ITIS 6210/8210 Access Control and Security ... - Marc Grosz Wiki

ITIS 6210/8210 

Access Control and 

Security Architecture 

Lecture 1 

Professor Mohamed Shehab 

mshehab@uncc.edu 

Woodward Hall 333F 

Office Hours: TUE 1:00-3:00 PM 

O Or b by appointment. 

it t

IT IS 6210/8210 

A Access Control C l and d Security S i Architecture 

A hi 

�� Discusses objectives objectives, formal models models, and 

mechanisms for access control, access 

control on commercial off-the-shelf systems systems, 

and security architecture for authorization. 

�� Current topics of advanced research in 

access control. Content varies depending on 

faculty interests, interests research developments developments, and 

student demand. 

�� The course provides the students with 

hands-on experience in secure system 

development through a project project.

Topics include: 

�� Access Control Basics 

◦ Access Control Matrix 

◦ Access Control List 

� Access Control Models 

◦ Mandatory y Access Control 

� Chinese Wall Policy 

� Biba Model 

� BllLPdl Bell-LaPadula MModel d l 

� Lattice-based Access Control 

◦ Discretionary y Access Control 

◦ Role Based Access Control 

◦ Location/Temporal/Context p 

Based Access 

Control

Topics include: (Cont (Cont.) ) 

�� Delegation Models 

� Policy Specification and Management 

◦ Security Assertion Markup Language (SAML) 

◦ XACML 

◦ XML Security 

� Network Firewall Access Control 

� Security Architectures 

◦ Trust negotiations and management 

◦ Identity Management 

◦ Web Services Security

Grading Policy 

�� Midterm Exam 25% 

� Final Exam 25% 

� Project 50% 

◦ Presentation 20% 

◦ Report 30% 

� Both a project proposal and final report 

are required. q

Recommended Reference Material 

�� Books: 

◦ Computer Security: Art and Science, 

Matt Bishop, Addison-Wesley 

� Research Papers: p 

◦ Will be provided. 

�� PowerPoint Slides and Papers will be posted 

on course website: 

� http://www.sis.uncc.edu/~mshehab/fall2009/itis6210/

Information If Information ti S Security it 

Basic Concepts

Lecture Outline 

�� Security Overview 

� Security Design Principles 

� Privacy Overview 

�� Cryptography Overview

Information Protection - Why? 

�� Information is an important strategic and 

operational asset for any organization. 

� Damages and misuses of information affect 

not only y a single g user or an application; pp ; they y 

may have disastrous consequences on the 

entire organization organization. 

� Additionally, the advent of the Internet as 

well as networking capabilities has made the 

access to information much easier.

Information Security: Examples 

�� Consider a payroll database in a corporation corporation, 

it must be ensured that: 

◦ Salaries of individual employees are not disclosed 

to arbitrary users of the database. 

◦ Salaries are modified by only those individuals 

that are properly p p y authorized. 

◦ Paychecks are verified by individuals different 

than the ones who issued them. 

◦ Paychecks are printed on time at the end of each 

pay period period.

What is Information Security? 

� Confidentiality 

◦ Is this all? 

◦ Why not? 

� Availability 

◦ To whom? 

�� Authentication 

◦ Still not there 

� IIntegrity i

Confidentiality 

�� Refers to information protection from 

unauthorized read operations. 

� First formal work in computer security was 

motivated by y the military’s y attempt p to 

implement controls to enforce a “need to 

know” know principle. principle 

� Confidentiality also applies to the existence 

of data, which is sometimes more revealing 

than the data itself.

Integrity 

�� Refers to information protection from 

modifications; it involves several goals: 

◦ Data integrity, ensuring the integrity of 

information with respect to the original 

information. 

◦ Origin g integrity, g y, ensuring g source of the data, , 

often referred to as authentication. 

◦ Semantic Integrity, protecting information from 

incorrect modifications.

Integrity Example 

�� A newspaper may print information 

obtained from a leak at the White house, 

but attributes it to the wrong source. 

