C H A P TER 4:

A C C ESS C O N TR O L

Access ControlO bjectives

IAAA
Authentication
Type 1
Type 2
Type 3

Authorization
SSO

Access Control Models

Administration
2

Access Controls
Access controls are security features
that control how people can interact
with systems, and resources.

Access ControlO bjectives

IAAA
Authentication
Type 1
Type 2
Type 3

Authorization
SSO

Access Control Models

Administration
4

Access
Access is the data flow between an
subject and an object.
Subject is a person, process or program
Object is a resource (file, printer etc)
Access controls should support the CIA

triad and regulate what a subject can do

with an object

Access Controls
Access controls are security features
that control how people can interact
with systems, and resources.
Logical
Physical
Administrative

IAAA ofAccess Control

The component of Access Control that we
are about to discuss are:
Identification:
Make a claim (userid etc)
Authentication:
Provide support (proof) for your claim
Authorization:
What rights and permissions you have
Auditing:
Accountabilitymatching actions to subjects
7

Identifi
cation
Public Information (usually we arent

concerned with protecting identities)

Identification must be unique for
accountability
Standard naming schemes should be
used
Identifier should not indicate extra
information about user (like job position)

User ID
Account Number
RFID
IP or MAC address

Authentication
Proving your identity
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are

Type 1:Som ething You Know

Passwords/Passphrases/Cognitive

Password
Best practices
No less than 8 characters
Change on a regular basis
Enforce password history
Consider brute force and dictionary

10

attacks
Ease of cracking cognitive passwords
Graphic Image
Enable clipping levels and respond

Type 2:Som ething you have

Token Devices
Smart Card
Memory Card
Hardware Key
Cryptographic Key
Certificate
Cookies

11

Token D evices:O ne Tim e Passw ord

G enerators
Password that is used only once then
no longer valid
One time password reduces vulnerability

12

associated with sniffing passwords.

Simple device to implement
Can be costly
Users can lose or damage
Two Types: Synchronous/Asynchronous

Synchronous Token D evices

Rely upon synchronizing with

authentication server.
Frequently time based, but
could be event based
If damaged, or battery fails,
must be re-synchronized
Authentication server knows
what password to expect
based on time or event.

13

Asynchronous Token D evices

Asynchronous/ Challenge Response

User logs in
Authentication returns a

14

challenge to the user

User types challenge string into
token device and presses enter.
Token devices returns a reply
Only that specific users token
device could respond with the
expected reply.
More Complex than synchronous
May provide better protection
against sniffing

M em ory Cards

15

M em ory Cards
NOT a smart card
Holds information, does NOT process
A memory card holds authentication

info, usually youll want to pair this

with a PIN WHY?
A credit card or ATM card is a type of
memory card, so is a key/swipe card
Usually insecure, easily copied.*
16

Sm art Card

17

Sm art Card (191)

Much more secure than memory cards
Can actually process information
Includes a microprocessor and ICs
Can provide two factor authentication, as

you the card can store authentication

protected by a pin. (so you need the card,
and you need to know something)
Two types
Contact

Contactless
18

Sm art Card Attacks

There are attacks against smart cards
1. Fault generation manipulate environmental
controls and measure errors in order to reverse
engineer logic
2. Side Channel Attacks Measure the cards while
they work
Differential power analysis measure power emissions
Electromagnetic analysis example frequencies emitted

3. Micro probing* - using needles to vibrations to

remove the outer protection on the cards circuits.
Then tap into ROMS if possible or die ROMS to
read data.
19

Type 3: Som ething You Are

Biometrics
Static: Should not significantly change

over time. Bound to a users

physiological traits
Fingerprint, hand geometry, iris, retina, etc
Dynamic: Based on behavioral traits
Voice, gait, signature, keyboard cadence,
etc
Even though these can be modified
temporarily, they are very difficult to
modify for any significant length of time.
20

Biom etric Concerns

Accuracy
Type I Error: False Rejection--A legitimate user is

21

barred from access. Is caused when a system

identifies too much information. This causes
excessive overhead.
Type II Error: False AcceptanceAn impostor is
allowed access. This is a security threat and comes
when a system doesnt evaluate enough information
As FRR goes down, FAR goes up and vice versa
The level at which the two meet is called CER
(Crossover Error Rate). The lower the number, the
more accurate the system
Iris Scans are the most accurate

Biom etric Concerns

User Acceptance
Many users feel biometrics are

intrusive
Retina scans can reveal health care

information

Time for enrollment and verification

can make users resistant

Cost/benefit analysis
No way to revoke biometrics
22

Biom etric Concerns

Cost
Biometric systems can be very costly

and require unwieldy technology

Though costs are coming down for
means like fingerprint recognition,
other technologies still remain
prohibitive

23

Strong Authentication
Strong Authentication is the combination
of 2 or more of these and is encouraged!
Strong Authentication provides a higher level

of assurance*
Strong Authentication is also called multifactor authentication*
Watch out! Most people want to choose
biometrics as the best authentication, but
any one source can be compromised. Always
look for more than one type!
Mutual Authentication is beneficial
24

