1 / 27

Authentication and access control overview

Authentication and access control overview. March 24, 2008. Outline. Definitions Authentication Factors Evaluation Examples Access control Case study: Convenient SecureID Case study: Website mutual authentication. Definitions. Identification - a claim about identity

binta
Download Presentation

Authentication and access control overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Authentication and access control overview March 24, 2008

  2. Outline • Definitions • Authentication • Factors • Evaluation • Examples • Access control • Case study: Convenient SecureID • Case study: Website mutual authentication

  3. Definitions • Identification - a claim about identity • Who or what I am (global or local) • Authentication - confirming that claims are true • I am who I say I am • I have a valid credential • Authorization - granting permission based on a valid claim • Now that I have been validated, I am allowed to access certain resources or take certain actions • Access control system - a system that authenticates users and gives them access to resources based on their authorizations • Includes or relies upon an authentication mechanism • May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations

  4. Building blocks of authentication • Factors • Something you know (or recognize) • Something you have • Something you are • Two factors are better than one • Especially two factors from different categories • What are some examples of each of these factors? • What are some examples of two-factor authentication?

  5. Authentication mechanisms • Text-based passwords • Graphical passwords • Hardware tokens • Public key crypto protocols • Biometrics

  6. Evaluation • Accessibility • Memorability • Security • Cost • Environmental considerations

  7. Typical password advice

  8. Typical password advice • Pick a hard to guess password • Don’t use it anywhere else • Change it often • Don’t write it down So what do you do when every web site you visit asks for a password?

  9. Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

  10. Problems with Passwords • Selection • Difficult to think of a good password • Passwords people think of first are easy to guess • Memorability • Easy to forget passwords that aren’t frequently used • Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters • Reuse • Too many passwords to remember • A previously used password is memorable • Sharing • Often unintentional through reuse • Systems aren’t designed to support the way people work together and share information

  11. Substitute numbers for words or similar-looking letters fsasya,oF Substitute symbols for words or similar-looking letters 4sa7ya,oF Mnemonic Passwords Four F Four and and a , , score s y years seven s seven a ago o our F Fathers First letter of each word (with punctuation) 4sa7ya,oF 4sasya,oF 4s&7ya,oF Source: Cynthia Kuo, SOUPS 2006

  12. The Promise? • Phrases help users incorporate different character classes in passwords • Easier to think of character-for-word substitutions • Virtually infinite number of phrases • Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006

  13. The Problem? • “Goodness” of mnemonic passwords unknown • Yan et al. compared regular, mnemonic, and randomly generated passwords • Used standard (non-mnemonic) dictionary • Effectively evaluated whether mnemonic passwords contained dictionary words Source: Cynthia Kuo, SOUPS 2006

  14. Mnemonic password evaluation • Mnemonic passwords are not a panacea for password creation • No comprehensive dictionary today • May become more vulnerable in future • Many people start to use them • Attackers incentivized to build dictionaries • Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA. Source: Cynthia Kuo, SOUPS 2006

  15. Password keeper software • Run on PC or handheld • Only remember one password

  16. Single sign-on • Login once to get access to all your passwords

  17. Biometrics

  18. Graphical passwords

  19. “Forgotten password” mechanism • Email password or magic URL to address on file • Challenge questions • Why not make this the normal way to access infrequently used sites?

  20. What problems does this approach solve? What problems does is create? Convenient SecureID 1 Source: http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx

  21. What problems does this approach solve? What problems does is create? Convenient SecureID 2 Sources: http://fob.webhop.net/

  22. Browser-based mutual authentication • Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable-authentication/2007Mar/0004.html • User gets ID, password (or alternative), image, hotspot at enrollment • Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons • Then login box appears and user enters username and password (or alternative) • Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear) • User finds their image and clicks on hotspot • Image manipulation can help prevent replay attacks • What problems does this solve? • What problems doesn’t it solve? • What kind of testing is needed

  23. Types of access control • Discretionary access control • Distributed, dynamic, users set access rules for resources they own and can delegate access to others • Role-based access control • Centralized admin assigns users to roles and sets access rules based on roles • And many others that vary • discretionary/mandatory • centralized/distributed • granularity • grouping

  24. Access control usability problems • Admins, large organizations understanding large access control policies • Someone in marketing changed a policy and now we can’t figure out why people in sales no longer have access to a document • Who has access to this document anyway? • End users creating and understanding policies • Examples: File system permissions, Grey, Perspective, privacy rules • Home users want to share some files with some other users, but don’t want to share everything

  25. Policy conflicts • Given • Alice is in GroupA and GroupB • FileQ is in FolderX • What types of conflicts might occur? • Direct conflict • Alice allowed access to FileQ • Alice denied access to FileQ • Group/group conflict • GroupA allowed access to FileQ • GroupB denied access to FileQ • User/group conflict • Alice allowed access to FileQ • GroupA denied access to FileQ • File/directory conflict • Alice allowed access to FileQ • Alice denied access to FolderX • 2-way conflict • Alice allowed access to FileQ • GroupA denied access to FolderX

  26. How can conflicts be resolved? • Default rule – deny/allow takes precedence • Ordered rules – policy author sets order • Ordered rules – most recent first/last • Specificity – most/least specific takes precedence • Weighted rules – policy author assigns weights • Exceptions – policy authors defines exceptions (essentially a partial ordering) • Combination

More Related