Chapter 4_Access Control, Authentication, Authorization and Non-Repudiation .pdf

Full Transcript

CYBERSECURITY FUNDAMENTALS
CYB281

Chapter 4
Access Control, Authentication,
Authorization and Non-Repudiation

9/17/2024 1
 Chapter Objectives
Define access control and list the four access control models
Describe logical access control methods
Explain the different types of physical access control
Define the concept of authentication, authorization and
nonrepudiation Services.

2
 Chapter Contents

Overview of access control
Authentication, Authorization and Nonrepudiation
Identification and authentication techniques
Access control techniques
Access control methodologies, implementations and
administration

3
 Access Control
Access control is the collection of
mechanisms that permits managers of a
system to exercise a directing or restraining
influence over the behavior, use, and
content of a system. It permits management
to specify what users can do, which
resources they can access, and what
operations they can perform on a system.

4
Access Control (Cont.)

Figure 9-1 Access control process and terminology
© Cengage Learning 2012 5
 Access Control: Overview
Access Controls: The security features that control
how users and systems communicate and interact
with one another.
Access: The flow of information between subject
and object
Subject: An active entity that requests access to an
object or the data in an object
Object: A passive entity that contains information
 Security Principle
CIA Trade

6
 Identification, Authentication, and Authorization

Identification, Authentication, and Authorization are
distinct functions.
Identification
Method of establishing the subject’s (user, program,
process) identity.
Authentication
Method of proving the identity.
Authorization
Determines that the proven identity has some set of
characteristics associated with it that gives it the right to
access the requested resources.

7
 Identification
Identification
Method of establishing the subject’s (user, program,
process) identity.
Use of user name or other public information.
Know identification component requirements.
When issuing identification values to users, the following
should be in place:
Each value should be unique, for user accountability;
A standard naming scheme should be followed;
The value should be non-descriptive of the user’s
position or tasks.

8
 Authentication
Authentication
Method of proving the identity.
Something a person is, has, or does.
Use of biometrics, passwords, passphrase, token, or
other private information.

Strong Authentication is important
To be properly authenticated, the subject is usually required
to provide a second piece to the credential set (i.e., password,
passphrase, key, PIN, token etc).

9
 Authentication Methods
There are 3 primary authentication methods. Sensitive or
critical information should be protected by employing at least
two of them (two-or three-factor authentication).

Knowledge -Something you know, such as a password,
passphrase or PIN.

Ownership -For example, tokens and Smart cards.

Characteristics -Biometrics are digitized representations of
physical features (such as fingerprints) or physical actions
(such as signatures).

10
 Authentication
Biometrics
Verifies an identity by analyzing a unique
person attribute or behavior (e.g., what a
person “is”).
Most expensive way to prove identity, also
has difficulties with user acceptance.
Many different types of biometric systems,
know the most common.

11
 Authentication (Cont.)
Biometric systems can be hard to compare.
Type I Error: False rejection rate.
When a biometric system rejects an
authorized individual
Type II Error: False acceptance rate.
When a biometric system accepts an
individual who should have been
rejected
This is an important error to avoid.
Crossover Error Rate
Rating stated as a percentage and
represents the point at which the false
rejection rate equals the false
acceptance rate.
12
 Authentication (Cont.)
Passwords
User name + password most common identification,
authentication scheme.
Weak security mechanism, must implement strong
password protections

Techniques to attack passwords
Electronic monitoring
Access the password file
Brute Force Attacks
Dictionary Attacks
Social Engineering
13
 Authentication (Cont.)
One Time Passwords (aka Dynamic Passwords)
Used for authentication purposes and are only good
once.
This type of system is not vulnerable to electronic
eavesdropping, sniffing, or password guessing.
Two types of Token Devices (aka Password Generator)
Synchronous
Time Based
Counter Synchronization
Asynchronous

14
 Authentication (Cont.)
Smart Cards and Memory Cards
Memory Cards: Holds but cannot process information.
Smart Cards: Holds and can process information. Has a
microprocessor and integrated circuits incorporated into
the card itself.
Contact
Contactless
Significant benefit of smart cards is that the authentication
process occurs at the reader, thereby avoiding the trusted-
path (protecting logon information between the user and
the authentication server) problem.

15
 Authorization
Authorization
Determines that the proven identity has some set of
characteristics associated with it that gives it the right to
access the requested resources.
Granting access rights to subjects should be based on the
level of trust a company has in a subject and the subject’s
need to know.
Is a core component of every operating system and
established whether a user is authorized to access a
particular resource and what actions he is permitted to
perform on the resource

16
 Authorization (Cont.)
Access Criteria can be thought of as:
Roles
Is an efficient way to assign rights to a type of user who performs a
certain task. (job assignment or function).
Groups
When several users require same type of access to information and
resources
Location
To restrict unauthorized individuals from being able to get in and
reconfigure the server remotely.
Time
Restrict the times that certain actions or services can be accessed.
Transaction Types
Can be used to control what data is accessed during certain types
of functions and what commands can be carried out on the data.

