Download presentation
Presentation is loading. Please wait.
1
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 1 Authentication, access control, and policy configuration Lorrie Faith Cranor October 2009
2
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 2 Outline Definitions Authentication Access control Policy management Policy authoring
3
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 3 Definitions Identification - a claim about identity – Who or what I am (global or local) Authentication - confirming that claims are true – I am who I say I am – I have a valid credential Authorization - granting permission based on a valid claim – Now that I have been validated, I am allowed to access certain resources or take certain actions Access control system - a system that authenticates users and gives them access to resources based on their authorizations – Includes or relies upon an authentication mechanism – May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations – Also includes an interface for policy configuration and management
4
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 4 Building blocks of authentication Factors – Something you know (or recognize) – Something you have – Something you are Two factors are better than one – Especially two factors from different categories What are some examples of each of these factors? What are some examples of two-factor authentication?
5
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 5 Authentication mechanisms Text-based passwords Graphical passwords Hardware tokens Public key crypto protocols Biometrics
6
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 6 Evaluation Accessibility Memorability Security Cost Environmental considerations
7
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 7 Typical password advice
8
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 8 Typical password advice Pick a hard to guess password Don’t use it anywhere else Change it often Don’t write it down So what do you do when every web site you visit asks for a password?
9
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 9 Bank = b3aYZ Amazon = aa66x! Phonebill = p$2$ta1
10
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 10
11
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 11 Problems with Passwords Selection – Difficult to think of a good password – Passwords people think of first are easy to guess Memorability – Easy to forget passwords that aren’t frequently used – Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters Reuse – Too many passwords to remember – A previously used password is memorable Sharing – Often unintentional through reuse – Systems aren’t designed to support the way people work together and share information
12
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 12 Mnemonic Passwords Four First letter of each word (with punctuation) fsasya,oF Substitute numbers for words or similar-looking letters 4sa7ya,oF Substitute symbols for words or similar-looking letters F 4sasya,oF Four 4sa7ya,oF 4s&7ya,oF score s anda seven s yearsy ago a,, our oFathers F Source: Cynthia Kuo, SOUPS 2006
13
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 13 The Promise? Phrases help users incorporate different character classes in passwords – Easier to think of character-for-word substitutions Virtually infinite number of phrases Dictionaries do not contain mnemonics Source: Cynthia Kuo, SOUPS 2006
14
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 14 The Problem? “Goodness” of mnemonic passwords unknown – Yan et al. compared regular, mnemonic, and randomly generated passwords Used standard (non-mnemonic) dictionary Effectively evaluated whether mnemonic passwords contained dictionary words Source: Cynthia Kuo, SOUPS 2006
15
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 15 Mnemonic password evaluation Mnemonic passwords are not a panacea for password creation No comprehensive dictionary today May become more vulnerable in future – Many people start to use them – Attackers incentivized to build dictionaries Publicly available phrases should be avoided! C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase- Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA. Source: Cynthia Kuo, SOUPS 2006
16
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 16 Password keeper software Run on PC or handheld Only remember one password
17
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 17 Single sign-on Login once to get access to all your passwords
18
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 18 Biometrics
19
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 19 Graphical passwords
20
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 20 “Forgotten password” mechanism Email password or magic URL to address on file Challenge questions Why not make this the normal way to access infrequently used sites?
