Information Systems Security

Access Control

Arrianto Mukti Wibowo, M.Sc., Faculty of Computer Science

University of Indonesia

Access Control Systems &

Methodology

Tujuan domain

• Mempelajari mekanisme dan metode

yang dipergunakan para

administrator/manager untuk mengontrol

apa yang boleh diakses user, termasuk

apa yang boleh dilakukan setelah

otentikasi dan otorisasi, termasuk

pemantauannya.

Topik bahasan

• Identification,

• authentication,

• authorization,

• access control

models,

• access control

techniques,

• access control

methods,

• access control

administration,

• threats to access

controls

7

What is access control?

• Access control is the heart of security • Definitions:

– The ability to allow only authorized users, programs or

processes system or resource access

– The granting or denying, according to a particular security

model, of certain permissions to access a resource

– An entire set of procedures performed by hardware, software

and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on preestablished rules.

8

How can AC be implemented?

• Administrative controls

– Policies

– Procedures

• Logical controls

– Passwords

• Physical controls

– Electric door

9

What does AC hope to protect?

• Data - Unauthorized viewing,

modification or copying

• System - Unauthorized use, modification

or denial of service

• It should be noted that nearly every

network operating system (NT, Unix,

Vines, NetWare) is based on a secure

physical infrastructure

10

Administrative access control

• Awareness training • Background checks • Separation of duties • Split knowledge • Policies • Data classification

• Effective user registration • Termination procedures

11

Physical access control

• Guards • Locks • Mantraps • ID badges • CCTV, sensors, alarms • Biometrics

• Fences - the higher the voltage the better • Card-key and tokens

Man Trap

1. Memeasukkan kartu identifikasi (what you have) 2. Mengetikkan 12 digit angka rahasia (what you know) 3. Komputer secara acak akan

memilihkan kata-kata yang harus diucapkan ulang (who you are)

Typical Access Rights



Read, inquiry or copy only



Write, create, update or delete only



Execute only

Mandatory vs Discretionary

Access Control

• Mandatory

– “The system decided how the data will be shared” – Enforces corporate security policy

– Compares sensitivity of information resources

• Discretionary

– “You decided how you want to protect and share your data”

– Enforces data-owner-defined sharing of information resources

15

Mandatory Access Control

• Assigns sensitivity levels, AKA labels

• Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level.

• Only the administrators, not object owners, make change the object level

• Generally more secure than DAC • Orange book B-level

• Used in systems where security is critical, i.e., military • Hard to program for and configure & implement

16

Mandatory Access Control

(Continued)

• Downgrade in performance

• Relies on the system to control access

• Example: If a file is classified as confidential,

MAC will prevent anyone from writing secret

or top secret information into that file.

• All output, i.e., print jobs, floppies, other

magnetic media must have be labeled as to the

sensitivity level

17

Discretionary Access Control

• Access is restricted based on the authorization

granted to the user

• Orange book C-level

• Prime use to to separate and protect users

from unauthorized data

• Used by Unix, NT, NetWare, Linux, Vines, etc.

• Relies on the object owner to control access

18

Access control lists (ACL)

• A file used by the access control system to

determine who may access what programs and

files, in what method and at what time

• Different operating systems have different ACL

terms

• Types of access:

19

Standard UNIX file permissions

Permission Allowed action, if object is a file

Allow action if object is a directory

R (read) Reads contents of a file List contents of the directory X (execute) Execute file as a program Search the directory

W (write) Change file contents Add, rename, create files and subdirectories

20

Standard NT file permissions

Permission Allowed action, if object is a file

Allow action if object is a directory

No access None None

List N/A RX

Read RX RX

Add N/A WX

Add & Read N/A RWX Change RWXD RWXD Full Control All All

21

Authentication

3 types of authentication:



Something you know - Password, PIN,

mother‟s maiden name, passcode, fraternity

chant



Something you have - ATM card, smart card,

token, key, ID Badge, driver license, passport



Something you are - Fingerprint, voice scan,

22

Multi-factor authentication

 2-factor authentication. To increase the level of

security, many systems will require a user to provide 2 of the 3 types of authentication.

 ATM card + PIN

 Credit card + signature  PIN + fingerprint

 Username + Password (NetWare, Unix, NT default)

 3-factor authentication -- For highest security

 Username + Password + Fingerprint  Username + Passcode + SecurID token

23

 Insecure - Given the choice, people will choose easily

remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.