17
 Authorization (Cont.)
Authorization concepts to keep in mind:
Authorization Creep
When new access rights and permissions assigned to
employee without the old permissions being reviewed and
removed.
Default to Zero
All access controls should be based on the concept of
starting with zero access and then building on top of that.
Need to Know Principle
individuals should be given access only to the information
that they absolutely require in order to complete their job
duties.
Access Control Lists
A list of subjects that are authorized to access a particular
object.
18
 Authorization (Cont.)
Problems in controlling access to assets:
Different levels of users with different levels of
access
Resources may be classified differently
Diverse identity of data
Corporate environments keep changing
Solutions that enterprise wide and single sign on solutions
supply:
User provisioning
Password synchronization and reset
Centralized auditing and reporting
Integrated workflow (increase in productivity)
Regulatory compliance
19
 Authorization (Cont.)
Single Sign On (SSO) Capabilities
Allow user credentials to be entered one
time and the user is then able to access
all resources in primary and secondary
network domains
SSO technologies include:
Kerberos
Sesame
Security Domains
Directory Services
Dumb Terminals

20
 SSO Process
SSOs enable users to logon to the authentication server and still
obtain access to all additional authorized networked systems
without additional identification and authentication.
SSO is also referred to as reduced sign-on, and is used in web-
based environments in federated ID management systems.

Figure 1: SSO Process
21
 SSO Technologies (Cont.)
Legacy Single Sign-On (SSO)
Although many legacy systems do not support an external means to identify and authenticate
their users, it is possible to store user credentials centrally, and automatically enter them where
and when needed.
The SSO system stores every user’s password to every system. This causes concern with respect to
availability: if the SSO system fails, denial of service results.
If the SSO is compromised, controls over access to all systems may be lost.
Kerberos
An SSO open-standards protocol for authentication in a single security domain.
Kerberos is an authentication protocol that uses symmetric key encryption in three key pairs: two
authentication pairs are shared by the authenticator and a single principal and one session pair is
shared between principals.
The session-key pair is distributed in such a way that principals are required to trust the
authenticator rather than each other.
SESAME
The Secure European System for Applications in a Multi-Vendor Environment (SESAME) is a
protocol developed by the European Union that addresses multiple or disparate security
domains. 22
 Pros and Cons of SSO Technologies
Pros :
Efficient log-on process -The user logs on only once to access all
authorized systems.
Encourages users to create stronger passwords -With only one
password to remember and control, users may be inclined to use
passwords that are harder and more difficult to crack. Fewer
passwords to manage should also result in fewer being written down
in unsafe locations.
Centralized administration -Ensures consistent application of policy
and procedures.
Cons :
Single point of compromise -A single compromised sign-in allows
the intruder into all of the account owner‟s authorized resources.
Legacy Interoperability-It may be difficult to include unique
computers or legacy systems in the single sign on network.
Implementation difficulties-Unusual types of systems may not
interface well with SSO software.

23
 Access Control Models
Three Main Types
Discretionary (Unrestricted)
Mandatory
Non-Discretionary (Role Based)

Discretionary Access Control (DAC)
A system that uses discretionary access control allows the
owner of the resource to specify which subjects can access
which resources.
Access control is at the discretion of the owner.

24
 Access Control Models (cont.)
Mandatory Access Control (MAC)
Access control is based on a security labeling system. Users
have security clearances and resources have security labels that
contain data classifications.
This model is used in environments where information
classification and confidentiality is very important (e.g., the
military).

Non-Discretionary (Role Based) Access Control Models
Role Based Access Control (RBAC) uses a centrally administered
set of controls to determine how subjects and objects interact.
Is the best system for an organization that has high turnover.

25
 Access Control Techniques

There are several different access controls and technologies
available to support the different models.

Rule Based Access Control
Constrained User Interfaces
Access Control Matrix
Content Dependent Access Control
Context Dependent Access Control

26
 Access Control Techniques (Cont.)
Rule Based Access Control

Uses specific rules that indicate what can and cannot
happen between a subject and an object.
Not necessarily identity based.
Traditionally, rule based access control has been used in
MAC systems as an enforcement mechanism.

27
 Access Control Techniques (Cont.)
Constrained User Interfaces
Restrict user’s access abilities by not allowing them certain
types of access, or the ability to request certain functions or
information
Three major types
Menus and Shells
Database Views
Physically Constrained Interfaces

28
 Access Control Techniques (Cont.)
Access Control Matrix
Is a table of subjects and objects indicating what actions
individual subjects can take upon individual objects.
Two types
Capability Table (bound to a subject)
Access Control List (bound to an object)

29
 Access Control Matrix

Object-Oriented Capability Table:
Is a collection of access control lists
implemented by comparing the
column of objects to the rows of
subjects.

Subject-Oriented Capability Table:
Is a collection of access control lists
implemented by comparing the
column of users or subjects to their
rights of access to protected objects.

