Presentation is loading. Please wait.

Presentation is loading. Please wait.

CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October.

Similar presentations


Presentation on theme: "CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October."— Presentation transcript:

1 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October 2009

2 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 2 Outline  Definitions  Authentication  Access control  Policy management  Policy authoring

3 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 3 Definitions  Identification - a claim about identity – Who or what I am (global or local)  Authentication - confirming that claims are true – I am who I say I am – I have a valid credential  Authorization - granting permission based on a valid claim – Now that I have been validated, I am allowed to access certain resources or take certain actions  Access control system - a system that authenticates users and gives them access to resources based on their authorizations – Includes or relies upon an authentication mechanism – May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations – Also includes an interface for policy configuration and management

4 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 4 Building blocks of authentication  Factors – Something you know (or recognize) – Something you have – Something you are  Two factors are better than one – Especially two factors from different categories  What are some examples of each of these factors?  What are some examples of two-factor authentication?

5 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 5 Authentication mechanisms  Text-based passwords  Graphical passwords  Hardware tokens  Public key crypto protocols  Biometrics

6 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 6 Evaluation  Accessibility  Memorability  Security  Cost  Environmental considerations

7 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 7 Typical password advice

8 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 8 Typical password advice  Pick a hard to guess password  Don’t use it anywhere else  Change it often  Don’t write it down So what do you do when every web site you visit asks for a password?

9 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 9 Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1

10 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 10

11 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 11 Problems with Passwords  Selection – Difficult to think of a good password – Passwords people think of first are easy to guess  Memorability – Easy to forget passwords that aren’t frequently used – Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters  Reuse – Too many passwords to remember – A previously used password is memorable  Sharing – Often unintentional through reuse – Systems aren’t designed to support the way people work together and share information

12 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 12 Mnemonic Passwords Four First letter of each word (with punctuation) fsasya,oF Substitute numbers for words or similar-looking letters 4sa7ya,oF Substitute symbols for words or similar-looking letters F 4sasya,oF Four 4sa7ya,oF 4s&7ya,oF score s anda seven s yearsy ago a,, our oFathers F Source: Cynthia Kuo, SOUPS 2006

13 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 13 The Promise?  Phrases help users incorporate different character classes in passwords – Easier to think of character-for-word substitutions  Virtually infinite number of phrases  Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006

14 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 14 The Problem?  “Goodness” of mnemonic passwords unknown – Yan et al. compared regular, mnemonic, and randomly generated passwords Used standard (non-mnemonic) dictionary Effectively evaluated whether mnemonic passwords contained dictionary words Source: Cynthia Kuo, SOUPS 2006

15 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 15 Mnemonic password evaluation  Mnemonic passwords are not a panacea for password creation  No comprehensive dictionary today  May become more vulnerable in future – Many people start to use them – Attackers incentivized to build dictionaries  Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase- Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA. Source: Cynthia Kuo, SOUPS 2006

16 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 16 Password keeper software  Run on PC or handheld  Only remember one password

17 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 17 Single sign-on  Login once to get access to all your passwords

18 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 18 Biometrics

19 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 19 Graphical passwords

20 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 20 “Forgotten password” mechanism  Email password or magic URL to address on file  Challenge questions  Why not make this the normal way to access infrequently used sites?

21 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 21 Convenient SecureID 1  What problems does this approach solve?  What problems does it create? Source: http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx

22 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 22 Convenient SecureID 2  What problems does this approach solve?  What problems does is create? 22 Previously available at: http://fob.webhop.net/

23 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 23 Browser-based mutual authentication  Chris Drake’s “Magic Bullet” proposal  http://lists.w3.org/Archives/Public/public-usable- authentication/2007Mar/0004.html http://lists.w3.org/Archives/Public/public-usable- authentication/2007Mar/0004.html – User gets ID, password (or alternative), image, hotspot at enrollment – Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons – Then login box appears and user enters username and password (or alternative) – Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear) – User finds their image and clicks on hotspot Image manipulation can help prevent replay attacks  What problems does this solve?  What problems doesn’t it solve?  What kind of testing is needed

