CIT 480: Securing Computer Systems Authentication CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Topics Identity Groups and Roles Network Identities Authentication Biometrics UNIX Authentication CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Authentication Identity is computer’s representation of an entity Entities can be subjects or objects. Authentication is a security control that binds a principal to an identity, so that the system can enforce access control and audit user actions. Example: username expresses your identity. password binds the person typing to that particular identity (username). CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Purpose of Identity Access Control Most systems base access rights on identity of principal executing the process. Accountability Logging and auditing functions. Need to track identity across account/role changes (e.g., su, sudo). CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Groups and Roles An “entity” may be a set of entities referred to by a single identifier. Principals often need to share access to files, and thus are taken as groups. static: alias for a group of principles. dynamic: principal changes from one group to another as different privileges are needed. role: a group that ties membership to function CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Network Identity Ethernet (MAC) Address 48-bit data link level identifier example: 00:0B:DB:78:39:8A IP Address 32-bit network level identifier ex: 10.17.0.101 IPv6 Address 128-bit network level identifier ex: fe80::2a0:c9ff:fe97:153d/64 Hostname (DNS name) string application level identifier ex: www.nku.edu CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Authentication Types Authentication can be based on What the entity knows (e.g., passwords) What the entity has (e.g., access card) What the entity is (e.g., fingerprints) Where the entity is (e.g., local terminal) Or a combination of two or more of 1..4, which is known as Multi Factor Authentication (MFA). CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems What You Know Passwords Pass Phrases PINs http://www.infosecblog.org/2007/09/why-good-passwords/ CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems What You Have Smart Cards USB Token RFID RFID used for toll collection CIT 480: Securing Computer Systems

USB Tokens and Smart Cards Small device with storage and processor. USB tokens tend to focus on storage. Smart cards on processor + small storage. Differences are growing smaller. Methods of use By Hand (read card and type one-time password) USB Wireless CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems RFID Radio Frequency Identification Types of Tags Passive: use power from reader signal Active: internal power source Applications Product tracking (EPC barcode replacement) Transportation payment Automotive (embedded in car keys) Passports Human implants EPC RFID Tag CIT 480: Securing Computer Systems

Authentication System A: set of authentication information information used by entities to prove identity C: set of complementary information information stored by system to validate A F: set of complementation functions f : A → C generate C from A L: set of authentication functions l: A  C→{T,F} verify identity S: set of selection functions enable entity to create or alter A or C CIT 480: Securing Computer Systems

Password System Example Authenticate with 8-character alphanumeric password. System compares against stored MD5 hash. A = [A-Za-z0-9]{8} C = 22-char Base64 strings F = { MD5 } L = { MD5(A)==C } CIT 480: Securing Computer Systems

What You Are: Biometrics Identification by human characteristics: Physiological Behavioral A biometric characteristic should be: universal: everyone should have it unique: no two people should share it permanent: it should not change with time quantifiable: it must be practically measurable CIT 480: Securing Computer Systems

Biometric System Example User authenticates with fingerprint. System compares w/ digital fingerprint template. A = { user fingerprints } C = { digital fingerprint templates } F = { fingerprint reader + analog->digital } L = { tunable similarity function } CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems How Biometrics Work User submits sample. Software turns sample into digital template. Software compares template against stored reference template. Authentication based on how closely templates match. CIT 480: Securing Computer Systems

Biometric Measurement Possible Outcomes: Correct person accepted Imposter rejected Correct person rejected (False Rejection) Imposter accepted (False Acceptance) CIT 480: Securing Computer Systems

False Positives and Negatives Tradeoff between False Accept Rate False Reject Rate CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Fingerprints Capacitive measurement, using differences in electrical charges of whorls on finger to detect those parts touching chip and those raised. Attacks: Forcing authorized user to grant access. Recover latent fingerprint impression. Artificial gummy fingers made from molding plastic/gelatin 68-100% successful when tested against 11 types of fingerprint auth systems. CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Brandon Mayfield Fingerprints found in 2004 Madrid bombing. Brandon arrested May 6, 2004. FBI claimed “100 percent positive” match. Held under a false name. Then transferred to unidentified location. Spanish police identify fingerprint as belonging to an Algerian man May 21, 2004. Brandon released May 25, 2004. CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Eye Biometrics Iris Scan Lowest false accept/reject rates of any biometric. Person must hold head still and look into camera. Retinal Scan Cataracts and pregnancy change retina pattern. Lower false accept/reject rates than fingerprints. Intrusive and slow. CIT 480: Securing Computer Systems

Other Types of Biometrics Physiological DNA Face recognition Hand geometric Scent detection Voice recognition Behavioral Gait recognition Keyboard dynamics Mouse dynamics Signatures http://ducknetweb.blogspot.com/2013/09/cardiac-rhythm-bracelet-selling-for-79.html CIT 480: Securing Computer Systems