 Easily broken - Programs such as crack, SmartPass, PWDUMP,

NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords.

 Dictionary attacks are only feasible because users choose easily guessed passwords!

 Inconvenient - In an attempt to improve security, organizations

often issue users with computer-generated passwords that are difficult, if not impossible to remember

 Repudiable - Unlike a written signature, when a transaction is

signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Kerugian Password

• Eavesdropper mencuri password saat sedang diucapkan

• Maling bisa mencuri daftar password di server • Password mungkin mudah ditebak

• Guna meningkatkan keamanan penggunaan password, mungkin komputer justru malah meningkatkan

ketidaknyamanan penggunaan komputer. Mis:

komputer yang memilihkan password, harus ganti password setelah sekian lama

25

Classic password rules

• The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both

criteria is to use two small unrelated words or

phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin

• Don‟t use:

– common names, DOB, spouse, phone #, etc. – word found in dictionaries

– password as a password – systems defaults

On-Line password guessing &

prevensinya

• Dictionary attack

• Ada komputer yang memaksa pemasukkan password hanya oleh manusia (bukan program). Manusia relatif tidak cepat.

• Ada maximum retries. Mis: kartu ATM bisa ditelan. Tapi bisa

menyebabkan vandalisme: jika dia punya seluruh username, dia bisa coba bikin program yang mencoba login ke seluruh username. Setelah 5 kali, system akan lock!

• Ada cara lain: setiap memasukkan password yang salah akan diproses secara l a m b a t s e k a l I .. .. .. !

• Bisa mendeteksi: last successful & unsucessfull login dari mana dan kapan

• Ada yang memaksa user menggunakan password yang dibuat oleh

komputer: user tak senang mengingatnya… sehingga user menulisnya di kertas! Mis: geocities

• Suka pakai kombinasi @$*%$ angka huruf BESAR

Off-line Password Guessing

• Menebak password melalui hashnya,

karena hash dari password yang umum

pasti sama

• Backup dari disk yang ada di server juga

harus dienkripsi

Password distribution

• User datang ke administrator. Kalo ada orang menyamar?

• Pakai KTP/SIM/KTM yang ada fotonya

• User di depan terminal khusus memilih passwordnya. • Atau user diberi password yang dipakai untuk login

pertama kali, habis itu dipaksa mengganti password. Disebut pre-expired password

• Cara yang tidak tepat: passwordnya adalah NPM, dan memberitahu dengan cara broadcast (misalnya posting di papan pengumuman).

• Kalau di bank, kita akan dikirimi surat yang isinya PIN kita. Pendapat anda?

Authentication Token

• What you have!

• kunci rumah, kartu kredit

• bisa dicuri!

• Mungkin keuntungannya psikologis: orang

kurang rela meminjamkan kartu ketimbang

password!

• Biasanya butuh hardware tambahan: misalnya

smart card / magentic card reader

Smart Card

Ukuran kartu kredit, tapi di dalamnya ada processor. Ada macam-macam:

• PIN protected memory card: isi hanya bisa dibuka kalau PIN-nya benar

• Cryptographic challenge & response cards • Contactless smart card

Kegunaannya:

– Bank Cards: debit & credit

– ID-card, termasuk untuk login. One card for all access

– Wallet for e-cash – Payphone

– Loyality program – Ticket parkir

– Health-card: bisa jaga rahasia

Bank Card

4532 1234 8321 3912 exp 04/03

31

Biometrics

• Authenticating a user via human characteristics

• Using measurable physical characteristics of a person to prove their identification

– Fingerprint – signature dynamics – Iris – retina – voice – face – DNA, blood

Identifikasi Fisik Manusia

Fingerprint scan

Hand Geometry

33

biometrics

 Can‟t be lent like a physical key or token and can‟t be

forgotten like a password

 Good compromise between ease of use, template size,

cost and accuracy

 Fingerprint contains enough inherent variability to

enable unique identification even in very large (millions of records) databases

 Basically lasts forever -- or at least until amputation or

dismemberment

34

Biometric Disadvantages



Still relatively expensive per user



Companies & products are often new &

immature



No common API or other standard



Some hesitancy for user acceptance

Performance Issues

• False Rejection Rate (type 1 error): prosentase

subjek yang benar, tapi ditolak

• False Acceptance Rate (type 2 error):

prosentase subjek yang invalid, tapi diakui

sistem

• Cross Error Rate (CER): FRR sama dengan FAR

• Masalahnya kalau sensitifitas dinaikkan, FRR

naik, FAR turun. Perlu dicarititik optimum,

yakni CER

Cross Error Rate

FRR FAR % Sensitifitas CER

Random Number Generator

• Misalnya KeyBCA

• Challenge & respond

• Termasuk apa?