24 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 24 Types of access control  Discretionary access control – Distributed, dynamic, users set access rules for resources they own and can delegate access to others  Role-based access control – Centralized admin assigns users to roles and sets access rules based on roles  And many others that vary – discretionary/mandatory – centralized/distributed – granularity – grouping

25 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 25 Policy management problems  Admins, large organizations understanding large access control policies – Someone in marketing changed a policy and now we can’t figure out why people in sales no longer have access to a document – Who has access to this document anyway?  End users creating and understanding policies – Examples: File system permissions, Grey, Perspective, privacy rules – Home users want to share some files with some other users, but don’t want to share everything

26 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 26 Roles for policy professionals  Policy makers  Policy implementers L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. CHI 2009. http://www.ece.cmu.edu/~lbauer/papers/2009/chi09- management.pdf http://www.ece.cmu.edu/~lbauer/papers/2009/chi09- management.pdf

27 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 27 Policy conflicts  Given – Alice is in GroupA and GroupB – FileQ is in FolderX  What types of conflicts might occur?  Direct conflict – Alice allowed access to FileQ – Alice denied access to FileQ  Group/group conflict – GroupA allowed access to FileQ – GroupB denied access to FileQ  User/group conflict – Alice allowed access to FileQ – GroupA denied access to FileQ  File/directory conflict – Alice allowed access to FileQ – Alice denied access to FolderX  2-way conflict – Alice allowed access to FileQ – GroupA denied access to FolderX

28 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 28 How can conflicts be resolved?  Default rule – deny/allow takes precedence  Ordered rules – policy author sets order  Ordered rules – most recent first/last  Specificity – most/least specific takes precedence  Weighted rules – policy author assigns weights  Exceptions – policy authors defines exceptions (essentially a partial ordering)  Combination

29 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 29 Policy Authoring Slides courtesy of Rob Reeder R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring.

30 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 30 Memogate

31 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 31 Proliferation of policies File systems Location disclosure applications Online social networks Websites

32 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 32 Policy authoring  Policy – a set of rules that determine the conditions under which access is allowed to a resource  Policies are created, edited, and viewed – authored  Someone determines policy – the author  Policies should fulfill the author’s intentions  Policy authoring is done with a user interface

33 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 33 List of rules interfaces support policy authoring operations poorly  Viewing policy – Often only one rule at a time is visible – Difficult to understand policy by reading long list of rules  Changing policy – Difficult to understand effect of changes because you can’t see all relevant parts of a policy together  Viewing group memberships – Usually requires using a separate interface  Detecting and resolving conflicts – When rules interact, it isn’t clear what the outcome will be

34 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 34 Solution: Expandable Grid Key insight: Center policy- authoring user interfaces around a display of the whole effective policy, not a list of rules

35 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 35 Expandable Grid details 35 Jana

36 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 36 Direct manipulation interface  To change a policy, just click on a cell and toggle the color  In order to make this work, we had to change the conflict resolution semantics – Widows semantics: Deny takes precedence, but specificity precedence in resource dimension – Expandable Grid semantics: Recency precedence

37 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 37 User study of Expandable Grid for file permissions  Laboratory study  2 conditions: – Expandable Grid – Native Windows file permissions interface  36 participants, 18 per condition, novice policy authors  Training: – 3.5 minutes for Grid – 5.5 minutes for Windows  18 tasks based on a teaching assistant scenario

38 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 38 Example task: Jana  Set permissions so that Jana can read and write the Four-part Harmony.doc file in the Theory 101\Handouts folder.  Task setup: – Jana is a TA “this” year (did the study in 2007) Is in the group Theory 101 TAs 2007 – Jana was a TA last year Is in the group Theory 101 TAs 2006 – 2007 TAs are allowed READ & WRITE – 2006 TAs are denied READ & WRITE – Since Jana is in both groups, she is denied access

39 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 39 Jana task – common error

40 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 40 Learning Jana’s effective permissions 2 3 4 Click “Advanced” Click “Effective Permissions” Select Jana View Jana’s Effective Permissions 1