◦ This obeys data integrity. 

y g y 

◦ Violates origin integrity.

Availability 

�� It ensures that access to information is 

not denied to authorized subjects. 

�� Attempts to block availability, availability are called 

denial of service attacks. 

� Example, p , 

SMURF attack.

Additional Information Security 

Requirements 

�� Information Quality – it is not considered 

traditionally as part of information 

security but it is very relevant. 

� Completeness – it refers to ensure that 

subjects bj t receive i all ll iinformation f ti th they are 

entitled to access, according to the stated 

security policies.

Classes of Threats 

�� Disclosure 

◦ Snooping,Trojan Horses 

� Deception 

◦ Modification, spoofing, repudiation of origin, 

denial of receipt 

�� Disruption 

◦ Modification 

� Usurpation (Unauthorized Control) 

◦ Modification, spoofing, delay, denial of service

Goals of Security 

�� Prevention 

◦ Prevent attackers from violating security 

policy 

� Detection 

◦ Detect attackers’ violation of security policy 

�� Recovery 

◦ Stop attack, assess and repair damage 

◦ Continue to function correctly even if attack 

succeeds

Policy and Mechanism 

�� A Security Policy: 

◦ Is a statement of what is and what is not 

allowed allowed. 

� A Security Mechanism: 

◦ I Is a method, h d tool, l or procedure d for f enforcing f 

a security policy. 

E l 

� Example: 

◦ Policy - “Students should not copy from each 

other”. 

◦ Mechanism – Use an online paper correlator.

Policy and Mechanism (Cont (Cont.) ) 

�� Policies define security security, and mechanisms 

enforce security 

◦ Confidentiality 

◦ Integrity g y 

◦ Availability 

�� Composition of policies 

◦ If policies conflict, discrepancies may create 

security vulnerabilities

Policy and Mechanism (Cont (Cont.) ) 

� PPolicies li i 

◦ Unambiguously g y partition p system y states 

◦ Correctly capture security requirements 

� Mechanisms 

◦ Assumed to enforce policy 

◦ Support mechanisms work correctly

Types of Mechanism 

Secure Precise Broad 

Set of reachable 

Set of secure 

states states

Information Security – Mechanisms 

�� Confidentiality is enforced by the access 

control mechanism. 

� Integrity is enforced by the access control 

mechanism and by y the semantic integrity g y 

constraints 

� Availability is enforced by the recovery 

mechanism and by detection techniques for 

DDoS S attacks k – an example l of f which hi h is i query 

flood

Information Security Security- Additional 

Mechanisms: 

�� User authentication - to verify the identity of 

subjects wishing to access the information. 

� IInformation f i authentication h i i - to ensure 

information authenticity - it is supported by 

signature i t mechanisms. h i 

� Encryption - to protect information when being 

transmitted across systems and when being 

stored on secondary storage. 

� Intrusion detection – to protect against 

impersonation of legitimate users and also 

against insider threats.

Information Security – How? 

�� Information must be protected at various 

levels: 

◦ The operating system 

◦ The network 

◦ The data management system 

◦ Physical protection is also important

Data vs Information 

�� Computer security is about controlling access 

to information and resources 

� Controlling access to information can 

sometimes be quite elusive and it is often 

replaced by the more straightforward goal of 

controlling ll access to data d 

� The distinction between data and information 

i is subtle btl but b t it i is also l the th root t of f some of f the th 

more difficult problems in computer security 

� Data represents information Information is the 

� Data represents information. Information is the 

(subjective) interpretation of data

Data vs Information Information (Cont.) (Cont (Cont.) ) 

Data Physical phenomena chosen by convention 

to represent certain aspects of our conceptual 

and real world. The meaning we assign to data 

are called information. Data is used to transmit 

and store information and to derive new 

information by manipulating the data according 

to formal rules. 

from: 

P.Brinch Hansen. Operating Systems Principles. 

Prentice Prentice-Hall, Hall 1973 1973.

