Chapter 1 Date 4/09/09
Confidentiality
- Is the concealment of information or resources.
- Ensures that necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidently must prevail while data is on computer, or on network devices it is transmitted and once it reaches its destination.
- Access control mechanisms support confidentiality.
- One access control mechanism for preserving confidentiality is cryptography, which scrambles data to make it incomprehensible. A cryptographic key controls access to the unscrambled data, but then the cryptographic key itself becomes another datum to be protected.
- Other system-dependent mechanisms can prevent processes from illicitly accessing information data protected only by these controls can be read when the controls fail or are bypassed. Then their advantage is offset by a corresponding disadvantage. They can protect the secrecy of data more completely than cryptography, but if they fail or are evaded, the data becomes visible.
- Confidentiality also applies to the existence of data.Resource hiding is another important aspect of confidentiality
- All the mechanisms that enforce confidentiality require supporting services from the system.The assumption is that the security services can rely on the kernel, and other agents, to supply correct data. Thus, assumptions and trust underlie confidentiality mechanisms.
Integrity
- It refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change.
- Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication).
- Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms.
- Prevention mechanisms seek to maintain the integrity of the data by blocking any unauthorized attempts to change the data or any attempts to change the data in unauthorized ways. The distinction between these two types of attempts is important. The former occurs when a user tries to change data which she has no authority to change. The latter occurs when a user authorized to make certain changes in the data tries to change the data in other ways by not following the advised ways.
- Detection mechanisms do not try to prevent violations of integrity; they simply report that the data’s integrity is no longer trustworthy. Detection mechanisms may analyze system events (user or system actions) to detect problems or (more commonly) may analyze the data itself to see if required or expected constraints still hold. The mechanisms may report the actual cause of the integrity violation (a specific part of a file was altered), or they may simply report that the file is now corrupt.
- Working with integrity is very different from working with confidentiality. With confidentiality, the data is either compromised or it is not, but integrity includes both the correctness and the trustworthiness of the data. The origin of the data (how and from whom it was obtained), how well the data was protected before it arrived at the current machine, and how well the data is protected on the current machine all affect the integrity of the data.
Availability
· Refers to the ability to use the information or resource desired.
· Availability is an important aspect of reliability as well as of system design because an unavailable system is at least as bad as no system at all. The aspect of availability that is relevant to security is that someone may deliberately arrange to deny access to data or to a service by making it unavailable. System designs usually assume a statistical model to analyze expected patterns of use, and mechanisms ensure availability when that statistical model holds. Someone may be able to manipulate use (or parameters that control use, such as network traffic) so that the assumptions of the statistical model are no longer valid. This means that the mechanisms for keeping the resource or data available are working in an environment for which they were not designed. As a result, they will often fail. Attempts to block availability, called denial of service attacks, can be the most difficult to detect, because the analyst must determine if the unusual access patterns are attributable to deliberate manipulation of resources or of environment.
· System availability can be affected by device or software failure. Backup devices should be used and be available to quickly replace critical systems, and employees should be skilled and on hand to make the necessary adjustments to bring the system back online. Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability.
[MATT]
Types of Access Control Attacks are DOS, Dictionary, Spoofing, Brute Force and Wardialing
Denial of Service Attack
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users
One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
This attack can be done via wireless and wired.
Slow network performance
Unavailability to access any web
Mail bomb (Dramatically increase in number of spam mails)
The five basic types of attack are:
- Consumption of computational resources, such as bandwidth, disk space, or processor time
- Disruption of configuration information, such as routing information.
- Disruption of state information, such as unsolicited resetting of TCP sessions.
- Disruption of physical network components.
- Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Threats
- Threat is a potential violation of security. Violation isn’t actually needed for a threat to be there. The threat may occur we means that those actions that could cause it must be guarded.
- Such actions are called as attacks and persons behind such attacks are called as attackers. The security services (Security Tirade) counter threats to the system are divided in 4 classes
- Disclosure or unauthorized access to information.
- Snooping. Is unauthorized interception to the information is the form of disclosure. It is passive. Might be someone is reading or listening the information. Wiretapping is also another form of snooping in which someone is monitoring the network cabling .This term is also used for wireless medium too.
Confidentiality service faces this threat
- Deception or acceptance of false data.
- Modification or alternation is unauthorized change of information covers three classes of threats. The goal is deception in which some entity rely on modified data which action to take Modification can cause deception disruption and usurpation. Unlink snooping modification is is active. Example is Man in Middle attack. In which the intruder changes information and pas it on to the recipient. Modification is active and snooping is passive. Security service that is affected by this is Integrity.
- Desquamating or Spoofing is impersonation of one entity by another entity. Comes in both deception and usurpation. Suppose a user trying to log into a computer over internet but he/she reaches to and other computer he get spoofed. Or a user is trying to access a file but intruder has arranged him an other file is another example of spoofing.
