Security Overview

CSCE 824

Security ObjectivesConfidentiality: prevent/detect/deter improper disclosure of informationIntegrity: prevent/detect/deter improper modification of informationAvailability: prevent/detect/deter improper denial of access to services*FarkasCSCE 824

CSCE 824

Distributed applicationsAuthenticityNon-repudiationCSCE 824*Farkas

CSCE 824

Sample QuestionsWhat is the trade off between the security objectives?Give an example of the security objectives in the domain of college education.Consider the trend about attack sophistication and intruders knowledge. Recommend an approach to enhance the security of future computing systems.*FarkasCSCE 824

CSCE 824

Achieving SecurityPolicyWhat to protect?MechanismHow to protect?AssuranceHow good is the protection?*FarkasCSCE 824

CSCE 824

Security PolicyOrganizational PolicyComputerized Information SystemPolicy*FarkasCSCE 824

CSCE 824

Sample QuestionsWhy do we need to fit the security policy into the organizational policy?Why is it recommended to separate policy from mechanism?What does assurance mean in the context of security?Give an example security policy enforced on your personal computer/CSE computing system/CEC computing system and recommend security mechanism to implement the policy. *FarkasCSCE 824

CSCE 824

Security MechanismPrevention DetectionTolerance/Recovery*FarkasCSCE 824

CSCE 824

Security TradeoffsCOSTSecurityFunctionalityEase of Use*FarkasCSCE 824

CSCE 824

Threats, Attacks, Vulnerability, RiskTypes of threats Types of attacks Relation to security objectivesM(ethod), O(pportunity), and M(otive) of attacksMethods of defense Security planningRisk Management

*FarkasCSCE 824

CSCE 824

Risk Management Framework(Business Context)Understand BusinessContext *FarkasCSCE 824

CSCE 824

Sample QuestionsGive an example of vulnerability, threat, risk, and attack in the domain of What does it mean weakest link of defense?Recommend a way to increase computing systems security by incorporating security trade offs into the security planning. Why do we need to understand the business context to have effective security?

*FarkasCSCE 824

CSCE 824

Cryptography

CSCE 824

Insecure communicationsConfidential

Cryptographic ProtocolsMessages should be transmitted to destinationOnly the recipient should see itOnly the recipient should get itProof of the senders identityMessage shouldnt be corrupted in transitMessage should be sent/received once only

Conventional (Secret Key) CryptosystemEncryptionDecryptionPlaintextPlaintextCiphertextKSenderRecipientC=E(K,M)M=D(K,C)K needs secure channel

Public Key CryptosystemEncryptionDecryptionPlaintextPlaintextCiphertextSenderRecipientC=E(Kpub,M)M=D(Kpriv,C)Recipients public Key (Kpub)Recipients private Key (Kpriv)Kpub needs reliable channel

CryptographyCryptanalysts goal:Break messageBreak keyBreak algorithmTaxonomy of attacksBreakable vs. unbreakable cryptographic systemProperties of good cryptosystem.

Cryptosystem VulnerabilitiesPassive Attacker (Eavesdropper)Active AttackerCapabilities

Basic Encryption TechniquesSubstitutionPermutationCombinations and iterations of theseTechniques and attacksADVANTAGES/DISADVANTAGES!

Inherent Weaknesses of Symmetric CryptographyKey distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)Need a key for each pair of usersn users need n*(n-1)/2 keysIf the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages

Product CiphersOne encryption applied to the result of the other En(En-1((E1(M)))), e.g.,Double transpositionSubstitution followed by permutation, followed by substitution, followed by permutationBroken for Chosen plaintext*FarkasCSCE 824

CSCE 824

Trustworthy Encryption SystemsBased on sound mathematicsHas been analyzed by expertsHas stood the test of time

Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES), River-Shamir-Adelman (RSA)

Public Key Encryption *FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Public-Key EncryptionTwo keys one is private one is publicSolves the key distribution problem (but need reliable channel)Provides electronic signaturesSlower than secret-key encryption

*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Public-Key EncryptionNeeded for security:One of the keys must be kept secretImpossible (at least impractical) to decipher message if no other information is availableKnowledge of algorithm, one of the keys, and samples of ciphertext must be insufficient to determine the other key

*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6RSA NotationC = E(KE-B, M)M = D(KD-B,C)