– What you know?

– What you have?

– Who you are?

Logical Access Controls

• Akses kontrol infrastruktur TI dapat dilakukan pada berbagai tingkat

– Front end & Back end

– How networks segregate & protect access to information resources.

• Paths of Logical Access

– General points of entry

• Network connectivity • Remote access

• Operator console

Logical Access Controls:

Protection

• Logical Access Control Software

– Prevents unauthorized access and modification to an organization‟s sensitive data and use of system critical functions

– Semua layer: networks, operating systems, databases & application systems

– Fungsi software:

• Identifikasi dan otentikasi • Otorisasi akses

• Monitor: Logging aktifitas user, reporting

– Implementasi paling efektif: tingkat networks dan operating system (membatasi privileges pada low level)

Operating systems access control

• User identification and authentication mechanisms • Restricted logon IDs

• Rules for access to specific information resources • Create individual accountability and auditability • Create or change user profiles

• Log events

• Log user activities • Report capabilities

Database and/or application-level

access control

• Create or change data files and database profiles • Verify user authorization at the application and

transaction levels

• Verify user authorization within the application

• Verify user authorization at the field level for changes within a database

• Verify subsystem authorization for the user at the file level

• Log database/data communications access activities for monitoring access violations

SSO is the process for the consolidating all

organization platform-based administration,

authentication and authorization functions into a

single centralized administrative function. A single

sign-on product that interfaces with:



client-server and distributed systems  mainframe systems

 network security including remote access mechanisms

Single sign-on (SSO)

Multiple passwords are no longer required, therefore, whereby a user may be more inclined and motivated to select a stronger password

It improves an administrator‟s ability to manage users‟ accounts and authorizations to all associates systems

It reduces administrative overhead in resetting forgotten passwords over multiple platforms and applications

It reduces the time taken by users to log into multiple applications and platforms



Support for all major operating system

environments is difficult

The costs associated with SSO development

can be significant when considering the nature

and extent of interface development and

maintenance that may be necessary

The centralized nature of SSO presents the

possibility of a single point of failure and total

compromise of an organization‟s information

assets

Untung rugi KDC

• Keuntungan:

– kalau ada user baru, tinggal menambahkan di KDC – kalau seorang user ter-compromised, tidak semua

node akan tercompromised

• Kerugiannya:

– KDC bisa memalsukan jati diri orang lain – KDC adalah titik lemah dari sistem

– Performa KDC bisa berkurang kalau banyak sekali orang berhubungan ke KDC pada waktu yang

Contoh KDC: Kerberos 5

• Dimuat dalam RFC 1510 oleh Kohl dan

Neuman pada tahun 1993, dan source

code-nya bisa diambil dari

http://web.mit.edu.

• Produk yang menggunakan antara lain

OSF Distributed Computing Environment

(DCE) dan Windows 2000.

Objek Kerberos

• Authentication: Token yang dibuat oleh client dan dikirim ke server untuk membuktikan jati diri user • Ticket: diterbitkan oleh TGS (ticket granting service),

yang dapat “ditunjukkan” oleh klien kepada suatu server layanan tertentu (misalnya database server). • Session key: kunci random yang dibuat oleh

Kerberos dan diberikan kepada klien saat ingin berkomunikasi dengan server tertentu.

Catatan:

• Klien membutuhkan „ticket‟ dan session key untuk berhubungan dg server tertentu, dimana ticket

52

Rule of least privilege

• One of the most fundamental principles of infosec • States that: Any object (user, administrator, program,

system) should have only the least privileges the object needs to perform its assigned task, and no more.

• An AC system that grants users only those rights necessary for them to perform their work

• Limits exposure to attacks and the damage an attack can cause