Integrity Encounters Spoofing.
In some cases integrity is allowed is called delegation in which both parties know about each other and one party allows full access or authority to other one to perform on his her behalf.
Mostly this is active.
Repudiation of Origin
Is false denial that entity sent created something is a form of deception.
Example Shipping
Integrity is affected by this
Denial of receipt false denial that entity received something in the form of deception Integrity and availability is effected by this.
Example Shipping
Disruption, or interruption or prevention in correct operation.
Usurpation, or unauthorized control of some part of a system.
Delay, a temporary inhibition of a service, is a form of usurpation, although it can play a supporting role in deception. Typically, delivery of a message or service requires some time t; if an attacker can force the delivery to take more than time t, the attacker has successfully delayed delivery. This requires manipulation of system control structures, such as network components or server components, and hence is a form of usurpation. If an entity is waiting for an authorization message that is delayed, it may query a secondary server for the authorization. Even though the
attacker may be unable to masquerade as the primary server, she might be able to masquerade as that secondary server and supply incorrect information. Availability mechanisms can thwart this threat.
Denial of service, a long-term inhibition of service, is a form of usurpation, although it is often used with other mechanisms to deceive. The attacker prevents a server from providing a service. The denial may occur at the source (by preventing the server from obtaining the resources needed to perform its function), at the destination (by blocking the communications from the server), or along the intermediate path (by discarding messages from either the client or the server, or both). Denial of service poses the same threat as an infinite delay. Availability mechanisms counter this threat. Denial of service or delay may result from direct attacks or from non security related problems. From our point of view, the cause and result are important; the intention underlying them is not. If delay or denial of service compromises system security, or is part of a sequence of events leading to the compromise of a system, then we view it as an attempt to breach system security. But the attempt may not be deliberate; indeed, it may be the product of environmental characteristics rather than specific actions of an attacker.
Definition 1–1. A security policy is a statement of what is, and what is not,
allowed.
Definition 1–2. A security mechanism is a method, tool, or procedure for
enforcing a security policy.
Mechanisms can be nontechnical, such as requiring proof of identity before
changing a password; in fact, policies often require some procedural mechanisms
that technology cannot enforce
Policy presents what is allowed and what is not allowed or in other words policy defines what is secure and what is insecure or simply we may say that a policy defines what a staff can perform. When two sites communicate with each other then the entity they compose has a security policy based on the security policies of two sites.If those policies are inconsistent then both sites must decide what security policy for composed site should be. Because inconsistencies cause security breaches.
Goal of Security.
Defined security policies’ specification secure or insecure actions mechanism can prevent detect and recover from attacks.
Prevention from attacks
Prevention means that an attack will fail For example, if one attempts to break into a host over the Internet and that host is not connected to the Internet, the attack has been prevented. Typically, prevention involves implementation of mechanisms that users cannot override and that are trusted to be implemented in a correct, unalterable way, so that the But some simple preventative mechanisms, such as passwords (which aim to prevent unauthorized users from accessing the system), have become widely accepted. Prevention mechanisms can prevent compromise of parts of the system;
Detection is most useful when an attack cannot be prevented, but it can also indicate the effectiveness of preventative measures. Detection mechanisms accept that an attack will occur; the goal is to determine that an attack is under way, or has occurred, and report it. The attack may be monitored, however, to provide data about its nature, severity, and results. Typical detection mechanisms monitor various aspects of the system, looking for actions or information indicating an attack. A good example of such a mechanism is one that gives a warning when a user enters an incorrect password three times. The login may continue, but an error message in a system log reports the unusually high number of mistyped passwords. Detection mechanisms do not prevent compromise of parts of the system, which is a serious drawback. The resource protected by the detection mechanism is continuously or
periodically monitored for security problems.
Recovery By definition, recovery requires resumption of correct operation. It has two forms.
The first is to stop an attack and to assess and repair any damage caused by that attack. As an example, if the attacker deletes a file, one recovery mechanism would be to restore the file from backup tapes Moreover, the attacker may return, so recovery involves identification and fixing of the vulnerabilities used by the attacker to enter the system.
In a second form of recovery, the system continues to function correctly while an attack is under way. This type of recovery is quite difficult to implement because of the complexity of computer systems. It draws on techniques of fault tolerance as well as techniques of security and is typically used in safety-critical systems. It differs from the first form of recovery, because at no point does the system function incorrectly. However, the system may disable nonessential functionality.
Assumptions and Trust
A policy consists of a set of axioms that the policy makers believe can be enforced. Designers of policies always make two assumptions.
First, the policy correctly and unambiguously partitions the set of system states into "secure" and "nonsecure" states.
