Access Control and Password Management
FORESEC Academy Security Essentials (II)
Agenda
- Access Control: Techniques
- Access Control: Models
- Passwords
- Password Cracking
- Password Management
Key Terms & Principles
- Data Owner: accountable for the data; decides its classification and who may access it
- Data Custodian: implements and operates the controls the owner has specified (permissions, backups, monitoring)
- Separation of duties: no single person controls every step of a sensitive process
- Least Privilege: every subject gets only the access it needs to do its job, and no more
Access Control Techniques
- Discretionary (DAC)
- Mandatory (MAC)
- Role-based
- Rule-based
- List-based
- Token-based
Lattice Techniques
Access Matrix
- Objects
- Subjects
Bell-LaPadula, Biba, Clark-Wilson
Lattice Techniques (2)
Bell-LaPadula
- Designed for the military environment
- Addresses only confidentiality
- Rules:
  - Simple Security Property: no read up (a subject may read an object only if the subject's clearance dominates the object's classification)
  - Star Property (* Property): no write down (a subject may write an object only if the object's classification dominates the subject's clearance)
  - Strong Star Property: a subject may read and write only objects at its own level
Lattice Techniques (3)
Biba
- Model for integrity
- Suited for the commercial environment
- Rules:
  - Simple Integrity Property: no read down (a subject may not read an object of lower integrity)
  - Integrity Star Property: no write up (a subject may not write an object of higher integrity)
- Information only flows downwards, from higher integrity levels to lower ones
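The Bell-LaPadula and Biba rules above are easiest to see as a small reference monitor that answers "may this subject read or write this object?" under each model. The following is an added example, not code from the FORESEC slides; the level names, the subject and the objects are constructed for illustration, and the lattice is a simple total order (real MAC labels also carry compartments, which this omits).

```python
"""Bell-LaPadula and Biba rule checks over a lattice of levels (added example)."""
from dataclasses import dataclass

# Constructed, totally ordered levels; a higher index is a higher level. For BLP
# these are clearances/classifications, for Biba they are integrity levels.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


def dominates(a: str, b: str) -> bool:
    """True when level a is at or above level b in the lattice."""
    return LEVELS.index(a) >= LEVELS.index(b)


@dataclass(frozen=True)
class Subject:
    name: str
    level: str


@dataclass(frozen=True)
class Obj:
    name: str
    level: str


def blp_allows(subj: Subject, obj: Obj, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula (confidentiality).

    read : simple security property, "no read up"  -> subject must dominate object
    write: *-property, "no write down"             -> object must dominate subject
    With strong_star=True a write is allowed only at the subject's own level.
    """
    if op == "read":
        return dominates(subj.level, obj.level)
    if op == "write":
        if strong_star:
            return subj.level == obj.level
        return dominates(obj.level, subj.level)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """Biba (integrity), the dual of BLP.

    read : simple integrity property, "no read down" -> object must dominate subject
    write: integrity *-property, "no write up"       -> subject must dominate object
    Net effect: information can only flow downward in integrity.
    """
    if op == "read":
        return dominates(obj.level, subj.level)
    if op == "write":
        return dominates(subj.level, obj.level)
    raise ValueError(f"unknown operation {op!r}")


def decision_table(subj: Subject, objs: list) -> dict:
    """Side-by-side decisions for one subject, keyed by (object, op, model)."""
    table = {}
    for obj in objs:
        for op in ("read", "write"):
            table[(obj.name, op, "BLP")] = blp_allows(subj, obj, op)
            table[(obj.name, op, "Biba")] = biba_allows(subj, obj, op)
    return table


if __name__ == "__main__":
    alice = Subject("alice", "SECRET")
    objects = [Obj("plans", "TOP_SECRET"), Obj("report", "SECRET"), Obj("memo", "CONFIDENTIAL")]
    for (name, op, model), ok in sorted(decision_table(alice, objects).items()):
        print(f"{model:<4} {op:<5} {name:<7} {'allow' if ok else 'deny'}")
```

Running it shows the two models giving opposite answers for the same request: a SECRET subject may read a CONFIDENTIAL memo under BLP but not under Biba, and may write a TOP_SECRET object under BLP (write up is fine for confidentiality) but not under Biba (that would be a write up in integrity).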
Lattice Techniques (4)
Clark-Wilson Integrity Model
- Uses an access triple: Subject, Program, Object (subjects reach objects only through approved programs, never directly)
- Prevents loss or corruption of data
- Ensures well-formed transactions (data moves only from one consistent state to another)
Access Management
- Account administration
- Maintenance
- Monitoring
- Revocation
Access Control Models
- State machine
- Information flow
- Covert channels
- Non-interference
Protocols
- Password Authentication Protocol (PAP): the peer sends its user name and password in the clear; anyone who can sniff the link learns the password
- Challenge Handshake Authentication Protocol (CHAP): the authenticator sends a random challenge, the peer replies with a one-way hash (MD5) of the identifier, the shared secret and the challenge; the secret itself never crosses the link
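To make the difference between the two protocols concrete, here are both exchanges side by side as an added example (not code from the slides or from any PPP implementation). The CHAP part follows the RFC 1994 construction, Response = MD5(Identifier || secret || Challenge); the user name, the shared secret and the fixed test challenge are constructed.

```python
"""PAP versus CHAP: what actually crosses the link (added example)."""
import hashlib
import os
import secrets

# Constructed secret store on the authenticator. Note that CHAP needs the
# plaintext secret on the server side; it cannot verify against a hashed store.
SECRETS = {"alice": b"correct horse battery staple"}


# --- PAP: two-way handshake, credentials sent as-is ---------------------------

def pap_authenticate_request(username: str, password: bytes) -> dict:
    """What the peer sends; anyone sniffing the link sees both fields in the clear."""
    return {"peer_id": username, "password": password}


def pap_server_verify(request: dict) -> bool:
    stored = SECRETS.get(request["peer_id"], b"")
    return secrets.compare_digest(stored, request["password"])


# --- CHAP: three-way handshake, only a hash crosses the link -----------------

def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # MD5 is what RFC 1994 specifies; it is used here for protocol fidelity only.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_server_challenge(ident: int) -> dict:
    """Step 1: the authenticator sends a fresh random challenge with an identifier."""
    return {"id": ident, "challenge": os.urandom(16)}


def chap_peer_response(challenge_msg: dict, username: str, secret: bytes) -> dict:
    """Step 2: the peer answers with the hash; the secret itself is never sent."""
    value = chap_response_value(challenge_msg["id"], secret, challenge_msg["challenge"])
    return {"id": challenge_msg["id"], "name": username, "value": value}


def chap_server_verify(challenge_msg: dict, response: dict) -> bool:
    """Step 3: the authenticator recomputes the hash from its own copy of the secret."""
    if response["id"] != challenge_msg["id"]:      # reply must match the outstanding challenge
        return False
    secret = SECRETS.get(response["name"])
    if secret is None:
        return False
    expected = chap_response_value(challenge_msg["id"], secret, challenge_msg["challenge"])
    return secrets.compare_digest(expected, response["value"])


def run_chap(username: str, secret: bytes, ident: int = 1) -> tuple:
    """Full exchange; returns (success, the response message that crossed the link)."""
    chal = chap_server_challenge(ident)
    resp = chap_peer_response(chal, username, secret)
    return chap_server_verify(chal, resp), resp


if __name__ == "__main__":
    pw = SECRETS["alice"]
    print("PAP on the wire :", pap_authenticate_request("alice", pw))
    ok, resp = run_chap("alice", pw)
    print("CHAP on the wire:", resp, "-> accepted" if ok else "-> rejected")
```

Two caveats a practitioner should keep in mind: a captured CHAP response cannot be replayed, because the next challenge is different, but an attacker who sniffs one challenge/response pair can still run an offline dictionary attack on the shared secret, so secret strength matters exactly as it does for stored password hashes; and the authenticator must hold the secret in plaintext, which PAP with a hashed password store does not require.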
Centralized Control
- TACACS
- RADIUS
- Domains & Trusts
- Active Directory
- Kerberos
Access Control: Biometrics
- Hand: fingerprint, hand geometry
- Eye: retina, iris
- Face: thermograms, photo
- Voice print
- Mannerisms: keystroke dynamics, gait, handwriting
Access Control: Biometrics (2)
Key factors in selecting biometrics:
- Reliability
  - FRR (False Rejection Rate, Type I error): legitimate users wrongly rejected
  - FAR (False Acceptance Rate, Type II error): impostors wrongly accepted
  - CER / EER (Crossover or Equal Error Rate): the sensitivity setting at which FRR equals FAR; the lower the CER, the more accurate the system
- User friendliness
- Cost
Single Sign-On (SSO)
- User only has to log on once
- Credentials are carried with the user
- Simplifies user management
- Allows centralized management
- User only has to remember one set of credentials
Single Sign-On (2)
Can take different forms:
- Scripts
- Directory Services
- Kerberos
- Thin Clients
Drawbacks:
- Security issues (one compromised credential opens every participating system)
- Interoperability issues
Access Control: Passwords
What is Password Cracking?
Recovering a plaintext password given its stored hash (on Unix, the crypt() output in the password file). The hash is one-way, so the cracker does not reverse it: it guesses candidate passwords, hashes each one the same way, and compares the result with the stored value.
Methods of Password Cracking
- Dictionary attack: hash every word in a wordlist and compare
- Hybrid attack: apply mangling rules to dictionary words (append digits, change case, reverse, substitute characters) before hashing
- Brute force attack: try every combination over a character set; guaranteed to succeed eventually, but the work grows exponentially with password length
Unix Password Cracking - Crack
Name: Crack
Operating System: Unix
Brief Description: Crack is a "password guessing" program designed to quickly identify accounts having weak passwords, given a Unix password file.
Crack
Available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack
Features
- Configurable password cracking
- Modular approach with various scripts
- Combining and extracting password files
- Works with any crypt() implementation
Configuring Crack
- Download the Crack archive
- Decompress it with gzip: gunzip crack5.0.tar.gz
- Untar it: tar -xvf crack5.0.tar
- Read manual.txt
- Edit the Crack script (compiler and options for your platform)
- Compile the program and build the dictionaries:
  - Crack -makeonly
  - Crack -makedict
Running Crack
- Run Crack with a password file: Crack [options] [-fmt format] [file ...]
  - Crack myfile
- Redirect output to a file: Crack myfile > output
- Run the Reporter script to see results: ./Reporter [-quiet] [-html]
Effectiveness of Crack
User    Password        Result
Eric    eric            CRACKED
John    john1234        not cracked
Mike    5369421         not cracked
Mary    #57adm7#        not cracked
Sue     sue             CRACKED
Lucy    12345           CRACKED
Pat     (no password)   CRACKED
Tim     password        CRACKED
Cathy   55555           CRACKED
Frank   abcde           CRACKED
Tom     mnopqr          not cracked
Karen   bbbbbbbb        CRACKED
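The three methods from the "Methods of Password Cracking" slide, run against the accounts on the effectiveness slide, reproduce the same split between cracked and not cracked. This is an added example, not the Crack tool itself: Crack works on crypt() hashes, but to keep the example stand-alone it uses salted SHA-256 through hashlib instead (an assumption for illustration only). The shadow-style file, the per-user salts and the tiny wordlist are all constructed here.

```python
"""Dictionary, hybrid and brute-force cracking against a constructed shadow file (added example)."""
import hashlib
import itertools
import string


def hash_pw(salt: str, password: str) -> str:
    """Stand-in for crypt(): one-way, salted, deterministic."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_shadow(accounts: dict) -> list:
    """Build 'user:salt:hash' lines; the salt is derived from the name (constructed)."""
    return [f"{u}:{u[:2]}:{hash_pw(u[:2], p)}" for u, p in accounts.items()]


# Constructed input: the twelve accounts from the slide, passwords as listed there.
SHADOW = make_shadow({
    "eric": "eric", "john": "john1234", "mike": "5369421", "mary": "#57adm7#",
    "sue": "sue", "lucy": "12345", "pat": "", "tim": "password",
    "cathy": "55555", "frank": "abcde", "tom": "mnopqr", "karen": "bbbbbbbb",
})

# Constructed miniature wordlist (real runs use dictionaries of millions of entries).
WORDLIST = ["password", "letmein", "qwerty", "welcome", "admin", "abcde", "12345", "secret"]

LEET = str.maketrans("aeios", "43105")


def parse_shadow(lines: list) -> dict:
    entries = {}
    for line in lines:
        user, salt, digest = line.strip().split(":")
        entries[user] = (salt, digest)
    return entries


def dictionary_candidates(user: str, wordlist: list):
    """Plain guesses: the null password, account-derived guesses, then the wordlist."""
    yield ""
    yield user
    yield from wordlist


def hybrid_candidates(user: str, wordlist: list):
    """Words mangled by rules: case changes, reversal, leet, appended digits,
    plus a single character repeated (this is what catches 55555 and bbbbbbbb)."""
    for w in [user] + list(wordlist):
        yield w.capitalize()
        yield w.upper()
        yield w[::-1]
        yield w.translate(LEET)
        yield w + "!"
        for n in range(100):
            yield f"{w}{n}"
    for ch in string.ascii_lowercase + string.digits:
        for n in range(1, 9):
            yield ch * n


def brute_force_candidates(max_digits: int = 5, max_letters: int = 3):
    """Exhaustive search, bounded so it finishes in seconds: all-digit strings up to
    max_digits characters and all-lowercase strings up to max_letters characters."""
    for n in range(1, max_digits + 1):
        for t in itertools.product(string.digits, repeat=n):
            yield "".join(t)
    for n in range(1, max_letters + 1):
        for t in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(t)


def crack(shadow_lines: list, wordlist: list) -> dict:
    """Run the three phases in order of cost; return {user: (password, phase)}."""
    entries = parse_shadow(shadow_lines)
    found = {}
    phases = [
        ("dictionary", lambda u: dictionary_candidates(u, wordlist)),
        ("hybrid", lambda u: hybrid_candidates(u, wordlist)),
        ("brute-force", lambda u: brute_force_candidates()),
    ]
    for phase, gen in phases:
        for user, (salt, digest) in entries.items():
            if user in found:
                continue
            for cand in gen(user):
                if hash_pw(salt, cand) == digest:
                    found[user] = (cand, phase)
                    break
    return found


if __name__ == "__main__":
    results = crack(SHADOW, WORDLIST)
    for user in parse_shadow(SHADOW):
        pw, phase = results.get(user, (None, None))
        print(f"{user:<6} " + (f"CRACKED ({phase}): {pw!r}" if phase else "not cracked"))
```

The four survivors (john1234, 5369421, #57adm7#, mnopqr) are not strong in any absolute sense: they simply sit outside the bounded brute-force space and the rule set used here. Widen the character set or the length bound and the 7-digit and 6-letter passwords fall too, which is the real lesson of the slide: a password is only as strong as the search space it forces the attacker through.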
How to Protect Against It
- Enforce a strong password policy
- Use shadow passwords (keep the hashes in /etc/shadow, readable only by root, so an ordinary user cannot feed them to Crack)
- Use one-time passwords (a captured or cracked password is worthless after its single use)
- Use passwd's password-quality checks to enforce strong passwords at the moment they are set
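What "enforce strong passwords" means in practice is a set of checks applied when the password is chosen, before it can ever reach a cracker. The following is an added example of such checks written out in full; it is not the slides' code and not pam_pwquality's or passwd's own implementation. The thresholds and the small dictionary are constructed assumptions; a real deployment uses the system dictionary and the site's policy.

```python
"""Password-quality checks of the kind a passwd front end applies (added example)."""
import string

MIN_LENGTH = 8           # constructed thresholds
MIN_CLASSES = 3          # of lowercase, uppercase, digits, punctuation
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "admin", "secret", "abcde"}
UNLEET = str.maketrans("43105@$", "aeiosas")


def dictionary_forms(pw: str) -> set:
    """Normalise the same hybrid tricks a cracker tries: strip trailing digits and
    punctuation, undo leet substitutions, and consider the reversed forms too."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    forms = {pw.lower(), base, base.translate(UNLEET)}
    return forms | {f[::-1] for f in forms}


def is_sequence(pw: str, min_run: int = 4) -> bool:
    """True for runs like abcde / 12345 / mnopqr (every step is +1 or every step is -1)."""
    if len(pw) < min_run:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(username: str, pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in pw) for group in groups)
    if classes < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    if is_sequence(pw):
        problems.append("is a straight character sequence")
    u = username.lower()
    if u and (u in pw.lower() or u[::-1] in pw.lower()):
        problems.append("contains the user name")
    if dictionary_forms(pw) & DICTIONARY:
        problems.append("is based on a dictionary word")
    return problems


if __name__ == "__main__":
    # The passwords from the effectiveness slide, plus two that look strong but are not.
    samples = [("eric", "eric"), ("john", "john1234"), ("mary", "#57adm7#"), ("pat", ""),
               ("karen", "bbbbbbbb"), ("tom", "mnopqr"), ("tim", "Password1!"), ("tim", "P4ssw0rd!9")]
    for user, pw in samples:
        verdict = check_password(user, pw)
        print(f"{user:<6} {pw!r:<14} {'OK' if not verdict else '; '.join(verdict)}")
```

Note that Password1! and P4ssw0rd!9 satisfy length and character-class rules yet are rejected, because the dictionary check normalises the same transformations a hybrid attack applies. Conversely #57adm7# passes here only because it is outside this small dictionary and rule set; the policy is a floor, not a guarantee.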