KE-B:public key of BKD-B:private key of BE: encryption alg.D:decryption alg.M:plaintextC:ciphertext *FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6RSABoth sender and receiver know nSender knows eOnly receiver knows dModulus: Remainder after division, i.e., if a mod n=b then a=c*n+bNeed:Find values e,d,n such that

Easy to calculate Me, Cd for all M < nInfeasible to determine d give e

Med mod n = M mod n*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Signature and EncryptionDEDEABPlaintextPlaintextSignedPlaintextSignedPlaintextEncrypted Signed PlaintextAs private keyBs public keyBs private keyAs public key*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Non-repudiationRequires notarized signature, involving a third party

Large system: hierarchies of notarization*FarkasCSCE 824

CSCE 824

Cryptographic Hash Functions *FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 8-9Hash FunctionsHash function h maps an input x of arbitrary length to a fixed length output h(x) (compression)Accidental or intentional change to the data will change the hash valueGiven h and x, h(x) is easy to compute (ease of computation)*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 8-9Good Hash FunctionIt is easy to compute the hash value for any given messageIt is infeasible to find a message that has a given hashIt is infeasible to modify a message without changing its hashIt is infeasible to find two different messages with the same hash

*FarkasCSCE 824

CSCE 824

Cryptographic Protocols *FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6ProtocolsGood protocol characteristics:Established in advanceMutually subscribedUnambiguousComplete

*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Symmetric-Key Distribution: Symmetric-Key TechniquesSymmetric-Key without ServerSymmetric-Key with Server

*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Symmetric-Key Distribution: Public-Key TechniquesSimple secret key distributionSecret key distribution with confidentiality and authenticationDiffie-Hellman Key Exchange*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Simple secret key distributionSenderRecipientKE-S ||ID-S

2. E KE-S(Ksession)

Vulnerable to active attack!HOW?*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6With confidentiality and authenticationSenderRecipientE KE-R[N1||ID-A]

2. E KE-S[N1||N2]

3. E KE-R[N2]

4. E KE-R E KD-S(Ksession)Assume: KE-R and KE-S are known in advanceQuestion: Why do we need reliable distribution of public keys?*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Intruder in the Middle AttackJohnRoseIntruderHi Rose, Im John.Hi John, Im Rose.Hi John, Im Rose.Hi Rose, Im John.Intruder and John Uses Diffie-HellmanTo agree on key K.Intruder and RoseUses Diffie-HellmanTo agree on key K.Question: the attacker may want to have K and K be the same, Why?*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Asymmetric-Key ExchangeWithout serverBroadcastingPublicly available directoryWith serverPublic key distribution centerCertificates*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Public-key certificatesCertificate AuthoritySenderRecipient KE-SC-S=EKD-CAuth[Time1,ID-S,KE-S]1. C-S2. C-R KE-RCR=EKD-CAuth[Time2,ID-R,KE-R]*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6CertificatesGuarantees the validity of the informationEstablishing trustPublic key and user identity are bound together, then signed by someone trustedNeed: digital signature*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Digital SignatureNeed the same effect as a real signatureUn-forgeableAuthenticNon-alterableNot reusable

*FarkasCSCE 824

CSCE 824

CSCE 522 - Farkas*Lecture 6Digital signatureDirect digital signature: public-key cryptography basedArbitrated digital signature:Conventional encryption: Arbiter sees messageArbiter does not see messagePublic-key basedArbiter does not see message*FarkasCSCE 824

CSCE 824

Identification and Authentication*FarkasCSCE 824

CSCE 824

AuthenticationAllows an entity (a user or a system) to prove its identity to another entityTypically, the entity whose identity is verified reveals knowledge of some secret S to the verifierStrong authentication: the entity reveals knowledge of S to the verifier without revealing S to the verifier

Authentication InformationMust be securely maintained by the system.

Authentication RequirementsNetwork must ensureData exchange is established with addressed peer entity not with an entity that masquerades or replays previous messagesNetwork must ensure data source is the one claimedAuthentication generally follows identificationEstablish validity of claimed identityProvide protection against fraudulent transactions

User AuthenticationWhat the user knowsPassword, personal informationWhat the user possessesPhysical key, ticket, passport, token, smart cardWhat the user is (biometrics)Fingerprints, voiceprint, signature dynamics

PasswordsCommonly used methodFor each user, system stores (user name, F(password)), where F is some transformation (e.g., one-way hash) in a password fileF(password) is easy to computeFrom F(password), password is difficult to computePassword is not stored in the systemWhen user enters the password, system computes F(password); match provides proof of identity

Vulnerabilities of PasswordsInherent vulnerabilitiesEasy to guess or snoopNo control on sharingPractical vulnerabilitiesVisible if unencrypted in distributed and network environmentSusceptible for replay attacks if encrypted naivelyPassword advantageEasy to modify compromised password.

