Lecture 11: Access control mechanisms and user authentication - PowerPoint PPT Presentation

About This Presentation
Slides: 27
Provided by: martin159
Transcript and Presenter's Notes



1
Lecture 11 Access control mechanisms and user
authentication
  • We will cover
  • Access control mechanisms
  • User authentication
  • Reading - Pfleeger, chapter 4

2
Logical item protection
  • logical items are software and data
  • files are the logical items that contain software
    or data, so file protection is the key
  • protection mechanisms attempt to enforce respect
    for file owners' usage permissions
  • this is achieved through some form of access
    control mechanism
  • an access control mechanism is used to certify
    that a user process is only granted use of a given
    object in accordance with the usage permissions
    specified by the owner of the object

3
types of Access Control
  • 2 types of access control
  • 1. Discretionary Access Control (DAC) - user can
    specify usage permissions of objects owned by
    user on the system
  • 2. Mandatory Access Control (MAC) - user has no
    control over usage permissions of objects in the
    system - the usage permissions are determined
    centrally and enforced - usually in a system in
    which the user is not seen as the owner of the
    programs and files in the system, e.g. the company
    or organisation owns all the objects in the
    computer system even if a particular set of users
    have regular access

4
Access Control Matrix
  • general model for access control is the Access
    Control Matrix (ACM)
  • matrix (table) in which each column represents an
    item (file) to be protected and each row
    represents a user
  • the (i, j)th entry in the matrix represents the
    permissions that user i has on object/file j
  • includes the mode of access - read, write, execute,
    etc. - to the file

5
  • Access Control Matrix

6
  • ACM - captures complete picture of usage
    permissions in a system
  • but the problem with access control matrices is
    that they are very cumbersome and could grow very
    large - with millions of items and thousands of
    users
  • also highly redundant, as most of the entries for
    most files will be blank (no access rights)
  • thus never implemented as such

7
Access Control Lists
  • Access Control Lists (ACL) - this is equivalent
    to a column of the ACM i.e. it associates with
    each file or resource to be protected a list of
    users who have access to that file and the mode
    of access permitted
  • it only has to contain in the list those users
    who have some access permissions on the file - it
    does not need all the null entries that occur in
    the ACM

8
  • Access Control List

9
  • although in general ACLs can contain a simple
    list of users and their permissions, this can
    still be a long list - not only is there a problem
    with the space it uses, but more important is the
    overhead on the system administrators and
    ordinary users who have to try to specify who has
    access to what, if they have to list each
    individual user who should have access to a given
    file

10
ACLs using security groups
  • In a practical implementation of ACLs, e.g.
    Windows, it is more common for the list to contain
    a series of security groups and associate
    permissions with those groups
  • Users are then a member of one or more groups and
    it is their group membership that defines their
    access rights

11
  • the idea behind ACLs and ACMs is that these
    provide the information that the OS should check
    before granting access to a given process in a
    given access mode to a given file
  • obviously the ACL/ACM are very sensitive
    structures which need to be secured from
    unauthorised access

12
  • UNIX has a very restricted notion of 3 security
    groups - owner, group, world - and defines access
    of only 3 modes for each of the 3 groups - while
    it is true that a user can change their group id,
    it is still very permissive and does not allow
    for much fine-grained control in defining access
    rights to objects in a system - it is quite
    efficient however, as the permissions are
    represented by a set of only 12 bits (9 normal
    bits and 3 special)
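The owner/group/world model above, as an added example that is not part of the lecture: a small Python model of the 12-bit UNIX mode word. It selects the one rwx triplet that applies to a process (owner first, then group, then other, with no fall-through), decodes the three special bits with the constants from the standard `stat` module, and renders a mode the way `ls -l` does. The `File`, `Process`, `may_access` and `render` names and the superuser shortcut are assumptions made for the example.

```python
import stat
from dataclasses import dataclass

# Constructed example (not from the lecture): a model of the UNIX 12-bit mode
# word, i.e. rwx for owner/group/other plus the setuid, setgid and sticky bits.


@dataclass(frozen=True)
class File:
    owner_uid: int
    group_gid: int
    mode: int          # the 12 permission bits only, e.g. 0o4755


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset    # primary group plus any supplementary groups


_CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}
_MODE_BIT = {"r": 4, "w": 2, "x": 1}


def permission_class(proc, f):
    """Select the single rwx triplet that applies to this process.

    UNIX tests owner, then group, then other and stops at the first match:
    an owner whose own triplet lacks a bit does NOT fall back to the
    'other' triplet, which is a common surprise when auditing modes.
    """
    if proc.uid == f.owner_uid:
        return "owner"
    if f.group_gid in proc.gids:
        return "group"
    return "other"


def may_access(proc, f, want):
    """True if the process may perform every access letter in `want` ("rw")."""
    if proc.uid == 0:
        return True    # simplification assumed here: the superuser bypasses the rwx bits
    triplet = (f.mode >> _CLASS_SHIFT[permission_class(proc, f)]) & 0o7
    return all(triplet & _MODE_BIT[m] for m in want)


def special_bits(f):
    """The 3 special bits, decoded with the constants of the standard stat module."""
    return {
        "setuid": bool(f.mode & stat.S_ISUID),
        "setgid": bool(f.mode & stat.S_ISGID),
        "sticky": bool(f.mode & stat.S_ISVTX),
    }


def render(mode):
    """Render the 12 bits the way `ls -l` does, e.g. 0o4755 -> 'rwsr-xr-x'."""
    out = []
    for cls, special, letter in (("owner", stat.S_ISUID, "s"),
                                 ("group", stat.S_ISGID, "s"),
                                 ("other", stat.S_ISVTX, "t")):
        triplet = (mode >> _CLASS_SHIFT[cls]) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        executable = bool(triplet & 1)
        if mode & special:
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


if __name__ == "__main__":
    report = File(owner_uid=1000, group_gid=50, mode=0o640)
    member = Process(uid=1001, gids=frozenset({50}))
    print(render(report.mode), may_access(member, report, "r"), may_access(member, report, "w"))
```

The `permission_class` rule is the part worth remembering when reviewing a mode: `0o044` on a file you own locks you out even though "everyone else" can read it, because the owner triplet is the only one consulted for you.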

13
Capabilities
  • A capability essentially associates with a user a
    set of permissions of use on a specific file or
    resource in the system - one per item
  • but unlike ACLs the access rights are associated
    with the user not the file or resource
  • a capability list - is a set of such capabilities
    all associated with a user
  • capability list is equivalent to a row in the ACM
  • the idea is that the user then has to present the
    capability to the OS for it to check to see if it
    will grant access to a given file

14
  • advantage is that it makes it easy to have an
    overview and control of the set of permissions
    given to a specific user; disadvantage is that it
    is difficult to see all permissions associated
    with a given file - ACLs have the opposite
    advantages and disadvantages - easy to see an
    overview of permissions on a given file, but not
    for a given user.
  • As ever with any such structures protection of
    the information in the structure is vital
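The relationship between the Access Control Matrix, ACLs and capability lists described on slides 4 to 14, as an added example that is not part of the lecture: a Python class that stores only the non-empty cells of the matrix, resolves security-group membership the way a Windows-style ACL does, and derives the ACL (one column) and the capability list (one row) from the same data. The class and function names, the group model and the sample subjects and file names are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed example (not from the lecture): a sparse access control matrix
# with the ACL (column) and capability-list (row) views derived from it.


class AccessControlMatrix:
    def __init__(self):
        # Only non-empty cells are stored: {(subject, object): {modes}}.
        # This avoids the "mostly blank" problem of the full matrix.
        self._cells = defaultdict(set)
        self._groups = defaultdict(set)      # group name -> set of users

    def add_member(self, group, user):
        self._groups[group].add(user)

    def grant(self, subject, obj, *modes):
        """Subject may be a user or a security group (Windows-style ACL entry)."""
        self._cells[(subject, obj)].update(modes)

    def revoke(self, subject, obj, *modes):
        cell = self._cells.get((subject, obj))
        if cell is None:
            return
        cell.difference_update(modes)
        if not cell:
            del self._cells[(subject, obj)]   # keep the representation sparse

    def _subjects_for(self, user):
        """A user acts as itself plus every group it belongs to."""
        return {user} | {g for g, members in self._groups.items() if user in members}

    def check(self, user, obj, mode):
        """The question the OS asks before granting access: may user access obj in mode?"""
        subjects = self._subjects_for(user)
        return any(mode in self._cells.get((s, obj), ()) for s in subjects)

    def acl(self, obj):
        """Column view: who may access this object, and how."""
        return {s: sorted(m) for (s, o), m in self._cells.items() if o == obj}

    def capability_list(self, user):
        """Row view: everything this user may do, directly or via group membership."""
        subjects = self._subjects_for(user)
        caps = defaultdict(set)
        for (s, o), modes in self._cells.items():
            if s in subjects:
                caps[o].update(modes)
        return {o: sorted(m) for o, m in caps.items()}

    def density(self):
        """Fraction of the full (subjects x objects) matrix that is non-empty."""
        subjects = {s for s, _ in self._cells}
        objects = {o for _, o in self._cells}
        if not subjects or not objects:
            return 0.0
        return len(self._cells) / (len(subjects) * len(objects))


def open_file(acm, user, obj, mode):
    """Guard that every access to a protected object must pass through."""
    if not acm.check(user, obj, mode):
        raise PermissionError(f"{user} may not {mode} {obj}")
    return f"{obj} opened for {mode} by {user}"


if __name__ == "__main__":
    acm = AccessControlMatrix()
    acm.add_member("staff", "alice")
    acm.add_member("staff", "bob")
    acm.grant("staff", "/data/report.txt", "r")      # constructed sample entries
    acm.grant("alice", "/data/report.txt", "w")
    acm.grant("carol", "/data/payroll", "r", "w")
    print(acm.acl("/data/report.txt"))               # column: who can touch the file
    print(acm.capability_list("bob"))                # row: what bob can do
    print(open_file(acm, "bob", "/data/report.txt", "r"))
```

Both views come from one structure, so the lecture's "opposite advantages" are visible in the two methods: `acl` is a filter over the object column and is cheap when the store is indexed by object, `capability_list` is a filter over the subject rows and is cheap when it is indexed by subject; a real system picks one index and pays the scan for the other query.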

15
  • A capability

16
User authentication
  • Authentication is the binding of an identity with
    a user
  • 3 classic mechanisms used to authenticate the
    identity of a user - by something the user
  • 1. Knows - known only to user and system -
    passwords, etc.
  • 2. Has - physical item in user's possession
  • 3. Is - biometric measurements that are
    relatively unique to the user - not going to say
    anything about this today

17
Passwords
  • passwords can ideally provide high levels of
    security provided user does not disclose password
  • if the alphabet of basic symbols that can be used
    in a password is B, then the number of different
    passwords of length N is B^N
  • thus even with upper and lowercase letters and
    digits you have 62^N - a huge search space for N
    even of length 8: 62^8 approx. 180 trillion
  • Thus the theoretical average time to crack a
    password is (B^N × I) / (2 × MIPS)
  • where I is the number of instructions in the
    cracking program and MIPS is the speed of the
    processor it is running on

18
  • The problem is that the formula is only applicable
  • a) if passwords are random sequences of the set
    of basic symbols - non-random passwords greatly
    reduce the size of the search space
  • b) if we are considering finding just 1
    particular password, but password cracker is
    interested in finding any password to allow them
    onto a system, so the number of user accounts is
    important - for a large networked organisation
    this can be very large - tens or hundreds of
    thousands
  • the real metric of interest is the probability of
    cracking any password on a system, with a given
    number of users, during the lifetime of the
    system (which could be 10 years or more)

19
password selection
  • most users choose passwords that are non-random
  • a number of different studies have shown that
    users choose passwords that are meaningful e.g.
  • 50% of passwords used by Egg on-line banking
    users were names of a member of their family
  • 82% of passwords used by users in City of London
    financial institutions were easily guessed, being
    people's names, swear words and words of vulgar
    sexual content, place names (favourite holiday
    spots) and common office objects

20
  • passwords are held securely on the system by use
    of a one-way or hash function (see lecture 4 for
    hash functions) - hash function is applied to
    password user submits and if it matches the
    stored hash value for user then user is
    authenticated. Remember with a hash function it
    is very difficult to invert the function to get
    the password from the hash value - so on original
    Unix systems the file of password hash values was
    openly accessible - it was seen as safe
  • hash functions that are used are standard - SHA,
    MD5, Blowfish

21
Salt
  • to prevent collisions in the set of hash values
    i.e. to prevent 2 users who have the same
    password from recognising that they have the same
    password because they have the same password hash
    value, then a 12 bit salt (random number) is
    assigned to user - this is kept in password file
    and is prepended or appended to password before
    hash value is computed

22
Password attacks
  • 1. brute-force search - mentioned in previous
    lecture - should be infeasible with random
    passwords - but the quality of the hash function
    used can undermine the system even if random
    passwords are used e.g.
  • Original Windows NT allowed users to specify up
    to 14 character passwords giving a theoretically
    huge search space.
  • Hash function used by NT ignored the case of
    letters, and the 14-character password was treated
    by the hash function as two 7-character passwords,
    each of which was separately hashed - thus the
    security was no better than that provided by a
    7-character password (and remember one that ignores
    letter case) - that is one of the reasons why it
    is better to use industry standard hash (and
    encryption) functions rather than proprietary
    ones - because the weakness was not understood by
    Microsoft
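The estimates on slides 17, 18 and 22, carried through as an added Python example that is not part of the lecture. It uses the lecture's symbols B, N, I and MIPS for the search space and the average time to crack, adds the two corrections slide 18 asks for (a non-random password drawn from a word list, and many accounts attacked over a long lifetime), and models the NT hash weakness as case folding plus hashing of independent 7-character pieces. The uniform-password model in `probability_any_cracked`, the word-list size and the guessing rate are assumptions of the example, and the exact value of 62^8 is computed rather than the rounded figure on the slide.

```python
import math

# Constructed example (not from the lecture): search-space and time-to-crack
# estimates using the lecture's symbols B (alphabet size), N (length),
# I (instructions per guess) and MIPS (millions of instructions per second).


def search_space(alphabet_size, length):
    """B^N: the number of distinct passwords of length N over B symbols."""
    return alphabet_size ** length


def expected_crack_seconds(space, instructions_per_guess, mips):
    """The lecture's average-case estimate, (B^N x I) / (2 x MIPS), in seconds.

    The 2 reflects that on average half the space is searched before the
    password is found; MIPS is converted to instructions per second.
    """
    return space * instructions_per_guess / (2 * mips * 1_000_000)


def split_hash_work(alphabet_size, length, chunk, folded_symbols=0):
    """Attacker work when the hash first folds `folded_symbols` of the alphabet
    away (e.g. 26 lowercase letters mapped onto uppercase) and then hashes
    independent `chunk`-long pieces, as the lecture describes for the NT hash
    (two 7-character halves). Each piece is attacked separately, so the work
    is additive across pieces instead of multiplicative over the whole length.
    """
    effective_alphabet = alphabet_size - folded_symbols
    pieces = math.ceil(length / chunk)
    return pieces * effective_alphabet ** chunk


def probability_any_cracked(users, space, guesses_total):
    """Probability that at least one of `users` accounts falls.

    Assumed model: every account's password is drawn uniformly from `space`
    candidates and the attacker spreads `guesses_total` evenly across the
    accounts, so each account receives guesses_total / users attempts.
    """
    per_account = guesses_total / users
    p_one = min(1.0, per_account / space)
    return 1.0 - (1.0 - p_one) ** users


if __name__ == "__main__":
    random_space = search_space(62, 8)                  # the lecture's 62^8 case
    word_list = 100_000                                 # assumed size of a word list
    ten_years = 10 * 365 * 24 * 3600 * 1_000_000        # assumed: 1 million guesses/s for 10 years
    print(random_space, expected_crack_seconds(random_space, 1000, 1000))
    print(probability_any_cracked(10_000, random_space, ten_years))   # random passwords
    print(probability_any_cracked(10_000, word_list, ten_years))      # word-list passwords
    print(split_hash_work(95, 14, 7, folded_symbols=26), search_space(95, 14))
```

Two things the numbers make concrete: against a 10,000-account system guessed at one million attempts per second for ten years, even fully random 8-character passwords give a substantial chance that some account falls, and word-list passwords make it a certainty; and `split_hash_work(95, 14, 7, 26)` is about 1.5 × 10^13 against roughly 4.9 × 10^27 for the same 14 characters hashed as one unit, which is the lecture's "no better than a 7-character password" in figures.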

23
  • 2. dictionary attack - try common words, etc - we
    have mentioned this before - 2 typical methods by
    which the attack works
  • i) if attacker can get a copy of the password
    file with the set of hash values, then can apply
    hash function used to dictionary words, etc, and
    compare hashed result against entries in password
    file of hash values
  • as a result of this, the file of password hash
    values is normally now kept in a file called the
    shadow password file - it is only accessible to
    someone with administrative access rights, has a
    format that is private and is often encrypted

24
  • ii) If there is no upper limit on login attempts
    with incorrect passwords, then can keep on trying
    login attempts
  • Note - military systems tend not to have upper
    limits on login attempts - because if they
    suspended an account whenever an upper limit of
    attempts was reached, this would leave the
    military system open to denial of service attacks
    from enemies who would simply need to make a
    number of incorrect login attempts to suspend
    every account on the system
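The denial-of-service problem with login-attempt limits described above, as an added Python example that is not part of the lecture. `AccountLockoutPolicy` is the per-account limit the slide discusses, and the scenario function shows that three wrong guesses from a hostile host are enough to lock the real user out. `SourceBackoffPolicy` is an assumed alternative not discussed in the lecture: the growing delay is charged to the source of the failures, so the account stays reachable from elsewhere. The password check itself is outside the example and its result is passed in as `password_ok`; the clock is passed in as `now` so the delays can be exercised without sleeping.

```python
from collections import defaultdict

# Constructed example (not from the lecture): two ways of bounding wrong-password
# attempts, showing why a per-account lockout is itself a denial-of-service lever.
# `password_ok` is the result of the real password check, supplied by the caller.


class AccountLockoutPolicy:
    """Suspend the account after `max_failures` wrong passwords from any source."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked = set()

    def attempt(self, username, source, password_ok):
        if username in self.locked:
            return "locked"                 # even the right password is refused now
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
            return "locked"
        return "fail"


class SourceBackoffPolicy:
    """Assumed alternative: charge the *source* of the failures with a growing
    delay instead of suspending the account. A wrong password doubles that
    source's wait; other sources, and the account itself, are unaffected."""

    def __init__(self, base_delay=1.0):
        self.base_delay = base_delay
        self.failures = defaultdict(int)        # source -> consecutive failures
        self.next_allowed = defaultdict(float)  # source -> earliest next attempt

    def attempt(self, username, source, password_ok, now):
        if now < self.next_allowed[source]:
            return "throttled"              # too early; not counted as a failure
        if password_ok:
            self.failures[source] = 0
            return "ok"
        self.failures[source] += 1
        wait = self.base_delay * 2 ** (self.failures[source] - 1)
        self.next_allowed[source] = now + wait
        return "fail"


def lockout_denial_of_service():
    """Scenario: three wrong guesses from a hostile host, then the real user."""
    policy = AccountLockoutPolicy(max_failures=3)
    for _ in range(3):
        policy.attempt("operator", "hostile-host", password_ok=False)
    return policy.attempt("operator", "operator-laptop", password_ok=True)


def backoff_keeps_account_reachable():
    """Same sequence under source backoff: the hostile host is slowed down,
    the real user's own machine logs in normally."""
    policy = SourceBackoffPolicy(base_delay=1.0)
    hostile = [policy.attempt("operator", "hostile-host", False, now=t)
               for t in (0.0, 0.5, 1.0, 1.5)]
    legit = policy.attempt("operator", "operator-laptop", True, now=1.6)
    return hostile, legit


if __name__ == "__main__":
    print("lockout:", lockout_denial_of_service())          # the owner is refused
    print("backoff:", backoff_keeps_account_reachable())    # the owner gets in
```

The backoff policy is keyed on the source only, so it does not stop a guesser who spreads attempts across many sources or across many accounts; it is a complement to auditing the failure logs, not a replacement for it.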

25
  • 3. Pre-computed hash lookup table - the time
    taken to search for a password can be reduced by
    trading off storage space against time
  • given that a standard hash algorithm will be
    used, then the hash values for a large number of
    passwords can be pre-computed and stored in a
    lookup table
  • thus password hash values can then be rapidly
    compared to entries in the table rather than having
    to be re-computed every time you want to crack a
    password on a new system

26
  • of course the storage required to hold all
    possible passwords would be infeasible just as
    the time required to search for a random password
    might be infeasible, but common passwords could
    be stored and it speeds up the cracking process
  • Also you can combine the use of a lookup table
    seeded with appropriate pre-computed entries with
    searching to significantly reduce time required
    to complete an exhaustive search - this is known
    as a password probability matrix approach
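Slides 20, 21, 25 and 26 together, as an added Python example that is not part of the lecture: password-file records that store a per-user salt beside the hash, verification by re-hashing with the stored salt, and a pre-computed lookup table built for the unsalted scheme. Two users with the same password get identical unsalted hashes and a table hit; with salt their hashes differ and the table misses, and `table_work` shows the recomputation cost growing with the number of users. SHA-256 stands in for the "standard hash" the slides mention, the 12-bit salt follows the lecture's figure, and the record layout, function names and word list are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example (not from the lecture): password storage with a per-user
# salt, plus a pre-computed lookup table for an unsalted scheme, to show why the
# salt defeats the table. SHA-256 stands in for the "standard hash"; the 12-bit
# salt follows the lecture's figure (real systems use far longer salts).


def hash_password(password, salt=b""):
    """Salt prepended to the password, then hashed, as the lecture describes."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_entry(username, password, salt=None, salt_bits=12):
    """One password-file record: the salt is stored in clear beside the hash."""
    if salt is None:
        salt = secrets.randbits(salt_bits).to_bytes((salt_bits + 7) // 8, "big")
    return {"user": username, "salt": salt.hex(), "hash": hash_password(password, salt)}


def verify(entry, candidate):
    """Re-hash the submitted password with the stored salt and compare."""
    expected = hash_password(candidate, bytes.fromhex(entry["salt"]))
    return hmac.compare_digest(expected, entry["hash"])


def build_lookup_table(wordlist):
    """Pre-computed table hash -> word for the unsalted scheme: computed once,
    usable against every system that hashes the same way."""
    return {hash_password(word): word for word in wordlist}


def lookup(table, entry):
    """A table hit recovers the word; a salted entry never matches the table."""
    return table.get(entry["hash"])


def table_work(users, wordlist_size, salted):
    """Hash computations needed to test a word list against every user:
    one table serves all users when unsalted, one per user when salted."""
    return wordlist_size * (users if salted else 1)


if __name__ == "__main__":
    words = ["password", "letmein", "summer", "dragon"]      # constructed word list
    table = build_lookup_table(words)
    plain = make_entry("alice", "letmein", salt=b"")          # unsalted record
    salted = make_entry("alice", "letmein")                   # 12-bit random salt
    print(lookup(table, plain), lookup(table, salted), verify(salted, "letmein"))
    print(table_work(10_000, len(words), salted=False), table_work(10_000, len(words), salted=True))
```

A 12-bit salt multiplies the table size by at most 4096, which is why current schemes use salts of 128 bits or more and a deliberately slow hash rather than a single SHA-256 call; the structure of the record and the verification step are the same.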