# CS363 - PowerPoint PPT Presentation

Week 8 - Monday

### CS363

Last time
• What did we talk about last time?
• Access control
• Authentication
Security Presentation

Andrew Sandridge

Challenge Response
Pass Algorithms
• Some systems have a special function f a user (or user's system) must know
• Thus, the system will give the user a prompt, and the user must respond
• Perhaps the system would issue a random value to the user, who must then encrypt it with his secret key and send it back to the system
• Perhaps it's just some other way of processing the data
• Monkey Island 2: LeChuck's Revenge hand puzzle
One-time passwords
• A one-time password is invalidated as soon as it is used
• Thus, an attacker stealing the password can do limited damage
• He has to act quickly before the legitimate user logs in first
• How do you generate all these passwords?
• How do you synchronize the user and the system?
• RSA SecurID tokens change the password every 30 or 60 seconds
• The user must be synchronized with the system within a few seconds to keep this practical
• Using a secure hash function h, we start with a seed value k, then
• h(k) = k₁, h(k₁) = k₂, …, h(kₙ₋₁) = kₙ
• Then passwords are in reverse order
• p₁ = kₙ, p₂ = kₙ₋₁, …, pₙ₋₁ = k₂, pₙ = k₁
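The hash-chain scheme from the slides above, worked through as an added example (not code from the course): the user keeps the reversed chain as passwords, while the server stores only the last accepted value and moves one step down the chain on every successful login. SHA-256 as the hash function, the seed, and the name Server are assumptions for the demonstration.

```python
import hashlib

def h(x: bytes) -> bytes:
    """The slide's secure hash function; SHA-256 is an assumption."""
    return hashlib.sha256(x).digest()

def hash_chain(seed: bytes, n: int) -> list:
    """Build [k1, k2, ..., kn] with k1 = h(seed) and k(i+1) = h(ki)."""
    chain, k = [], seed
    for _ in range(n):
        k = h(k)
        chain.append(k)
    return chain

def passwords(seed: bytes, n: int) -> list:
    """Passwords are the chain in reverse: p1 = kn, p2 = k(n-1), ..., pn = k1."""
    return list(reversed(hash_chain(seed, n)))

class Server:
    """Keeps only the last accepted value, never the seed or the passwords.

    To check p1 = kn the server needs h(kn), one hash step beyond the slide's
    chain; the user registers that single value at enrolment.
    """
    def __init__(self, registered: bytes):
        self.last = registered

    def verify(self, candidate: bytes) -> bool:
        if h(candidate) == self.last:
            self.last = candidate   # p_i is now spent; only p_(i+1) hashes to it
            return True
        return False                # replay, out-of-order, or wrong password

def enrol(seed: bytes, n: int):
    """User keeps the password list; the server stores only h(p1)."""
    pw = passwords(seed, n)
    return pw, Server(h(pw[0]))

if __name__ == "__main__":
    pw, srv = enrol(b"constructed seed", 5)    # constructed sample seed
    # first use accepted, replay refused, skipping ahead refused, next one accepted
    print(srv.verify(pw[0]), srv.verify(pw[0]), srv.verify(pw[2]), srv.verify(pw[1]))
```

Because the server can only move forward, a stolen password is useless once its owner has used it, and a user who skips a password is out of synchronization until the server is reset; both are the points the slide raises.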
Biometrics
• Biometrics means identifying humans by their physical and biological characteristics
• This technology is often seen in spy and science fiction movies
• It does exist, but it is far from perfect
• Like passwords, the actual biometric scans are usually not stored
• Instead specific features are stored for later comparison
• Biometrics pose unique privacy concerns because the information collected can reveal health conditions
Fingerprints
• Historically, fingerprints are one of the most heavily used forms of biometric identification
• Especially useful for solving crimes
• Even identical twins have different fingerprints
• Fun fact: Koalas have fingerprints so similar to human beings that even experts are fooled
• Optical scanners are available
• Cheap, capacitive scanners are now even available on many laptops
• The image of the fingerprint is usually not stored
• Instead, specific, differentiable features are recorded
Voice recognition
• Voice recognition systems must be trained on your voice
• They can be defeated with recording devices
• If you have a cold, it throws off the characteristics of your voice
• As a consequence, they are particularly susceptible to both false positives and false negatives
Eye recognition
• As the technology matures and hardware becomes cheaper, eye recognition is becoming more common
• Iris recognition looks at the patterns of light and dark areas in your iris (the colored part of your eye)
• For simplicity, the image is converted to grayscale for comparison
• Newer iris scanners can make successful identifications at 10 feet away or more, even correcting for glasses!
• Retina scans exist but are unpopular
• The retina is the tissue lining the inside of your eye and requires pupil dilation to get an accurate picture, blinding you for several minutes
• There are even systems for recognizing the patterns of discolorations on the whites of your eyes!
Face recognition
• The shape of your face, the distance between your eyes and nose, and other facial features are relatively distinctive
• Although they can be nearly the same for identical twins
• Computer vision techniques must be used to locate the face, deal with changes in haircut, glasses, etc.
• Participants must have a neutral facial expression or results can be thrown off
• The US Department of State uses facial recognition and fingerprinting to document foreigners entering the country
• Their database has over 75 million photographs
Other biometrics
• Keystroke dynamics are the patterns that you use when typing
• Users are quite distinctive, but distractions and injuries can vary patterns a lot
• Combinations of different biometrics are sometimes used
• DNA sequencing is not (yet) fast enough to be used for authentication
• Researchers are always coming up with new biometrics to use
Problems with biometrics
• People assume that they are more secure than they are
• Attacks:
• Fingerprints can be lifted off a champagne glass
• Voices can be recorded
• Iris recognition can be faked with special contact lenses
• Both false positives and false negatives are possible
• It is possible to tamper with transmission from the biometric reader
• Biometric characteristics can change
• Identical twins sometimes pose a problem
What is trust?
• To trust a program, we are looking for 4 things:
• Functional correctness
• The program does what it should
• Enforcement of integrity
• The program’s data is still correct even if given bad or unauthorized commands
• Limited privilege
• If the program accesses secure data, it only accesses what it needs, and it doesn’t leak rights or data to untrusted parties
• Appropriate confidence level
• The program has been examined carefully and given trust appropriate for its job
Security policies
• A security policy is a statement of the security we expect a system to enforce
• A mechanism is a tool or protocol to enforce the policy
• It is possible to have good policies but bad mechanisms or vice versa
• A trusted system has:
• Enforcement of a security policy
• Sufficiency of measures and mechanisms
• Evaluation
• Confidentiality access control system
• Military-style classifications
• Uses a linear clearance hierarchy
• All information is on a need-to-know basis
• It uses clearance (or sensitivity) levels as well as project-specific compartments
Security clearances
• Both subjects (users) and objects (files) have security clearances
• Below are the clearances arranged in a hierarchy
Simple security condition
• Let level_O be the clearance level of object O
• Let level_S be the clearance level of subject S
• The simple security condition states that S can read O if and only if level_O ≤ level_S and S has discretionary read access to O
• In short, you can only read down
• Example?
• In a few slides, we will expand the simple security condition to make the concept of level
*-Property
• The *-property states that S can write O if and only if level_S ≤ level_O and S has discretionary write access to O
• In short, you can only write up
• Example?
Basic security theorem
• Assume your system starts in a secure initial state
• Let T be all the possible state transformations
• If every element in T preserves the simple security condition and the *-property, every reachable state is secure
• This is sort of a stupid theorem, because we define “secure” to mean a system that preserves the security condition and the *-property
• We add compartments such as NUC = Non-Union Countries, EUR = Europe, and US = United States
• The possible sets of compartments are:
• {NUC}
• {EUR}
• {US}
• {NUC, EUR}
• {NUC, US}
• {EUR, US}
• {NUC, EUR, US}
• Put a clearance level with a compartment set and you get a security level
• The literature does not always agree on terminology
Romaine lattice
• The subset relationship induces a lattice

[Lattice figure: {NUC, EUR, US} at the top; {NUC, EUR}, {NUC, US}, {EUR, US} in the middle; {NUC}, {EUR}, {US} at the bottom; each set is drawn above the sets it contains]

Updated properties
• Let L be a clearance level and C be a set of categories (compartments)
• Instead of talking about level_O ≤ level_S, we say that security level (L, C) dominates security level (L’, C’) if and only if L’ ≤ L and C’ ⊆ C
• Simple security now requires (L_S, C_S) to dominate (L_O, C_O) and S to have read access
• *-property now requires (L_O, C_O) to dominate (L_S, C_S) and S to have write access
• Problems?
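The dominance relation, the lattice join, and the two updated properties, as an added example rather than code from the course. The compartments NUC, EUR and US are the slide's; the ordering of the clearance levels is an assumption, since the hierarchy figure did not survive, and the subjects and objects in demo() are constructed. The last case in demo() shows one of the practical problems the slide asks about: a subject can never write to an object at a lower level, even its own notes.

```python
from dataclasses import dataclass

# Clearance ordering is an assumption (the slide's hierarchy figure is missing).
CLEARANCE = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
COMPARTMENTS = {"NUC", "EUR", "US"}   # the slide's compartments

@dataclass(frozen=True)
class SecurityLevel:
    level: str               # L: clearance level
    categories: frozenset    # C: set of compartments

    def __post_init__(self):
        if self.level not in CLEARANCE or not self.categories <= COMPARTMENTS:
            raise ValueError("unknown clearance level or compartment")

    def dominates(self, other: "SecurityLevel") -> bool:
        """(L, C) dominates (L', C') iff L' <= L and C' is a subset of C."""
        return (CLEARANCE[other.level] <= CLEARANCE[self.level]
                and other.categories <= self.categories)

def join(a: SecurityLevel, b: SecurityLevel) -> SecurityLevel:
    """Least upper bound in the lattice: higher level, union of compartments."""
    top = a.level if CLEARANCE[a.level] >= CLEARANCE[b.level] else b.level
    return SecurityLevel(top, a.categories | b.categories)

def simple_security(subject, obj, discretionary_read=True) -> bool:
    """Read allowed iff the subject's level dominates the object's: read down."""
    return discretionary_read and subject.dominates(obj)

def star_property(subject, obj, discretionary_write=True) -> bool:
    """Write allowed iff the object's level dominates the subject's: write up."""
    return discretionary_write and obj.dominates(subject)

def demo() -> dict:
    # Constructed subject and objects for the demonstration.
    analyst = SecurityLevel("SECRET", frozenset({"NUC", "EUR"}))
    eur_report = SecurityLevel("CONFIDENTIAL", frozenset({"EUR"}))
    us_report = SecurityLevel("CONFIDENTIAL", frozenset({"US"}))
    ts_summary = SecurityLevel("TOP SECRET", frozenset(COMPARTMENTS))
    return {
        "read EUR report": simple_security(analyst, eur_report),  # True: read down
        "read US report": simple_security(analyst, us_report),    # False: no US compartment
        "write TS summary": star_property(analyst, ts_summary),   # True: write up
        "write EUR report": star_property(analyst, eur_report),   # False: would write down
    }
```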
Clark-Wilson model
• Commercial model that focuses on transactions
• Just like a bank, we want certain conditions to hold before a transaction and the same conditions to hold after
• If conditions hold in both cases, we call the system consistent
• Example:
• D is the amount of money deposited today
• W is the amount of money withdrawn today
• YB is the amount of money in accounts at the end of business yesterday
• TB is the amount of money currently in all accounts
• Thus,

D + YB – W = TB

Clark-Wilson definitions
• Data items that have to follow integrity controls are called constrained data items (CDIs)
• The rest of the data items are unconstrained data items (UDIs)
• Integrity constraints (like the bank transaction rule) constrain the values of the CDIs
• Two kinds of procedures:
• Integrity verification procedures (IVPs) test that the CDIs conform to the integrity constraints
• Transformation procedures (TPs) change the data in the system from one valid state to another
Clark-Wilson rules
• Clark-Wilson has a system of 9 rules designed to protect the integrity of the system
• There are five certification rules that test to see if the system is in a valid state
• There are four enforcement rules that give requirements for the system
Certification Rules 1 and 2
• CR1: When any IVP is run, it must ensure that all CDIs are in a valid state
• CR2: For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state
• By inference, a TP is only certified to work on a particular set of CDIs
Enforcement Rules 1 and 2
• ER1: The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI
• ER2: The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user.
• Thus, a user is only allowed to use certain TPs on certain CDIs
Certification Rule 3 and Enforcement Rule 3
• CR3: The allowed relations must meet the requirements imposed by the principle of separation of duty
• ER3: The system must authenticate each user attempting to execute a TP
• In theory, this means that users don't necessarily have to log on if they are not going to interact with CDIs
Certification Rules 4 and 5
• CR4: All TPs must append enough information to reconstruct the operation to an append-only CDI
• Logging operations
• CR5: Any TP that takes input as a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI
• Gives a rule for bringing new information into the integrity system
Enforcement Rule 4
• ER4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of any entity associated with that TP, may ever have execute permission with respect to that entity.
• Separation of duties
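The enforcement rules ER1 to ER3 and certification rules CR4 and CR5, applied to the bank example from the earlier slides, as an added example that is not code from the course: a small system that only lets certified TPs touch their CDIs on behalf of associated, authenticated users, logs every run, and uses D + YB – W = TB as its IVP. The class and function names, the teller user and the account figures are constructed for the demonstration; ER4 (who may change the certified relations) is not modelled.

```python
class IntegrityViolation(Exception): pass   # an enforcement rule or CR5 would be broken

class ClarkWilsonSystem:
    def __init__(self, cdis: dict):
        self.cdis = dict(cdis)       # constrained data items
        self.certified = {}          # TP -> (function, CDIs it is certified for)   CR2/ER1
        self.allowed = set()         # (user, TP, CDI) triples                       ER2
        self.authenticated = set()   # users who have logged on                      ER3
        self.log = []                # append-only CDI recording every TP run        CR4
    def certify(self, tp, fn, cdis):
        self.certified[tp] = (fn, set(cdis))
    def allow(self, user, tp, cdis):
        self.allowed.update((user, tp, c) for c in cdis)
    def run(self, user, tp, udi=None):
        if user not in self.authenticated:
            raise IntegrityViolation("ER3: user not authenticated")
        if tp not in self.certified:
            raise IntegrityViolation("ER1: TP is not certified")
        fn, scope = self.certified[tp]
        if any((user, tp, c) not in self.allowed for c in scope):
            raise IntegrityViolation(f"ER2: {user} may not run {tp} on its CDIs")
        new = fn({c: self.cdis[c] for c in scope}, udi)   # CR2: valid state -> valid state
        if not set(new) <= scope:
            raise IntegrityViolation("ER1: TP touched a CDI it is not certified for")
        self.cdis.update(new)
        self.log.append((user, tp, udi))                  # CR4: enough to reconstruct the run

def bank_ivp(cdis: dict) -> bool:
    return cdis["D"] + cdis["YB"] - cdis["W"] == cdis["TB"]   # the slide's constraint (CR1)

def deposit(cdis: dict, udi) -> dict:
    if not isinstance(udi, int) or udi <= 0:                   # CR5: reject the UDI...
        raise IntegrityViolation("CR5: rejected UDI")
    return {"D": cdis["D"] + udi, "TB": cdis["TB"] + udi}      # ...or turn it into CDI changes

def rejected(system, user, tp, udi) -> bool:   # does the system refuse this run?
    try:
        system.run(user, tp, udi)
    except IntegrityViolation:
        return True
    return False

def demo() -> ClarkWilsonSystem:
    bank = ClarkWilsonSystem({"D": 0, "W": 0, "YB": 1000, "TB": 1000})   # constructed values
    bank.certify("deposit", deposit, {"D", "TB"})
    bank.allow("teller", "deposit", {"D", "TB"})   # teller is associated with deposit only
    bank.authenticated.add("teller")
    bank.run("teller", "deposit", 250)
    return bank
```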
Clark-Wilson summary
• Designed close to real commercial situations
• No rigid multilevel scheme
• Enforces separation of duty
• Certification and enforcement are separated
• Enforcement in a system depends simply on following given rules
• Certification of a system is difficult to determine
Next time…
• Chinese Wall and Biba models
• Theoretical limitations (HRU result)
• Trusted system design elements
• Yuki Gage presents
Reminders
• Read Sections 5.1 – 5.3
• Keep working on Project 2