Biometrics are not infallible What are False Accept and Reject Rates? Do the characteristics change over time? Retina changes during pregnancy. Fingerprint damage due to work/pipe smoking. Young and old people have fainter fingerprints. Is it accurate in the installed environment? Is someone observing fingerprint or voiceprint checks? i.e., did you collect biometric from the person? CIT 480: Securing Computer Systems

Biometrics can be compromised. Unique identifiers, not secrets. You can change a password. You can’t change your iris scan. Examples: You leave your fingerprints every place. It’s easy to take a picture of your face. Other compromises. Use faux ATM-style devices to collect biometrics. Obtain all biometric templates from server. CIT 480: Securing Computer Systems

Use and Misuse of Biometrics Employee identification. Employee enters login name. System uses fingerprint to verify employee is who he claims to be. Problem: Does biometric match the employee? Criminal search (Superbowl 2001) System uses face recognition to search for criminals in public places. Problem: Does any biometric in database match anyone in a crowd of people? Assume system is 99.99% accurate and 1 in 10million people is a terrorist. Result: 1000 false positives for each terrorist. "But the case for face recognition is straightforward. They were looking for two of the terrorists and had photographs of them. Face recognition systems in airports would have caught them." I'm not sure we really know that the authorities had photographs that were good enough for face recognition, even for those small number of suspects that they claim to have placed on a terrorist watch list. But even if we grant the premise, not much follows from it. First, the fact that the authorities suspected only two of the nineteen hijackers reminds us that automatic face recognition cannot recognize a face until it is in the database. Most hijackers are not on lists of suspected terrorists, and even if those particular hijackers had been prevented from boarding their planes, seventeen others would have boarded. CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Location Classic: only allow access from a particular terminal or a particular set of remote hosts. Modern: GPS-based Location Signature Sensor (LSS) for host and user. Access rules permit user only to access host with specific LSS values. Cell-phones track location, and some states use them to track drivers’ speed and locations. http://en.wikipedia.org/wiki/Gps CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems UNIX Authentication UNIX identifies user with a UID Username is for humans, UID for computers. 15-bit to 32-bit unsigned integer. UID=0 is the superuser, root. Identity and authentication data stored in /etc/passwd /etc/shadow /etc/group http://www.3connected.com/techfaq.php CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems /etc/{passwd,shadow} Central file(s) describing UNIX user accounts. /etc/passwd Username UID Default GID GCOS Home directory Login shell /etc/shadow Username Encrypted password Date of last pw change. Days ‘til change allowed. Days `til change required. Expiration warning time. Expiration date. student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7::: CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Groups and GIDs GIDs are 32-bit non-negative integers. Each user has a default GID. File group ownership set to default GID. Temporarily change default GID: newgrp. Groups are described in /etc/group Users may belong to multiple groups. Format: group name, pw, GID, user list. wheel:x:10:root,waldenj,bergs CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Superuser Powers Superuser can Read any file. Modify any file. Add / remove users. Become any user. Kill any process. Reprioritize processes. Configure network. Set date/time. Shutdown / reboot. Superuser can’t Change read-only filesystem. Decrypt hashed passwords. Modify NFS-mounted filesystems. Read or modify SELinux protected files. CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Switching Users The su command allows you to switch users. > id uid=102(wj) gid=102(wj) groups=102(wj) > su Password: # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm), 6(disk),10(wheel) # su john john$ id uid=1995(john) gid=1995(john) groups=1995(john) john$ exit # exit CIT 480: Securing Computer Systems

Real and Effective UIDs Real UID The UID matching the username you logged in as. Effective UID The UID that is checked for access control. The su command changes your EUID. SUID programs A SUID program executes with an EUID of the owner of the program instead of yours. /usr/bin/passwd is SUID root. Why? CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Key Points Access control is based on identity. Authentication consists of an entity, the user, attempting to convince another entity, the verifier, of the user’s identity something you know something you have something you are somewhere you are Authentication Types Passwords Security Tokens Biometrics CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems References Phil Agre. “Your Face is not a Bar Code,” http://polaris.gseis.ucla.edu/pagre/bar-code.html, 2003. Ross Anderson, Security Engineering, 2nd edition, Wiley, 2008. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. DigitalPersona, http://www.digitalpersona.com/company/news/pressKit.php, 2006. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O’Reilly, 2003. Ben Mook, “Md. pilot program tracks drivers’ speed, location via cell phones,” The Daily Record, October 21, 2005, http://www.mddailyrecord.com/pub/5_398_friday/businessnews/172883-1.html Bruce Schneier, “Biometrics: Truths and Fictions,” Cryptogram, http://www.schneier.com/crypto-gram-9808.html#biometrics, 1998. Bruce Schneier, “The Curse of the Secret Question,” http://www.schneier.com/essay-081.html, 2005. Orville Wilson, “Privacy & Identity - Security and Usability: The viability of Passwords & Biometrics,” http://facweb.cs.depaul.edu/research/vc/CIPLIT2004/ppt/Orville_Wilson.ppt, 2004. “Simple Anatomy of the Retina,” http://webvision.med.utah.edu/sretina.html, 2006. CIT 480: Securing Computer Systems