Data vs Information Information (Cont.) (Cont (Cont.) ) 

�� Protecting information means to protect 

not only the data directly representing 

the information 

� Information must be protected also 

i i i h h 

against transmissions through: 

◦ Covert channels 

◦ Inference 

� It is typical of database systems 

� It refers to the derivation of sensitive information 

from non-sensitive data

Inference - Example 

Name Sex Programme Units Grade Ave 

Alma F MBA 8 63 

Bill M CS 15 58 

Carol F CS 16 70 

DDon M MIS 22 75 

Errol M CS 8 66 

Flora F MIS 16 81 

Gala F MBA 23 68 

Homer M CS 7 50 

Igor M MIS 21 70

Inference – Example Example (Cont.) (Cont (Cont.) ) 

� Assume that there is a policy stating that the average grade 

of a single student cannot be disclosed; however statistical 

summaries can be disclosed 

� Suppose that an attacker knows that Carol is a female CS 

student 

� B By combining bi i the h results l of f the h ffollowing ll i llegitimate i i 

queries: 

◦ Q1: SELECT Count (*) FROM Students WHERE Sex =‘F’ = F AND 

Programme = ‘CS’ 

◦ Q2: SELECT Avg (Grade Ave) FROM Students WHERE Sex =‘F’ 

AND Programme = ‘CS’ 

� The attacker learns from Q1 that there is only one female 

student t d t so th the value l 70 returned t d b by Q2 is i precisely i l h her 

average grade

Information Security: 

A Complete Solution. 

�It consists of: 

◦ First defining a security policy policy. 

◦ Then choosing g some mechanism to 

enforce the policy. 

◦ Fi Finally ll providing idi assurance that h bboth h 

the mechanism and the policy p y are 

sound.

Security Design Principles

Overview 

� Saltzer and Schroeder [1975] defined the 8 principles that 

are based on the ideas of f simplicity and restriction 

� Simplicity 

◦ Less to go wrong 

◦ Fewer possible inconsistencies 

◦ Easy to understand 

� Restriction 

◦ Minimize access – an entity can access only information 

it needs (also known as “need to know” principle) 

◦ Inhibit communication – an entity can communicate 

with other entities only when necessary, and in few (and 

narrow) ways as possible

Principle of Least Privilege 

�� The principle of least privilege states that an 

entity should be given only those privileges 

that it needs in order to complete its task 

◦ The function of an entity, y and not its identity, y 

should control the assignment of rights 

◦ Rights should be added as needed, discarded 

after use

Principle of Fail Fail-Safe Safe Defaults 

�� The principle of fail fail-safe safe defaults state 

that, unless an entity is given explicit 

access to an object, it should be denied 

access to that object j 

◦ This principle requires that the default access 

permission to an object be none

Principle of Economy of Mechanism 

�� The principle of economy of mechanism 

states that security mechanisms should be as 

simple as possible 

� Simpler means less can go wrong 

◦ And when errors occur, occur they are easier to 

understand and fix 

�� Interfaces and interactions 

◦ Interfaces to other modules are crucial, because 

modules often make implicit assumptions about 

input or output parameters or the current 

system state

Principle of Complete Mediation 

�� The principle of complete mediation 

requires that all accesses to objects be 

checked to ensure that they are allowed 

� Usually done once, on first action 

◦ UNIX: access checked on open, not checked 

thereafter 

◦ If permissions change after, may get 

unauthorized access 

◦ This approach violates the principle of 

complete mediation

Principle of Open Design 

�� The principle of open design states that the 

security of a mechanism should not depend 

on secrecy of f it its ddesign i or iimplementation l t ti 

◦ If the strength of a program’s security depends on 

the ignorance of f user, a knowledgeable user can 

defeat the security mechanism 

� “S “Security through h h obscurity” b ” is not a good d principle l 

◦ This principles does not apply to information 

such h as passwords d or cryptographic hi keys k (these ( h 

are data and not algorithms)

Principle of Open Design (Cont (Cont.) ) 

�� Issues of proprietary software and trade 

secrets complicate the application of this 

principle 

� In some cases companies do not want 

their hi ddesigns i made d public bli to protect them h 

from competitors 

� The principle then requires that the 

design g and implementation p 

be available to 

people barred from disclosing it outside 

the company p y

Principle of Separation of Privilege 

�� The principle of separation of privileges 

states that a system should not grant 

permission based on a single condition condition. 