30
 Access Control Techniques (Cont.)
Content Dependent Access Control
Access to an object is determined by the content within
the object.
Context Based Access Control
Makes access decision based on the context of a collection
of information rather than content within an object.
First an organization must choose the access control model (DAC,
MAC, RBAC).
Then the organization must select and implement different access
control technologies.
Access Control Administration comes in two basic forms:
Centralized
Decentralized
31
 Access Control Administration
Centralized Access Control Administration:
One entity is responsible for overseeing access to all
corporate resources.
Provides a consistent and uniform method of controlling
access rights.
Protocols: Agreed upon ways of communication
Attribute Value Pairs: Defined fields that accept certain
values.
Types of Centralized Access Control
Radius
TACAS
Diameter

32
 RADIUS
Remote Authentication Dial In User Service.
Is a client/server authentication protocol and authenticates
and authorizes remote users.
Most ISPs uses Radius to authenticate customers before they
are allowed to access the Internet.
Radius is an open protocol and can be used in different types
of implementations.
Uses UDP as a transport protocol
Only encrypts the user’s password as it is being transmitted
from Radius client to the radius server.
Is appropriate protocol when simplistic username/password
authentication can take place and users only need an “accept”
or “deny” for obtaining access.
33
 TACACS
Terminal Access Controller Access Control System.

Uses TCP as a transport protocol.

Encrypts all user data and does not have the vulnerabilities
that are inherent in the radius protocol.

Presents true AAA (Authentication, authorization, and
accounting) architecture.

34
 Diameter
Protocol that has been developed to build upon the
functionality of radius and overcome many of its limitations.
It is an IETF standard defined in (RFC 3588)
The various applications that require AAA functions can define
their own extensions on top of the Diameter base protocol, and
can benefit from the general capabilities provided by the
Diameter base protocol.

Figure 2: Diameter Protocol
35
Decentralized Access Control Administration

Decentralized Access Control Administration:

Gives control of access to the people who are closer to the
resources
Has no methods for consistent control, lacks proper
consistency.

36
 Access Control Practices
Know the access control tasks that need to be accomplished
regularly to ensure satisfactory security. Best practices
include:
Deny access to anonymous accounts
Enforce strict access criteria
Suspend inactive accounts
Replace default passwords
Enforce password rotation
Audit and review
Protect audit logs

37
 Access Control Practices (Cont.)
Unauthorized Disclosure of Information
Object Reuse
Data Hiding
Emanation Security
Tempest
Project started by the Department of Defense (DoD) and
then turned into a standard that outlines how to develop
countermeasures that control spurious electrical signals
that are emitted by electronic equipment.
White Noise
A uniform spectrum of random electrical signals.
Control Zone
Creates a security perimeter and is constructed to protect
against unauthorized access to data or compromise of
sensitive information.
38
 Access Control Monitoring
Intrusion Detection
Three Common Components
Sensors
Analyzers
Administrator Interfaces
Common Types
Intrusion Detection
Intrusion Prevention
Honeypots
Network Sniffers

39
 Access Control Monitoring (Cont.)

Two Main Types of Intrusion Detection Systems
Network Based (NIDS)
Host Based (HIDS)
HIDS and NIDS can be:
Signature Based
Statistical Anomaly Based
Protocol Anomaly Based
Traffic Anomaly Based
Rule Based

40
 Access Control Monitoring (Cont.)
Intrusion Prevention Systems
Is a preventative and proactive technology, IDS is a
detective technology.
Two types: Network Based (NIPS) and Host Based (HIPS)

Honeypots
An attractive offering that hopes to lure attackers away from
critical systems
Network sniffers
A general term for programs or devices that are able to
examine traffic on a LAN segment.

41
 Non-Repudiation
A Non-Repudiation service provides assurance of the origin
or delivery of data in order to protect the sender against false
denial by the recipient that the data has been received, or to
protect the recipient against false denial by the sender that the
data has been sent. Thus, a non-repudiation service provides
evidence to prevent a person from unilaterally modifying or
terminating legal obligations arising out of a transaction
effected by computer-based means.

42
 Non-Repudiation (Cont.)
Types of non-repudiation:
Non-repudiation of origin
Non-repudiation of submission
Non-repudiation of delivery

43
 Non-repudiation of origin

Originator’s Digital Signature with Certificate
Message
Digital Signature: Hash of Message encrypted with private
key of originator.
Certificate of Digital Signature: Certificate by trusted party
containing public key of originator.
Key-Revocation Possibility:
Time of key revocation is crucial, message needs to contain
a time stamp.
Stored at recipient.

44
 Non-repudiation of submission

Messages are handled by a delivery system
Not under control of sender
Reasonably efficient in sending messages
Delivery system can send receipt to sender.

45
 Non-repudiation of delivery

Recipient Acknowledgment with Signature
Recipient signs digest of received message and sends it
back to the sender.
“Reluctant recipient problem”

46
 Non-repudiation of delivery (Cont.)

Trusted Delivery Agent
Akin to process server
Police officer, deputy delivering summons or subpoena.
Delivery agent is trusted when attesting to handing
message to recipient
Delivery agent signs digest of message and returns it to
sender after handing it to the receiver.

47
 Non-repudiation of delivery (Cont.)

Progressive Delivery Reports
Mail transfer protocol hands messages from one mail
server to the next.
Possible to send reports from each mail server.

E-mail header has a record of those hand-offs
Unfortunately, these might be faked, too.

48