Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 8:Access Control and Authentication



Similar documents
Part III. Access Control Fundamentals

Information Security Information & Network Security Lecture 2

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Role Based Access Control: Adoption and Implementation in the Developing World

Database Security Part 7

Access Control Matrix

Chapter 23. Database Security. Security Issues. Database Security

Session objectives. Access control. Subjects and objects. The request. Information Security

Outline. INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control. The concept of identity

Role Based Access Control (RBAC) Nicola Zannone

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Assessment of Access Control Systems

Chapter 2 Taxonomy and Classification of Access Control Models for Cloud Environments

Computer security Lecture 3. Access control

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

CSE543 - Introduction to Computer and Network Security. Module: Access Control

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Access Control Intro, DAC and MAC. System Security

Analysis of Different Access Control Mechanism in Cloud

BM482E Introduction to Computer Security

Security Models: Past, Present and Future

ITM661 Database Systems. Database Security and Administration

Integrating basic Access Control Models for efficient security along with encryption for the ERP System

Govt. of Karnataka, Department of Technical Education Diploma in Computer Science & Engineering. Sixth Semester

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Identity Management and Access Control

Reference Guide for Security in Networks

ISSECO Syllabus Public Version v1.0

Project Overview

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Role-Based Access Controls

Completeness, Versatility, and Practicality in Role Based Administration

Information Security and Cryptography

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Mandatory Access Control

Introduction to Computer Security

Application Based Access Control on Cloud Networks for Data Security

Securing Data on Microsoft SQL Server 2012

Role-based access control. RBAC: Motivations

CompTIA Security+ Certification SY0-301

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

Database Security and Authorization

Module 7 Security CS655! 7-1!

Access Control Fundamentals

MS-55096: Securing Data on Microsoft SQL Server 2012

MACs Message authentication and integrity. Table of contents

AUTHENTICATION AND ACCESS CONTROL BEST PRACTICES FOR HEALTHCARE SYSTEMS

Database Security. Chapter 21

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Access Control Basics. Murat Kantarcioglu

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

Cryptography and Network Security

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

CHAPTER - 3 WEB APPLICATION AND SECURITY

Welcome to Information Systems Security (503009)

Overview of Information Security. Murat Kantarcioglu

Information Flows and Covert Channels

How To Model Access Control Models In Cse543

Major prerequisites by topic: Basic concepts in operating systems, computer networks, and database systems. Intermediate programming.

CRYPTOGRAPHIC SECURE CLOUD STORAGE MODEL WITH ANONYMOUS AUTHENTICATION AND AUTOMATIC FILE RECOVERY

Access Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?

VALLIAMMAI ENGINEERING COLLEGE

Rewrite-Based Access Control Policies in Distributed Environments

Firewalls CSCI 454/554

Chapter 23. Database Security. Security Issues. Database Security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Firewalls. Mahalingam Ramkumar

Chapter 24. Database Security. Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley

An Application of Integrating Role and Lattice Based Access Control in Database Engineering

TELECOMMUNICATION NETWORKS

The Future of Access Control: Attributes, Automation and Adaptation

SELinux Policy Management Framework for HIS

QUT Digital Repository:

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Weighted Total Mark. Weighted Exam Mark

Central Agency for Information Technology

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Homomorphic encryption and emerging technologies COSC412

Secure Role-Based Access Control on Encrypted Data in Cloud Storage using Raspberry PI

Introduction to Computer Security

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University

Compter Networks Chapter 9: Network Security

Lecture 1: Introduction. CS 6903: Modern Cryptography Spring Nitesh Saxena Polytechnic University

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 7

Talk announcement please consider attending!

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

An Oracle White Paper March Oracle Label Security in Government and Defense Environments

Lecture 14 Towards Trusted Systems Security Policies and Models

Towards Securing APIs in Cloud Computing

Distributed Attribute Based Encryption for Patient Health Record Security under Clouds

An Object Oriented Role-based Access Control Model for Secure Domain Environments

CAPP-Compliant Security Event Audit System for Mac OS X and FreeBSD

International Journal on Recent and Innovation Trends in Computing and Communication ISSN Volume: 1 Issue: DATABASE SECURITY

Transcription:

Security and Cryptography 1 Stefan Köpsell, Thorsten Strufe Module 8:Access Control and Authentication Disclaimer: large parts from Stefan Katzenbeisser, Günter Schäfer Dresden, WS 14/15

Reprise from the last modules (30k ft) Security goals and services describe and implement protection from threats History has been an arms race between cryptography and cryptanalysis Each success for the cryptanalysis community has helped make ciphers more secure Different flavors of ciphers with different properties aim at confidentiality Secure pseudo-random numbers are essential for the security of ciphers MACs and signatures aim at providing integrity Keys can be agreed upon apriori, exchanged, or agreed upon online Stream- and block ciphers are commonly symmetric and have different properties Asymmetric crypto allows for public keys and has many different applications Privacy and Security Folie Nr. 2

Access Control Recall security goals of confidentiality and integrity So far, using crypto: Conceal information in seemingly random noise Prove absence of tampering by signature How does this solution relate to real life? Privacy and Security Folie Nr. 4

Confidentiality and Integrity in RL partikelchen.de Privacy and Security Folie Nr. 5

