Access Control and Password Management

FORESEC Academy Security Essentials (II): Access Control and Password Management

Description: PowerPoint presentation (25 slides). Agenda: Access Control (Techniques, Models); Passwords (Password Cracking, Password Management). Key Terms & Principles: Data Owner, Data Custodian, Separation of Duties, Least Privilege.

Transcript of Access Control and Password Management

Page 1: Access Control and Password Management

FORESEC Academy

ACCESS CONTROL AND PASSWORD MANAGEMENT

FORESEC Academy Security Essentials (II)

Page 2: Agenda

Access Control
- Techniques
- Models

Passwords
- Password Cracking
- Password Management

Page 3: Key Terms & Principles

- Data Owner
- Data Custodian
- Separation of duties
- Least Privilege

Page 4: Access Control Techniques

- Discretionary (DAC)
- Mandatory (MAC)
- Role-based
- Rule-based
- List-based
- Token-based

Page 5: Lattice Techniques

Access Matrix
- Objects
- Subjects

Models
- Bell-LaPadula
- Biba
- Clark-Wilson

Page 6: Lattice Techniques (2)

Bell-LaPadula
- Designed for the military environment
- Addresses only confidentiality

Rules
- Simple Security Property
- Star Property (* Property)
- Strong Star Property

Page 7: Lattice Techniques (3)

Biba
- Model for integrity
- Suited for the commercial environment

Rules
- Simple Integrity Property
- Integrity Star Property

Information may only flow downwards
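The Bell-LaPadula and Biba rules on the two slides above, written out as a small reference-monitor check. This is an added example, not material from the FORESEC deck; the four-level lattice, the model/operation names and the `decide` helper are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    """Constructed lattice of levels, lowest to highest (used for both models)."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Bell-LaPadula (confidentiality): compare subject clearance with object classification.
def blp_can_read(clearance: Level, classification: Level) -> bool:
    # Simple Security Property: no read up.
    return clearance >= classification

def blp_can_write(clearance: Level, classification: Level) -> bool:
    # Star (*) Property: no write down.
    return clearance <= classification

def blp_can_write_strong(clearance: Level, classification: Level) -> bool:
    # Strong Star Property: write only at the subject's own level.
    return clearance == classification

# Biba (integrity): the BLP rules mirrored, so information can only flow
# downwards in integrity (high-integrity data may reach low-integrity subjects, not vice versa).
def biba_can_read(subject_integrity: Level, object_integrity: Level) -> bool:
    # Simple Integrity Property: no read down.
    return subject_integrity <= object_integrity

def biba_can_write(subject_integrity: Level, object_integrity: Level) -> bool:
    # Integrity Star Property: no write up.
    return subject_integrity >= object_integrity

def decide(model: str, op: str, subject: Level, obj: Level) -> tuple[bool, str]:
    """Reference-monitor style decision: returns (allowed, rule that was applied)."""
    rules = {
        ("blp", "read"):   (blp_can_read,   "BLP simple security (no read up)"),
        ("blp", "write"):  (blp_can_write,  "BLP star property (no write down)"),
        ("biba", "read"):  (biba_can_read,  "Biba simple integrity (no read down)"),
        ("biba", "write"): (biba_can_write, "Biba integrity star (no write up)"),
    }
    check, rule = rules[(model, op)]
    return check(subject, obj), rule

if __name__ == "__main__":
    # Constructed requests: a SECRET-level subject against a TOP_SECRET object.
    for model in ("blp", "biba"):
        for op in ("read", "write"):
            allowed, rule = decide(model, op, Level.SECRET, Level.TOP_SECRET)
            print(f"{model:4} {op:5} SECRET->TOP_SECRET: {'allow' if allowed else 'deny'} ({rule})")
```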

Page 8: Lattice Techniques (4)

Clark-Wilson
- Integrity model
- Uses an access triple: Subject, Program, Object
- Prevents loss or corruption of data
- Ensures well-formed transactions

Page 9: Access Management

- Account administration
- Maintenance
- Monitoring
- Revocation

Page 10: Access Control Models

- State machine
- Information flow
- Covert channels
- Non-interference

Page 11: Protocols

- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
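The two protocols on this slide side by side, as an added example (not from the FORESEC deck): a CHAP challenge/response exchange with the MD5 response computation from RFC 1994, and the PAP message that carries the credential itself. The `Authenticator` class, the user "alice" and the shared secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """Server side: issues challenges and checks responses; the secret never crosses the wire."""
    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets                  # shared secrets provisioned out of band
        self.pending: dict[int, bytes] = {}     # outstanding challenges, keyed by identifier

    def challenge(self, identifier: int) -> bytes:
        # A fresh random challenge each time, so a captured response cannot be replayed.
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def peer_respond(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Client side: proves knowledge of the secret without transmitting it."""
    return chap_response(identifier, secret, challenge)

def pap_wire(name: str, password: str) -> bytes:
    """PAP, by contrast, puts the credential itself on the wire in clear."""
    return f"{name}:{password}".encode()

def run_exchange(secret_on_peer: bytes) -> bool:
    """One CHAP exchange with constructed values; True if the authenticator accepts."""
    auth = Authenticator({"alice": b"correct-horse"})    # constructed shared secret
    ident = 1
    chal = auth.challenge(ident)                         # 1. Challenge  -> peer
    resp = peer_respond(ident, chal, secret_on_peer)     # 2. Response   -> authenticator
    return auth.verify(ident, "alice", resp)             # 3. Success / Failure
```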

Page 12: Centralized Control

- TACACS
- RADIUS
- Domains & Trusts
- Active Directory
- Kerberos

Page 13: Access Control: Biometrics

- Hand: fingerprint, hand geometry
- Eye: retina, iris
- Face: thermograms, photo
- Voice print
- Mannerisms: keystroke, tread, handwriting

Page 14: Access Control: Biometrics (2)

Key factors in selecting biometrics:
- Reliability: FRR (false rejection rate), FAR (false acceptance rate), CER (crossover error rate), EER (equal error rate)
- User friendliness
- Cost

Page 15: Single Sign-On (SSO)

- User only has to log on once
- Credentials are carried with the user
- Simplifies user management
- Allows centralized management
- User only has to remember one set of credentials

Page 16: Single Sign-On (2)

Can take different forms:
- Scripts
- Directory Services
- Kerberos
- Thin Clients

Drawbacks
- Security issues
- Interoperability issues

Page 17: Access Control: Passwords

Page 18: What is Password Cracking?

Discovering a plaintext password given an encrypted password.

Page 19: Methods of Password Cracking

- Dictionary attack
- Hybrid attack
- Brute force attack

Page 20: Unix Password Cracking - Crack

Name: Crack
Operating System: Unix
Brief Description: Crack is a "password guessing" program that is designed to quickly identify accounts having weak passwords, given a Unix password file.

Page 21: Crack

Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack

Features
- Configurable password cracking
- Modular approach with various scripts
- Combining and extracting password files
- Works with any crypt() implementation

Page 22: Configuring Crack

1. Download the Crack file
2. Unzip the file using gzip
   - gunzip -r crack5.0.tar.gz
3. Untar the file
   - tar -xvf crack5.0.tar
4. Read manual.txt
5. Edit the script file
6. Compile the program
   - Crack -makeonly
   - Crack -makedict

Page 23: Running Crack

Run Crack with a password file
- Crack [options] [-fmt format] [file ...]
- Crack myfile

Pipe output to a file
- Crack myfile > output

Run the Reporter script to see results
- ./Reporter [-quiet] [-html]

Page 24: Effectiveness of Crack

User    Password      Result
Eric    eric          CRACKED
John    john1234
Mike    5369421
Mary    #57adm7#
Sue     sue           CRACKED
Lucy    12345         CRACKED
Pat     (no password) CRACKED
Tim     password      CRACKED
Cathy   55555         CRACKED
Frank   abcde         CRACKED
Tom     mnopqr
Karen   bbbbbbbb      CRACKED

Page 25: How to Protect Against It

- Enforce a strong password policy
- Use shadow passwords
- Use one-time passwords
- Use passwd to enforce strong passwords
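The first and last points on this slide, a strong password policy enforced at password-setting time, as an added example (not from the FORESEC deck). The checker is run over the twelve accounts from the "Effectiveness of Crack" slide; the policy thresholds, the reason strings and the small common-word list are constructed for illustration and stand in for the word lists a cracker would use.

```python
import string

# Constructed stand-in for a cracking dictionary; a real policy would use a large word list.
COMMON_WORDS = {"password", "12345", "123456", "abcde", "qwerty", "letmein", "admin"}

def _is_sequence(pw: str) -> bool:
    """True for runs such as 'abcde' or '12345' (every step +1, or every step -1)."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})

def policy_violations(username: str, password: str) -> list[str]:
    """Return the reasons a candidate password is rejected (empty list = acceptable)."""
    if not password:
        return ["empty password"]
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if username.lower() in password.lower():
        reasons.append("contains the user name")
    if password.lower() in COMMON_WORDS:
        reasons.append("in the common-password list")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    if _is_sequence(password):
        reasons.append("sequential characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        reasons.append("fewer than 3 character classes")
    return reasons

# Constructed from the slide's Crack results: (user, password, cracked by Crack?)
SLIDE_ACCOUNTS = [
    ("Eric", "eric", True), ("John", "john1234", False), ("Mike", "5369421", False),
    ("Mary", "#57adm7#", False), ("Sue", "sue", True), ("Lucy", "12345", True),
    ("Pat", "", True), ("Tim", "password", True), ("Cathy", "55555", True),
    ("Frank", "abcde", True), ("Tom", "mnopqr", False), ("Karen", "bbbbbbbb", True),
]

def audit(accounts=SLIDE_ACCOUNTS) -> dict[str, list[str]]:
    """Map each user to the violations; an empty list means the password would have been accepted."""
    return {user: policy_violations(user, pw) for user, pw, _ in accounts}

if __name__ == "__main__":
    for user, reasons in audit().items():
        print(f"{user:6} {'OK' if not reasons else 'REJECT: ' + ', '.join(reasons)}")
```

Every password Crack recovered on the previous slide is rejected by the policy before it ever reaches the password file; the policy is deliberately stricter than the cracker, so some passwords Crack missed (john1234, mnopqr) are rejected too.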