Hardware Support, C-R Attacks, and Access Control Lists in Biometric Security, Study notes of Computer Science

An in-depth exploration of various aspects of computer security, including hardware support for access control, vulnerabilities of token-based and biometric systems, and the implementation of access control lists (acls) and capability lists (c-lists). The slides cover topics such as token-based systems, c-r and dictionary attacks, biometric characteristics, cautions, and access control lists in different systems.

Typology: Study notes

Pre 2010

Uploaded on 09/17/2009

koofers-user-gaf
koofers-user-gaf 🇺🇸

10 documents

1 / 49

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
May 5, 2005 ECS 153, Introduction to Computer
Security
Slide #1
Hardware Support
Token-based
Used to compute response to challenge
May encipher or hash challenge
May require PIN from user
Temporally-based
Every minute (or so) different number shown
Computer knows what number to expect when
User enters number and fixed password
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31

Partial preview of the text

Download Hardware Support, C-R Attacks, and Access Control Lists in Biometric Security and more Study notes Computer Science in PDF only on Docsity!

May 5, 2005 ECS 153, Introduction to Computer Slide # 1

Hardware Support

• Token-based

  • Used to compute response to challenge
    • May encipher or hash challenge
    • May require PIN from user

• Temporally-based

  • Every minute (or so) different number shown
    • Computer knows what number to expect when
  • User enters number and fixed password

May 5, 2005 ECS 153, Introduction to Computer Slide # 2

C-R and Dictionary Attacks

• Same as for fixed passwords

  • Attacker knows challenge r and response f ( r );

if f encryption function, can try different keys

  • May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form
  • Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations

May 5, 2005 ECS 153, Introduction to Computer Slide # 4

EKE Protocol

Alice Bob Alice || Es ( p ) Alice Bob Es ( Ep ( k )) Now Alice, Bob share a randomly generated secret session key k Alice Bob Ek ( RA ) Alice Bob Ek ( RARB ) Alice Bob Ek ( RB )

May 5, 2005 ECS 153, Introduction to Computer Slide # 5

Biometrics

  • Automated measurement of biological, behavioral

features that identify a person

  • Fingerprints: optical or electrical techniques
    • Maps fingerprint into a graph, then compares with database
    • Measurements imprecise, so approximate matching algorithms used
  • Voices: speaker verification or recognition
    • Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)
    • Recognition: checks content of answers (speaker independent)

May 5, 2005 ECS 153, Introduction to Computer Slide # 7

Cautions

  • These can be fooled!
    • Assumes biometric device accurate in the environment it is being used in!
    • Transmission of data to validator is tamperproof, correct

May 5, 2005 ECS 153, Introduction to Computer Slide # 8

Location

• If you know where user is, validate identity

by seeing if person is where the user is

  • Requires special-purpose hardware to locate

user

  • GPS (global positioning system) device gives location signature of entity
  • Host uses LSS (location signature sensor) to get signature for entity

May 5, 2005 ECS 153, Introduction to Computer Slide # 10

PAM

  • Idea: when program needs to authenticate, it checks central repository for methods to use
  • Library call: pam_authenticate
    • Accesses file with name of program in /etc/pam_d
  • Modules do authentication checking
    • sufficient : succeed if module succeeds
    • required : fail if module fails, but all required modules executed before reporting failure
    • requisite : like required , but don’t check all modules
    • optional : invoke only if all previous modules fail

May 5, 2005 ECS 153, Introduction to Computer Slide # 11

Example PAM File

auth sufficient /usr/lib/pam_ftp.so auth required /usr/lib/pam_unix_auth.so use_first_pass auth required /usr/lib/pam_listfile.so onerr=succeed
item=user sense=deny file=/etc/ftpusers For ftp:

  1. If user “anonymous”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and fail
  2. Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail
  3. Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed

May 5, 2005 ECS 153, Introduction to Computer Slide # 13

Example 1

• Processes p , q

• Files f , g

• Rights r , w , x , a , o

f g p q

p rwo r rwxo w

q a ro r rwxo

May 5, 2005 ECS 153, Introduction to Computer Slide # 14

Example 2

  • Procedures inc_ctr , dec_ctr , manage
  • Variable counter
  • Rights + , , call counter inc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call

May 5, 2005 ECS 153, Introduction to Computer Slide # 16

Default Permissions

• Normal: if not named, no rights over file

  • Principle of Fail-Safe Defaults

• If many subjects, may use groups or

wildcards in ACL

  • UNICOS: entries are ( user , group , rights )
    • If user is in group , has rights over file
    • ‘*’ is wildcard for user , group
      • (holly, *, r): holly can read file regardless of her group
      • (*, gleep, w): anyone in group gleep can write file

May 5, 2005 ECS 153, Introduction to Computer Slide # 17

Abbreviations

  • ACLs can be long … so combine users
    • UNIX: 3 classes of users: owner, group, rest
    • rwx rwx rwx rest group owner
    • Ownership assigned based on creating process
      • Some systems: if directory has setgid permission, file group owned by group of directory (SunOS, Solaris)

May 5, 2005 ECS 153, Introduction to Computer Slide # 19

Permissions in IBM AIX

attributes: base permissions owner(bishop): rw- group(sys): r— others: —- extended permissions enabled specify rw- u:holly permit -w- u:heidi, g=sys permit rw- u:matt deny -w- u:holly, g=faculty

May 5, 2005 ECS 153, Introduction to Computer Slide # 20

ACL Modification

• Who can do this?

  • Creator is given own right that allows this
  • System R provides a grant modifier (like a

copy flag) allowing a right to be transferred, so

ownership not needed

  • Transferring right to another modifies ACL