21
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 21 Convenient SecureID 1 What problems does this approach solve? What problems does it create? Source: http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx
22
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 22 Convenient SecureID 2 What problems does this approach solve? What problems does is create? 22 Previously available at: http://fob.webhop.net/
23
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 23 Browser-based mutual authentication Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/public-usable- authentication/2007Mar/0004.html http://lists.w3.org/Archives/Public/public-usable- authentication/2007Mar/0004.html – User gets ID, password (or alternative), image, hotspot at enrollment – Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons – Then login box appears and user enters username and password (or alternative) – Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear) – User finds their image and clicks on hotspot Image manipulation can help prevent replay attacks What problems does this solve? What problems doesn’t it solve? What kind of testing is needed
24
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 24 Types of access control Discretionary access control – Distributed, dynamic, users set access rules for resources they own and can delegate access to others Role-based access control – Centralized admin assigns users to roles and sets access rules based on roles And many others that vary – discretionary/mandatory – centralized/distributed – granularity – grouping
25
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 25 Policy management problems Admins, large organizations understanding large access control policies – Someone in marketing changed a policy and now we can’t figure out why people in sales no longer have access to a document – Who has access to this document anyway? End users creating and understanding policies – Examples: File system permissions, Grey, Perspective, privacy rules – Home users want to share some files with some other users, but don’t want to share everything
26
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 26 Roles for policy professionals Policy makers Policy implementers L. Bauer, L. Cranor, R.W. Reeder, M.K. Reiter, and K. Vaniea. Real life challenges in access-control management. CHI 2009. http://www.ece.cmu.edu/~lbauer/papers/2009/chi09- management.pdf http://www.ece.cmu.edu/~lbauer/papers/2009/chi09- management.pdf
27
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 27 Policy conflicts Given – Alice is in GroupA and GroupB – FileQ is in FolderX What types of conflicts might occur? Direct conflict – Alice allowed access to FileQ – Alice denied access to FileQ Group/group conflict – GroupA allowed access to FileQ – GroupB denied access to FileQ User/group conflict – Alice allowed access to FileQ – GroupA denied access to FileQ File/directory conflict – Alice allowed access to FileQ – Alice denied access to FolderX 2-way conflict – Alice allowed access to FileQ – GroupA denied access to FolderX
28
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 28 How can conflicts be resolved? Default rule – deny/allow takes precedence Ordered rules – policy author sets order Ordered rules – most recent first/last Specificity – most/least specific takes precedence Weighted rules – policy author assigns weights Exceptions – policy authors defines exceptions (essentially a partial ordering) Combination
29
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 29 Policy Authoring Slides courtesy of Rob Reeder R. W. Reeder. Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring. PhD Thesis, Computer science department, Carnegie Mellon University, Pittsburgh, PA, July 2008. Available as tech report number CMU-CS-08-143.Expandable Grids: A user interface visualization technique and a policy semantics to support fast, accurate security and privacy policy authoring.
30
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 30 Memogate
31
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 31 Proliferation of policies File systems Location disclosure applications Online social networks Websites
32
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 32 Policy authoring Policy – a set of rules that determine the conditions under which access is allowed to a resource Policies are created, edited, and viewed – authored Someone determines policy – the author Policies should fulfill the author’s intentions Policy authoring is done with a user interface
33
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 33 List of rules interfaces support policy authoring operations poorly Viewing policy – Often only one rule at a time is visible – Difficult to understand policy by reading long list of rules Changing policy – Difficult to understand effect of changes because you can’t see all relevant parts of a policy together Viewing group memberships – Usually requires using a separate interface Detecting and resolving conflicts – When rules interact, it isn’t clear what the outcome will be
34
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 34 Solution: Expandable Grid Key insight: Center policy- authoring user interfaces around a display of the whole effective policy, not a list of rules
35
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 35 Expandable Grid details 35 Jana
36
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 36 Direct manipulation interface To change a policy, just click on a cell and toggle the color In order to make this work, we had to change the conflict resolution semantics – Widows semantics: Deny takes precedence, but specificity precedence in resource dimension – Expandable Grid semantics: Recency precedence
37
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 37 User study of Expandable Grid for file permissions Laboratory study 2 conditions: – Expandable Grid – Native Windows file permissions interface 36 participants, 18 per condition, novice policy authors Training: – 3.5 minutes for Grid – 5.5 minutes for Windows 18 tasks based on a teaching assistant scenario