Attacks on PasswordGuessing attack/dictionary attackSocial EngineeringSniffingTrojan loginVan Eck sniffing

One-time Password

Use the password exactly once!

Lamports schemeDoesnt require any special hardwareSystem computes F(x),F2(x),, F100(x) (this allows 100 logins before password change)System stores users name and F100(x) User supplies F99(x) the first timeIf the login is correct, system replaces F100(x) with F99(x) Next login: user supplies F98(x) and so onUser calculates Fn(x) using a hand-held calculator, a workstation, or other devices

Time SynchronizedSecret keyTimeOne Time PasswordDES*FarkasCSCE 824

CSCE 824

Challenge ResponseWork stationHostNetwork Non-repeating challenges from the host is used The device requires a keypadUser IDChallengeResponse*FarkasCSCE 824

CSCE 824

Access Control*FarkasCSCE 824

CSCE 824

Access ControlProtection objects: system resources for which protection is desirableMemory, file, directory, hardware resource, software resources, etc.Subjects: active entities requesting accesses to resourcesUser, owner, program, etc.Access mode: type of accessRead, write, execute

Access Control Requirement Cannot be bypassedEnforce least-privilege and need-to-know restrictionsEnforce organizational policy

Access ControlAccess control: ensures that all direct accesses to object are authorizedProtects against accidental and malicious threats by regulating the reading, writing and execution of data and programsNeed:Proper user identification and authenticationInformation specifying the access rights is protected form modification*FarkasCSCE 824

CSCE 824

Access ControlAccess control components:Access control policy: specifies the authorized accesses of a systemAccess control mechanism: implements and enforces the policySeparation of components allows to:Define access requirements independently from implementationCompare different policiesImplement mechanisms that can enforce a wide range of policies *FarkasCSCE 824

CSCE 824

Closed vs. Open SystemsClosed systemOpen SystemAccess requ.Access requ.Exists Rule?Exists Rule?Access permittedAccess deniedAccess deniedAccess permitted

Allowed accessesDisallowed accessesyesnoyesno(minimum privilege)(maximum privilege)*FarkasCSCE 824

CSCE 824

Access Control ModelsAll accessesDiscretionary ACMandatory ACRole-Based AC*FarkasCSCE 824

CSCE 824

Discretionary Access ControlAccess control is based onUsers identity and Access control rulesMost common administration: owner basedUsers can protect what they ownOwner may grant access to othersOwner may define the type of access given to others

Access Matrix ModelOBJECTS AND SUBJECTSSUBJECTS

JoeSamFile 1File 2*FarkasCSCE 824

ReadWriteOwnRead

ReadWriteOwn

CSCE 824

Grant and RevokeGRANT ON To [WITH GRANT OPTION]------------------------------------------------------------------------------------------------------------------------------------GRANT SELECT * ON Student TO MatthewsGRANT SELECT *, UPDATE(GRADE) ON Student TO FARKASGRANT SELECT(NAME) ON Student TO Brown

GRANT command applies to base relations as well as views

Grant and RevokeREVOKE [ON ]FROM -------------------------------------------------------------------------------------------------------------------------REVOKE SELECT* ON Student FROM BlueREVOKE UPDATE ON Student FROM BlackREVOKE SELECT(NAME) ON Student FROM Brown

Non-cascading RevokeABCA revokes Ds privilegesEF*FarkasCSCE 824

CSCE 824

Cascading RevokeABCA revokes Ds privileges*FarkasCSCE 824

CSCE 824

Positive and Negative AuthorizationProblem:Contradictory authorizations GRANT ON X TO DENY ON X TO *FarkasCSCE 824

CSCE 824

Negative Authorization-Positive authorization granted By A to D becomes blocked but NOT deleted.*FarkasCSCE 824

CSCE 824

DAC and Trojan HorseEmployeeBlacks EmployeeBrown: read, writeBlack, Brown: read, writeBrownBlack*FarkasCSCE 824

CSCE 824

DAC and Trojan HorseEmployeeBlacks EmployeeBrown: read, writeBlack, Brown: read, writeBrownBlackWord ProcessorUses shared program*FarkasCSCE 824