Second, the security mechanisms prevent the system from entering a "nonsecure" state. If either assumption is erroneous, the system will be nonsecure.
These two assumptions are fundamentally different. The first assumption asserts that the policy is a correct description of what constitutes a "secure" system
The second assumption says that the security policy can be enforced by security mechanisms. These mechanisms are either secure, precise, or broad. Let P be the set of all possible states. Let Q be the set of secure states (as specified by the security policy). Let the security mechanisms restrict the system to some set of states R (thus, R P). Then we have the following definition.
Definition
A security mechanism is secure if R Í Q; it is precise if R = Q; and it is broad ifthere are states r such that r Î R and r Ë Q.
Trusting that mechanisms work requires several assumptions.
1. Each mechanism is designed to implement one or more parts of the security policy.
2. The union of the mechanisms implements all aspects of the security policy.
3. The mechanisms are implemented correctly.
4. The mechanisms are installed and administered correctly.
Assurance
System specification, design, and implementation can provide a basis for determining "how much" to trust a system. This aspect of trust is called assurance. It requires specific steps to ensure that the computer will function properly. The sequence of steps includes detailed specifications of the desired (or undesirable) behavior; an analysis of the design of the hardware, software, and other components to show that the system will not violate the specifications; and arguments or proofs that the implementation will produce the desired behavior.
Specification
A system is said to satisfy specification if the specification fully describes how the system will work specification can be formal or informal can be written in any high level language and low level language.
Design
The design of the system translates the specification of system into components that implements the systems. Design of the system must not violate the specification of the system.
Implementation
The implementation of a system is said to be correct if the design of the system is correct. If the design of a system fully satisfy the specification then definitely according to the transitivity implementation will also satisfy the specification.
A program is said to be correct if its implementation performs as specified.
Operational Issues Human Issue
Cost benefits Organizational issue
Risk Analysis People Issue
Laws and customs
Chapter 02 date 08/09/09
Access Control Models.
An access control model dictates how a subject can access the objects. There are three types of access control models are Discretionary, mandatory and non discretionary (a role base). Each has its own pros and cons these models can be used individually or can be used in combine in order to achieve the desire level of security.
These models are built in the core of the operating system or supporting application for every access attempt before subject communicates with object security kernel reviews rules and permission whether request us allowed.
Discretionary access control model: Identity base access control
If a user creates a file he is the owner of that file. And identifier of this file is placed in the file header. Now this user can grant access to other user by authorization. IN DAC the owner of the file can specify which subject can access the resource. Most common DAC is implemented by ACLs, DAC can be applied both to the directory hierarchy and the file itself.PC world file has attributes like No access, Read, Write, Execute, Full Access and Change.
Mandatory Access Control Model.
In mandatory access control model users and owner of the file don’t have much freedom that may access the file. The operating system is one that make this decision and wishes of the users are override. This model is much more structured strict and based on the security labels (terms security label and sensitivity label can be used interchangeably) user are given security clearance (Top secret, secret and so on) and data is classified in the same way. Clearance and classifications of objects are stored in the security labels which are bound to specific subject and objects when a subject wants to access the object it is based on the clearance of subject and classification of object and security policy of the system. Rules how subject can access the objects are made by security officer.
Security labels are attached to all objects and thus every file, device and directory has its own security label with its classification information.
Sensitivity Label
Sensitivity labels or security labels, contains classifications and different categories classification indicates sensitivity level and categories enforces need to know rules.
In MAC implementations, the system makes access decisions by comparing the subject’s clearance and need-to-know level to that of this security label. In DAC, the system compares the subject’s identity to the ACL on the resource.
Role base access control (RBAC)
Role base access control has centrally administrated set of control to determine how subjects and objects interact with each other. This type of the model assigns the resources to the user according to their role in the organization
Introducing roles also introduces the difference between rights being assigned explicitly and implicitly. If rights and permissions are assigned explicitly, it indicates they are assigned directly to a specific individual. If they are assigned implicitly, it indicates they are assigned to a role or group and the user inherits those attributes.
Core RBAC
This component will be integrated in every RBAC implementation, because it is the foundation of the model. Users, roles, permissions, operations, and sessions are defined and mapped according to the security policy.
• Has a many-to-many relationship among individual users and privileges
• Session is a mapping between a user and a subset of assigned roles
• Accommodates traditional but robust group-based access control
NEED MORE WORK ON THIS
Access Control Matrix
An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system.
Protection State
The state of the system is the collection of all the current values of all memory locations of the system the register, primary memory and secondary storage the subset of this collection that deals with the protection is called as the protection state
Need to work on Access Control Matrix
Chapter no 03 11/09/09
Given a computer system how can we determine that this system is secure do we have any kind of algorithm that can tell us that the given system is secure If wit we do have a algorithm it can only tell that either the system is insecure but it cant tell us the point where the system is insecure.