� In other words: more than one condition 

must b be verified ifi d i in order d to gain i access 

◦ Separation of duty 

� Example: company check for more than $75,000 must 

be signed by two officers of the company 

� EExample: l O On BBerkeley-based k l b d versions i of f Unix, U i a user 

is not allowed to change from his accounts to the 

root account unless two conditions are verified: (i) ( ) the 

user knows the root password; (ii) the user is in the 

wheel group (with GID 0)

Principle of Least Common Mechanism 

�� The principle of least common 

mechanism states that mechanisms used 

to access resources should not be shared 

◦ Information can flow along g shared channels 

◦ Covert channels 

�� Isolation 

◦ Virtual machines 

◦ Sandboxes

Principle of Least Common Mechanism 

(Example) 

�� For example example, serving an application on the 

Internet allows both attackers and users to 

gain access to the application application. Sensitive 

information can potentially be shared 

between the subjects via the mechanism. 

� A different mechanism for each subject or 

class of subjects can provide flexibility of 

access control among various users and 

prevent potential security violations that 

would otherwise occur if only one 

mechanism was implemented.

Principle of Psychological Acceptability 

� The principle p p of psychological p y g acceptability p y states 

that security mechanisms should not make the 

resource more difficult to access than if the security 

mechanisms were not present 

◦ Hide complexity introduced by security mechanisms 

◦ Ease of f installation, configuration, f use 

◦ Human factors critical here 

◦ O On the th other th hand, h d security it requires i that th t th the messages 

impart no unnecessary information 

� For example, p , if a user supplies pp the wrong g p password, , the system y 

should reject the attempt with a message saying that the login 

failed. If it were to say that the password was incorrect, the user 

would know that the account name was legitimate g

Privacy

Privacy ?? 

�� Information Privacy is the ability of an 

individual to control the use and dissemination 

of information that relates to himself or 

herself. 

�� The word “Privacy” Privacy means different things in 

different contexts: 

◦ Freedom from intrusion intrusion. 

◦ Control of personal information. 

◦ Control of one’s one s image or name name. 

� The historic driver of the privacy problem is 

the “bad bad people” people problem problem.

Approaches to Privacy 

Enforcement 

� GGovernmental l SStandards d d 

◦ Enforcement by regulatory agencies, states, etc. 

� Industry Standards 

◦ “Codes Codes of conduct” conduct 

◦ Limited enforcement through licensing 

◦ Limited enforcement from government 

� Unregulated g Market 

◦ Reputation 

�� Technology can help in all of these cases cases.

Fair Fair Credit Credit Reporting Reporting Act, Act 1970 

1970 

�� Right to: 

◦ See your credit report. 

◦ Challenge incorrect information. 

◦ Information automatically y expire p after 7 years. y 

◦ Know who accesses your report. 

◦ Free credit report if you are denied credit credit.

The Code of Fair Information 

Practice (1973) 

�� Included: 

◦ No Secret record-keeping systems. 

◦ Right to see your record. 

◦ Information obtained for one purpose p p may y 

not be used for another purpose. 

◦ Right to correct or amend incorrect records records. 

◦ Organizations must assure the reliability of 

data and take precautions to prevent misuse misuse.

Other Privacy Acts 

�� HIPAA: Health Insurance Portability 

and Accountability Act 

� COPPA COPPA: Child Children’s ’ Online O li Privacy P i 

Protection Act 

◦ Applies to online collection of info on 

children under 13. 