Physical access control Objects vs. Subjects Subjects have controlled access to objects Prevents information disclosure Prevents tampering Requires some gatekeeper: Identification of subjects (Authentication) Explicit instructions (Policy, <policy descriptions>, authorization) Controlling (and granting) access Privacy and Security Folie Nr. 6

Some Terminology Def: Access control comprises mechanisms to enforce mediation on subject requests for access to objects as defined in a security policy. Def: A subject is an active entity that can initiate a request for resources and utilize these resources to complete some task Def: An object is a resource that is used to store, access, or process information Def: An operation (action) is an instance of access, commonly a utilization, retrieval, or manipulation event, of a subject on an object Objects historically had the notion of files, or repositories Subjects commonly processes (local or remote) Operations historically: r,w,x Privacy and Security Folie Nr. 7

Common Concept of Access Control Reference monitor is a concept to detail decision process: Rights/Policy Subject Request Reference monitor granted Object Access Control denied RM not necessarily a physical/logical component in the system AC/RM may be implemented on different levels: Online application: control access to functions/data Databases: control access to tables, columns OS: control access to resources (files, devices) Privacy and Security Folie Nr. 8

Security Objectives, Levels, and Categories A security objective is a statement of intent to counter a given threat or enforce a given organisational security policy. A security level is defined as a hierarchical attribute with entities of a system to denote their degree of sensitivity Examples: Military: unclassified < confidential < secret < top secret Commercial: public < sensitive < proprietary < restricted A security category is defined as a nonhierarchical grouping of entities to help denote their degree of sensitivity Example (commercial): department A, department B, administration, etc. --> Security categories facilitate the Need-to-know principle Privacy and Security Folie Nr. 9

Security Labels and Policies A security label is defined as an attribute that is associated with system entities to denote their hierarchical sensitivity level and security categories Security labels that denote the security sensitivity of: Subjects are called clearances Objects are called classifications The security policy of a system defines the conditions under which subject accesses to objects are mediated by the system reference monitor functionality To be derived from the organizational policy (IPRs, procedures) Compliance to be monitored (on introduction, regularly) Privacy and Security Folie Nr. 10

Classes of Security Models Access control models Identity-based access control (IBAC) Role-based access control (RBAC) Attribute-based access control (ABAC) Information flow models (e.g. Chinese Wall model) Multilevel security models (e.g. Bell-La Padula model) Non-interference models General types of access control: Discretionary Mandatory Privacy and Security Folie Nr. 11

Types of Access Control: DAC / MAC Discretionary Access Control Owner is responsible for security of her objects Authorization per object No system-wide security properties Rights commonly to be granted: read, write, execute (*NIX, win) --> commonly challenged by lack of competence, overview Mandatory Access Control System-wide (usually: rule-based) security policy configuration User may change authorization, but system policy dominates --> commonly challenged by lack of overview, BOfH Privacy and Security Folie Nr. 12

IBAC: Access Control Matrix Task: Configuration of authorizations (rights of subjects on objects) S r O Subject? Operation Object Define: Set of objects O, set of subjects S, set of rights R (e.g. rwx ) Access Control Matrix defines mapping M : S x O 2 R (e.g.: {true,false}) Advantages of ACM: Intuitive, flexible Easy to implement Disadvantages of ACM: Huge, sparse static s1 s2 s3 o1 { read, write } o2 { owner, execute } o3 { read, write } o4 { send, receive} { signal } o5 { send, receive } Privacy and Security Folie Nr. 13

Access Control Description Schemes Access Control Lists (ACLs) Columns of the ACM: list of authorizations on an object ACL(o1) = {(s1,{r,w}), (s2,{r}); ACL(o2) = {(s3,{r,w,x}); (*NIX: subjects only identified as owner, group, others) -r-x--xrwx 1 thorsten www-data Assessing authorizations to an object is simple 0 Jan 13 10:14 Super-Secret-Document-YEO Assessing authorizations granted to a subject is difficult Capabilities Rows of ACM: list of objects and rights granted to a subject CL(s3) = {(o2,{o,x}), (o4,{s,r}); Advantages/disadvantages inverse to ACLs Privacy and Security Folie Nr. 14

From IBAC to RBAC Complexity of IBAC yields problems of overview and adaptation Subjects usually act in roles (specificly in organizations) Introduce indirection of the role abstraction: Dr. Brains physician Read patient information Dr. Bones Write diagnosis Nurse Kathy nurse Read prescriptions Carer Tuck Write blood values User Role - Relation Role Right - Relation Privacy and Security Folie Nr. 15

Role-based Access Control Extend IBAC: Set of subjects S Set of roles R Set of objects O Set of permissions P Subject Define mappings sr: S 2 R ; pr: R 2 P S R? Operation O Object Sessions are dynamic role assignments (a subject is active in a role) Subject is assigned permissions from role for the session accordingly Role hierarchies and constraints extend RBAC Privacy and Security Folie Nr. 16

Summary You know means for confidentiality & integrity other than crypto ;-) You can distinguish between authorization, authentication, access control You can explain ACMs, ACLs and capabilities You can distinguish DAC and MAC You know the different general strategies of IBAC and RBAC You can explain different classes of authentication and factors You know about cardinality and multi-factor authentication You can explain some knowledge-based authentication schemes, strategies You about biometry and ist advantages and disadvantages Privacy and Security Folie Nr. 39

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information