Full Transcript

Authentication from the Lens of ISM

Entity authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity.

Types of authentication:
- User
- Message
- Device / server
- Humanness
- Physical object

Authentication vs Identification

Authentication:
- An entity makes an explicit claim.
- A verifier checks whether the claim is legitimate.
- An identity is used to facilitate the authentication process, so identities must be properly managed.
- The claimant needs to provide proof to allow the authentication check.

Identification:
- Nobody makes a claim explicitly.
- An entity with an unknown identity is present.
- An identifier (the identifying party) tries to uncover the identity of the entity present.

User authentication: the claimant is usually a human user and the verifier is usually a computer. The user authentication process must be managed properly (verifiers, configurations, etc.).

User authentication factors:

1. Knowledge-based: "What you know" (e.g., passwords).

2. Possession-based: "What you possess / have" (e.g., hardware security tokens and smart cards).
Advantages: cheap and simple to deploy; widely used and well tested; easy to use for non-expert users; multipurpose.
Disadvantages:
- Usability issues: you have to carry it with you every time, and users need training.
- Loss and theft: a lost or stolen token is typically protected only by a PIN (what you know).
- Insecure implementations: security vulnerabilities in hardware tokens, cloning attacks, side-channel attacks.

3. Inherence-based: "Who you are" (including "How you behave") = biometrics: fingerprint, handwriting, signature, speech, DNA, ...
Enrolment: capturing biometric features and adding them to the database as a template.
Verification/Identification: matching a live input template against one or all enrolled templates. Two modes:
- Verification (authentication), 1:1 matching: checking whether a live template matches the enrolled template corresponding to a given ID.
- Identification, 1:N matching: checking whether a live template matches any of the enrolled templates in the database.
Disadvantages:
- Privacy
- Safety
- Limited security
- A biometric trait can be damaged (e.g., by injury) and cannot easily be replaced if compromised.
- Biometric spoofing
- No biometric system has a 0% error rate, and some people cannot use a given biometric at all, so "what you know" must be available as a backup.

4. Context-based: "Where you are" (location).

5. Multi-factor authentication (MFA): using two or more authentication factors together, e.g., SMS + an authenticator mobile application.

6. Password-based: A password is a secret textual string you enter to access protected information: PINs, textual passwords, graphical passwords.
Passwords are stored in: your brain, paper, a USB key, a device, a browser, a password manager.

How are passwords stored on the server side? A password could be stored as:
- the clear password;
- a hashed password;
- a hash with a random number (salt);
- a salted hash using a key-stretching method, H^n(password || salt), where n is large.
Hashing is used to avoid password leakage if the server is hacked. A salt is added on top of hashing to resist rainbow table attacks (a rainbow table is a precomputed table of possible passwords and their hash values). The salt is similar to a cryptographic nonce: a random number, but stored in clear at the server side.

Security vs usability dilemma: Stronger passwords are more secure but harder for humans to manage (less usable). Weaker passwords are easier to manage (more usable) but also easier to crack. Strong passwords for humans ≠ strong passwords for automated password crackers. Users tend to choose usability over security by using easy-to-manage passwords, and user behaviour has not changed much.

Possible solutions:

Password checkers: A password checker evaluates the strength of a given password and warns the user about its weaknesses. Proactive password checkers work at the client side while the user is entering a password. Reactive password checkers work at the server side after users have set their passwords (by scanning all passwords of all users).
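The storage options and the two kinds of password checker just described, as an added worked example that is not part of the lecture notes: the server keeps a per-user random salt and a key-stretched hash H^n(password || salt); an attacker's precomputed table works against the unsalted scheme but not the salted one; a reactive checker has to re-run the wordlist per user (paying n hashes per guess); and a proactive checker warns the user while typing. The wordlist, user records and warning rules are constructed here for illustration.

```python
"""Added example (not part of the lecture notes): server-side password storage
with a random salt and key stretching, H^n(password || salt), plus a reactive
and a proactive password checker. The wordlist and user records are constructed
for illustration; a deployment would use a real breached-password list."""
import hashlib
import hmac
import os


def stretched_hash(password: str, salt: bytes, n: int) -> str:
    """H^n(password || salt): hash the salted password once, then re-hash n-1 times.
    Each guess now costs an attacker n hash computations instead of one."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    for _ in range(n - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def store(password: str, n: int = 100_000) -> dict:
    """The record the server keeps: per-user random salt (in clear), n, and the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "n": n, "hash": stretched_hash(password, salt, n)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and n; compare in constant time."""
    candidate = stretched_hash(password, bytes.fromhex(record["salt"]), record["n"])
    return hmac.compare_digest(candidate, record["hash"])


# Constructed wordlist standing in for the attacker's (and the checker's) dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def precomputed_table(n: int) -> dict:
    """Attacker's table for an UNSALTED H^n(password) scheme: built once, reused for every user."""
    return {stretched_hash(word, b"", n): word for word in WORDLIST}


def crack_with_table(table: dict, stored_hash: str):
    """One dictionary lookup per user. Returns the password, or None if it is not in the table."""
    return table.get(stored_hash)


def reactive_check(record: dict):
    """Reactive (server-side) checker: the salt rules out a shared table, so every
    user costs n hashes per guess. Returns the weak password it found, or None."""
    salt = bytes.fromhex(record["salt"])
    for guess in WORDLIST:
        if hmac.compare_digest(stretched_hash(guess, salt, record["n"]), record["hash"]):
            return guess
    return None


def proactive_check(password: str) -> list:
    """Proactive (client-side) meter: the warnings shown while the user types."""
    warnings = []
    if len(password) < 12:
        warnings.append("shorter than 12 characters")
    # "Password1!" looks strong to a human but is a dictionary word plus a suffix,
    # which is exactly what a cracker's rule set tries first.
    base = password.lower()
    if base in WORDLIST or base.rstrip("0123456789!@#$") in WORDLIST:
        warnings.append("a common password with digits or symbols appended")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        warnings.append("uses fewer than 3 character classes")
    if len(set(password)) * 3 < len(password):
        warnings.append("mostly repeated characters")
    return warnings


if __name__ == "__main__":
    n = 2_000  # small for the demo; production iteration counts are far higher
    alice = store("hunter2", n)
    table = precomputed_table(n)
    print("verify correct password:", verify("hunter2", alice))
    print("table hit on unsalted hash:", crack_with_table(table, stretched_hash("hunter2", b"", n)))
    print("table hit on salted hash:", crack_with_table(table, alice["hash"]))
    print("reactive check finds:", reactive_check(alice))
    print("proactive warnings for 'Password1!':", proactive_check("Password1!"))
```

The iterated SHA-256 mirrors the notes' H^n(password || salt) formula; in production use a purpose-built password hash such as PBKDF2 (hashlib.pbkdf2_hmac in the standard library), bcrypt, scrypt or Argon2. Note what the salt does and does not do: it makes identical passwords hash differently and defeats precomputation, but a weak password is still found by a per-user dictionary run, which is why the reactive checker and the proactive meter are needed on top.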
Both proactive and reactive password checkers are based on one or more password meters that estimate the security strength of a given password.

Password managers: A password manager is a software/hardware tool that manages the credentials of a user's multiple accounts.
- Local password managers run on a local computer (which could be a smartphone) and store the data locally.
- Web-based password managers run from the Web or the cloud and store the data at a remote web site.
- Cloud-based password managers run on a local computer or from the Web and store the data remotely in a cloud.
Three layers are involved: password managers, users, and organisations.

Password guidance: NCSC guidance can be reinforced as policies.

Recovery authentication: what you know (and must remember) you can also forget, so a recovery system such as a password reset is needed. Possible methods: password reset by email, secret questions and answers, physical authentication, ...

Non-User Authentication from the Lens of ISM

Authenticating other entities, such as physical objects, information (transactions), servers, devices, software, and humanness (CAPTCHA).

Access Control

Access control is the protection of system resources against unauthorised access. We need to know who issues the request and what is requested, using authentication and authorisation.

Access control models:

DAC: Discretionary Access Control. The owner of an object defines the access control rules (often based on individual/group identities), at his/her own discretion.
A real-world example: Google Drive shared files / folders.

MAC: Mandatory Access Control. A central body sets mandatory access control rules regarding who can access what and under which conditions. The central body is an access control manager and an authoriser, which can be an organisation, a person or a software/hardware system.
A real-world example: the UK government's security classifications and vetting levels:
- Baseline Personnel Security Standard (BPSS): "... access to UK OFFICIAL assets and occasional access to UK SECRET assets."
- Security Check (SC): "... long-term, frequent and uncontrolled access to SECRET assets and/or occasional, supervised access to TOP SECRET assets"
- Enhanced SC (eSC): "... regular uncontrolled access up to SECRET assets and occasional, controlled access to TOP SECRET assets."
- Developed Vetting (DV): "... frequent and uncontrolled access to TOP SECRET assets or ... any access to TOP SECRET codeword material"

RBAC: Role-Based Access Control. Entities have (centrally defined) roles. Roles reflect the context of the application. Access control rules are mapped to roles.
A real-world example: the WordPress access control system.

ABAC: Attribute-Based Access Control. Entities have attributes. Access control rules are mapped to attributes.
- RBAC can be seen as a special case of ABAC: the role is an attribute!
A real-world example: UK law and regulations on alcohol control (age as the attribute; online shops selling alcohol have to consider these rules).

RAC: Risk-based Access Control.

Identity Management

Entity vs Identity: a many-to-many relationship.
- One entity can have multiple identities.
- One identity can be allocated/claimed/used by multiple entities.
Identity vs Identifier (ID)
- Identities are normally identified via a unique identifier to avoid ambiguity in the authentication process.
Real vs Virtual
- Example: a person's real name vs a person's pen name.
Physical vs Electronic
- Example: a person's real name vs a person's email address.

An identity management (IdM) system or an identity provider (IdP/IDP) is often used to manage (e.g., create, maintain, expire) identities, including their mappings to entities. Identity management is used for authentication, authorisation, access control and accountability.

Theoretical models:

Bell-LaPadula (BLP) model. MAC policies: 1) no read up: a user can only read objects at its own or a lower level; 2) no write down: a user may only write to objects at its own or a higher level. Its discretionary security property is enforced with a DAC-style access matrix over the objects. Designed with data confidentiality in mind.

Biba model: the dual of BLP. MAC policies: 1) no read down: a user can only read objects at its own or a higher level; 2) no write up: a user may only write to objects at its own or a lower level. Designed with data integrity in mind.
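The access control models above, as an added worked example that is not part of the lecture notes: a minimal policy decision point in which MAC is enforced as the Bell-LaPadula (no read up / no write down) and Biba (no read down / no write up) label rules, ABAC as predicates over subject and object attributes, and RBAC as an ABAC rule on a "role" attribute. Subjects, objects, the level ladder and the three rules are constructed for illustration; the role names follow WordPress and the age rule follows the UK alcohol example in the notes.

```python
"""Added example (not part of the lecture notes): a minimal policy decision point
for the access control models above. Subjects and objects are plain attribute
dicts, constructed for illustration. MAC is enforced as Bell-LaPadula and Biba
label checks, ABAC as predicates over attributes, and RBAC as an ABAC rule
whose attribute is "role"."""

# Confidentiality ladder using the UK classifications named in the notes.
LEVELS = {"OFFICIAL": 0, "SECRET": 1, "TOP SECRET": 2}


def blp_allows(subject: dict, obj: dict, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subject["clearance"]], LEVELS[obj["classification"]]
    if op == "read":
        return s >= o   # may read objects at own level or lower
    if op == "write":
        return s <= o   # may write objects at own level or higher
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: dict, obj: dict, op: str) -> bool:
    """Biba (integrity, the dual of BLP): no read down, no write up.
    Integrity levels are plain integers; higher means more trusted."""
    s, o = subject["integrity"], obj["integrity"]
    if op == "read":
        return s <= o   # may read objects at own level or higher
    if op == "write":
        return s >= o   # may write objects at own level or lower
    raise ValueError(f"unknown operation {op!r}")


# ABAC: each rule is (description, predicate over subject attrs, object attrs, operation).
# The first rule is RBAC expressed in ABAC: the role is just another attribute.
ABAC_RULES = [
    ("editors and administrators may write posts",
     lambda s, o, op: op == "write" and o.get("type") == "post"
     and s.get("role") in {"editor", "administrator"}),
    ("anyone may read a published post",
     lambda s, o, op: op == "read" and o.get("type") == "post"
     and o.get("status") == "published"),
    ("alcohol may be bought only by a subject aged 18 or over",
     lambda s, o, op: op == "buy" and o.get("type") == "alcohol"
     and s.get("age", 0) >= 18),
]


def abac_allows(subject: dict, obj: dict, op: str) -> bool:
    """Deny by default: the request is granted only if at least one rule matches."""
    return any(rule(subject, obj, op) for _, rule in ABAC_RULES)


def abac_reasons(subject: dict, obj: dict, op: str) -> list:
    """Descriptions of the rules that granted the request (empty when denied)."""
    return [desc for desc, rule in ABAC_RULES if rule(subject, obj, op)]


if __name__ == "__main__":
    analyst = {"clearance": "SECRET", "integrity": 2}
    public = {"classification": "OFFICIAL", "integrity": 1}
    codeword = {"classification": "TOP SECRET", "integrity": 3}
    print("BLP: SECRET reads OFFICIAL:", blp_allows(analyst, public, "read"))
    print("BLP: SECRET reads TOP SECRET:", blp_allows(analyst, codeword, "read"))
    print("BLP: SECRET writes OFFICIAL:", blp_allows(analyst, public, "write"))
    print("Biba: reads lower-integrity object:", biba_allows(analyst, public, "read"))
    editor, subscriber, teen = {"role": "editor"}, {"role": "subscriber"}, {"age": 17}
    draft, beer = {"type": "post", "status": "draft"}, {"type": "alcohol"}
    print("ABAC/RBAC: editor writes post:", abac_allows(editor, draft, "write"))
    print("ABAC/RBAC: subscriber writes post:", abac_allows(subscriber, draft, "write"))
    print("ABAC: 17-year-old buys alcohol:", abac_allows(teen, beer, "buy"))
```

Two design points worth noticing: both label checks refuse unknown operations instead of silently allowing them, and the ABAC evaluator is deny-by-default, so adding a subject attribute the rules do not mention (a new role, say) grants nothing until a rule is written for it.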