38
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 38 Example task: Jana Set permissions so that Jana can read and write the Four-part Harmony.doc file in the Theory 101\Handouts folder. Task setup: – Jana is a TA “this” year (did the study in 2007) Is in the group Theory 101 TAs 2007 – Jana was a TA last year Is in the group Theory 101 TAs 2006 – 2007 TAs are allowed READ & WRITE – 2006 TAs are denied READ & WRITE – Since Jana is in both groups, she is denied access
39
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 39 Jana task – common error
40
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 40 Learning Jana’s effective permissions 2 3 4 Click “Advanced” Click “Effective Permissions” Select Jana View Jana’s Effective Permissions 1
41
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 41 Learning Jana’s group membership 5 6 8 9 Bring up Computer Management interface Click on “Users” Double-click Jana Read Jana’s group membership TAs 2006 TAs 2007 7 Click “Member Of”
42
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 42 Learning Jana’s groups’ permissions 1011 12 13 Click on TAs 2006 Read permissions for TAs 2006 Click on TAs 2007 Read permissions for TAs 2007
43
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 43 Changing Jana’s groups’ permissions 14 15 Click on TAs 2006 Change permissions for TAs 2006
44
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 44 Checking work 17 18 19 16 Click “Advanced” Click “Effective Permissions” Select Jana View Jana’s Effective Permissions
45
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 45 XP support for fundamental operations Viewing policy – Effective policy is 3 screens away (most authors don’t find them) Changing policy – Authors operate on rules, not effective policy Viewing group memberships – In a separate application from file permissions Detecting and resolving conflicts – Has to be done manually
46
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 46 Viewing effective policy 1
47
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 47 Viewing group membership 2
48
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 48 Changing policy 3
49
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 49 Resolving rule conflicts
50
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 50 Grid support for fundamental operations Viewing policy – Effective policy directly shown on screen Changing policy – Changes take one click Viewing group memberships – Group memberships are shown in the trees Detecting and resolving conflicts – Happens automatically
51
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 51 Results Small-sizeLarge-size Task type AccuracyTimeAccuracyTime View simple View complex Change simple Change complex Compare groups Conflict simple Conflict complex Memogate simulation Precedence rule test 111s 126s 89% 56% 94% 17% 89% 94% 61% 0% 89% 83% 67% 61% 89% 0% 100% 94% 89% 94% 61% 56% 100 39% 100 67% 17% 67% 83% 72% 61% 100 6% 94% 78% 29s 64s 35s 55s 30s 52s 70s Insufficient data 39s 103s 55s 103s 29s 20s 66s Insufficient data 42s 118s 42s 61s 39s 67s 50s 42s 73s 104s 52s Insufficient data 105s 116s 71s 115s 100s 143s Grid Windows Jana task
52
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 52 Conflict-resolution method Were the effects we observed due to the Expandable Grid visualization, the recency precedence conflict- resolution method, or both? We ran another study to find out – Implemented deny-takes-precedence in the Expandable Grid interface – Ran 18 new participants with the new Grid interface Results – On the Jana task, recency precedence made a big difference – On the other tasks, the Grid was generally superior to Windows no matter the conflict resolution scheme Both the Grid’s presentation aspects AND recency precedence make a difference
53
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 53 Desired properties for conflict resolution method Direct manipulation Exception-rule preservation Order independence Fail safety
54
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 54 Problems with Windows and recency semantics Windows: – No satisfactory way to solve Jana-like rule conflicts Recency: – Too liberal in overriding existing rules – Does not work well in the presence of dynamic changes, like adding a user to a group, moving a file
55
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 55 Our specificity semantics Conflict resolution procedure – Resolve rule conflicts by choosing the more specific rule when possible (specificity precedence) – Otherwise, use deny-precedence Benefits – If group rules are in conflict, can make a user-level exception – Exceptions stay in place even when group rules change – User-level or file-level exceptions stay in place even in the presence of dynamic changes
56
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 56 Enhanced Grid
57
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 57 Enhanced Grid
58
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 58 Semantics study #2 Laboratory study 3 conditions: – Expandable Grid with specificity semantics – Expandable Grid with Windows semantics – Native Windows file permissions interface 54 participants, 18 per condition, novice policy authors 10 minutes training for all conditions Used large-scale Teaching Assistant scenario from prior study 12 total tasks with counterbalanced task order
59
CyLab Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ 59 Results and discussion Conflict resolution semantics can have a big effect on usability, but no perfect semantics Specificity helps resolve rule conflicts and makes group rule exceptions easy Specificity semantics is not always better than Windows semantics The grid/specificity combination overcomes semantics disadvantages Whatever the semantics, show effective policy!
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.