41 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 41 Learning Jana’s group membership 5 6 8 9 Bring up Computer Management interface Click on “Users” Double-click Jana Read Jana’s group membership TAs 2006 TAs 2007 7 Click “Member Of”

42 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 42 Learning Jana’s groups’ permissions 1011 12 13 Click on TAs 2006 Read permissions for TAs 2006 Click on TAs 2007 Read permissions for TAs 2007

43 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 43 Changing Jana’s groups’ permissions 14 15 Click on TAs 2006 Change permissions for TAs 2006

44 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 44 Checking work 17 18 19 16 Click “Advanced” Click “Effective Permissions” Select Jana View Jana’s Effective Permissions

45 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 45 XP support for fundamental operations  Viewing policy – Effective policy is 3 screens away (most authors don’t find them)  Changing policy – Authors operate on rules, not effective policy  Viewing group memberships – In a separate application from file permissions  Detecting and resolving conflicts – Has to be done manually

46 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 46 Viewing effective policy 1

47 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 47 Viewing group membership 2

48 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 48 Changing policy 3

49 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 49 Resolving rule conflicts

50 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 50 Grid support for fundamental operations  Viewing policy – Effective policy directly shown on screen  Changing policy – Changes take one click  Viewing group memberships – Group memberships are shown in the trees  Detecting and resolving conflicts – Happens automatically

51 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 51 Results Small-sizeLarge-size Task type AccuracyTimeAccuracyTime View simple View complex Change simple Change complex Compare groups Conflict simple Conflict complex Memogate simulation Precedence rule test 111s 126s 89% 56% 94% 17% 89% 94% 61% 0% 89% 83% 67% 61% 89% 0% 100% 94% 89% 94% 61% 56% 100 39% 100 67% 17% 67% 83% 72% 61% 100 6% 94% 78% 29s 64s 35s 55s 30s 52s 70s Insufficient data 39s 103s 55s 103s 29s 20s 66s Insufficient data 42s 118s 42s 61s 39s 67s 50s 42s 73s 104s 52s Insufficient data 105s 116s 71s 115s 100s 143s Grid Windows Jana task

52 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 52 Conflict-resolution method  Were the effects we observed due to the Expandable Grid visualization, the recency precedence conflict- resolution method, or both?  We ran another study to find out – Implemented deny-takes-precedence in the Expandable Grid interface – Ran 18 new participants with the new Grid interface  Results – On the Jana task, recency precedence made a big difference – On the other tasks, the Grid was generally superior to Windows no matter the conflict resolution scheme  Both the Grid’s presentation aspects AND recency precedence make a difference

53 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 53 Desired properties for conflict resolution method  Direct manipulation  Exception-rule preservation  Order independence  Fail safety

54 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 54 Problems with Windows and recency semantics  Windows: – No satisfactory way to solve Jana-like rule conflicts  Recency: – Too liberal in overriding existing rules – Does not work well in the presence of dynamic changes, like adding a user to a group, moving a file

55 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 55 Our specificity semantics  Conflict resolution procedure – Resolve rule conflicts by choosing the more specific rule when possible (specificity precedence) – Otherwise, use deny-precedence  Benefits – If group rules are in conflict, can make a user-level exception – Exceptions stay in place even when group rules change – User-level or file-level exceptions stay in place even in the presence of dynamic changes

56 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 56 Enhanced Grid

57 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 57 Enhanced Grid

58 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 58 Semantics study #2  Laboratory study  3 conditions: – Expandable Grid with specificity semantics – Expandable Grid with Windows semantics – Native Windows file permissions interface  54 participants, 18 per condition, novice policy authors  10 minutes training for all conditions  Used large-scale Teaching Assistant scenario from prior study  12 total tasks with counterbalanced task order

59 CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 59 Results and discussion  Conflict resolution semantics can have a big effect on usability, but no perfect semantics  Specificity helps resolve rule conflicts and makes group rule exceptions easy  Specificity semantics is not always better than Windows semantics  The grid/specificity combination overcomes semantics disadvantages  Whatever the semantics, show effective policy!


Download ppt "CyLab Usable Privacy and Security Laboratory 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October."

Similar presentations


Ads by Google