Access Control. Tom Chothia Computer Security, Lecture 5

Transcription

1 Access Control Tom Chothia Computer Security, Lecture 5

2 The Crypto Wars : Clipper chip considered in US congress and rejected. Due partly to Matt Blaze s analysis and strongly attack by John Kerry among others US laws lifted: the Geeks ``won the crypto wars. Freedoms won in the US then filtered through to the rest of the Internet, e.g. French laws until 2004: ECB mode only, max key length 40, must include known plain text.

3 Crypto Wars: Round 2 We learnt in September that the NSA had been working to weaken ( back door ) crypto. Some of the possible backdoors: Bad elliptic curve parameters Weak random number generators: e.g. Dual_EC_DRBG

4 Certificates A public key certificate binds a public key to an identity. As well as a public key it contains a name, address, etc. It is signed, with the private key, and anyone else that trusts it.

5 Distributing Public Keys The whole system breaks down if you get the wrong key for someone. The best way to exchange keys is face to face. You can also check the fingerprint of the key. If someone you trust has signed some else key you can may trust it too. Web of trust.

6 Key Servers Key servers store public key certificates E.g. Many clients can automatically search a key server for unknown addresses. But beware, there is no gautentee the key is not a fake.

7 Recommended Key Lengths As computers get faster, key lengths need to get longer. We expect that some key lengths that are secure today will be crackable in a few decades. See

8 The module so far: You should know: Symmetric key crypto, public key crypto AES, DES, 3-DES, RSA, DH, Elgaml Cipher block modes: ECB, CBC, CTR Padding Signing Combining public and symmetric crypto You should be using: PGP and Truecrypt

9 Today s Lecture Access control models Access Control Matrix Access Control Lists Capability Lists Role Based Access Control Linux/Unix access control Confused Deputy Problem

10 Model of Access Control Principal (subject) e.g. a user or program. Action e.g. read Resource Monitor Object (resource) e.g. a file

11 Access Control Types Mandatory access control An administrator sets all permissions. Often used in a government environment. E.g. SELinux, Microsoft s Mandatory Integrity Control Discretionary access control Each user can set the permissions for their own data. More common, standard for most OSs.

12 Access Control Matrix Operating System Accounts Program Accounting Data Audit Trial Alice (manager) Bob (auditor) Accounts Program Sam (sys admin) Permissions: x: execute, r: read, w: write

13 Access Control Matrix ACM is a matrix of all principals and objects. The matrix entries describe the permissions. Problem: maintaining such a matrix can be difficult. If the matrix is corrupted then all controls is lost.

14 Access Control Lists (ACLs) We don t want to store one massive matrix. Instead we can store each column of the matrix with the object it refers to. e.g. (Accounts data, [(Sam,r), (Bob,r),(Accounts program, rw)] )

15 Capability Lists ACLs work well for operating systems. But they are not so good for systems with huge numbers of users, e.g. Amazon. Capability Lists store the rights with the principal, e.g. (Alice, [(Operating System, x), (Accounts program, x)])

16 Capability Lists Capability Lists work well in web systems. The Capability List can be implemented as a: Cookie e.g. a server encrypts principals rights and stores this in the browser. A Certificate This lets a principal prove their rights to a third party.

17 Model of Access Control Principal (subject) e.g. a user Action e.g. read Resource Monitor Object (resource) e.g. a file

18 Role Based Access Control Principal (subject) e.g. a user Object (resource) e.g. a file Roles Permissions

19 Access Control Matrix Alice (manager) Bob (auditor) Sam (sys admin) Accounts Program Accounting Data x - r rwx r r

20 Role Based Access Control Accounts prog. Accounts Data Personnel file Manager x - rw Auditor xr r - Sys admin rwx r - Object Roles Permissions Principals Manager Auditor Sys admin Alice Y N N Bob N Y N Sam N N Y Dave N Y N

21 Role Based Access Control Role Based Access Control makes it very easy to maintain large access control policies. Good at expressing complex policies Bad at expressing single user policies Used in Microsoft Active Directory, Microsoft SQL Server, PostgreSQL, SELinux, FreeBSD, Oracle DBMS,

22 Summary of Access Control Models Access Control Matrix: Simple, but hard to use in practice Access Control Lists Store access rights with the object Good for OS access control Capability Lists Store access rights with the principal Good for web servers, cookies, certs. Role Based Access Control Easy to administer

23 Access Control in Unix/Linux Unix/Linux/Mac use ACL, with groups. uid set when you log on. Linux Kernel then dynamically enforces the ACLS. ls l displays files with their ACL root owns everything ( get root = control the system)

24 The UNIX Access Control List The permissions The owner size File name -rw-r bob staff 6 9 Aug 22:18 test.txt Link counter The Group The Date

25 UNIX File Permissions File Type Owner Permissions drwxrwxrwx Group Permissions Other Permissions Permissions: r: read permission w: write permission x: execution permission -: no permissions File Type: - : file d : directory b/c: device file

26 Access Control for Directories For directories r is read only for directory contents x is permission to traverse, e.g. switch to, run. No x : I can t run any commands inside the directory No r : I can t list the files in the directory

27

28 Access Control for Process -r-sr-xr-x 1 root wheel Jun 2009 passwd The x permission controls who can run a process in the case of passwd: anyone. The s permission indicates that the process runs with the permission of its owner.

29 The Confused Deputy Problem Users can run programs with more privileges If there was a mistake in the passwd program we could use it do root only actions. The Confused Deputy Problem, when a low level attacker gets a high level process to misusing its authority. Make sure process have as low a level as possible.

30 Common Problems With Access Control Little protection if the attacker has physical access Poorly configured policies can be a problem Confused deputy problem: low level uses can get programs with high level access to do their dirty work. No defence against stack based attacks

31 Further Study Security Engineering, Ross Anderson Access Control Chapter Computer Security, Dieter Gollmann Chapters 4, 6 & 7 Experiment with your own computer.

32 Next Time Hash functions. Getting around access control. Password protection what to do with that password file.