May 5, 2005 ECS 153, Introduction to Computer Slide # 1
Hardware Support
• Token-based
- Used to compute response to challenge
- May encipher or hash challenge
- May require PIN from user
• Temporally-based
- Every minute (or so) different number shown
- Computer knows what number to expect when
- User enters number and fixed password
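The two token styles on this slide, as an added example that is not part of the original slides: a challenge-response token that keys an HMAC with its secret (here also mixed with the user's PIN, an assumption of this example), and a time-based token that shows a fresh six-digit number every 60 seconds which the computer recomputes from the same secret and the current time window. Function names, the 128-bit token secret and the one-window clock-skew allowance are all constructed for this example.

```python
import hashlib
import hmac

# Constructed demo secret: the random per-token key that the token and the server both store.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def cr_response(secret: bytes, challenge: bytes, pin: str) -> str:
    """Token-based: derive the HMAC key from the token secret and the user's PIN,
    then hash the challenge. The response proves possession of secret and PIN
    without ever transmitting either."""
    key = hashlib.sha256(secret + pin.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:16]


def cr_verify(secret: bytes, challenge: bytes, pin: str, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(cr_response(secret, challenge, pin), response)


def time_code(secret: bytes, unix_time: int, step: int = 60) -> str:
    """Temporally-based: a six-digit number that changes every `step` seconds.
    The number depends only on the secret and the time counter, so token and
    server compute the same value without exchanging anything."""
    counter = (unix_time // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation into the digest
    number = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 1_000_000:06d}"


def verify_time_code(secret: bytes, now: int, code: str, fixed_password: str,
                     expected_password: str, step: int = 60, skew: int = 1) -> bool:
    """The user enters the displayed number plus a fixed password. The server
    requires both: the password must match, and the number must equal the code
    for the current window or one of its `skew` neighbours (clock drift)."""
    if not hmac.compare_digest(fixed_password, expected_password):
        return False
    for window in range(-skew, skew + 1):
        if hmac.compare_digest(time_code(secret, now + window * step, step), code):
            return True
    return False


if __name__ == "__main__":
    resp = cr_response(TOKEN_SECRET, b"server-nonce-1", "1234")
    print("challenge-response ok:", cr_verify(TOKEN_SECRET, b"server-nonce-1", "1234", resp))
    t = 1_700_000_000
    print("code now:", time_code(TOKEN_SECRET, t), "verify:",
          verify_time_code(TOKEN_SECRET, t + 30, time_code(TOKEN_SECRET, t), "pw", "pw"))
```

The token secret here is a random 128-bit key rather than anything derived from a password, which is what keeps a captured (r, f(r)) pair useless for guessing: there is no small key space to search and no recognizable structure in the response to check a guess against.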
C-R and Dictionary Attacks
• Same as for fixed passwords
- Attacker knows challenge r and response f(r); if f is an encryption function, can try different keys
- May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form
- Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations
EKE Protocol
Alice → Bob: Alice || E_s(p)
Bob → Alice: E_s(E_p(k))
Now Alice, Bob share a randomly generated secret session key k
Alice → Bob: E_k(R_A)
Bob → Alice: E_k(R_A R_B)
Alice → Bob: E_k(R_B)
Biometrics
- Automated measurement of biological, behavioral features that identify a person
- Fingerprints: optical or electrical techniques
- Maps fingerprint into a graph, then compares with database
- Measurements imprecise, so approximate matching algorithms used
- Voices: speaker verification or recognition
- Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent)
- Recognition: checks content of answers (speaker independent)
Cautions
- These can be fooled!
- Assumes biometric device accurate in the environment it is being used in!
- Transmission of data to validator is tamperproof, correct
Location
• If you know where user is, validate identity by seeing if person is where the user is
- Requires special-purpose hardware to locate user
- GPS (global positioning system) device gives location signature of entity
- Host uses LSS (location signature sensor) to get signature for entity
PAM
- Idea: when program needs to authenticate, it checks central repository for methods to use
- Library call: pam_authenticate
- Accesses file with name of program in /etc/pam_d
- Modules do authentication checking
- sufficient: succeed if module succeeds
- required: fail if module fails, but all required modules executed before reporting failure
- requisite: like required, but don’t check all modules
- optional: invoke only if all previous modules fail
Example PAM File
auth sufficient /usr/lib/pam_ftp.so
auth required /usr/lib/pam_unix_auth.so use_first_pass
auth required /usr/lib/pam_listfile.so onerr=succeed item=user sense=deny file=/etc/ftpusers
For ftp:
- If user “anonymous”, return okay; if not, set PAM_AUTHTOK to password, PAM_RUSER to name, and fail
- Now check that password in PAM_AUTHTOK belongs to that of user in PAM_RUSER; if not, fail
- Now see if user in PAM_RUSER named in /etc/ftpusers; if so, fail; if error or not found, succeed
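The PAM stack walk described on the previous slide and the ftp example above, as an added simulation that is not part of the original slides or of any real PAM implementation. The password table, the contents of /etc/ftpusers and the three module functions are constructed stand-ins for the real modules; the control flags follow the slide's definitions, with one added detail from Linux-PAM: a sufficient module's success only ends the stack if no earlier required module has already failed. The slide says only when an optional module is invoked, so here its result is recorded but does not affect the outcome.

```python
# Constructed stand-ins for real files: a password table and the file that pam_listfile reads.
USERS = {"holly": "sesame", "root": "toor"}
FILES = {"/etc/ftpusers": {"root"}}


def pam_ftp(env, args):
    """Anonymous logins succeed outright; otherwise stash the credentials for
    the next modules (PAM_AUTHTOK, PAM_RUSER) and fail."""
    if env["user"] == "anonymous":
        return True
    env["PAM_AUTHTOK"] = env["password"]
    env["PAM_RUSER"] = env["user"]
    return False


def pam_unix_auth(env, args):
    """use_first_pass: check the password already in PAM_AUTHTOK instead of prompting."""
    user = env.get("PAM_RUSER", env["user"])
    password = env.get("PAM_AUTHTOK") if "use_first_pass" in args else env["password"]
    return USERS.get(user) == password


def pam_listfile(env, args):
    """sense=deny: fail if the user is listed; onerr=succeed: a missing file is not fatal."""
    opts = dict(a.split("=", 1) for a in args)
    user = env.get("PAM_RUSER", env["user"])
    try:
        listed = user in FILES[opts["file"]]
    except KeyError:                      # file missing or unreadable: onerr decides
        return opts.get("onerr") == "succeed"
    return not listed if opts.get("sense") == "deny" else listed


# The example file from the slide, one tuple per line: (control flag, module, arguments)
FTP_STACK = [
    ("sufficient", pam_ftp, []),
    ("required", pam_unix_auth, ["use_first_pass"]),
    ("required", pam_listfile, ["onerr=succeed", "item=user", "sense=deny", "file=/etc/ftpusers"]),
]


def pam_authenticate(stack, user, password):
    """Walk the stack; returns (authenticated, trace of (module, result) pairs)."""
    env = {"user": user, "password": password}
    trace, required_failed = [], False
    for control, module, args in stack:
        ran = [r for _, r in trace if r is not None]
        if control == "optional" and not all(r is False for r in ran):
            trace.append((module.__name__, None))        # skipped: an earlier module succeeded
            continue
        ok = module(env, args)
        trace.append((module.__name__, ok))
        if control == "sufficient" and ok and not required_failed:
            return True, trace                            # success, stop here
        if control == "requisite" and not ok:
            return False, trace                           # fail immediately
        if control == "required" and not ok:
            required_failed = True                        # remember, but keep running the rest
    return bool(trace) and not required_failed, trace     # fail-safe: empty stack denies


if __name__ == "__main__":
    for who, pw in [("anonymous", ""), ("holly", "sesame"), ("holly", "guess"), ("root", "toor")]:
        print(who, pam_authenticate(FTP_STACK, who, pw))
```

The trace is the useful part for a defender: a wrong password for holly still runs pam_listfile, so the stack gives the same timing and the same module activity whether the password or the deny list caused the failure.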
Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a, o
        f      g      p      q
p      rwo    r      rwxo   w
q      a      ro     r      rwxo
Example 2
- Procedures inc_ctr, dec_ctr, manage
- Variable counter
- Rights +, –, call
          counter  inc_ctr  dec_ctr  manage
inc_ctr   +
dec_ctr   –
manage             call     call     call
Default Permissions
• Normal: if not named, no rights over file
- Principle of Fail-Safe Defaults
• If many subjects, may use groups or wildcards in ACL
- UNICOS: entries are (user, group, rights)
- If user is in group, has rights over file
- ‘*’ is wildcard for user, group
- (holly, *, r): holly can read file regardless of her group
- (*, gleep, w): anyone in group gleep can write file
Abbreviations
- ACLs can be long … so combine users
- UNIX: 3 classes of users: owner, group, rest
- rwx rwx rwx (owner, group, rest)
- Ownership assigned based on creating process
- Some systems: if directory has setgid permission, file group owned by group of directory (SunOS, Solaris)
Permissions in IBM AIX
attributes:
base permissions
    owner(bishop): rw-
    group(sys): r--
    others: ---
extended permissions enabled
    specify rw- u:holly
    permit -w- u:heidi, g=sys
    permit rw- u:matt
    deny -w- u:holly, g=faculty
ACL Modification
• Who can do this?
- Creator is given own right that allows this
- System R provides a grant modifier (like a copy flag) allowing a right to be transferred, so ownership not needed
- Transferring right to another modifies ACL
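An added example, not from the original slides, that serves both the Default Permissions slide and this one: a UNICOS-style ACL of (user, group, rights) entries with ‘*’ wildcards and a fail-safe default of no rights, plus ACL modification under the two rules just listed, the creator's own right and a System R style grant modifier on individual rights. The class name ACL, its methods, and the users and groups in the usage are all this example's own constructions.

```python
class ACL:
    """Access control list for one file: entries are (user, group, rights),
    where rights maps each right to a flag saying whether the holder may grant it on."""

    def __init__(self, owner: str):
        self.owner = owner            # the creator; holds the own right implicitly
        self.entries = []             # (user, group, {right: grantable})

    def add(self, user: str, group: str, rights: dict) -> None:
        self.entries.append((user, group, dict(rights)))

    def rights_for(self, user: str, groups) -> dict:
        """Union of every matching entry; '*' matches any user or any group.
        Fail-safe default: a subject named nowhere gets an empty dict."""
        held = {}
        for eu, eg, er in self.entries:
            if (eu == "*" or eu == user) and (eg == "*" or eg in groups):
                for right, grantable in er.items():
                    held[right] = held.get(right, False) or grantable
        if user == self.owner:
            held["own"] = True
        return held

    def check(self, user: str, groups, right: str) -> bool:
        return right in self.rights_for(user, groups)

    def grant(self, by_user: str, by_groups, to_user: str, to_group: str,
              right: str, with_grant: bool = False) -> None:
        """Transferring a right modifies the ACL. Allowed if the grantor owns the
        file, or holds that right with the grant modifier set (ownership not needed)."""
        held = self.rights_for(by_user, by_groups)
        if "own" not in held and not held.get(right, False):
            raise PermissionError(f"{by_user} may not grant {right!r}")
        self.add(to_user, to_group, {right: with_grant})


if __name__ == "__main__":
    acl = ACL(owner="bishop")
    acl.add("holly", "*", {"r": False})        # (holly, *, r)
    acl.add("*", "gleep", {"w": False})        # (*, gleep, w)
    print("holly reads:", acl.check("holly", ["faculty"], "r"))
    print("heidi in gleep writes:", acl.check("heidi", ["gleep"], "w"))
    print("heidi in staff writes:", acl.check("heidi", ["staff"], "w"))
    acl.grant("bishop", ["faculty"], "matt", "*", "r", with_grant=True)   # owner grants r+grant
    acl.grant("matt", ["staff"], "heidi", "*", "r")                        # matt passes r on
    print("heidi reads:", acl.check("heidi", ["staff"], "r"))
```

Each successful grant appends an entry, so the ACL itself records how a right spread; a right handed on without the modifier (as matt does for heidi) stops there, which is the point of separating the grant flag from the right.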