Authorization
The concept of ensuring that someone
who is authenticated is allowed
access to a resource.
Authorization is a preventative control
Race conditions would try to cause

authorization happen before

authentication

25

Auditing
Logging and reviewing accesses to
objects.
What is the purpose of auditing?
Auditing is a detective control*

26

A U TH O R IZ ATIO N

Authorization
Now that I proved I am who I say I am,
what can I do?
Both OSes and Applications can provide

this functionality.
Authorization can be provided based on
user, groups, roles, rules, physical
location, time of day (temporal
isolation)* or transaction type (example
a teller may be able to withdrawal small
amounts, but require manager for large
withdrawals)
28

Authorization principals
Default NO access (implicit deny)* -

Unless a subject is explicitly given

access to an object, then they are
implicitly denied access.
Principle of Least Privelege
Need to know
Content-based

29

Authorization Creep
As a subject stays in an environment
over time, their permissions
accumulate even after they are no
longer needed.
Auditing authorization can help mitigate

this. SOX requires yearly auditing.

30

Single Sign O n
As environments get larger and more
complex it becomes harder and
harder to manage users accounts
securely.
Multiple users to create/disable
Passwords to remember, leads to

31

passwords security issues

Reduces user frustration as well as IT
frustration!
Wastes your IT budget trying to manage
disparate accounts.

Single Sign O n
Single sign on systems try to mitigate
this problem. Some SSO systems are.
Kerberos
LDAP
Sesame
KryptoKnight

32

SSO Single Sign-on Pros and Cons

Pros
Ease of use for end users
Centralized Control
Ease of administration

Cons
Single point of failure
Standards necessary
Keys to the kingdom
33

SSO technologies
Kerberos
SESAME
LDAP
Microsoft Active Directory*

34

Kerberos
A network authentication protocol

35

designed from MITs project Athena.

Kerberos tries to ensure authentication
security in an insecure environment
Used in Windows2000+ and some Unix
Allows for single sign on
Never transfers passwords
Uses Symmetric encryption to verify
Identifications
Avoids replay attacks

Kerberos Com ponents

Principals users or network services
KDC Key Distribution Center, stores secret

keys (passwords) for principals

Authenticating Service (AS)
Ticket Granting Service (TGS)

Tickets: provide access to specific network

services (ex. File sharing)

Realms a grouping of principals that a KDC
provides service for, looks like a domain
name
Example: somedepartment.mycompany.com
36

Welcome to
the
Kerberos
Carnival

37

Realm

Database
Server

Welcome to
the
Kerberos
Carnival
File Server

Realm

TGS

G
3. T

t
rin
P
to
nt
i
r

op

----

et
k
c
-- -4. Ti
-A-

R
T+

r
rve
e
S

tt
s
e
u
eq

---

--

et +
k
c
i
T
5.

bo
J
t
n
P ri

1. Username
2. TGT
38

Print
Server A

------

AS

----

----
---------

Kerberos Concerns
Computers must have clocks synchronized

39

within 5 minutes of each other

Tickets are stored on the workstation. If
the workstation is compromised your
identity can be forged.
If your KDC is hacked, security is lost
A single KDC is a single point of failure
and performance bottleneck
Still vulnerable to password guessing
attacks

SESAM E
European technology, developed to extend
Kerberos and improve on its weaknesses
Sesame uses both symmetric and asymmetric

cryptography.
Uses Privileged Attribute Certificates rather
than tickets, PACS are digitally signed and contain
the subjects identity, access capabilities for the
object, access time period and lifetime of the PAC.
PACS come from the Privileged Attribute Server.

40

KryptoKnight
Should only be known as an older

obsolete SSO Technology

41

A C C ESS C O N TR O L
M O D ELS

Access ControlM odels

A framework that dictates how subjects access
objects.
Uses access control technologies and security
mechanisms to enforce the rules
Supported by Access Control Technologies
Business goals and culture of the
organization will prescribe which model is
used
Every OS has a security kernel/reference
monitor (talk about in another chapter) that
enforces the access control model.
43

Access ControlM odels

The models we are about to discuss
are
From the TCSEC(Trusted Computer
System Evaluation CriteriaOrange
Book)
DAC (Discretionnary Access Control)
MAC (Mandatory Access Control)

Established Later
RBAC (Role based Access Control)
44

D AC
Discretionary Access Control
Security of an object is at the owners

discretion
Access is granted through an ACL
(Access Control List)
Commonly implemented in commercial
products and all client based systems
Identity Based

45

M AC
Mandatory Access Control*
Data owners cannot grant access!
OS makes the decision based on a
security label system
Subjects label must dominate the objects
label
Users and Data are given a clearance
level (confidential, secret, top secret etc)*
Rules for access are configured by the
security officer and enforced by the OS.
46

M AC
MAC is used where classification and
confidentiality is of utmost
importance military.
Generally you have to buy a specific
MAC system, DAC systems dont do
MAC
SELinux
Trusted Solaris (now called Solaris with

Trusted Extensions)
47

M AC sensitivity labels
All objects in a MAC system have a

security label*
Security labels can be defined the
organization.
They also have categories to support
need to know at a certain level.
Categories can be defined by the
organization
48

Role Based Access Control

49

Role Based Access Control

Also called non-discretionary.
Uses a set of controls to determine how

subjects and objects interact.

