns; the entries are combinations of Read, Write and Own.]
Grant and Revoke
GRANT <privilege> ON <relation> TO <user> [WITH GRANT OPTION]
GRANT SELECT * ON Student TO Matthews
GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
GRANT SELECT(NAME) ON Student TO Brown
GRANT command applies to base relations as well as views
Grant and Revoke
REVOKE <privileges> [ON <relation>] FROM <user>
REVOKE SELECT * ON Student FROM Blue
REVOKE UPDATE ON Student FROM Black
REVOKE SELECT(NAME) ON Student FROM Brown
Non-cascading Revoke
[Figure: grant graph over users A, B, C, D, E, F before and after A revokes D’s privileges; after the revoke, A, B, C, E and F remain.]
Cascading Revoke
[Figure: grant graph over users A, B, C, D, E, F before and after A revokes D’s privileges; after the revoke, only A, B and C remain.]
Positive and Negative Authorization
Problem: Contradictory authorizations
• GRANT <privilege> ON X TO <user>
• DENY <privilege> ON X TO <user>
[Figure: authorization graph over users A, B, C, D, E with edges labeled + (positive) and - (negative).]
Negative Authorization
[Figure: the authorization graph over users A, B, C, D, E with + and - edges and one additional - edge.]
Positive authorization granted by A to D becomes blocked but NOT deleted.
DAC and Trojan Horse
[Figure: file Employee with ACL “Brown: read, write”; file Black’s Employee with ACL “Black, Brown: read, write”. Black issues Read Employee: REJECTED! Black is not allowed to access Employee.]
DAC and Trojan Horse
[Figure: file Employee with ACL “Brown: read, write”; file Black’s Employee with ACL “Black, Brown: read, write”. Black inserts a Trojan Horse (TH) into a shared program (Word Processor). Brown uses the shared program; the TH reads Employee and copies Employee to Black’s Employee.]
DAC Overview
Advantages:
  Intuitive
  Easy to implement
Disadvantages:
  Inherent vulnerability (see TH example)
  Maintenance of ACL or Capability lists
  Maintenance of Grant/Revoke
  Limited power of negative authorization
Mandatory Access Control
Objects: security classification
  e.g., grades=(confidential, {student-info})
Subjects: security clearances
  e.g., Joe=(confidential, {student-info})
Access rules: defined by comparing the security classification of the requested objects with the security clearance of the subject
  e.g., subject can read object only if label(subject) dominates label(object)
Mandatory Access Control
If access control rules are satisfied, access is permitted
e.g., Joe wants to read grades.
  label(Joe)=(confidential,{student-info})
  label(grades)=(confidential,{student-info})
  Joe is permitted to read grades
Granularity of access rights!
Mandatory Access Control
Security Classes (labels): (A,C)
  A – total order authority level
  C – set of categories
e.g., A = confidential > public, C = {student-info, dept-info}
[Figure: lattice of the eight labels, listed here from top to bottom.]
(confidential,{student-info,dept-info})
(confidential,{student-info})   (confidential,{dept-info})   (public,{student-info,dept-info})
(confidential,{ })   (public,{student-info})   (public,{dept-info})
(public,{ })
Mandatory Access Control
Dominance (): label l=(A,C) dominates l’=(A’,C’) iff A A’ and C C’
e.g., (confidential,{student-info}) (public,{student-info})
BUT
(confidential, {student-info}) (public,{student-info, department-info})
Bell-LaPadula (BLP) Model
Confidentiality protection
Lattice-based access control
  Subjects
  Objects
  Security labels
Supports decentralized administration
BLP Reference Monitor
All accesses are controlled by the reference monitor
Cannot be bypassed
Access is allowed iff the resulting system state satisfies all security properties
Trusted subjects: subjects trusted not to compromise security
BLP Axioms 1.
Simple-security property: a subject s is allowed to read an object o only if the security label of s dominates the security label of o
  No read up
  Applies to all subjects
BLP Axioms 2.
*-property: a subject s is allowed to write an object o only if the security label of o dominates the security label of s
  No write down
  Applies to un-trusted subjects only
Blind Writes
Improper modification of data
Most implementations disallow blind writes
Trojan Horse and BLP
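[Figure: the Trojan Horse scenario with security labels. File Employee (ACL “Brown: read, write”), file Black’s Employee (ACL “Black, Brown: read, write”), Brown, Black and the shared Word Processor carrying the Trojan Horse (TH) are labeled Secret or Public. The steps Insert Trojan Horse into shared program, Use shared program, Read Employee and Copy Employee to Black’s Employee pass through the Reference Monitor.]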
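A small reference monitor for the two BLP axioms, run on the Trojan Horse scenario, as an added example that is not part of the original slides. The level order public < confidential < secret and the assignment of Secret to Brown and Employee and Public to Black and Black’s Employee are assumptions made for this example; dominance is implemented as “level at least as high and categories a superset”.

```python
from dataclasses import dataclass

# Assumed total order: combines "confidential > public" with the figure's Secret label.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """a dominates b iff a's level is at least b's and a's categories include b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories

class ReferenceMonitor:
    """Mediates every access; trusted subjects are exempt from the *-property."""
    def __init__(self, subjects, objects, trusted=()):
        self.subjects, self.objects, self.trusted = subjects, objects, set(trusted)

    def allowed(self, subject: str, mode: str, obj: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":       # simple-security property: no read up
            return dominates(s, o)
        if mode == "write":      # *-property: no write down
            return subject in self.trusted or dominates(o, s)
        return False             # unknown access modes are denied

def trojan_horse_scenario():
    """Constructed labels for the Trojan Horse figure (assumed assignment)."""
    rm = ReferenceMonitor(
        subjects={"Brown": Label("secret"), "Black": Label("public")},
        objects={"Employee": Label("secret"),
                 "Black's Employee": Label("public")},
    )
    # The Trojan Horse runs inside Brown's session, so it carries Brown's label.
    return {
        "Black reads Employee": rm.allowed("Black", "read", "Employee"),
        "TH reads Employee": rm.allowed("Brown", "read", "Employee"),
        "TH copies to Black's Employee":
            rm.allowed("Brown", "write", "Black's Employee"),
        # Permitted by the *-property alone: this is the blind write (write up).
        "Black blind-writes Employee": rm.allowed("Black", "write", "Employee"),
    }

if __name__ == "__main__":
    for action, ok in trojan_horse_scenario().items():
        print(f"{action}: {'permitted' if ok else 'denied'}")
```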
RBAC Motivation
Multi-user systems
Multi-application systems
Permissions are associated with roles
Role-permission assignments are persistent vs. user-permission assignments
Intuitive: competency, authority and responsibility
RBAC
Allows expressing security requirements but CANNOT ENFORCE THESE PRINCIPLES
e.g., RBAC can be configured to enforce BLP rules but its correctness depends on the configuration done by the system security officer.
Roles
User group: collection of users with possibly different permissions
Role: mediator between collection of users and collection of permissions
RBAC is independent from DAC and MAC (they may coexist)
RBAC is policy neutral: configuration of RBAC determines the policy to be enforced
RBAC
RBAC3: consolidated model
RBAC1: role hierarchy
RBAC2: constraints
RBAC0: base model
RBAC0
[Figure: U (Users), R (Roles), P (Permissions) and S (Sessions); User assignment links U and R, Permission assignment links R and P.]
RBAC1
[Figure: U (Users), R (Roles), P (Permissions) and S (Sessions); User assignment links U and R, Permission assignment links R and P; a Role Hierarchy is added on R.]
RBAC1
Role Hierarchy
[Figure: role hierarchy over the roles Health-care provider, Physician, Primary-care Physician and Specialist Physician; the edges show inheritance of privileges.]
RBAC2
[Figure: U (Users), R (Roles), P (Permissions) and S (Sessions); User assignment links U and R, Permission assignment links R and P; Constraints are added.]
RBAC3
[Figure: U (Users), R (Roles), P (Permissions) and S (Sessions); User assignment links U and R, Permission assignment links R and P; Constraints are included.]
Next Class
Information Warfare