IAAA (Identification and Authentication, Authorization and Accountability)
Summary
This document covers the fundamentals of security. It describes the types of authentication, passwords, and related cybersecurity concepts, which makes it useful to people studying information security. It may be lecture notes.
Full Transcript
IDENTIFICATION
- Your name, username, ID number, employee number, SSS etc.
- “I am Anthony”

AUTHENTICATION
“Prove you are Anthony”. – Should always be done with multi-factor authentication!
* Something you know - Type 1 Authentication (passwords, pass phrase, PIN, etc.).
* Something you have - Type 2 Authentication (ID, passport, smart card, token, cookie on PC, etc.).
* Something you are - Type 3 Authentication (and Biometrics) (Fingerprint, iris scan, facial geometry, etc.).

Something you know - Type 1 Authentication:
Passwords, pass phrase, PIN etc., also called Knowledge factors.
⬧ The subject uses these to authenticate their identity; if they know the secret, they must be who they say they are.
⬧ This is the most commonly used form of authentication, and a password is the most common knowledge factor.
⬧ The user is required to prove knowledge of a secret in order to authenticate.
⬧ It is the weakest form of authentication and can easily be compromised.
⬧ Secret questions like "Where were you born?" are poor examples of a knowledge factor; the answer is known by a lot of people and can often be researched easily.
▫ Sarah Palin had her email account hacked during the 2008 US Presidential campaign using her secret questions. Since she used basic ones (high school and birthday, …), the hacker could easily find that information online; he reset her password with it and gained full control of her email account.
⬧ Passwords:
▫ It is always easier to guess or steal passwords than it is to break the encryption.
▫ We have password policies to ensure they are as secure as possible.
→ They should require a minimum length, upper/lower case letters, numbers, and symbols; they should not contain full words or other easy to guess phrases.
→ They have an expiration date, password reuse policy and minimum use before users can change it again.
→ Common and less secure passwords often contain: the name of a pet, child, family member, significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word "password". Winter2024 is not a good password, even if it does fulfil the password requirements.

Key Stretching – Adding 1-2 seconds to password verification.
▫ If an attacker is brute forcing a password and needs millions of tries it will become an unfeasible attack.
▫ Brute Force Attacks (Limit number of wrong logins):
▫ Uses the entire key space (every possible key); with enough time any cipher text can be decrypted.
▫ Effective against all key based ciphers except the one-time pad; it would eventually decrypt it, but it would also generate so many false positives the data would be useless.

Clipping Levels: Clipping levels are in place to prevent administrative overhead.
→ It allows authorized users who forget or mistype their password to still have a couple of extra tries.
→ It prevents password guessing by locking the user account for a certain timeframe (an hour), or until unlocked by an administrator.

Password Management:
▫ We covered some password requirements; here are the official recommendations by the U.S. Department of Defense and Microsoft.
→ Password history = set to remember 24 passwords.
→ Maximum password age = 90 days.
→ Minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again).
→ Minimum password length = 14 characters.
→ Passwords must meet complexity requirements = true.
→ Store password using reversible encryption = false.

Something you have: Type 2 Authentication
⬧ ID, passport, smart card, token, cookie on PC; these are called Possession factors.
▫ The subject uses these to authenticate their identity; if they have the item, they must be who they say they are.
▫ Simple forms can be credit cards: you have the card, and you know the PIN; that is multifactor authentication.
▫ Most also assume a shared trust: you have your passport, it looks like you on the picture, we trust the issuer, so we assume the passport is real.
⬧ Single-Use Passwords:
▫ Having passwords which are only valid once makes many potential attacks ineffective, just like one-time pads.
▫ While they are passwords, it is something you have in your possession, not something you know.
▫ Some are one-time pads with a challenge-response, or just a PIN or phrase sent to your phone or email that you need to enter to confirm the transaction or the login.
▫ Most users find single-use passwords extremely inconvenient.
⬧ They are widely implemented in online banking, where they are known as TANs (Transaction Authentication Numbers).
▫ Most private users only do a few transactions each week; the single-use passwords have not led to customers refusing to use it.
→ It is their money; they actually care about keeping those safe.
⬧ Smart Cards and Tokens (contact or contactless):
▫ They contain a computer circuit using an ICC (Integrated Circuit Chip).
▫ Contact Cards - Inserted into a machine to be read.
→ This can be credit cards you insert into the chip reader or the DOD CAC (Common Access Card).
▫ Contactless Cards - can be read by proximity.
→ Key fobs (mostly used in automobiles) or credit cards where you just hold it close to a reader.
→ They use an RFID (Radio Frequency Identification) tag (transponder) which is then read by an RFID Transceiver.

Magnetic Stripe Cards:
→ Swiped through a reader, no circuit.
- A magnetic stripe card is generally used in transportation tickets, identity cards, and credit cards.
→ Very easy to duplicate.

Tokens:
▫ HOTP and TOTP can be either hardware or software based.
▫ Cellphone software applications are more common now.
→ HOTP (HMAC-based One-Time Password): Shared secret and incremental counter, generate code when asked, valid till used.
→ TOTP (Time-based One-Time Password): Time based with shared secret, often generated every 30 or 60 seconds; synchronized clocks are critical.

Something you are - Type 3 Authentication (Biometrics)
⬧ Fingerprint, iris scan, facial geometry etc.; these are also called realistic authentication.
▫ The subject uses these to authenticate their identity; if they are that, they must be who they say they are.
▫ Something that is unique to you; this one comes with more issues than the two other common authentication factors.
▫ We can allow unauthorized people into our facilities or systems if we accept someone by mistake. (False Accept)
▫ We can prevent our authorized people from entering our facilities if we refuse them by mistake. (False Reject)

Errors for Biometric Authentication:
⬧ FRR (False rejection rate) Type 1 error:
▫ Authorized users are rejected.
▫ This can happen when settings are too high (99% accuracy on biometrics).
⬧ FAR (False accept rate) Type 2 error:
▫ Unauthorized user is granted access.
▫ This is a very serious error.
⬧ We want a good mix of FRR and FAR; where they meet on the graph is the CER (Crossover Error Rate), and this is where we want to be.
▪ Biometric identifiers are often categorized as physiological and behavioral characteristics.
⬧ Physiological Characteristics use the shape of the body; these do not change unless a drastic event occurs.
▫ Fingerprint, palm veins, facial recognition, DNA, palm print, hand geometry, iris recognition, retina, and odor.
⬧ Behavioral Characteristics use the pattern of behavior of a person; these can change, but most often revert back to the baseline.
▫ Typing rhythm, how you walk, signature and voice.
▪ Issues with Biometric Authentication:
⬧ We also need to respect and protect our employees’ privacy:
▫ Some fingerprint patterns are related to chromosomal diseases.
▫ Iris patterns could reveal genetic sex; retina scans can show if a person is pregnant or diabetic.
⬧ Hand vein patterns could reveal vascular diseases.
⬧ Most behavioral biometrics could reveal neurological diseases, etc.
⬧ While passwords and smart cards should be safe because you keep them secret and secure, biometrics are inherently not secret and are something others can easily find out.
⬧ Attackers can take pictures of your face, your fingerprints, your hands, your ears and print good enough copies to get past a biometric scan.
▫ The US Office of Personnel Management got hacked and lost 5.6 million federal employees’ fingerprints.
⬧ It is possible to copy fingerprints from your high-resolution social media posts if you do a peace sign.
⬧ How you type, sign your name and your voice pattern can be recorded; it is also not too difficult to cheat biometrics if it is worth the effort.
⬧ Some types are still inherently more secure, but they are often also more invasive.
⬧ Lost passwords and ID cards can be replaced with new different ones; biometrics can’t.
⬧ This should make us question even more the mass collection of biometric data.
▫ When Home Depot loses 10 million credit card numbers it is bad, but they can be reissued.
▫ The FBI has a database with 52 million facial images, and Homeland Security and U.S. Customs and Border Patrol are working on adding the iris scans and 170 million foreigner fingerprints to the FBI’s database.
▫ The compromises of the future will have much more wide-reaching ramifications than the ones we have seen until now.

AUTHORIZATION
▪ What are you allowed to access?
▪ We use Access Control models. What and how we implement depends on the organization and what our security goals are.
▪ More on this later when we cover DAC, MAC, RBAC, ABAC, and RUBAC.
▪ Least Privilege and Need to Know.
Least Privilege – (Minimum necessary access) Give users/systems exactly the access they need, no more, no less.
Need to Know – Even if you have access, if you do not need to know, then you should not access the data.

▪ DAC (Discretionary Access Control) - Often used when Availability is most important:
⬧ Access to an object is assigned at the discretion of the object owner.
⬧ The owner can add and remove rights; commonly used by most OSs.
- The most common example is the file and folder permissions that exist in Windows and Unix-based operating systems.
⬧ Uses DACLs (Discretionary ACLs), based on user identity.

▪ MAC (Mandatory Access Control) - Often used when Confidentiality is most important:
Access to an object is determined by labels and clearance; this is often used in the military or in organizations where confidentiality is very important.
⬧ Labels: Objects have Labels assigned to them; the subject's clearance must dominate the object's label.
▫ The label is used to allow Subjects with the right clearance to access them.
▫ Labels are often more granular than just “Top Secret”; they can be “Top Secret – Nuclear”.
⬧ Clearance: Subjects have Clearance assigned to them.
▫ Based on a formal decision on a subject's current and future trustworthiness.
▫ The higher the clearance, the more in depth the background checks should be.

▪ RBAC (Role-Based Access Control) - Often used when Integrity is most important:
⬧ Policy neutral access control mechanism defined around roles and privileges.
⬧ A role is assigned permissions, and subjects in that role are added to the group; if they move to another position they are moved to the permissions group for that position.
⬧ It makes administration of 1,000's of users and 10,000's of permissions much easier to manage.
⬧ The most commonly used form of access control.
⬧ If implemented right, it can also enforce separation of duties and prevent authorization/privilege creep.
▫ We move employees transferring within the organization from one role to another and we do not just add the new role to the old one.

▪ ABAC (Attribute-Based Access Control):
⬧ Access to objects is granted based on subjects, objects, AND environmental conditions.
⬧ Attributes could be:
▫ Subject (user) – Name, role, ID, clearance, etc.
▫ Object (resource) – Name, owner, and date of creation.
▫ Environment – Location and/or time of access, and threat levels.
Ex: A doctor may have access to a patient's medical records only during their shift and only if they are in the hospital premises.
⬧ Can also be referred to as policy-based access control (PBAC) or claims-based access control (CBAC).

▪ Context-Based Access Control:
⬧ Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.
⬧ Providing the username and password combination followed by a challenge and response mechanism such as CAPTCHA, filtering the access based on MAC addresses on wireless, or a firewall filtering the data based on packet analysis are all examples of context-dependent access control mechanisms.

▪ Content-Based Access Control:
⬧ When access is provided based on the attributes or content of an object, it is known as content-dependent access control.
⬧ In this type of control, the value and attributes of the content that is being accessed determine the control requirements.
⬧ Hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent.

ACCOUNTABILITY
Also known as Auditing
▪ Traces an Action to a Subject's Identity:
⬧ Proves who performed a given action; it provides non-repudiation.
⬧ Group or shared accounts are never OK; they have zero accountability.
⬧ Uses audit trails and logs to associate a subject with its actions.
▪ Non-repudiation. A user cannot deny having performed a certain action. This uses both Authentication and Integrity.
▪ Subject and Object.
Subject – (Active) Most often users but can also be programs – Subject manipulates Object.
Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
Some can be both at different times: an active program is a subject; when closed, the data in the program can be an object.
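
For the Key Stretching and Clipping Levels notes above, this added Python example (not part of the original notes) combines both in one login check. PBKDF2-HMAC-SHA256, the iteration count and the three-try clipping level are assumptions chosen for illustration; the one-hour lockout and the administrator unlock are the behaviour the notes describe.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000      # assumption: raise until one check costs the delay you want
CLIPPING_LEVEL = 3        # assumption: wrong tries tolerated before the account locks
LOCKOUT_SECONDS = 3600    # "a certain timeframe (an hour)" from the notes

def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key stretching: every guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class Account:
    def __init__(self, password: str, iterations: int = ITERATIONS):
        self.salt = os.urandom(16)            # per-account random salt
        self.iterations = iterations
        self.digest = stretch(password, self.salt, iterations)
        self.failures = 0
        self.locked_until = 0.0

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'; `now` is a Unix timestamp."""
        if now < self.locked_until:
            return "locked"                   # even the right password waits out the lock
        candidate = stretch(password, self.salt, self.iterations)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= CLIPPING_LEVEL:   # clipping level reached: lock the account
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "denied"

    def unlock(self) -> None:
        """Administrator unlock, the alternative to waiting out the timer."""
        self.locked_until = 0.0
        self.failures = 0
```

With a lockout in place an online guesser gets only a handful of tries per hour, while the stretching cost applies to offline guessing against a stolen digest.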
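
For the HOTP and TOTP notes in the Tokens section above, this added example (not from the original notes) implements both following RFC 4226 and RFC 6238, and shows the server side of "valid till used" and of clock drift. The `look_ahead` and `drift_steps` window sizes are assumptions; the secret is the published RFC test secret.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # published RFC 4226 / RFC 6238 test secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: float,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps to tolerate clock skew."""
    now = int(unix_time) // step
    window = [c for c in range(now - drift_steps, now + drift_steps + 1) if c >= 0]
    return any(hmac.compare_digest(hotp(secret, c), code) for c in window)

class HotpVerifier:
    """Server side of HOTP: a code stays valid until used, then the counter moves on."""
    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 3):
        self.secret = secret
        self.counter = counter
        self.look_ahead = look_ahead   # tolerates codes generated but never submitted

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # used and skipped codes can never be replayed
                return True
        return False
```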
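
For the FRR, FAR and CER notes in the biometrics section above, this added example (not from the original notes) computes both error rates at a given match threshold and sweeps thresholds to find the crossover. The match scores are constructed sample data on an assumed 0-100 scale where a higher score means a closer match.

```python
# Constructed sample data: match scores from enrolled users and from impostors.
GENUINE = [91, 85, 78, 88, 62, 95, 70, 83, 55, 90]
IMPOSTOR = [20, 35, 48, 66, 30, 58, 15, 41, 72, 25]

def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a sample is accepted if score >= threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)      # Type 1: authorized rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)   # Type 2: unauthorized accepted
    return far, frr

def crossover(genuine, impostor):
    """Sweep every observed score as a threshold; return the point where FAR and FRR meet.

    Returns (threshold, far, frr) for the threshold with the smallest |FAR - FRR|.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]

def sweep_table(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR) showing the trade-off as the setting tightens."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]

if __name__ == "__main__":
    for t, far, frr in sweep_table(GENUINE, IMPOSTOR, [15, 55, 66, 72, 95]):
        print(f"threshold={t:3d}  FAR={far:.1f}  FRR={frr:.1f}")
    print("CER point:", crossover(GENUINE, IMPOSTOR))
```

Tightening the threshold past the crossover drives FAR toward zero at the cost of rejecting more authorized users, which is the "too high settings" case in the notes.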
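
For the ABAC notes above, this added example (not from the original notes) evaluates the doctor rule from subject, object and environment attributes, denies by default, and returns the failed conditions so the decision can be written to an audit trail. The attribute names, location names and the overnight shift are assumptions made for illustration.

```python
from datetime import time

# Assumption: location names that count as "in the hospital premises".
HOSPITAL_LOCATIONS = {"ward-a", "ward-b", "emergency-room"}

def in_shift(now: time, start: time, end: time) -> bool:
    """True if `now` falls inside the shift, including shifts that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(subject: dict, obj: dict, env: dict) -> dict:
    """Permit only if every attribute condition holds; report which ones failed."""
    checks = {
        "role": subject.get("role") == "doctor",                       # subject attribute
        "object": obj.get("type") == "medical_record",                 # object attribute
        "shift": in_shift(env["time"], subject["shift_start"], subject["shift_end"]),
        "location": env.get("location") in HOSPITAL_LOCATIONS,         # environment
        "threat": env.get("threat_level", "high") != "high",           # missing => deny
    }
    failed = [name for name, ok in checks.items() if not ok]
    return {"permit": not failed, "failed": failed}

# Constructed sample attributes.
DOCTOR = {"name": "dr-example", "role": "doctor",
          "shift_start": time(22, 0), "shift_end": time(6, 0)}
RECORD = {"type": "medical_record", "owner": "patient-0001"}

if __name__ == "__main__":
    on_ward = {"time": time(2, 30), "location": "ward-a", "threat_level": "low"}
    from_home = {"time": time(2, 30), "location": "home-vpn", "threat_level": "low"}
    print(decide(DOCTOR, RECORD, on_ward))     # permitted: on shift, on premises
    print(decide(DOCTOR, RECORD, from_home))   # denied: location
```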