CSCE 824

DAC OverviewAdvantages:IntuitiveEasy to implementDisadvantages:Inherent vulnerability (look TH example)Maintenance of ACL or Capability listsMaintenance of Grant/RevokeLimited power of negative authorization

Mandatory Access ControlObjects: security classification e.g., grades=(confidential, {student-info})Subjects: security clearancese.g., Joe=(confidential, {student-info})Access rules: defined by comparing the security classification of the requested objects with the security clearance of the subject e.g., subject can read object only if label(subject) dominates label(object)

*FarkasCSCE 824

CSCE 824

Mandatory Access ControlIf access control rules are satisfied, access is permittede.g., Joe wants to read grades.label(Joe)=(confidential,{student-info})label(grades)=(confidential,{student-info})Joe is permitted to read grades

Granularity of access rights!

*FarkasCSCE 824

CSCE 824

Mandatory Access ControlSecurity Classes (labels): (A,C) A total order authority level C set of categoriese.g.,A = confidential > public , C = {student-info, dept-info}(confidential,{ })(confidential,{dept-info})(confidential,{student-info,dept-info})(confidential,{student-info})(public,{student-info,dept-info})(public,{,dept-info})(public,{ })(public,{student-info})*FarkasCSCE 824

CSCE 824

Mandatory Access Control

Dominance (): label l=(A,C) dominates l=(A,C) iff A A and C C

e.g., (confidential,{student-info}) (public,{student-info})BUT (confidential, {student-info}) (public,{student-info, department-info}) *FarkasCSCE 824

CSCE 824

Bell- LaPadula (BLP) ModelConfidentiality protectionLattice-based access controlSubjectsObjectsSecurity labelsSupports decentralized administration*FarkasCSCE 824

CSCE 824

BLP Reference MonitorAll accesses are controlled by the reference monitorCannot be bypassedAccess is allowed iff the resulting system state satisfies all security propertiesTrusted subjects: subjects trusted not to compromise security*FarkasCSCE 824

CSCE 824

BLP Axioms 1.Simple-security property: a subject s is allowed to read an object o only if the security label of s dominates the security label of oNo read upApplies to all subjects*FarkasCSCE 824

CSCE 824

*-property: a subject s is allowed to write an object o only if the security label of o dominates the security label of sNo write downApplies to un-trusted subjects onlyBLP Axioms 2.*FarkasCSCE 824

CSCE 824

Blind WritesImproper modification of dataMost implementations disallow blind writes*FarkasCSCE 824

CSCE 824

Trojan Horse and BLPEmployeeBlacks EmployeeBrown: read, writeBlack, Brown: read, writeBrownBlackWord ProcessorTHInsert Trojan HorseInto shared programUse shared programReadEmployeeCopyEmployeeTo BlacksEmployeeSecretPublicSecret PublicPublic SecretReference Monitor*FarkasCSCE 824

CSCE 824

RBAC MotivationMulti-user systemsMulti-application systemsPermissions are associated with rolesRole-permission assignments are persistent v.s. user-permission assignmentsIntuitive: competency, authority and responsibility

RBACAllows to express security requirements but CANNOT ENFORCE THESE PRINCIPLES

e.g., RBAC can be configured to enforce BLP rules but its correctness depend on the configuration done by the system security officer.

RolesUser group: collection of user with possibly different permissionsRole: mediator between collection of users and collection of permissionsRBAC independent from DAC and MAC (they may coexist)RBAC is policy neutral: configuration of RBAC determines the policy to be enforced

RBACRBAC3 consolidated model RBAC1role hierarchy RBAC2constraintsRBAC0 base model*FarkasCSCE 824

CSCE 824

RBAC0.. UUsers RRoles PPermissions. SSessions User assignmentPermissionassignment*FarkasCSCE 824

CSCE 824

RBAC1Role Hierarchy*FarkasCSCE 824

CSCE 824

RBAC1Role HierarchyPrimary-care PhysicianPhysician Specialist PhysicianHealth-care providerInheritanceof privileges*FarkasCSCE 824

CSCE 824

RBAC2.. UUsers RRoles PPermissions. SSessions User assignmentPermissionassignment*FarkasCSCE 824

CSCE 824

RBAC3*FarkasCSCE 824

CSCE 824

Next ClassDatabase securityFarkasCSCE 824*

CSCE 824

**********************