� Gramm-Leach-Bliley Act 

� Sarbanes-Oxley: Public Company 

y p y 

Accounting Reform and Investor 

Protection Act


�� Gramm Gramm-Leach-Bliley Leach Bliley Act 

◦ Consumers must be informed of privacy 

policies 

� Initial notice 

� Annual notice 

� Notices were mostly ignored! 

◦ Consumers must have a chance to “opt-out” 

� Many y different ways y to “opt-out” p 

� Have you ever opted out?


�� Sarbanes Sarbanes-Oxley: Oxley: Public Company 

Accounting Reform and Investor 

Protection Act 

◦ Insider Trading 

◦ Conflict of Interest 

◦ Public disclosures 

◦ Public disclosures 

◦ Assessment of internal controls 

◦ Mandatory disclosures

Example: Patient Records 

Name a e SSN SS DOB O Sex Se Zip p 

Code 

Disease sease 

DOB 

1/21/76 

4/13/86 

2/28/76 

1/21/76 

4/13/86 

2/28/76 

Sex Andre 

BBarbra b 

Male James 

Female Bob 

Male Carol 

Male Alice 

Female 

Female 

Zip 400-44-1234 Disease 1/21/76 

Code 420 420-33-1434 33 1434 4/13/86 

53715 603-00-1444 Heart 2/28/76 Disease 

53715 412-22-1111 412 22 1111 Hepatitis p 1/21/76 

53703 210-12-2222 Bronchitis 4/13/86 

53703 450-45-6666 Broken 2/28/76 Arm 

53706 Flu 

53706 Hang Nail 

Male 53715 Heart Disease 

Name DOB Sex Zip p 

FFemale l 53715 HHepatitis 

Code 

Male 

Andre 

53703 

1/21/76 

Bronchitis 

Male 53715 

Male 

BBethh 53703 

1/10/81 

Broken 

FFemale l 

Arm 

55410 

Female 

Carol 

53706 

10/1/44 

Flu 

Female 90210 

Female 

Dan 

53706 

2/21/84 

Hang 

Male 

Nail 

02174 

Ellen 4/19/72 Female 02237 

Voter Registration Data 

Rl Released d Medical Md l Data 

D

Cryptography Overview

Cryptography 

� Basic assumptions 

◦ Message to be encrypted 

◦ Algorithms (publicly known) to encrypt/decrypt message 

◦ Key y( (known only yto sender/recipient) p ) 

◦ Given only algorithms and encrypted message, nobody knows a 

method to decrypt that is significantly faster than trying all keys 

� Types of attacks 

◦ Ciphertext only 

◦ Known plaintext 

◦ Chosen plaintext 

� Real attacks generally don’t break cryptography! 

◦ Don’t pick the lock, tunnel into the vault

Symmetric Cryptography 

�� The secret key that seals also unseals 

◦ M’ = f(M,key) encryption or sealing 

◦ M = f’(M’ f’(M’,key) k ) ddecryption p i or unsealing li 

� Uses: 

◦ Prevent eavesdropping 

� Must be secure channel for key exchange 

◦ Secure storage 

� I have to remember my key 

◦ Authentication 

� Challenge/response 

◦ Integrity Check 

� Checksum on the message 

� Encrypt the checksum

Public Key ( (Assymetric ( (Assymetric Assymetric) ) Cryptography 

�� First published in 1976 (Diffie (Diffie-Hellman) Hellman) 

◦ More common today: RSA 

� Matched pair of keys 

◦ Public key (e) to encrypt 

◦ Private key (d) to decrypt 

� F For iintegrity, i encrypt checksum h k with i h 

sender’s private key 

◦ Only sender’s public key will decrypt properly

Public Key ( (Assymetric ( (Assymetric Assymetric) ) Cryptography 

�� Uses: 

◦ Prevent eavesdropping 

◦ Authentication 

◦ Integrity g y 

� Problem: public key algorithms slow 

◦ SSolution: l ti Use U t to share h secret t key 

k

Public Key Cryptography: 

Non Non-repudiation repudiation 

�� Message Integrity Checksum (MAC) can 

convince Recipient that Sender created message 

◦ Message correct, from right source 

� But can’t convince anyone else! 