What is a secure system?
If a system never leaks a right r then system is said to be safe with respect to the right right r. and if a system can leak a right r then system is said to be unsafe with respect to right r.
Safety refers abstract model and security refers implementation Secure systems corresponds to model safe wrt all rights and model safe system with respect to all rights doesn’t ensure a secure system.
EXAMPLE: A computer system allows the network administrator to read all network
traffic. It disallows all other users from reading this traffic. The system is designed in such a way that the network administrator cannot communicate with other users. Thus, there is no way for the right r of the network administrator over the network device to leak. This system is safe.
Unfortunately, the operating system has a flaw. If a user specifies a certain file name in a file deletion system call, that user can obtain access to any file on the system (bypassing all file system access controls). This is an implementation flaw, not a theoretical one. It also allows the user to read data from the network. So this system is not secure.
Chapter No 04 Security Policies
A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states. A security policy sets the context in which we can define a secure system. What is secure under one policy may not be secure under a different policy. More precisely:
Or a secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
A breach of security occurs when a system enters an unauthorized state.
Let X be a set of entities and let I be some information. Then I has the property of confidentiality with respect to X if no member of X can obtain information about I. Confidentiality implies that information must not be disclosed to some set of entities. It may be disclosed to others. The membership of set X is often implicit for example, when we speak of a document that is confidential. Some entity has access to the document. All entities not authorized to have such access make up the set X
Let X be a set of entities and let I be some information or a resource. Then it has the property of integrity with respect to X if all members of X trust I
Let X be a set of entities and let I be a resource. Then I has the property of availability with respect to X if all members of X can access I.
A security policy considers all relevant aspects of confidentiality, integrity, and availability. With respect to confidentiality, it identifies those states in which information leaks to those not authorized to receive it. This includes not only the leakage of rights but also the illicit transmission of information without leakage of rights, called information flow. Also, the policy must handle dynamic changes of authorization, so it includes a temporal element. This aspect of the security policy is often called a confidentiality policy.
With respect to integrity, a security policy identifies authorized ways in which information may be altered and entities authorized to alter it. Authorization may derive from a variety of relationships, and external influences may constrain it.
Those parts of the security policy that describe the conditions and manner in which data can be altered are called the integrity policy.
With respect to availability, a security policy describes what services must be provided. It may present parameters within which the services will be accessiblefor example, that a browser may download Web pages but not Java applets. It may require a level of service or example, hat a server will provide authentication data within 1 minute of the request being ade. This relates directly to issues of quality of service.
Security Mechanism
Security mechanism is set of methods or procedure that enforces security policy or some part of security policy.
Security Model
A security model is a model that represents a particular policy or set of policies.
Types of Security Policies
Military security policy or Governmental security policy
This policy is defined primarily for the confidentiality The name comes from the military's need to keep information secret , such as the date that a troop ship will sail, secret. Although integrity and availability are important, organizations using this
class of policies can overcome the loss of either for example, by using orders not sent through a computer network. But the compromise of confidentiality would be catastrophic, because an opponent would be able to plan countermeasures (and the organization may not know of the compromise).
A commercial security policy is a security policy developed primarily to provide integrity. The name comes from the need of commercial firms to prevent tampering with their data, because they could not survive such compromises. For example, if the confidentiality of a bank's computer is compromised, a customer's account balance may be revealed. This would certainly embarrass the bank and possibly cause the customer to take her business elsewhere. But the loss to the bank's "bottom line" would be minor. However, if the integrity of the computer holding the accounts were compromised, the balances in the customers' accounts
could be altered, with financially ruinous effects.
Some integrity policies use the notion of a transaction; like database specifications, they require that actions occur in such a way as to leave the database in a consistent state. These policies, called transaction-oriented integrity security policies, are critical to organizations that require consistency of databases.
Difference in *Confidentiality and Integrity Policy
Confidentiality policies place no trust in objects; the policy statement dictates whether that objects can be disclosed. It says nothing about whether the object should be believed
Integrity policies, to the contrary, indicate how much the object can be trusted. Given that this level of trust is correct, the policy dictates what a subject can do with that object
A confidentiality policy is a security policy dealing only with confidentiality.
An integrity policy is a security policy dealing only with integrity.
Both confidentiality policies and military policies deal with confidentiality; however, a
Confidentiality policy does not deal with integrity at all, whereas a military policy may. A similar distinction holds for integrity policies and commercial policies.
