Security Barriers (lecture slides: identity, authentication, authorization, non-repudiation)


Security Barriers
Security is about building barriers to protect assets. What complicates security is the necessity for barrier penetration: legitimate users need proper access to the asset, so the barrier must have holes, and every hole is also a place where an attack can be attempted. To be secure, the barrier holes must be guarded.
(Diagram: the asset sits inside the security system; both proper access and attacks arrive at the same barrier.)
Speaker notes: Have the class list common barriers outside of computing (gates, walls, moats, etc.). Then have the class list the holes in them (the door in the building, the gate in the livestock pen, the bridge across the moat).

Computer Security: Basic Concepts in Barrier Penetration Control
- Identification: Who are you?
- Authentication: Can you prove it?
- Authorization: That which you are permitted to do.
- Accountability: You can be held responsible for what you did.
Example: a travel pass for the Tube in London.
1) Photo card, issued by a ticket clerk. Contains your ID number, photo and signature; has no time limit. This is an authentication token.
2) Pass ticket, from a vending machine or clerk. Good for one week, month or year; you must write your photo-card ID number on it for it to be valid. This is an authorization token.
The pass ticket alone gets you through the turnstiles, but spot checks require you to show both cards to a clerk. This is a clean separation of authentication from authorization, two things that too often get confused in real-life situations.

Identity
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers used in our world? What is the problem with using people’s names as identifiers?
Speaker notes: The first question is asking for things like names, Social Security numbers, student IDs, file names, credit card account numbers, street addresses, email addresses and domain names. It can be split into the non-computing world and the computing world (IP address, port number, UID, etc.). The problem with names is that identifiers need to be unique, and names are not. This is why a Swiss numbered bank account is identified by a number rather than a name.

Authorization
Access privileges granted to a user, program, or process.†
Common authorization tokens: (list shown on the slide)
Note that many authorization tokens are never authenticated (concert tickets, stamps, money: whoever holds one can use it), while some are (an airline ticket or credit card is checked against an ID or signature).
† Definition from National Information Systems Security

Authentication
Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.†
Authenticity is clearly a special kind of integrity: the claim “this came from X” is itself data that must be correct.
† Definition from National Information Systems Security

Authentication
Authentication is a basis for trust. The password is the most common means of authentication, and it uses a challenge-response protocol:
CHALLENGE: “password:”
RESPONSE: the secret
In WWII a common authentication was to ask, “Who won the 1940 World Series?” Gundersen authenticates by asking for your birth date or street address. THESE ARE PUBLIC, as is your mother’s maiden name, Social Security number, etc. A response only proves identity if nobody but the right person can produce it, and the response must be protected in transit (encryption required), or the eavesdropper simply replays it.
Passwords are vulnerable to attacks. Why? Challenge-response systems fail when the responses can be efficiently discovered: guessed from public facts, listed in a dictionary, or reused across systems.

Password Cracking
A cracker algorithm is just the challenge-response loop run by software: repeatedly propose a candidate response, test it, and move on. Give password-cracking software a challenge (or, more often, a stolen file of password hashes) and it will answer most common passwords in seconds.
The conventional wisdom is as follows:
 Don’t use short passwords (at least 12 symbols).
 Include lowercase, uppercase and digits.
 Use the first letters from some phrase you can remember: TtlsH1wwya
 Bracket the password with non-alphanumerics: #TtlsH1wwya&
 Include a character that is not on the keyboard (on Windows, Alt-0181 types µ).
Caveat for the defender: this advice only raises the cracker’s cost per guess. The server side must raise it too, by storing passwords as salted, deliberately slow hashes and by rate-limiting online guesses; otherwise a leaked hash file is cracked offline at millions of guesses per second.
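The loop described above, as an added example that is not part of the original slides: a toy offline cracker that takes a constructed “leaked” table of unsalted SHA-256 hashes, generates candidates from a small wordlist with a few mangling rules, and compares. It also shows the salted, iterated hash that defeats the one-hash-checks-every-account shortcut. The wordlist, the three accounts and their passwords are constructed for the demonstration.

```python
"""Offline password cracking as on the slide: repeatedly propose a
candidate, hash it the way the verifier does, compare.  All data below is
constructed for the example."""
import hashlib


def _h(password: str) -> str:
    """The (weak) verifier: unsalted, single-round SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" table: username -> unsalted SHA-256(password).
LEAKED = {
    "alice": _h("password1"),
    "bob":   _h("Summer2024!"),
    "carol": _h("#TtlsH1wwya&"),   # the phrase-derived password from the slide
}

# Tiny wordlist; a real cracker ships millions of entries plus rule files.
WORDLIST = ["password", "summer", "letmein", "welcome", "dragon"]


def mangle(word: str):
    """Cheap rule set: case variants, digit suffix, year suffix, brackets."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for d in range(10):
            yield f"{base}{d}"
        for year in range(2020, 2026):
            yield f"{base}{year}"
            yield f"{base}{year}!"
        yield f"#{base}&"


def crack(leaked: dict, wordlist: list) -> dict:
    """Return {user: password} for every hash matched.

    Because the hashes are unsalted, one hash computation per candidate is
    checked against *all* accounts: the lookup is a dict, not a loop."""
    by_hash: dict = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.get(_h(candidate), ()):
                found[user] = candidate
    return found


def salted_hash(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """What the verifier should store instead: PBKDF2-HMAC-SHA256.

    The per-user salt means identical passwords hash differently, so a
    candidate must be re-hashed per account; the round count makes each
    candidate cost ~rounds hashes instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


if __name__ == "__main__":
    print(crack(LEAKED, WORDLIST))   # alice and bob fall; carol's phrase-based password is not in the list
    print(salted_hash("password1", b"salt-a") != salted_hash("password1", b"salt-b"))
```

The phrase-derived password survives only because “TtlsH1wwya” is not in the wordlist and is not produced by any rule; the rule set is what decides which of the conventional-wisdom tips actually buys anything.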

Additional Means of Authentication
HHAD (Hand-Held Authentication Device) token: a small device carried by the user, often including a microprocessor, a keypad and/or a real-time clock.
Challenge-Response Token: the system displays a random number, which the user enters on the token’s keypad. The token uses the keypad input to calculate and display a number. The user enters that number into the computer, which verifies it by performing the same computation. In full, the exchange works as follows:
1) the computer displays a random number (the challenge),
2) the user enters a PIN into the token,
3) the user enters the random number into the token,
4) the token gives up a code,
5) the user enters the code into the computer (the response).
This prohibits use of the token without the PIN and use of the PIN without the token, and it prohibits reuse of a code, since the next login gets a fresh challenge.
Time-Based Token: the token uses its internal real-time clock value to calculate and display a number. The user enters the number into the computer, which verifies it against its own clock.
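Both token types above, as an added example that is not part of the original slides: a software model of the five-step challenge-response exchange (with the PIN mixed in and each challenge usable once) and of a clock-driven token with a small skew window on the server side. It uses HMAC-SHA-256 over a secret shared between token and server; real products use their own algorithms (or the HOTP/TOTP standards), so treat the message formats, the 6-digit truncation and the 30-second step as assumptions of this model.

```python
"""Model of a challenge-response token and a time-based token.  The shared
secret, PIN, step size and code format are assumptions of this example."""
import hashlib
import hmac
import secrets
import time


def _code(secret: bytes, message: bytes, digits: int = 6) -> str:
    """Truncate an HMAC to a short decimal code a user can type."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


# ---- Challenge-response token ---------------------------------------------
def token_response(secret: bytes, pin: str, challenge: str) -> str:
    """Steps 2-4, inside the token: PIN and challenge go in, a code comes out.
    A wrong PIN or a different token (secret) yields a different code, so
    neither the PIN nor the token alone is enough."""
    return _code(secret, f"{pin}:{challenge}".encode())


class ChallengeResponseServer:
    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin
        self.outstanding: set = set()   # challenges issued but not yet answered

    def challenge(self) -> str:
        """Step 1: the computer displays a fresh random number."""
        c = secrets.token_hex(4)
        self.outstanding.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        """Step 5: check the typed code.  A challenge is consumed on first
        use, so a captured code cannot be replayed."""
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = token_response(self.secret, self.pin, challenge)
        return hmac.compare_digest(expected, response)


# ---- Time-based token -----------------------------------------------------
STEP = 30   # seconds per code (assumption)


def time_code(secret: bytes, now: float) -> str:
    """What the token displays: HMAC over the current 30-second counter."""
    counter = int(now // STEP)
    return _code(secret, counter.to_bytes(8, "big"))


def verify_time_code(secret: bytes, code: str, now: float, skew_steps: int = 1) -> bool:
    """Server check against its own clock, tolerating +/- skew_steps of drift."""
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(time_code(secret, now + k * STEP), code):
            return True
    return False


if __name__ == "__main__":
    shared = secrets.token_bytes(32)       # provisioned into token and server
    server = ChallengeResponseServer(shared, pin="1234")
    c = server.challenge()                  # shown on screen
    r = token_response(shared, "1234", c)   # typed into the token, read off its display
    print("first use:", server.verify(c, r), "replay:", server.verify(c, r))
    now = time.time()
    print("time code:", verify_time_code(shared, time_code(shared, now), now))
```

The skew window is the usual trade-off for clock-based tokens: wider windows tolerate drift but give an attacker who sees a code slightly longer to use it. A production server would also remember the last accepted counter so that a time code, like a challenge, is accepted only once.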

Additional Means of Authentication
Biometric: requires special devices to read human features (fingerprint, retina, face).
Cruise lines authenticate passengers returning from shore leave by comparing them to the photo ID stored in their database. Following 9/11, the National Guard troops posted at airports were all required to memorize a few photos; humans tend to be better at such recognition than the machines of the time.

Additional Means of Authentication
Digital certificate: a certificate authority performs a security check on a user and issues an electronic certificate that binds the user’s identity to a public key; the user proves identity by showing possession of the matching private key.
Smartcard: physically requires a reader; contains a full microprocessor, with cryptographic calculations performed on board so the private key never leaves the card. Smartcards can store keys, certificates and other credentials (list shown on the slide). Tampering with a smartcard typically renders it useless.

Authentication Factors
...what you know (password)
...what you have (key, token, smartcard)
...what you are (biometrics: fingerprints, retinal scan)
...where you are (in a secure location, at some terminal)

Non-repudiation
Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.†
Note the bi-directionality. The usual scam is performed by the sender, but you can also be scammed by a web site that causes you to initiate the transaction: then it is the user’s own access request that the attacker later points to. An expert on phone solicitation recently said that companies have discovered that getting you to call in is better than their calling you. They offer special deals, etc.
† Definition from National Information Systems Security