◦ Sender, recipient share key 

◦ Either could generate message 

� Public key solves this problem 

◦ Private key required to encrypt 

◦ Only y 

known to sender

Public Key Cryptography 

�� Public key d d, private key e 

◦ m = e(d(m)) = d(e(m)) 

� Given d, d(m), hard to find m 

◦ same for e, e(m) 

� Given d, hard to find e 

◦ same for e, d 

� Most based on modular arithmetic 

◦ Modular exponentiation

Algorithms: Diffie Diffie-Hellman Hellman 

�� Goal: Two parties agree on common 

number 

◦ E E.g., l learn shared h d key k 

� Initial: large prime p, g < p 

◦ publicly known 

� Each chooses secret 

� T = g s mod p 

� Exchange and repeat 

� Exchange and repeat 

◦ Result is the same

Algorithms: Diffie Diffie-Hellman Hellman (Problems) 


◦ Am I talking to the right person? 

� Man in the middle 

◦ Sets up session with either end

Algorithms: RSA 

(Rivest, Shamir, Adleman) 

�� Key generation 

◦ Choose primes p,q 

◦ Ch Choose e relatively l ti l prime i t to ( (p-1)(q-1) 1)( 1) 

◦ Public key 

◦ PPrivate i key k d where h d = 1/(e 1/( mod d ( (p-1)(q-1)) 1)( 1)) 

� Encrypt: c = me mod n 

◦ Decrypt: m = c d mod n 

� de = 1 mod (p-1)(q-1), so m = (m e ) d mod n 

� Breakable if we can factor (why?)

Hash Algorithms 

�� Transform arbitrarily long message m into (short) 

fixed-length message h(m) 

◦ Must be easy to compute h(m) 

◦ Given h(m), hard to find (an) m 

◦ Hard to find m 1 and m 2 such that h(m ( 1)=h(m 1) ( 2) 2) 

� Goal: h(m) should appear random 

◦ Non-trivial to define “appear pp random” 

� Uses 

◦ Password storage g (easy ( y to verify y that it is probably p y 

correct) 

◦ Integrity: Send m, h(m|s) 

◦ Storage integrity

Changing one input bit should 

change ~50% of the output bits. 

Message MD5 

“this is a test” ff22941336956098ae9a564289d1bf1b 

“this is c test” c5e530b91f5f324b1e64d3ee7a21d573 

“this is a test ” 6df4c47dba4b01ccf4b5e0d9a7b8d925

128 ? 128 ? 

How big is 2 2128 How big is 2 2128 �� MD5 is 128 bits long 

� 2 128 = 

340,282,366,920,938,463,463,374,607,431,7 

68,211,456 , , 

� If you could try a billion 2 combinations a 

second, d it would ld take t k 10,790 10 790 billion billi years

Message Digest Algorithms 

�� Rivest Functions: 

◦ MD2 (128 bits) 

◦ MD4 (128 bits) 

◦ MD5 (128 ( bits) ) 

� NIST Functions: 

◦ SHA (160 bits) bit ) SHA SHA-1 1 (160 bit bits) ) 

◦ SHA-512, SHA-1024 

� Other Functions: 

◦ Snerfu, N-Hash, N Hash, RIPE-MD, RIPE MD, HAVAL

(Strange) Hash Uses 


◦ A sends challenge rA ◦ B responds with h(k|r h(k|rA) A) and r B 

◦ A responds with h(k|rB) � Integrity / Message Authentication Code 

◦ h(m | k) 

�� Generate a one-time one time pad 

◦ h(k | r) gives first block, then h(k | bi-1) gives bi �� Can also generate a hash using symmetric 

encryption 

67

ITIS 6210/8210 Access Control and Security ... - Marc Grosz Wiki

Create successful ePaper yourself

Delete template?

Save as template?