Role of Trust 14/09/09
Role of trust in understanding the nature of computer security is very important let us consider an example a system administrator receives a security patch for her computer's operating system. She installs it. Has she improved the security of her system? She has indeed, given the correctness of certain assumptions:
She is assuming that the patch came from the vendor and was not tampered with in
Transit, rather than from an attacker trying to trick her into installing a bogus patch
that would actually open security holes.
She is assuming that the vendor tested the patch thoroughly.
She is assuming that the vendor's test environment corresponds to her environment.
Otherwise, the patch may not work as expected
She is assuming that the patch is installed correctly. Some patches are simple to
install, because they are simply executable files. Others are complex, requiring the
system administrator to reconfigure network-oriented properties, add a user, modify
the contents of a registry, give rights to some set of users, and then reboot the
system. An error in any of these steps could prevent the patch from correcting the
problems, as could an inconsistency between the environments in which the patch was developed and in which the patch is applied. Furthermore, the patch may claim to require specific privileges, when in reality the privileges are unnecessary and in fact dangerous.
Types of Access Control
There are two types of access controls used by security policies alone or in combination. In one of them access control is left to the discretion (judgment) of the owner also called as identity base access control and in other one the access control is left to the operating system, also called as the mandatory access control. If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC). Discretionary access controls base access rights on the identity of the subject and the identity of the object involved. Identity is the key; the owner of the object constrains who can access it by allowing only particular subjects to have access. The owner states the constraint in terms of the identity of the subject, or the owner of the subject.
When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control. The operating system enforces mandatory access controls. Neither the subject nor the owner of the object can determine whether access is granted. Typically, the system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object. Rules describe the conditions under which access is allowed.
An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains). The goal of this control is to allow the originator of the file (or of the information it contains) to control the dissemination of the information. The owner of the file has no control over who may access the file. a
Date 16/09/09
needto work on that
Authentication: Binding of an identity of the entity to a subject, subjects act on behalf of some other external entity. Identity of that entity associates the action that a subject may take. So the identity of that entity must bind to that subject. We may say that its mapping of real world objects to the secure world objects.
Entity must provide.
What the entity know (Passwords, secret question, name)
What the entity has (badge, smart card)
What the entity is (token, retina, DNA, finger prints)
Where the entity is (IP address)
Authentication Process: In this process we try to obtain authentication information from the entity. Analyzing the data if it is associated to that entity
Authentication System: There are 5 components of authentication System
Set A of authentication information is the specific info with which entities proves their identities.
Set C of complementary information that a systems stores to validate the identity of the entity.
Set F the complementation function that generates the authentication information from the complimentary information.
Set L of authentication function that verifies the entity.
Set S of the selection function that enables the entity to alter or create a new authentication
Passwords: It is associated to the entity which is used to verify the identity of that entity. When a user enters a password system validates that password if the pass is correct then user is authenticated if not then authentication fails.
Approaches to protect a password.
Goal of authentication system is to protect the identity of the entity. If one entity can guess the identity of an other entity then guesser can impersonate itdelf. The goal is to find an a belongs A such that, for f belongs F, f(a) = c belongs C and c is associated with a particular entity (or any entity).
we have two approaches for protecting the passwords, used simultaneously.
1. Hide enough information so that one of a, c, or f cannot be found.
2. Prevent access to the authentication functions L.
Attacking a Password System
A dictionary attack is the guessing of a password by repeated trial and error
If the complementary information and complementation functions are available, the dictionary attack takes each guess g and computes f(g) for each f belongs F. If f (g) corresponds to the complementary information for entity E, then g authenticates E under f. This is a dictionary attack type 1.
If either the complementary information or the complementation functions are unavailable, the authentication functions l belongs L may be used. If the guess g results in l returning true, g is the correct password. This is a dictionary attack type 2.
11.2.2. Countering Password Guessing
Password guessing requires either the set of complementation functions and complementary information or access to the authentication functions. In both approaches, the goal of the defenders is to maximize the time needed to guess the password.
Random Selection of Passwords
Theorem
Let the expected time required to guess a password be T. Then T is a maximum when the selection of any of a set of possible passwords is equiprobable.
Pronounceable and Other Computer-Generated Passwords
A compromise between using random, unmemorizable passwords and writing passwords down is to use pronounceable passwords
EXAMPLE: The passwords "helgoret" and "juttelon" are pronounceable passwords; "przbqxdf " and "zxrptglfn" are not.
key crunching [373].
Definition 114. Let n and k be two integers, with n k. Key crunching is the hashing of a string of length n or less to another string of length k or less.
Conventional hash functions, such as MD5 and SHA-1, are used for key crunching.