Dont give rights to users directly. Instead
create roles which are given rights. Assign
users to roles rather than providing users
directly with privileges.
Advantages:
This scales better than DAC methods
Fights authorization creep*
50

Role based Access control

When to use*
If you need centralized access
If you DONT need MAC ;)
If you have high turnover

51

Access Controltechnologies that support

access controlm odels

We will talk more in depth of each in the next

few slides.
Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependant Access Control
Context-Dependant Access Control
52

Rule Based Access Control

Uses specific rules that indicate what can and
cannot transpire between subject and object.
if x then y logic
Before a subject can access and object it
must meet a set of predefined rules.
ex. If a user has proper clearance, and its

between 9AM -5PM then allow access (Context

based access control)

However it does NOT have to deal

specifically with identity/authorization

Ex. May only accept email attachments 5M or less
53

Rules Based Access Control

Is considered a

54

compulsory
control because
the rules are
strictly enforced
and not
modifiable by
users.
Routers and
firewalls use Rule

Constrained U ser Interfaces

Restrict user access by not allowing them see
certain data or have certain functionality (see
slides)
Views only allow access to certain data (canned
interfaces)
Restricted shell like a real shell but only with
certain commands. (like Cisco's non-enable mode)
Menu similar but more gui
Physically constrained interface show only
certain keys on a keypad/touch screen. like an
ATM. (a modern type of menu) Difference is you
are physically constrained from accessing them.
55

View

56

Shell

57

Physically Constrained
Interface

58

Content D ependant Access Controls

Access is determined by the type of
data.
Example, email filters that look for

specific things like confidential, SSN,

images.
Web Proxy servers may be content
based.

59

Context D ependant Access Control

System reviews a Situation then
makes a decision on access.
A firewall is a great example of this, if

session is established, then allow traffic

to proceed.
In a web proxy, allow access to certain
body imagery if previous web sessions
are referencing medical data otherwise
deny access.

60

Review ofAccess ControlTechnology /

Techniques

Constrained User Interfaces

view, shell, menu, physical

Access Control Matrix

Capability Tables
ACL
Content Dependant Access Control
Context Dependant Access Control

61

A C C ESS C O N TR O L
A D M IN IS TR ATIO N

Centralized Access ControlAdm inistration

A centralized place for configuring and

managing access control
All the ones we will talk about (next) are
AAA protocols

63

Authentication
Authorization
Auditing

Centralized Access ControlTechnologies

We will talk about each of these in the

upcoming slides
Radius
TACACS, TACACS+
Diameter

64

RAD IU S
Remote Authentication Dial-in User Service (RADIUS) is an
authentication protocol that authenticates and authorizes
users
Handshaking protocol that allows the RADIUS server to
provide authentication and authorization information to
network server (RADIUS client)
Users usually dial in to an access server (RADIUS client)

65

that
communicates with the RADIUS server
RADIUS server usually contains a database of users and
credentials
Communication between the RADIUS client and server is
protected

Radius Pros/Cons
Radius Pros
Its been around, a lot of vendor support

Radius Cons
Radius can share symmetric key between NAS

and Radius server, but does not encrypt

attribute value pairs, only user info. This could
provide info to people doing reconnaissance

66

TACACS+
Provides the same functionality of

Radius
TACACS+ uses TCP port 49
TACACS+ can support one time
passwords
Encrypts ALL traffic data
TACACS+ separates each AAA
function.
For example can use an AD for

67

authentication, and an SQL server for

D iam eter
DIAMETER is a protocol designed as the next generation
RADIUS
RADIUS is limited to authenticating users via SLIP and
PPP dial-up modem connections
Other device types use different protocol types
Internet protocol that supports seamless and continuous
connectivity for mobile devices - such as PDAs, laptops,
or cell phones with Internet data capabilities
Move between service provider networks and change
their points of attachment to the Internet
Including better message transport, proxying, session
control, and higher security for AAA transactions
68

Centralized Access Controls overview

Idea centralize access control
Radius, TACACS+, diameter
Decentralized is simply maintaining

access control on all nodes

separately.

69

A C C ESS C O N TR O L
M ETH O D S

Unauthorized D isclosure ofInform ation

Sometimes data is un-intentionally

released.
Examples:
Object reuse
Countermeasures
Destruction
Degaussing
overwriting

Emanations Security (EMSEC)

71

Em anation Security
All devices give off electrical /

magnetic signals.
A non-obvious example is reading
info from a CRT bouncing off
something like a pair of sunglasses.
Tempest is a standard to develop
countermeasures to protect against
this.
72

Em anation Counterm easures

Faraday cage a metal mesh cage

around an object, it negates a lot of

electrical/magnetic fields.
White Noise a device that emits
radio frequencies designed to
disguise meaningful transmission.
Control Zones protect sensitive
devices in special areas with special
walls etc.
73

Access ControlO bjectives

IAAA
Authentication
Type 1
Type 2
Type 3

Authorization
SSO

Access Control Models

Administration
74