User Selection of Passwords
proactive password selection enables users to propose passwords they can remember, but rejects any that are deemed too easy to guess.
passwords that researchers have found easy to guess are as follows
1. Passwords based on account names
a. Account name followed by a number
b. Account name surrounded by delimiters
2. Passwords based on user names
a. Initials repeated 0 or more times
b. All letters lower- or uppercase
c. Name reversed
d. First initial followed by last name reversed
3. Passwords based on computer names
5. Reversed dictionary words
6. Dictionary words with some or all letters capitalized
7. Reversed dictionary words with some or all letters capitalized
8. Dictionary words with arbitrary letters turned into control characters
9. Dictionary words with any of the following changes: a 2 or 4, e 3, h 4, i 1, l 1, o 0, s 5 or $, z 5.
10. Conjugations or declensions of dictionary words
11. Patterns from the keyboard
12. Passwords shorter than six characters
13. Passwords containing only digits
14. Passwords containing only uppercase or lowercase letters, or letters and numbers, or letters and punctuation
15. Passwords that look like license plate numbers
16. Acronyms (such as "DPMA," "IFIPTC11," "ACM," "IEEE," "USA," and so on)
17. Passwords used in the past
18. Concatenations of dictionary words
19. Dictionary words preceded or followed by digits, punctuation marks, or spaces
20. Dictionary words with all vowels deleted
21. Dictionary words with white spaces deleted
22. Passwords with too many characters in common with the previous (current) password
Good passwords can be constructed in several ways. A password containing at least one digit, one letter, one punctuation symbol, and one control character is usually quite strong. A second technique is to pick a verse from an obscure poem (or an obscure verse from a well-known poem) and pick the characters for the string from its letters
Definition 115. A proactive password checker is software that enforces specific restrictions on the selection of new passwords.
Proactive password checkers must meet several criteria [111]:
1. It must always be invoked. Otherwise, users could bypass the proactive mechanism.
2. It must be able to reject any password in a set of easily guessed passwords (such as in the list above).
3. It must discriminate on a per-user basis. For example, "^AHeidiu'" (^A being control-a) is a reasonable password (modulo Exercise 5) for most people, but not for the author, whose oldest daughter is named "Heidi Tinúviel."
4. It must discriminate on a per-site basis. For example, "^DHMC^DCNH" is a reasonable password at most places, but not at the Dartmouth Hitchcock Medical Center at Dartmouth College, New Hampshire.
5. It should have a pattern-matching facility. Many common passwords, such as "aaaaa," are not in dictionaries but are easily guessed. A pattern-matching language makes detecting these patterns simple. For example, in one pattern-matching language, the pattern "^\(.\)\1*$" will detect all strings composed of a single character repeated one or more times.
6. It should be able to execute subprograms and accept or reject passwords based on the results. This allows the program to handle spellings that are not in dictionaries. For example, most computer dictionaries do not contain the word "waters" (because it is the plural of a word, "water," in that dictionary). A spelling checker would recognize "waters" as a word. Hence, the program should be able to run a spelling checker on proposed passwords, to detect conjugations and declensions of words in the dictionary.
7. The tests should be easy to set up, so administrators do not erroneously allow easily guessed passwords to be accepted.
18/09/09
Reusable Passwords and Dictionary Attacks
As discussed earlier, reusable passwords are quite susceptible to dictionary attacks of type 1. The goal of random passwords, pronounceable passwords, and proactive password checking is to maximize the time needed to guess passwords.
SALTING
In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. A salt can also be used as a part of a key in a cipher or other cryptographic algorithm. If a type 1 dictionary attack is aimed at finding any user's password (as opposed to a particular user's password), a technique known as salting increases the amount of work required [651]. Salting makes the choice of complementation function a function of randomly selected data. Ideally, the random data is different for each user.
Guessing Through Authentication Functions
If the actual complements, or the complementation functions, are not publicly available, the only way to try to guess a password is to use the authentication function systems provide for authorized users to log in.
Defending against such attacks
backoff techniques. The most common, exponential backoff, begins when a user attempts to authenticate and fails. Let x be a parameter selected by the system administrator. The system waits x0 = 1 second before reprompting for the name and authentication data. If the user fails again, the system reprompts after x1 = x seconds. After n failures, the system waits xn1 seconds. Other backoff techniques use arithmetic series rather than geometric series (reprompting immediately, then waiting x seconds, then waiting 2x seconds, and so forth).
Techniques of the second type involve disconnection. After some number of failed authentication attempts, the connection is broken and the user must reestablish it. This technique is most effective when connection setup requires a substantial amount of time, such as redialing a telephone number
Techniques of the third type use disabling. If n consecutive attempts to log in to an account fail, the account is disabled until a security manager can reenable it.
The final, fourth type of technique is called jailing. The unauthenticated user is given access to a limited part of the system and is gulled into believing that he or she has full access. The jail then records the attacker's actions. This technique is used to determine what the attacker wants or simply to waste the attacker's time.
Password Aging
Guessing of passwords requires that access to the complement, the complementation functions, and the authentication functions be obtained. If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system.
Password aging is the requirement that a password be changed after some period of time has passed or after some event has occurred.
There are problems involved in implementing password aging. The first is forcing users to change to a different password. The second is providing notice of the need to change and a user-friendly method of changing passwords.
Password aging is useless if a user can simply change the current password to the same thing. One technique to prevent this is to record the n previous passwords. When a user changes a password, the proposed password is compared with these n previous ones. If there is a match, the proposed password is rejected. The problem with this mechanism is that users can change passwords n times very quickly, and then change them back to the original passwords. This defeats the goal of password aging.
Challenge-Response
Let user U desire to authenticate himself to system S. Let U and S have an agreed-on secret function f. A challenge-response authentication system is one in which S sends a random message m (the challenge) to U, and U replies with the transformation r = f(m) (the response). S validates r by computing it separately.
Pass Algorithms
Let there be a challenge-response authentication system in which the function f is the secret. Then f is called a pass algorithm
One-Time Passwords
A one-time password is a password that is invalidated as soon as it is used. Mechanism that uses one-time passwords is also a challenge-response mechanism. The challenge is the number of the authentication attempt; the response is the one-time password
19/09/09
Hardware-Supported Challenge-Response Procedures
Hardware support comes in two forms: a program for a general-purpose computer and special-purpose hardware support. Both perform the same functions.
The first type of hardware device, informally called a token, provides mechanisms for hashing or enciphering information. With this type of device, the system sends a challenge. The user enters it into the device. The device returns the appropriate response. Some devices require the user to enter a personal identification number or password, which is used as a cryptographic key or is combined with the challenge to produce the response.
The second type of hardware device is temporally based. Every 60 seconds, it displays a different number. The numbers range from 0 to 10n 1, inclusive. A similar device is attached to the computer. It knows what number the device for each registered user should display. To authenticate, the user provides his login name. The system requests a password. The user then enters the number shown on the hardware device, followed by a fixed (reusable) password. The system validates that the number is the one expected for the user at that time and that the reusable portion of the password is correct.
Whether or not a challenge-response technique is vulnerable to a dictionary attack of type 1 depends on the nature of the challenge and the response. In general, if the attacker knows the challenge and the response, a dictionary attack proceeds as for a reusable password system.
21/09/09
Biometrics
Fingerprints
Fingerprints can be scanned optically, but the cameras needed are bulky. A capacitative technique uses the differences in electrical charges of the whorls on the finger to detect those parts of the finger touching a chip and those raised. The data is converted into a graph in which ridges are represented by vertices and vertices corresponding to adjacent ridges are connected. Each vertex has a number approximating the length of the corresponding ridge. At this point, determining matches becomes a problem of graph matching . This problem is similar to the classical graph isomorphism problem, but because of imprecision in measurements, the graph generated from the fingerprint may have different numbers of edges and vertices. Thus, the matching algorithm is an approximation.
Voices
Authentication by voice, also called speaker verification or speaker recognition, involves recognition of a speaker's voice characteristics or verbal information verification . The former uses statistical techniques to test the hypothesis that the speaker's identity is as claimed. The system is first trained on fixed pass-phrases or phonemes that can be combined. To authenticate, either the speaker says the pass-phrase or repeats a word (or set of words) composed of the learned phonemes. Verbal information verification deals with the contents of utterances. The system asks a set of questions such as "What is your mother's maiden name?" and "In which city were you born?" It then checks that the answers spoken are the same as the answers recorded in its database. The key difference is that speaker verification techniques are speaker-dependent, but verbal information verification techniques are speaker-independent, relying only on the content of the answers .
Eyes
Authentication by eye characteristics uses the iris and the retina. Patterns within the iris are unique for each person. Hence, one verification approach is to compare the patterns statistically and ask whether the differences are random . A second approach is to correlate the images using statistical tests to see if they match . Retinal scans rely on the uniqueness of the patterns made by blood vessels at the back of the eye. This requires a laser beaming onto the retina, which is highly intrusive. This method is typically used only in the most secure facilities .
11.4.4. Faces
Face recognition consists of several steps. First, the face is located. If the user places her face in a predetermined position (for example, by resting her chin on a support), the problem becomes somewhat easier. However, facial features such as hair and glasses may make the recognition harder. Techniques for doing this include the use of neural networks and templates . The resulting image is then compared with the relevant image in the database. The correlation is affected by the differences in the lighting between the current image and the reference image, by distortion, by "noise," and by the view of the face. The correlation mechanism must be "trained." Several different methods of correlation have been used, with varying degrees of success . An alternative approach is to focus on the facial features such as the distance between the nose and the chin, and the angle of the line drawn from one to the other .
Keystrokes
Keystroke dynamics requires a signature based on keystroke intervals, keystroke pressure, keystroke duration, and where the key is struck (on the edge or in the middle). This signature is believed to be unique in the same way that written signatures are unique. Keystroke recognition can be both static and dynamic. Static recognition is done once, at authentication time, and usually involves typing of a fixed or known string . Once authentication has been completed, an attacker can capture the connection (or take over the terminal) without detection. Dynamic recognition is done throughout the session, so the aforementioned attack is not feasible. However, the signature must be chosen so that variations within an individual's session do not cause the authentication to fail. For example, keystroke intervals may vary widely, and the dynamic recognition mechanism must take this into account. The statistics gathered from a user's typing are then run through statistical tests (which may discard some data as invalid, depending on the technique used) that account for acceptable variance in the data.
Combinations
Several researchers have combined some of the techniques decribed above to improve the accuracy of biometric authentication. Dieckmann, Plankensteiner, and Wagner combined voice sounds and lip motion with the facial image. Duc, Bigun, Bigun, Maire, and Fischer describe a "supervisor module" for melding voice and face recognition with a success rate of 99.5%. The results indicate that a higher degree of accuracy can be attained than when only a single characteristic is used.
Caution
Because biometrics measures characteristics of the individual, people are tempted to believe that attackers cannot pose as authorized users on systems that use biometrics. Two assumptions underlie this belief. The first is that the biometric device is accurate in the environment in which it is used. For example, if a fingerprint scanner is under observation, having it scan a mask of another person's finger would be detected. But if it is not under observation, such a trick might not be detected and the unauthorized user might gain access. The second assumption is that the transmission from the biometric device to the computer's analysis process is tamperproof. Otherwise, one could record a legitimate authentication and replay it later to gain access. Exercise 13 explores this in more detail.
Location
Denning and MacDoran suggest an innovative approach to authentication. They reason that if a user claims to be Anna, who is at that moment working in a bank in California but is also logging in from Russia at the same time, the user is impersonating Anna. Their scheme is based on the Global Positioning System (GPS), which can pinpoint a location to within a few meters. The physical location of an entity is described by a location signature derived from the GPS satellites. Each location (to within a few meters) and time (to within a few milliseconds) is unique, and hence form a location signature. This signature is transmitted to authenticate the user. The host also has a location signature sensor (LSS) and obtains a similar signature for the user. If the signatures disagree, the authentication fails.
This technique relies on special-purpose hardware. If the LSS is stolen, the thief would have to log in from an authorized geographic location. Because the signature is generated from GPS data, which changes with respect to time, location, and a variety of vagaries resulting from the nature of the electromagnetic waves used to establish position, any such signature would be unique and could not be forged. Moreover, if intercepted, it could not be replayed except within the window of temporal uniqueness.
This technique can also restrict the locations from which an authorized user can access the system.
Authentication methods can be combined, or multiple methods can be used.
25/09/09
Design Principles
Saltzer and Schroeder describe eight principles for the design and implementation of
Simplicity makes designs and mechanisms easy to understand. More importantly, less can go wrong with simple designssecurity mechanisms. Simplicity also reduces the potential for inconsistencies within a policy or set of policies
Restriction minimizes the power of an entity. The entity can access only information it needs.
Entities can communicate with other entities only when necessary, and in as few (and narrow) ways as possible.
Communication" is used in its widest possible sense, including that of imparting information by not communicating
Design Principles
Principle of Least Privilege
The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task. If a subject does not need an access right, the subject should not have that right. Furthermore, the function of the subject (as opposed to its identity) should control the assignment of rights. If a specific action requires that a subject's access rights be augmented, those extra rights should be relinquished immediately on completion of the action. This is the analogue of the "need to know" rule: if the subject does not need access to an object to perform its task, it should not have the right to access that object. More precisely, if a subject needs to append to an object, but not to alter the information already contained in the object, it should be given append rights and not write rights.
This principle requires that processes should be confined to as small a protection domain as possible.
Principle of Fail-Safe Defaults
This principle restricts how privileges are initialized when a subject or object is created.
The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object.
This principle requires that the default access to an object is none. Whenever access, privileges, or some security-related attribute is not explicitly granted, it should be denied. Moreover, if the subject is unable to complete its action or task, it should undo those changes it made in the security state of the system before it terminates. This way, even if the program fails, the system is still safe.
Principle of Economy of Mechanism
The principle of economy of mechanism states that security mechanisms should be as simple as possible.
If a design and implementation are simple, fewer possibilities exist for errors. The checking and testing process is less complex, because fewer components and cases need to be tested. Complex mechanisms often make assumptions about the system and environment in which they run. If these assumptions are incorrect, security problems may result.